Trouble with firewall on ubuntu server 24-04

1. Trouble with firewall on ubuntu server 24-04

Adriano Cadriza
Adriano_Cadriza

(uses Debian)

Posted on 17/06/2024 - 13:08h

Hi

I have a firewall script (iptables) that was fully functional until last week. It stopped working and only what went through squid worked on the workstations.

Half desperate, not knowing what to do, I went poking around at random in webmin to see if I could find anything that would help me, and in the squid settings I found the following message:

Your Linux Firewall module does not appear to be fully installed on your system. This module is used to do port redirection.
(the text "Linux Firewall" is a link that returns 404 File not found: /firewall/')

Then I clicked the firewall module in the left-hand menu (Networking -- Linux Firewall) and pressed the apply, restart and revert buttons in no particular order, and my script started working again...

But if I reboot the server, I have to do that again for it to come back.

Do you know what it could be?


  


2. Re: Trouble with firewall on ubuntu server 24-04

Daniel Lara Souza
danniel-lara

(uses Fedora)

Posted on 17/06/2024 - 14:20h


could you post your script?


3. Re: Trouble with firewall on ubuntu server 24-04

Adriano Cadriza
Adriano_Cadriza

(uses Debian)

Posted on 17/06/2024 - 14:30h

Hello. Thanks for your willingness to help.

Here it is


#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall.sh at boot time
# Description: Enable service provided by firewall.sh.
### END INIT INFO

#enp3s0 is the internet-facing interface
#enp5s0 is the LAN interface

iptables -F
iptables -Z
iptables -X
iptables -F -t nat

#Enable NAT
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

#Ignore pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

#Remote access
iptables -A INPUT -p tcp --destination-port 5657 -j ACCEPT

#anonymous proxy
iptables -A INPUT -p tcp -s 177.68.157.7 --destination-port 3128 -j ACCEPT
iptables -A INPUT -p tcp -s 189.54.69.192 --destination-port 3128 -j ACCEPT

#E-mail
iptables -A INPUT -p tcp --destination-port 143 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 587 -j ACCEPT

#samba access
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 139 -j DNAT --to-destination 192.168.40.2:139 #apache server7
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 135 -j DNAT --to-destination 192.168.40.2:135 #apache server7
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.40.2:445 #apache server7

#NFE access
iptables -t nat -A PREROUTING -p tcp -d 201.55.62.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d 201.55.62.0/24 --dport 80 -j ACCEPT

#External access to Apache
#iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 21 -j ACCEPT

#ftp
#iptables -A FORWARD -p TCP --dport 21 -i enp3s0 -j ACCEPT
#iptables -A FORWARD -p UDP --dport 21 -i enp3s0 -j ACCEPT
#iptables -A OUTPUT-p TCP --dport 21 -j accept
#iptables -A OUTPUT -p ALL -j DROP


#Webmin access
iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT

# Open an address range for the internal network
iptables -A INPUT -p tcp --syn -s 192.168.40.0/255.255.255.0 -j ACCEPT

# Open the loopback interface.
# This rule is essential for KDE and other graphical programs
# to work properly.
iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

# Note: enp3s0 is the external network.
# Computers with full access


# Exempt from going through squid
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.8 -o enp3s0 # phac
iptables -t nat -A PREROUTING -i enp5s0 -s 192.168.40.8 -p tcp --dport 80 -j ACCEPT # phac
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.10 -o enp3s0 # Adriano
iptables -t nat -A PREROUTING -i enp5s0 -s 192.168.40.10 -p tcp --dport 80 -j ACCEPT # Adriano
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.11 -o enp3s0 # JA


#Router exemptions
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.30 -o enp3s0 # Calibratec01
iptables -t nat -A PREROUTING -i enp5s0 -s 192.168.40.30 -p tcp --dport 80 -j ACCEPT
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.140 -o enp3s0 # Calibratec01
iptables -t nat -A PREROUTING -i enp5s0 -s 192.168.40.140 -p tcp --dport 80 -j ACCEPT
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.146 -o enp3s0 # Calibratec01
iptables -t nat -A PREROUTING -i enp5s0 -s 192.168.40.146 -p tcp --dport 80 -j ACCEPT


#Notebook exemptions
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.50 -o enp3s0 # Note01_Asus
iptables -t nat -A PREROUTING -i enp5s0 -s 192.168.40.50 -p tcp --dport 80 -j ACCEPT
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.82 -o enp3s0 # Note02_DIM


#Temporary exemptions
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.168 -o enp3s0 # Rafael
iptables -t nat -A PREROUTING -i enp5s0 -s 192.168.40.168 -p tcp --dport 80 -j ACCEPT # Rafael
iptables -I POSTROUTING 1 -j MASQUERADE -t nat -s 192.168.40.106 -o enp3s0 # Rafael
iptables -t nat -A PREROUTING -i enp5s0 -s 192.168.40.106 -p tcp --dport 80 -j ACCEPT # Rafael

#Antivirus exemptions

#Port forwards.
#iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 4590 -j DNAT --to-destination 192.168.40.3:4590 #ServidorSiscal_TS_PortaNova
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.40.10:5900 #VNCAdriano
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5991 -j DNAT --to-destination 192.168.40.91:5900 #VNCJA
#iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5984 -j DNAT --to-destination 192.168.40.84:5900 #VNCVA
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5903 -j DNAT --to-destination 192.168.40.8:5900 #VNC03 Phac
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5904 -j DNAT --to-destination 192.168.40.83:5900 #VNCDani
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5984 -j DNAT --to-destination 192.168.40.72:5900 #VNCLigia (alternates with Va)
#iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5984 -j DNAT --to-destination 192.168.40.88:5900 #VNCJu (alternates with Va)
#iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 5657 -j DNAT --to-destination 192.168.40.2:5657 #allows direct external access to the file server



#Siemens ports
iptables -A FORWARD -p TCP --dport 9191 -i enp3s0 -j ACCEPT
iptables -A FORWARD -p TCP --dport 37777 -i enp3s0 -j ACCEPT
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 9191 -o enp3s0
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 37777 -o enp3s0
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 9191 -j DNAT --to-destination 192.168.40.148:9191
iptables -t nat -A PREROUTING -i enp3s0 -p tcp -m tcp --dport 37777 -j DNAT --to-destination 192.168.40.148:37777

# Woooooorks e-mail
iptables -A FORWARD -p TCP --dport 25 -i enp3s0 -j ACCEPT
iptables -A FORWARD -p UDP --dport 53 -i enp3s0 -j ACCEPT
iptables -A FORWARD -p TCP --dport 110 -i enp3s0 -j ACCEPT
iptables -A FORWARD -p TCP --dport 143 -i enp3s0 -j ACCEPT #IMAP
iptables -A FORWARD -p TCP --dport 993 -i enp3s0 -j ACCEPT
iptables -A FORWARD -p TCP --dport 465 -i enp3s0 -j ACCEPT
iptables -A FORWARD -p TCP --dport 587 -i enp3s0 -j ACCEPT
iptables -A FORWARD -p TCP --dport 2500 -i enp3s0 -j ACCEPT #budget (marcia)
iptables -A FORWARD -p TCP --dport 3080 -i enp3s0 -j ACCEPT #budget (marcia)
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 25 -o enp3s0
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 110 -o enp3s0
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p udp --dport 53 -o enp3s0
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 143 -o enp3s0 #IMAP
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 993 -o enp3s0
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 465 -o enp3s0
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 587 -o enp3s0
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 2500 -o enp3s0 #budget (marcia)
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 3080 -o enp3s0 #budget (marcia)


# Wooooorks Itau
iptables -A FORWARD -p TCP --dport 443 -i enp3s0 -j ACCEPT
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 443 -o enp3s0
iptables -A FORWARD -p TCP --dport 9787 -i enp3s0 -j ACCEPT
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 9787 -o enp3s0
iptables -A FORWARD -p TCP --dport 809 -i enp3s0 -j ACCEPT
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 809 -o enp3s0
iptables -A FORWARD -p TCP --dport 8080 -i enp3s0 -j ACCEPT
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 8080 -o enp3s0
iptables -A FORWARD -p TCP --dport 7777 -i enp3s0 -j ACCEPT
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 7777 -o enp3s0
#iptables -A FORWARD -p TCP --dport 2083 -i enp3s0 -j ACCEPT
#iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.40.0/24 -p tcp --dport 2083 -o enp3s0



#Redirect to Squid
iptables -t nat -A PREROUTING -i enp5s0 -m multiport -p tcp --dport 80,8080 -j REDIRECT --to-port 3128

#RESERVED FOR BLOCKING HIGH PORTS
#
# Assorted protections against portscanners, ping of death, DoS attacks, etc.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
## iptables -A FORWARD -m unclean -j DROP

# Ignore any incoming packet, from any address, unless specified
# otherwise above. Blocks everything.
iptables -A INPUT -p tcp --syn -j DROP
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for i in /proc/sys/net/ipv4/conf/*; do
echo 0 > "$i/accept_redirects"
echo 0 > "$i/accept_source_route"
echo 1 > "$i/log_martians"
echo 1 > "$i/rp_filter"
done
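The symptom in this thread is a firewall whose rules silently vanish after a reboot, leaving the host with empty tables and all-ACCEPT policies until someone notices. The following post-boot check is an added example, not the poster's script or anything from the thread: it reads an iptables-save dump plus the ip_forward sysctl and reports which of the rules the script above is supposed to install are absent. The file name fwcheck.sh, the choice of rule fragments to look for, and the constructed sample dumps are assumptions made here.

```shell
#!/bin/sh
# fwcheck.sh: post-boot sanity check for the firewall script posted above
# (added example, not the poster's code). Reads an iptables-save dump plus the
# ip_forward sysctl value and lists the rules the script should have installed
# but which are absent, so rules lost after a reboot are caught by a cron job.

# Stable fragments of the rules the script installs (squid redirect, remote
# access port, webmin, masquerade), as iptables-save prints them. Fragments,
# not whole lines, because iptables-save rewrites the option spellings.
EXPECTED='-j REDIRECT --to-ports 3128
--dport 5657 -j ACCEPT
--dport 10000 -j ACCEPT
-o enp3s0 -j MASQUERADE'
# check_dump DUMPFILE IP_FORWARD_VALUE: prints one "MISSING: ..." line per
# absent item, then "missing=N"; returns 0 when everything is present, else 1.
check_dump() {
  dump="$1"; ip_forward="$2"; missing=0
  while IFS= read -r rule; do
    if ! grep -qF -- "$rule" "$dump"; then
      echo "MISSING: $rule"; missing=$((missing + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  if [ "$ip_forward" != "1" ]; then
    echo "MISSING: net.ipv4.ip_forward=1 (current value: ${ip_forward:-unset})"
    missing=$((missing + 1))
  fi
  echo "missing=$missing"
  [ "$missing" -eq 0 ]
}
# Constructed dumps for offline use: what iptables-save shows after the script
# ran, and after a reboot in which it did not run (empty tables).
SAMPLE_OK='*nat
-A PREROUTING -i enp5s0 -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.40.10/32 -o enp3s0 -j MASQUERADE
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 5657 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
COMMIT'
SAMPLE_AFTER_REBOOT='*filter
COMMIT'
# Live check (needs root): ./fwcheck.sh --live
if [ "${1:-}" = "--live" ]; then
  dump=$(mktemp) && iptables-save > "$dump"
  check_dump "$dump" "$(cat /proc/sys/net/ipv4/ip_forward)"; rc=$?; rm -f "$dump"; exit "$rc"
fi
```

Run it from cron a minute after boot (or from a systemd timer) and alert on a non-zero exit; a dump that looks like SAMPLE_AFTER_REBOOT is exactly the state the poster hits before pressing the Webmin buttons.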