Firewall with access control (firewall)
A complete firewall for you to deploy on your wireless network or ISP
Category: Init
Software: Firewall with access control
By: Rodrigo Rodrigues de mattos
Well, this is my first .conf contribution, so I decided it should be one that increases the security of your Linux.
I know there are already many configurations here on VOL, and whenever I searched the countless examples for something that could help me improve the security of my network of 20 computers joined by wireless, I found it.
I hope it is useful to everyone who passes through here.
Note: the netfur.txt file used here has the following format
, ,
#!/bin/sh
#
# /etc/rc.d/init.d/firewall
# chkconfig: - 60 95
# description: This script controls the start/stop of the \
# iptables-based firewall service.
#
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
exit 0
fi
if [ ! -x /sbin/iptables ]; then
exit 0
fi
# Parameters
case "$1" in
start)
echo "Starting Firewalling Services: "
touch /var/lock/subsys/firewall
# -----------------------------------------------------------------
# Flush all existing rules (filter, nat and mangle tables)
# -----------------------------------------------------------------
# Remove all rules
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
# -----------------------------------------------------------------
# Variable definitions
# -----------------------------------------------------------------
EXTERNAL_IP=`ifconfig ppp0 | grep inet | cut -d: -f2 | cut -dP -f1`
# line that fetches the IP address of ppp0
EXTERNAL_INTERFACE="ppp0"
# put the ppp0 device here
EXTERNAL_NET="192.168.0.0/255.255.255.0"
INTERNAL_IP="192.168.1.1"
INTERNAL_INTERFACE="eth1"
INTERNAL_NET="192.168.1.0/255.255.255.224"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
# -----------------------------------------------------------------
# Set the default policy to DROP
# -----------------------------------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# -----------------------------------------------------------------
# Load modules
# -----------------------------------------------------------------
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_REJECT
modprobe ipt_LOG
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_MARK
modprobe iptable_nat
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tos
modprobe iptable_mangle
# modprobe ipt_unclean
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "5 4 1 7" > /proc/sys/kernel/printk
# -----------------------------------------------------------------
# Enable loopback traffic
# -----------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# -----------------------------------------------------------------
# Anti-Spoofing
# -----------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
# enabling SYN flood protection. Should be done on all servers
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# -----------------------------------------------------------------
# Enable traffic on the internal network
# -----------------------------------------------------------------
# Allow traffic between the 192.168.1.0 networks
# ##Opening IPSEC traffic
# iptables -A INPUT -p udp --dport 5000 -s 0/0 -d 0/0 -j ACCEPT
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j ACCEPT
##Allow access to the subnet
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
## Block multicast
iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
##Allow traffic between the networks
#iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
# iptables -A FORWARD -s 192.168.1.3 -m mac --mac-source 00:0F:B0:3C:A6:6E -d 192.168.1.0/27 \
# -j ACCEPT
# Ports for the Windows network!!!! NOTE: 192.168.1.0/27 is the same as 192.168.1.0/255.255.255.224
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p tcp --dport 2121 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 2121 -j ACCEPT
# iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
# -p tcp --dport 5900 -j ACCEPT
# iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
# -p tcp --sport 5900 -j ACCEPT
# iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/16 \
# -p tcp --dport 47151 -j ACCEPT
# iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/16 \
# -p tcp --sport 47151 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 20 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p tcp --dport 9920 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 9920 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p tcp --dport 1863 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 1863 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p tcp --dport 137 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 137 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p tcp --dport 138 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 138 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p tcp --dport 139 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 139 -j ACCEPT
# Allow access to the proxy, DNS and ICMP for all machines
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p icmp -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p icmp -j ACCEPT
##############################################################
# ALLOW THE INTERNAL PROXY ON THE NETWORK
###############################################################
# iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
# -p tcp --dport 3128 -j ACCEPT
# iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
# -p tcp --sport 3128 -j ACCEPT
##############################################################
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 53 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.0/27 \
-p udp -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p udp -j ACCEPT
# Allow full access to the firewall for some hosts (LOCAL NETWORK)
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.1 -j ACCEPT
#######################################################################
# THE RULE BELOW ALLOWS FULL ACCESS FOR THE LISTED IP
#######################################################################
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.2 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.2 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.3 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.3 -j ACCEPT
############ Allowed for the APs #####################################
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.29 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.29 -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -s 192.168.1.30 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.30 -j ACCEPT
########################################################################
# Allow ping from the firewall to the internet
########################################################################
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 0 -d $EXTERNAL_IP -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 3 -d $EXTERNAL_IP -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 4 -d $EXTERNAL_IP -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 11 -d $EXTERNAL_IP -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 12 -d $EXTERNAL_IP -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $EXTERNAL_IP --icmp-type 4 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $EXTERNAL_IP --icmp-type 8 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $EXTERNAL_IP --icmp-type 12 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $EXTERNAL_IP --icmp-type 11 -d 0/0 -j ACCEPT
###########################################################################
# Allow ping from the firewall to the local network
##########################################################################
iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 0 -d $INTERNAL_IP -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 3 -d $INTERNAL_IP -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 4 -d $INTERNAL_IP -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 11 -d $INTERNAL_IP -j ACCEPT
iptables -A INPUT -i $INTERNAL_INTERFACE -p icmp \
-s 0/0 --icmp-type 12 -d $INTERNAL_IP -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp \
-s $INTERNAL_IP --icmp-type 4 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp \
-s $INTERNAL_IP --icmp-type 8 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp \
-s $INTERNAL_IP --icmp-type 12 -d 0/0 -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INTERFACE -p icmp \
-s $INTERNAL_IP --icmp-type 11 -d 0/0 -j ACCEPT
# =================================================================
# The following lines allow machines on the internet to access
# resources of this computer as a server; the rules open the
# ports to the outside world.
# =================================================================
# -----------------------------------------------------------------
# HTTP Server (ports 80 and 8080 for Apache)
# -----------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 80 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport 80 \
-d 0/0 --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 8080 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport 8080 \
-d 0/0 --dport $UNPRIVPORTS -j ACCEPT
##################################################################
# Allow SSH >>>>>>>>>>>>>>3420
##################################################################
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 3420 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport 3420 \
-d 0/0 --dport $UNPRIVPORTS -j ACCEPT
#################################################################
# CLOSING PORT 3128 TO THE OUTSIDE WORLD
#################################################################
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 3128 -j DROP
#################################################################
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport $UNPRIVPORTS \
# -d $EXTERNAL_IP --dport 22 -j ACCEPT
#
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $EXTERNAL_IP --sport 22 \
# -d 0/0 --dport $UNPRIVPORTS -j ACCEPT
#
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport $UNPRIVPORTS \
# -d $EXTERNAL_IP --dport 5000:5200 -j ACCEPT
#################################################################
# HTTPS :443 EXTERNAL access #
#################################################################
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 443 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport 443 \
-d 0/0 --dport $UNPRIVPORTS -j ACCEPT
####################################################################################
# Rules to block DoS, NetBus, ping, port scanner and Back Orifice type attacks
####################################################################################
# >>>>>> Back Orifice
iptables -A INPUT -p tcp --dport 31337 -j DROP
iptables -A INPUT -p udp --dport 31337 -j DROP
# >>>>>>>> NetBus
iptables -A INPUT -p tcp --dport 12345:12346 -j DROP
iptables -A INPUT -p udp --dport 12345:12346 -j DROP
# >>>>>>> Blocking traceroute
iptables -A INPUT -p udp -s 0/0 -i $EXTERNAL_INTERFACE --dport 33435:33525 -j DROP
#>>>>>>>> SYN-flood protection
#iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#>>>>>>> Ping of death protection
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#>>>>>>> Stealth port scanner protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#####################################################################################
# -----------------------------------------------------------------
# AUTH Server (port 113)
# -----------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 113 -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport 113 \
-d 0/0 --dport $UNPRIVPORTS -j REJECT
####################################################################
# This line allows access to the ProFTPD server
###################################################################
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 2121 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport 2121 \
-d 0/0 --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 20 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $EXTERNAL_IP --sport 20 \
-d 0/0 --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 20 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport 20 \
-d 0/0 --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport $UNPRIVPORTS \
-d $EXTERNAL_IP --dport 40000:65535 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport 40000:65535 \
-d 0/0 --dport $UNPRIVPORTS -j ACCEPT
# ================================================================
# iptables -A INPUT -j ACCEPT -p tcp --dport 2121
# iptables -A OUTPUT -j ACCEPT -p tcp --dport 2121
# =================================================================
# The following lines allow this machine to access resources
# on the internet.
# =================================================================
# Allow this machine to reach any server on the internet
# Lines that are mandatory for the firewall to work
###################################################################
iptables -A INPUT -m state --state ESTABLISHED,RELATED \
-i $EXTERNAL_INTERFACE -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
-o $EXTERNAL_INTERFACE -j ACCEPT
# -----------------------------------------------------------------
# DNS Client (port 53) Used for the DNS server
# -----------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s 0/0 --sport 53 \
-d $EXTERNAL_IP --dport $UNPRIVPORTS -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $EXTERNAL_IP --sport $UNPRIVPORTS \
-d 0/0 --dport 53 -j REJECT
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport 53 \
# -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $EXTERNAL_IP --sport $UNPRIVPORTS \
# -d 0/0 --dport 53 -j ACCEPT
# -----------------------------------------------------------------
# Finger Client (port 79)
# -----------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport 79 \
-d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport $UNPRIVPORTS \
-d 0/0 --dport 79 -j ACCEPT
# -----------------------------------------------------------------
# AUTH Client (port 113)
# -----------------------------------------------------------------
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport 113 \
# -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
#
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $EXTERNAL_IP --sport $UNPRIVPORTS \
# -d 0/0 --dport 113 -j ACCEPT
#>>>port for the radios
#
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# -s 0/0 --sport 772 \
# -d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
#
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $EXTERNAL_IP --sport $UNPRIVPORTS \
# -d 0/0 --dport 772 -j ACCEPT
# -----------------------------------------------------------------
# WHOIS Client (port 43)
# -----------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s 0/0 --sport 43 \
-d $EXTERNAL_IP --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $EXTERNAL_IP --sport $UNPRIVPORTS \
-d 0/0 --dport 43 -j ACCEPT
#####################################################################################
# >>> Allow free external access for someone on my internal network WITHOUT PROXY <<<
#####################################################################################
#>>>>>
list=`cat /etc/netfuture/firewall/netfur.txt`
for rede in `echo $list`;do
#loop capturing the data from netfur.txt
ip_cliente=`echo $rede | cut -d , -f1`
mac_cliente=`echo $rede | cut -d , -f2`
mark_cliente=`echo $ip_cliente | cut -d. -f4` # Uses the last octet of the client IP as its mark
#>>> line containing the iptables rule
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
-s $ip_cliente -j MASQUERADE
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
-s $ip_cliente -m mac --mac-source $mac_cliente -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
-d $ip_cliente -j ACCEPT
######## Mark this client's packets with its own mark ########################
iptables -t mangle -A FORWARD -s $ip_cliente -j MARK --set-mark $mark_cliente
iptables -t mangle -A FORWARD -s $ip_cliente -j ACCEPT
iptables -t mangle -A FORWARD -d $ip_cliente -j MARK --set-mark $mark_cliente
iptables -t mangle -A FORWARD -d $ip_cliente -j ACCEPT
# iptables -t mangle -A POSTROUTING -j RETURN
# iptables -t mangle -A PREROUTING -s $ip_cliente -j MARK --set-mark $mark_cliente
# iptables -t mangle -A PREROUTING -j RETURN
################################# Packet marks ##############################
# iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
# -d $ip_cliente -j MARK --set-mark $mark_cliente
###############################################################
# ALLOW THE INTERNAL PROXY ON THE NETWORK
###############################################################
iptables -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j ACCEPT
# iptables -t mangle -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j MARK --set-mark $mark_cliente
iptables -A OUTPUT -o $INTERNAL_INTERFACE -d 192.168.1.0/27 \
-p tcp --sport 3128 -j ACCEPT
#################################################################
#>>> Transparent proxy for the network
#################################################################
iptables -t nat -A PREROUTING -p tcp -s $ip_cliente -m mac --mac-source $mac_cliente --dport 80 -j REDIRECT --to-port 3128
done
# end of loop
# =================================================================
# Source NAT (POSTROUTING) and FORWARD
#
# Handling of specific cases where machines need open ports
# or direct internet access.
# =================================================================
# ACCESS TO THE APs FOR NETFUTURE CONFIGURATION : 8089
iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
--dport 8029 -j DNAT --to 192.168.1.29:80
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
-s 192.168.1.29 -j MASQUERADE
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
-s 192.168.1.29 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
-d 192.168.1.29 -j ACCEPT
#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# =================================================================
# ACCESS TO THE APs FOR NETFUTURE_1 CONFIGURATION ; 8088
iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
--dport 8030 -j DNAT --to 192.168.1.30:80
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
-s 192.168.1.30 -j MASQUERADE
iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
-s 192.168.1.30 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
-d 192.168.1.30 -j ACCEPT
#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# =================================================================
# Source NAT (POSTROUTING) and FORWARD
#
# Handling of specific cases where machines need open ports
# or direct internet access.
# =================================================================
# iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP \
# --dport 5900 -j DNAT --to 192.168.1.1:5900
# iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
# -s 192.168.1.1 -j MASQUERADE
# iptables -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
# -s 192.168.1.1 -j ACCEPT
# iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE \
# -d 192.168.1.1 -j ACCEPT
#>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
# -----------------------------------------------------------------
# LOG
# -----------------------------------------------------------------
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p tcp \
--dport 80 -j LOG --log-prefix "WEB-SEM-PROXY:" \
--log-level info -m limit --limit 5/minute
iptables -A INPUT -j LOG --log-prefix "BAD INPUT:" \
--log-level info -m limit --limit 5/minute
iptables -A OUTPUT -j LOG --log-prefix "BAD OUTPUT:" \
--log-level info -m limit --limit 5/minute
iptables -A FORWARD -j LOG --log-prefix "BAD FORWARD:" \
--log-level info -m limit --limit 5/minute
#>>>Access control for the services below
iptables -A INPUT -p tcp --dport 2121 -j LOG --log-prefix "Acesso ao Proftpd"
iptables -A INPUT -p tcp --dport 3420 -j LOG --log-prefix "Acesso ao SSH"
iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "WEB segura"
#>>>>>>Generating backdoor logs
iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Wincrash"
iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Netbus"
iptables -A INPUT -p tcp --dport 12346 -j LOG --log-prefix "NetBus"
iptables -A INPUT -p tcp --dport 33435 -j LOG --log-prefix "BackOrifice"
##################### LOG MARKED EXTERNAL PACKETS ##########################
# iptables -t mangle -A FORWARD -i $EXTERNAL_INTERFACE -o $INTERNAL_INTERFACE -j LOG --log-prefix "marcado FORWARD"
# iptables -t mangle -A INPUT -i $INTERNAL_INTERFACE -s $ip_cliente -m mac --mac-source $mac_cliente -p tcp --dport 3128 -j LOG --log-prefix "Marcado do squid "
# iptables -t mangle -A POSTROUTING -s $ip_cliente -j LOG --log-prefix "Marcado POSTROUTING"
;;
stop)
echo "Shutting down Firewalling Services: "
rm -rf /var/lock/subsys/firewall
# -----------------------------------------------------------------
# Remove all existing rules belonging to this filter
# -----------------------------------------------------------------
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
# -----------------------------------------------------------------
# Reset the default policy of the filter to accept.
# -----------------------------------------------------------------
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
status firewall
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac
exit 0
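The per-client loop in the script above feeds every word of netfur.txt straight into iptables arguments without checking it, so a line with a missing or mistyped MAC, or an address outside the client subnet, either makes iptables abort with an error or installs a rule that is wider than intended. The following is an added example, not part of the original script or the author's setup: it validates each ip,mac entry (the field order the loop's cut -d , -f1 / -f2 implies) against the 192.168.1.0/27 client range before emitting the rules, and it only prints the commands instead of running them. The sample list contents, the interface variables and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original firewall script): validate the
# netfur.txt access list before turning it into iptables rules.
# Assumptions: one "ip,mac" entry per line (the field order the script's
# cut -d , -f1 / -f2 implies) and clients living in 192.168.1.0/27.
# The sample contents below are constructed for this example.
SAMPLE_LIST='192.168.1.5,00:11:22:33:44:55
192.168.1.6,00-11-22-33-44-66
192.168.1.77,00:11:22:33:44:77
192.168.1.8
10.0.0.1,AA:BB:CC:DD:EE:FF
192.168.1.30,0a:0b:0c:0d:0e:0f'

EXT_IF=ppp0   # external interface, as in the script
INT_IF=eth1   # internal interface, as in the script

# 0 if $1 is a usable host address in 192.168.1.0/27 (.1 to .30).
valid_client_ip() {
    case "$1" in
        192.168.1.[1-9]|192.168.1.[12][0-9]|192.168.1.30) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if $1 is a colon-separated MAC, the form iptables -m mac expects.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Reads "ip,mac" lines on stdin and prints (never runs) the rules the
# script's loop would install for each valid entry. Bad lines go to
# stderr; the exit status is the number of lines rejected.
gen_client_rules() {
    bad=0
    while IFS=, read -r ip mac extra; do
        [ -n "$ip" ] || continue                      # skip blank lines
        if ! valid_client_ip "$ip"; then
            echo "rejected (ip outside client range): $ip,$mac" >&2
            bad=$((bad + 1)); continue
        fi
        if ! valid_mac "$mac"; then
            echo "rejected (bad or missing mac): $ip,$mac" >&2
            bad=$((bad + 1)); continue
        fi
        mark=${ip##*.}                                # last octet, as the script does
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $ip -j MASQUERADE"
        echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $ip -m mac --mac-source $mac -j ACCEPT"
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $ip -j ACCEPT"
        echo "iptables -t mangle -A FORWARD -s $ip -j MARK --set-mark $mark"
    done
    return "$bad"
}

# Self-check helpers over the constructed sample.
count_valid() {
    printf '%s\n' "$SAMPLE_LIST" | gen_client_rules 2>/dev/null | grep -c -- '--mac-source'
}
count_rejected() {
    rej=0
    printf '%s\n' "$SAMPLE_LIST" | gen_client_rules >/dev/null 2>&1 || rej=$?
    echo "$rej"
}

# Dry run: rules for good lines on stdout, complaints on stderr.
printf '%s\n' "$SAMPLE_LIST" | gen_client_rules || echo "$? line(s) rejected" >&2
```

Run it against the real file with `gen_client_rules < /etc/netfuture/firewall/netfur.txt`; because the exit status is the number of rejected lines, the init script can refuse to install the client rules at all when it is non-zero rather than silently installing a partial set.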
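The LOG rules near the end of the script write to the kernel log with the text given in --log-prefix. Prefixes that end without a space or colon ("Acesso ao SSH", "Netbus") are glued straight onto the IN= field of the resulting line, which is easy to miss when grepping. This added example (not from the page or the author) is a small awk-based summary that tolerates both forms and counts hits per prefix and source address, which is how a defender would read what this ruleset is dropping. The log lines are constructed to mimic the kernel's iptables LOG format and are not real captures; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): summarize iptables LOG lines
# by prefix and source address. The sample lines are constructed to mimic
# the kernel's LOG output for prefixes used in the script above; note how
# prefixes without a trailing space or colon run straight into "IN=".
SAMPLE_LOG='Mar 10 12:00:01 gw kernel: BAD INPUT:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41000 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: BAD INPUT:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:03 gw kernel: Acesso ao SSHIN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=50000 DPT=3420 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:04 gw kernel: BAD FORWARD:IN=eth1 OUT=ppp0 MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.9 DST=203.0.113.80 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=1234 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 10 12:00:05 gw kernel: NetbusIN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=41002 DPT=12345 WINDOW=1024 RES=0x00 SYN URGP=0'

# Reads log lines on stdin; prints "prefix<TAB>src<TAB>dports<TAB>count",
# one line per (prefix, source) pair, sorted.
summarize_log() {
    awk '
    {
        line = $0
        sub(/^.*kernel: /, "", line)          # drop syslog timestamp and host
        n = index(line, "IN=")
        if (n == 0) next                       # not an iptables LOG line
        prefix = substr(line, 1, n - 1)
        sub(/[ :]+$/, "", prefix)              # "BAD INPUT:" and "Netbus" alike
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        key = prefix "\t" src
        count[key]++
        if (index("," ports[key] ",", "," dpt ",") == 0)
            ports[key] = (ports[key] == "" ? dpt : ports[key] "," dpt)
    }
    END {
        for (k in count) print k "\t" ports[k] "\t" count[k]
    }' | sort
}

# Hit count for one (prefix, source) pair, e.g. hits_for "BAD INPUT" 203.0.113.5
hits_for() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log |
        awk -F '\t' -v p="$1" -v s="$2" '$1 == p && $2 == s { print $4 }'
}

# Distinct destination ports seen for one pair, comma-separated
ports_for() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log |
        awk -F '\t' -v p="$1" -v s="$2" '$1 == p && $2 == s { print $3 }'
}

# Total hits per source whatever the prefix; the noisiest source comes first
hits_by_source() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log |
        awk -F '\t' '{ t[$2] += $4 } END { for (s in t) print t[s] "\t" s }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_log
hits_by_source
```

On a live box, replace the constructed sample with `grep kernel: /var/log/messages | summarize_log`; ending every --log-prefix with a colon or space keeps the prefix field clean for tools that do not strip it as this one does.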