+ Responder ao Tópico



  1. #1
    slacklex
    OLa pessoal. Estou precisando liberar o LImewire, Kazaa para a rede no entanto nao estou conseguindo. Coloquei as seguintes regras mas não funcionou.

    $IPT -A INPUT -p tcp --destination-port 4666 -j ACCEPT
    $IPT -A FORWARD -j ACCEPT -p tcp --dport 4666
    $IPT -A OUTPUT -p tcp --sport 0:65535 --dport 4666:4666 -m state --state NEW -j ACCEPT

    Segue abaixo o firewall completo. O que esta errado? Obrigado.


    #!/bin/bash

    ################## Firewall LEX INFORMATICA ###########################


    ######### Carrega os m�dulos###############
    modprobe iptable_nat
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe iptable_nat
    modprobe ip_nat_ftp
    modprobe ipt_layer7

    # Define Variaveis
    IPT=/sbin/iptables
    INTNET=eth0
    EXTNET=eth1
    REDE=192.168.0.0/24

    # Limpando Regras
    $IPT -Z
    $IPT -X
    $IPT -F
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -t filter -Z
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t nat -Z
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -t mangle -Z
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    ##########################################################
    # REGRAS SYSCTL #
    ##########################################################

    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # IGNORANDO BROADCASTS: "

    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    # Protegendo contra Syn Flood: "

    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    # Ativando LOG com end.de pacotes invalidos: "

    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    # Reduzindo Ataque DOS: "

    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    # Ativando KeepAlive: "

    echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
    # Ativando tcp_scaling: "

    echo "0" > /proc/sys/net/ipv4/tcp_sack
    # Ativando ip_sack: "

    echo "1200" > /proc/sys/net/ipv4/tcp_max_syn_backlog
    # Ativando TCP Max Syn Backlog: "

    echo "0" > /proc/sys/net/ipv4/conf/all/bootp_relay
    # Ativando Protecao Bootp Relay: "

    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    # Ativando Protecao Source Route: "

    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    # Ativando Protecao Accept Redirects: "

    #echo "0" > /proc/sys/net/ipv4/conf/all/proxy_arp
    #echo "# Ativando Protecao Proxy Arp: "

    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
    # Ativando Secure Redirects: "

    echo 255 > /proc/sys/net/ipv4/ip_default_ttl
    # Confundir fingerprinting "

    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Protecao contra responses bogus: "

    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # Habilitando IP din�mico.."


    #######################TABELA NAT #######################################

    # Ativando NAT somente as portas especificadas abaixo para a rede interna p/ acesso a internet
    # 20,21 (ftp), 22(ssh), pop e smtp(110,25), dns(53), http(80), https(443), gmail(465,995), Receitanet(3456)
    # Conectividade Social(2631), ICQ(5090) e MSN(1863)

    $IPT -t nat -A POSTROUTING -s $REDE -o $EXTNET -m multiport -p tcp --dports 20,21,22,25,53,80,110,443,465,995,1479,2083,2631,3007,3456 -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s $REDE -o $EXTNET -m multiport -p udp --dports 20,21,53,443 -j MASQUERADE

    $IPT -t nat -A POSTROUTING -o $EXTNET -s 192.168.0.0/24 -p tcp --dport 5090 -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o $EXTNET -s 192.168.0.0/24 -p tcp --dport 1863 -j MASQUERADE

    # Permitindo acesso remoto ao servidor SSH da rede local
    $IPT -t nat -A PREROUTING -i $EXTNET -p tcp --dport 22 -j DNAT --to 192.168.0.2

    # Redirecionando todo o tr�fego interno � porta 80 para que v� para o Proxy Squid exceto CS da Caixa
    #$IPT -t nat -A PREROUTING -s 192.168.0.2 -p tcp --dport 3128 -j DROP
    $IPT -t nat -A PREROUTING -s $REDE -p tcp -d ! 200.201.174.0/24 --dport 80 -j REDIRECT --to-port 3128
    $IPT -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -d ! 200.201.173.0/24 -j REDIRECT --to-port 3128
    $IPT -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -d ! 200.201.166.0/24 -j REDIRECT --to-port 3128


    ##################### TABELA MANGLE ################################
    # Priorizando tipos de servi�os da rede http e https
    $IPT -t mangle -A OUTPUT -o $EXTNET -p tcp --dport 80 -j TOS --set-tos 0x08
    $IPT -t mangle -A OUTPUT -o $EXTNET -p tcp --dport 443 -j TOS --set-tos 0x08

    ##################### REGRAS DE BLOQUEIO DE PACOTES ###################

    # Fechando portas Time, Server X, Samba e RPC contra acessos externos
    $IPT -A INPUT -i $EXTNET -p tcp --dport 6000 -j LOG --log-level debug --log-prefix "X11SERVER"
    $IPT -A INPUT -i $EXTNET -p tcp -m multiport --dport 37,6000,139,111,887,2049,445 -j DROP

    # Bloqueia conex�es inv�lidas vindas da internet e loga algumas portas
    $IPT -A INPUT -m state --state INVALID -j LOG --log-level debug --log-prefix "INVALIDPACKET"
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state UNTRACKED -j LOG --log-level debug --log-prefix "UNTRACKED"
    $IPT -A INPUT -m state --state UNTRACKED -j DROP

    # Barra pacotes TCP indesej�veis e loga isso (Cuja nova conex�o N�O � iniciada com flag syn)
    $IPT -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-level debug --log-prefix "NAO SYN: "
    $IPT -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP

    # Protecao quanto a ataques de datagramas malformados
    $IPT -A INPUT -i $EXTNET -m unclean -j LOG --log-level debug --log-prefix "DATAGRAMINVALID "
    $IPT -A INPUT -i $EXTNET -m unclean -j DROP

    # Prote��o contra o ataque Tracert
    $IPT -A FORWARD -p udp -s 0/0 -i $EXTNET --dport 33435:33525 -j DROP

    # Prote��o contra o trojan Wincrash e NetBus
    $IPT -A FORWARD -p tcp -m multiport --dport 5042,12345 -j LOG --log-level debug --log-prefix "WINCRASH"
    $IPT -A FORWARD -p tcp -m multiport --dport 5042,12345 -j DROP

    # Prote��o contra trinoo
    $IPT -A INPUT -p tcp -i $EXTNET -m multiport --dport 27444,27665,31335,34555,35555 -j DROP
    $IPT -A FORWARD -s $REDE -p tcp --dport 4861 -j DROP
    # Regras IPT LAYER 7
    # N�o permite que usu�rios da rede baixem ou fa�am upload de arquivos com extensao exe
    #$IPT -A FORWARD -m layer7 --l7proto fasttrack -d 192.168.0.0/24 -j ACCEPT



    ####################### REGRAS DE ACEITA��O DE PACOTES ##########################

    # Aceita os pacotes que podem entrar (libera��o de entrada)
    $IPT -A INPUT -p tcp --destination-port 4666 -j ACCEPT
    $IPT -A FORWARD -j ACCEPT -p tcp --dport 4666
    $IPT -A OUTPUT -p tcp --sport 0:65535 --dport 4666:4666 -m state --state NEW -j ACCEPT

    $IPT -A INPUT -i ! eth1 -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Regras para DNS
    $IPT -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT

    # Permite trafego Http
    $IPT -A FORWARD -s 192.168.0.0/24 -o $EXTNET -p tcp --dport 80 -j DROP
    $IPT -A FORWARD -s 192.168.0.0/24 -o $EXTNET -p tcp --dport 443 -j DROP

    # Permitindo passagem para a porta do SSH
    $IPT -A FORWARD -i $EXTNET -p tcp -d 192.168.0.2 --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -s 192.168.0.2 -j LOG --log-prefix "SSH CONNECTION"

    # Libera acesso de smtp (587) e pop (995) do GMAIL para fora para a rede local
    $IPT -A FORWARD -p tcp -s 192.168.0.0/24 -o $EXTNET -p tcp -dport 587 -j ACCEPT
    $IPT -A FORWARD -p tcp -d 192.168.0.0/24 -i $EXTNET -p tcp -sport 587 -j ACCEPT
    $IPT -A FORWARD -p tcp -s 192.168.0.0/24 -o $EXTNET -p tcp -dport 995 -j ACCEPT
    $IPT -A FORWARD -p tcp -d 192.168.0.0/24 -i $EXTNET -p tcp -sport 995 -j ACCEPT

    # Libera acesso ao DHCP interno da rede
    $IPT -A INPUT -p tcp -m multiport --dports 67,68 -j ACCEPT
    $IPT -A INPUT -p udp -m multiport --dports 67,68 -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --sports 67,68 -j ACCEPT
    $IPT -A INPUT -p udp -m multiport --sports 67,68 -j ACCEPT

    # Libera MSN so pro chefe e depois fecha pro resto da rede
    #$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp --dport 1863 -j LOG --log-level debug --log-prefix "MSNDOCHEFE"
    #$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp --dport 1863 -j ACCEPT
    #$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp -d 65.54.239.80 -j LOG --log-level debug --log-prefix "MSN"
    #$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp -d 65.54.239.80 -j ACCEPT
    #$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp -d 65.54.179.192 -j LOG --log-level debug --log-prefix "MESSENGER"
    #$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp -d 65.54.179.192 -j ACCEPT


    $IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp -d 65.54.179.192 -j DROP
    $IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp -d 65.54.239.80 -j DROP
    $IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp -d 207.46.110.35 -j DROP
    $IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp --dport 1863 -j DROP
    $IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp -d loginnet.passport.com -j DROP

    # Prote��o contra Port Scanner Avan�ados
    $IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    # Prote��o contra Ping da Morte
    $IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Prote��o contra SYN-Floding
    $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

  2. Kra eu libero o limewire aki assim:
    iptables -t filter -A FORWARD -p TCP --dport 6346 -j ACCEPT

    Agora tem q v o Kazaa qual a porta que ele usa e liberar da mesma forma






Tópicos Similares

  1. Liberar nat para uma maquina para suporte com NetMeeting
    Por maneirobh no fórum Servidores de Rede
    Respostas: 1
    Último Post: 05-11-2002, 15:46
  2. Liberar acesso externo via SSH
    Por Elvis no fórum Servidores de Rede
    Respostas: 1
    Último Post: 03-11-2002, 09:32
  3. Liberar indereço sem pedir autenticação no squid
    Por AndrewAmorimdaSilva no fórum Servidores de Rede
    Respostas: 3
    Último Post: 02-11-2002, 16:06
  4. Liberar ip com porta usando iptables
    Por AndrewAmorimdaSilva no fórum Servidores de Rede
    Respostas: 2
    Último Post: 26-10-2002, 10:11
  5. Liberar Kazaa em Firewall usando IPCHAINS
    Por omaha no fórum Servidores de Rede
    Respostas: 0
    Último Post: 01-10-2002, 08:13

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L