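# iptables rule fragment. Rules are appended (-A) in file order and each chain is
# evaluated top to bottom, so the position of a rule relative to the others in the
# same chain matters. Relies on variables set earlier in the file (not visible in
# this fragment): ASTERISK, IP_INTERNO, INTMASK, IF_INTERNO, IF_EXTERNO, IP_EXTERNO.
# Chain default policies are also set elsewhere; several notes below depend on them.

# SSH for ASTERISK
#iptables -A INPUT -p tcp -s "$ASTERISK" --dport 64022 -j ACCEPT
#iptables -A FORWARD -p tcp -s "$ASTERISK" --dport 64022 -j ACCEPT
# FTP server:
# NOTE(review): this DNAT carries no -i/-s restriction, so SSH on 10.0.1.22 is reachable
# from every interface; the FORWARD rule that would allow the forwarded packets is
# not in this fragment -- confirm it exists and is interface-bound.
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to 10.0.1.22:22 # ssh to ubuntu
#iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.0.1.3:21 # FTP
# FTP access
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# HENRY
iptables -A INPUT -p tcp -m tcp --dport 1405 -j ACCEPT
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): accepts packets that arrive on the EXTERNAL interface while carrying an
# INTERNAL source address. That is the pattern an anti-spoofing rule would DROP, not
# accept; check whether -i "$IF_INTERNO" was intended here.
iptables -A INPUT --src "$IP_INTERNO/$INTMASK" -i "$IF_EXTERNO" -j ACCEPT # web server

###################### PROTECTION AGAINST WORMS ########################################
iptables -A FORWARD -p tcp --dport 135 -i "$IF_INTERNO" -j REJECT
###################### PROTECTION AGAINST VIRUSES ######################################
iptables -A OUTPUT -o "$IF_INTERNO" -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o "$IF_INTERNO" -p tcp --dport 31337 --sport 31337 -j DROP

# FTP:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT #

###################### PROTECTION AGAINST SYN flood ####################################
# NOTE(review): a limit rule only ACCEPTs the first 2 SYN/s; anything above the limit
# falls through to the remaining FORWARD rules and the chain policy. It throttles only
# if a later rule (or a DROP policy) discards the excess -- neither is visible here.
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
################### PROTECTION AGAINST PING OF DEATH ###################################
# Same caveat as the SYN limit above: excess echo-requests are not dropped by this rule.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

######################################### OPENING AND BLOCKING PORTS ###################
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT --dst "$IP_EXTERNO/255.255.255.255" -p tcp --dport 25 -j ACCEPT # E-mail - SMTP
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT # SMTP
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # port 443
# NOTE(review): no -j target, so this rule only counts matching packets and decides
# nothing. Add -j ACCEPT or -j REJECT once the intent for MSN (1863) is settled.
iptables -A INPUT -p tcp -m tcp --dport 1863 #MS
# Terminal Services: DNAT to a single host, then allow the forwarded traffic.
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 10.0.1.80:3389 # redirect terminal services port
iptables -A FORWARD -i "$IF_EXTERNO" --dst 10.0.1.80/255.255.255.255 -p tcp --dport 3389 -j ACCEPT # allow ts traffic
# TS2
iptables -t nat -A PREROUTING -p tcp --dport 3390 -j DNAT --to-destination 10.0.1.6:3390 # redirect terminal services port
iptables -A FORWARD -i "$IF_EXTERNO" --dst 10.0.1.6/255.255.255.255 -p tcp --dport 3390 -j ACCEPT # allow ts traffic

####### BLOCK KAZAA/EMULE/P2P/MSN ######################################################
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT #KAZAA
iptables -A FORWARD -p tcp --dport 1214 -j REJECT #KAZAA
iptables -A FORWARD -p udp --dport 1214 -j REJECT
iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
iptables -A FORWARD -p tcp --dport 6346 -j REJECT #EMULE
iptables -A FORWARD -p tcp --dport 4662 -j REJECT #EMULE
iptables -A FORWARD -p tcp --dport 4672 -j REJECT #EMULE

########### allow sites ################################################################
# In the nat table, -j ACCEPT ends nat-chain traversal for that packet, so these
# destinations skip the port-80 REDIRECT to the proxy appended at the end of this
# fragment. They must stay ahead of that REDIRECT rule in PREROUTING.
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 200.201.174.0/24 --dport 80 -j ACCEPT #SEFIP
# NOTE(review): INPUT only sees packets addressed to this host, so the INPUT rules in
# this section with a remote -d (200.201.174.x, 161.148.2.128) can never match; they
# were presumably meant for FORWARD -- confirm before changing.
iptables -A INPUT -p tcp -s 0/0 --sport 2631 -d 200.201.174.0/24 --dport 80 -j ACCEPT #SEFIP
iptables -t nat -A PREROUTING -p tcp -s 0/0 --sport 2004 -d 200.244.109.0/24 --dport 80 -j ACCEPT # SEFIP
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 200.229.128.0/24 --dport 80 -j ACCEPT #MAESK
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 200.201.174.0/24 --dport 80 -j ACCEPT #Conectividade
iptables -t nat -A PREROUTING -p tcp -s 0/0 --sport 1024:65535 -d 200.201.174.0/24 --dport 80 -j ACCEPT #Conectividade
#iptables -A INPUT -p udp -m udp --dport 2631 -j ACCEPT
#iptables -A INPUT -p udp -m tcp --dport 2631 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 2631 -d 200.201.174.204 --dport 80 -j ACCEPT #Conectividade
iptables -t nat -A PREROUTING -p tcp -s 0/0 --sport 2631 -d 200.201.174.204 --dport 80 -j ACCEPT #Conectividade
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 161.148.2.128 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.160.0/20 -j ACCEPT #conectividade
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 161.148.2.128 --dport 259 -j ACCEPT #C-vpn
iptables -A INPUT -p tcp -s 0/0 --sport 259 -d 161.148.2.128 --dport 259 -j ACCEPT #C-vpn
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 161.148.2.128 --dport 264 -j ACCEPT #C-vpn
iptables -A INPUT -p udp -s 0/0 --sport 500 -d 161.148.2.128 --dport 500 -j ACCEPT #C-vpn
iptables -t nat -A PREROUTING -p udp -s 0/0 -d 161.148.2.128 --dport 500 -j ACCEPT #C-vpn
# IKE negotiations
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
# AH authentication
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT

#################### EXEMPT MACS FROM THE PROXY ########################################
# A MAC source match is not authentication: the client controls its own MAC, so treat
# these exemptions as a convenience, not as an access control.
# Fix: the original rules used "0.0.0.0.0/0" (five octets), which iptables rejects as an
# invalid address, so every rule from 78:ca:... down failed to load. Corrected to 0.0.0.0/0.
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:15:C5:35:C5:8E -d 200.244.109.0/24 --dport 80 -j ACCEPT #Caixa/Sefip
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:15:C5:35:C5:8E -d 200.201.173.68 --dport 80 -j ACCEPT #Caixa/Sefip
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:15:C5:35:C5:8E -d 200.201.174.0/24 --dport 80 -j ACCEPT #Caixa/Sefip
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source f8:1e:df:eb:1c:c5 -d 0.0.0.0/0 --dport 80 -j ACCEPT # exempt Fernando from proxy
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:E0:4C:30:23:9D -d 0.0.0.0/0 --dport 80 -j ACCEPT #DELL
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:25:d3:d3:72:f4 -d 0.0.0.0/0 --dport 80 -j ACCEPT #J.H
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 78:ca:39:b5:a2:92 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:13:A9:35:A6:42 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:16:6F:82:9A:52 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:1a:73:f9:a0:a9 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:19:D2:48:D7:6F -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:13:A9:8F:33:C2 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m mac --mac-source 00:1D:09:EF:57:8C -d 0.0.0.0/0 --dport 80 -j ACCEPT

############### REDIRECT PORT 80 TO 3128 ###############################################
# Transparent proxy: everything on port 80 from the internal interface that was not
# exempted above is sent to the local proxy on 3128.
iptables -t nat -A PREROUTING -i "$IF_INTERNO" -p tcp --dport 80 -j REDIRECT --to-port 3128 # redirect www from port 80 to the 3128 proxy
iptables -A INPUT -i "$IF_INTERNO" --dst "$IP_INTERNO/255.255.255.255" -p tcp --dport 3128 -j ACCEPT # internal access to the proxy on port 3128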