Direcionar porta 1433
Preciso liberar a porta 1433 para acesso externo no firewall.
Segue a configuração do firewall.
Estou meio que com urgência, desde já agradeço toda a ajuda.
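#!/bin/bash
#
# cftk Bring up/down the packet filtering rules
#
# chkconfig: 345 08 92
# description: Bring up/down the packet filtering rules
# description(pt_BR): Bring up/down the packet filtering rules
# probe: true
#
# NOTE: the original first line read "#/bin/bash" (no "!"), which is a plain
# comment, not an interpreter line; the kernel could not exec the script
# directly and it depended on whatever shell the caller fell back to.
#
# Provides echo_success / echo_failure used by the SysV case block at the end.
. /etc/init.d/functions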
#
# Observações:
#
# O conntrack aplica o conceito de "ESTABLISHED" e "NEW" inclusive
# para conexões UDP e ICMP, além de TCP.
#
#
# FIXME: retirar as regras daqui, colocar em /etc/sysconfig/iptables
#
##################################################################
# DEFINIÇÃO DE VARIÁVEIS
#################################################################
# Binaries used by this script
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"

# --- Site-specific settings: adjust to the customer's network ---
# Interfaces
IF_LOC="lo"                    # loopback
IF_INT="eth0"                  # intranet (inside)
IF_EXT="eth1"                  # internet (outside / link)
# Addresses of this host (informational: no rule below references them)
IP_INT="192.168.0.1"           # address on IF_INT
IP_EXT="192.168.10.253"        # address on IF_EXT
# Networks behind each interface (NET_LOC is not referenced by any rule below)
NET_LOC="127.0.0.0/24"         # IF_LOC
NET_INT="192.168.0.0/24"       # IF_INT
NET_EXT="192.168.10.0/24"      # IF_EXT
# Broadcast addresses, dropped without logging by cria_regras_INPUTOUTPUT
BRO_INT="192.168.0.255"        # IF_INT
BRO_EXT="192.168.10.255"       # IF_EXT
# Remote peers
IP_TELECORP="200.195.161.2"    # maintenance host allowed to ssh into the firewall
# NOTE(review): REDE*_CEF are defined but no rule in this file uses them.
REDE1_CEF="200.252.47.0/24"
REDE2_CEF="200.201.173.68/32"
REDE3_CEF="200.201.174.0/24"
#################################################################
# CARGA DE MÓDULOS
#################################################################
#######################################
# Load the netfilter kernel modules the rule set relies on.
# NOTE(review): nothing in this file calls this function; the SysV case
# block below goes straight to destroi_regras / cria_regras.
# Globals:   MODPROBE (read)
# Arguments: none
# Returns:   exit status of the last modprobe call
#######################################
carrega_modulos() {
  local mod
  # ip_conntrack_irc and ip_nat_irc are deliberately left out of this list.
  for mod in ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
    "$MODPROBE" "$mod"
  done
}
#################################################################
# CARGA DE REGRAS
#################################################################
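#######################################
# Build the whole rule set, one chain group at a time.
# Order matters: the auxiliary chains (END_*, TROJAN_CHECK) and the
# directional chains (INT2EXT, EXT2INT) must exist before the rules that
# jump to them are appended.
# Fix: the status of this function used to be that of the last step only
# (cria_regras_POSTROUTING), so a failure in any earlier step was reported
# as success by the "start" action. Every step now runs, and a failure in
# any of them is propagated.
# Globals:   none directly (the steps read IPTABLES and the site settings)
# Returns:   0 if every step succeeded, 1 if any step failed
#######################################
cria_regras() {
  local rc=0
  local etapa
  for etapa in cria_regras_auxiliares cria_regras_PREROUTING \
               cria_regras_INPUTOUTPUT cria_regras_INT2EXT cria_regras_EXT2INT \
               cria_regras_FORWARD cria_regras_POSTROUTING; do
    "$etapa" || rc=1
  done
  return "$rc"
}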
#################################################################
# FLUSH E POLÍTICAS DEFAULT
#################################################################
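#######################################
# Reset the firewall to a closed state: default policy DROP on the three
# filter chains, then flush rules (-F), delete user chains (-X) and zero
# counters (-Z) in the filter, nat and mangle tables.
# The policies are set *before* the flush, so no traffic is accepted while
# the rule set is being rebuilt by cria_regras.
# Fix: the function used to return only the status of the final
# "-Z -t mangle"; a failed policy change or flush earlier in the sequence
# went unreported and "start" printed success anyway.
# Globals:   IPTABLES (read)
# Returns:   0 if every iptables call succeeded, 1 if any failed
#######################################
destroi_regras() {
  local rc=0
  local chain op tabela
  for chain in INPUT FORWARD OUTPUT; do
    "$IPTABLES" -P "$chain" DROP || rc=1
  done
  for op in -F -X -Z; do
    for tabela in filter nat mangle; do
      "$IPTABLES" "$op" -t "$tabela" || rc=1
    done
  done
  return "$rc"
}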
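#######################################
# Open the firewall completely ("stopopen"): default policy ACCEPT on the
# three filter chains, then flush rules (-F), delete user chains (-X) and
# zero counters (-Z) in the filter, nat and mangle tables.
# NOTE: flushing the nat table also removes the MASQUERADE rule, so hosts
# behind the firewall lose address translation until "start" is run again.
# Fix: the function used to return only the status of the final
# "-Z -t mangle"; an earlier failure was reported as success.
# Globals:   IPTABLES (read)
# Returns:   0 if every iptables call succeeded, 1 if any failed
#######################################
abre_regras() {
  local rc=0
  local chain op tabela
  for chain in INPUT FORWARD OUTPUT; do
    "$IPTABLES" -P "$chain" ACCEPT || rc=1
  done
  for op in -F -X -Z; do
    for tabela in filter nat mangle; do
      "$IPTABLES" "$op" -t "$tabela" || rc=1
    done
  done
  return "$rc"
}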
#################################################################
# CHAIN DE PREROUTING
#################################################################
#######################################
# PREROUTING rules: TOS marking for ssh and the port forwards (DNAT) from
# the external interface to internal hosts.
# A DNAT entry only rewrites the destination; the packet is then filtered
# in FORWARD -> EXT2INT, so a new forward also needs its target host
# accepted in cria_regras_EXT2INT or it is logged and dropped there.
# Globals:   IPTABLES, IF_EXT (read)
# Returns:   exit status of the last iptables call
#######################################
cria_regras_PREROUTING() {
  local fw=$IPTABLES
  local par dporta alvo
  # Lower latency for ssh (mangle table, TOS Minimize-Delay).
  "$fw" -A PREROUTING -t mangle -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
  # Port forwards, "<external dport> <internal target[:port]>".
  # A target without ":port" keeps the original destination port.
  for par in \
      "3389 192.168.0.188" \
      "7500 192.168.0.9" \
      "8084 192.168.0.188" \
      "8086 192.168.0.10:8084" \
      "1299 192.168.0.188" \
      "8085 192.168.0.4:80"; do
    dporta=${par% *}
    alvo=${par#* }
    "$fw" -A PREROUTING -t nat -p tcp -i "$IF_EXT" --dport "$dporta" -j DNAT --to "$alvo"
  done
}
#################################################################
# CHAIN DE POSTROUTING
#################################################################
#######################################
# POSTROUTING: masquerade everything leaving through the external interface.
# Globals:   IPTABLES, IF_EXT (read)
# Returns:   exit status of the iptables call
#######################################
cria_regras_POSTROUTING() {
  local fw=$IPTABLES
  "$fw" -A POSTROUTING -t nat -o "$IF_EXT" -j MASQUERADE
}
#################################################################
# CHAINS DE INPUT, OUTPUT
#################################################################
#######################################
# Rules for traffic to and from the firewall host itself (INPUT / OUTPUT).
# Globals:   IPTABLES, IF_LOC, IP_TELECORP, NET_INT, BRO_INT, BRO_EXT (read)
# Returns:   exit status of the last iptables call
#######################################
cria_regras_INPUTOUTPUT() {
  local fw=$IPTABLES
  local chain destino

  # "Free everything until the house is in order."
  # NOTE(review): these two unconditional ACCEPTs are the first rules in
  # INPUT and OUTPUT, so every rule appended after them (INVALID check,
  # broadcast drops, TROJAN_CHECK, END_INPUT/END_OUTPUT) is unreachable and
  # the host is effectively unfiltered. Remove them once the rest of this
  # function is trusted.
  "$fw" -A INPUT -j ACCEPT
  "$fw" -A OUTPUT -j ACCEPT

  # Loopback is always allowed.
  "$fw" -A INPUT -j ACCEPT -i "$IF_LOC"
  "$fw" -A OUTPUT -j ACCEPT -o "$IF_LOC"

  # Invalid packets are logged and dropped before anything else.
  "$fw" -A INPUT -j END_INVALID -m state --state INVALID

  ### Services running on this host
  # ssh, only from the maintenance host.
  "$fw" -A INPUT -j ACCEPT -p tcp -s "$IP_TELECORP" --dport ssh
  "$fw" -A OUTPUT -j ACCEPT -p tcp -d "$IP_TELECORP" --sport ssh
  # The firewall itself may reach the web.
  # NOTE(review): this pair, and the ssh/no-ip pairs below, match on port
  # alone with no connection tracking, so INPUT accepts any TCP segment whose
  # source port is 80/ssh/8245 regardless of local destination port. Adding
  # "-m state --state ESTABLISHED" to the INPUT side would limit them to
  # replies to connections this host opened.
  "$fw" -A INPUT -j ACCEPT -p tcp --sport 80
  "$fw" -A OUTPUT -j ACCEPT -p tcp --dport 80
  # squid, from the internal network.
  "$fw" -A INPUT -j ACCEPT -s "$NET_INT" -p tcp --dport squid
  "$fw" -A OUTPUT -j ACCEPT -p tcp --sport squid
  # Outbound ssh from the firewall.
  "$fw" -A INPUT -j ACCEPT -p tcp --sport ssh
  "$fw" -A OUTPUT -j ACCEPT -p tcp --dport ssh
  # no-ip.com dynamic DNS client.
  "$fw" -A INPUT -j ACCEPT -p tcp --sport 8245
  "$fw" -A OUTPUT -j ACCEPT -p tcp --dport 8245

  # Broadcasts are dropped without logging (INPUT first, then OUTPUT).
  for chain in INPUT OUTPUT; do
    for destino in "$BRO_INT" "$BRO_EXT" 255.255.255.255; do
      "$fw" -A "$chain" -j DROP -d "$destino"
    done
  done

  # Anything from / to the internal network.
  "$fw" -A INPUT -j ACCEPT -s "$NET_INT"
  "$fw" -A OUTPUT -j ACCEPT -d "$NET_INT"

  # DNS: replies from external servers to high ports, our queries out, and
  # queries addressed to this host.
  "$fw" -A INPUT -j ACCEPT -p udp --sport domain --dport 1024:
  "$fw" -A OUTPUT -j ACCEPT -p udp --sport 1024: --dport domain
  "$fw" -A INPUT -j ACCEPT -p udp --dport domain
  "$fw" -A OUTPUT -j ACCEPT -p udp --sport domain

  # New connections pass through the trojan port list so hits get their
  # own log prefix.
  "$fw" -A INPUT -j TROJAN_CHECK -m state --state NEW

  # Whatever is left is dropped; END_OUTPUT logs, END_INPUT does not
  # (its LOG rule is commented out in cria_regras_auxiliares).
  "$fw" -A INPUT -j END_INPUT
  "$fw" -A OUTPUT -j END_OUTPUT
}
#################################################################
# CHAINS DE FORWARD
#################################################################
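#######################################
# FORWARD chain: traffic routed through the firewall between interfaces.
# Fix: the two "between the attached networks" rules carried literal copies
# of the NET_INT / NET_EXT values; they now use the variables so the site
# settings at the top of the file are the single place to change them.
# Globals:   IPTABLES, NET_INT, NET_EXT, IF_EXT (read)
# Returns:   exit status of the last iptables call
#######################################
cria_regras_FORWARD() {
  local fw=$IPTABLES
  # Invalid packets are logged and dropped first.
  "$fw" -A FORWARD -j END_INVALID -m state --state INVALID
  # Conntrack already knows about these: let them through.
  "$fw" -A FORWARD -j ACCEPT -m state --state ESTABLISHED
  # RELATED covers ftp data channels and the like (ip_conntrack_ftp).
  "$fw" -A FORWARD -j ACCEPT -m state --state RELATED
  ## Only NEW connections from here on.
  # Trojan port list first, so hits get their own log prefix.
  "$fw" -A FORWARD -j TROJAN_CHECK
  # Traffic between the two directly attached networks is accepted in both
  # directions, on any interface.
  # NOTE(review): these come before the INT2EXT/EXT2INT jumps, so traffic
  # between NET_INT and NET_EXT never passes through those chains.
  "$fw" -A FORWARD -j ACCEPT -s "$NET_INT" -d "$NET_EXT"
  "$fw" -A FORWARD -j ACCEPT -s "$NET_EXT" -d "$NET_INT"
  # Directional chains: inside -> outside and outside -> inside.
  "$fw" -A FORWARD -j INT2EXT -s "$NET_INT" -o "$IF_EXT"
  "$fw" -A FORWARD -j EXT2INT -i "$IF_EXT" -d "$NET_INT"
  # Anything that survives is logged and dropped.
  "$fw" -A FORWARD -j END_FORWARD
}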
#################################################################
# CHAINS DIRECIONAIS
#################################################################
### INT2EXT
#######################################
# INT2EXT chain: NEW connections from the internal network leaving through
# IF_EXT (reached from FORWARD).
# NOTE(review): the first rule appended is an unconditional ACCEPT, so the
# port-specific ACCEPTs (25, 110, 21, 20, 1299) and the final END_INT2EXT
# log-and-drop are never reached: every outbound connection is allowed.
# Remove that first rule if the intent is "only the listed ports".
# Globals:   IPTABLES (read)
# Returns:   exit status of the last iptables call
#######################################
cria_regras_INT2EXT() {
  local fw=$IPTABLES
  local porta
  "$fw" -N INT2EXT
  "$fw" -A INT2EXT -j ACCEPT
  # smtp, pop3, ftp control + data, and 1299.
  for porta in 25 110 21 20 1299; do
    "$fw" -A INT2EXT -p tcp --dport "$porta" -j ACCEPT
  done
  # Anything not matched above is logged and dropped.
  "$fw" -A INT2EXT -j END_INT2EXT
}
### EXT2INT
#######################################
# EXT2INT chain: NEW connections arriving on IF_EXT for the internal network
# (reached from FORWARD, after PREROUTING has applied the DNAT rules).
# Accepts are by destination host only, so each listed host is reachable on
# any protocol/port that PREROUTING forwards to it; restricting these to
# "-p tcp --dport <port>" would tie them to the forwarded ports.
# A host forwarded to in cria_regras_PREROUTING but absent here is dropped.
# Globals:   IPTABLES (read)
# Returns:   exit status of the last iptables call
#######################################
cria_regras_EXT2INT() {
  local fw=$IPTABLES
  local host
  "$fw" -N EXT2INT
  for host in 192.168.0.10 192.168.0.188 192.168.0.4 192.168.0.9; do
    "$fw" -A EXT2INT -j ACCEPT -d "$host"
  done
  # Everything else is logged and dropped.
  "$fw" -A EXT2INT -j END_EXT2INT
}
#################################################################
# CHAINS AUXILIARES
#################################################################
#######################################
# Auxiliary chains: the END_* terminal chains (log with a "FIREWALL: ..."
# prefix, then DROP) and TROJAN_CHECK (well-known trojan ports, tcp and
# udp, sent to END_TROJAN so they get a distinct log line).
# Must run before any chain that jumps to these targets is populated.
# Globals:   IPTABLES (read)
# Returns:   exit status of the last iptables call
#######################################
cria_regras_auxiliares() {
  local fw=$IPTABLES
  local spec chain rotulo porta

  ### Terminal chains
  # END_INPUT is the exception: its LOG rule is disabled, so packets that
  # fall through INPUT are dropped silently.
  "$fw" -N END_INPUT
  #"$fw" -A END_INPUT -j LOG --log-prefix "FIREWALL: End_Input! "
  "$fw" -A END_INPUT -j DROP
  # "<chain>:<log label>" — the label becomes "FIREWALL: <label> ".
  local -a terminais=(
    "END_OUTPUT:End_Output!"
    "END_FORWARD:End_Forward!"
    "END_INVALID:Invalid!"
    "END_TROJAN:Trojan!"
    "END_INT2EXT:End_Int2Ext!"
    "END_EXT2INT:End_Ext2Int!"
  )
  for spec in "${terminais[@]}"; do
    chain=${spec%%:*}
    rotulo=${spec#*:}
    "$fw" -N "$chain"
    "$fw" -A "$chain" -j LOG --log-prefix "FIREWALL: ${rotulo} "
    "$fw" -A "$chain" -j DROP
  done

  ### TROJAN_CHECK
  # With a default-deny policy these ports would be dropped anyway; the
  # chain exists so that hits are logged with their own prefix.
  local -a portas_trojan=(
    555     # phAse zero
    1243    # Sub-7, SubSeven
    3129    # Masters Paradise
    6670    # DeepThroat
    6711    # Sub-7, SubSeven
    6969    # GateCrasher
    12345   # NetBus
    21544   # GirlFriend
    23456   # EvilFtp
    27374   # Sub-7, SubSeven
    30100   # NetSphere
    31789   # Hack'a'Tack
    31337   # BackOrifice, and many others
    50505   # Sockets de Troie
  )
  "$fw" -N TROJAN_CHECK
  for porta in "${portas_trojan[@]}"; do
    "$fw" -A TROJAN_CHECK -j END_TROJAN -p tcp --dport "$porta"
    "$fw" -A TROJAN_CHECK -j END_TROJAN -p udp --dport "$porta"
  done
}
#################################################################
# SCRIPT INIT DO SYSV
#################################################################
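# SysV entry point. Fixes: the "cmd && echo_success || echo_failure" form
# also ran echo_failure whenever echo_success itself returned non-zero, so
# it is written as if/else; an unknown argument now exits non-zero instead
# of 0; "$0" is quoted.
case "$1" in
  start)
    echo -n "Configurando regras do firewall: "
    # Close the firewall first, then rebuild; both steps must succeed.
    if destroi_regras && cria_regras; then
      echo_success
    else
      echo_failure
    fi
    echo ""
    #touch /var/lock/subsys/iptables
    ;;
  stop)
    echo -n "Removendo regras do firewall: "
    # NOTE: destroi_regras leaves the default policies at DROP, i.e. "stop"
    # closes the host completely; "stopopen" is the open variant.
    if destroi_regras; then
      echo_success
    else
      echo_failure
    fi
    echo ""
    #rm -f /var/lock/subsys/iptables
    ;;
  stopopen)
    echo -n "Removendo regras e abrindo firewall: "
    if abre_regras; then
      echo_success
    else
      echo_failure
    fi
    echo ""
    #rm -f /var/lock/subsys/iptables
    ;;
  restart)
    # Not a daemon, so no "stop" is needed before "start" (destroi_regras
    # flushes everything first); kept for callers that expect "restart".
    "$0" start
    ;;
  status)
    # Lists the filter table only; the DNAT/MASQUERADE rules live in the
    # nat table ("-t nat").
    "$IPTABLES" --list -n
    ;;
  *)
    echo "Uso: $0 {start|stop|stopopen|restart|status}"
    exit 1
    ;;
esac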
Direcionar porta 1433
Eu mesmo uma vez precisei fazer o redirecionamento da porta do SQL Server e também abri um tópico neste fórum. É só pesquisar no fórum pela porta 1433: basta colocar 1433 na busca do fórum que ele acha na hora.
Valeu maluco?