Problemas com redirecionamento de portas

Iniciado por Lucas Peregrino, 09 de Novembro de 2009, 13:52


Lucas Peregrino

Boa tarde, gente. Estou postando aqui o meu firewall para vocês darem uma olhada, pois não consigo redirecionar as portas para fazer a conexão: libero as portas no meu modem, mas o tráfego não passa pelo servidor. Quem puder dar uma luz, agradeço, pois a minha já queimou. Muito obrigado.
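# Firewall / NAT script for a Linux gateway.
#   eth0 = LAN (192.168.2.0/24)
#   eth1 = uplink towards the modem (see the DNAT and anti-spoof rules below)
# Must run as root: it loads netfilter modules, flushes every table and
# rebuilds the whole rule set from scratch.

## Load netfilter modules
# -------------------------------------------------------
# Legacy 2.6-era module names. If modprobe reports one as missing on a newer
# kernel the functionality is usually built in or auto-loaded by iptables.
# ipt_TTL is included because the mangle rule further down uses '-j TTL'.
for mod in \
    ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
    ipt_LOG ipt_limit ipt_state ipt_REDIRECT ipt_owner ipt_REJECT \
    ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp ipt_TTL; do
  modprobe "$mod"
done

## Flush every table so re-running the script does not stack rules
# -------------------------------------------------------
# filter, nat AND mangle are flushed (rules, counters and user chains);
# flushing only filter leaves the mangle TTL rule and the nat user chains
# behind, and they accumulate on every re-run.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
  iptables -t "$table" -Z
done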

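## Default policies
# -------------------------------------------------------
# Traffic to the box and traffic routed through it is dropped unless a
# later rule accepts it; locally generated traffic is allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## Kernel network settings
# -------------------------------------------------------
ipv4=/proc/sys/net/ipv4

echo 1 > "$ipv4/ip_forward"           # act as a router (required for NAT/DNAT)
echo 1 > "$ipv4/ip_dynaddr"           # rewrite sockets when the uplink address changes (dial-up style links)
echo 1 > "$ipv4/tcp_syncookies"       # survive SYN floods
echo 1 > "$ipv4/conf/all/rp_filter"   # drop packets whose source is not routable back through the same interface

# NOTE(review): proxy ARP on *all* interfaces makes the box answer ARP for
# any routable address on both the LAN and the uplink side — confirm this is
# really needed; normally it is enabled on one interface, if at all.
echo 1 > "$ipv4/conf/all/proxy_arp"

echo 1 > "$ipv4/icmp_echo_ignore_broadcasts"   # do not answer broadcast pings (smurf)
echo 0 > "$ipv4/conf/all/accept_source_route"

# ICMP redirects can rewrite this host's routing table. Refuse them on every
# interface, not only on the uplink: a rogue host on the LAN can send them
# just as easily. The eth1 line is kept for explicitness.
echo 0 > "$ipv4/conf/all/accept_redirects"
echo 0 > "$ipv4/conf/eth1/accept_redirects"
echo 1 > "$ipv4/conf/all/secure_redirects"

echo 1 > "$ipv4/conf/all/log_martians"   # log packets with impossible source addresses

# NOTE(review): with echo requests ignored here the "liberando ping"
# iptables rules further down have no effect; set to 0 if the box should
# answer pings.
echo 1 > "$ipv4/icmp_echo_ignore_all"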

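## ICMP
# -------------------------------------------------------
# All ICMP addressed to the box is accepted here (echo requests are still
# ignored by the icmp_echo_ignore_all sysctl). Pings passing *through* the
# box are rate limited to 10/s; the excess is dropped.
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

## Loopback
# -------------------------------------------------------
# Accept everything on lo: it carries 127.0.0.0/8 and the box's own
# addresses. Matching '-s 127.0.0.1' alone missed the rest of 127/8, and the
# '-s 192.168.1.0 -i lo' / '-s 192.168.2.0 -i lo' rules matched a single host
# address each and never fired.
iptables -A INPUT -i lo -j ACCEPT

## Connection tracking: replies and related traffic
# -------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Redundant with the OUTPUT ACCEPT policy; kept for readability.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# FORWARD: replies for any tracked connection; new connections only from
# the LAN (eth0); from the uplink (eth1) only when the connection was
# DNAT'ed by one of the port-forward rules further down. Accepting NEW from
# every interface would switch FORWARD's DROP policy off entirely.
# If '-m conntrack' is not available on this kernel, replace the last rule
# by one explicit '-i eth1 -d <target> -p tcp --dport <port> -m state
# --state NEW -j ACCEPT' rule per published service.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -m conntrack --ctstate DNAT -j ACCEPT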

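## DNS
# -------------------------------------------------------
#INPUT
# NOTE(review): the next two rules are in INPUT but match a LAN *source*
# with an external *destination*; INPUT only sees packets addressed to this
# box, so unless the box itself holds 200.165.132.147/155 they never match.
# DNS replies to the box are already admitted by ESTABLISHED,RELATED. Kept
# unchanged pending confirmation of the intent (probably '-s <resolver>
# --sport 53').
iptables -A INPUT -p udp -s 192.168.2.0/24 --sport 53 -d 200.165.132.147 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.2.0/24 --sport 53 -d 200.165.132.155 -j ACCEPT
# DNS service on this box, reachable from the LAN only.
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
#FORWARD
# Anything sourced from the LAN may be routed; the per-resolver rules that
# follow are therefore redundant but harmless.
iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.2.0/24 -d 200.165.132.147 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.2.0/24 -d 200.165.132.155 --dport 53 -j ACCEPT
# Replies come *from* port 53; matching '--dport 53' on the return path never
# matched a reply.
iptables -A FORWARD -p udp -s 200.165.132.147 -d 192.168.2.0/24 --sport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.165.132.155 -d 192.168.2.0/24 --sport 53 -j ACCEPT

## DHCP
# -------------------------------------------------------
# DHCP uses UDP 67 (server) / 68 (client); 79 is finger. Client requests
# are broadcast from 0.0.0.0, so match interface and ports rather than a
# source address. Assumes this box (192.168.2.254) runs the DHCP server —
# confirm.
iptables -A INPUT -p udp -i eth0 --sport 68 --dport 67 -j ACCEPT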

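## Ping
# -------------------------------------------------------
# Already covered by the blanket 'INPUT -p icmp -j ACCEPT' above, and echo
# requests are ignored by the kernel while icmp_echo_ignore_all=1. Kept so
# the intent stays visible.
iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 192.168.2.0/24 -d 0/0 -j ACCEPT

## NAT: masquerade everything leaving through the uplink
# -------------------------------------------------------
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

## Transparent proxy: LAN web traffic -> Squid on 3128
# -------------------------------------------------------
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# HTTPS cannot be intercepted by a plain HTTP intercept port: the TLS
# handshake is handed to Squid as if it were HTTP and every https site
# fails. Leave this disabled unless 3128 is an SSL-bump/https_port intercept
# port; port 443 is then simply routed and masqueraded like any other LAN
# traffic.
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

## Close 3129 from localhost
# -------------------------------------------------------
# NOTE(review): loopback traffic is accepted earlier in INPUT, so as ordered
# this rule is never reached.
iptables -A INPUT -m tcp -p tcp -s 127.0.0.1 --dport 3129 -j DROP

## Masquerade the LAN regardless of outgoing interface
# -------------------------------------------------------
# This rule was glued onto the separator line above and therefore never
# executed; it is redundant with the '-o eth1' masquerade, so it stays
# disabled here (a proper comment rather than a broken one).
#iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE

## TTL
# -------------------------------------------------------
# Rewrites the TTL of packets *generated by this box* to 128 on the uplink.
# mangle OUTPUT does not see forwarded LAN packets; use POSTROUTING if those
# were meant to be normalised too.
iptables -t mangle -A OUTPUT -o eth1 -j TTL --ttl-set 128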

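## Web server on this box, from the LAN
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --syn --dport 443 -j ACCEPT

## User chains
# -------------------------------------------------------
# NOTE(review): nothing in this script jumps to these chains; they are
# created but never used.
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets

## LAN -> this box: accept everything
# -------------------------------------------------------
# The script already runs as root (modprobe, /proc writes), so the stray
# 'sudo' that was on the first rule is gone. The last rule accepts all of
# eth0, which makes every later '-i eth0' rule redundant. The '-s
# 192.168.2.0/24' rule has no '-i' and so also admits that source on the
# uplink; the anti-spoof drop for it comes later in INPUT and is therefore
# not reached — rp_filter is what actually protects against that.
iptables -A INPUT -p tcp --syn -i eth0 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT

## Services on this box
# -------------------------------------------------------
# Rules without '-i' also match the uplink (eth1), i.e. the service is
# reachable from outside; the LAN is already fully accepted above, so
# '-i' is the only thing these rules decide. Databases, VNC, SOCKS and RDP
# are administrative/internal services and are scoped to the LAN here.
# The remaining unscoped ports (web, mail, Webmin, SSH, NFe, Caixa, ...)
# are left reachable from the uplink as the original comment intended
# ("inclusive para a Internet") — review each one; anything that should
# not be public gets '-i eth0' like the rules at the end of the list.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # http
iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # https
iptables -A INPUT -p tcp --dport 3129 -j ACCEPT  # Squid
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # labelled "Dyndns" (22 is normally SSH) — confirm
iptables -A INPUT -p tcp --dport 25 -j ACCEPT    # Email
iptables -A INPUT -p tcp --dport 110 -j ACCEPT   # Email
iptables -A INPUT -p tcp --dport 465 -j ACCEPT   # Email
iptables -A INPUT -p tcp --dport 995 -j ACCEPT   # Email
iptables -A INPUT -p tcp --dport 332 -j ACCEPT   # Webmin
iptables -A INPUT -p tcp --dport 6689 -j ACCEPT  # SSH
iptables -A INPUT -p tcp --dport 1863 -j ACCEPT  # Msn
iptables -A INPUT -p tcp --dport 4199 -j ACCEPT  # NFe
iptables -A INPUT -p tcp --dport 5959 -j ACCEPT  # NFe
iptables -A INPUT -p tcp --dport 2006 -j ACCEPT  # COBCaixa
iptables -A INPUT -p tcp --dport 1024 -j ACCEPT  # Caixa
iptables -A INPUT -p tcp --dport 65535 -j ACCEPT # Caixa
iptables -A INPUT -p tcp --dport 3456 -j ACCEPT  # Receitanet
# Internal-only services: LAN side only.
iptables -A INPUT -p tcp -i eth0 --dport 3389 -j ACCEPT  # TServer on this box (the uplink side is DNAT'ed to 192.168.2.253 below)
iptables -A INPUT -p tcp -i eth0 --dport 1080 -j ACCEPT  # Socks
iptables -A INPUT -p tcp -i eth0 --dport 5900 -j ACCEPT  # VNC (by port convention)
iptables -A INPUT -p tcp -i eth0 --dport 5800 -j ACCEPT  # VNC web client (by port convention)
iptables -A INPUT -p tcp -i eth0 --dport 3306 -j ACCEPT  # Mysql
iptables -A INPUT -p tcp -i eth0 --dport 3310 -j ACCEPT  # Mysql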

## Terminal Server (RDP) published through the uplink
# -------------------------------------------------------
# Connections arriving on eth1 for 3389 are rewritten to the internal
# Terminal Server. For the forward to work end to end: (1) the modem must
# forward the port to this box's uplink address, (2) the rewritten packets
# must be accepted in FORWARD, and (3) 192.168.2.253 must use this box as
# its default gateway so the replies are un-NATed on the way back.
iptables --table nat --append PREROUTING --in-interface eth1 --protocol tcp --destination-port 3389 --jump DNAT --to-destination 192.168.2.253:3389

## SSH on this box (port 6689)
# -------------------------------------------------------
iptables --append INPUT --protocol tcp --destination-port 6689 --jump ACCEPT

## SSH published through the uplink
# -------------------------------------------------------
# NOTE(review): 192.168.2.254 looks like this box's own LAN address (see the
# DHCP rule); if so the DNAT is a no-op and the INPUT rule above is what
# admits the connection.
iptables --table nat --append PREROUTING --in-interface eth1 --protocol tcp --destination-port 6689 --jump DNAT --to-destination 192.168.2.254:6689

## Web server in the LAN, published on 192.168.1.253:80
# -------------------------------------------------------
# (This section was labelled "SSH" but forwards HTTP.) It matches on the
# destination address only, so it applies on whichever interface owns
# 192.168.1.253 — presumably eth1, facing the modem.
iptables --table nat --append PREROUTING --destination 192.168.1.253 --protocol tcp --destination-port 80 --jump DNAT --to-destination 192.168.2.55
iptables --append INPUT --protocol tcp --destination-port 80 --in-interface eth0 --jump ACCEPT

## Webmin (332) from the LAN
# -------------------------------------------------------
iptables --append INPUT --in-interface eth0 --protocol tcp --destination-port 332 --jump ACCEPT

## Webmin (332) from the uplink
# -------------------------------------------------------
# NOTE(review): this exposes the administration UI on the uplink side.
iptables --append INPUT --in-interface eth1 --protocol tcp --destination-port 332 --jump ACCEPT

## MySQL from the LAN
# -------------------------------------------------------
iptables --append INPUT --protocol tcp --in-interface eth0 --destination-port 3306 --jump ACCEPT
iptables --append INPUT --protocol tcp --in-interface eth0 --destination-port 3310 --jump ACCEPT

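# NFe (Nota Fiscal Eletronica) hosts
# -------------------------------------------------------
# NOTE(review): the REDIRECT rules in this section match '-i eth1' (the
# uplink) with a public destination; LAN clients' requests enter on eth0,
# so as written these never match. Port-80 traffic from the LAN to these
# hosts is already sent to Squid by the general '-i eth0 --dport 80'
# REDIRECT, so they are left untouched. The '--sport 4199:5656' rules look
# like an attempt at return traffic, which ESTABLISHED,RELATED admits anyway.
iptables -t nat -A PREROUTING -i eth1 -d 200.189.133.249 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.249 --dport 4199:5656 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.249 --sport 4199:5656 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.249 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.189.133.247 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.247 --dport 4199:5656 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.247 --sport 4199:5656 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.189.133.247 --dport 80 -j ACCEPT


## Caixa Economica
# -------------------------------------------------------
# ACCEPT in the nat table ends nat processing for that packet. Inserted at
# the top of PREROUTING, it makes 200.201.174.0/24:80 bypass the Squid
# REDIRECT so this traffic is routed directly instead of proxied.
iptables -t nat -I PREROUTING -i eth0 -p tcp -d 200.201.174.0/24 --dport 80 -j ACCEPT

# NOTE(review): same remark as for NFe — the '-i eth1' REDIRECTs below never
# match; the FORWARD accepts are what matters.
iptables -t nat -A PREROUTING -i eth1 -d 200.201.174.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.201.174.0/24 --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.174.0/24 --sport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.174.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.201.173.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.201.173.0/24 --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.173.0/24 --sport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.173.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.201.166.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.201.166.0/24 --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.166.0/24 --sport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.166.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -d 200.201.162.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I FORWARD -p tcp -i eth0 -d 200.201.162.0/24 --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.162.0/24 --sport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -i eth0 -d 200.201.162.0/24 --dport 80 -j ACCEPT

## Conectividade Social: the whole 200.201.0.0/16 bypasses the proxy
# Opens the entire 200.201 network, which may also let through sites other
# than Caixa.
# -------------------------------------------------------
# Must be *inserted* (-I): appended after the general port-80 REDIRECT it
# was only reached for ports other than 80, so the 200.201.x subnets other
# than the /24 above still went through Squid, contrary to the intent.
iptables -t nat -I PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT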

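## Samba from the uplink
# -------------------------------------------------------
# NetBIOS session is 139/tcp; 138 is the UDP datagram port (it is covered,
# together with 137/udp and 445, by the nat-table drops below).
iptables -A INPUT -p tcp -i eth1 --syn --dport 139 -j DROP
iptables -A INPUT -p tcp -i eth1 --syn --dport 138 -j DROP

# NetBIOS / SMB, every direction
# -------------------------------------------------------
# These sit in the nat table, which only sees the first packet of a
# connection; dropping that packet is enough to block new SMB sessions on
# every interface (no '-i'). Policy like this is normally placed in the
# filter table where it is easier to audit.
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 137 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 138 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 135 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 137 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 138 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 139 -j DROP

## U89 (proxy-bypass tool)
# -------------------------------------------------------
# Inserted at the top of FORWARD: appended at the end it sat behind the
# general FORWARD accepts and was never reached.
iptables -I FORWARD -p tcp --dport 9666 -j DROP

## Multicast
# -------------------------------------------------------
# The multicast range is 224.0.0.0/4 (224.x.x.x - 239.x.x.x); /8 covered
# only 224.x.x.x.
iptables -A INPUT -s 224.0.0.0/4 -d 0/0 -j DROP
iptables -A INPUT -s 0/0 -d 224.0.0.0/4 -j DROP

## NetBus (12345)
# -------------------------------------------------------
# (The section used to be labelled "Back Orifice"; 12345 is NetBus's
# default port, Back Orifice's is 31337, handled below.)
iptables -A INPUT -p tcp -i eth1 --dport 12345 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 12345 -j DROP

## X server from the uplink
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth1 --dport 5999:6003 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 5999:6003 -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 7100 -j DROP

## Back Orifice (31337)
# -------------------------------------------------------
iptables -A INPUT -p tcp -i eth1 --dport 31337 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 31337 -j DROP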

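## Anti-spoofing on the uplink
# -------------------------------------------------------
# Packets entering eth1 must not claim a loopback or private source.
# 172.16.0.0/12 is the full RFC 1918 block (a /16 covered 172.16.x.x only).
# The box's own LAN, 192.168.2.0/24, was missing and is the most valuable
# source to forge. 192.168.0.0/24 is deliberately left at /24: the uplink
# itself appears to sit in 192.168.1.0/24 (see the 192.168.1.253 DNAT
# rule), so widening it to /16 would cut the box off from the modem.
iptables -A INPUT -s 10.0.0.0/8 -i eth1 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i eth1 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i eth1 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i eth1 -j DROP
iptables -A INPUT -s 192.168.2.0/24 -i eth1 -j DROP

## Port scanners, ping of death, DoS, etc.
# -------------------------------------------------------
#INPUT
iptables -A INPUT -m state --state INVALID -j DROP
# (a second INVALID rule with REJECT was unreachable after the DROP above
# and was removed)
#
# Two rules that accepted every TCP and UDP port from 1023 to 65535 on eth1
# were removed: they exposed every high-numbered service on this box
# (MySQL, VNC, RDP, SOCKS, SSH on 6689, ...) to the uplink and made the
# trojan/scanner drops further down unreachable. Replies to outbound
# connections are admitted by ESTABLISHED,RELATED; a published service
# needs its own explicit rule.
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j REJECT   # traceroute probes
# ICMP from the uplink: accept the replies/errors we need, then drop the
# rest. (Ordered accept-then-drop; with the drop first the accepts were
# unreachable. The earlier blanket 'INPUT -p icmp -j ACCEPT' already admits
# all ICMP, so these only take effect if that rule is tightened.)
iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth1 -j ACCEPT
iptables -A INPUT -p icmp -i eth1 -j DROP
iptables -A OUTPUT -p icmp -o eth1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p icmp -j DROP
# Any connection attempt from the uplink not accepted above is dropped.
iptables -A INPUT -i eth1 -p tcp --syn -j DROP

#FORWARD
iptables -A FORWARD -m state --state INVALID -j DROP
# Two rate-limited ACCEPT rules (any TCP at 1/s, any SYN at 1/s) were
# removed: an ACCEPT with a limit is not a protection, it lets one packet
# per second of otherwise unauthorised traffic through FORWARD.
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 135 -i eth1 -j REJECT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# NOTE(review): SYN+ACK is the normal second step of a handshake; this only
# hits packets that were not already accepted as ESTABLISHED above.
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
# Final reject for anything left in FORWARD. (The command name was
# misspelled 'iptabless', so this rule was never installed.)
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable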

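#VALID
# Drops TCP packets with impossible flag combinations (Xmas, Null, SYN+FIN,
# SYN+RST, FIN-only, all-flags probes). The chain was defined but nothing
# jumped to it, so it never ran; it is now inserted at the top of INPUT and
# FORWARD so every TCP packet is checked before any ACCEPT rule.
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
iptables -I INPUT -p tcp -j VALID_CHECK
iptables -I FORWARD -p tcp -j VALID_CHECK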

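# Port scanners
# -------------------------------------------------------
# Log (at most 5/min) and drop TCP probes with bogus flag combinations
# arriving on the uplink.
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 5/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth1 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth1 -j SCANNER

# Trojans
# -------------------------------------------------------
# Log and drop connections to well-known trojan ports on the uplink.
# NOTE(review): if the 'eth1 --dport 1023:65535 ACCEPT' rules are still
# present earlier in INPUT, every jump below on a port above 1023 is
# unreachable. (A duplicated rule for port 666 was removed.)
iptables -N TROJAN
iptables -A TROJAN -m limit --limit 5/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
iptables -A TROJAN -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 666 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 4000 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 6000 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 6006 -j TROJAN
iptables -A INPUT -p tcp -i eth1 --dport 16660 -j TROJAN

# Trinoo (DDoS agent) control ports
# -------------------------------------------------------
iptables -N TRINOO
iptables -A TRINOO -m limit --limit 5/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
iptables -A TRINOO -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 1524 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 27444 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 27665 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 31335 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 34555 -j TRINOO
iptables -A INPUT -p tcp -i eth1 --dport 35555 -j TRINOO

## Reject ident (113) outright
# -------------------------------------------------------
# REJECT rather than DROP so remote mail/IRC servers that probe ident do
# not wait for a timeout before serving us.
iptables -A INPUT -p tcp -i eth1 --dport 113 -j REJECT
iptables -A INPUT -p udp -i eth1 --dport 113 -j REJECT

## Final rule: any remaining TCP connection attempt is dropped
# -------------------------------------------------------
# Redundant with the INPUT DROP policy; kept as an explicit safety net.
iptables -A INPUT -p tcp --syn -j DROP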