- LIberar Limewire
+ Responder ao Tópico
-
LIberar Limewire
OLa pessoal. Estou precisando liberar o LImewire, Kazaa para a rede no entanto nao estou conseguindo. Coloquei as seguintes regras mas não funcionou.
$IPT -A INPUT -p tcp --destination-port 4666 -j ACCEPT
$IPT -A FORWARD -j ACCEPT -p tcp --dport 4666
$IPT -A OUTPUT -p tcp --sport 0:65535 --dport 4666:4666 -m state --state NEW -j ACCEPT
Segue abaixo o firewall completo. O que esta errado? Obrigado.
#!/bin/bash
################## Firewall LEX INFORMATICA ###########################
######### Carrega os m�dulos###############
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_layer7
# Define Variaveis
IPT=/sbin/iptables
INTNET=eth0
EXTNET=eth1
REDE=192.168.0.0/24
# Limpando Regras
$IPT -Z
$IPT -X
$IPT -F
$IPT -t filter -F
$IPT -t filter -X
$IPT -t filter -Z
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t mangle -Z
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
##########################################################
# REGRAS SYSCTL #
##########################################################
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# IGNORANDO BROADCASTS: "
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Protegendo contra Syn Flood: "
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Ativando LOG com end.de pacotes invalidos: "
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Reduzindo Ataque DOS: "
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
# Ativando KeepAlive: "
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
# Ativando tcp_scaling: "
echo "0" > /proc/sys/net/ipv4/tcp_sack
# Ativando ip_sack: "
echo "1200" > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Ativando TCP Max Syn Backlog: "
echo "0" > /proc/sys/net/ipv4/conf/all/bootp_relay
# Ativando Protecao Bootp Relay: "
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Ativando Protecao Source Route: "
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Ativando Protecao Accept Redirects: "
#echo "0" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "# Ativando Protecao Proxy Arp: "
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
# Ativando Secure Redirects: "
echo 255 > /proc/sys/net/ipv4/ip_default_ttl
# Confundir fingerprinting "
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Protecao contra responses bogus: "
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Habilitando IP din�mico.."
#######################TABELA NAT #######################################
# Ativando NAT somente as portas especificadas abaixo para a rede interna p/ acesso a internet
# 20,21 (ftp), 22(ssh), pop e smtp(110,25), dns(53), http(80), https(443), gmail(465,995), Receitanet(3456)
# Conectividade Social(2631), ICQ(5090) e MSN(1863)
$IPT -t nat -A POSTROUTING -s $REDE -o $EXTNET -m multiport -p tcp --dports 20,21,22,25,53,80,110,443,465,995,1479,2083,2631,3007,3456 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $REDE -o $EXTNET -m multiport -p udp --dports 20,21,53,443 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTNET -s 192.168.0.0/24 -p tcp --dport 5090 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTNET -s 192.168.0.0/24 -p tcp --dport 1863 -j MASQUERADE
# Permitindo acesso remoto ao servidor SSH da rede local
$IPT -t nat -A PREROUTING -i $EXTNET -p tcp --dport 22 -j DNAT --to 192.168.0.2
# Redirecionando todo o tr�fego interno � porta 80 para que v� para o Proxy Squid exceto CS da Caixa
#$IPT -t nat -A PREROUTING -s 192.168.0.2 -p tcp --dport 3128 -j DROP
$IPT -t nat -A PREROUTING -s $REDE -p tcp -d ! 200.201.174.0/24 --dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -d ! 200.201.173.0/24 -j REDIRECT --to-port 3128
$IPT -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -d ! 200.201.166.0/24 -j REDIRECT --to-port 3128
##################### TABELA MANGLE ################################
# Priorizando tipos de servi�os da rede http e https
$IPT -t mangle -A OUTPUT -o $EXTNET -p tcp --dport 80 -j TOS --set-tos 0x08
$IPT -t mangle -A OUTPUT -o $EXTNET -p tcp --dport 443 -j TOS --set-tos 0x08
##################### REGRAS DE BLOQUEIO DE PACOTES ###################
# Fechando portas Time, Server X, Samba e RPC contra acessos externos
$IPT -A INPUT -i $EXTNET -p tcp --dport 6000 -j LOG --log-level debug --log-prefix "X11SERVER"
$IPT -A INPUT -i $EXTNET -p tcp -m multiport --dport 37,6000,139,111,887,2049,445 -j DROP
# Bloqueia conex�es inv�lidas vindas da internet e loga algumas portas
$IPT -A INPUT -m state --state INVALID -j LOG --log-level debug --log-prefix "INVALIDPACKET"
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state UNTRACKED -j LOG --log-level debug --log-prefix "UNTRACKED"
$IPT -A INPUT -m state --state UNTRACKED -j DROP
# Barra pacotes TCP indesej�veis e loga isso (Cuja nova conex�o N�O � iniciada com flag syn)
$IPT -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-level debug --log-prefix "NAO SYN: "
$IPT -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP
# Protecao quanto a ataques de datagramas malformados
$IPT -A INPUT -i $EXTNET -m unclean -j LOG --log-level debug --log-prefix "DATAGRAMINVALID "
$IPT -A INPUT -i $EXTNET -m unclean -j DROP
# Prote��o contra o ataque Tracert
$IPT -A FORWARD -p udp -s 0/0 -i $EXTNET --dport 33435:33525 -j DROP
# Prote��o contra o trojan Wincrash e NetBus
$IPT -A FORWARD -p tcp -m multiport --dport 5042,12345 -j LOG --log-level debug --log-prefix "WINCRASH"
$IPT -A FORWARD -p tcp -m multiport --dport 5042,12345 -j DROP
# Prote��o contra trinoo
$IPT -A INPUT -p tcp -i $EXTNET -m multiport --dport 27444,27665,31335,34555,35555 -j DROP
$IPT -A FORWARD -s $REDE -p tcp --dport 4861 -j DROP
# Regras IPT LAYER 7
# N�o permite que usu�rios da rede baixem ou fa�am upload de arquivos com extensao exe
#$IPT -A FORWARD -m layer7 --l7proto fasttrack -d 192.168.0.0/24 -j ACCEPT
####################### REGRAS DE ACEITA��O DE PACOTES ##########################
# Aceita os pacotes que podem entrar (libera��o de entrada)
$IPT -A INPUT -p tcp --destination-port 4666 -j ACCEPT
$IPT -A FORWARD -j ACCEPT -p tcp --dport 4666
$IPT -A OUTPUT -p tcp --sport 0:65535 --dport 4666:4666 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i ! eth1 -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Regras para DNS
$IPT -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
# Permite trafego Http
$IPT -A FORWARD -s 192.168.0.0/24 -o $EXTNET -p tcp --dport 80 -j DROP
$IPT -A FORWARD -s 192.168.0.0/24 -o $EXTNET -p tcp --dport 443 -j DROP
# Permitindo passagem para a porta do SSH
$IPT -A FORWARD -i $EXTNET -p tcp -d 192.168.0.2 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -s 192.168.0.2 -j LOG --log-prefix "SSH CONNECTION"
# Libera acesso de smtp (587) e pop (995) do GMAIL para fora para a rede local
$IPT -A FORWARD -p tcp -s 192.168.0.0/24 -o $EXTNET -p tcp -dport 587 -j ACCEPT
$IPT -A FORWARD -p tcp -d 192.168.0.0/24 -i $EXTNET -p tcp -sport 587 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.0.0/24 -o $EXTNET -p tcp -dport 995 -j ACCEPT
$IPT -A FORWARD -p tcp -d 192.168.0.0/24 -i $EXTNET -p tcp -sport 995 -j ACCEPT
# Libera acesso ao DHCP interno da rede
$IPT -A INPUT -p tcp -m multiport --dports 67,68 -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dports 67,68 -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --sports 67,68 -j ACCEPT
$IPT -A INPUT -p udp -m multiport --sports 67,68 -j ACCEPT
# Libera MSN so pro chefe e depois fecha pro resto da rede
#$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp --dport 1863 -j LOG --log-level debug --log-prefix "MSNDOCHEFE"
#$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp --dport 1863 -j ACCEPT
#$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp -d 65.54.239.80 -j LOG --log-level debug --log-prefix "MSN"
#$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp -d 65.54.239.80 -j ACCEPT
#$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp -d 65.54.179.192 -j LOG --log-level debug --log-prefix "MESSENGER"
#$IPT -A FORWARD -o $EXTNET -s 192.168.0.2/24 -p tcp -d 65.54.179.192 -j ACCEPT
$IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp -d 65.54.179.192 -j DROP
$IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp -d 65.54.239.80 -j DROP
$IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp -d 207.46.110.35 -j DROP
$IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp --dport 1863 -j DROP
$IPT -A FORWARD -o $EXTNET -s 192.168.0.0/24 -p tcp -d loginnet.passport.com -j DROP
# Prote��o contra Port Scanner Avan�ados
$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Prote��o contra Ping da Morte
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Prote��o contra SYN-Floding
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-
Kra eu libero o limewire aki assim:
iptables -t filter -A FORWARD -p TCP --dport 6346 -j ACCEPT
Agora tem q v o Kazaa qual a porta que ele usa e liberar da mesma forma