  1. #1

    Opening Ports in an ADVANCED FIREWALL

    Hello,

    I would like some help with my firewall. I cannot open any outbound port directly through the firewall before the traffic enters the TRANSPARENT PROXY; I would like to open outbound ports 110 (POP) and 443 (HTTPS) to the Internet. My firewall follows;
    it is based on the Foca Linux example.

    PS: I can only browse the Internet through the transparent proxy; I cannot reach the Internet directly.
    When I remove the transparent proxy redirect line, I cannot access anything on the Internet at all...
    NOTE: ppp+ is a VPN to a company, not an Internet exit. The Internet interface is ETH1.

    #!/bin/sh
    clear

    logger "Starting iptables firewall... [OK]"
    #
    ##################################################################################################
    echo " "
    echo " "
    #
    ############################
    ## VARIABLE DEFINITIONS   ##
    ############################
    # START OF CONFIGURATION   #
    ############################
    #
    LAN_ALL="10.0.0.0/8"
    LAN_SP="10.32.76.0/25"
    LAN_SSA="10.4.1.0/24"
    LAN_ROT1="10.6.1.0/29"
    LAN_ROT2="10.5.1.0/24"
    LAN_TUN0="10.8.1.0/25"
    LAN_TUN1="10.7.1.0/25"
    #
    IP_ETH0="10.32.76.10"
    IP_ETH1="200.xxx.xxx.2"
    IP_ETH2="10.6.1.1"
    #
    IP_TUN0="10.8.1.1"
    IP_TUN1="10.7.1.2"
    #
    GATEWAY1="200.xxx.xxx.1"
    #
    IP_RTM1="10.0.64.11"
    IP_RTM2="10.0.64.75"
    #
    # TCP ports the LAN may reach directly on the Internet: POP3 and HTTPS, as
    # asked in the post (the original script had 444 here instead of 443).
    OPEN_PORTS="110 443"
    #
    ##################################################################################################
    # DO NOT CHANGE ANYTHING BELOW THIS LINE, ONLY THE FIREWALL ADMINISTRATOR
    ##################################################################################################
    #
    # Connection tracking and the FTP helpers (old module names; on current
    # kernels they are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp).
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    #
    ##################################################################################################
    ################################## POLICY DEFINITIONS ############################################
    ##################################################################################################
    #
    echo "Flushing and creating policies ..."
    echo " "
    #
    # FILTER TABLE #
    echo -n "Flushing all tables and recreating them"
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -F
    iptables -X
    echo " [OK]"
    echo " "
    echo -n " => Creating filter table"
    iptables -t filter -P INPUT DROP
    iptables -t filter -P OUTPUT ACCEPT
    iptables -t filter -P FORWARD DROP
    echo " [OK]"
    # NAT TABLE #
    echo " "
    echo -n " => Creating nat table"
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    # A DROP policy in nat POSTROUTING is unusual: the nat table only sees the
    # first packet of each connection, so it cannot filter reliably. Filtering
    # belongs in the filter table; the policy is kept to match the rest of the
    # script.
    iptables -t nat -P POSTROUTING DROP
    echo " [OK]"
    # MANGLE TABLE #
    echo " "
    echo -n " => Creating mangle table"
    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT
    echo " [OK]"
    #
    iptables -Z
    #

    echo " "
    echo -n "Enabling packet forwarding ..."
    # Reverse-path filtering: drop packets whose source address would not be
    # routed back out the interface they arrived on (basic anti-spoofing).
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $i
    done
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # 2048 tracked connections is very low for a gateway; once the table is full
    # new connections are dropped and "ip_conntrack: table full" appears in the log.
    echo "2048" > /proc/sys/net/ipv4/ip_conntrack_max
    #
    echo " [OK]"
    #
    echo ""
    echo -n "PING OF DEATH PROTECTION"
    # Forward at most one echo-request per second; the excess falls through to
    # the end of FORWARD and is dropped there.
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    echo " [OK]"
    echo ""
    echo -n "SYN-FLOOD / DOS PROTECTION"
    # Rate-limit new TCP connections (SYN only). Without --syn the original rule
    # accepted any forwarded TCP packet at 1/s, ahead of every other FORWARD rule.
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    echo " [OK]"
    echo ""
    echo -n "LOGGING A SAMPLE OF FORWARDED PACKETS"
    # Logs up to 3 forwarded packets per minute (any packet, not only "dead"
    # ones as the original label said); packets then continue to the next rules.
    iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "FIREWALL:ARQMORTOS "
    echo " [OK]"
    echo ""
    echo -n "PROTECTION AGAINST ADVANCED SCANNERS"
    # Accept bare RST packets only at a limited rate.
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    echo " [OK]"
    #
    ##################################################
    ################# FILTER TABLE ###################
    ##################################################
    #
    ##################################################
    ################# INPUT CHAIN ####################
    # #
    # CREATE AN INTERNET CHAIN #
    # #
    echo " "
    echo -n "Creating INTERNET chain and configuring INPUT chain ..."
    iptables -N INTERNET
    #
    # ALLOW INPUT TRAFFIC ON THE LOOPBACK AND #
    # THE INTERNAL NETWORK #
    #
    iptables -A INPUT -i lo -j ACCEPT
    #
    iptables -A INPUT -s $LAN_ALL -i eth0 -j ACCEPT
    # eth1 is the Internet interface: a 10.0.0.0/8 source arriving there can only
    # be spoofed, so it must not be trusted. The original rule is left commented out.
    #iptables -A INPUT -s $LAN_ALL -i eth1 -j ACCEPT
    iptables -A INPUT -s $LAN_ALL -i eth2 -j ACCEPT
    #
    # ALLOW INPUT TRAFFIC ON THE VPNS #
    #
    iptables -A INPUT -s $LAN_ALL -i ppp+ -j ACCEPT
    iptables -A INPUT -s $LAN_ALL -i tun+ -j ACCEPT
    #
    # #
    # INTERNET TRAFFIC IS SENT TO THE #
    # "INTERNET" CHAIN #
    #
    iptables -A INPUT -i eth1 -j INTERNET
    #
    # UNKNOWN CONNECTIONS ARE LOGGED AND DROPPED #
    #
    iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT "
    iptables -A INPUT -j DROP
    #
    echo " [OK]"
    ##################################################
    ################# FORWARD CHAIN ##################
    # #
    # ALLOW TRAFFIC BETWEEN SSA - SP #
    # BOTH WAYS #
    #
    echo " "
    echo -n "Traffic between the SSA-SP networks"
    iptables -A FORWARD -s $LAN_SP -d $LAN_SSA -j ACCEPT
    iptables -A FORWARD -s $LAN_SSA -d $LAN_SP -j ACCEPT
    # #
    # ALLOW TRAFFIC TO THE VPN TUNNELS #
    # BOTH WAYS #
    # #
    iptables -A FORWARD -s $LAN_SP -d $LAN_TUN0 -j ACCEPT
    iptables -A FORWARD -s $LAN_SP -d $LAN_TUN1 -j ACCEPT
    iptables -A FORWARD -s $LAN_TUN0 -d $LAN_SP -j ACCEPT
    iptables -A FORWARD -s $LAN_TUN1 -d $LAN_SP -j ACCEPT
    echo " [OK]"
    #
    # WORM PROTECTION (UDP 1434, MS SQL Monitor) #
    #
    iptables -I FORWARD -p udp --dport 1434 -j DROP
    #
    #
    # BLOCKING NETWARE DURING MAINTENANCE OR MIGRATION #
    #
    #iptables -A FORWARD -s 10.32.76.2 -d $LAN_SSA -j DROP
    #iptables -A FORWARD -s $LAN_SSA -d 10.32.76.2 -j DROP
    #
    # Allows forwarding between the local interfaces listed
    # below; traffic to/from any other interface is blocked.
    #
    # TRAFFIC BETWEEN INTERFACES #
    #
    echo " "
    echo -n "Traffic between the INTERFACES"
    # Outbound: from the SP LAN on eth0 to every other interface.
    for IFACE in eth1 eth2 tun0 tun1 ppp0; do
        iptables -A FORWARD -s $LAN_SP -i eth0 -o $IFACE -j ACCEPT
    done
    # Return path. The original rules repeated "-s $LAN_SP" in this direction, so
    # replies (whose source is the remote host) never matched and were dropped at
    # the end of FORWARD; that is the copy-paste mistake described in post #3.
    # The original also had "-s $LAN_SP" rules between the other interfaces
    # (eth1->tun0 etc.); they can never match, since that network only exists
    # behind eth0, and are omitted.
    # From the Internet only replies to connections the LAN opened are allowed.
    iptables -A FORWARD -d $LAN_SP -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # From the router network and the VPN tunnels.
    for IFACE in eth2 tun0 tun1 ppp0; do
        iptables -A FORWARD -d $LAN_SP -i $IFACE -o eth0 -j ACCEPT
    done
    echo " [OK]"
    #
    #
    # RTM TRAFFIC #
    #
    echo " "
    echo -n "RTM traffic"
    iptables -A FORWARD -s $IP_RTM1 -j ACCEPT
    iptables -A FORWARD -s $IP_RTM2 -j ACCEPT
    iptables -A FORWARD -d $IP_RTM1 -j ACCEPT
    # The original had $IP_RTM1 twice here, leaving RTM2 without a return rule.
    iptables -A FORWARD -d $IP_RTM2 -j ACCEPT
    #
    iptables -A FORWARD -j LOG --log-level INFO --log-prefix "FIREWALL: FORWARD "
    iptables -A FORWARD -j DROP
    echo " [OK]"
    #
    #
    ##################################################
    ################# INTERNET CHAIN #################
    #
    # DROP ALL INVALID PACKETS #
    #
    echo " "
    echo -n "Loading INTERNET chain"
    iptables -A INTERNET -m state --state INVALID -j DROP
    #
    # VPN listener reachable from the Internet (UDP 1194, the OpenVPN default).
    iptables -A INTERNET -p udp -m udp --dport 1194 -j ACCEPT
    #
    # BLOCK ANY ATTEMPT TO OPEN A NEW CONNECTION #
    # FROM OUTSIDE TO THIS SERVER #
    #
    # "! --state" is the current negation syntax; "--state !" is the deprecated form.
    iptables -A INTERNET -m state ! --state ESTABLISHED,RELATED -j LOG --log-level INFO --log-prefix "Firewall:INTERNET-IN "
    iptables -A INTERNET -m state ! --state ESTABLISHED,RELATED -j DROP
    iptables -A INTERNET -j ACCEPT
    echo " [OK]"
    #
    #
    #
    ##################################################
    # NAT TABLE #
    ##################################################
    #
    ##################################################
    ############### POSTROUTING CHAIN ################
    #
    # ALLOW ANY CONNECTION LEAVING #
    # VIA LO, ETH0 AND ETH2 #
    #
    echo " "
    echo -n "Loading POSTROUTING chain"
    iptables -t nat -A POSTROUTING -o lo -j ACCEPT
    iptables -t nat -A POSTROUTING -s $LAN_SP -o eth0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s $LAN_SP -o eth2 -j ACCEPT
    #
    # INTERNET TRAFFIC #
    #
    iptables -t nat -A POSTROUTING -s $LAN_SP -o eth1 -j SNAT --to $IP_ETH1
    #
    #
    # TRAFFIC THROUGH THE ROUTER NETWORK #
    # SP-SSA #
    #
    iptables -t nat -A POSTROUTING -s $LAN_ROT1 -d $LAN_SSA -j SNAT --to $IP_ETH2
    #
    # OPEN PORTS FOR DIRECT CONNECTIONS #
    #
    # NOTE: these rules are already covered by the general SNAT above and are
    # never reached. SNAT only rewrites the source address; whether a port may
    # leave at all is decided in the filter table's FORWARD chain, not here.
    for PORTAS in $OPEN_PORTS; do
        iptables -t nat -A POSTROUTING -s $LAN_SP -o eth1 -p tcp --dport $PORTAS -j SNAT --to $IP_ETH1
    done
    #
    # TRAFFIC THROUGH THE VPNS #
    #
    iptables -t nat -A POSTROUTING -s $LAN_SP -o tun1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s $LAN_SP -o tun0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s $LAN_SP -o ppp+ -j MASQUERADE
    #
    # ANY OTHER UNKNOWN TRAFFIC COMING FROM THE #
    # INTERNET (ETH1) INTO ETH0 IS BLOCKED BY THE #
    # RULE BELOW AND LOGGED #
    #
    # POSTROUTING cannot match on the input interface, so "not from 10/8" stands
    # in for "from the Internet". The original matched any source, which would
    # also have dropped new connections from the VPNs and eth2 into the SP LAN;
    # its DROP rule also had "-o etho" (typo) and therefore never matched.
    iptables -t nat -A POSTROUTING ! -s $LAN_ALL -o eth0 -d $LAN_SP -j LOG --log-prefix "FIREWALL: SNAT DESCONHECIDO "
    iptables -t nat -A POSTROUTING ! -s $LAN_ALL -o eth0 -d $LAN_SP -j DROP
    #
    # TRAFFIC TO THE INTERNET INTERFACE MUST #
    # NOT BE BLOCKED #
    #
    iptables -t nat -A POSTROUTING -o eth1 -j ACCEPT
    iptables -t nat -A POSTROUTING -o ppp0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o tun+ -j ACCEPT
    # Internal traffic into the SP LAN that passed the check above (VPNs, eth2);
    # without this it would hit the final DROP below.
    iptables -t nat -A POSTROUTING -s $LAN_ALL -o eth0 -j ACCEPT
    #
    # LOG UNKNOWN TRAFFIC AND BLOCK IT #
    iptables -t nat -A POSTROUTING -j LOG --log-prefix "FIREWALL: SNAT "
    iptables -t nat -A POSTROUTING -j DROP
    #
    echo " [OK]"
    #
    ##################################################
    ############### PREROUTING CHAIN #################
    #
    echo " "
    echo -n "Loading PREROUTING chain"
    # Transparent proxy: HTTP from the LAN is redirected to squid on port 3128
    # before routing, so it never reaches FORWARD. Other ports (110, 443, ...)
    # are not redirected and must be allowed in FORWARD to reach the Internet.
    iptables -t nat -A PREROUTING -s $LAN_ALL -i eth0 -p tcp --dport http -j REDIRECT --to-port 3128
    echo " [OK]"
    #
    # PACKET PRIORITY #
    #
    echo ""
    echo -n "PRIORITISING OUTGOING PACKETS"
    # TOS 16 = Minimize-Delay for DNS and HTTP generated by the firewall itself.
    iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 53 -j TOS --set-tos 16
    iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos 16
    echo " [OK]"
    echo ""
    echo ""
    echo " [ FIREWALL RULES UPDATED ] "
    echo ""

  2. #2

    Re: Opening Ports in an ADVANCED FIREWALL

    Man, POP does not go through squid [the proxy]. HTTP traffic does.
    Since your default policy in the INPUT and FORWARD chains is DROP, you need to ACCEPT that kind of traffic.

    Ex:
    # -s takes an address, not an interface; $LAN_SP is the LAN subnet from the script above.
    # INPUT covers connections to the firewall itself, FORWARD covers routed traffic.
    iptables -A INPUT -s $LAN_SP -p tcp --dport 443 -j ACCEPT
    iptables -A FORWARD -s $LAN_SP -p tcp --dport 443 -j ACCEPT
    [*] I did not read your whole firewall ;]

  3. #3

    Re: Opening Ports in an ADVANCED FIREWALL

    Got it working. The problem was in my FORWARD rules for the interfaces, which by mistake I had left with only a source (-s) and no destination (-d); when copy-pasting I forgot to change it.

    Thanks
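The two points the thread settles on, that FORWARD must ACCEPT the directly routed ports (post #2) and that the rule for the return direction must not repeat the LAN source (post #3), can be checked before touching a live gateway. The script below is an added example, not the poster's firewall or anything from Foca Linux: it emits the relevant part of a ruleset in iptables-restore format (HTTP redirected to the proxy, POP3 and HTTPS straight out) and lints a FORWARD chain for egress rules that have no usable return path. Interface names, the SP subnet and the squid port are taken from the poster's script; MASQUERADE stands in for the SNAT to the poster's masked public address, and the lint's regexes assume the plain `-i X -o Y` rule layout used on this page.

```sh
#!/bin/sh
# Added example (not from the thread): generate the proxy-plus-direct-ports rules
# and lint FORWARD for the copy-paste bug from post #3.
# Assumptions: eth0 = SP LAN, eth1 = Internet, squid on 3128 (all from the post).

LAN_IF="eth0"
WAN_IF="eth1"
LAN_SP="10.32.76.0/25"
DIRECT_PORTS="110 443"      # leave directly; 80 goes to the transparent proxy
PROXY_PORT=3128

# Complete ruleset in iptables-restore format. One ESTABLISHED,RELATED rule
# admits every reply, so no per-interface return rules are needed.
good_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A PREROUTING -s $LAN_SP -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    echo "-A POSTROUTING -s $LAN_SP -o $WAN_IF -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $DIRECT_PORTS; do
        echo "-A FORWARD -s $LAN_SP -i $LAN_IF -o $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "-A FORWARD -j LOG --log-prefix \"FIREWALL: FORWARD \""
    echo "-A FORWARD -j DROP"
    echo "COMMIT"
}

# The poster's original pattern (filter part only): "-s $LAN_SP" in both
# directions. A reply arriving on eth1 has the remote host as source, so the
# second rule never matches and the packet hits the final DROP.
broken_ruleset() {
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -s $LAN_SP -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "-A FORWARD -s $LAN_SP -i $WAN_IF -o $LAN_IF -j ACCEPT"
    echo "-A FORWARD -j DROP"
    echo "COMMIT"
}

# The fix from post #3: the return rule matches the LAN as destination instead.
fixed_ruleset() {
    broken_ruleset | sed "s|-s $LAN_SP -i $WAN_IF -o $LAN_IF|-d $LAN_SP -i $WAN_IF -o $LAN_IF|"
}

# Read a ruleset on stdin. Every "-A FORWARD ... -i A -o B" rule needs a return
# path: a global ESTABLISHED,RELATED accept, or an "-i B -o A" rule that does
# not repeat the egress rule's "-s" (a reply cannot carry that source).
# Returns 0 when every path has one, 1 with a message otherwise.
lint_return_paths() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -q -- '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'; then
        return 0
    fi
    printf '%s\n' "$rules" | grep -- '-A FORWARD .*-i [^ ]* -o [^ ]*' | while read -r line; do
        in_if=$(printf '%s\n' "$line" | sed -n 's/.*-i \([^ ]*\).*/\1/p')
        out_if=$(printf '%s\n' "$line" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
        src=$(printf '%s\n' "$line" | sed -n 's/.*-s \([^ ]*\).*/\1/p')
        [ -n "$src" ] || src="__none__"
        if ! printf '%s\n' "$rules" | grep -- "-A FORWARD .*-i $out_if -o $in_if" | grep -qv -- "-s $src"; then
            echo "no usable return path for $in_if -> $out_if (a reply cannot have source $src)"
            exit 1
        fi
    done
}

# Usage: lint all three variants; only "broken" should fail.
for v in good fixed broken; do
    if ${v}_ruleset | lint_return_paths; then echo "$v: ok"; else echo "$v: FAIL"; fi
done
```

On the gateway, `good_ruleset | iptables-restore --test` parses the ruleset without loading it; note that the generated rules replace the whole nat and filter tables, so they are a starting point for the poster's script rather than a drop-in for it.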