Squid Lento
1. Squid Lento
brunobonato
(usa Outra)
Enviado em 20/07/2012 - 16:35h
Boa tarde, tenho um Servidor HP Proliant GL150 G6 com 2 gb mem, e 500G de HD. Tenho Debian Squeeze Instalado nele com squid 3.1.6 e iptables 1.4.8, tenho uma fibra da copel de 2M. Porém a internet está esquisita, ela demora muito pra começar a carregar o site. Por exemplo quando eu digito www.google.com.br ele demora uns 10 segundos para carregar a pagina. Aparentemente a pagina carrega rápido mais demora pra começar a carregar, parece que alguma coisa ta atrasando a requisição. Não sei se da pra entender.Vou postar meu Firewall e Squid aqui pra alguém me dar uma luz.
Não sei se fui bem claro. Desculpa ai se não me expressei bem.
##squid.conf
http_port 3128 transparent
cache_dir ufs /var/spool/squid3 45000 16 256
maximum_object_size_in_memory 40 KB
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
pid_filename /var/log/squid3/squid3.pid
mime_table /usr/share/squid3/mime.conf
cache_mgr bruno@cofama.com.br
memory_pools off
diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl redelocal src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 #http
acl Safe_ports port 21 #ftp
acl Safe_ports port 443 563 1863 #https
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl CONNECT method CONNECT
acl admin arp "/etc/squid3/lista/admin.txt"
acl sites url_regex -i "/etc/squid3/lista/sites.txt
# http_access deny sites !admin
acl internet arp "/etc/squid3/lista/internet.txt"
# http_access deny !internet !admin
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow redelocal
# http_access deny all
cache_mgr webmaster
mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname zenhulk
error_directory /usr/share/squid3/errors/Portuguese/
cache_dir ufs /var/spool/squid3 45000 16 256
maximum_object_size_in_memory 40 KB
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
pid_filename /var/log/squid3/squid3.pid
mime_table /usr/share/squid3/mime.conf
cache_mgr bruno@cofama.com.br
memory_pools off
diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl redelocal src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 #http
acl Safe_ports port 21 #ftp
acl Safe_ports port 443 563 1863 #https
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl CONNECT method CONNECT
acl admin arp "/etc/squid3/lista/admin.txt"
acl sites url_regex -i "/etc/squid3/lista/sites.txt
# http_access deny sites !admin
acl internet arp "/etc/squid3/lista/internet.txt"
# http_access deny !internet !admin
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow redelocal
# http_access deny all
cache_mgr webmaster
mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname zenhulk
error_directory /usr/share/squid3/errors/Portuguese/
Firewall.sh
#!/bin/sh
# Firewall System
# Author - Paulo Cabral
# Mail - paulocdc@gmail.com
#
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
firewall_start(){
## Variaveis
internet="eth0"
redelocal="eth1"
# Ip do kinghost para emails
ip_smtp=189.38.82.150
ip_pop=189.38.85.158
# Ip do gmail
ip_gmail=74.125.47.109
# Ip do gatware da Copel
ip_fw=200.xxx.xxx.xxx
# Ip da rede local
ip_rede_local=192.168.1.0/24
# Ip do xxxx para suporte
ip_vnc_suporte=187.17.xxx.xxx
# Ip da xxxx para suporte
ip_mannes=189.16.xxx.xxx
# Ip da xxx para suporte
ip_novo_mundo=200.103.xxx.xxx
# Ip da prefeitura de Araruna
ip_araruna=200.195.xxx.xxx
echo "####################ATIVANDO IPTABLES#######################"
### Passo 1: Limpando as regras ###
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -F -t nat
echo "Limpando as regras ..................................[ OK ]"
# Definindo a Politica Default das Cadeias
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo "Politica Default das Cadeias ........................[ OK ]"
### Passo 2: Desabilitar o trafego IP entre as placas de rede ###
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "Desabilitar o trafego IP entre as placas ............[ OK ]"
# Configurando a Protecao anti-spoofing
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo "1" > $spoofing
#done
echo "Protecao anti-spoofing ..............................[ OK ]"
# Impedimos que um atacante possa maliciosamente alterar alguma rota
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Impedimos alterar alguma rota .......................[ OK ]"
# Utilizado em diversos ataques, isso possibilita que o atacante determine o "caminho" que seu
# pacote vai percorrer (roteadores) ate seu destino. Junto com spoof, isso se torna muito perigoso.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Impossibilita que o atacante determine o "caminho" ....[ OK ]"
# Protecao contra responses bogus
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Protecao contra responses bogus .....................[ OK ]"
# Protecao contra ataques de syn flood (inicio da conexao TCP). Tenta conter ataques de DoS.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Protecao contra ataques de syn ......................[ OK ]"
### Passo 3: Carregando os modulos do iptables ###
# Ativa modulos
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
echo "Carregando os modulos ...............................[ OK ]"
#################################################
# FIM DA Tabela FILTER
#################################################
# Proteção contra port scanners
#iptables -N SCANNER
#iptables -A SCANNER -m limit --limit 15/m -j LOG --log-prefix "FIREWALL: port scanner: "
#iptables -A SCANNER -j DROP
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $internet -j SCANNER
#iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $internet -j SCANNER
#echo "Scaner de Portas ....................................[ OK ]"
# Libera acesso externo a determinadas portas
iptables -A FORWARD -p tcp -s $ip_rede_local --dport 1863 -j ACCEPT
##Algumas portas devem ser negadas.
iptables -A INPUT -p tcp --dport 1433 -j DROP
iptables -A INPUT -p tcp --dport 6670 -j DROP
iptables -A INPUT -p tcp --dport 6711 -j DROP
iptables -A INPUT -p tcp --dport 6712 -j DROP
iptables -A INPUT -p tcp --dport 6713 -j DROP
iptables -A INPUT -p tcp --dport 12345 -j DROP
iptables -A INPUT -p tcp --dport 12346 -j DROP
iptables -A INPUT -p tcp --dport 20034 -j DROP
iptables -A INPUT -p tcp --dport 31337 -j DROP
iptables -A INPUT -p tcp --dport 6000 -j DROP
echo "Negando portas invalidas ............................[ OK ]"
#Liberando porta 80 rede local
iptables -A INPUT -p tcp -s 192.168.1.0/24 -d 192.168.1.100 --dport 80 -j ACCEPT
#
iptables -A OUTPUT -p tcp -s 192.168.1.100 -d 192.168.1.0/24 --dport 80 -j ACCEPT
#Traceroutes caindo
iptables -A INPUT -p udp --dport 33434:33523 -j DROP
iptables -A INPUT -p tcp --dport 113 -j REJECT
iptables -A INPUT -p igmp -j REJECT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j REJECT
echo "Rejeitando lixo :....................................[ OK ]"
##ips que nao passam pelo proxy
iptables -t nat -I PREROUTING -s 192.168.1.19 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.25 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.26 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.27 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.28 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.29 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.30 -j ACCEPT
#iptables -t nat -I PREROUTING -s 192.168.1.6 -j ACCEPT
#iptables -A FORWARD -p tcp -s 192.168.1.90 -j ACCEPT
echo "Computadores que nao passam pelo proxy...............[ OK ]"
# Liberando o ATA do VOIP para acesso interno e externo (para dar suporte)
#iptables -A FORWARD -s $ip_ata_int -j ACCEPT
#iptables -A FORWARD -s $ip_ata_ext -j ACCEPT
#iptables -t nat -A PREROUTING -d $ip_ata_ext -j DNAT --to $ip_ata_int
#iptables -t nat -A POSTROUTING -s $ip_ata_int -j SNAT --to $ip_ata_ext
#echo "Regra para ATA.......................................[ OK ]"
# Inicio Correio Eletronico
# PORTA 110 - ACEITA PARA A REDE LOCAL SOMENTE O KINGHOST
iptables -A FORWARD -s $ip_rede_local -d $ip_smtp -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_pop -j ACCEPT
iptables -A FORWARD -s $ip_smtp -d $ip_rede_local -j ACCEPT
iptables -A FORWARD -s $ip_pop -d $ip_rede_local -j ACCEPT
iptables -t nat -A POSTROUTING -o $internet -d $ip_smtp -j MASQUERADE
iptables -t nat -A POSTROUTING -o $internet -d $ip_pop -j MASQUERADE
echo "Regra para o correio eletronico......................[ OK ]"
# PORTA 110 - LIBERA ACESSO PARA O EMAIL DA GMAIL
iptables -A FORWARD -s $ip_rede_local -d $ip_gmail -j ACCEPT
iptables -A FORWARD -s $ip_gmail -d $ip_rede_local -j ACCEPT
iptables -t nat -A POSTROUTING -o $internet -d $ip_gmail -j MASQUERADE
echo "Regra para o correio eletronico gmail................[ OK ]"
##Fim correio eletronico
#####Inicio acesso de clientes para assistencia remota####
#Suporte da xxx via VNC
iptables -A INPUT -p tcp --dport 5540:5543 -j ACCEPT
iptables -A INPUT -p tcp --sport 5540:5543 -j ACCEPT
iptables -A FORWARD -p tcp --dport 5540:5543 -j ACCEPT
iptables -A FORWARD -p tcp --sport 5540:5543 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5540 -j DNAT --to 192.168.1.6 #
iptables -t nat -A PREROUTING -p tcp --dport 5541 -j DNAT --to 192.168.1.1 #
iptables -t nat -A PREROUTING -p tcp --dport 5542 -j DNAT --to 192.168.1.2 #
iptables -t nat -A PREROUTING -p tcp --dport 5543 -j DNAT --to 192.168.1.3 #
echo "Regra para o VNC do Suporte xxx...................[ OK ]"
#Acesso ao suporte do sistema
iptables -A FORWARD -s $ip_rede_local -d $ip_vnc_suporte -p tcp --dport 5500:5530 -j ACCEPT
iptables -A FORWARD -s $ip_vnc_suporte -d $ip_rede_local -p tcp --sport 5500:5530 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_vnc_suporte -p udp --dport 5500:5530 -j ACCEPT
iptables -A FORWARD -s $ip_vnc_suporte -d $ip_rede_local -p udp --sport 5500:5530 -j ACCEPT
iptables -t nat -A POSTROUTING -o $internet -d $ip_vnc_suporte -p tcp --dport 5500:5530 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $internet -d $ip_vnc_suporte -p udp --dport 5500:5530 -j MASQUERADE
echo "Regra para o Sistema xxx.........................[ OK ]"
#Acesso ao suporte xxxportas 5222 e 1080
iptables -A FORWARD -s $ip_rede_local -d $ip_mannes -p tcp --dport 5222 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_mannes -p tcp --dport 1080 -j ACCEPT
iptables -A FORWARD -s $ip_mannes -d $ip_rede_local -p tcp --sport 5222 -j ACCEPT
iptables -A FORWARD -s $ip_mannes -d $ip_rede_local -p tcp --sport 1080 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_mannes -p udp --dport 5222 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_mannes -p udp --dport 1080 -j ACCEPT
iptables -A FORWARD -s $ip_mannes -d $ip_rede_local -p udp --sport 5222 -j ACCEPT
iptables -A FORWARD -s $ip_mannes -d $ip_rede_local -p udp --sport 1080 -j ACCEPT
iptables -t nat -A POSTROUTING -o $internet -d $ip_mannes -p tcp --dport 5222 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $internet -d $ip_mannes -p tcp --dport 1080 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $internet -d $ip_mannes -p udp --dport 5222 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $internet -d $ip_mannes -p udp --dport 1080 -j MASQUERADE
echo "Regra para o Suporte xxx..........................[ OK ]"
#Acesso a xxx pela porta 11371
iptables -A FORWARD -s $ip_rede_local -d $ip_novo_mundo -p tcp --dport 11371 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_novo_mundo -p udp --dport 11371 -j ACCEPT
iptables -A INPUT -p tcp --dport 11371 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 11371 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --sport 1194 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1194 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT
echo "Regra para o Sistema da xxx...................[ OK ]"
#Acesso ao backup porta 8080 para o ip da xxx
iptables -A FORWARD -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_vnc_suporte -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -s $ip_vnc_suporte -d $ip_rede_local -p tcp --sport 8080 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_vnc_suporte -p udp --dport 8080 -j ACCEPT
iptables -A FORWARD -s $ip_vnc_suporte -d $ip_rede_local -p udp --sport 8080 -j ACCEPT
iptables -t nat -A POSTROUTING -o $internet -d $ip_vnc_suporte -p tcp --dport 8080 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $internet -d $ip_vnc_suporte -p udp --dport 8080 -j MASQUERADE
echo "Regra para o Sistema Backup xxx..................[ OK ]"
#Acesso para o sistema da prefeitura
iptables -A FORWARD -p tcp --dport 8888 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_araruna -p tcp --dport 8888 -j ACCEPT
iptables -A FORWARD -s $ip_araruna -d $ip_rede_local -p tcp --sport 8888 -j ACCEPT
iptables -A FORWARD -s $ip_rede_local -d $ip_araruna -p udp --dport 8888 -j ACCEPT
iptables -A FORWARD -s $ip_araruna -d $ip_rede_local -p udp --sport 8888 -j ACCEPT
iptables -t nat -A POSTROUTING -o $internet -d $ip_araruna -p tcp --dport 8888 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $internet -d $ip_araruna -p udp --dport 8888 -j MASQUERADE
echo "Regra para o Sistema Prefeitura Araruna..............[ OK ]"
### FIM DAS REGRAS PARA SISTEMA EXTERNO####
#Acesso a Internet sem squid
#iptables -A FORWARD -s 192.168.1.6 -j ACCEPT
#iptables -A FORWARD -d 192.168.1.6 -j ACCEPT
iptables -A FORWARD -s 192.168.1.19 -j ACCEPT
iptables -A FORWARD -d 192.168.1.19 -j ACCEPT
iptables -A FORWARD -s 192.168.1.25 -j ACCEPT
iptables -A FORWARD -d 192.168.1.25 -j ACCEPT
iptables -A FORWARD -s 192.168.1.26 -j ACCEPT
iptables -A FORWARD -d 192.168.1.26 -j ACCEPT
iptables -A FORWARD -s 192.168.1.27 -j ACCEPT
iptables -A FORWARD -d 192.168.1.27 -j ACCEPT
iptables -A FORWARD -s 192.168.1.28 -j ACCEPT
iptables -A FORWARD -d 192.168.1.28 -j ACCEPT
iptables -A FORWARD -s 192.168.1.29 -j ACCEPT
iptables -A FORWARD -d 192.168.1.29 -j ACCEPT
iptables -A FORWARD -s 192.168.1.30 -j ACCEPT
iptables -A FORWARD -d 192.168.1.30 -j ACCEPT
iptables -A FORWARD -d 192.168.1.43 -j ACCEPT
iptables -A FORWARD -s 192.168.1.43 -j ACCEPT
iptables -A FORWARD -d 192.168.1.99 -j ACCEPT
iptables -A FORWARD -s 192.168.1.99 -j ACCEPT
iptables -A FORWARD -d 192.168.1.128 -j ACCEPT
iptables -A FORWARD -s 192.168.1.128 -j ACCEPT
iptables -t nat -A POSTROUTING -o $internet -j MASQUERADE
echo "Regra para Antena Wireless...........................[ OK ]"
#Acesso para o servidor de video
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -p tcp --sport 8000 -j ACCEPT
iptables -A INPUT -p tcp --dport 9092 -j ACCEPT
iptables -A INPUT -p tcp --sport 9092 -j ACCEPT
iptables -A FORWARD -p tcp --dport 8000 -j ACCEPT
iptables -A FORWARD -p tcp --sport 8000 -j ACCEPT
iptables -A FORWARD -p tcp --dport 9092 -j ACCEPT
iptables -A FORWARD -p tcp --sport 9092 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $ip_fw --dport 8000 -j DNAT --to 192.168.1.88
iptables -t nat -A PREROUTING -p tcp -d $ip_fw --dport 9092 -j DNAT --to 192.168.1.88
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.88 --dport 8000 -j SNAT --to $ip_fw
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.88 --dport 9092 -j SNAT --to $ip_fw
echo "Regra para o servidor de video.......................[ OK ]"
# PORTA 3128 - ACEITA PARA A REDE LOCAL
#iptables -A FORWARD -i $redelocal -p tcp --dport 3128 -j ACCEPT
# Redireciona porta 80 para 3128 (squid)
iptables -t nat -A PREROUTING -i $redelocal -p tcp --dport 80 -j REDIRECT --to-port 3128
# PORTA 53 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -i $redelocal -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $redelocal -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $redelocal -p tcp --dport 5080 -j ACCEPT
# PORTA 110 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -i $redelocal -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i $redelocal -p udp --dport 110 -j ACCEPT
# PORTA 25 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -i $redelocal -p tcp --dport 25 -j ACCEPT
# PORTA 587 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -i $redelocal -p tcp --dport 587 -j ACCEPT
# identd
iptables -A INPUT -p tcp --dport 113 -j ACCEPT
iptables -A INPUT -p udp --dport 113 -j ACCEPT
# https
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -A FORWARD -i $redelocal -p tcp --dport 443 -j ACCEPT
# PORTA 20 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
# PORTA 21 - ACEITA PARA A REDE LOCAL
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
# PORTA 22 - ACEITA PARA A REDE INTERNET
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
#libera porta 123 para atualizacao automatica do relogio do widows
iptables -A FORWARD -p udp --dport 123 -j ACCEPT
iptables -A FORWARD -p tcp --dport 123 -j ACCEPT
echo "Regras para porta 123................................[ OK ]"
#bloqueia qualquer tentativa de nova conexao de fora para esta maquina
iptables -A INPUT -i $internet -m state ! --state ESTABLISHED,RELATED -j LOG --log-level 6 --log-prefix "FIREWALL entrada "
iptables -A INPUT -i $internet -m state ! --state ESTABLISHED,RELATED -j DROP
#no iptables, temos de dizer quais sockets sao validos em uma conexao
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Cadeia de Entrada ...................................[ OK ]"
################################
# Cadeia de Reenvio (FORWARD).
# Primeiro, ativar o mascaramento (nat).
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $internet -j MASQUERADE
echo "Ativando o mascaramento .............................[ OK ]"
# Agora dizemos quem e o que podem acessar externamente
# O controle do acesso a rede externa e feito na cadeia "FORWARD"
iptables -A FORWARD -i $internet -j ACCEPT
iptables -A FORWARD -o $internet -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Ativando o acesso ftp.. .............................[ OK ]"
###################
###BLOQUEANDO TODAS AS SAIDAS E PORTAS
iptables -A INPUT -p all -j DROP
iptables -A FORWARD -p all -j DROP
echo "Rejeitando saida e entrada ..........................[ OK ]"
########################
# No iptables, temos de dizer quais sockets sao validos em uma conexao
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Quais sockets sao validos ...........................[ OK ]"
#################################################
# Tabela FILTER
#################################################
# Protecao contra trojans
# -------------------------------------------------------
iptables -A INPUT -p TCP -i $internet --dport 666 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 4000 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 6000 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 6006 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 16660 -j DROP
# Protecao contra trinoo
# -------------------------------------------------------
iptables -A INPUT -p TCP -i $internet --dport 27444 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 27665 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 31335 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 34555 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 35555 -j DROP
echo "Protecao contra trinoo ..............................[ OK ]"
# Protecao contra acesso externo squid
iptables -A INPUT -p TCP -i $internet --dport 3128 -j DROP
iptables -A INPUT -p TCP -i $internet --dport 8080 -j DROP
echo "Protecao contra squid externo........................[ OK ]"
# Protecao contra telnet
iptables -A INPUT -p TCP -i $internet --dport telnet -j DROP
echo "Protecao contra telnet...............................[ OK ]"
# Dropa pacotes TCP indesejaveis
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Dropa pacotes mal formados
#iptables -A INPUT -i $internet -m unclean -j DROP
# Protecao contra worms
iptables -A FORWARD -p tcp --dport 135 -i $internet -j REJECT
# Protecaocontra syn-flood
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Protecao contra ping da morte
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Allow ALL other forwarding going out
iptables -A FORWARD -o $internet -i $redelocal -j ACCEPT
echo "Caregado tabela filter...............................[ OK ]"
# Finalmente: Habilitando o trafego IP, entre as Interfaces de rede
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Habilitar o trafego IP entre as placas: .............[ OK ]"
echo "##################FIM DE REGRAS IPTABLES####################"
exit 0
sleep 1
}
firewall_stop(){
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -F -t nat
echo "Limpando as regras ..................................[ OK ]"
}
case "$1" in
"start")
firewall_start
;;
"stop")
firewall_stop
echo "Firewall desativado!"
;;
"restart")
echo "Firewall reiniciando..."
firewall_stop; firewall_start
;;
*)
iptables -L -nv
esac