Enviado em 09/06/2015 - 13:46h
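Bom dia.

#!/bin/bash
############################### FIREWALL ###############################
# Gateway firewall / NAT script.
#
# The shebang must be the first line of the saved file; in the posted
# version it came after the header comments, where the kernel ignores it.
#
# NOTE(review): INPUT/FORWARD/OUTPUT keep the ACCEPT policy set below, so
# every "-j ACCEPT" rule in this script is a no-op -- the FACEBOOK chain
# is the only thing that actually filters traffic.  Closing the box
# (DROP policy + conntrack rules) would change behaviour and is
# deliberately not done here; it is flagged, not fixed.
#
# NOTE(review): interface roles look inconsistent: MASQUERADE goes out
# eth1 (suggesting eth1 is the WAN side), yet the "acesso externo" rules
# match -i eth0.  Confirm which side is which before tightening anything.
########################################################################

# Load netfilter modules.  ip_conntrack/ip_nat_ftp are the legacy names;
# on newer kernels modprobe just prints an error for the ones that no
# longer exist and the script carries on, as the original did.
echo "Modulos do firewall"
for mod in ipt_string ip_tables iptable_filter ip_conntrack ip_conntrack_ftp \
           iptable_nat ip_nat_ftp ipt_LOG ipt_state ipt_MASQUERADE; do
  modprobe "$mod"
done

# Start from a clean slate.  "-F" with no chain flushes every chain of the
# filter table (built-in and user-defined); "-X" then deletes the now
# empty user chains, so "iptables -N FACEBOOK" below succeeds on a re-run.
# The original flushed only INPUT/OUTPUT/FORWARD, so on the second run
# "-N FACEBOOK" failed and the stale ACCEPT/REJECT verdicts stayed in the
# old chain.
echo "Regras default"
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F

# Default policies (see the NOTE above: everything not REJECTed passes).
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Disabled rules kept for reference.
#iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 25,58215,110,465,587,995 -j MASQUERADE
#skype incoming connections
#iptables -A INPUT -p udp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p tcp --dport 39856 -j ACCEPT
#iptables -I FORWARD -m string --algo bm --string "skype.com" -j ACCEPT

# NAT for the LAN and IPv4 forwarding.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward

# SSH on 7351, accepted from any source on any interface.
echo "Liberando acesso SSH"
iptables -A INPUT -p tcp --dport 7351 -j ACCEPT

# Squid.  The original comment said "from the internal network", but no
# -i or -s is given, so 3128 is reachable on every interface.  Whether
# that is a problem depends on the proxy's own http_access rules.
#echo Liberando rede interna
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

# Cameras (37777 tcp/udp).
# NOTE(review): the TCP rules disagree with each other: FORWARD allows
# -d 192.168.10.219 while the TCP DNAT sends traffic to 192.168.10.90;
# UDP goes to .219 in both.  One of the two addresses is presumably a
# typo -- confirm which host is the camera DVR.  Kept as posted.
echo "acesso as cameras"
iptables -A INPUT -i eth0 -p tcp --dport 37777 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 37777 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 37777 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 37777 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.219 --dport 37777 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 37777 -j DNAT --to-destination 192.168.10.90:37777
iptables -A FORWARD -p udp -d 192.168.10.219 --dport 37777 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 37777 -j DNAT --to-destination 192.168.10.219:37777

# "Siga" application: same port in and out, all on 192.168.10.90.
echo "Acesso externo Siga"
for porta in 1257 1299 1256; do
  iptables -A INPUT -i eth0 -p tcp --dport "$porta" -j ACCEPT
  iptables -A FORWARD -p tcp -d 192.168.10.90 --dport "$porta" -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport "$porta" -j DNAT --to-destination "192.168.10.90:$porta"
done

# SQL Server: 9723 outside -> 1433 on 192.168.10.91.
# NOTE(review): FORWARD filters on --dport 9723, but after DNAT the
# forwarded packet carries dport 1433, so that rule never matches -- it
# only "works" because FORWARD's policy is ACCEPT.  The same applies to
# the BI rules further down (7980 -> 8080).  The eth1 UDP rule has no
# matching DNAT at all.
echo "Acesso ao Sql Server"
iptables -A INPUT -i eth0 -p tcp --dport 9723 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 9723 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 9723 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9723 -j DNAT --to-destination 192.168.10.91:1433

# RDP: 3390 -> .90:3389 and 3391 -> .91:3389.  Here FORWARD correctly
# matches the post-DNAT port 3389.
echo "Liberando acesso via TS"
iptables -A INPUT -i eth0 -p tcp --dport 3390 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3390 -j DNAT --to-destination 192.168.10.90:3389
iptables -A INPUT -i eth0 -p tcp --dport 3391 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3391 -j DNAT --to-destination 192.168.10.91:3389

# BI: 7980 outside -> 8080 on 192.168.10.91 (tcp and udp).
echo "Liberando Acesso ao BI"
iptables -A INPUT -i eth0 -p tcp --dport 7980 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 7980 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 7980 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 7980 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 7980 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080
iptables -A FORWARD -p udp -d 192.168.10.91 --dport 7980 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080
# Dead rule: the TCP 7980 PREROUTING rule above already matched (first
# match wins), so this DNAT to :7980 is never reached.  Kept verbatim
# because it is not clear whether :8080 or :7980 is the real BI port.
iptables -t nat -A PREROUTING -d 0/0 -p tcp --dport 7980 -j DNAT --to 192.168.10.91:7980

#*************************** BLOQUEIO DO FACEBOOK ***************************
echo "Acesso Facebook"

# Working hours -> op=1 (block); otherwise op=2 (allow).  The windows are
# 08:00-12:28 and 13:30-23:58, exactly as the original comparisons had
# them (12:29 and 23:59 fall through to "allow").  %H%M is forced to
# base 10 so "0800" is not read as octal inside (( )).  The original
# wrapped the tests in backticks, which ran the *output* of the test as
# a command and only happened to work because bash then reports the
# substitution's exit status.
hora=$(/bin/date +%H%M)
hora=$((10#$hora))
if (( (hora > 759 && hora < 1229) || (hora > 1329 && hora < 2359) )); then
  op=1
else
  op=2
fi

# Source addresses exempt from the block, whitespace-separated in the
# file; empty lines and lines starting with '#' are ignored.
permitidos=$(grep -Ev '(^#|^$)' /etc/squid3/regras/ips_fb)

# Facebook address ranges matched by -m iprange (dst).
FACEBOOK_IP_RANGE=(
  31.13.64.0-31.13.127.255
  31.13.24.0-31.13.31.255
  74.119.76.0-74.119.79.255
  69.63.176.0-69.63.191.255
  69.171.224.0-69.171.255.255
  66.220.144.0-66.220.159.255
  204.15.20.0-204.15.23.255
  173.252.64.0-173.252.127.255
)
iptables -N FACEBOOK

# Send HTTP/HTTPS to those ranges through the FACEBOOK chain.
for face in "${FACEBOOK_IP_RANGE[@]}"; do
  iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" --dport 443 -j FACEBOOK
  iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" --dport 80 -j FACEBOOK
done

# Exempt hosts are inserted at the top of the chain.
# shellcheck disable=SC2086 -- splitting the list on whitespace is intended
for liberado in $permitidos; do
  iptables -I FACEBOOK -s "$liberado" -j ACCEPT
done

# Verdict for everyone else; outside working hours access is allowed.
if (( op == 1 )); then
  echo "Bloqueando"
  iptables -A FACEBOOK -j REJECT
else
  echo "Liberando"
  iptables -A FACEBOOK -j ACCEPT
fi
#****************************************************************************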
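# Squid (squid3) configuration.
#
# NOTE(review): squid resolves ACL names case-sensitively, so the original
# "http_access allow connect SSL_Ports" named two ACLs that are never
# defined (the definitions are CONNECT and SSL_ports) and squid cannot
# load the file as posted.  Fixed below.  The rule also ran before any
# src ACL, so once the names matched, *any* client able to reach port
# 3128 could CONNECT to 443 through this proxy.  It is therefore
# restricted to the LAN ACL "redelocal", which has been moved above its
# first use (ACLs must be defined before they are referenced).  Clients
# outside 192.168.10.0/24 are still evaluated by the department rules
# further down, exactly as before.

# Standard ports
acl SSL_ports port 443
acl Safe_ports port 443
#acl Safe_ports port 8080
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https (duplicate of the entry above; harmless)
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl redelocal src 192.168.10.0/24

# CONNECT to SSL ports is allowed for the LAN only; everything else about
# unsafe ports is denied before the per-department rules.
http_access allow redelocal CONNECT SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
#http_access deny manager
#http_access allow redelocal
#http_access deny all

# Cache tuning
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
minimum_object_size 0 KB
maximum_object_size 4096 MB     # note: exceeds the 2048 MB cache_dir below
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid3 2048 16 256
# NOTE(review): "cache_access_log" is the pre-3.1 directive; newer squid3
# releases expect "access_log /var/log/squid3/access.log" and warn that
# this one is obsolete.  Confirm against the installed version.
cache_access_log /var/log/squid3/access.log

# Log rotation
logfile_rotate 10
ftp_user Squid@

# Refresh patterns
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

###### Block video and audio streaming ######
# "media" matches reply MIME types (used with http_reply_access), "mediapr"
# matches request URLs.  Several entries overlap; kept as posted.
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
acl media rep_mime_type -i ^video\/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$

#********************************* GERAL *****************************************
acl ips_geral src "/etc/squid3/regras/geral/ips_liberados"
acl sites_liberados_geral url_regex -i "/etc/squid3/regras/geral/sites_liberados_geral"
# NOTE(review): palavras_bloqueadas is defined but never referenced by an
# http_access rule, so the word list has no effect.
acl palavras_bloqueadas url_regex -i "/etc/squid3/regras/geral/palavras_bloqueadas"
acl sites_bloqueados_geral url_regex -i "/etc/squid3/regras/geral/sites_bloqueados_geral"
#************************************************************************************

#********************************* COMERCIAL *****************************************
acl comercial src "/etc/squid3/regras/comercial/ips_comercial"
acl sites_comercial url_regex -i "/etc/squid3/regras/comercial/sites_liberados"

#********************************* COMPRAS *****************************************
acl compras src "/etc/squid3/regras/compras/ips_compras"
acl sites_compras url_regex -i "/etc/squid3/regras/compras/sites_liberados"

#********************************* CTP *****************************************
acl ctp src "/etc/squid3/regras/ctp/ips_ctp"
acl sites_ctp url_regex -i "/etc/squid3/regras/ctp/sites_liberados"

#********************************* FINANCEIRO *****************************************
acl financeiro src "/etc/squid3/regras/financeiro/ips_financeiro"
acl sites_financeiro url_regex -i "/etc/squid3/regras/financeiro/sites_liberados"

#********************************* INSPECAO *****************************************
acl inspecao src "/etc/squid3/regras/inspecao/ips_inspecao"
acl sites_inspecao url_regex -i "/etc/squid3/regras/inspecao/sites_liberados"

#********************************* PRODUCAO *****************************************
acl producao src "/etc/squid3/regras/producao/ips_producao"
acl sites_producao url_regex -i "/etc/squid3/regras/producao/sites_liberados"

#********************************* PCP *****************************************
acl pcp src "/etc/squid3/regras/pcp/ips_pcp"
acl sites_pcp url_regex -i "/etc/squid3/regras/pcp/sites_liberados"

#********************************* RH *****************************************
acl rh src "/etc/squid3/regras/rh/ips_rh"
acl sites_rh url_regex -i "/etc/squid3/regras/rh/sites_liberados"

#********************************* TI *****************************************
acl TI src "/etc/squid3/regras/TI/ips_TI"
acl ips_gestores src "/etc/squid3/regras/geral/ips_gestores"
acl almoco time MTWHF 12:30-13:30

# Access rules -- first match wins, so order matters.
http_access allow TI
http_access allow ips_geral
# NOTE(review): "almoco" is a time-only ACL: during 12:30-13:30 every
# client (any source) matches here and skips the deny rules below.  If
# lunch-time freedom is meant for the LAN only, use "redelocal almoco".
http_access allow almoco
http_access allow rh
http_access deny sites_bloqueados_geral
http_access deny mediapr
http_reply_access deny media !TI
http_access allow financeiro
http_access allow compras
http_access allow ctp
http_access allow sites_liberados_geral
http_access allow ips_gestores
http_access allow comercial sites_comercial
http_access allow inspecao sites_inspecao
http_access allow producao sites_producao
http_access allow pcp sites_pcp
#http_access allow redelocal
http_access deny all

log_mime_hdrs on
http_port 3128
#coredump_dir /var/spool/squid3
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
#refresh_pattern . 0 20% 4320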
Enviado em 10/06/2015 - 05:35h
Qual ERP?