Ajuda com IPTABLES... Helppp!!!

1. Ajuda com IPTABLES... Helppp!!!

Marcos Honorato de Souza
mshonorato

(usa Debian)

Enviado em 20/05/2009 - 15:30h

Olá pessoal,

Preciso montar um script de iptables para a empresa onde trabalho, alguém pode me dizer se estou no caminho certo?

Estou com dificuldades para liberar o acesso EXTERNO as "CAMERAS" daqui, e liberar alguns serviços como CONECTIVIDADE SOCIAL da CEF...

Obrigado a quem puder ajudar...

Segue abaixo o script:

#!/bin/bash

IPTABLES=/usr/sbin/iptables

#----SPEEDY----
IP_SPEEDY="xxx.xxx.xxx.xxx" #IP Speedy
GW_SPEEDY="xxx.xxx.xxx.xxx" #GW Speedy
DNS_SPEEDY1="xxx.xxx.xxx.xxx" #DNS1 do Speedy
DNS_SPEEDY2="xxx.xxx.xxx.xxx" #DNS2 do Speedy

#----INTERFACE DE REDE----
WAN="eth0" #Placa Rede Externa
LAN="eth1" #Placa Rede Interna
REDE_INTERNA="192.168.0.0/24" #Range Rede Interna

#----SERVIDORES----
FIREWALL="192.168.0.1"
DATASUL="192.168.0.98"
FILE_SERVER="192.168.0.99"
PROSOFT="192.168.0.100"
CAMERAS="192.168.0.80"

EMAIL="192.168.0.99" # SERVIDOR DE EMAILS
FTP="192.168.0.99" # SERVIDOR FTP - Portas 20, 21 udp e tcp
WEB1="192.168.0.99" # SERVIDOR WEB - Porta 80
WEB2="192.168.0.98" # SERVIDOR WEB2 - Porta 443

#----DEFINICOES DE DNS----
DNS="192.168.0.1" # IP DO DNS1
DNS2="192.168.0.99" # IP DO DNS2

#----IPS DE TERCEIROS----
HONTRON1="xxx.xxx.xxx.xxx"
HONTRON2="xxx.xxx.xxx.xxx"
HONTRON3="xxx.xxx.xxx.xxx"
LOCAWEB_POP_SMTP="xxx.xxx.xxx.xxx"
LOCAWEB_SITE="xxx.xxx.xxx.xxx"
MACDATA="xxx.xxx.xxx.xxx"

#----IPs LIBERADOS----
MARCOS="10.1.0.10"
MARCOS2="192.168.0.9"

#----IPs CAIXA ECONOMICA FEDERAL----
CAIXA1="200.201.174.0/24"
CAIXA2="200.201.173.0/24"
CAIXA3="200.201.166.0/24"
CAIXA4="200.201.169.0/24"

#----IP DATAPREV (cafe.dataprev.org.br)----
DATAPREV="200.152.32.148"

#----IP RAIS----
RAIS="161.148.185.46"

#----IPs DES----
DES1="200.230.190.75"
DES2="200.230.190.129"

#----IP NFP1 (Nota Fiscal Paulista)----
NFP1="201.55.62.85"

#----IP COMERCIARIOS----
COMERCIARIOS="200.182.243.2"

#----IPs SYMANTEC----
FTP_SYMANTEC="69.22.137.0/24"
FTP_SYMANTEC2="64.86.106.0/24"
WEB_SYMANTEC="8.15.32.11/24"

#----PORTAS----
OPENVPN_PORT="11943" #Porta UDP do OpenVPN
PPTPD_PORT="1173" #Porta TCP do PPTPD
TED_PORTA="8017" #TED (Transmissao Eletronica de Documentos) Abrir porta 8017

function stop_firewall()
{
echo "Desativando as regras de Firewall..."
$IPTABLES -X
$IPTABLES -F
$IPTABLES -Z

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

$IPTABLES -t nat -X
$IPTABLES -t nat -F
$IPTABLES -t nat -Z
echo "Regras de Firewall Desativadas!!"
}

function start_firewall()
{

echo "Ativando as regras de Firewall..."

#----MODULOS-----
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ip_gre

#----SETA POLITICAS-----
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

#----IMPEDE ALTERAÇÃO DE ROTAS-----
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#----PROTEGE CONTRA RESPONSES BOGUS-----
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#----PROTEGE CONTRA SYN-FOOD------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#----CONTRA TRACEROUTE-----
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#----CONTRA IP SPOOFING----
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

#----INPUT-----
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -s $REDE_INTERNA -j ACCEPT
$IPTABLES -A INPUT -s $HONTRON2 -j ACCEPT
$IPTABLES -A INPUT -s $HONTRON3 -j ACCEPT
$IPTABLES -A INPUT -s $LOCAWEB_POP_SMTP -j ACCEPT
$IPTABLES -A INPUT -s $LOCAWEB_SITE -j ACCEPT
$IPTABLES -A INPUT -p 47 -j ACCEPT
# PORTAS INPUT
$IPTABLES -A INPUT -p tcp --dport 38392 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $OPENVPN_PORT -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport $PPTPD_PORT -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#----FORWARD-----
$IPTABLES -A FORWARD -s $MARCOS -j ACCEPT
$IPTABLES -A FORWARD -s $MARCOS2 -j ACCEPT
$IPTABLES -A FORWARD -s $LOCAWEB_POP_SMTP -j ACCEPT
$IPTABLES -A FORWARD -s $LOCAWEB_SITE -j ACCEPT
$IPTABLES -A FORWARD -s $MACDATA -j ACCEPT
$IPTABLES -A FORWARD -s $CAIXA1 -j ACCEPT
$IPTABLES -A FORWARD -s $CAIXA2 -j ACCEPT
$IPTABLES -A FORWARD -s $CAIXA3 -j ACCEPT
$IPTABLES -A FORWARD -s $CAIXA4 -j ACCEPT
$IPTABLES -A FORWARD -s $DATAPREV -j ACCEPT
$IPTABLES -A FORWARD -s $RAIS -j ACCEPT
$IPTABLES -A FORWARD -s $DES1 -j ACCEPT
$IPTABLES -A FORWARD -s $DES2 -j ACCEPT
$IPTABLES -A FORWARD -s $NFP1 -j ACCEPT
$IPTABLES -A FORWARD -s $COMERCIARIOS -j ACCEPT
$IPTABLES -A FORWARD -s $FTP_SYMANTEC -j ACCEPT
$IPTABLES -A FORWARD -s $FTP_SYMANTEC2 -j ACCEPT
$IPTABLES -A FORWARD -s $WEB_SYMANTEC -j ACCEPT
# PORTAS FORWARD
$IPTABLES -A FORWARD -p tcp --dport $TED_PORTA -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#----NAT------
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE

#----CAMERAS----
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 8888 -j DNAT --to-destination $CAMERAS:8888
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 8080 -j DNAT --to-destination $CAMERAS:8080
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 7620 -j DNAT --to-destination $CAMERAS:7620
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 7621 -j DNAT --to-destination $CAMERAS:7621
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 7622 -j DNAT --to-destination $CAMERAS:7622
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 7623 -j DNAT --to-destination $CAMERAS:7623
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 7624 -j DNAT --to-destination $CAMERAS:7624
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 7625 -j DNAT --to-destination $CAMERAS:7625

#----CONEXAO AO SQUID-----
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s $MARCOS -j RETURN
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -s $MARCOS2 -j RETURN
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

#----ROTEAMENTO-----
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Regras de Firewall Ativadas com Sucesso!!"

}

case $1 in
"start")
start_firewall
;;
"stop")
stop_firewall
;;
"restart")
stop_firewall
start_firewall
;;
*)
echo "Use: $0 {start|stop|restart}"
esac


  






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts