Olá gente, tudo bom?
Tenho um firewall iptables com 3 interfaces de rede: eth0 -> internet; eth1 -> DMZ e eth2 -> LAN.
Como faço para ajustar minhas regras?
regras
Olá gente, tudo bom?
Tenho um firewall iptables com 3 interfaces de rede: eth0 -> internet; eth1 -> DMZ e eth2 -> LAN.
Como faço para ajustar minhas regras?
regras
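#!/bin/bash
# Firewall rule loader for a three-homed box: eth0 -> internet, eth1 -> DMZ,
# eth2 -> LAN. Rules are evaluated top to bottom and the first match wins;
# INPUT and FORWARD end in DROP, OUTPUT is open.
#
# Fixes relative to the previous version of this script:
#   * The file ended with a dangling '&&' (after /etc/sysconfig/aliases.sh),
#     which is a bash syntax error. Because the whole '&&' list starting at
#     the MASQUERADE rules is parsed as one command, the MASQUERADE, ip_forward
#     and final DROP rules were never loaded - the firewall was wide open.
#   * '-dport' (one dash) in the NAT FORWARD rules is not a valid option, so
#     those seven rules never loaded either.
#   * Variables are now quoted and failures abort the script instead of being
#     silently skipped by a broken '&&' chain.
#
# NOTE(review): there is no '-m state --state ESTABLISHED,RELATED' rule, so
# return traffic is only admitted by the '--sport' rules below, and no INPUT
# rule admits loopback (-i lo) or administrative access to the box itself
# once the final DROP is in effect - confirm this is intended.
set -eu

# Default policies are set BEFORE flushing so that if any rule below fails to
# load (set -e aborts the script) the box is left closed, not open. The end
# state is the same the explicit DROP rules at the bottom produce.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Flush existing rules and user chains (filter and nat tables).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Networks and addresses.
lan="172.16.0.0/16"
dmz="10.10.0.0/16"
int_ext="200.200.200.162"    # not referenced below
int_dmz="10.10.10.30"        # not referenced below
int_interna="172.16.0.1"     # not referenced below
suporte="200.200.100.5"      # not referenced below
squid="10.10.10.51"          # Squid proxy in the DMZ
nat_pub="200.200.200.163"    # public address for the 1:1 NAT
nat_priv="10.10.10.50"       # DMZ host behind the 1:1 NAT

### Squid proxy: unrestricted in every chain
iptables -A INPUT -s "$squid" -j ACCEPT
iptables -A FORWARD -s "$squid" -j ACCEPT
iptables -A OUTPUT -s "$squid" -j ACCEPT

### Loopback (OUTPUT only, as in the original; there is no INPUT counterpart)
iptables -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

### Outbound from the box itself: accept everything.
# Any OUTPUT rule appended after this one can never match.
iptables -A OUTPUT -j ACCEPT

### LAN <-> DMZ: everything allowed in both directions
iptables -A INPUT -s "$lan" -d "$dmz" -j ACCEPT
iptables -A FORWARD -s "$lan" -d "$dmz" -j ACCEPT
iptables -A OUTPUT -s "$lan" -d "$dmz" -j ACCEPT   # shadowed by OUTPUT ACCEPT above
iptables -A INPUT -s "$dmz" -d "$lan" -j ACCEPT
iptables -A FORWARD -s "$dmz" -d "$lan" -j ACCEPT
iptables -A OUTPUT -s "$dmz" -d "$lan" -j ACCEPT   # shadowed by OUTPUT ACCEPT above

### LAN -> anywhere
# The original header read "libera tudo da dmz para INTERNET" but the rules
# match $lan, not $dmz; no rule below accepts $dmz -> internet.
# TODO confirm which network was intended.
iptables -A INPUT -s "$lan" -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -s "$lan" -d 0.0.0.0/0 -j ACCEPT
iptables -A OUTPUT -s "$lan" -d 0.0.0.0/0 -j ACCEPT   # shadowed by OUTPUT ACCEPT above

####################### FULL ACCESS
# Hosts forwarded without restriction (tcp, udp, icmp, both directions).
user1="100.100.100.20"
user2="100.100.100.117"
for host in "$user1" "$user2"; do
  for proto in tcp udp icmp; do
    iptables -A FORWARD -s "$host" -d 0.0.0.0/0 -p "$proto" -j ACCEPT
    iptables -A FORWARD -d "$host" -p "$proto" -j ACCEPT
  done
done
#######################

####################### PARTIAL - MSN
# Hosts limited to common service ports plus MSN Messenger.
web_ports="25,53,80,110,443,8080"
user3="100.100.100.104"
user4="100.100.100.103"
for host in "$user3" "$user4"; do
  iptables -A FORWARD -s "$host" -d 0.0.0.0/0 -p tcp -m multiport --dport "$web_ports" -j ACCEPT
  iptables -A FORWARD -d "$host" -p tcp -m multiport --sport "$web_ports" -j ACCEPT
  iptables -A FORWARD -s "$host" -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
  iptables -A FORWARD -d "$host" -p udp --sport 53 -j ACCEPT
  ### msn
  iptables -A FORWARD -s "$host" -p tcp --dport 1863 -j ACCEPT
  # Hostname destinations are resolved once, when the rule is loaded; if DNS
  # is unavailable at load time these two calls fail and (set -e) abort the
  # script with the fail-closed policies above in effect.
  iptables -A FORWARD -s "$host" -d loginnet.passport.com -j ACCEPT
  iptables -A FORWARD -s "$host" -d webmessenger.msn.com -j ACCEPT
done
####################### END - PARTIAL - MSN

####################### NETWORK 172.16/16
# Same service-port policy for the whole internal network.
REDEINTERNA="172.16.0.0/16"
iptables -A FORWARD -s "$REDEINTERNA" -d 0.0.0.0/0 -p tcp -m multiport --dport "$web_ports" -j ACCEPT
iptables -A FORWARD -d "$REDEINTERNA" -p tcp -m multiport --sport "$web_ports" -j ACCEPT
iptables -A FORWARD -s "$REDEINTERNA" -d 0.0.0.0/0 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d "$REDEINTERNA" -p udp --sport 53 -j ACCEPT
####################### END NETWORK 172.16/16

# Transparent proxy: redirect web traffic from one LAN host to Squid.
iptables -t nat -A PREROUTING -i eth2 -s 100.100.100.7 -p tcp --dport 80 -j DNAT --to "$squid:3128"

####################### NAT 1:1
iptables -t nat -A PREROUTING -d "$nat_pub" -j DNAT --to "$nat_priv"
iptables -t nat -A POSTROUTING -s "$nat_priv" -j SNAT --to "$nat_pub"

############# FORWARD RULES FOR THE NAT #############
# '--dport' (two dashes); the original '-dport' never loaded.
for port in 80 443 25 110 143 993 995; do
  iptables -A FORWARD -d "$nat_pub" -p tcp --dport "$port" -j ACCEPT
done
###############################################

# Masquerade the internal networks out through eth0 and enable forwarding.
iptables -t nat -A POSTROUTING -s 172.16.0.0/255.255.0.0 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.0.0/255.255.0.0 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Protection against stealth port scanners (disabled, kept from the original)
#iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Block traceroute (disabled, kept from the original)
#iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
# Attack protections (disabled, kept from the original)
#iptables -A INPUT -m state --state INVALID -j DROP

### Drop everything else (redundant with the policies above, kept explicit)
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

# Configure interface aliases.
/etc/sysconfig/aliases.sh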