Alguem poderia me ajudar com iptables ?
Alguem na lista poderia me ajudar com regras do iptables, explico :
Tudo funcionava mil maravilhas, tenho dois servidores de internet
(adsl) cada um para uso específico com um configurador automatico
(arquivo .pac) de navegadores que determina pelo tipo de site qual dos
proxys deverá usar, um dos proxy é praticamente dedicado a email, mas
oras um tá mais ocioso que o outro. Um belo dia eu acordei e pensei :
puxa ! preciso fazer balanceamento de carga e ter apenas um servidor.
Eureka, comprei um roteador dlink DI-LB604 que possui duas portas WAN
e faz LB (balanceamento de carga). Comprei e instalei-o, muito prático
por sinal e funciona que é uma maravilha. O único porém, é que não
devo usar o DNS da telefonica, devo usar um local ou o OpenDNS - voces
não acreditam o quanto os DNSs da telefonica são lerdos e como dão
problema.
Enfim, tá tudo funcionando de acordo, mas ... (sempre há um mas)
Há alguns usuários como os de RH e Contabilidade que usam alguns
serviços da prefeitura, estado e federal que são muito especificos e
precisam ser programados por iptables, e para esses usuários eu tenho
o gateway com um o script de iptables já com todas as regras. Quando o
gateway estava com eth0 com ip quente(200.x.x.x), funcionava
maravilhosamente bem, mas quando instalei o roteador onde o eth0 ficou
com ip frio (192.168.0.x) ele deixou de funcionar. O script tá
programado para usar o IP de eth0 como referencia durante todo o
script, de forma que não deveria parar nunca, mas ele pára.
Eu já fiquei descabelado, e não sei onde tá o erro, mas sei que a
partir dessas linhas no script :
134 ## Flush Built-in Rules
135 $IPTABLES -F INPUT
136 $IPTABLES -F OUTPUT
137 $IPTABLES -F FORWARD
Ele simplesmente morre, e nenhuma linha a seguir do script parece
funcionar direito.
Será que alguem poderia me ajudar a descobrir porque este script
morreu quando passei a usar eth0=192.168.0.x ao invés do ip quente ?
Se alguem precisar do arquivo mesmo, basta me pedir em particular e eu envio.
Tô desesperado, e já estou escrevendo outro script com menos linhas
como plano B. Mas é que eu me apeguei ao script velho e gostaria de
recupera-lo ou entender o que sucede.
<------ SCRIPT ------>
1 #!/bin/bash
2 #
3 # http://www.Sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables.dual
4 #
5 ##################################################################
6 #
7 ## rc.firewall.iptables.dual -- Version 1.2b2
8 #
9 ##################################################################
10 ## Obsid@sentry.net
11 ## http://www.sentry.net/~obsid/
12 ## 04/28/01
13 ## Example IPTables 1.2.1 script for a dual-homed firewall.
14 ## This script has not yet been tested thoroughly on a dual-homed
15 ## firewall. If you find any problems, please drop me an email.
16 ## Current versions and documentation are available at
17 ## http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/
18 ## Visit one of the NetFilter Project Home Pages for more
information about IPTables.
19 ## http://netfilter.filewatcher.org/
20 ## http://netfilter.samba.org/
21 ## More Resources:
22 ## http://netfilter.filewatcher.org/netfilter-faq.html
23 ## http://netfilter.filewatcher.org/unreliable-guides/networking-concepts-HOWTO/index.html
24 ## http://netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html
25 ## http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html
26 ## http://www.ds9a.nl/2.4Routing/HOWTO/cvs/2.4routing/output/2.4routing.html
27 echo "Firewall para o servidor FWVIDY..."
28 ## Carregando alguns modulos importantes ##
29 /sbin/modprobe ip_tables
30 /sbin/modprobe iptable_nat
31 /sbin/modprobe ip_conntrack_ftp
32 /sbin/modprobe ip_nat_ftp
33 /sbin/modprobe ip_conntrack
34 /sbin/modprobe ip_conntrack_ftp
35 /sbin/modprobe ip_conntrack_irc
36 /sbin/modprobe ip_nat_ftp
37 /sbin/modprobe ip_nat_irc
38 /sbin/modprobe iptable_filter
39 /sbin/modprobe iptable_mangle
40 /sbin/modprobe iptable_nat
41 /sbin/modprobe ipt_limit
42 /sbin/modprobe ipt_LOG
43 /sbin/modprobe ipt_MASQUERADE
44 /sbin/modprobe ipt_state
45 /sbin/modprobe ipt_TOS
46 /sbin/modprobe ip_nat
47 ## Variaveis ##
48 ATIVAR_PROXY_TRANSPARENTE="N"
49 REDIRECIONAR_SSH="N"
50 REDIRECIONAR_HTTP="N"
51 REDIRECIONAR_SMTP="N"
52 REDIRECIONAR_POP3="N"
53 REDIRECIONAR_IMAP="N"
54 REDIRECIONAR_FIREBIRD="N"
55 REDIRECIONAR_MSSQL="N"
56 LIBERAR_SERVIDORES="S"
57 LIBERAR_LISTA_BRANCA="S"
58 LIBERAR_CAIXAGOV="S"
59 LIBERAR_GMAIL="S"
60 LIBERAR_SPTRANS="S"
61 LIBERAR_SIMPLES_EMBU="S"
62 LIBERAR_SINTEGRA="S"
63 LIBERAR_RECEITANET="S"
64 LIBERAR_TESTES="N"
65 LIBERAR_FERREIRA="S"
66 LIBERAR_CLEU="S"
67 LIBERAR_EXPOLABOR="S"
68 LIBERAR_GLADISTON="S"
69 LIBERAR_PIERRE="N"
70 LIBERAR_SERGIO="S"
71 LIBERAR_REDE="N"
72 LIBERAR_AVULSOS="S"
73 LIBERAR_RAISNET="S"
74 LIBERAR_LINKSYS="S"
75 REJEITAR_MSN="N"
76 HELLO_TXT="/tmp/firewall_fwvidy.txt"
77 IPTABLES=`which iptables` ## Default IPTables >= v. 1.2.0
78 IFCONFIG=`which ifconfig`
79 GREP=`which grep`
80 CUT=`which cut`
81 LOOPBACK="lo" ## Loopback Interface
82 EXTERNAL="eth0" ## External Interface
83 INTERNAL="eth1" ## Internal Interface
84 EXT_IP=""
85 INT_IP=""
86 INTERNAL_NET="192.168.1.0/24" ## Network address for the internal network
87 #
88 # Autoidentifica os IPs da interface interna e externa
89 #
90 if [ -z "$INT_IP" ] ; then
91 INT_IP=`$IFCONFIG $INTERNAL|$GREP "inet end"|$CUT -d":" -f
2|$CUT -d" " -f 2`
92 fi
93 if [ -z "$EXT_IP" ] ; then
94 EXT_IP=`$IFCONFIG $EXTERNAL|$GREP "inet end"|$CUT -d":" -f
2|$CUT -d" " -f 2`
95 fi
96 #
97 # Se nao conseguiu entao utiliza os IPs conhecidos usados na VIDY
98 #
99 if [ -z "$INT_IP" ] || [ "$INT_IP" = "" ] ; then
100 INT_IP="192.168.1.254"
101 fi
102 if [ -z "$EXT_IP" ] || [ "$EXT_IP" = "" ] ; then
103 EXT_IP="192.168.0.4"
104 fi
105 LOG_LEVEL="notice" ## Default log level: kern.notice
106 echo "Interface Externa : $EXTERNAL - $EXT_IP">$HELLO_TXT
107 echo "Interface Interna : $INTERNAL - $INT_IP">>$HELLO_TXT
108 echo "Rede Interna : $INTERNAL_NET">>$HELLO_TXT
109 echo "Rede Externa : 0.0.0.0/0.0.0.0 (tudo)">>$HELLO_TXT
110 echo "iptables : $IPTABLES">>$HELLO_TXT
111 echo "cut : $CUT">>$HELLO_TXT
112 echo "grep : $GREP">>$HELLO_TXT
113 # mensagem na console de que o firewall esta sendo executado
114 wall $HELLO_TXT
115 if [ -z "$EXTERNAL" ] ; then
116 echo "Nao foi encontrado a interface EXTERNA."
117 exit 2;
118 fi
119 if [ -z "$INTERNAL" ] ; then
120 echo "Nao foi encontrado a interface INTERNA."
121 exit 2;
122 fi
123 if [ -z "$EXT_IP" ] ; then
124 echo "Nao foi encontrado o IP da interface EXTERNA ($EXTERNAL)."
125 exit 2;
126 fi
127 if [ -z "$INT_IP" ] ; then
128 echo "Nao foi encontrado o IP da interface INTERNA ($INTERNAL)."
129 exit 2;
130 fi
131 echo "Limpando configuracoes iniciais..."
132 ## Attempt to Flush All Rules in Filter Table
133 $IPTABLES -F
134 ## Flush Built-in Rules
135 $IPTABLES -F INPUT
136 $IPTABLES -F OUTPUT
137 $IPTABLES -F FORWARD
138 ## Flush Rules/Delete User Chains in Mangle Table, if any
139 $IPTABLES -F -t mangle
140 $IPTABLES -t mangle -X
141 ## Delete all user-defined chains, reduces dumb warnings if you run
142 ## this script more than once.
143 $IPTABLES -X
144 if [ "$1" == "stop" ] ; then
145 echo "Parando o serviço de firewalling."
146 exit 0;
147 fi
148 ## Set Default Policies
149 $IPTABLES -P INPUT DROP ## Highly Recommended Default Policy
150 $IPTABLES -P OUTPUT DROP
151 $IPTABLES -P FORWARD ACCEPT
152 ################
153 # habilitando monitoramento
154 # para verificar o consumo digite :
155 # iptables -vnL acct_in
156 # iptables -vnL acct_out
157 #$IPTABLESES -N acct_in
158 #$IPTABLES -N acct_out
159 #$IPTABLES -I acct_in -j RETURN
160 #$IPTABLES -i acct_out -j RETURN
161 #$IPTABLES -I INPUT -i $EXT_IP -j acct_in
162 #$IPTABLES -I OUTPUT -o $EXT_IP -j acct_out
163 #$IPTABLES -I FORWARD -i $EXT_IP -j acct_in
164 #$IPTABLES -I FORWARD -o $EXT_IP -j acct_out
165 # fim do monitoramento
166 ################
167 ## Reserved/Private IP Addresses ##
168 ## The following was adapted from Jean-Sebastien Morisset's
excellent IPChains
169 ## firewall script, available at --
http://jsmoriss.mvlan.net/linux/rcf.html
170 ## See DOCUMENTATION for optimization notes.
171 echo "Verificando IPs reservados para regras de rejeicao..."
172 RESERVED_NET="
173 0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
174 5.0.0.0/8 \
175 7.0.0.0/8 \
176 23.0.0.0/8 \
177 27.0.0.0/8 \
178 31.0.0.0/8 \
179 36.0.0.0/8 37.0.0.0/8 \
180 39.0.0.0/8 \
181 41.0.0.0/8 42.0.0.0/8 \
182 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
183 68.0.0.0/8 68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8
72.0.0.0/8 73.0.0.0/8 \
184 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8
79.0.0.0/8 80.0.0.0/8 \
185 81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8
86.0.0.0/8 87.0.0.0/8 \
186 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8
93.0.0.0/8 94.0.0.0/8 \
187 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8
100.0.0.0/8 101.0.0.0/8 \
188 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
189 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
190 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
191 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
192 126.0.0.0/8 127.0.0.0/8 \
193 197.0.0.0/8 \
194 201.0.0.0/8 \
195 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
196 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
197 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
198 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
199 ## More variables further down near the NAT rules.
200 ## NOTE: User-defined chains first, regular INPUT/OUTPUT chains
will follow.
201 ###############################################################################
202 ## Special Chains
203 ###############################################################################
204 ###############################################################################
205 ## Special chain KEEP_STATE to handle incoming, outgoing, and
206 ## established connections.
207 $IPTABLES -N KEEP_STATE
208 $IPTABLES -F KEEP_STATE
209 ##------------------------------------------------------------------------##
210 ## DROP packets associated with an "INVALID" connection.
211 $IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP
212 ##------------------------------------------------------------------------##
213 ##------------------------------------------------------------------------##
214 ## UNCLEAN match target, somewhat experimental at this point.
215 # $IPTABLES -A KEEP_STATE -m unclean -j DROP
216 ##------------------------------------------------------------------------##
217 ##------------------------------------------------------------------------##
218 ## ACCEPT packets which are related to an established connection.
219 $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
220 ##------------------------------------------------------------------------##
221 echo "Regras para rejeicao de pacotes que procuram fazer scan
neste servidor..."
222 ###############################################################################
223 ## Special chain CHECK_FLAGS that will DROP and log TCP packets
with certain
224 ## TCP flags set.
225 ## We set some limits here to limit the amount of crap that gets sent
226 ## to the logs.
227 ## Keep in mind that these rules should never match normal traffic, they
228 ## are designed to capture obviously messed up packets... but
there's alot of
229 ## wierd shit out there, so who knows.
230 $IPTABLES -N CHECK_FLAGS
231 $IPTABLES -F CHECK_FLAGS
232 ##------------------------------------------------------------------------##
233 ## NMAP FIN/URG/PSH
234 #$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
235 # --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix
"NMAP-XMAS:"
236 #$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
237 ##------------------------------------------------------------------------##
238 ##------------------------------------------------------------------------##
239 ## SYN/RST
240 #$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
241 # --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
242 #$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
243 ##------------------------------------------------------------------------##
244 ##------------------------------------------------------------------------##
245 ## SYN/FIN -- Scan(probably)
246 #$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
247 # --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
248 #$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
249 ##------------------------------------------------------------------------##
250 echo "Limitando Port-Scans para levar apenas 5 segundos..."
251 ##------------------------------------------------------------------------##
252 ## Make some types of port scans annoyingly slow, also provides some
253 ## protection against certain DoS attacks. The rule in chain KEEP_STATE
254 ## referring to the INVALID state should catch most TCP packets with the
255 ## RST or FIN bits set that aren't associate with an
established connection.
256 ## Still, these will limit the amount of stuff that is accepted
through our
257 ## open ports(if any). I suggest you test these for your
configuration before
258 ## you uncomment them, as they could cause problems.
259 $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp
--tcp-flags ALL RST -j ACCEPT
260 $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp
--tcp-flags ALL FIN -j ACCEPT
261 $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp
--tcp-flags ALL SYN -j ACCEPT
262 ##------------------------------------------------------------------------##
263 ###############################################################################
264 ## Special Chain DENY_PORTS
265 ## This chain will DROP/LOG packets based on port number.
266 $IPTABLES -N DENY_PORTS
267 $IPTABLES -F DENY_PORTS
268 ##------------------------------------------------------------------------##
269 ## DROP TCP packets based on port number.
270 ## See DOCUMENTATION for explanation of these example port numbers.
271 #DENIED_PORTS_TCP="137:139 2049 6000:6063 \
272 # 20034 12345:12346 27374 27665 \
273 # 27444 31335 10498 12754"
274 DENIED_PORTS_TCP="137:139 6000:6063 \
275 20034 12345:12346 27374 27665 \
276 27444 31335 10498 12754"
277 echo "Negando acesso as seguintes portas TCP :"
278 echo $DENIED_PORTS_TCP
279 for PORT in $DENIED_PORTS_TCP; do
280 # tirando o verbose da tela
281 # $IPTABLES -A DENY_PORTS -p tcp --dport $PORT -m limit
--limit 5/minute \
282 # -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORT $PORT:"
283 $IPTABLES -A DENY_PORTS -p tcp --sport $PORT -m limit
--limit 5/minute \
284 -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORT $PORT:"
285 $IPTABLES -A DENY_PORTS -p tcp --dport $PORT -j DROP
286 $IPTABLES -A DENY_PORTS -p tcp --sport $PORT -j DROP
287 done
288 ##------------------------------------------------------------------------##
289 ##------------------------------------------------------------------------##
290 ## DROP UDP packets based on port number.
291 ## See DOCUMENTATION for explanation of these example port numbers.
292 #DENIED_PORTS_UDP="2049 31337 27444 31335 10498"
293 DENIED_PORTS_UDP="31337 27444 31335 10498"
294 echo "Negando acesso as seguintes portas UDP :"
295 echo $DENIED_PORTS_UDP
296
297 for PORT in $DENIED_PORTS_UDP; do
298 # tirando o verbose da tela
299 $IPTABLES -A DENY_PORTS -p udp --dport $PORT -m limit --limit 5/minute \
300 -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORT $PORT:"
301 $IPTABLES -A DENY_PORTS -p udp --sport $PORT -m limit --limit 5/minute \
302 -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORT $PORT:"
303 $IPTABLES -A DENY_PORTS -p udp --dport $PORT -j DROP
304 $IPTABLES -A DENY_PORTS -p udp --sport $PORT -j DROP
305 done
306 ##------------------------------------------------------------------------##
307 ####
308 # Negando acesso de alguns MAC-ADDR conhecidos na empresa
309 ####
310 #$IPTABLES -t filter -A FORWARD -j MACtest
311 #$IPTABLES -A MACtest -m mac --mac-source a0:12:f5:8b:15:e0 -j DROP
312 ###############################################################################
313 ## Special Chain ALLOW_PORTS
314 ## Rules to allow packets based on port number. This sort of
thing is generally
315 ## required only if you're running services on(!!!) the
firewall or if you have a
316 ## FORWARD policy of DROP(which we don't right now).
317 $IPTABLES -N ALLOW_PORTS
318 $IPTABLES -F ALLOW_PORTS
319 ##------------------------------------------------------------------------##
320 ## ACCEPT TCP traffic based on port number. (Examples)
321 # TCP_PORTS="ssh domain"
322 TCP_PORTS="25 80 3128"
323 echo "permitindo trafego de dados nas seguintes portas TCP :"
324 echo $TCP_PORTS
325 for PORT in $TCP_PORTS; do
326 $IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp --dport
$PORT -j ACCEPT
327 done
328 ##------------------------------------------------------------------------##
329 ## Monitorar qualquer porta desejada.
330 ## LOG_PORTS="ssh(22) domain(53) smtp(25)
conec.social(2631) http(80)"
331 LOG_PORTS="80 25"
332 # echo "Monitorando as seguintes portas : $LOG_PORTS"
333 # for PORT in $LOG_PORTS; do
334 # $IPTABLES -A FORWARD -p tcp -i $EXTERNAL --dport
$PORT -j LOG \
335 # --log-level $LOG_LEVEL --log-prefix
"MONITORANDO_PORTA_$PORT:"
336 # $IPTABLES -A FORWARD -p tcp --dport $PORT -j LOG \
337 # --log-level $LOG_LEVEL --log-prefix
"MONITORANDO_PORTA_$PORT:"
338 # done
339 ##------------------------------------------------------------------------##
340 ## ACCEPT UDP traffic based on port number.
341 # UDP_PORTS="domain"
342 UDP_PORTS="25 3128"
343 echo "permitindo trafego de dados nas seguintes portas UDP:"
344 echo $TCP_PORTS
345 for PORT in $UDP_PORTS; do
346 $IPTABLES -A ALLOW_PORTS -m state --state NEW -p udp --dport
$PORT -j ACCEPT
347 done
348 ##------------------------------------------------------------------------##
349 ## REJECT port 113 ident requests.
350 #echo "Rejeitando porta 113 ident-requests..."
351 #$IPTABLES -A ALLOW_PORTS -p tcp --dport 113 -j REJECT
--reject-with tcp-reset
352 ##------------------------------------------------------------------------##
353 ###############################################################################
354 ## Special Chain ALLOW_ICMP
355 ## This chain contains rules to allow/drop specific types of
ICMP datagrams.
356 $IPTABLES -N ALLOW_ICMP
357 $IPTABLES -F ALLOW_ICMP
358 ##------------------------------------------------------------------------##
359 ## Echo Reply (pong)
360 echo "Habilitando o echo-reply (pong)..."
361 $IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
362 ##------------------------------------------------------------------------##
363 ##------------------------------------------------------------------------##
364 ## Destination Unreachable
365 $IPTABLES -A ALLOW_ICMP -p icmp --icmp-type
destination-unreachable -j ACCEPT
366 ##------------------------------------------------------------------------##
367 ##------------------------------------------------------------------------##
368 ## Echo Request (ping) -- Several Options:
369 ## Accept Pings ##
370 $IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
371 ## Accept Pings at the rate of one per second ##
372 echo "Limitando pings para 1 segundo..."
373 $IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-request -m
limit --limit 5/second -j ACCEPT
374 ## LOG all pings ##
375 #echo "Registrando todos os pings que forem feitos..."
376 #$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-request -m
limit --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix
"PING:"
377 ##------------------------------------------------------------------------##
378 ##------------------------------------------------------------------------##
379 ## TTL Exceeded (traceroute)
380 $IPTABLES -A ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
381 ##------------------------------------------------------------------------##
382 ###############################################################################
383 ## Special Chain SRC_EGRESS
384 ## Rules to Provide Egress Filtering Based on Source IP Address.
385 $IPTABLES -N SRC_EGRESS
386 $IPTABLES -F SRC_EGRESS
387 ##------------------------------------------------------------------------##
388 ## DROP all reserved private IP addresses. Some of these may be legit
389 ## for certain networks and configurations. For connection problems,
390 ## traceroute is your friend.
391 echo "Rejeitando IPs de redes privadas que nao permitem
rastreabilidade..."
392 ## Class A Reserved
393 $IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -j DROP
394 ## Class B Reserved
395 $IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -j DROP
396 ## Class C Reserved
397 #$IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -j DROP
398 ## Class D Reserved
399 $IPTABLES -A SRC_EGRESS -s 224.0.0.0/4 -j DROP
400 ## Class E Reserved
401 $IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -j DROP
402 # rejeitando destino a redes reservadas
403 #echo "rejeitando destino a redes reservadas..."
404 #for NET in $RESERVED_NET; do
405 # $IPTABLES -A SRC_EGRESS -s $NET -j DROP
406 #done
407 ##------------------------------------------------------------------------##
408 ###############################################################################
409 ## Special Chain DST_EGRESS
410 ## Rules to Provide Egress Filtering Based on Destination IP Address.
411 $IPTABLES -N DST_EGRESS
412 $IPTABLES -F DST_EGRESS
413 ##------------------------------------------------------------------------##
414 ## DROP all reserved private IP addresses. Some of these may be legit
415 ## for certain networks and configurations. For connection problems,
416 ## traceroute is your friend.
417 ## Class A Reserved
418 $IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j DROP
419 ## Class B Reserved
420 $IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP
421 ## Class C Reserved
422 $IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -j DROP
423 ## Class D Reserved
424 $IPTABLES -A DST_EGRESS -d 224.0.0.0/4 -j DROP
425 ## Class E Reserved
426 $IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -j DROP
427 # classe de IPs reservados
428 #for NET in $RESERVED_NET; do
429 # $IPTABLES -A DST_EGRESS -d $NET -j DROP
430 #done
431 ##------------------------------------------------------------------------##
432 ###############################################################################
433 ## Special Chain MANGLE_OUTPUT
434 ## Mangle values of packets created locally. Only TOS values
are mangled right
435 ## now.
436 ## TOS stuff: (type: iptables -m tos -h)
437 ## Minimize-Delay 16 (0x10)
438 ## Maximize-Throughput 8 (0x08)
439 ## Maximize-Reliability 4 (0x04)
440 ## Minimize-Cost 2 (0x02)
441 ## Normal-Service 0 (0x00)
442 echo "Carregando regras TOS/TTL/Mangles :"
443 echo " Minimize-Delay 16 (0x10)"
444 echo " Maximize-Throughput 8 (0x08)"
445 echo " Maximize-Reliability 4 (0x04)"
446 echo " Minimize-Cost 2 (0x02)"
447 echo " Normal-Service 0 (0x00)"
448 $IPTABLES -t mangle -N MANGLE_OUTPUT
449 $IPTABLES -t mangle -F MANGLE_OUTPUT
450 ##---------------------------------------------------------------------------##
451 ## Most of these are the RFC 1060/1349 suggested TOS values,
yours might vary.
452 ## - To view mangle table, type: iptables -L -t mangle
453 $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
454 $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS
--set-tos 16
455 $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS
--set-tos 16
456 $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS
--set-tos 16
457 $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS
--set-tos 16
458 $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS
--set-tos 16
459 $IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS
--set-tos 16
460 $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
461 ##--------------------------------------------------------------------------##
462 ###############################################################################
463 ## Special Chain MANGLE_PREROUTING
464 ## Rules to mangle TOS values of packets routed through the
firewall. Only TOS
465 ## values are mangled right now.
466 ## TOS stuff: (type: iptables -m tos -h)
467 ## Minimize-Delay 16 (0x10)
468 ## Maximize-Throughput 8 (0x08)
469 ## Maximize-Reliability 4 (0x04)
470 ## Minimize-Cost 2 (0x02)
471 ## Normal-Service 0 (0x00)
472 $IPTABLES -t mangle -N MANGLE_PREROUTING
473 $IPTABLES -t mangle -F MANGLE_PREROUTING
474 ##---------------------------------------------------------------------------##
475 ## Most of these are the RFC 1060/1349 suggested TOS values,
yours might vary.
476 ## - To view mangle table, type: iptables -L -t mangle
477 $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j
TOS --set-tos 8
478 $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j
TOS --set-tos 16
479 $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j
TOS --set-tos 16
480 $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j
TOS --set-tos 16
481 $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j
TOS --set-tos 16
482 $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j
TOS --set-tos 16
483 $IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j
TOS --set-tos 16
484 $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j
TOS --set-tos 8
485 ##--------------------------------------------------------------------------##
486 echo "****** Carregando parametros de firewall para entradas *********"
487 ###############################################################################
488 ## Firewall Input Chains
489 ###############################################################################
490 ###############################################################################
491 ## New chain for input to the external interface
492 $IPTABLES -N EXTERNAL_INPUT
493 $IPTABLES -F EXTERNAL_INPUT
494 ##------------------------------------------------------------------------##
495 ## Hated Hosts -- Block hosts/subnets(Example)
496 # $IPTABLES -A EXTERNAL_INPUT -i $EXTERNAL -s 123.123.123.0/24 -j DROP
497 ##------------------------------------------------------------------------##
498 ##------------------------------------------------------------------------##
499 ## Check TCP packets coming in on the external interface for wierd flags
500 $IPTABLES -A EXTERNAL_INPUT -i $EXTERNAL -p tcp -j CHECK_FLAGS
501 ##------------------------------------------------------------------------##
502 ##------------------------------------------------------------------------##
503 ## Filter incoming packets based on port number.
504 $IPTABLES -A EXTERNAL_INPUT -i $EXTERNAL -p ! icmp -j DENY_PORTS
505 ##------------------------------------------------------------------------##
506 ###############################################################################
507 ## New chain for input to the internal interface
508 $IPTABLES -N INTERNAL_INPUT
509 $IPTABLES -F INTERNAL_INPUT
510 ##------------------------------------------------------------------------##
511 ## DROP anything not coming from the internal network.
512 $IPTABLES -A INTERNAL_INPUT -i $INTERNAL -s ! $INTERNAL_NET -j DROP
513 ##------------------------------------------------------------------------##
514 ##------------------------------------------------------------------------##
515 ## Check TCP packets coming in on the external interface for wierd flags.
516 $IPTABLES -A INTERNAL_INPUT -i $INTERNAL -p tcp -j CHECK_FLAGS
517 ##------------------------------------------------------------------------##
518 ##------------------------------------------------------------------------##
519 ## DROP/LOG packets based on port number.
520 $IPTABLES -A INTERNAL_INPUT -i $INTERNAL -p ! icmp -j DENY_PORTS
521 ##------------------------------------------------------------------------##
522 ###############################################################################
523 ## New chain for input to the loopback interface
524 $IPTABLES -N LO_INPUT
525 $IPTABLES -F LO_INPUT
526 ##------------------------------------------------------------------------##
527 ## Accept packets to the loopback interface.
528 $IPTABLES -A LO_INPUT -i $LOOPBACK -j ACCEPT
529 ##------------------------------------------------------------------------##
530 ###############################################################################
531 ## Firewall Output Chains
532 ###############################################################################
533 echo "****** Carregando parametros de firewall para saidas *********"
534 ###############################################################################
535 ## New chain for output from the external interface
536 $IPTABLES -N EXTERNAL_OUTPUT
537 $IPTABLES -F EXTERNAL_OUTPUT
538 ##------------------------------------------------------------------------##
539 ## Check TCP packets coming in on the external interface for wierd flags.
540 $IPTABLES -A EXTERNAL_OUTPUT -o $EXTERNAL -p tcp -j CHECK_FLAGS
541 ##------------------------------------------------------------------------##
542 ##------------------------------------------------------------------------##
543 ## Filter outgoing packets based on port number.
544 $IPTABLES -A EXTERNAL_OUTPUT -o $EXTERNAL -p ! icmp -j DENY_PORTS
545 ##------------------------------------------------------------------------##
546 ###############################################################################
547 ## New chain for output across the internal interface
548 $IPTABLES -N INTERNAL_OUTPUT
549 $IPTABLES -F INTERNAL_OUTPUT
550 ##------------------------------------------------------------------------##
551 ## DROP packets not destined for the internal network.
552 $IPTABLES -A INTERNAL_OUTPUT -o $INTERNAL -d ! $INTERNAL_NET -j DROP
553 ##------------------------------------------------------------------------##
554 ##------------------------------------------------------------------------##
555 ## Filter outgoing packets based on port number.
556 $IPTABLES -A INTERNAL_OUTPUT -o $INTERNAL -p ! icmp -j DENY_PORTS
557 ##------------------------------------------------------------------------##
558 ##------------------------------------------------------------------------##
559 ## Check TCP packets going out on the internal interface for wierd flags.
560 $IPTABLES -A INTERNAL_OUTPUT -o $INTERNAL -p tcp -j CHECK_FLAGS
561 ##------------------------------------------------------------------------##
562 ###############################################################################
563 ## New chain for output across the loopback device
564 $IPTABLES -N LO_OUTPUT
565 $IPTABLES -F LO_OUTPUT
566 ##------------------------------------------------------------------------##
567 ## ACCEPT all traffic across loopback device
568 $IPTABLES -A LO_OUTPUT -o $LOOPBACK -j ACCEPT
569 ##------------------------------------------------------------------------##
570 ###############################################################################
571 ## Main Stuff
572 ###############################################################################
573 ## This is where we get to jump to our user-defined chains from
the built-in
574 ## chains.
575 ##========================================================================##
576 ## Jump to the mangle table rules.
577 $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
578 $IPTABLES -t mangle -A PREROUTING -i $INTERNAL -j MANGLE_PREROUTING
579 ##========================================================================##
580 ##========================================================================##
581 ## LOG and DROP TCP packets with no flags set.
582 ## Possible NULL scan.
583 #$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE \
584 # -m limit --limit 5/minute -j LOG --log-level $LOG_LEVEL \
585 # --log-prefix "NULL SCAN:" --log-tcp-options --log-ip-options
586 #$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
587 ##========================================================================##
588 ##========================================================================##
589 ## Jump to our INPUT chains.
590 ##===================================================================##
591 ## INPUT to our loopback interface.
592 ## Jump to our LO_INPUT Chain.
593 $IPTABLES -A INPUT -i $LOOPBACK -j LO_INPUT
594 ##===================================================================##
595 ##===================================================================##
596 ## INPUT to our internal interface.
597 ## DROP packets not destined for the internal IP address of the
598 ## firewall.
599 $IPTABLES -A INPUT -i $INTERNAL -d ! $INT_IP -j DROP
600 ## Jump to our INTERNAL_INPUT Chain.
601 $IPTABLES -A INPUT -i $INTERNAL -j INTERNAL_INPUT
602 ## DROP/ACCEPT packets based on the state of the connection.
603 $IPTABLES -A INPUT -i $INTERNAL -j KEEP_STATE
604 ## ACCEPT packets based on port number.
605 $IPTABLES -A INPUT -i $INTERNAL -s $INTERNAL_NET -d $INT_IP \
606 -p ! icmp -j ALLOW_PORTS
607 ## Jump to ALLOW_ICMP for general rules relating to the ICMP protocol.
608 $IPTABLES -A INPUT -i $INTERNAL -p icmp -j ALLOW_ICMP
609 ##===================================================================##
610 ##===================================================================##
611 ## INPUT to the external Interface
612 ## Filter out Reserved/Private IP addresses based on source IP.
613 $IPTABLES -A INPUT -i $EXTERNAL -j SRC_EGRESS
614 ## Filter out Reserved/Private IP addresses based on destination IP.
615 $IPTABLES -A INPUT -i $EXTERNAL -j DST_EGRESS
616 ## Jump to our EXTERNAL_INPUT Chain.
617 $IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL_INPUT
618 ## DROP/ACCEPT packets based on the state of the connection.
619 $IPTABLES -A INPUT -i $EXTERNAL -j KEEP_STATE
620 ## Allow Packets On Certain External Ports.
621 $IPTABLES -A INPUT -i $EXTERNAL -p ! icmp -j ALLOW_PORTS
622 ## Jump to ALLOW_ICMP for general rules relating to the ICMP protocol.
623 $IPTABLES -A INPUT -i $EXTERNAL -p icmp -j ALLOW_ICMP
624 ##===================================================================##
625 ## End INPUT Chain Rules ##
626 ##========================================================================##
627 ##========================================================================##
628 ## Jump to our OUTPUT chains.
629 ##===================================================================##
630 ## OUTPUT on the loopback interface.
631 ## Jump to our LO_OUTPUT Chain.
632 $IPTABLES -A OUTPUT -o $LOOPBACK -j LO_OUTPUT
633 ##===================================================================##
634 ##===================================================================##
635 ## OUTPUT on the internal interface.
636 ## Jump to our INTERNAL_OUTPUT Chain.
637 $IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL_OUTPUT
638 ## DROP anything not coming from the firewall.
639 $IPTABLES -A OUTPUT -o $INTERNAL -s ! $INT_IP -j DROP
640 ## Jump to the KEEP_STATE chain for generic state-based packet filtering.
641 $IPTABLES -A OUTPUT -o $INTERNAL -j KEEP_STATE
642 ## ACCEPT NEW connections from the firewall to the internal network.
643 $IPTABLES -A OUTPUT -o $INTERNAL -s $INT_IP \
644 -d $INTERNAL_NET -m state --state NEW -j ACCEPT
645 ##===================================================================##
646 ##===================================================================##
647 ## OUTPUT on the external interface
648 ## Filter out Reserved/Private IP addresses based on source IP.
649 $IPTABLES -A OUTPUT -o $EXTERNAL -j SRC_EGRESS
650 ## Filter out Reserved/Private IP addresses based on destination IP.
651 $IPTABLES -A OUTPUT -o $EXTERNAL -j DST_EGRESS
652 ## Jump to our EXTERNAL_OUTPUT Chain.
653 $IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL_OUTPUT
654 ## Jump to the KEEP_STATE chain for generic state-based packet filtering.
655 $IPTABLES -A OUTPUT -o $EXTERNAL -j KEEP_STATE
656 ## Accept outgoing packets establishing a NEW connection.
657 $IPTABLES -A OUTPUT -o $EXTERNAL -m state --state NEW -j ACCEPT
658 ##===================================================================##
659 ## End OUTPUT Chain Rules ##
660 ##========================================================================##
661 ##========================================================================##
662 ## Jump to our FORWARD chains.
663 ##===================================================================##
664 ## Jump to our (INTERFACE)_INPUT/OUTPUT Chains.
665 $IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL_INPUT
666 $IPTABLES -A FORWARD -i $INTERNAL -j INTERNAL_INPUT
667 $IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL_OUTPUT
668 $IPTABLES -A FORWARD -o $INTERNAL -j INTERNAL_OUTPUT
669 ##===================================================================##
670 ##===================================================================##
671 ## More rules to DROP stuff.
672 ##----------------------------------------------------------------##
673 ## DROP any attempted NEW connections to the internal network.
674 $IPTABLES -A FORWARD -i $EXTERNAL -d $INTERNAL_NET -m state
--state NEW -j DROP
675 ##----------------------------------------------------------------##
676 ##----------------------------------------------------------------##
677 ## DROP any outbound traffic to the internal network that is trying to
678 ## establish a NEW connection.
679 $IPTABLES -A FORWARD -o $INTERNAL -d $INTERNAL_NET -m state
--state NEW -j DROP
680 ##----------------------------------------------------------------##
681 ##----------------------------------------------------------------##
682 ## DROP echo reply packets coming into the internal interface.
683 $IPTABLES -A FORWARD -o $INTERNAL -p icmp --icmp-type
echo-request -j DROP
684 ##----------------------------------------------------------------##
685 ##===================================================================##
686 ##===================================================================##
687 ## Egress Stuff
688 ## NOTE: Some of these rules will break things if you're redirecting
689 ## connections to another port, rather than simply routing between
690 ## the external and internal network.
691 ##----------------------------------------------------------------##
692 ## DROP anything not headed for the internal network.
693 $IPTABLES -A FORWARD -i $EXTERNAL -d ! $INTERNAL_NET -j DROP
694 ## Filter out Reserved/Private IP addresses based on Source IP.
695 $IPTABLES -A FORWARD -i $EXTERNAL -j SRC_EGRESS
696 $IPTABLES -A FORWARD -o $EXTERNAL -s ! $INTERNAL_NET -j SRC_EGRESS
697 ## Filter out Reserved/Private IP addresses based on destination IP.
698 $IPTABLES -A FORWARD -o $EXTERNAL -j DST_EGRESS
699 ##----------------------------------------------------------------##
700 ##----------------------------------------------------------------##
701 ## Filter out Reserved/Private IP addresses based on Destination IP.
702 $IPTABLES -A FORWARD -i $INTERNAL -j DST_EGRESS
703 $IPTABLES -A FORWARD -o $INTERNAL -j SRC_EGRESS
704 ##----------------------------------------------------------------##
705 ## End Egress Stuff ##
706 ##===================================================================##
707 ##===================================================================##
708 ## ACCEPT some stuff.
709 ## Basic State Based Rules.
710 $IPTABLES -A FORWARD -j KEEP_STATE
711 ## Accept outgoing packets establishing a NEW connection.
712 $IPTABLES -A FORWARD -o $EXTERNAL -m state --state NEW -j ACCEPT
713 ## Jump to ALLOW_ICMP for general rules relating to the ICMP protocol.
714 $IPTABLES -A FORWARD -p icmp -j ALLOW_ICMP
715 ##===================================================================##
716 ## End FORWARD Chain Rules ##
717 ##========================================================================##
718 ### END FIREWALL RULES ###
719 ##------------------------------------------------------------------------##
720 ## I generally prefer to keep the NAT stuff in a separate file
called ##
721 ## rc.firewall.nat, which is why alot of these variables are
declared ##
722 ## again here, but that's just me.
##
723 ##------------------------------------------------------------------------##
724 echo "#####################################################"
725 echo "## IPTABLES Network Address Translation(NAT) Rules ##"
726 echo "#####################################################"
727
728 ###############################################################################
729 ## IPTABLES Network Address Translation(NAT) Rules
730 ###############################################################################
731 ###############################################################################
732 ## Destination NAT -- (DNAT)
733 echo "Applicando regras de redirecionamento..."
734 if [ "$ATIVAR_PROXY_TRANSPARENTE" = "S" ] ; then
735 echo "########################################"
736 echo "## REDIRECIONAMENTO PROXY TRANSPARENTE #"
737 echo "########################################"
738 echo "Aplicando redirecionamento da porta 80 para o SQUID
(proxy transparente)"
739 $IPTABLES -t nat -A PREROUTING -p tcp -s $INTERNAL_NET \
740 --dport 80 -j REDIRECT --to-port 3128
741 #echo "$IPTABLES -A -t nat PREROUTING -p tcp -s $INTERNAL_NET
--dport 80 -j REDIRECT --to-port 3128"
742 echo "Redirecionamento aplicado. Proxy transparente funcionando."
743 fi
744 if [ "$REDIRECIONAR_SSH" = "S" ] ; then
745 echo "########################################"
746 echo "# REDIRECIONAR SSH(22) #"
747 echo "########################################"
748 $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP \
749 --dport 22 -j DNAT --to-destination 192.168.1.2:22
750 fi
751 if [ "$REDIRECIONAR_HTTP" = "S" ] ; then
752 echo "################################"
753 echo "# Redirecionamento de HTTP(80) #"
754 echo "################################"
755 $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP \
756 --dport 80 -j DNAT --to-destination 192.168.1.5:80
757 fi
758 if [ "$REDIRECIONAR_SMTP" = "S" ] ; then
759 echo "################################"
760 echo "# Redirecionamento de SMTP(25) #"
761 echo "################################"
762 #$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp \
763 # -d $EXT_IP --dport 25 -j DNAT --to-destination
192.168.1.5:25
764 $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport
25 -j DNAT --to-destination 192.168.1.5:25
765 fi
766 if [ "$REDIRECIONAR_POP3" = "S" ] ; then
767 echo "#################################"
768 echo "# Redirecionamento de POP3(110) #"
769 echo "#################################"
770 $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP \
771 --dport 110 -j DNAT --to-destination 192.168.1.5:110
772 fi
773 if [ "$REDIRECIONAR_IMAP" = "S" ] ; then
774 echo "#################################"
775 echo "# Redirecionamento de IMAP(143) #"
776 echo "#################################"
777 $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP \
778 --dport 143 -j DNAT --to-destination 192.168.1.5:143
779 fi
780 if [ "$REDIRECIONAR_FIREBIRD" = "S" ] ; then
781 echo "################################################"
782 echo "# Redirecionamento para o servidor FirebirdSQL #"
783 echo "################################################"
784 $IPTABLES -t nat -A PREROUTING -p tcp -s 0/0 -d $EXT_IP
--dport 3050 -j DNAT --to-destination 192.168.1.14:3050
785 fi
786 if [ "$REDIRECIONAR_MSSQL" = "S" ] ; then
787 echo "################################################"
788 echo "# Redirecionamento para o servidor MSSQL #"
789 echo "################################################"
790 $IPTABLES -t nat -A PREROUTING -p tcp -s 0/0 -d $EXT_IP
--dport 1433 -j DNAT --to-destination 192.168.1.14:1433
791 fi
792 echo "Aplicando regras de mascaramento..."
793 ###############################################################################
794 ## Source NAT -- (SNAT/Masquerading)
795 ## Source NAT allows us to "masquerade" our internal machines behind our
796 ## firewall. (Examples)
797 #######
798 # As maquinas na rede interna por padrao tem acesso aos seguintes
799 # servicos : smtp, pop3, dns
800 echo "Mascaramento das portas : smtp, pop3, dns"
801 echo "para toda a rede $INTERNAL_NET..."
802 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp --dport 25
-j MASQUERADE
803 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp --dport 110
-j MASQUERADE
804 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp --dport 53
-j MASQUERADE
805 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp --dport 52
-j MASQUERADE
806 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp --dport 119
-j MASQUERADE
807 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp --dport 119
-j MASQUERADE
808 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp --dport 143
-j MASQUERADE
809 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp --dport 143
-j MASQUERADE
810 if [ "$LIBERAR_LISTA_BRANCA" = "S" ] ; then
811 echo "### Liberando acesso para atualizacao dos anti-virus AVG"
812 while read LINHA ; do
813 if [ "$LINHA" != "" ] ; then
814 if ! [[ "$LINHA" =~ "#" ]] ; then
815 LIBERAR_SITE="$LINHA"
816 echo "liberando navegacao transparente para o site
:$LIBERAR_SITE"
817 $IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -o
$EXTERNAL -d $LIBERAR_SITE -j MASQUERADE
818 #echo "$IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET
-o $EXTERNAL -d $LIBERAR_SITE -j MASQUERADE"
819 $IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -o
$EXTERNAL -j LOG --log-level $LOG_LEVEL --log-prefix "LISTA_BRANCA:"
820 else
821 echo $LINHA
822 fi
823 fi
824 done </home/administrador/fwvidy-scripts/firewall-lista_branca.txt
825 fi
826 # sites da caixa economica federal
827 # acrescente essa lista no proxy.pac
828 if [ "$LIBERAR_CAIXAGOV" = "S" ] ; then
829 echo "Liberando sites da caixa.gov.br..."
830 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d cmt.caixa.gov.br -j MASQUERADE
831 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d webp.caixa.gov.br -j MASQUERADE
832 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d www.caixa.gov.br -j MASQUERADE
833 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d caixa.gov.br -j MASQUERADE
834 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d obsupgdp.caixa.gov.br -j MASQUERADE
835 # conectividade social
836 echo "Liberando IPs conhecidos da caixa.gov.br"
837 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp --dport
2631 -j MASQUERADE
838 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp --dport
2631 -j MASQUERADE
839 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.201.162.0/24 -j MASQUERADE
840 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.201.166.0/24 -j MASQUERADE
841 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.201.173.0/24 -j MASQUERADE
842 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.201.174.0/24 -j MASQUERADE
843 ### REDIRECIONANDO P/ PROXY
844 #$IPTABLES -t nat -A PREROUTING -s $INTERNAL_NET -p tcp
--dport 80 -d ! 200.201.173.0/24 -j REDIRECT --to-port 3128
845 #$IPTABLES -t nat -A PREROUTING -s $INTERNAL_NET -p tcp
--dport 80 -d ! 200.201.174.0/24 -j REDIRECT --to-port 3128
846 #$IPTABLES -t nat -A PREROUTING -s $INTERNAL_NET -p tcp
--dport 80 -d ! 200.201.166.0/24 -j REDIRECT --to-port 3128
847 fi
848 ###################################################
849 ### Google POP3 e IMAP para alguns usuarios ###
850 ### de ip fixo da nossa rede local ###
851 ###################################################
852 if [ "$LIBERAR_GMAIL" = "S" ] ; then
853 #####################################
854 ### Rudd ###
855 #####################################
856 echo "Liberando IMAP e POP3 do GMAIL para rede interna."
857 $IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -o $EXTERNAL
-d imap.gmail.com -j MASQUERADE
858 $IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -o $EXTERNAL
-d smtp.gmail.com -j MASQUERADE
859 fi
860 ##========================================================================##
861 ## Static IP address ##
862 if [ "$LIBERAR_REDE" = "S" ] ; then
863 echo "Liberando a rede inteira com acesso total a mascarading..."
864 echo "192.168.1.* com acesso transparente."
865 # servidor de arquivos (vidy1)
866 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o
$EXTERNAL -j MASQUERADE
867 fi
868 if [ "$LIBERAR_SERVIDORES" = "S" ] ; then
869 echo "Permitindo a alguns servidores acesso total a mascarading..."
870 echo "192.168.1.[2/4/5/14/50] tem acesso transparente."
871 # servidor de arquivos (vidy1)
872 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.2/32 -o
$EXTERNAL -j MASQUERADE
873 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.10/32 -o
$EXTERNAL -j MASQUERADE
874 # servidor de banco de dados (terra)
875 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.14/32 -o
$EXTERNAL -j MASQUERADE
876 # servidor de intranet (vidy2)
877 #$IPTABLES -t nat -A POSTROUTING -s 192.168.1.5/32 -o
$EXTERNAL -j MASQUERADE
878 fi
879 if [ "$LIBERAR_GLADISTON" = "S" ] ; then
880 echo "Liberando proxy transparente para Gladiston/Informatica"
881 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.50/32 -o
$EXTERNAL -j MASQUERADE
882 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.50/32 -o
$EXTERNAL -j LOG --log-level $LOG_LEVEL --log-prefix "GLADISTON:"
883 fi
884 if [ "$LIBERAR_PIERRE" = "S" ] ; then
885 echo "Liberando proxy transparente para Pierre/Diretor"
886 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.171/32 -o
$EXTERNAL -j MASQUERADE
887 fi
888 if [ "$LIBERAR_SERGIO" = "S" ] ; then
889 echo "Liberando proxy transparente para Sergio/Diretor"
890 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.124/32 -o
$EXTERNAL -j MASQUERADE
891 fi
892 if [ "$LIBERAR_FERREIRA" = "S" ] ; then
893 echo "Liberando proxy transparente para Ferreira/RH"
894 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.74/32 -o
$EXTERNAL -j MASQUERADE
895 fi
896 if [ "$LIBERAR_CLEU" = "S" ] ; then
897 echo "Liberando proxy transparente para Cleu/RH"
898 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.120/32 -o
$EXTERNAL -j MASQUERADE
899 fi
900 if [ "$REJEITAR_MSN" = "S" ] ; then
901 echo "Rejeitando pacotes MSN"
902 #indiana.ebuddy.com
903 $IPTABLES -A FORWARD -s $INTERNAL_NET -o $EXTERNAL -d
ebuddy.com -p tcp -m string --string 'msn' -m limit --limit 6/h -j
DROP
904 fi
905 if [ "$LIBERAR_SPTRANS" = "S" ] ; then
906 ###############################################################
907 # liberando acesso a uma página especial de admnistracao do #
908 # site sptrans donde pode-se requisitar vale-transportes #
909 # e outros servicos #
910 ###############################################################
911 echo "Liberando SPTRANS..."
912 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.189.189.94 -p tcp --dport 809 -j MASQUERADE
913 $IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -o $EXTERNAL
-d www.sptrans.com.br -j MASQUERADE
914 # $IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NET -o
$EXTERNAL -d www.sptrans.com.br -j MASQUERADE
915 fi
916 if [ "$LIBERAR_SIMPLES_EMBU" = "S" ] ; then
917 ###############################################################
918 # liberando acesso ao simples - embu para toda a rede interna #
919 # o IP para as aplicacoes desenvolvidas pela cidade de embu #
920 # utiliza o endereÃo 200.232.50.106:3000 #
921 ###############################################################
922 echo "Liberando acesso ao simples/embu..."
923 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.232.50.106 -p tcp --dport 3000 -j MASQUERADE
924 # liberando acesso ao sistema do taboao (iss)
925 echo "liberando acesso ao sistema do taboao (iss)"
926 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.177.97.71 -j MASQUERADE
927 fi
928 if [ "$LIBERAR_RAISNET" = "S" ] ; then
929 ###############################################################
930 # liberando acesso ao raisnet #
931 ###############################################################
932 echo "Liberando acesso ao raisnet..."
933 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 161.148.185.46 -p tcp --dport 3007 -j MASQUERADE
934 fi
935 if [ "$LIBERAR_SINTEGRA" = "S" ] ; then
936 echo "liberando sintegra..."
937 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.144.39.30 -j MASQUERADE
938 fi
939 if [ "$LIBERAR_RECEITANET" = "S" ] ; then
940 echo "Liberando receitanet ..."
941 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp --dport
3456 -j MASQUERADE
942 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp --dport
3456 -j MASQUERADE
943 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 200.200.200.1 -j MASQUERADE
944 ###############################################
945 # Liberando receitanet do programa PJSI #
946 # (Pessoa Juridica Simples) #
947 ###############################################
948 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET
-d 161.148.185.130 -j MASQUERADE
949 fi
950 if [ "$LIBERAR_SERASA" = "S" ] ; then
951 echo "Liberando serasa ..."
952 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p tcp --dport
3007 -j MASQUERADE
953 $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -p udp --dport
3007 -j MASQUERADE
954 fi
955 if [ "$LIBERAR_TESTES" = "S" ] ; then
956 echo "Liberando maquinas de testes..."
957 echo "IP 192.168.1.12/13 liberado para proxy transparente com
proposito de testes."
958 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.13/32 -o
$EXTERNAL -j MASQUERADE
959 fi
960 #if [ "$LIBERAR_EXPOLABOR" = "S" ] ; then
961 # lista_site="ftp.vidy.com.br \
962 # ftp.expolabor.com.br \
963 # mm1.merchantmetrix.com \
964 # plesk19.hospedagemdesites.ws"
965 # lista_ip="192.168.1.80/32 192.168.1.81/32"
966 #
967 # for este_ip in $lista_ip ; do
968 # for este_site in $lista_site ; do
969 # echo "liberando expolabor (IP:$este_ip) a
nav.transparente para $este_site"
970 # $IPTABLES -t nat -A POSTROUTING -s $este_ip -o
$EXTERNAL -d $este_site -j MASQUERADE
971 # done
972 # done
973 #fi
974 if [ "$LIBERAR_LINKSYS" = "S" ] ; then
975 echo "Liberando proxy transparente para o roteador LINKSYS"
976 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.24/32 -o
$EXTERNAL -j MASQUERADE
977 $IPTABLES -t nat -A POSTROUTING -s 192.168.1.24/32 -o
$EXTERNAL -j LOG --log-level $LOG_LEVEL --log-prefix "LINKSYS:"
978 fi
979 if [ "$LIBERAR_AVULSOS" = "S" ] && [ -f
"/etc/squid/firewall_liberados.txt" ] ; then
980 if ! [ -f /etc/squid/firewall_liberados.txt ] ; then
981 sudo touch /etc/squid/firewall_liberados.txt
982 sudo chmod 666 /etc/squid/firewall_liberados.txt
983 fi
984 if ! [ -f /home/administrador/acessos_avulsos.log ] ; then
985 sudo touch /home/administrador/acessos_avulsos.log
986 sudo chmod 666 /home/administrador/acessos_avulsos.log
987 fi
988 while read LINHA ; do
989 if [ "$LINHA" != "" ] ; then
990 if ! [[ "$LINHA" =~ "#" ]] ; then
991 LIBERAR_IP="$LINHA"
992 echo "liberando navegacao transparente para :$LIBERAR_IP"
993 echo "`date +%Y-%m-%d-%H:%M` liberando navegacao
transparente para
IP:$LIBERAR_IP">>/home/administrador/acessos_avulsos.log
994 $IPTABLES -t nat -A POSTROUTING -s $LIBERAR_IP -o
$EXTERNAL -j MASQUERADE
995 $IPTABLES -t nat -A POSTROUTING -s $LIBERAR_IP -o
$EXTERNAL -j LOG --log-level $LOG_LEVEL --log-prefix "LISTA_BRANCA:"
996 else
997 echo $LINHA
998 fi
999 fi
1000 done </etc/squid/firewall_liberados.txt
1001 #while read LIBERAR_IP ; do
1002 # if [[ "$LIBERAR_IP" =~ "192.168.1." ]] ; then
1003 # echo "liberando navegacao transparente para IP:$LIBERAR_IP"
1004 # echo "`date +%Y-%m-%d-%H:%M` liberando navegacao
transparente para
IP:$LIBERAR_IP">>/home/administrador/acessos_avulsos.log
1005 # $IPTABLES -t nat -A POSTROUTING -s $LIBERAR_IP -o
$EXTERNAL -j MASQUERADE
1006 # $IPTABLES -t nat -A POSTROUTING -s $LIBERAR_IP -o
$EXTERNAL -j LOG --log-level $LOG_LEVEL --log-prefix
"TRANSPARENTE_$LIBERAR_IP:"
1007 # fi
1008 #done </etc/squid/firewall_liberados.txt
1009 fi
1010 ### END NAT RULES ###
1011 echo "#######################################################"
1012 echo "## Configuracoes adicionais para o kernel do sistema ##"
1013 echo "#######################################################"
1014 ###############################################################################
1015 ## Additional Kernel Configuration
1016 ###############################################################################
1017 ## Adjust for your requirements/preferences.
1018 ## For more information regarding the options below see the resources
1019 ## listed at the top of the script or the Documentation that comes with
1020 ## the Linux Kernel source.
1021 ## For Example: linux/Documentation/filesystems/proc.txt
1022 ## linux/Documentation/networking/ip-sysctl.txt
1023 ##========================================================================##
1024 ## Set the maximum number of connections to track. (Kernel Default: 2048)
1025 echo "Limitando o numero de conexoes simultaneas por pilha para 4096..."
1026 if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
1027 echo "16376" > /proc/sys/net/ipv4/ip_conntrack_max
1028 fi
1029 ##========================================================================##
1030 ##========================================================================##
1031 ## Local port range for TCP/UDP connections
1032 echo "Limitando lista de portas para conexoes TCP/UDP..."
1033 if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
1034 echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
1035 fi
1036 ##========================================================================##
1037 ##========================================================================##
1038 ## Disable TCP Explicit Congestion Notification Support
1039 ## and Zero Sized Reply
1040 #echo "Desabilitando notificacao explicita de congestionamento
e zero sized reply ..."
1041 #if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
1042 # echo "0" > /proc/sys/net/ipv4/tcp_ecn
1043 #fi
1044 ##========================================================================##
1045 ##========================================================================##
1046 ## Disable source routing of packets
1047 #if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
1048 # for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
1049 # echo "0" > $i;
1050 # done
1051 #fi
1052 ##========================================================================##
1053 ##========================================================================##
1054 ## Enable/Disable send redirectss
1055 if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
1056 for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
1057 echo "0" > $i;
1058 done
1059 fi
1060 ##
1061 ##========================================================================##
1062 ## Enable rp_filter
1063 echo "Habilitando rp_filter..."
1064 if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
1065 for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
1066 echo "1" > $i;
1067 done
1068 fi
1069 ##========================================================================##
1070 ##========================================================================##
1071 ## Ignore any broadcast icmp echo requests
1072 echo "Regra para ignorar pings de broadcast..."
1073 if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
1074 echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
1075 fi
1076 ##========================================================================##
1077 ##========================================================================##
1078 ## Ignore all icmp echo requests on all interfaces
1079 echo "Regra para ignorar icmp-echo em todas as interfaces..."
1080 if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
1081 echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
1082 fi
1083 ##========================================================================##
1084 ##========================================================================##
1085 ## Log packets with impossible addresses to kernel log.
1086 #echo "Regra para registrar pacotes com enderecos marcianos
(impossiveis)..."
1087 #if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
1088 # echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
1089 #fi
1090 ##========================================================================##
1091 ##========================================================================##
1092 ## Don't accept ICMP redirects
1093 ## Disable on all interfaces
1094 if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
1095 echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
1096 fi
1097 ## Disable only on the external interface.
1098 if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then
1099 echo "0" > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects
1100 fi
1101 ##========================================================================##
1102 ##========================================================================##
1103 ## Additional options for dialup connections with a dynamic ip address
1104 ## See: linux/Documentation/networking/ip_dynaddr.txt
1105 if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
1106 echo "1" > /proc/sys/net/ipv4/ip_dynaddr
1107 fi
1108 ##========================================================================##
1109 ##========================================================================##
1110 ## Enable IP Forwarding
1111 echo "Habilitando IP Forwarding..."
1112 if [ -e /proc/sys/net/ipv4/ip_forward ]; then
1113 echo "1" > /proc/sys/net/ipv4/ip_forward
1114 else
1115 echo "Uh oh: /proc/sys/net/ipv4/ip_forward does not exist"
1116 echo "(That may be a problem)"
1117 echo
1118 fi
1119 ##========================================================================##
1120 echo 1 > /proc/sys/net/ipv4/tcp_syncookies
1121 # mensagem na console de que o firewall foi executado
1122 wall $HELLO_TXT
1123 echo "Firewall carregado." | wall
1124 ## EOF ##
Reply to: