
 
		
		
    
 
	
	
 
 
 
		
			
	
	
	
	
	
	
		
			
	
	
		
		
			
				
				
				
					
 firewall barrando
				
				
						
							
							
						
						
							
						
				
					
						
Olá pessoal, sou novato no Linux e estou tentando instalar um servidor Squid/firewall no CentOS 5.4, mas estou tendo vários problemas com as regras, pois não consigo liberar a porta do WTS (Terminal Server, 3389) e do SSH (22). Na verdade eu até fiz as regras e acho que estão corretas, mas não consigo logar no servidor pela internet. Segue aí o firewall.sh; se alguém puder dar uma olhada e me ajudar, ficarei muito grato.
 
 
#!/bin/bash
# firewall.sh - iptables firewall / NAT for a CentOS 5 box with two NICs
# (eth0 = LAN, eth1 = internet). Must run as root: every command below
# writes directly to the kernel's netfilter tables.

# -------------------------------------------------
#  Enable IPv4 routing between the two interfaces
# -------------------------------------------------
# NOTE(review): the `service iptables save` at the end of this script
# persists only the rules; this sysctl is not persisted by it. Make sure
# net.ipv4.ip_forward = 1 is also set in /etc/sysctl.conf, otherwise
# forwarding and the DNAT port-forwards stop working after a reboot.
echo "1" > /proc/sys/net/ipv4/ip_forward

# -----------------------------------------------------------------
#  Load the netfilter modules used below (CentOS 5 / 2.6.18 names)
# -----------------------------------------------------------------
# ipt_limit is needed if the LOG rules are rate-limited with -m limit;
# ip_conntrack_ftp / ip_nat_ftp are the FTP connection-tracking helpers
# for the outbound FTP rule in the FORWARD chain.
for module in \
    ip_conntrack ip_tables iptable_filter iptable_mangle iptable_nat \
    ipt_LOG ipt_limit ipt_MASQUERADE ipt_REJECT \
    ip_conntrack_ftp ip_nat_ftp
do
    modprobe "$module"
done
 
# ------------------------------------------------------------------
#  Start from a clean slate: flush the rules (-F), delete user-defined
#  chains (-X) and zero the counters (-Z) in every table.
# ------------------------------------------------------------------
# Note: none of these operations touches the chain *policies*; whatever
# policy is in place stays in force while the rules are being reloaded.
for op in F X Z; do
    for table in filter nat mangle; do
        iptables -t "$table" -"$op"
    done
done
 
# -------------
#  Variables
# -------------
iface_interna="eth0"    # LAN side (the internal network, "MZ")
iface_internet="eth1"   # internet / upstream side ("INET")
servidor="192.168.1.1"  # internal host used by the commented-out DNAT example
# NOTE(review): $ip_internet is referenced by the commented-out SNAT rule
# below but is never defined anywhere in this script; define it (the public
# address of $iface_internet) before enabling that rule, or iptables will
# reject the empty --to-source argument.
 
##############################################################################
#                           DNAT / SNAT RULES                                #
##############################################################################
# --- SNAT: rewrite the source address of everything leaving on the internet NIC
# MASQUERADE uses whatever address the outgoing interface currently has,
# so it also works on a dynamic (DHCP/PPPoE) link.
iptables -t nat -A POSTROUTING -o "$iface_internet" -j MASQUERADE
# Fixed-address alternative (needs $ip_internet defined). Use one or the
# other: in nat/POSTROUTING the first matching rule wins.
#iptables -t nat -A POSTROUTING -o $iface_internet -j SNAT --to-source $ip_internet

# --- DNAT: port-forwards from the internet NIC to hosts on the LAN ---
# Every DNAT rule also needs a matching ACCEPT in the FORWARD chain, or the
# redirected packets are dropped there.
# Example: publish an Apache server on $servidor through port 80.
#iptables -t nat -A PREROUTING -i $iface_internet -p tcp --dport 80 -j DNAT --to-destination $servidor
# Example: one VNC host per external port (last digits of the port = last
# octet of the LAN address).
#iptables -t nat -A PREROUTING -i $iface_internet -p tcp --dport 59002 -j DNAT --to-destination 192.168.1.2:5900
#iptables -t nat -A PREROUTING -i $iface_internet -p tcp --dport 59003 -j DNAT --to-destination 192.168.1.3:5900
#iptables -t nat -A PREROUTING -i $iface_internet -p tcp --dport 59004 -j DNAT --to-destination 192.168.1.4:5900
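# -------------------
#  Default policies
# -------------------
# INPUT and FORWARD default to DROP so that (a) anything not explicitly
# allowed below is refused even if this script aborts half-way through
# (with ACCEPT here, a typo in a later line leaves the box wide open), and
# (b) on every later reload the box stays closed while the chains are being
# flushed and refilled (-F does not reset the policy). The explicit LOG +
# DROP rules at the end of INPUT and FORWARD stay in place so refused
# packets are still logged. OUTPUT remains ACCEPT: traffic generated by the
# firewall itself is trusted.
# CAUTION: the first time this runs over SSH, do it from the console or
# arrange a fallback (e.g. `echo 'iptables -P INPUT ACCEPT' | at now + 5 minutes`),
# because a failure between here and the SSH rule would lock you out.
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT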
 
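##############################################################################
#                              INPUT RULES                                   #
##############################################################################
# Traffic addressed to the firewall itself. Everything not matched below is
# logged and dropped, so each service has to be opened explicitly. All the
# service rules are bound to the LAN interface: no service on the firewall is
# reachable from the internet NIC, only replies to connections it opened.

# Replies / related packets of connections already accepted.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback is unrestricted (local daemons talk to each other over it).
iptables -A INPUT -i lo -j ACCEPT
# SSH on the firewall, LAN only (port 22 and, presumably, an alternate SSH
# port 23000). To administer the box from the internet do NOT simply copy
# this rule onto $iface_internet: add one restricted to a known source
# address (-s <admin address>) and consider `-m limit` on NEW connections
# to slow down password guessing.
iptables -A INPUT -i $iface_interna -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $iface_interna -p tcp --dport 23000 -j ACCEPT
# Apache running on the firewall, LAN only.
iptables -A INPUT -i $iface_interna -p tcp --dport 80 -j ACCEPT
# Squid proxy on the firewall, LAN only.
iptables -A INPUT -i $iface_interna -p tcp --dport 3128  -j ACCEPT
# Echo request (ping) from the LAN.
iptables -A INPUT -i $iface_interna -p icmp -m icmp --icmp-type 8 -j ACCEPT
# DNS resolver on the firewall for the LAN. UDP only: add a tcp/53 rule if
# clients need responses too large for UDP.
iptables -A INPUT -i $iface_interna -p udp --dport 53 -j ACCEPT
# Log what is about to be dropped (level 5 = notice). Rate-limited so a port
# scan or flood cannot fill syslog and the disk; ipt_limit is loaded above.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 5 --log-prefix "Iptables INPUT: "
# Drop everything else.
iptables -A INPUT -j DROP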
 
##############################################################################
#                             FORWARD RULES                                  #
##############################################################################
# Traffic routed between the two NICs. As in INPUT, everything not listed
# here is logged and dropped at the end of the chain.

# Replies / related packets of connections already accepted below.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Direct HTTP from the LAN to the internet is deliberately left disabled -
# presumably browsers go through the Squid proxy (tcp/3128 in INPUT).
# iptables -A FORWARD -i $iface_interna -o $iface_internet -p tcp --dport 80 -j ACCEPT
# VNC from the internet into the LAN. Only useful once one of the VNC DNAT
# rules (commented out above) is enabled; until then nothing from the
# internet NIC arrives in FORWARD with this destination port.
iptables -A FORWARD -i $iface_internet -o $iface_interna -p tcp --dport 5900 -j ACCEPT

# Application ports allowed through the firewall (the purpose of each port
# is not documented here).
# NOTE(review): these rules carry no -i/-o, so they match in either
# direction. With MASQUERADE alone nothing from the internet reaches FORWARD
# without a DNAT rule, but add `-i $iface_interna -o $iface_internet` to make
# them explicitly outbound-only. tcp/22 here does NOT open SSH *to* the
# firewall - that is decided in the INPUT chain.
for port in 110 25 22 2017 8080 8009 55793 8017 1049 3456; do
    iptables -A FORWARD -p tcp --dport "$port" -j ACCEPT
done
iptables -A FORWARD -p udp --dport 8017 -j ACCEPT
# Two hosts reachable on any port and protocol.
for host in 200.199.226.130 200.244.109.93; do
    iptables -A FORWARD -d "$host" -j ACCEPT
done
 
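######### DPI port ########################
iptables -A FORWARD -p tcp --dport 24001 -j ACCEPT

# Bank / government sites allowed on any port
# -------------------------------------------
#### banco BRB ####
iptables -A FORWARD -d 200.11.16.130 -j ACCEPT
#### ENGECRED ####
iptables -A FORWARD -d 200.252.146.151 -j ACCEPT
iptables -A FORWARD -d 200.252.146.131 -j ACCEPT
#### TERMINAL SERVER (RDP published to the internet) ####
# FORWARD accepts tcp/3389 (no -i/-o, so in both directions) and the DNAT
# sends whatever arrives on the internet NIC on 3389 to the terminal server.
# NOTE(review): this exposes RDP to every address on the internet. Restrict
# the DNAT/FORWARD pair with `-s <client address>` to the sites that need it,
# or reach the terminal server over a VPN instead.
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -i $iface_internet -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.3:3389
# Source NAT of the forwarded RDP flow, limited to exactly that flow so
# nothing else routed to 192.168.1.3 gets its source rewritten. Even so, the
# terminal server sees every remote client as the firewall's LAN address,
# which destroys the client IP in its logs. The rule is only needed if
# 192.168.1.3 does NOT use this firewall as its default gateway; if it does,
# remove the rule so the real client address reaches the server's logs.
iptables -t nat -A POSTROUTING -o $iface_interna -d 192.168.1.3 -p tcp --dport 3389 -j MASQUERADE

#### CEDENTE ####
iptables -A FORWARD -p tcp --dport 5006 -j ACCEPT
iptables -A FORWARD -d 186.215.92.145 -j ACCEPT
iptables -A FORWARD -d 186.215.92.131 -j ACCEPT
#### CONECTIVIDADE SOCIAL (CAGED, FGTS, SEFIP) ####
iptables -A FORWARD -d 200.201.173.68 -j ACCEPT
iptables -A FORWARD -d 200.201.174.207 -j ACCEPT
iptables -A FORWARD -d 200.201.174.204 -j ACCEPT
# ACCEPT in nat/PREROUTING only stops further NAT processing for that
# packet; it has no effect unless a DNAT rule matching these destinations is
# appended after it. Kept as found.
iptables -t nat -A PREROUTING -d 200.201.174.204 -j ACCEPT
iptables -A FORWARD -d 200.201.166.240 -j ACCEPT
iptables -A FORWARD -d 200.188.201.149 -j ACCEPT
iptables -t nat -A PREROUTING -d 200.188.201.149 -j ACCEPT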
 
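# FTP from the LAN to the internet (the ip_conntrack_ftp / ip_nat_ftp
# helpers loaded above let the data connection match as RELATED).
iptables -A FORWARD -i $iface_interna -o $iface_internet -p tcp --dport 21 -j ACCEPT
# DNS servers on the internet (UDP only).
iptables -A FORWARD -i $iface_interna -o $iface_internet -p udp --dport 53 -j ACCEPT
# Echo request (ping) from the LAN outwards.
iptables -A FORWARD -i $iface_interna -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log what is about to be dropped (level 5 = notice). Rate-limited so a scan
# or flood through the firewall cannot fill syslog and the disk; ipt_limit is
# loaded above.
iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 5 --log-prefix "Iptables FORWARD: "
# Drop everything else.
iptables -A FORWARD -j DROP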
 
##############################################################################
#                              OUTPUT RULES                                  #
##############################################################################
# Packets generated by the firewall itself are all allowed (the chain policy
# is ACCEPT as well); the state rule in front only lets replies short-circuit.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

# Persist the rule set so the iptables service restores it at boot.
# NOTE(review): only the rules are saved - the ip_forward sysctl set at the
# top is not; make sure it is in /etc/sysctl.conf too. This save runs even if
# one of the commands above failed, so check the output of this script before
# trusting what was written.
service iptables save
# -------
#  End
# -------
 
 