


    polaco
    Visitante

    Padrão Direcionar porta 1433

    Preciso liberar a porta 1433 para acesso externo no firewall.

    Segue a configuração do firewall.

    Estou meio que com urgência; desde já agradeço toda a ajuda.

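    #!/bin/bash
    #
    # cftk Bring up/down the packet filtering rules
    #
    # chkconfig: 345 08 92
    # description: Bring up/down the packet filtering rules
    # description(pt_BR): Bring up/down the packet filtering rules
    # probe: true
    #
    # SysV init script that rebuilds this host's iptables rule set.
    # Usage: $0 {start|stop|stopopen|restart|status}
    #
    # The first line used to read "#/bin/bash" (no "!"), which is a plain
    # comment rather than a shebang: executed directly, the file would be
    # run by whatever shell the caller happened to use instead of bash.

    # Red Hat init helpers; provides echo_success / echo_failure used by the
    # dispatcher at the bottom of the script.
    . /etc/init.d/functions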

    #
    # Observações:
    #
    # O conntrack aplica o conceito de "ESTABLISHED" e "NEW" inclusive
    # para conexões UDP e ICMP, além de TCP.
    #

    #
    # FIXME: retirar as regras daqui, colocar em /etc/sysconfig/iptables
    #

    ##################################################################
    # DEFINIÇÃO DE VARIÁVEIS
    #################################################################

    # Tool paths.
    IPTABLES='/sbin/iptables'
    MODPROBE='/sbin/modprobe'

    # Site-specific values: adjust to the customer's network.
    IF_LOC='lo'    # loopback interface
    IF_INT='eth0'  # intranet (inside) interface
    IF_EXT='eth1'  # internet (outside) interface

    IP_INT='192.168.0.1'       # address on IF_INT
    IP_EXT='192.168.10.253'    # address on IF_EXT (uplink)

    # NOTE(review): loopback is 127.0.0.0/8; /24 is narrower than the real
    # range. NET_LOC, IF_INT, IP_INT and IP_EXT are not referenced by any
    # rule in this listing.
    NET_LOC='127.0.0.0/24'     # network on IF_LOC
    NET_INT='192.168.0.0/24'   # network on IF_INT
    NET_EXT='192.168.10.0/24'  # network on IF_EXT

    BRO_INT='192.168.0.255'    # broadcast on IF_INT
    BRO_EXT='192.168.10.255'   # broadcast on IF_EXT

    # Maintenance peer allowed to ssh into the firewall (see INPUT rules).
    IP_TELECORP='200.195.161.2'

    # CEF networks: defined but not used by any rule in this listing.
    REDE1_CEF='200.252.47.0/24'
    REDE2_CEF='200.201.173.68/32'
    REDE3_CEF='200.201.174.0/24'


    #################################################################
    # CARGA DE MÓDULOS
    #################################################################

    carrega_modulos() {
      # Load the netfilter modules the rule set relies on. ip_conntrack_ftp and
      # ip_nat_ftp are what give FTP data connections the RELATED state that
      # the FORWARD chain accepts. The irc helpers stay disabled.
      # NOTE(review): this function is defined but never invoked by the
      # start/stop dispatcher at the bottom of this script as posted.
      local modulo
      for modulo in ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        "$MODPROBE" "$modulo"
      done
      # ip_conntrack_irc / ip_nat_irc intentionally not loaded.
    }

    #################################################################
    # CARGA DE REGRAS
    #################################################################

    cria_regras() {
      # Build the whole rule set. Order matters: the auxiliary END_* and
      # TROJAN_CHECK chains must exist before any rule jumps to them, and
      # INT2EXT / EXT2INT must exist before FORWARD references them.
      # Exit status is that of the last step, as before.
      local etapa
      for etapa in \
        cria_regras_auxiliares \
        cria_regras_PREROUTING \
        cria_regras_INPUTOUTPUT \
        cria_regras_INT2EXT \
        cria_regras_EXT2INT \
        cria_regras_FORWARD \
        cria_regras_POSTROUTING; do
        "$etapa"
      done
    }


    #################################################################
    # FLUSH E POLÍTICAS DEFAULT
    #################################################################

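    # Flush every table, delete user-defined chains and zero the counters,
    # in that order, for filter, nat and mangle. Shared by destroi_regras and
    # abre_regras, which previously duplicated these nine calls.
    _limpa_tabelas() {
      local operacao tabela
      for operacao in -F -X -Z; do
        for tabela in filter nat mangle; do
          "$IPTABLES" "$operacao" -t "$tabela"
        done
      done
    }

    # Set DROP as the default policy on the built-in filter chains, then clear
    # everything. Policies are set first so there is no window with an open
    # policy and no rules while the set is being rebuilt. Used by "start"
    # (before cria_regras) and by "stop"; note that after "stop" the host
    # accepts no traffic at all, loopback included, until "start" or
    # "stopopen" runs.
    destroi_regras() {
      "$IPTABLES" -P INPUT DROP
      "$IPTABLES" -P FORWARD DROP
      "$IPTABLES" -P OUTPUT DROP
      _limpa_tabelas
    }

    # Set ACCEPT as the default policy on the built-in filter chains, then
    # clear everything: the host and the routed traffic are left completely
    # unfiltered ("stopopen").
    abre_regras() {
      "$IPTABLES" -P INPUT ACCEPT
      "$IPTABLES" -P FORWARD ACCEPT
      "$IPTABLES" -P OUTPUT ACCEPT
      _limpa_tabelas
    }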


    #################################################################
    # CHAIN DE PREROUTING
    #################################################################

    cria_regras_PREROUTING() {
      # mangle: lower latency for outbound ssh by marking it Minimize-Delay.
      "$IPTABLES" -A PREROUTING -t mangle -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
      # (The original carried a note about de-prioritising outbound smtp, but
      # no such rule is present in this listing.)

      # nat: services published on the external interface, written as
      # "external_port:internal_host[:internal_port]". Each DNAT matches any
      # source address; add "-s <peer>" to the iptables call below to limit
      # who can reach a published service. The DNAT'ed packet must also be
      # accepted in EXT2INT (which accepts by destination host), otherwise it
      # is dropped in FORWARD.
      local publicada
      for publicada in \
        3389:192.168.0.188 \
        7500:192.168.0.9 \
        8084:192.168.0.188 \
        8086:192.168.0.10:8084 \
        1299:192.168.0.188 \
        8085:192.168.0.4:80; do
        "$IPTABLES" -A PREROUTING -t nat -p tcp -i "$IF_EXT" \
          --dport "${publicada%%:*}" -j DNAT --to "${publicada#*:}"
      done
    }

    #################################################################
    # CHAIN DE POSTROUTING
    #################################################################

    cria_regras_POSTROUTING() {
      # Source-NAT everything that leaves through the external interface so
      # it carries the address currently on IF_EXT. There is no -s match, so
      # any forwarded flow going out IF_EXT is masqueraded, not only NET_INT.
      local saida="$IF_EXT"
      "$IPTABLES" -A POSTROUTING -t nat -o "$saida" -j MASQUERADE
    }


    #################################################################
    # CHAINS DE INPUT, OUTPUT
    #################################################################

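    cria_regras_INPUTOUTPUT() {
      # Rules for traffic to and from the firewall host itself (INPUT/OUTPUT).
      #
      # LIBERA_TUDO (environment, default 1 = current behaviour): while it is
      # 1, the first two rules accept everything, so every rule that follows
      # in INPUT and OUTPUT is dead — END_INVALID, the broadcast drops,
      # TROJAN_CHECK and the final END_INPUT/END_OUTPUT never match — and the
      # host is effectively unfiltered. Set LIBERA_TUDO=0 to skip the
      # catch-all and let the rules below apply.
      #
      # With the catch-all off, INPUT has no ESTABLISHED/RELATED accept: return
      # traffic for the host's own connections depends on the --sport based
      # rules below (80, ssh, 8245, domain), which are stateless and match any
      # packet carrying that source port.
      if [ "${LIBERA_TUDO:-1}" = 1 ]; then
        # "Libera tudo ateh a casa arrumar" — temporary open-all.
        "$IPTABLES" -A INPUT -j ACCEPT
        "$IPTABLES" -A OUTPUT -j ACCEPT
      fi

      # Loopback interface.
      "$IPTABLES" -A INPUT -j ACCEPT -i "$IF_LOC"
      "$IPTABLES" -A OUTPUT -j ACCEPT -o "$IF_LOC"

      # Packets conntrack flags as INVALID are logged and dropped first.
      "$IPTABLES" -A INPUT -j END_INVALID -m state --state INVALID

      ### Services running on this host

      # ssh from the maintenance peer (Telecorp).
      "$IPTABLES" -A INPUT -j ACCEPT -p tcp -s "$IP_TELECORP" --dport ssh
      "$IPTABLES" -A OUTPUT -j ACCEPT -p tcp -d "$IP_TELECORP" --sport ssh

      # The firewall itself browsing the web (stateless: matches on port only).
      "$IPTABLES" -A INPUT -j ACCEPT -p tcp --sport 80
      "$IPTABLES" -A OUTPUT -j ACCEPT -p tcp --dport 80

      # squid, only from the internal network.
      "$IPTABLES" -A INPUT -j ACCEPT -s "$NET_INT" -p tcp --dport squid
      "$IPTABLES" -A OUTPUT -j ACCEPT -p tcp --sport squid

      # The firewall itself doing outbound ssh (stateless, as above).
      "$IPTABLES" -A INPUT -j ACCEPT -p tcp --sport ssh
      "$IPTABLES" -A OUTPUT -j ACCEPT -p tcp --dport ssh

      # no-ip.com dynamic DNS client (stateless, as above).
      "$IPTABLES" -A INPUT -j ACCEPT -p tcp --sport 8245
      "$IPTABLES" -A OUTPUT -j ACCEPT -p tcp --dport 8245

      # Broadcasts are discarded without logging.
      "$IPTABLES" -A INPUT -j DROP -d "$BRO_INT"
      "$IPTABLES" -A INPUT -j DROP -d "$BRO_EXT"
      "$IPTABLES" -A INPUT -j DROP -d 255.255.255.255
      "$IPTABLES" -A OUTPUT -j DROP -d "$BRO_INT"
      "$IPTABLES" -A OUTPUT -j DROP -d "$BRO_EXT"
      "$IPTABLES" -A OUTPUT -j DROP -d 255.255.255.255

      # Anything from/to the internal network is accepted.
      "$IPTABLES" -A INPUT -j ACCEPT -s "$NET_INT"
      "$IPTABLES" -A OUTPUT -j ACCEPT -d "$NET_INT"

      # DNS: queries to external servers and replies to them.
      "$IPTABLES" -A INPUT -j ACCEPT -p udp --sport domain --dport 1024:
      "$IPTABLES" -A OUTPUT -j ACCEPT -p udp --sport 1024: --dport domain
      "$IPTABLES" -A INPUT -j ACCEPT -p udp --dport domain
      "$IPTABLES" -A OUTPUT -j ACCEPT -p udp --sport domain

      # New connections on well-known trojan ports get a distinct log prefix.
      "$IPTABLES" -A INPUT -j TROJAN_CHECK -m state --state NEW

      # Everything else: log (OUTPUT only; END_INPUT's LOG is disabled) and drop.
      "$IPTABLES" -A INPUT -j END_INPUT
      "$IPTABLES" -A OUTPUT -j END_OUTPUT
    }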

    #################################################################
    # CHAINS DE FORWARD
    #################################################################

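    cria_regras_FORWARD() {
      # Routed traffic. Order: INVALID is logged and dropped, established and
      # related flows pass, and only what is left (new connections) reaches
      # the trojan check and the directional chains.
      "$IPTABLES" -A FORWARD -j END_INVALID -m state --state INVALID
      "$IPTABLES" -A FORWARD -j ACCEPT -m state --state ESTABLISHED
      # RELATED covers helper-tracked data connections (ftp via ip_conntrack_ftp).
      "$IPTABLES" -A FORWARD -j ACCEPT -m state --state RELATED

      # Well-known trojan ports get a distinct log prefix; TROJAN_CHECK falls
      # through (returns) for anything it does not match.
      "$IPTABLES" -A FORWARD -j TROJAN_CHECK

      # The two directly attached networks may talk to each other freely.
      # Uses NET_INT / NET_EXT instead of repeating the literal prefixes so a
      # change in the variable block is honoured here as well.
      "$IPTABLES" -A FORWARD -j ACCEPT -s "$NET_INT" -d "$NET_EXT"
      "$IPTABLES" -A FORWARD -j ACCEPT -s "$NET_EXT" -d "$NET_INT"

      # Internal hosts going out; external traffic coming in.
      "$IPTABLES" -A FORWARD -j INT2EXT -s "$NET_INT" -o "$IF_EXT"
      "$IPTABLES" -A FORWARD -j EXT2INT -i "$IF_EXT" -d "$NET_INT"

      # Anything left: log and drop.
      "$IPTABLES" -A FORWARD -j END_FORWARD
    }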


    #################################################################
    # CHAINS DIRECIONAIS
    #################################################################


    ### INT2EXT

    cria_regras_INT2EXT() {
      # Traffic from NET_INT leaving through IF_EXT (jumped to from FORWARD).
      "$IPTABLES" -N INT2EXT

      # NOTE(review): this unconditional ACCEPT matches every packet, so the
      # per-port accepts and END_INT2EXT below are never reached; as posted,
      # all internal -> external traffic is allowed. Drop this line to enforce
      # the port list.
      "$IPTABLES" -A INT2EXT -j ACCEPT

      # smtp, pop3, ftp control and data, and 1299.
      local porta
      for porta in 25 110 21 20 1299; do
        "$IPTABLES" -A INT2EXT -p tcp --dport "$porta" -j ACCEPT
      done

      # Everything else: log and drop.
      "$IPTABLES" -A INT2EXT -j END_INT2EXT
    }


    ### EXT2INT

    cria_regras_EXT2INT() {
      # Traffic entering on IF_EXT and bound for NET_INT (jumped to from
      # FORWARD). Only the hosts that receive DNAT'ed services are accepted,
      # and they are accepted on every port and protocol, not just the
      # published ones; the DNAT entries in PREROUTING are what decide which
      # ports are actually reachable. Adding "-p tcp --dport <port>" to each
      # accept would make that explicit here too.
      "$IPTABLES" -N EXT2INT

      local destino
      for destino in 192.168.0.10 192.168.0.188 192.168.0.4 192.168.0.9; do
        "$IPTABLES" -A EXT2INT -j ACCEPT -d "$destino"
      done

      # Any other destination: log and drop.
      "$IPTABLES" -A EXT2INT -j END_EXT2INT
    }

    #################################################################
    # CHAINS AUXILIARES
    #################################################################

    cria_regras_auxiliares() {
      # Terminal chains: each END_* chain logs with its own prefix and then
      # drops (END_INPUT has its LOG rule disabled). TROJAN_CHECK diverts a
      # fixed list of well-known trojan ports to END_TROJAN so those hits get
      # a distinct log prefix; with a default-deny policy this is purely for
      # logging, since the same packets would be dropped anyway.
      local fim porta proto

      ### END_INPUT (logging kept disabled)
      "$IPTABLES" -N END_INPUT
      #"$IPTABLES" -A END_INPUT -j LOG --log-prefix "FIREWALL: End_Input! "
      "$IPTABLES" -A END_INPUT -j DROP

      ### Logging terminal chains, as "chain|log label"
      for fim in \
        "END_OUTPUT|End_Output! " \
        "END_FORWARD|End_Forward! " \
        "END_INVALID|Invalid! " \
        "END_TROJAN|Trojan! " \
        "END_INT2EXT|End_Int2Ext! " \
        "END_EXT2INT|End_Ext2Int! "; do
        "$IPTABLES" -N "${fim%%|*}"
        "$IPTABLES" -A "${fim%%|*}" -j LOG --log-prefix "FIREWALL: ${fim#*|}"
        "$IPTABLES" -A "${fim%%|*}" -j DROP
      done

      ### TROJAN_CHECK
      # Port -> family, as documented in the original list:
      #   555 phAse zero; 1243, 6711, 27374 Sub-7/SubSeven; 3129 Masters
      #   Paradise; 6670 DeepThroat; 6969 GateCrasher; 12345 NetBus;
      #   21544 GirlFriend; 23456 EvilFtp; 30100 NetSphere; 31789 Hack'a'Tack;
      #   31337 BackOrifice and many others; 50505 Sockets de Troie.
      # Each port is checked for tcp and then udp, in this order.
      "$IPTABLES" -N TROJAN_CHECK
      for porta in 555 1243 3129 6670 6711 6969 12345 21544 23456 27374 30100 31789 31337 50505; do
        for proto in tcp udp; do
          "$IPTABLES" -A TROJAN_CHECK -j END_TROJAN -p "$proto" --dport "$porta"
        done
      done
    }



    #################################################################
    # SCRIPT INIT DO SYSV
    #################################################################

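    # Print the outcome marker with the Red Hat init helpers and end the line.
    # $1: 0 for success, anything else for failure. Using if/else instead of
    # "cmd && echo_success || echo_failure" keeps echo_failure from running
    # when echo_success itself returns non-zero.
    _relata() {
      if [ "$1" -eq 0 ]; then
        echo_success
      else
        echo_failure
      fi
      echo ""
    }

    case "$1" in
      start)
        echo -n "Configurando regras do firewall: "
        # carrega_modulos is defined above but not invoked anywhere; call it
        # before destroi_regras if the conntrack/nat helpers are not
        # autoloaded on this kernel.
        rv=0
        destroi_regras && cria_regras || rv=$?
        _relata "$rv"
        #touch /var/lock/subsys/iptables
        ;;

      stop)
        # Leaves DROP policies with no rules: the host accepts nothing.
        echo -n "Removendo regras do firewall: "
        rv=0
        destroi_regras || rv=$?
        _relata "$rv"
        #rm -f /var/lock/subsys/iptables
        ;;

      stopopen)
        # Leaves ACCEPT policies with no rules: the host filters nothing.
        echo -n "Removendo regras e abrindo firewall: "
        rv=0
        abre_regras || rv=$?
        _relata "$rv"
        #rm -f /var/lock/subsys/iptables
        ;;

      restart)
        # Not a daemon: "start" already flushes before rebuilding, so no
        # separate "stop" is needed. Kept for callers that expect it to exist.
        "$0" start
        ;;

      status)
        # Lists the filter table only; add "-t nat" to see the DNAT entries.
        "$IPTABLES" --list -n
        ;;

      *)
        echo "Uso: $0 {start|stop|stopopen|restart|status}" >&2
        exit 1
        ;;
    esac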


    Lion_Black
    Visitante

    Padrão Direcionar porta 1433

    Eu mesmo uma vez precisei fazer o redirecionamento da porta do SQL Server e também abri um tópico neste fórum; é só pesquisar no fórum pela porta 1433. Basta colocar 1433 na pesquisa do fórum que ele encontra na hora.


    Valeu maluco?