Recomendados
Más contenido relacionado
Más de Cassio Ramos
Más de Cassio Ramos (20)
Exemplo de Script Iptables
- 1. #### SCRIPT DE REGRAS - FIREWALL #### #!/bin/bash ## ## CARREGANDO MODULOS #/sbin/depmod -a modprobe iptable_nat modprobe ip_tables modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe iptable_filter modprobe ipt_LOG modprobe ipt_limit modprobe ipt_state modprobe ip_nat_ftp ###APAGANDO TODAS AS REGRAS ### /sbin/iptables -F /sbin/iptables -t nat -F ### APLICANDO POLITICAS PADRAO ### # /sbin/iptables -P INPUT DROP /sbin/iptables -P OUTPUT DROP /sbin/iptables -P FORWARD DROP ### Inicio das Regras #### # ### INICIO DAS REGRAS DA CADEIA INPUT #### # /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A INPUT -s 172.16.50.0/24 -p tcp --dport 3128 -j ACCEPT #/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT #/sbin/iptables -A INPUT -p TCP --dport 22 -j ACCEPT #/sbin/iptables -A INPUT -p TCP --dport 80 -j ACCEPT # #/sbin/iptables -A INPUT -s 172.16.50.0/24 -p tcp --dport 22 -j ACCEPT /sbin/iptables -A INPUT -j LOG --log-prefix "INPUT-DROP" # #INICIO DAS REGRAS DA CADEIA OUTPUT /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -s 172.16.49.100 -p tcp --dport 80 -j ACCEPT /sbin/iptables -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP" # ### INICIO DAS REGRAS DA CADEIA FORWARD #### # /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -p icmp -j ACCEPT #/sbin/iptables -A FORWARD -s 10.0.0.2 -d 172.16.50.0/24 -j ACCEPT # #/sbin/iptables -A FORWARD -m state --state INVALID -j DROP #/sbin/iptables -A FORWARD -p tcp -d 172.16.49.165 --syn --dport 80 -j ACCEPT #/sbin/iptables -A FORWARD -p tcp -d 172.16.50.10 --syn --dport 80 -j ACCEPT
- 2. #/sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 172.16.49.165 --syn --dport 80 -j ACCEPT #/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 172.16.49.101 --syn --dport 22 -j ACCEPT #/sbin/iptables -A FORWARD -p tcp -d 172.16.49.101 --dport 3389 -j ACCEPT #/sbin/iptables -A FORWARD -p tcp -d 172.16.50.30 --dport 3389 -j ACCEPT # #/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 172.16.50.0/24 -p tcp --match multiport --dports 21,80,443 -j ACCEPT #/sbin/iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT ### LOG FORWARD ##### /sbin/iptables -A FORWARD -j LOG --log-prefix "FORWARD-DROP" # # # # # # # # ############################# Regras de NAT ENTRADA # # #iptables --list PREROUTING -t nat # #/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 172.16.49.101 --dport 80 -j DNAT --to 172.16.50.10:80 #/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.16.49.101 --dport 3389 -j DNAT --to-destination 172.16.50.30 #/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.16.49.101 -j DNAT --to- destination 172.16.50.30 # ############################# Regra de NAT - SAIDA/MASCARAMENTO - SAIDA # # #/sbin/iptables -t nat -A POSTROUTING -s 172.16.50.10 -j SNAT --to-source 172.16.49.101 #/sbin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o eth0 -j SNAT --to- source 172.16.49.100 # # # #nat dinamico #iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to 200.200.217.40-200.200.217.111 /sbin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -j MASQUERADE # ### FIM DAS REGRAS - FIREWALL ### #/sbin/iptables -A INPUT -s 10.204.144.0/20 -p udp --sport 520 -j ACCEPT
- 3. #/sbin/iptables -A INPUT -p udp --sport 123 -j ACCEPT #/sbin/iptables -A INPUT -p icmp -s 172.16.49.144 -j ACCEPT #/sbin/iptables -A INPUT -p tcp -s 172.16.49.144 --dport 80 -j ACCEPT #/sbin/iptables -A INPUT -p tcp -i $INT -s 200.244.230.216 --dport 22 -j ACCEPT #/sbin/iptables -A INPUT -p tcp -i $INT -s 200.244.230.107 --dport 22 -j ACCEPT #/sbin/iptables -A INPUT -p udp -i $INT -s 200.244.193.176 --sport 53 -j ACCEPT # #/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 172.16.50.2 --syn --dport 22 - m state --state NEW -j ACCEPT