PROXY TRANSPARENTE

Iniciado por tecno_tiago, 22 de Novembro de 2005, 12:48

tópico anterior - próximo tópico

tecno_tiago

olá amigos, ja tentei de tudo mas não consigo fazer proxy tranparente em minha rede, estou mandando meu firewall para voçês revisarem e ver se tem algo de errado.
echo carregando os modulos
modprobe ip_tables
modprobe iptable_nat

echo resetando regras
iptables -F
iptables -t nat -F
iptables -Z

echo fechando FORWARD
iptables -A FORWARD -j DROP

echo protege contra pacotes mal formados
iptables -A FORWARD -m unclean -j DROP

echo Protege contra os "Ping of Death"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

echo Protege contra os ataques do tipo "Syn-flood, DoS, etc"
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT

echo Permitir repassamento NAT DNAT SNAT de pacotes etabilizados e os relatados
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo protege contra port scanners avançados
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

echo Protege contra pacotes que podem procurar e obter informações da rede interna ...
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK -j DROP

echo Bloqueando traceroute
iptables -A INPUT -p udp -s 0/0 -i wlan0 --dport 33435:33525 -j DROP

echo Protecoes contra ataques
iptables -A INPUT -m state --state INVALID -j DROP

echo Performance - Setando acesso a web com delay minimo
iptables -t mangle -A OUTPUT -o wlan0  -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
iptables  -t mangle -A OUTPUT -o wlan0 -p tcp --dport 80 -j TOS --set-tos Minimize-Delay

echo Deixa passar as portas UDP do servidores DNS, e Rejeitar o restante
iptables -A INPUT -i wlan0 -p udp -s x.x.x.x -j ACCEPT
iptables -A INPUT -i wlan0 -p udp -s x.x.x.x -j ACCEPT
iptables -A INPUT -i wlan0 -p udp -s x.x.x.x -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 192.168.0.0 -j ACCEPT
iptables -A INPUT -i wlan0 -p udp -j REJECT

echo libera acesso interno da rede
iptables -A INPUT -p tcp --syn -s 192.168.0.0 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s 192.168.0.0 -j ACCEPT
iptables -A FORWARD -p tcp --syn -s 192.168.0.0 -j ACCEPT
iptables -A INPUT -p tcp --syn -i wlan0 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -o wlan0 -j ACCEPT
iptables -A FORWARD -p tcp --syn -i wlan0 -j ACCEPT

echo libera o loopback
iptables -A OUTPUT -p tcp --syn -s 127.0.0.1/8 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 127.0.0.1/8 -j ACCEPT

echo libera conexoes de fora pra dentro
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 1181 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j REJECT

echo de dentro pra fora
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1181 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 23 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 10000 -j ACCEPT


echo libera o bittorrent
iptables -A INPUT -p tcp --dport 1214 -j ACCEPT
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 1214 -j DNAT --to-dest 192.168.0.0
iptables -A FORWARD -p tcp -i wlan0 --dport 1214 -d 192.168.0.0 -j ACCEPT
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 1214 -j DNAT --to-dest 192.168.0.0
iptables -A FORWARD -p udp -i wlan0 --dport 1214 -d 192.168.0.0 -j ACCEPT
iptables -A FORWARD -p tcp -i wlan0 --dport 6881:6889 -j ACCEPT
iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6881:6889 -j ACCEPT

echo faz o icq receber arquivos
iptables -A INPUT -p tcp --dport 2000:3000 -j ACCEPT
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 2000:3000 -j DNAT --to-dest 192.168.0.0
iptables -A FORWARD -p tcp -i wlan0 --dport 2000:3000 -d 192.168.0.0 -j ACCEPT
iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 2000:3000 -j DNAT --to-dest 192.168.0.0
iptables -A FORWARD -p udp -i wlan0 --dport 2000:3000 -d 192.168.0.0 -j ACCEPT

echo libera mirc
iptables -A FORWARD -i wlan0 -p tcp --dport 6660:6669 -j ACCEPT
iptables -A INPUT -p tcp --dport 6660:6669 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6660:6669 -j ACCEPT
iptables -A INPUT -p udp --dport 113 -j ACCEPT
iptables -A OUTPUT -p udp --sport 113 -j ACCEPT

echo mascarando ips liberados
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o wlan0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

echo messenger aceitar arquivos
iptables -A INPUT -p tcp --dport 1863 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1863 -j ACCEPT
iptables -A INPUT -p udp --dport 5190:6901 -j ACCEPT
iptables -A OUTPUT -p udp --sport 5190:6901 -j ACCEPT
iptables -A INPUT -p tcp --dport 6891:6900 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 6891:6900 -j ACCEPT
iptables -A INPUT -p tcp --dport 6901 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 6901 -j ACCEPT

echo liberando vnc
iptables -A INPUT -p tcp --dport 5500 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5500 -j ACCEPT
iptables -A INPUT -p tcp --dport 5800 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5800 -j ACCEPT
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5900 -j ACCEPT

echo liberando kazaa e e-mule
iptables -A INPUT -p tcp -i wlan0 --dport 4661 -j ACCEPT
iptables -A INPUT -p udp -i wlan0 --dport 4661 -j ACCEPT
iptables -A OUTPUT -p tcp -o wlan0 --dport 4661 -j ACCEPT
iptables -A OUTPUT -p udp -o wlan0 --dport 4661 -j ACCEPT
iptables -A INPUT -p tcp -i wlan0 --dport 1572 -j ACCEPT
iptables -A INPUT -p udp -i wlan0 --dport 1572 -j ACCEPT
iptables -A OUTPUT -p tcp -o wlan0 --dport 1572 -j ACCEPT
iptables -A OUTPUT -p udp -o wlan0 --dport 1572 -j ACCEPT

echo proxy tranparente
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

echo bloqueando udps
iptables -A INPUT -i wlan0 -p udp --dport 0:30000 -j DROP

echo bloqueia tudo
iptables -A INPUT -p tcp --syn -j DROP

echo negando pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

desde ja agradeço a atenção.