Eu enxuguei suas regras. Veja se funciona e refaça a varredura.
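### Firewall / NAT rule set for a router with two uplinks (ADSL on eth0,
### wireless "WAVE" link on eth4) and three LANs (eth1-eth3). Run as root;
### re-running it replaces the previous rule set completely.
###
### Compared with the rules as posted: nat/mangle are flushed too, INPUT and
### FORWARD accept ESTABLISHED/RELATED traffic, FORWARD no longer accepts
### every NEW connection (which made the port list and the final LOG/DROP
### unreachable), Samba is limited to the LAN interfaces, the "-i $ADSL"
### rules use the interface variables, the rules iptables rejected (network
### and interface swapped) or that sat after an unconditional DROP are gone,
### and the port forwards get the FORWARD / nat POSTROUTING rules they need.

### Flush the existing rules ###
# nat and mangle are flushed as well: as posted only the filter chains were,
# so every re-run appended a second copy of every nat/mangle rule.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
echo "Limpando todas as regras .................[ OK ]"
# Default policy of the built-in chains: nothing comes in or is forwarded
# unless a rule below accepts it; the firewall itself may talk out freely.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo "Setando as regras padrao .................[ OK ]"
### Step 2: disable IP forwarding between the interfaces while loading ###
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "Setando ip_foward ........................[ OK ]"
# Interfaces: two uplinks (ADSL, "WAVE" wireless link) and three LANs
IADSL=eth0
IWAVE=eth4
ILAN1=eth1
ILAN2=eth2
ILAN3=eth3
ILocal=lo
# Internal networks, one per LAN interface
LAN1=192.168.0.0/24
LAN2=192.168.1.0/24
LAN3=192.168.2.0/24
# This host's own address on each uplink (the address MASQUERADE will use)
ADSL=172.16.0.2
WAVE=172.16.10.2
# Internal hosts published on the uplinks through DNAT
WTS_HOST=192.168.2.1
WEB_HOST=192.168.0.254
# Public address the web system is published on. "xxx" is the placeholder
# from the post; until it is replaced the port-80 redirect is skipped.
WEB_PUBLIC_IP=xxx
### Step 3: load the iptables modules ###
# ip_nat_ftp / ip_conntrack_* are the old module names; on kernels that use
# nf_nat_ftp / nf_conntrack_* these modprobes print an error and the FTP/IRC
# helpers are simply not loaded - the rest of the script is unaffected.
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
echo "Carregando modulos do iptables ...........[ OK ]"
### Step 4: what may come in, and what may pass through ###
# INPUT chain
# LOCALHOST - accept everything
iptables -A INPUT -i "$ILocal" -j ACCEPT
# Replies to connections the firewall itself opened, and related traffic
# such as ICMP errors. Without this the DROP policy discarded every answer
# to the firewall's own outgoing connections (DNS, apt, ...). All rules
# after this one only have to match the first packet of a connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# PORT 80 - accepted from the local networks
iptables -A INPUT -i "$ILAN1" -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i "$ILAN2" -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i "$ILAN3" -p tcp --dport 80 -j ACCEPT
# PORT 22 - accepted from the local networks; kept closed on the uplinks
iptables -A INPUT -i "$ILAN1" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i "$ILAN2" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i "$ILAN3" -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -i "$IADSL" -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -i "$IWAVE" -p tcp --dport 22 -j ACCEPT
# Any other TCP service on this host (e.g. the proxy on 3128) - accepted from
# the local networks. Each network is tied to its own interface so a packet
# arriving on an uplink with a forged 192.168.x source does not match; the
# 127.0.0.0/8 rule from the post is gone because "-i lo" already covers it.
iptables -A INPUT -i "$ILAN1" -s "$LAN1" -p tcp --syn -j ACCEPT
iptables -A INPUT -i "$ILAN2" -s "$LAN2" -p tcp --syn -j ACCEPT
iptables -A INPUT -i "$ILAN3" -s "$LAN3" -p tcp --syn -j ACCEPT
# PORT 3389 (WTS) on the uplinks. These packets are DNAT'ed to $WTS_HOST in
# PREROUTING and therefore go through FORWARD, not INPUT; the two rules only
# matter if that redirect is removed.
iptables -A INPUT -i "$IADSL" -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -i "$IWAVE" -p tcp --dport 3389 -j ACCEPT
# SAMBA - local networks only (as posted the rules had no interface match,
# which exposed NetBIOS/SMB on both uplinks as well)
for lan_if in "$ILAN1" "$ILAN2" "$ILAN3"; do
  iptables -A INPUT -i "$lan_if" -p tcp --dport 137:139 -j ACCEPT
  iptables -A INPUT -i "$lan_if" -p udp --dport 137:139 -j ACCEPT
done
# PING. The post used "-i $ADSL" / "-i $WAVE" (an IP address where an
# interface name is expected), which never matches anything; the interface
# variables are what was meant. LAN ping stays disabled as posted.
#iptables -A INPUT -p ICMP -i "$ILAN1" -j ACCEPT
#iptables -A INPUT -p ICMP -i "$ILAN2" -j ACCEPT
#iptables -A INPUT -p ICMP -i "$ILAN3" -j ACCEPT
iptables -A INPUT -p ICMP -i "$IADSL" -j ACCEPT
iptables -A INPUT -p ICMP -i "$IWAVE" -j ACCEPT
echo "Setando regras para INPUT ................[ OK ]"
################################
# Source NAT (nat POSTROUTING). This chain sees the first packet of every
# connection; the target that matches decides the NAT for the whole
# connection, and ACCEPT means "leave the addresses alone".
iptables -t nat -A POSTROUTING -o "$ILocal" -j ACCEPT
iptables -t nat -A POSTROUTING -s "$LAN1" -o "$ILAN1" -j ACCEPT
iptables -t nat -A POSTROUTING -s "$LAN2" -o "$ILAN2" -j ACCEPT
iptables -t nat -A POSTROUTING -s "$LAN3" -o "$ILAN3" -j ACCEPT
# LAN traffic leaving on an uplink is masqueraded with that uplink's address
# ($ADSL / $WAVE). The separate "SNAT --to $ADSL/$WAVE" rules from the post
# were appended after the unconditional DROP below and were never reached;
# MASQUERADE on these fixed-address interfaces does the same thing.
for lan_net in "$LAN1" "$LAN2" "$LAN3"; do
  iptables -t nat -A POSTROUTING -s "$lan_net" -o "$IADSL" -j MASQUERADE
  iptables -t nat -A POSTROUTING -s "$lan_net" -o "$IWAVE" -j MASQUERADE
done
# Connections redirected from the uplinks to internal hosts (see the DNAT
# rules below) leave towards a LAN and must get past the LOG/DROP tail.
iptables -t nat -A POSTROUTING -o "$ILAN3" -d "$WTS_HOST" -p tcp --dport 3389 -j ACCEPT
iptables -t nat -A POSTROUTING -o "$ILAN1" -d "$WEB_HOST" -p tcp --dport 80 -j ACCEPT
# Anything else leaving on an uplink (the firewall's own traffic) goes out as is
iptables -t nat -A POSTROUTING -o "$IADSL" -j ACCEPT
iptables -t nat -A POSTROUTING -o "$IWAVE" -j ACCEPT
# Everything else - in practice traffic routed from one LAN into another - is
# logged and dropped. The post also had "-o $LANx -d $ILANx" LOG/DROP rules
# (network and interface swapped, so iptables rejected them) and a second
# set after the DROP with mismatched networks; both are left out, this tail
# already does what they were meant to do. Filtering in the nat table is
# unusual: if traffic between LANs is ever wanted, add FORWARD rules for it
# and change this tail to ACCEPT.
iptables -t nat -A POSTROUTING -j LOG --log-prefix "FIREWALL: SNAT-LOG "
iptables -t nat -A POSTROUTING -j DROP
echo "Ativando mascaramento de IP ..............[ OK ]"
# REDIRECTS (nat PREROUTING)
# WTS
iptables -t nat -A PREROUTING -i "$IWAVE" -p tcp --dport 3389 -j DNAT --to-destination "$WTS_HOST:3389"
iptables -t nat -A PREROUTING -i "$IADSL" -p tcp --dport 3389 -j DNAT --to-destination "$WTS_HOST:3389"
# SYSTEM ACCESS (port 80). The post had this rule twice with "-d xxx"; one
# copy is enough, and it is skipped while the placeholder is still in place
# (iptables would otherwise reject "xxx" as a host).
if [ "$WEB_PUBLIC_IP" = "xxx" ]; then
  echo "AVISO: WEB_PUBLIC_IP nao definido, redirecionamento da porta 80 ignorado" >&2
else
  iptables -t nat -A PREROUTING -d "$WEB_PUBLIC_IP" -p tcp --dport 80 -j DNAT --to "$WEB_HOST"
fi
# ROUTES: policy-routing marks. LAN1 and LAN2 go out through the ADSL link
# (mark 201), LAN3 through the wireless link (mark 200). The marks only take
# effect if matching "ip rule ... fwmark" entries exist outside this script.
iptables -t mangle -A PREROUTING -i "$ILAN1" -s "$LAN1" -j MARK --set-mark 201
iptables -t mangle -A PREROUTING -i "$ILAN2" -s "$LAN2" -j MARK --set-mark 201
iptables -t mangle -A PREROUTING -i "$ILAN3" -s "$LAN3" -j MARK --set-mark 200
# FORWARD chain: what the LANs may reach through the firewall. The rules are
# per LAN interface with no "-o" match, so traffic between LANs on these
# ports is only stopped by the nat POSTROUTING tail above.
# Established/related first, so the rules below see only the first packet.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ports accepted from the local networks:
#   53/udp DNS, 3128 proxy, 110 POP3, 25 and 587 SMTP, 995 POP3S,
#   465 SMTPS, 443 HTTPS, 21 FTP
for lan_if in "$ILAN1" "$ILAN2" "$ILAN3"; do
  iptables -A FORWARD -i "$lan_if" -p udp --dport 53 -j ACCEPT
  for tcp_port in 3128 110 25 587 995 465 443 21; do
    iptables -A FORWARD -i "$lan_if" -p tcp --dport "$tcp_port" -j ACCEPT
  done
done
echo "Liberando ping"
iptables -A FORWARD -p ICMP -i "$ILAN1" -j ACCEPT
iptables -A FORWARD -p ICMP -i "$ILAN2" -j ACCEPT
iptables -A FORWARD -p ICMP -i "$ILAN3" -j ACCEPT
# Same "-i $ADSL/$WAVE" mix-up as in INPUT: the uplink interfaces were meant.
iptables -A FORWARD -p ICMP -i "$IADSL" -j ACCEPT
iptables -A FORWARD -p ICMP -i "$IWAVE" -j ACCEPT
# Connections that PREROUTING redirected to internal hosts
iptables -A FORWARD -i "$IADSL" -d "$WTS_HOST" -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i "$IWAVE" -d "$WTS_HOST" -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -d "$WEB_HOST" -p tcp --dport 80 -j ACCEPT
echo "Setando regras para FOWARD ...............[ OK ]"
# The post ended the chain with "--state ESTABLISHED,RELATED,NEW -j ACCEPT",
# i.e. every new connection in either direction was forwarded and neither
# the port list above nor this LOG/DROP was ever reached. Now anything not
# listed is logged (rate-limited) and dropped, which is what the DROP policy
# and the original comment intended.
iptables -A FORWARD -m limit --limit 2/m -j LOG --log-prefix "FORWARD: Bloqueio Padrao "
iptables -A FORWARD -j DROP
# PACKET PRIORITISATION (TOS): port 5060 (SIP signalling) and the 10000:20000
# UDP range. The PREROUTING range was "1000:20000" in the post while every
# OUTPUT rule uses 10000:20000; the OUTPUT value is taken as the intended one.
iptables -t mangle -A PREROUTING -p tcp --dport 5060 -j TOS --set-tos 16
iptables -t mangle -A PREROUTING -p udp --dport 10000:20000 -j TOS --set-tos 8
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos 8
iptables -t mangle -A PREROUTING -p udp --dport 80 -j TOS --set-tos 8
for uplink in "$IADSL" "$IWAVE"; do
  iptables -t mangle -A OUTPUT -o "$uplink" -p tcp --dport 5060 -j TOS --set-tos 16
  iptables -t mangle -A OUTPUT -o "$uplink" -p udp --dport 10000:20000 -j TOS --set-tos 8
  iptables -t mangle -A OUTPUT -o "$uplink" -p tcp --dport 80 -j TOS --set-tos 8
  iptables -t mangle -A OUTPUT -o "$uplink" -p udp --dport 80 -j TOS --set-tos 8
done
# Finally: enable IP forwarding between the interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Setando ip_foward: ON ....................[ OK ]"
echo "Firewall configurado com sucesso .........[ OK ]"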