liberação de portas para um ip
1. liberação de portas para um ip
kledir
(usa Outra)
Enviado em 24/10/2011 - 08:31h
Estou tentando Liberar portas para um determinado ip no meu script mais não esta dando certo. Estou fazendo algo errado?a regra que estou utilizando é:
iptables -A FORWARD -p tcp -d 192.168.1.11 --dport 50:100 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.1.11 --dport 50:100 -j ACCEPT
Utilizo no meu firewall proxy transparente.
echo "----------Inicio Regras de Firewall Goes---------------"
#!/bin/sh
# Variaveis
# -------------------------------------------------------
IF_EXTERNA=eth0
IF_INTERNA=eth1
echo -n "Carregando Modulos.............................."
# Ativa modulos
# -------------------------------------------------------
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
#modprobe ipt_layer7
echo " { OK } "
echo -n "Ativando Roteamento no Kernel..................."
# Ativa roteamento no kernel
# -------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " { OK } "
echo -n "Ativando Protecao contra Spoofing..............."
# Proteçontra IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo " { OK } "
echo -n "Limpando Regras Existentes......................"
# Zera regras
# -------------------------------------------------------
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
iptables -N unclean
echo " { OK } "
echo -n "Definindo Politica Padrao......................."
# Determina a politica padrao
# -------------------------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo " { OK } "
#################################################
# Tabela FILTER
#################################################
echo -n "Dropando Pacotes Indesejados e Registrando Log.."
# Dropa pacotes TCP indesejaveis
# -------------------------------------------------------
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Aceita os pacotes que realmente devem entrar
# -------------------------------------------------------
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p udp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3389 -j ACCEPT
#Libera porta do squid para a interface interna
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo " { OK } "
echo -n "Ativando Protecao do Firewall..................."
# Protecao contra trinoo
# -------------------------------------------------------
iptables -N TRINOO
iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
iptables -A TRINOO -j DROP
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO
# Proteçontra tronjans
# -------------------------------------------------------
iptables -N TROJAN
iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
iptables -A TROJAN -j DROP
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN
# Protecao contra worms
# -------------------------------------------------------
iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT
# Protecao contra syn-flood
# -------------------------------------------------------
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Protecao contra ping da morte
# -------------------------------------------------------
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Protecao contra port scanners
# -------------------------------------------------------
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
iptables -A IN\PUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER
# Loga tentativa de acesso a determinadas portas
# -------------------------------------------------------
iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "
echo " { OK } "
# Libera acesso externo a determinadas portas
# -------------------------------------------------------
iptables -A INPUT -p tcp --dport 7826 -i $IF_EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 7826 -i $IF_INTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -i $IF_EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -i $IF_INTERNA -j ACCEPT
# Libera acesso externo a determinadas portas
# -------------------------------------------------------
iptables -A INPUT -p tcp --dport 7826 -i $IF_EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 7826 -i $IF_INTERNA -j ACCEPT
# Ativa mascaramento de saida
# -------------------------------------------------------
#iptables -A POSTROUTING -t nat -o $IF_EXTERNA -j MASQUERADE
echo -n "Regras de Redirecionamento......................"
#Redirecionamento para Area de trabalho Remota
iptables -A INPUT -p tcp -s 0/0 --dport 3389 --syn -j ACCEPT
iptables -A INPUT -p tcp --syn -s $IF_INTERNA -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 192.168.1.11
#Redireciona para o squid -- proxy transparente
#iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo " { OK } "
#liberacao de portas por ip
iptables -A FORWARD -p tcp -d 192.168.1.11 --dport 50:100 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.1.11 --dport 50:100 -j ACCEPT