[Bug 821] New: Rosa
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Tue May 21 20:41:54 CEST 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=821
Summary: Rosa
Product: iptables
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: andoandre at gmail.com
Estimated Hours: 0.0
#!/bin/csh
###############################################################################
# firewall - netfilter based, by infortron
#
# This is a csh script (see the "set name = value" assignments below).  A second
# "#!/bin/bash" shebang used to follow the ip_forward line; to csh it is only a
# comment and has no effect, it is noted here so nobody assumes bash semantics.
###############################################################################
###############################################################################
# enable IPv4 routing on the firewall.
# NOTE(review): forwarding is switched on here, before the tables are flushed
# and before a single rule is loaded, and the FORWARD chain keeps its ACCEPT
# policy for the whole script.  Enabling it after the rules are in place would
# avoid forwarding with an empty rule set during (re)load.
echo 1 > /proc/sys/net/ipv4/ip_forward
# (formerly a stray "#!/bin/bash" line -- ignored by csh)
# "allow martians": disable reverse-path source validation on every interface.
# Kept disabled on purpose: rp_filter is the only anti-spoofing protection this
# host has, since no rule below checks source addresses against interfaces.
# The loop is bash syntax and would not run under csh anyway; the csh form is
#   foreach i (/proc/sys/net/ipv4/conf/*/rp_filter) ... end
#for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
# /usr/bin/echo 0 > $i
# done
###############################################################################
###############################################################################
# load connection tracking and the FTP helpers (control-channel inspection and
# NAT of the data channel).  Module order does not matter: modprobe pulls in
# dependencies.  These are the old ip_* module names; on newer kernels the
# equivalents are nf_conntrack / nf_conntrack_ftp / nf_nat_ftp, and a missing
# name only makes modprobe print an error -- csh carries on with the next line.
foreach mod (ip_conntrack ip_conntrack_ftp ip_nat_ftp)
    modprobe $mod
end
###############################################################################
###############################################################################
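# addresses and trusted networks used by the rules.
# ipexterno / ipinterno: first IPv4 address of the WAN (eth0) and LAN (eth1)
# interfaces.  The original read them with "ifconfig ... | awk '{print $3}'",
# which is locale dependent: the third field is the address only when ifconfig
# prints "inet end.: A.B.C.D" (the Brazilian Portuguese layout) and is the
# broadcast address with the English "inet addr:A.B.C.D" layout.  ip(8) prints
# the same fields in every locale, so the address is taken from it instead.
# Neither variable, nor infortron / infortron2, is referenced by any rule in
# this script (the Infortron addresses are repeated literally in the INPUT
# section); only redeinterna is used.
set ipexterno = `ip -o -4 addr show dev eth0 | awk 'NR == 1 { sub("/.*", "", $4); print $4 }'`
set ipinterno = `ip -o -4 addr show dev eth1 | awk 'NR == 1 { sub("/.*", "", $4); print $4 }'`
set infortron = '189.47.133.38/32'
set infortron2 = '200.211.36.2/32'
set redeinterna = '192.168.0.0/24'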
###############################################################################
###############################################################################
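### flush the existing rules
# NOTE(review): this script never sets a chain policy, so after the flush the
# host accepts everything until the unconditional "-j DROP" at the end of the
# INPUT section is appended.  Setting the INPUT policy to DROP first closes that
# window; in steady state it changes nothing, because INPUT already ends in an
# unconditional DROP.  Existing sessions survive the short reload (TCP simply
# retransmits), but if the script dies before the management accepts are
# appended the box is unreachable until it is re-run from the console.
# FORWARD and OUTPUT are deliberately left on their ACCEPT policy: the FORWARD
# rules below depend on it, and changing it requires deciding which internal
# hosts and port forwards are meant to pass.
iptables -P INPUT DROP
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat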
###############################################################################
###############################################################################
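# anti-DoS rate limits (disabled, as in the original).  Note they target the
# nat table, where ACCEPT only ends nat-chain traversal and never drops a
# packet, so enabling them as written would not limit anything; a rate limit
# belongs in the filter table (INPUT/FORWARD), followed by a DROP.
# ping of death
# iptables -t nat -A PREROUTING -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# syn flood
# iptables -t nat -A PREROUTING -i eth1 -p tcp -m limit --limit 1/s -j ACCEPT
# advanced port scanners (nmap)
# iptables -t nat -A PREROUTING -i eth1 -p tcp --tcp-flags SYN,ACK FIN,RST -m limit --limit 1/s -j ACCEPT
###############################################################################
# Infortron support host, matched by DNS name.  iptables resolves the name once,
# when this line runs: the rule pins whatever the resolver answered (one rule
# per A record) and the line fails if DNS is unavailable at boot.  The rule is
# therefore only as trustworthy as the resolver; a literal address is safer.
iptables -A INPUT -s suporte.infortron.com.br -j ACCEPT
# maintenance host "Andre".  ACCEPT in the nat table only stops this packet
# from traversing the rest of nat PREROUTING (it skips the DNAT rules further
# down); it grants nothing -- access is decided in the filter table.
iptables -t nat -A PREROUTING -s 192.168.0.240 -j ACCEPT
# Google Drive.  This matches a private LAN source arriving on eth0; with eth0
# as the WAN interface (ipexterno is read from eth0 above) such packets should
# not exist -- confirm which interface this was meant for.
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/24 -d clients3.google.com -j ACCEPT
###############################################################################
# management hosts accepted unconditionally (189.47.133.38 is accepted once
# more in the INPUT section below).
iptables -A INPUT -s 187.115.128.180 -j ACCEPT
iptables -A INPUT -s 189.47.133.38 -j ACCEPT
iptables -A INPUT -s 200.211.36.2 -j ACCEPT
# log inbound SYNs on the WAN side.  The original logged every SYN without any
# limit, so a SYN flood or port scan could fill the logs (and the disk).  The
# limit match caps the log rate only; it does not change the packet verdict
# (LOG is non-terminating, the packet continues down the chain either way).
iptables -A INPUT -i eth0 -p tcp --syn -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-syn: "
###############################################################################
# forwarding to Adobe (HTTP only), www.bb.com.br and two further addresses
# (TCP and UDP).  These precede the LAN port 80/443 DROPs appended later, so
# hosts without a proxy exemption still reach these sites directly.  The DNS
# names are resolved at load time, as above.
iptables -A FORWARD -d www.adobe.com -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d get.adobe.com -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d www.bb.com.br -p tcp -j ACCEPT
foreach bbhost (201.76.59.4 201.82.108.8)
    iptables -A FORWARD -d $bbhost -p tcp -j ACCEPT
    iptables -A FORWARD -d $bbhost -p udp -j ACCEPT
end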
###############################################################################
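### INPUT rules (traffic addressed to the firewall itself)
### connections from partner companies
# iptables -A INPUT -s x.y.z.w -j ACCEPT
### loopback
iptables -A INPUT -i lo -j ACCEPT
### GRE forwarded between sites (this is a FORWARD rule; kept where it was)
iptables -A FORWARD -p gre -j ACCEPT
### internal / VPN address ranges.
# 10.0.0.0/24 and 10.0.2.0/24 lie inside 10.0.0.0/16; one rule covers all three
# (every rule between them in the original was an ACCEPT, so nothing changes).
# None of these pins an input interface, so a packet with a spoofed 10.x or
# 192.168.50.x source arriving on eth0 is accepted as well -- this script has no
# anti-spoofing rule.  Adding "-i eth1" is the fix if those ranges only arrive
# via eth1; that could not be confirmed here (they may be PPTP/GRE peers).
iptables -A INPUT -s 10.0.0.0/16 -j ACCEPT
iptables -A INPUT -s 192.168.50.0/24 -j ACCEPT
### TCP 50000 and the PPTP VPN server (TCP 1723 + GRE, protocol 47), open to
### every source.  OUTPUT is never restricted in this script, so the two OUTPUT
### rules are no-ops.  The two "-I" rules put the PPTP matches at the head of
### the chain, ahead of every rule above including the SYN LOG; kept as they
### were so PPTP handshakes are not logged.
iptables -A INPUT -p tcp --dport 50000 -j ACCEPT
iptables -A OUTPUT -p udp --dport 50000 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -j ACCEPT
iptables -A INPUT -p udp --dport 1723 -j ACCEPT
iptables -A OUTPUT -p 47 -j ACCEPT
iptables -I INPUT -p tcp --dport 1723 -i eth0 -j ACCEPT
iptables -I INPUT -p 47 -i eth0 -j ACCEPT
### everything arriving on the LAN interface or from the LAN network
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -s $redeinterna -j ACCEPT
### Infortron management addresses
iptables -A INPUT -s 189.47.133.38 -j ACCEPT
iptables -A INPUT -s 200.148.184.98 -j ACCEPT
iptables -A INPUT -s 201.26.37.248 -j ACCEPT
### ICMP, all types, from anywhere
iptables -A INPUT -p icmp -j ACCEPT
### SSH: dropped for everyone not already accepted above (LAN, VPN ranges and
### the management addresses still get in because their rules come first)
iptables -A INPUT -p tcp --dport 22 -j DROP
### proxy port, not reachable from the Internet
iptables -A INPUT -p tcp --dport 8080 -j DROP
### replies to connections the firewall itself opened, plus helper-tracked
### related flows (FTP data via ip_conntrack_ftp).
# The original accepted ALL TCP and UDP to ports 1024-65535 from any source,
# which exposed every high-port service on this host to the Internet; a state
# match is what that rule was meant to achieve.  Any high-port service that is
# intentionally public must now get its own explicit rule above this line.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# cameras
#iptables -A INPUT -p tcp --dport 14 -j ACCEPT
### drop everything else
iptables -A INPUT -j DROP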
###############################################################################
###############################################################################
### routing between sites (disabled).  ACCEPT in the nat table only ends nat
### traversal for the matching packet; it neither permits nor denies anything.
# iptables -t nat -A PREROUTING -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
###############################################################################
###############################################################################
### encrypted channels and tunnels (disabled examples)
# -> IP Security Protocol (FreeS/WAN IPsec)
# -> IPsec: IP-in-IP encapsulation (tunnel mode)
# -> IPsec: Authentication Header
# -> HMAC-MD5 authentication algorithm (legacy)
# -> HMAC-SHA1 authentication algorithm
# -> IPsec: Encapsulating Security Payload
# -> 3DES encryption algorithm (legacy)
# -> IPsec: IP Compression
# -> IPsec: Debugging Option
# Forwarding ESP/AH from a peer to an internal gateway.  The AH example was
# missing "-s" before the source address.  Note that AH authenticates the
# outer IP header, including the destination address, so DNAT of AH traffic
# fails verification at the receiver; ESP with NAT traversal (UDP 4500) is
# the workable option behind NAT.
# iptables -t nat -A PREROUTING -p esp -s x.y.z.w -j DNAT --to-destination 10.129.2.55
# iptables -t nat -A PREROUTING -p ah -s x.y.z.w -j DNAT --to-destination 10.129.2.55
###############################################################################
###############################################################################
### PREROUTING/POSTROUTING rules
### transparent proxy (disabled).  If this REDIRECT is re-enabled at this
### position it runs before the per-host exemptions below, so every LAN host
### is redirected and the port-80 exemptions never get a chance to match.
#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080
###
### rules for the internal network (permitted services)
# iptables -t nat -A PREROUTING -p icmp -j ACCEPT
### Google Drive.  ACCEPT in nat PREROUTING only ends nat-chain traversal for
### these packets; whether they are forwarded is decided in the filter table.
iptables -t nat -A PREROUTING -m multiport -p tcp -s 192.168.0.0/24 --dport 443,5222 -j ACCEPT
iptables -t nat -A PREROUTING -m multiport -p udp -s 192.168.0.0/24 --dport 443,5222 -j ACCEPT
###
### port forwards from the WAN side.  Any Internet source reaches these: the
### FORWARD chain has no terminal DROP and keeps its ACCEPT policy, so nothing
### in this script filters what a DNAT lets in.  Port 14 is labelled "cameras"
### in the INPUT section; 4899 is by default the Radmin remote-control port,
### published here to 192.168.0.1 with no source restriction -- narrow the
### sources or put it behind the VPN this firewall already terminates.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 14 -j DNAT --to-destination 192.168.0.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3550 -j DNAT --to-destination 192.168.0.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4550 -j DNAT --to-destination 192.168.0.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5550 -j DNAT --to-destination 192.168.0.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6550 -j DNAT --to-destination 192.168.0.3
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4899 -j DNAT --to-destination 192.168.0.1
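### per-host exemptions
# What these do: the FORWARD ACCEPTs let the listed hosts skip the port
# 80/443/1863 DROPs appended further down (FORWARD has no terminal DROP and its
# policy is never changed from ACCEPT, so everything else is forwarded anyway).
# The nat PREROUTING ACCEPTs only end nat-chain traversal for those packets;
# with the transparent-proxy REDIRECT commented out they currently change
# nothing.  MAC matching only works for hosts on the directly attached segment,
# and any host on that segment can copy a listed MAC, so this is a convenience
# list, not access control.
# The original listed the same MAC several times with narrower matches
# ("-p tcp", "-p tcp --dport 80") next to an unconditional ACCEPT for it, and
# repeated several rules verbatim; those are folded into the loops below.  The
# verdict for every packet is unchanged.

# internal hosts exempted by address
foreach host (192.168.0.4 192.168.0.64 192.168.0.88 192.168.0.83)
    iptables -t nat -A PREROUTING -s $host -j ACCEPT
    iptables -A FORWARD -s $host -j ACCEPT
end

# MACs accepted for every protocol in both nat and FORWARD.
# NOTE(review): 88:AE:1B:EA:A2:89 here and 88:AE:1d:EA:A2:89 in the TCP-only
# list further down differ by a single hex digit; one of them is probably a
# typo -- confirm which adapter is real and drop the other entry.
foreach mac (60:EB:69:41:83:E5 4C:0F:6E:29:63:3B 88:AE:1B:EA:A2:89 00:23:15:7b:37:f4)
    iptables -t nat -A PREROUTING -m mac --mac-source $mac -j ACCEPT
    iptables -A FORWARD -m mac --mac-source $mac -j ACCEPT
end

# Rodrigo (four adapters), Vitor wireless, Vitor wired, Edmara (HR):
# TCP only in nat, every protocol in FORWARD
foreach mac (54:53:ED:B6:7C:25 08:3E:8E:D7:51:0F 00:26:22:1F:02:4F 00:90:F5:94:A8:F1 94:39:E5:4D:B9:D5 54:04:A6:A7:85:6E 00:E0:4D:C6:09:E1)
    iptables -t nat -A PREROUTING -p tcp -m mac --mac-source $mac -j ACCEPT
    iptables -A FORWARD -m mac --mac-source $mac -j ACCEPT
end

# TCP only in both nat and FORWARD
foreach mac (8c:a9:82:51:08:3e f0:bf:97:12:41:f3 88:AE:1d:EA:A2:89)
    iptables -t nat -A PREROUTING -p tcp -m mac --mac-source $mac -j ACCEPT
    iptables -A FORWARD -p tcp -m mac --mac-source $mac -j ACCEPT
end

# TCP 2631 from the LAN: nat ACCEPT only, no filter-side effect
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 2631 -j ACCEPT

# destinations masqueraded and forwarded for every source (200.201.174.204 and
# .207 lie inside 200.201.160.0/20; kept so the list matches the original).
# The POSTROUTING rule has no "-o", so it rewrites on every outgoing interface,
# and the FORWARD ACCEPT comes before the LAN port 80/443 DROPs, so every LAN
# host reaches these addresses directly, proxy exemption or not.
foreach dst (200.201.160.0/20 200.201.174.204 200.201.174.207)
    iptables -t nat -A PREROUTING -d $dst -j ACCEPT
    iptables -t nat -A POSTROUTING -d $dst -j MASQUERADE
    iptables -A FORWARD -d $dst -j ACCEPT
end

## Infortron VNC ports from the LAN (nat ACCEPT only)
iptables -t nat -A PREROUTING -m multiport -p tcp -s 192.168.0.0/24 --dport 5959,5960,5961,5962,5963 -j ACCEPT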
### FORWARD restrictions for the LAN.  Appended after the exemptions above, so
### only hosts without an exemption hit them: MSN Messenger (TCP 1863) and
### direct HTTP/HTTPS, which is supposed to go through the proxy.  One
### multiport rule stands in for the three single-port DROPs of the original;
### the verdict is the same.  Only 192.168.0.0/24 is restricted; the
### 192.168.1.0/24 range masqueraded below is not.
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 1863,80,443 -j DROP
#iptables -t nat -A PREROUTING -m multiport -p tcp -s 192.168.0.0/24 --dport 1863 -j DROP
### nat for the two LAN ranges.  MASQUERADE carries no "-o eth0", so LAN
### sources are rewritten on every outgoing interface (tunnels included), not
### only on the WAN side.
foreach lan (192.168.1.0/24 192.168.0.0/24)
    iptables -t nat -A PREROUTING -s $lan -j ACCEPT
    iptables -t nat -A POSTROUTING -s $lan -j MASQUERADE
end
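### inbound RDP (3389) published to 192.168.0.4.
# Exposure note: TCP 3389 (and UDP for three of the ranges) is forwarded to
# 192.168.0.4 for every address in these /8 blocks, which is a large slice of
# the public Internet rather than a set of partner sites, and nothing in
# FORWARD restricts or rate-limits it (the FORWARD policy stays ACCEPT).
# Narrow the sources to the actual peers, or publish RDP only through the PPTP
# VPN this firewall already runs.  "-i eth0" is added so these rules match
# only on the WAN side, consistent with the other DNATs in this script; the
# original matched on any interface.  Order among the rules is irrelevant:
# the matches are disjoint and all rewrite to the same destination.
foreach src (176.0.0.0/8 177.0.0.0/8 178.0.0.0/8 179.0.0.0/8 186.0.0.0/8 187.0.0.0/8 188.0.0.0/8 189.0.0.0/8 200.0.0.0/8 201.0.0.0/8)
    iptables -t nat -A PREROUTING -i eth0 -s $src -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.4
end
foreach src (189.0.0.0/8 200.0.0.0/8 201.0.0.0/8)
    iptables -t nat -A PREROUTING -i eth0 -s $src -p udp --dport 3389 -j DNAT --to-destination 192.168.0.4
end
# second RDP host (disabled): external 3390 -> 192.168.0.1:3389, same exposure
#foreach src (187.0.0.0/8 188.0.0.0/8 189.0.0.0/8 200.0.0.0/8 201.0.0.0/8)
#    iptables -t nat -A PREROUTING -i eth0 -s $src -p tcp --dport 3390 -j DNAT --to-destination 192.168.0.1:3389
#end
#foreach src (189.0.0.0/8 200.0.0.0/8 201.0.0.0/8)
#    iptables -t nat -A PREROUTING -i eth0 -s $src -p udp --dport 3390 -j DNAT --to-destination 192.168.0.1:3389
#end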
###
###############################################################################
### END