Firewall

**igorallan** · 08-06-2006, 19:10

Alguem pode me ajudar
tenho o seguinte firewall

#---------------------------------------------------------------------------
#Adiciona IPs virtuais
ifconfig eth0:1 201.59.6.243 netmask 255.255.255.248 broadcast 201.59.6.247

#Carregando Modulos do Kernel
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ip_tables
/sbin/modprobe ipt_length
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_state
#/sbin/modprobe ipt_unclean

#Variaveis para Regras

#Portas
TROJAN_PTCP="12345,12346"
TROJAN_PUDP="27444,31335"

#Redes
LAN_LO="127.0.0.1"
LAN_EXT="201.59.6.242"
LAN_INT="192.168.0.0/24"
LAN_DMZ="172.16.32.0/24"
LAN_RADIO="200.222.6.128/25"

#Dispositivos de rede
INT_EXT="eth0"
INT_INT="eth2"
INT_DMZ="eth3"
INT_RADIO="eth1"
INT_LO="lo"

#IP's Validos
FW_EXTIP="201.59.6.242"
FW_INTIP="192.168.0.254"
FW_DMZIP="172.16.32.254"
FW_RADIOIP="10.10.10.1"
HTTP_EXTIP="201.59.6.243"
HTTP_DMZIP="172.16.32.1"
NETTEC="200.166.203.195"
IGOR="200.222.6.130"
IGOR_NOTE="200.222.6.250"
IGOR_IDM="192.168.0.10"
AP_TV="200.222.6.252"
AP_CRUZ="200.222.6.251"

#--------------------------------------------------------------------------
#Habilita rota para a rede Wireless
route add -net 200.222.6.128 netmask 255.255.255.128 gw 10.10.10.2

#Protecoes do Kernel
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Apaga as regras
iptables -X
iptables -F
iptables -t nat -F
iptables -t nat -X

# Bloqueia todo o trafego (Fecha tudo)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Habilita o StateFull Inspection
iptables -N ALLOWED
iptables -A ALLOWED -p tcp --syn -m state --state NEW -j ACCEPT
iptables -A ALLOWED -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ALLOWED -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A ALLOWED -p tcp -j DROP

#Suporte NETTEC
iptables -A INPUT -s $NETTEC -d $FW_EXTIP -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -d $NETTEC -s $FW_EXTIP -p tcp -m multiport --sport 22 -j ACCEPT

#Igor Casa
iptables -A INPUT -s $IGOR -d $FW_EXTIP -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -d $IGOR -s $FW_EXTIP -p tcp -m multiport --sport 22 -j ACCEPT

#Igor Note
iptables -A INPUT -s $IGOR_NOTE -d $FW_EXTIP -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -d $IGOR_NOTE -s $FW_EXTIP -p tcp -m multiport --sport 22 -j ACCEPT

#Igor Casa
iptables -A INPUT -s $IGOR_IDM -d $FW_EXTIP -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -d $IGOR_IDM -s $FW_EXTIP -p tcp -m multiport --sport 22 -j ACCEPT

#SSH para os radios
iptables -A INPUT -s $FW_RADIOIP -d $AP_TV -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -d $FW_RADIOIP -s $AP_TV -p tcp -m multiport --sport 22 -j ACCEPT

iptables -A INPUT -s $FW_RADIOIP -d $AP_CRUZ -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -d $FW_RADIOIP -s $AP_CRUZ -p tcp -m multiport --sport 22 -j ACCEPT

#Bloqueia os Trojans
iptables -A INPUT -p tcp -i $INT_EXT -m multiport --dport 666 -j DROP
iptables -A INPUT -p udp -i $INT_EXT -m multiport --dport 666 -j DROP
iptables -A INPUT -p tcp -i $INT_EXT -m multiport --dport 4000 -j DROP
iptables -A INPUT -p udp -i $INT_EXT -m multiport --dport 4000 -j DROP
iptables -A INPUT -p tcp -i $INT_EXT -m multiport --dport 5190 -j DROP
iptables -A INPUT -p udp -i $INT_EXT -m multiport --dport 5190 -j DROP

iptables -A INPUT -p tcp -i $INT_EXT -m multiport --dport $TROJAN_PTCP -j DROP
iptables -A INPUT -p udp -i $INT_EXT -m multiport --dport $TROJAN_PUDP -j DROP

#Bloqueia SYN-FLOOD
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Pacote # SYN:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#Habilita o Loopback
iptables -A INPUT -i $INT_LO -j ACCEPT
iptables -A FORWARD -i $INT_LO -j ACCEPT

#----------------------------------------------------------------------

# ******* SNAT *******

### Habilita NAT
iptables -t nat -A POSTROUTING -s $LAN_INT -d ! $LAN_INT -j SNAT --to-source $FW_EXTIP
iptables -t nat -A POSTROUTING -s $LAN_DMZ -d ! $LAN_DMZ -j SNAT --to-source $HTTP_EXTIP

# ******* FIM SNAT *******

# ******* DNAT *******

### Habilita DNAT
#iptables -t nat -A PREROUTING -i $INT_RADIO -p tcp -m multiport --dport 20,21,80,443 -j DNAT --to-destination $FW_EXTIP:8080
iptables -t nat -A PREROUTING -d $HTTP_EXTIP -p tcp -m multiport --dport 20,21,25,80,110,443 -j DNAT --to-destination $HTTP_DMZIP

# ******* FIM DNAT *******

#DNAT
#iptables -t nat -A PREROUTING -s ! $LAN_LAB -d $FW_EXTIP -p tcp -m multiport --dport 1719,1720,1721,1722,1723,1724,1725,1726,1727 -j DNAT --to-destination 10.0.4.250
#iptables -t nat -A PREROUTING -s ! $LAN_LAB -d $FW_EXTIP -p tcp -m multiport --dport 1728,1729,1730,1731,1732,1733,1734,1735,1736 -j DNAT --to-destination 10.0.4.250
#iptables -t nat -A PREROUTING -s ! $LAN_LAB -d $FW_EXTIP -p tcp -m multiport --dport 1737,1738,1739,1740,1741,1742,1743,1744,1745 -j DNAT --to-destination 10.0.4.250
#iptables -t nat -A PREROUTING -s ! $LAN_LAB -d $FW_EXTIP -p tcp -m multiport --dport 1746,1747,1748,1749,1750,23 -j DNAT --to-destination 10.0.4.250

#iptables -t nat -A PREROUTING -s ! $LAN_LAB -d $FW_EXTIP -p udp -m multiport --dport 1719,1720,1721,1722,1723,1724,1725,1726,1727 -j DNAT --to-destination 10.0.4.250
#iptables -t nat -A PREROUTING -s ! $LAN_LAB -d $FW_EXTIP -p udp -m multiport --dport 1728,1729,1730,1731,1732,1733,1734,1735,1736 -j DNAT --to-destination 10.0.4.250
#iptables -t nat -A PREROUTING -s ! $LAN_LAB -d $FW_EXTIP -p udp -m multiport --dport 1737,1738,1739,1740,1741,1742,1743,1744,1745 -j DNAT --to-destination 10.0.4.250
#iptables -t nat -A PREROUTING -s ! $LAN_LAB -d $FW_EXTIP -p udp -m multiport --dport 1746,1747,1748,1749,1750,23 -j DNAT --to-destination 10.0.4.250
#----------------------------------------------------------------------

#Libera Ping
#iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -s 200.222.x.xxx -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A FORWARD -p icmp -j DROP

#Libera os servicos (HTTP,HTTPS,SMTP/POP3,DNS,FTP,VNC)
iptables -A INPUT -p tcp -m multiport --dport 20,21,25,53,80,110,161,443,2631,3456,5900,5017,8013,8017,8080 -j ALLOWED
iptables -A INPUT -p tcp -m multiport --sport 20,21,25,53,80,110,161,443,2631,3456,5900,5017,8013,8017,8080 -j ALLOWED
iptables -A FORWARD -p tcp -m multiport --dport 20,21,25,53,80,110,161,443,2631,3456,5900,5017,8013,8017,8080 -j ALLOWED
iptables -A FORWARD -p tcp -m multiport --sport 20,21,25,53,80,110,161,443,2631,3456,5900,5017,8013,8017,8080 -j ALLOWED

#Radio Valdir
iptables -A INPUT -s 200.222.x.xxx -p tcp --dport 8080 -j DROP
iptables -A INPUT -s 200.222.x.xxx -p tcp --sport 8080 -j DROP
iptables -A INPUT -s 200.222.x.xxx -p udp --dport 8080 -j DROP
iptables -A INPUT -s 200.222.x.xxx -p udp --sport 8080 -j DROP
iptables -A OUTPUT -s 200.222.x.xxx -p tcp --dport 8080 -j DROP
iptables -A OUTPUT -s 200.222.x.xxx -p tcp --sport 8080 -j DROP
iptables -A OUTPUT -s 200.222.x.xxx -p udp --dport 8080 -j DROP
iptables -A OUTPUT -s 200.222.x.xxx -p udp --sport 8080 -j DROP
iptables -A FORWARD -s 200.222.x.xxx -p tcp --dport 8080 -j DROP
iptables -A FORWARD -s 200.222.x.xxx -p tcp --sport 8080 -j DROP
iptables -A FORWARD -s 200.222.x.xxx -p udp --dport 8080 -j DROP
iptables -A FORWARD -s 200.222.x.xxx -p udp --sport 8080 -j DROP

iptables -A INPUT -p udp -m multiport --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m multiport --sport 53 -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -m multiport --sport 53 -j ACCEPT

#Libera os servicos (UOL FONE)
iptables -A INPUT -p tcp -m multiport --dport 5060 -j ALLOWED
iptables -A INPUT -p tcp -m multiport --sport 5060 -j ALLOWED
iptables -A FORWARD -p tcp -m multiport --dport 5060 -j ALLOWED
iptables -A FORWARD -p tcp -m multiport --sport 5060 -j ALLOWED

iptables -A INPUT -p tcp --dport 10000:20000 -j ALLOWED
iptables -A INPUT -p tcp --sport 10000:20000 -j ALLOWED
iptables -A FORWARD -p tcp --dport 10000:20000 -j ALLOWED
iptables -A FORWARD -p tcp --sport 10000:20000 -j ALLOWED

iptables -A INPUT -p udp -m multiport --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m multiport --sport 5060 -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dport 5060 -j ACCEPT
iptables -A FORWARD -p udp -m multiport --sport 5060 -j ACCEPT

iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp --sport 10000:20000 -j ACCEPT
iptables -A FORWARD -p udp --dport 10000:20000 -j ACCEPT
iptables -A FORWARD -p udp --sport 10000:20000 -j ACCEPT

# Regras de OUTPUT
iptables -A OUTPUT -j ACCEPT
p2p
echo "Carregando regras de P2P"
echo "Regras do Firewall carregadas com sucesso !!!"

Estou precisando bloquear a porta 8080 do item em negrito/italico e deixar liberado para o resto mas não estou conseguindo. Alguem pode me ajudar?

**viny_carvalho** · 09-06-2006, 10:22

Saudações Igor,

Que tal tentar algo mais simples ...

iptables -A INPUT -s 200.222.0.0/16 --dport 8080 -j DROP
iptables -A INPUT -s 200.222.0.0/16 --sport 8080 -j DROP
iptables -A OUTPUT -s 200.222.0.0/16 --dport 8080 -j DROP
iptables -A OUTPUT -s 200.222.0.0/16 --sport 8080 -j DROP
iptables -A FORWARD -s 200.222.0.0/16 --dport 8080 -j DROP
iptables -A FORWARD -s 200.222.0.0/16 --sport 8080 -j DROP

Abraço

Firewall

Ferramentas de Tópicos

Firewall

Re: Firewall