dagostim
(usa Debian)
Enviado em 24/05/2010 - 07:14h
Ola galera.. estou precisando de uma regra para poder acessar o exchange web access.
O meu script e o seguinte:
modprobe iptable_filter
modprobe iptable_nat
modprobe iptable_mangle
#modprobe ipt_layer7
modprobe ipt_state
modprobe ipt_limit
modprobe ipt_string
modprobe ipt_owner
modprobe ipt_mac
modprobe ipt_tos
modprobe ipt_LOG
modprobe ipt_mark
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_tcpmss
modprobe ipt_multiport
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
#### Variaveis
echo "definindo variaveis..."
WAN="eth0" #interface externa
LAN_RADIO="eth2" #interface rede local radio
LAN_TV="eth1" #interface rede local tv
NET_LAN_RADIO="192.168.30.0/24" #rede local radio
NET_LAN_TV="192.168.100.0/24" #rede local tv
IP_LAN_RADIO="192.168.30.1" #ip da rede local radio
IP_LAN_TV="192.168.100.4" #ip da rede local tv
GW="82.111.219.193" #default gateway
####---------------------------------------------------------------------------
#### Adiciona rota ao default gateway
route add default gw $GW
#### Ativa roteamento de pacotes
echo 1 > /proc/sys/net/ipv4/ip_forward
#### Protecao contra spoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
####---------------------------------------------------------------------------
echo "Politicas padrao..."
#### Politica Padrao
iptables -t mangle -F
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -X
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -Z
iptables -t filter -Z
iptables -t nat -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
####---------------------------------------------------------------------------
#### Politica INPUT
echo ">> politicas de INPUT..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_RADIO -j ACCEPT
iptables -A INPUT -i $LAN_TV -j ACCEPT
iptables -A INPUT -i $WAN -m state --state NEW,INVALID -j DROP
####---------------------------------------------------------------------------
#### Conexoes estabelecidas e relatadas
echo ">> definida conexoes estabelecidas e relatadas..."
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
####---------------------------------------------------------------------------
#### IP's Liberados
echo "IP's liberados..."
## DIRETORIA
iptables -A FORWARD -p ALL -s 192.168.100.20 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.100.20 -o $WAN -j MASQUERADE
####---------------------------------------------------------------------------
#### Servicos WWW
echo "Servicos de acesso a internet..."
#iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
#iptables -A FORWARD -p udp -s $NET_LAN_RADIO -o $WAN --dport 80 -j ACCEPT
#iptables -A FORWARD -p udp -s $NET_LAN_TV -o $WAN --dport 80 -j ACCEPT
#### Servicos DNS
echo ">> servicos de consulta DNS..."
iptables -A FORWARD -p udp -s $NET_LAN_RADIO -o $WAN --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s $NET_LAN_TV -o $WAN --dport 53 -j ACCEPT
####---------------------------------------------------------------------------
#### Servicos POP SMTP IMAP
echo ">> servicos de email POP SMTP..."
iptables -t nat -A POSTROUTING -s $NET_LAN_RADIO -p tcp -m multiport --dport 25,110,143,993,995 -o $WAN -j MASQUERADE
iptables -t nat -A POSTROUTING -s $NET_LAN_TV -p tcp -m multiport --dport 25,110,143,993,995 -o $WAN -j MASQUERADE
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.100.11:80
#iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
####---------------------------------------------------------------------------
#### Liberando FTP
echo ">> liberando FTP..."
iptables -A FORWARD -p tcp -s $NET_LAN_RADIO -o $WAN --dport 20:21 -j ACCEPT
iptables -t nat -A POSTROUTING -s $NET_LAN_RADIO -p tcp --dport 20:21 -o $WAN -j MASQUERADE
iptables -A FORWARD -p tcp -s $NET_LAN_TV -o $WAN --dport 20:21 -j ACCEPT
iptables -t nat -A POSTROUTING -s $NET_LAN_TV -p tcp --dport 20:21 -o $WAN -j MASQUERADE
####---------------------------------------------------------------------------
#### Liberando HTTPS
echo ">> liberando HTTPS..."
iptables -A FORWARD -p tcp -s $NET_LAN_RADIO -o $WAN --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -s $NET_LAN_RADIO -p tcp --dport 443 -o $WAN -j MASQUERADE
iptables -A FORWARD -p tcp -s $NET_LAN_TV -o $WAN --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -s $NET_LAN_TV -p tcp --dport 443 -o $WAN -j MASQUERADE
####---------------------------------------------------------------------------
#### Liberando skype
echo ">> liberando skype..."
#### Liberando todo mundo
#iptables -A FORWARD -p tcp -s $NET_LAN_RADIO -o $WAN --dport 5800:5900 -j ACCEPT
#iptables -A FORWARD -s $NET_LAN_RADIO -m layer7 --l7proto skypeout -j ACCEPT
#iptables -A FORWARD -s $NET_LAN_RADIO -m layer7 --l7proto skypetoskype -j ACCEPT
#iptables -t nat -A POSTROUTING -s $NET_LAN_RADIO -p tcp --dport 5800:5900 -o $WAN -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $NET_LAN_RADIO -m layer7 --l7proto skypeout -o $WAN -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $NET_LAN_RADIO -m layer7 --l7proto skypetoskype -o $WAN -j MASQUERADE
#iptables -A FORWARD -p tcp -s $NET_LAN_TV -o $WAN --dport 5800:5900 -j ACCEPT
#iptables -A FORWARD -s $NET_LAN_TV -m layer7 --l7proto skypeout -j ACCEPT
#iptables -A FORWARD -s $NET_LAN_TV -m layer7 --l7proto skypetoskype -j ACCEPT
#iptables -t nat -A POSTROUTING -s $NET_LAN_TV -p tcp --dport 5800:5900 -o $WAN -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $NET_LAN_TV -m layer7 --l7proto skypeout -o $WAN -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $NET_LAN_TV -m layer7 --l7proto skypetoskype -o $WAN -j MASQUERADE
#### Liberando por maquina
#iptables -A FORWARD -p tcp -s 192.200.30.212/24 -o $WAN --dport 5800:5900 -j ACCEPT
#iptables -A FORWARD -s 192.200.30.212/24 -m layer7 --l7proto skypeout -j ACCEPT
#iptables -A FORWARD -s 192.200.30.212/24 -m layer7 --l7proto skypetoskype -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.200.30.212/24 -p tcp --dport 5800:5900 -o $WAN -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.200.30.212/24 -m layer7 --l7proto skypeout -o $WAN -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.200.30.212/24 -m layer7 --l7proto skypetoskype -o $WAN -j MASQUERADE
####---------------------------------------------------------------------------
#### Controle Layer7
echo ">> controle p2p por layer7..."
#iptables -A FORWARD -m layer7 --l7proto imesh -j DROP
#iptables -A FORWARD -m layer7 --l7proto ares -j DROP
#iptables -A FORWARD -m layer7 --l7proto applejuice -j DROP
#iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP
#iptables -A FORWARD -m layer7 --l7proto gnutella -j DROP
#iptables -A FORWARD -m layer7 --l7proto fasttrack -j DROP
#iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
#iptables -A FORWARD -m layer7 --l7proto msn-filetransfer -j DROP
#iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
#iptables -A FORWARD -m layer7 --l7proto yahoo -j DROP
####---------------------------------------------------------------------------
#### Protecoes
echo ">> protecoes adicionais..."
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state invalid -i eth0 -j DROP
#iptables -A INPUT -p tcp -s 0/0 -m string --string "cmd.exe" --algo bm -j drop
#iptables -A INPUT -i eth0 -m unclean -j DROP
####---------------------------------------------------------------------------
#### Spoofing
iptables -A PREROUTING -t nat -i eth0 -s 192.168.1.0/16 -j DROP
iptables -A PREROUTING -t nat -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A PREROUTING -t nat -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A PREROUTING -t nat -i eth0 -s 10.0.0.0/8 -j DROP
####---------------------------------------------------------------------------
#### Traceroute
iptables -A INPUT -p tcp -s 0/0 -i $WAN --dport 33433:33525 -j DROP
iptables -A INPUT -p udp -s 0/0 -i $WAN --dport 33433:33525 -j DROP
####---------------------------------------------------------------------------
#### Multicast
iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
####---------------------------------------------------------------------------
#### Back Orifice
iptables -A INPUT -p tcp -i $WAN --dport 31337 -j DROP
iptables -A INPUT -p udp -i $WAN --dport 31337 -j DROP
####---------------------------------------------------------------------------
#### NetBus
iptables -A INPUT -p tcp -i $WAN --dport 12345:12346 -j DROP
iptables -A INPUT -p udp -i $WAN --dport 12345:12346 -j DROP
####---------------------------------------------------------------------------
#### Trin00
iptables -A INPUT -p tcp -i $WAN -m multiport --dport 1524,27665 -j DROP
iptables -A INPUT -p udp -i $WAN -m multiport --dport 27444,31335 -j DROP
####---------------------------------------------------------------------------
#### Redireciona trafego para squid
echo "Redirecionando trafego WWW para o squid..."
iptables -t nat -A PREROUTING -p tcp -s $NET_LAN_TV -m multiport --dport 80,443 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p tcp -s $NET_LAN_RADIO -m multiport --dport 80,443 -j REDIRECT --to-ports 3128
####---------------------------------------------------------------------------
#### Performance dos pacotes
#echo ">> delay minimo POP SMTP DNS..."
#iptables -t mangle -A OUTPUT -p tcp -m multiport --dport 25,53,110 -j TOS --set-tos 16
#iptables -t mangle -A PREROUTING -p tcp -m multiport --dport 25,53,110 -j TOS --set-tos 16
####---------------------------------------------------------------------------
OBRIGADo