Iptables
Gentlemen, I am trying to set up a firewall at the company that is quite closed and
selective.
Here is the situation:
I put in the rules to open ports 22 (ssh), 25+110 (smtp)+(pop), 110 http, and 20/21
for ftp
echo ' masquerading'
# note: $INTERNET is used both as an interface (-i/-o) and as an address (-s/--to) below;
# it cannot be both, and $INText is used for the outside interface elsewhere
$IPT -t nat -A POSTROUTING -s $REDE -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
#$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to $INTERNET
echo ' established connections'
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo ' messenger login '
# hostnames in -d are resolved once, when the rule is loaded
$IPT -I FORWARD -s $REDE -d loginnet.passport.com -j REJECT
$IPT -I FORWARD -s $REDE -d webmessenger.msn.com -j REJECT
echo ' proxy '
$IPT -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128
echo ' loopback '
$IPT -A INPUT -i lo -j ACCEPT
echo ' http/https '
$IPT -A FORWARD -i $GATEWAY -p tcp -s $REDE -o $INText --dport 80 -j ACCEPT
$IPT -A FORWARD -i $GATEWAY -p tcp -s $REDE -o $INText --dport 443 -j ACCEPT
$IPT -A FORWARD -i $GATEWAY -p udp -s $REDE -o $INText --dport 443 -j ACCEPT
echo ' dns '
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --sport 53 --dport 53 -s $INTERNET -j ACCEPT
$IPT -A FORWARD -i $GATEWAY -p tcp -s $REDE -o $INText --dport 53 -j ACCEPT
$IPT -A FORWARD -i $GATEWAY -p udp -s $REDE -o $INText --dport 53 -j ACCEPT
echo ' smtp '
$IPT -A FORWARD -i $GATEWAY -p tcp -s $REDE -o $INText --dport 25 -j ACCEPT
echo ' pop '
$IPT -A FORWARD -i $GATEWAY -p tcp -s $REDE -o $INText --dport 110 -j ACCEPT
echo ' ftp '
# active-mode data connections (server port 20 back to the client) only match RELATED
# when the ftp conntrack helper (ip_conntrack_ftp / nf_conntrack_ftp) is loaded
$IPT -A FORWARD -i $GATEWAY -p udp -s $REDE -o $INText --dport 21 -j ACCEPT
$IPT -A FORWARD -i $GATEWAY -p tcp -s $REDE -o $INText --dport 21 -j ACCEPT
$IPT -A FORWARD -i $GATEWAY -p tcp -s $REDE -o $INText --dport 20 -j ACCEPT
echo ' ssh '
$IPT -A FORWARD -i $GATEWAY -p tcp -s $REDE -o $INText --dport 22 -j ACCEPT
# was "ACEPT", which iptables rejects as an unknown target
$IPT -A INPUT -p tcp --dport 9090 -j ACCEPT
echo ' messenger '
$IPT -t nat -A PREROUTING -p tcp --dport 6891:6894 -i $INTERNET -j DNAT --to-destination 10.11.20.171
# "-s" had no argument in the posted version; $REDE is assumed here
$IPT -A FORWARD -p tcp -s $REDE --dport 6891:6894 -j ACCEPT
# single host: 10.11.20.171/24 would have matched the whole 10.11.20.0 network
$IPT -A FORWARD -p tcp -d 10.11.20.171 --dport 6891:6894 -j ACCEPT
# ????????????????????????????????????????????????????????????????????????
#iptables -t filter -A OUTPUT -p tcp --dport 1863 -o $INTERNET -j ACCEPT
# $IPT -A INPUT -p tcp --syn -s 10.11.20.0/255.255.255.0 -j ACCEPT
# $IPT -A INPUT -p tcp --syn -j DROP
$IPT -A INPUT -i $INTERNET -p udp --dport 0:30000 -j DROP
If I apply these rules, is my network closed with respect to ports?
Anyone want to discuss this?
--
[]'
SpYdErLiNuX
"Slackware Linux"
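The question at the end is whether appending those ACCEPT rules closes the network. By itself it does not: the script never sets `-P INPUT DROP` or `-P FORWARD DROP`, so the default policy of both chains stays ACCEPT and every port without an explicit rule remains open, and the final rule only drops UDP ports 0 to 30000 on the outside interface. The following shell script is an added example for this thread, not the poster's script and not part of the original message. It audits an `iptables-save` dump for exactly those two gaps and prints the policy lines the posted script is missing. The two dumps it runs against are constructed for the example (the interface name eth0 and the rule subset in them are assumptions); on a live box feed it the real output with `iptables-save | audit_filter`.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for "open by default" mistakes.
# Not the poster's script. Assumes the standard iptables-save text format.

# Constructed sample: what `iptables-save` shows for a filter table that, like the
# posted script, never sets a policy and only drops UDP 0:30000 from outside.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 0:30000 -j DROP
COMMIT'

# Constructed sample of the same table once INPUT and FORWARD default to DROP.
SAMPLE_CLOSED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# audit_filter: read iptables-save text on stdin, print one finding per line,
# return 1 if anything was found and 0 if the filter table is closed by default.
audit_filter() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($1, 2); next }      # "*filter", "*nat", ...
        table != "filter" { next }
        # ":INPUT ACCEPT [0:0]" -> chain policy; INPUT and FORWARD must be DROP
        /^:/ {
            chain = substr($1, 2); policy[chain] = $2
            if ((chain == "INPUT" || chain == "FORWARD") && $2 != "DROP") {
                print "policy " chain " is " $2 " (needs: -P " chain " DROP)"; bad = 1
            }
            next
        }
        # A DROP on a port range in a chain whose policy is not DROP leaves the
        # rest of the range open (the posted rule stops at 30000).
        /^-A .*--dport [0-9]+:[0-9]+ .*-j DROP/ && policy[$2] != "DROP" {
            for (i = 1; i <= NF; i++) if ($i == "--dport") split($(i + 1), r, ":")
            if (r[2] + 0 < 65535) {
                print "DROP on " $2 " covers ports " r[1] ":" r[2] " only; " \
                      (r[2] + 1) "-65535 stay open"
                bad = 1
            }
        }
        END { exit bad }'
}

# closing_rules: the lines the posted script lacks. With IPT unset it only echoes
# the commands (dry run); run as root with IPT=iptables to apply them, and do so
# before appending the ACCEPT rules.
closing_rules() {
    IPT=${IPT:-"echo iptables"}
    $IPT -F                 # start clean so re-running does not stack old rules
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_OPEN"   | audit_filter || echo "-> as posted, the host is not closed"
printf '%s\n' "$SAMPLE_CLOSED" | audit_filter && echo "-> with DROP policies it is"
closing_rules
```

The audit deliberately ignores the nat table: REDIRECT and DNAT rules change where a packet goes, but whether it is then accepted is decided only by the filter chains and their policies, which is what the check reads.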