reynatojr
(usa Ubuntu)
Enviado em 06/04/2010 - 15:51h
=/ não deu... quer que eu coloque o firewall antigo, onde funciona, pra poder analisar?
Segue abaixo:
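#!/bin/sh
#
# iptables-based packet filter / NAT loader.
# Usage: <this script> start|stop|restart [(-all)|-filter|-nat]
#
# The "#!" line must be the very first line of the file. In the original a
# bare "#" line preceded it, so the kernel ignored the shebang and the script
# ran under whatever shell happened to invoke it.
#
# debug? (uncomment the following line)
#set -x
#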
###################################
# V A R I A V E I S / A L I A S E S
###################################
# ********
# comandos
# ********
# BASICOS
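# Basic commands, by absolute path so the script does not depend on PATH
# (init and cron environments often lack /sbin).
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
# NAT table append helpers
PSR="$IPTABLES -t nat -A POSTROUTING"
PRR="$IPTABLES -t nat -A PREROUTING"
# Built-in filter chains
INPUT="$IPTABLES -t filter -A INPUT"
OUTPUT="$IPTABLES -t filter -A OUTPUT"
FORWARD="$IPTABLES -t filter -A FORWARD"
# Local traffic (the firewall host itself <-> each zone); chains are created
# in chains_load.
FNI="$IPTABLES -t filter -A FIREWALL_N_INTERNET"
FND1="$IPTABLES -t filter -A FIREWALL_N_DMZ1"
FNA="$IPTABLES -t filter -A FIREWALL_N_INTRANET"
# Routed traffic (FORWARD sub-chains). INI is used by every rule in
# rpolicy_intranet_n_internet; in the original this line had been replaced by
# a stray "c", so each "$INI ..." there expanded to a bare "-s ..." and failed
# with "command not found" -- no intranet<->internet rule was ever loaded.
INI="$IPTABLES -t filter -A INTRANET_N_INTERNET"
#IND1="$IPTABLES -t filter -A INTRANET_N_DMZ1"
#D1NI="$IPTABLES -t filter -A DMZ1_N_INTERNET"
# NetBIOS / SMB chains
SMB2kS="$IPTABLES -t filter -A SMB2k_SERVER"
SMB2kC="$IPTABLES -t filter -A SMB2k_CLIENT"
SMBNTS="$IPTABLES -t filter -A SMBNT_SERVER"
SMBNTC="$IPTABLES -t filter -A SMBNT_CLIENT"
# Security chains
FDROP="$IPTABLES -A FIRSTDROP"
DROPNL="$IPTABLES -A DROPNOTLOG"
LWBL="$IPTABLES -A LW_BLACKLIST"
LW="$IPTABLES -A LOGWATCH"
# Rate-limited LOG target. Used unquoted so it word-splits into options;
# callers append the --log-prefix value, e.g.  $INPUT $LOG "INPUT geral: "
LOG="-m limit --limit 1/min --limit-burst 5 -j LOG --log-prefix"
# **********
# interfaces
# **********
IF_LOC="lo" # loopback
IF_INT_ADM="eth0" # internal (administrative) network
IF_EXT="eth1" # external (internet) network
IF_INT_LAB="eth2" # lab network (labelled "DMZ 1" in the original)
# *****
# networks
# *****
ANY="0.0.0.0/0" # any remote address
NET_LOC="127.0.0.0/8" # network behind IF_LOC
NET_INT_ALL="10.0.0.0/16 192.168.0.0/24" # all internal networks; space-separated, iterated with "for i in $NET_INT_ALL"
NET_INT_ADM="10.0.0.0/16"
NET_INT_LAB="192.168.0.0/24"
# ***************
# servers
# ***************
IP_SRV_ACAD="192.168.0.2"
IP_SRV_ADM="10.0.0.2"
# server groups
GRP_WINDOWS_SRVS="$IP_SRV_ADM $IP_SRV_ACAD"
# ***************
# intranet hosts
# ***************
IP_INT_DESENV1="10.0.0.197"
IP_INT_DESENV2="10.0.0.33"
IP_INT_DESENV3="10.0.0.32"
IP_INT_DP1="10.0.0.24"
IP_INT_DP2="10.0.0.25"
IP_INT_FIJ="192.168.0.2"
# ***************
# vpn users
# ***************
USR_VPN_="10.0.253." # address prefix only, not a full address
# ***************
# user groups
# ***************
#GRP_USRS_HELPDESK="$EST_RICARDO_INT $EST_HELPDESK1_INT $EST_HELPDESK2_INT"
GRP_USRS_DP="10.0.0.0/24"
GRP_USRS_DESENV="$IP_INT_DESENV1 $IP_INT_DESENV2 $IP_INT_DESENV3"
# *********
# addresses of the firewall host itself
# *********
IP_LOC="127.0.0.1" # loopback
IP_INT_ADM="10.0.0.9"
IP_INT_LAB="192.168.0.17" # internal addresses
IP_EXT="200.155.25.214" # external address: outbound NAT and the firewall's own traffic
IP_EXT_NAT="200.155.25.214" # external address for inbound NAT
IP_NAT_GERAL="200.155.25.214" # address everyone is NATed to
# *****************
# internet hosts
# *****************
CAIXA_CONNSOCIAL="200.201.173.0/24 200.201.174.0/24 200.201.166.0/24"
IP_EXT_SUPORTE="FIXO" # placeholder, not an address (only referenced from commented-out rules)
SRVS_DNS_DOMINAL="200.150.144.254 200.150.144.253"
IP_EXT_TERRA="200.192.192.5"
SRV_RECEITAFEDERAL="161.148.185.140"
# Placeholder, not an address: iptables has to resolve "FIXO" as a host name,
# so the live rules in rpolicy_intranet_n_internet that use it fail to load
# until a real address is filled in.
SRV_ALOG_EAD="FIXO"
SRV_FETRANSPOR="200.255.208.38"
#*****************
# internet host groups
#*****************
# Only referenced (as SRVS_EMAILS_EXT) from commented-out rules.
SRVS_EMAIL_EXT="216.109.112.135 209.73.177.115 200.226.132.230 209.73.177.115 200.221.8.150 66.249.83.19"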
###############################
# S C R I P T S
##################################
unload_filter() {
  # Open the built-in policies first so nothing is left blackholed while
  # the rules and user chains below are removed.
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" ACCEPT
  done
  $IPTABLES -F # flush every rule in the filter table
  $IPTABLES -X # delete the now-empty user-defined chains
}
unload_nat() {
  # Flush, then delete user chains, in the nat table only.
  for op in -F -X; do
    $IPTABLES -t nat "$op"
  done
}
unload_all() {
  # Tear down the filter table, then the nat table; each step runs even if
  # the previous one reported an error.
  unload_filter; unload_nat
}
chains_load() {
  # Create every user-defined chain up front so the rule functions can append
  # to them. Creation order: state/flag ACCEPT helpers, firewall-host<->zone
  # chains, FORWARD sub-chains, NetBIOS chains, then the drop/log/blacklist
  # chains.
  for chain in \
    SERVER_ACCEPT CLIENT_ACCEPT RELATED_ACCEPT \
    FIREWALL_N_INTERNET FIREWALL_N_DMZ1 FIREWALL_N_INTRANET \
    INTRANET_N_INTERNET INTRANET_N_DMZ1 DMZ1_N_INTERNET \
    SMB2k_SERVER SMB2k_CLIENT SMBNT_SERVER SMBNT_CLIENT \
    FIRSTDROP DROPNOTLOG LOGWATCH LW_BLACKLIST; do
    $IPTABLES -N "$chain"
  done
}
nat_chains_load() {
  # No user-defined nat chains are needed; kept as a no-op (exit status 0)
  # so load_nat can call it unconditionally.
  :
}
filter_rules_load() {
# Populate the filter table. chains_load must have run first; every call
# below only appends to its chains.
state_n_flag # SERVER_/CLIENT_/RELATED_ACCEPT helper chains (state + SYN checks)
input # per-interface dispatch for the INPUT chain
output # per-interface dispatch for the OUTPUT chain
forward # per-interface-pair dispatch for the FORWARD chain
lw_blacklist # LW_BLACKLIST chain: rate-limited log, then drop
netbios # SMBNT_* chains. NOTE(review): nothing in the visible script jumps to them, so they are currently inert
first_drop # FIRSTDROP chain: drop INVALID-state packets
drop_not_log # DROPNOTLOG chain: silent drop of a fixed source list
local_policy # FIREWALL_N_* chains: firewall host <-> each zone
rpolicy_intranet_n_internet # INTRANET_N_INTERNET chain: routed traffic; also appends one nat PREROUTING rule
# logwatch() is commented out, so the LOGWATCH chain created in chains_load
# stays empty and packets sent to it simply fall through.
}
nat_rules_load() {
  # DNAT/REDIRECT rules first, then the outbound SNAT rules.
  prerouting; postrouting
}
pdefault_load() {
  # Default policy DROP on all three built-in chains: anything not explicitly
  # accepted by the rules (and logged by the trailing $LOG rules) is dropped.
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" DROP
  done
}
load_filter() {
  # Create the chains, fill them, and only then switch the built-in policies
  # to DROP, so rules are already in place when the default closes.
  chains_load; filter_rules_load; pdefault_load
}
load_nat() {
  # nat chains (currently none), then the nat rules.
  nat_chains_load; nat_rules_load
}
load_all() {
  # Filter table first, nat table second.
  load_filter; load_nat
}
modules_load() {
  # Load the netfilter modules the ruleset relies on (LOG target, conntrack,
  # NAT, FTP helpers). These are the pre-2.6.20 module names; on newer
  # kernels they may be aliases of the nf_* modules or absent -- check
  # modprobe's output if stateful or NAT rules fail to load.
  for mod in ip_tables ipt_LOG iptable_filter ip_conntrack iptable_nat ip_conntrack_ftp ip_nat_ftp; do
    $MODPROBE "$mod"
  done
  #$MODPROBE ip_nat_pptp
}
modules_unload() {
  # Remove modules in dependency order: match/target extensions first, then
  # the NAT and conntrack helpers, then the table modules, ip_tables last.
  # modprobe -r reports (but this script ignores) modules still in use.
  for mod in \
    ipt_REDIRECT xt_state xt_tcpudp xt_limit ipt_recent \
    ip_nat x_tables ip_nat_ftp ip_nat_pptp ip_conntrack_ftp \
    iptable_nat ip_conntrack iptable_filter ipt_LOG ip_tables; do
    $MODPROBE -r "$mod"
  done
}
state_n_flag() {
# Helper chains used as jump targets by the rest of the ruleset. A packet
# that matches none of a helper's rules returns to the calling chain and
# continues to be evaluated there.
#####################
# ACCEPT OF REQUESTS (SERVER_ACCEPT: the side that may open connections)
#####################
# Non-TCP: accept NEW flows. "-p ! tcp" is the old intrapositioned negation;
# newer iptables releases deprecate it in favour of "! -p tcp" -- watch for
# a warning when loading.
$IPTABLES -A SERVER_ACCEPT -p ! tcp -m state --state NEW -j ACCEPT
# TCP: a NEW connection must begin with a SYN-only packet.
$IPTABLES -A SERVER_ACCEPT -p tcp -m state --state NEW --syn -j ACCEPT
# Packets belonging to an already tracked connection.
$IPTABLES -A SERVER_ACCEPT -m state --state ESTABLISHED -j ACCEPT
#####################
# ACCEPT OF REPLIES (CLIENT_ACCEPT: never NEW, only tracked replies)
#####################
$IPTABLES -A CLIENT_ACCEPT -m state --state ESTABLISHED -j ACCEPT
###################################
# ACCEPT OF RELATED CONNECTIONS (e.g. FTP data channels tracked by the
# ip_conntrack_ftp helper loaded in modules_load)
###################################
$IPTABLES -A RELATED_ACCEPT -m state --state RELATED,ESTABLISHED -j ACCEPT
}
##################################
# R E G R A S NAT
##################################
# *******************
# POSTROUTING ou SNAT
# *******************
# $PSR = /sbin/iptables -t nat -A POSTROUTING
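postrouting() {
  # Source-NAT each internal network to the public address, but only for
  # packets that actually leave through the external interface. The original
  # rule had no -o match, so it also rewrote the source of anything routed
  # out of any other interface (e.g. between the internal networks).
  for net in $NET_INT_ALL; do
    $PSR -s "$net" -d "$ANY" -o "$IF_EXT" -j SNAT --to "$IP_EXT_NAT"
  done
  # Keep the function's exit status 0 even when NET_INT_ALL is empty.
  :
}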
# ******************
# PREROUTING ou DNAT
# ******************
# $PRR = /sbin/iptables -t nat -A PREROUTING
prerouting() {
  # Intentionally empty: every DNAT/REDIRECT below is disabled. ":" keeps the
  # function a valid no-op with exit status 0.
  :
  #for i in $CAIXA_CONNSOCIAL; do
  # $PRR -i $IF_INT_ADM -s ! $IP_INT_DP2 -d ! $i -p tcp --dport 80 -j REDIRECT --to-port 3128
  #done;
  #$PRR -i $IF_INT_LAB -s $NET_INT_LAB -p tcp --dport 80 -j REDIRECT --to-port 3128
  #$PRR -i $IF_INT_LAB -s $NET_INT_LAB -p tcp --dport 443 -j REDIRECT --to-port 3128
  #$PRR -s $ANY -d $IP_EXT -p tcp --dport 1723 -j DNAT --to $SRV_W2003PDC_INT:1723
  #$PRR -s $ANY -d $IP_EXT -p 47 -j DNAT --to $SRV_W2003PDC_INT
}
##################################
# R E G R A S FILTROS
##################################
# ***********************
# REGRAS BASICAS DE INPUT
# ***********************
# $INPUT = /sbin/iptables -t filter -A INPUT
# Dispatch INPUT packets arriving on one interface: zone chain, then the
# silent DROPNOTLOG list, then rate-limited log + drop of whatever the zone
# chain did not accept.
#   $1 = interface, $2 = zone chain, $3 = log prefix
_input_from_if() {
  $INPUT -i "$1" -j "$2"
  $INPUT -i "$1" -j DROPNOTLOG
  $INPUT -i "$1" $LOG "$3"
  $INPUT -i "$1" -j DROP
}
input() {
  $INPUT -i "$IF_LOC" -j ACCEPT
  # Security pre-checks: sources flagged by the logwatch blacklist within the
  # last 7200 s, the LOGWATCH chain (empty while logwatch() is commented out),
  # then FIRSTDROP for INVALID-state packets.
  $INPUT -m recent --rcheck --name lw_blacklist --seconds 7200 -j LW_BLACKLIST
  $INPUT -j LOGWATCH
  $INPUT -j FIRSTDROP
  _input_from_if "$IF_EXT" FIREWALL_N_INTERNET "INPUT ext-to-fw: "
  #$INPUT -i $IF_DMZ1 -j FIREWALL_N_DMZ1 # input na if dmz1
  #$INPUT -i $IF_DMZ1 -j DROPNOTLOG # DEFAULT DROP SEM LOG
  #$INPUT -i $IF_DMZ1 $LOG "INPUT dmz1-to-fw: "
  #$INPUT -i $IF_DMZ1 -j DROP
  _input_from_if "$IF_INT_ADM" FIREWALL_N_INTRANET "INPUT int-adm-to-fw: "
  _input_from_if "$IF_INT_LAB" FIREWALL_N_INTRANET "INPUT int-lab-to-fw: "
  # Anything still unmatched is logged here before hitting the DROP policy.
  $INPUT $LOG "INPUT geral: "
}
# ***********************
# REGRAS BASICAS DE OUTPUT
# ***********************
# $OUTPUT = /sbin/iptables -t filter -A OUTPUT
# Dispatch OUTPUT packets leaving through one interface: zone chain, then
# rate-limited log + drop of whatever the zone chain did not accept.
#   $1 = interface, $2 = zone chain, $3 = log prefix
_output_to_if() {
  $OUTPUT -o "$1" -j "$2"
  $OUTPUT -o "$1" $LOG "$3"
  $OUTPUT -o "$1" -j DROP
}
output() {
  $OUTPUT -o "$IF_LOC" -j ACCEPT
  _output_to_if "$IF_EXT" FIREWALL_N_INTERNET "OUTPUT fw-to-ext: "
  #$OUTPUT -o $IF_DMZ1 -j FIREWALL_N_DMZ1 # output na if dmz1
  #$OUTPUT -o $IF_DMZ1 $LOG "OUTPUT fw-to-dmz1: "
  #$OUTPUT -o $IF_DMZ1 -j DROP
  # Both internal interfaces share the FIREWALL_N_INTRANET chain and (as in
  # the original) the same log prefix.
  _output_to_if "$IF_INT_ADM" FIREWALL_N_INTRANET "OUTPUT fw-to-int: "
  _output_to_if "$IF_INT_LAB" FIREWALL_N_INTRANET "OUTPUT fw-to-int: "
  # Anything still unmatched is logged here before hitting the DROP policy.
  $OUTPUT $LOG "OUTPUT geral: "
}
# *************************
# REGRAS BASICAS DE FORWARD
# *************************
# $FORWARD = /sbin/iptables -t filter -A FORWARD
# Dispatch FORWARD packets for one (in, out) interface pair into
# INTRANET_N_INTERNET, then DROPNOTLOG, then rate-limited log + drop.
#   $1 = in interface, $2 = out interface, $3 = log prefix
_forward_between() {
  $FORWARD -i "$1" -o "$2" -j INTRANET_N_INTERNET
  $FORWARD -i "$1" -o "$2" -j DROPNOTLOG
  $FORWARD -i "$1" -o "$2" $LOG "$3"
  $FORWARD -i "$1" -o "$2" -j DROP
}
forward() {
  # Security pre-checks: logwatch blacklist (7200 s window), the LOGWATCH
  # chain, then FIRSTDROP for INVALID-state packets.
  $FORWARD -m recent --rcheck --name lw_blacklist --seconds 7200 -j LW_BLACKLIST
  $FORWARD -j LOGWATCH
  $FORWARD -j FIRSTDROP
  # Both directions of each internal<->external pair go through the same
  # INTRANET_N_INTERNET chain, so rules there are only direction-specific
  # when they carry their own -s/-d matches.
  _forward_between "$IF_INT_ADM" "$IF_EXT" "FORWARD, int-to-ext: "
  _forward_between "$IF_EXT" "$IF_INT_ADM" "FORWARD, ext-to-int: "
  _forward_between "$IF_INT_LAB" "$IF_EXT" "FORWARD, int-to-ext: "
  _forward_between "$IF_EXT" "$IF_INT_LAB" "FORWARD, ext-to-int: "
  # Anything still unmatched (including traffic between the two internal
  # interfaces) is logged here before hitting the DROP policy.
  $FORWARD $LOG "FORWARD geral: "
}
# ##############################
# RULES DE SEGURANCA
# ##############################
# ********************************
# LOGWATCH
# ********************************
# $LW = /sbin/iptables -A LOGWATCH
#logwatch() {
#$LW -j LOG --log-prefix "LOGWATCH dropped: "
#}
# ********************************
# LW_BLACKLIST
# ********************************
# $LWBL = /sbin/iptables -A LW_BLACKLIST
lw_blacklist() {
  # Rate-limited log using the shared $LOG options, then drop.
  $LWBL $LOG "LW_BLACKLIST: "
  $LWBL -j DROP
}
# ********************************
# FIRST DROP
# ********************************
# $FDROP = /sbin/iptables -A FIRSTDROP
first_drop() {
# Early sanity drop: packets conntrack cannot associate with any tracked
# connection (INVALID state) are discarded without logging.
$FDROP -m state --state INVALID -j DROP
}
# ********************************
# DROP SEM LOG
# ********************************
# $DROPNL = /sbin/iptables -A DROPNOTLOG
drop_not_log() {
  # Fixed list of sources dropped silently (no LOG rule); list order is kept.
  for src in 10.30.2.69 200.153.158.200 218.152.53.124 220.90.248.70 61.76.138.40; do
    $DROPNL -s "$src" -j DROP
  done
}
# ##############################
# RULES REAIS PARA TRAFICO LOCAL
# ##############################
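local_policy() {
  # *******************
  # FIREWALL_N_INTERNET ($FNI = iptables -t filter -A FIREWALL_N_INTERNET)
  # Traffic between the firewall host itself and the internet.
  # *******************
  # The original chain started with "-p tcp --sport 113 -j ACCEPT": no state,
  # address or destination-port match, so any TCP packet whose source port
  # was 113 -- new connections included -- was accepted to every local port,
  # bypassing the allow-list below. Replies to the firewall's own ident
  # queries are already covered by the CLIENT_ACCEPT rule, so the rule is
  # dropped. (If the intent was to avoid ident time-outs on inbound mail,
  # the usual form is a REJECT of --dport 113, not an ACCEPT of --sport 113.)
  #
  # The host may open anything outbound; inbound is reply-only here.
  $FNI -s $IP_EXT -d $ANY -j SERVER_ACCEPT
  $FNI -d $IP_EXT -s $ANY -j CLIENT_ACCEPT
  # Inbound services: 80/443 (http/https), 1723 + GRE (PPTP), 21 (FTP),
  # 53/udp. The original listed the 80 and 443 pairs twice; the duplicate
  # rules (which could never match, the first copy wins) are removed.
  $FNI -s $ANY -d $IP_EXT -p tcp --dport 80 -j SERVER_ACCEPT
  $FNI -s $IP_EXT -d $ANY -p tcp --sport 80 -j CLIENT_ACCEPT
  $FNI -s $ANY -d $IP_EXT -p tcp --dport 443 -j SERVER_ACCEPT
  $FNI -s $IP_EXT -d $ANY -p tcp --sport 443 -j CLIENT_ACCEPT
  $FNI -s $ANY -d $IP_EXT -p tcp --dport 1723 -j SERVER_ACCEPT
  $FNI -s $IP_EXT -d $ANY -p tcp --sport 1723 -j CLIENT_ACCEPT
  # GRE (protocol 47) is accepted statelessly in both directions.
  $FNI -s $ANY -d $IP_EXT -p 47 -j ACCEPT
  $FNI -s $IP_EXT -d $ANY -p 47 -j ACCEPT
  $FNI -s $ANY -d $IP_EXT -p tcp --dport 21 -j SERVER_ACCEPT
  $FNI -s $IP_EXT -d $ANY -p tcp --sport 21 -j CLIENT_ACCEPT
  $FNI -s $ANY -d $IP_EXT -p udp --dport 53 -j SERVER_ACCEPT
  $FNI -s $IP_EXT -d $ANY -p udp --sport 53 -j CLIENT_ACCEPT
  # Support-desk SSH (disabled; IP_EXT_SUPORTE is a placeholder)
  #$FNI -s $IP_EXT_SUPORTE -d $IP_EXT -p tcp --dport 22 -j SERVER_ACCEPT
  #$FNI -s $IP_EXT -d $IP_EXT_SUPORTE -p tcp --sport 22 -j CLIENT_ACCEPT
  #$FNI -s $ANY -d $IP_EXT -p tcp --dport 2000 -j SERVER_ACCEPT
  #$FNI -s $IP_EXT -d $ANY -p tcp --sport 2000 -j CLIENT_ACCEPT
  # *******************
  # FIREWALL_N_INTRANET ($FNA = iptables -t filter -A FIREWALL_N_INTRANET)
  # The host and each internal network may open connections to each other.
  # *******************
  $FNA -s $NET_INT_ADM -d $IP_INT_ADM -j SERVER_ACCEPT
  $FNA -s $IP_INT_ADM -d $NET_INT_ADM -j CLIENT_ACCEPT
  $FNA -s $IP_INT_ADM -d $NET_INT_ADM -j SERVER_ACCEPT
  $FNA -s $NET_INT_ADM -d $IP_INT_ADM -j CLIENT_ACCEPT
  $FNA -s $NET_INT_LAB -d $IP_INT_LAB -j SERVER_ACCEPT
  $FNA -s $IP_INT_LAB -d $NET_INT_LAB -j CLIENT_ACCEPT
  $FNA -s $IP_INT_LAB -d $NET_INT_LAB -j SERVER_ACCEPT
  $FNA -s $NET_INT_LAB -d $IP_INT_LAB -j CLIENT_ACCEPT
}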
##########################
# NETBIOS (SMB) RULES
##########################
# $SMB2kS = /usr/local/sbin/iptables -A SMB2k_SERVER
# $SMB2kC = /usr/local/sbin/iptables -A SMB2k_CLIENT
# $SMBNTS = /usr/local/sbin/iptables -A SMBNT_SERVER
# $SMBNTC = /usr/local/sbin/iptables -A SMBNT_CLIENT
netbios() {
  # SMBNT_SERVER: inbound NT-style SMB from unprivileged client ports to
  # RPC (135), NetBIOS session (139), WINS replication (42) and CIFS (445);
  # NetBIOS name/datagram services (137/138 udp) are accepted statelessly.
  for port in 135 139 42 445; do
    $SMBNTS -p tcp --sport 1024: --dport "$port" -j SERVER_ACCEPT
  done
  for port in 137 138; do
    $SMBNTS -p udp --sport "$port" --dport "$port" -j ACCEPT
  done
  # SMBNT_CLIENT: the mirror image, replies from the service ports.
  for port in 135 139 42 445; do
    $SMBNTC -p tcp --sport "$port" --dport 1024: -j CLIENT_ACCEPT
  done
  for port in 137 138; do
    $SMBNTC -p udp --sport "$port" --dport "$port" -j ACCEPT
  done
}
# ################################
# RULES REAIS PARA TRAFICO ROTEADO
# ################################
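rpolicy_intranet_n_internet() {
  # *******************
  # INTRANET_N_INTERNET ($INI = iptables -t filter -A INTRANET_N_INTERNET)
  # Rules for traffic routed between the internal networks and the internet.
  # forward() sends both directions (int->ext and ext->int) through this
  # chain, so a rule is only direction-specific via its own -s/-d matches.
  # Requires the INI variable to be set in the variables section.
  # *******************
  # Admin workstations: FTP control (21) and active-mode data (20) outbound.
  $INI -s $NET_INT_ADM -p tcp --dport 21 -j SERVER_ACCEPT
  $INI -d $NET_INT_ADM -p tcp --sport 21 -j CLIENT_ACCEPT
  $INI -s $NET_INT_ADM -p tcp --dport 20 -j SERVER_ACCEPT
  $INI -d $NET_INT_ADM -p tcp --sport 20 -j CLIENT_ACCEPT
  $INI -s $NET_INT_ADM -p tcp --dport 20 -j RELATED_ACCEPT
  $INI -d $NET_INT_ADM -p tcp --sport 20 -j RELATED_ACCEPT
  # RELATED_ACCEPT only matches RELATED/ESTABLISHED, so these two do not open
  # any port; the second one looks like it meant --dport (TODO confirm).
  $INI -s $NET_INT_ADM -p tcp --sport 1024:65535 -j RELATED_ACCEPT
  $INI -d $NET_INT_ADM -p tcp --sport 1024:65535 -j RELATED_ACCEPT
  # Admin workstations: chess cube (disabled)
  #$INI -s $NET_INT_ADM -p tcp --dport 843 -j SERVER_ACCEPT
  #$INI -d $NET_INT_ADM -p tcp --sport 843 -j CLIENT_ACCEPT
  #$INI -d $NET_INT_ADM -p tcp --dport 5222 -j SERVER_ACCEPT
  #$INI -s $NET_INT_ADM -p tcp --sport 5222 -j CLIENT_ACCEPT
  # Admin workstations fetch mail directly from the provider (POP3/SMTP).
  $INI -s $NET_INT_ADM -d $ANY -p tcp --dport 110 -j SERVER_ACCEPT
  $INI -s $ANY -d $NET_INT_ADM -p tcp --sport 110 -j CLIENT_ACCEPT
  $INI -s $NET_INT_ADM -d $ANY -p tcp --dport 25 -j SERVER_ACCEPT
  $INI -s $ANY -d $NET_INT_ADM -p tcp --sport 25 -j CLIENT_ACCEPT
  # Lab workstations may ping out: echo-request out, echo-reply and
  # time-exceeded (type 11) back in.
  $INI -s $NET_INT_LAB -d $ANY -p icmp --icmp-type echo-request -j SERVER_ACCEPT
  $INI -s $ANY -d $NET_INT_LAB -p icmp --icmp-type echo-reply -j CLIENT_ACCEPT
  $INI -s $ANY -d $NET_INT_LAB -p icmp --icmp-type 11 -j ACCEPT
  # Developer host 1: SSH on 1234 and MySQL (3306) to the Terra host.
  # The original source was a stray "c", which iptables cannot parse; the
  # matching return rule shows IP_INT_DESENV1 was intended.
  $INI -s $IP_INT_DESENV1 -d $IP_EXT_TERRA -p tcp --dport 1234 -j SERVER_ACCEPT
  $INI -s $IP_EXT_TERRA -d $IP_INT_DESENV1 -p tcp --sport 1234 -j CLIENT_ACCEPT
  $INI -s $IP_INT_DESENV1 -d $IP_EXT_TERRA -p tcp --dport 3306 -j SERVER_ACCEPT
  $INI -s $IP_EXT_TERRA -d $IP_INT_DESENV1 -p tcp --sport 3306 -j CLIENT_ACCEPT
  # NOTE: SRV_ALOG_EAD holds the placeholder "FIXO"; until it is a real
  # address these rules and the developer loop below fail to load.
  $INI -s $NET_INT_ADM -d $SRV_ALOG_EAD -p tcp --dport 3306 -j SERVER_ACCEPT
  $INI -s $SRV_ALOG_EAD -d $NET_INT_ADM -p tcp --sport 3306 -j CLIENT_ACCEPT
  # Developers: SSH and MySQL to the colocation host.
  for i in $GRP_USRS_DESENV; do
    $INI -s "$i" -d $SRV_ALOG_EAD -p tcp --dport 22 -j SERVER_ACCEPT
    $INI -s $SRV_ALOG_EAD -d "$i" -p tcp --sport 22 -j CLIENT_ACCEPT
    $INI -s "$i" -d $SRV_ALOG_EAD -p tcp --dport 3306 -j SERVER_ACCEPT
    $INI -s $SRV_ALOG_EAD -d "$i" -p tcp --sport 3306 -j CLIENT_ACCEPT
  done
  # Internal networks sync time over NTP (udp/123) with any server.
  for i in $NET_INT_ALL; do
    $INI -s "$i" -d $ANY -p udp --dport 123 -j SERVER_ACCEPT
    $INI -s $ANY -d "$i" -p udp --sport 123 -j CLIENT_ACCEPT
  done
  # The DP user reaches the Fetranspor site directly. The return rule used
  # --dport 80, which never matches an HTTP reply; it must be --sport 80.
  $INI -s $IP_INT_DP2 -d $SRV_FETRANSPOR -p tcp --dport 80 -j SERVER_ACCEPT
  $INI -s $SRV_FETRANSPOR -d $IP_INT_DP2 -p tcp --sport 80 -j CLIENT_ACCEPT
  # Developer hosts 2 and 3: SSH 1234 / MySQL 3306 to the Terra host.
  $INI -s $IP_INT_DESENV3 -d $IP_EXT_TERRA -p tcp --dport 3306 -j SERVER_ACCEPT
  $INI -s $IP_EXT_TERRA -d $IP_INT_DESENV3 -p tcp --sport 3306 -j CLIENT_ACCEPT
  $INI -s $IP_INT_DESENV2 -d $IP_EXT_TERRA -p tcp --dport 1234 -j SERVER_ACCEPT
  $INI -s $IP_EXT_TERRA -d $IP_INT_DESENV2 -p tcp --sport 1234 -j CLIENT_ACCEPT
  $INI -s $IP_INT_DESENV2 -d $IP_EXT_TERRA -p tcp --dport 3306 -j SERVER_ACCEPT
  $INI -s $IP_EXT_TERRA -d $IP_INT_DESENV2 -p tcp --sport 3306 -j CLIENT_ACCEPT
  # Users: http/https to any server (disabled)
  #$INI -s $NET_INT_ADM -d $ANY -p tcp --dport 80 -j SERVER_ACCEPT
  #$INI -s $ANY -d $NET_INT_ADM -p tcp --sport 80 -j CLIENT_ACCEPT
  #$INI -s $NET_INT_ADM -d $ANY -p tcp --dport 443 -j SERVER_ACCEPT
  #$INI -s $ANY -d $NET_INT_ADM -p tcp --sport 443 -j CLIENT_ACCEPT
  # Lab workstations: telnet, SMTP and FTP anywhere (networking course lab).
  $INI -s $NET_INT_LAB -d $ANY -p tcp --dport 23 -j SERVER_ACCEPT
  $INI -s $ANY -d $NET_INT_LAB -p tcp --sport 23 -j CLIENT_ACCEPT
  $INI -s $NET_INT_LAB -d $ANY -p tcp --dport 25 -j SERVER_ACCEPT
  $INI -s $ANY -d $NET_INT_LAB -p tcp --sport 25 -j CLIENT_ACCEPT
  $INI -s $NET_INT_LAB -d $ANY -p tcp --dport 21 -j SERVER_ACCEPT
  $INI -s $ANY -d $NET_INT_LAB -p tcp --sport 21 -j CLIENT_ACCEPT
  # Camera forwarding: public port 2000 -> 192.168.0.13:2000. This is a nat
  # PREROUTING rule living in a filter function; it uses $PRR (absolute
  # iptables path) instead of a bare "iptables" that depends on PATH. It is
  # kept here so "start -filter" still loads it, but it belongs in
  # prerouting(). NOTE(review): no rule accepting ext->lab tcp/2000 is
  # visible in this chain, so the translated packets appear to be dropped
  # in FORWARD -- confirm on the live host.
  $PRR -d $IP_EXT -p tcp -m tcp --dport 2000 -j DNAT --to-destination 192.168.0.13:2000
  # Academic server remote desktop out (disabled)
  #$INI -s $IP_INT_FIJ -d $ANY -p tcp --dport 3389 -j SERVER_ACCEPT
  #$INI -s $ANY -d $IP_INT_FIJ -p tcp --sport 3389 -j CLIENT_ACCEPT
  #$INI -s 192.168.0.72 -d $ANY -p tcp --dport 2000 -j SERVER_ACCEPT
  #$INI -s $ANY -d 192.168.0.72 -p tcp --sport 2000 -j CLIENT_ACCEPT
  #$INI -s $NET_INT_LAB -d $ANY -p tcp --dport 443 -j SERVER_ACCEPT
  #$INI -s $ANY -d $NET_INT_LAB -p tcp --sport 443 -j CLIENT_ACCEPT
  #for i in $SRVS_EMAILS_EXT;do
  # $INI -s $NET_INT_LAB -d $i -p tcp --dport 443 -j SERVER_ACCEPT
  # $INI -s $i -d $NET_INT_LAB -p tcp --sport 443 -j CLIENT_ACCEPT
  #done;
  # Both internal networks resolve DNS at the Dominal servers.
  for i in $SRVS_DNS_DOMINAL; do
    $INI -s $NET_INT_LAB -d "$i" -p udp --dport 53 -j SERVER_ACCEPT
    $INI -s "$i" -d $NET_INT_LAB -p udp --sport 53 -j CLIENT_ACCEPT
    $INI -s $NET_INT_ADM -d "$i" -p udp --dport 53 -j SERVER_ACCEPT
    $INI -s "$i" -d $NET_INT_ADM -p udp --sport 53 -j CLIENT_ACCEPT
  done
  # Caixa / Conectividade Social networks: any protocol, both internal nets.
  for i in $CAIXA_CONNSOCIAL; do
    $INI -s $NET_INT_ADM -d "$i" -j SERVER_ACCEPT
    $INI -s "$i" -d $NET_INT_ADM -j CLIENT_ACCEPT
    $INI -s $NET_INT_LAB -d "$i" -j SERVER_ACCEPT
    $INI -s "$i" -d $NET_INT_LAB -j CLIENT_ACCEPT
  done
  # DP users reach Receita Federal on tcp/3456.
  for i in $GRP_USRS_DP; do
    $INI -s "$i" -d $SRV_RECEITAFEDERAL -p tcp --dport 3456 -j SERVER_ACCEPT
    $INI -s $SRV_RECEITAFEDERAL -d "$i" -p tcp --sport 3456 -j CLIENT_ACCEPT
  done
}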
##################################
# INIT - P A R A M E T R O S
##################################
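# Entry point: $1 = start|stop|restart, $2 = which tables (-all when omitted).
# Comparisons use "=": the "==" operator is a bash extension that dash
# (Ubuntu's /bin/sh) rejects with "unexpected operator", so under the
# #!/bin/sh shebang every branch below used to fail before doing anything.
# An unrecognised $2 now prints the usage instead of silently doing nothing.
usage() {
  printf 'usage: %s start|stop|restart [(-all)|-filter|-nat]\n' "$0" >&2
}
case "$1" in
start)
  case "$2" in
    -nat) modules_load; load_nat ;;
    -filter) modules_load; load_filter ;;
    -all|"") modules_load; load_all ;;
    *) usage ;;
  esac
  ;;
stop)
  case "$2" in
    -nat) unload_nat ;;
    -filter) unload_filter ;;
    -all) unload_all ;;
    "") unload_all; modules_unload ;; # plain "stop" also unloads the modules
    *) usage ;;
  esac
  ;;
restart)
  case "$2" in
    -nat) unload_nat; load_nat ;;
    -filter) unload_filter; load_filter ;;
    -all|"") unload_all; load_all ;;
    *) usage ;;
  esac
  ;;
*)
  usage
  ;;
esac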