Firewall Wizards mailing list archives
IPtables + PCAnywhere
From: "Wellington Lopes Moraes" <wlopesm () terra com br>
Date: Tue, 4 May 2004 06:35:33 -0400
Hi there! I´m beginning to work with iptables and I got a big problem... I have the following situation: - A server with 2 network interfaces (eth0 and eth1) as follows: LAN_IP="192.168.0.21" LAN_IFACE="eth0" INET_IP="192.168.7.106" INET_IFACE="eth1" PCANY="192.168.0.32" (computer that have PCAnywhere). I have 1 computer in the Lan interface that has PCAnywhere installed, and I need to make sure that this computer can access and be accessed by other computers via PCAnywhere. I put the following lines in my iptables script: iptables -t nat -A PREROUTNING -p tcp -m tcp --dport 5631 -j DNAT --to-destination $PCANY/32 iptables -t nat -A POSTROUTING -d $PCANY/32 -j MASQUERADE iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -m state --dport 5631 --syn --state NEW -j ACCEPT iptables -t filter -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -j ACCEPT iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT But I keep unable to use this computer with PCAnywhere. Is there any hint to help me? I attached my script in the message. Thanks, Wellington ========================================================================== #!/bin/sh echo -e "linha: 09" #[]-----------------------------------------------------------[] #[ Rede local ] #[]-----------------------------------------------------------[] PCANY="192.168.0.52" LAN_IP="192.168.0.21" LAN_IP_RANGE="192.168.0.0/0" LAN_BCAST_ADRESS="192.168.255.255" LAN_IFACE="eth0" #[]-----------------------------------------------------------[] #[ Localhost ] #[]-----------------------------------------------------------[] LO_IFACE="lo" LO_IP="127.0.0.1" #[]-----------------------------------------------------------[] #[ Internet ] #[]-----------------------------------------------------------[] INET_IP="192.168.7.106" INET_IFACE="eth1" #[]-----------------------------------------------------------[] #[ Outras ] #[]-----------------------------------------------------------[] UNIVERSAL="0.0.0.0/0" #[]-----------------------------------------------------------[] #[ Configuracoes Adotadas pelo firewal ( netfilter ) ] #[]-----------------------------------------------------------[] LOGLEVEL="7" LIMITLEVEL="5/minute" LOG_TARGET="LOG --log-level 7 --log-prefix " #[]-----------------------------------------------------------[] #[ IPTables ] #[]-----------------------------------------------------------[] IPTABLES="/sbin/iptables" echo -e "linha: 60" #[]-----------------------------------------------------------o] #[ 2. Modulos que serao carregados ] #[]-----------------------------------------------------------[] /sbin/depmod -a echo -e "linha: 70" # #### Adiciona suporte ao iptables. # Adcionando os modulos para regras usadas pelo firewall # como LOG, REJECT and MASQUARADE /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_LOG #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #[]-----------------------------------------------------------[] #[ 3. Servicos ] #[]-----------------------------------------------------------[] echo -e "linha: 85" # #### Desabilitando o ping echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all # #### Desabilitando resposta a broadcast ICMP echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # #### Desabilitando redirecionamento de ICMP for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo "0" > $file done # #### Habilitando protecao de mensagens de bad error echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # #### Habilitando Log de pacotes spoofed for file in /proc/sys/net/ipv4/conf/*/log_martians; do echo "1" > $file done # #### Desliga o filtro contra pacotes de ip's marcianos # obs : isto eh feito por causa do esquema de rotea- # mento adotado entre o [link-adsl-intranet] for file in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $file done # #### Habilitando o ip forward # Permite que pacotes sejam repassados para a # rede interna. echo "1" > /proc/sys/net/ipv4/ip_forward echo -e "linha: 114" #[]-----------------------------------------------------------[] #[ 4. Regras do Iptables ] #[ Seta as Regras padrao de INPUT, FORWARD e OUTPUT. ] #[]-----------------------------------------------------------[] # #### Limpando qualquer regra anterior # --> Elimina regras default <-- $IPTABLES -F $IPTABLES -t nat -F $IPTABLES -t mangle -F # --> Elimina regras criadas <-- $IPTABLES -X $IPTABLES -t nat -X $IPTABLES -t mangle -X # #### Adicionando regras padrao # Com estas linha informamos ao iptables que TODOS # os pacotes serao descartados. Os pacotes aceitos # serao definidos abaixo. $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP #[]-----------------------------------------------------------[] #[ bad_tcp_packets ] #[ --------------- ] #[ Regra adotada para pacotes mal formados ] #[]-----------------------------------------------------------[] $IPTABLES -N bad_tcp_packets $IPTABLES -F bad_tcp_packets # spoofed IP's # #### Bloqueio para pacotes supeitos # Nao permite pacotes vindos de redes com enderecos ip's # invalidos para a internet. Esta verificacao ocorre para # todos os pacotes que entram na interfaces do Link # ( bloqueia para o link ) $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 0.0.0.0/8 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 1.0.0.0/8 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 23.0.0.0/8 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 31.0.0.0/8 -j DROP #$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 65.0.0.0/8 -j DROP #$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 66.0.0.0/7 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 68.0.0.0/6 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 75.0.0.0/5 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 80.0.0.0/4 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 128.0.0.0/16 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 128.9.64.26/32 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 128.66.0.0/12 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 191.255.0.0/16 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.0.0.0/24 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.0.1.0/24 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.0.2.0/24 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.0.1.0/24 -j DROP #$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 197.0.0.0/16 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 197.0.0.0/8 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 201.0.0.0/8 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 223.255.255.0/24 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 240.0.0.0/5 -j DROP $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 240.0.0.0/5 -j DROP #[]-----------------------------------------------------------[] #[ Bloqueio de derminadas portas perigosas ] #[]-----------------------------------------------------------[] $IPTABLES -N deny_ports $IPTABLES -F deny_ports echo -e "linha: 218" # #### NFS, X, SMB $IPTABLES -A deny_ports -p tcp -i ! $LAN_IFACE --dport 137:139 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Netbios SRC:" $IPTABLES -A deny_ports -p tcp -o ! $LAN_IFACE --sport 137:139 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Netbios DST:" $IPTABLES -A deny_ports -p tcp -i ! $LAN_IFACE --dport 137:139 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp -o ! $LAN_IFACE --sport 137:139 -j REJECT --reject-with tcp-reset # ----------------------------------------------------------- $IPTABLES -A deny_ports -p tcp --dport 1433 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "MS-SQL DST: " $IPTABLES -A deny_ports -p tcp --sport 1433 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "MS-SQL SRC: " $IPTABLES -A deny_ports -p tcp --dport 1433 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --sport 1433 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --dport 2049 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "NFS DST: " $IPTABLES -A deny_ports -p tcp --sport 2049 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "NFS SRC: " $IPTABLES -A deny_ports -p tcp --dport 2049 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --sport 2049 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p udp --dport 2049 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "NFS DST: " $IPTABLES -A deny_ports -p udp --sport 2049 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "NFS SRC: " $IPTABLES -A deny_ports -p udp --dport 2049 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A deny_ports -p udp --sport 2049 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A deny_ports -p tcp --dport 5432 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "POSTGRES-SQL DST: " $IPTABLES -A deny_ports -p tcp --sport 5432 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "POSTGRES-SQL SRC: " $IPTABLES -A deny_ports -p tcp --dport 5432 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --sport 5432 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --dport 6000:6063 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "X Window System DST: " $IPTABLES -A deny_ports -p tcp --sport 6000:6063 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "X Window System SRC: " $IPTABLES -A deny_ports -p tcp --dport 6000:6063 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --sport 6000:6063 -j REJECT --reject-with tcp-reset # Regra repedida pois nao posso usar o mport $IPTABLES -A deny_ports -p tcp --dport 10498 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Mstream DST: " $IPTABLES -A deny_ports -p tcp --sport 10498 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Mstream SRC: " $IPTABLES -A deny_ports -p tcp --dport 10498 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --sport 10498 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --dport 12754 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Mstream DST: " $IPTABLES -A deny_ports -p tcp --sport 12754 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Mstream SRC: " $IPTABLES -A deny_ports -p tcp --dport 12754 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --sport 12754 -j REJECT --reject-with tcp-reset # ----------------------------------------------------------- ## Possivel rpc.statd exploit shell $IPTABLES -A deny_ports -p tcp --dport 9704 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "rpc.statd(9704) Shell:" $IPTABLES -A deny_ports -p tcp --sport 9704 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "rpc.statd(9704) Shell:" $IPTABLES -A deny_ports -p tcp --dport 9704 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --sport 9704 -j REJECT --reject-with tcp-reset # ----------------------------------------------------------- ## Possivel snmp sploit $IPTABLES -A deny_ports -p udp --dport 7 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "SNMP SPLOIT:" $IPTABLES -A deny_ports -p udp --dport 7 -j DROP # ----------------------------------------------------------- ## NetBus e NetBus Pro $IPTABLES -A deny_ports -p tcp --dport 20034 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "NetBus Pro:" $IPTABLES -A deny_ports -p tcp --dport 12345:12346 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "NetBus:" $IPTABLES -A deny_ports -p tcp --dport 20034 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --dport 12345:12346 -j REJECT --reject-with tcp-reset # ----------------------------------------------------------- ## Trinoo $IPTABLES -A deny_ports -p tcp --sport 27665 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Trinoo:" $IPTABLES -A deny_ports -p tcp --dport 27665 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Trinoo:" $IPTABLES -A deny_ports -p tcp --sport 27665 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p tcp --dport 27665 -j REJECT --reject-with tcp-reset # Regra repedida, pois nao posso usar o mport $IPTABLES -A deny_ports -p udp --sport 27444 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Trinoo:" $IPTABLES -A deny_ports -p udp --dport 27444 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Trinoo:" $IPTABLES -A deny_ports -p udp --sport 27444 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A deny_ports -p udp --dport 27444 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A deny_ports -p udp --sport 31335 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Trinoo:" $IPTABLES -A deny_ports -p udp --dport 31335 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "Trinoo:" $IPTABLES -A deny_ports -p udp --sport 31335 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A deny_ports -p udp --dport 31335 -j REJECT --reject-with icmp-host-unreachable # ----------------------------------------------------------- ## Back Orifice $IPTABLES -A deny_ports -p tcp --dport 31337 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "BackOrifice-TCP:" $IPTABLES -A deny_ports -p udp --dport 31337 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "BackOrifice-UDP:" $IPTABLES -A deny_ports -p tcp --sport 31337 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "BackOrifice-TCP:" $IPTABLES -A deny_ports -p udp --sport 31337 -m limit --limit $LIMITLEVEL -j $LOG_TARGET "BackOrifice-UDP:" $IPTABLES -A deny_ports -p tcp --dport 31337 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p udp --dport 31337 -j REJECT --reject-with icmp-host-unreachable $IPTABLES -A deny_ports -p tcp --sport 31337 -j REJECT --reject-with tcp-reset $IPTABLES -A deny_ports -p udp --sport 31337 -j REJECT --reject-with icmp-host-unreachable #[]-----------------------------------------------------------[] #[ Regras usadas para permitir netbios ] #[]-----------------------------------------------------------[] $IPTABLES -N allow_netbios $IPTABLES -F allow_netbios # ----------------------------------------------------------- ## Permite que maquinas acessem o servico netbios. $IPTABLES -A allow_netbios -p tcp --sport 445 -j ACCEPT $IPTABLES -A allow_netbios -p tcp --dport 445 -j ACCEPT $IPTABLES -A allow_netbios -p tcp --sport 137:139 -j ACCEPT $IPTABLES -A allow_netbios -p tcp --dport 137:139 -j ACCEPT $IPTABLES -A allow_netbios -p udp --sport 137:139 -j ACCEPT $IPTABLES -A allow_netbios -p udp --dport 137:139 -j ACCEPT #[]-----------------------------------------------------------[] #[ Regras de Acesso ] #[]-----------------------------------------------------------[] echo -e "linha: 349" # #### Regras para solitacoes icmp #### $IPTABLES -N icmp_packets $IPTABLES -F icmp_packets # #### Regras para pacotes tcp #### # -> Entrando $IPTABLES -N tcp_packets_in $IPTABLES -F tcp_packets_in # <- Saida $IPTABLES -N tcp_packets_out $IPTABLES -F tcp_packets_out # #### Regras para pacotes udp #### # -> Entrando $IPTABLES -N udp_packets_in $IPTABLES -F udp_packets_in # <- Saida $IPTABLES -N udp_packets_out $IPTABLES -F udp_packets_out # #### Regra para pacotes permitidos - tcp #### $IPTABLES -N allowed $IPTABLES -F allowed # $IPTABLES -A allowed -p TCP --syn -j ACCEPT # $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT # $IPTABLES -A allowed -p TCP -j DROP $IPTABLES -A allowed -p TCP -j ACCEPT # #### regras para ICMP #### $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT echo -e "linha: 389" # #### regras para TCP #### # -> Trafego de entrada # [ FTP ] $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --dport 20 -j allowed $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --sport 20 -j allowed $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --dport 21 -j allowed $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --sport 21 -j allowed # [ E-MAIL ] $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --dport 25 -j allowed # [ DNS ] $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --dport 53 -j allowed $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --sport 53 -j allowed # [ HTTP ] $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --dport 80 -j allowed $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --sport 80 -j allowed # [ E-MAIL / POP3 ] $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --dport 110 -j allowed $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --sport 110 -j allowed # [ HTTPS ] $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --dport 443 -j allowed $IPTABLES -A tcp_packets_in -p TCP -s $UNIVERSAL --sport 443 -j allowed #PCANYWHERE iptables -t nat -A PREROUTNING -p tcp -m tcp --dport 5631 -j DNAT --to-destination $PCANY/32 iptables -t nat -A POSTROUTING -d $PCANY/32 -j MASQUERADE iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -m state --dport 5631 --syn --state NEW -j ACCEPT iptables -t filter -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -j ACCEPT iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # #### # <- Trafego de saida # [ FTP ] $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 20 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 20 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 21 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 21 -j allowed # [ E-MAIL ] $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 25 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 25 -j allowed # [ DNS ] $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 53 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 53 -j allowed # [ HTTP ] $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 80 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 80 -j allowed # [ E-MAIL / POP3 ] $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 110 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 110 -j allowed # [ NEWS ] $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 119 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 119 -j allowed # [ HTTPS ] $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 443 -j allowed $IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 443 -j allowed # #### regras para UDP #### # -> Trafego de entrada # [ FTP ] $IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 20 -j ACCEPT $IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 21 -j ACCEPT # [ EMAIL ] $IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 25 -j ACCEPT # [ DNS ] $IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 53 -j ACCEPT # [ E-MAIL / POP3 ] $IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 110 -j ACCEPT # [ HTTPS ] $IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 443 -j ACCEPT # <- Trafego de saida # [ FTP ] $IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 20 -j ACCEPT $IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 21 -j ACCEPT # [ EMAIL ] $IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 25 -j ACCEPT # [ DNS ] $IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 53 -j ACCEPT # [ HTTPS ] $IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 443 -j ACCEPT $IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --sport 443 -j ACCEPT echo -e "linha: 424" #[]-----------------------------------------------------------[] #[ Habilita o IP Forwarding para a traducao de endereco com a ] #[ rede interna ] #[]-----------------------------------------------------------[] # Mascara tudo que sair pela interface da rede $IPTABLES -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j SNAT --to $INET_IP # #### Evita Forward de pacotes com solicitacoes para portas negadas $IPTABLES -A FORWARD -p tcp -j deny_ports # #### Permitir Netbios ( Acho que nao sera o nosso caso!! ) # $IPTABLES -A FORWARD -p tcp -j allow_netbios echo -e "linha: 446" #[]-----------------------------------------------------------[] #[ Accept the packets we actually want to forward ] #[]-----------------------------------------------------------[] # #### FORWARD de pacotes vindos da internet # -> Com origem da internet $IPTABLES -A FORWARD -i $INET_IFACE -j ACCEPT # #### FORWARD de pacotes vindos da intranet # -> Com origem na rede interna ( com destino ao link ) $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j tcp_packets_out $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j udp_packets_out # -> Maquinas da rede que tem permissao para pacotes icmp ( ping ) # [ SERVIDOR DE EMAIL ] # $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s 192.168.0.1 -p ICMP -j ACCEPT # [ SERVIDOR WEB ] # $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s 192.168.0.4 -p ICMP -j ACCEPT $IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "IPT FORWARD - erro : " # $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD pacote abortado: " # #### Rejeita todos os pacotes restantes iptables -A FORWARD -s $UNIVERSAL -d $UNIVERSAL -j DROP echo -e "linha: 459" #[]-----------------------------------------------------------[] #[ Habilita o IP Forwarding para a traducao de endereco com a ] #[ rede externa ] #[]-----------------------------------------------------------[] # [ PROXY ] # Forca o usuario a configurar o proxy # Obs: redirecionando qualquer conexao com a porta 80 para o porta 3129, onde esta # habilitado um servidor web com uma pagina solitando para fazer a configuracao. $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3129 echo -e "linha: 470" # $IPTABLES -t nat -A PREROUTING -j LOG --log-level DEBUG --log-prefix "PREROUTING: " # $IPTABLES -t nat -A PREROUTING -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "PREROUTING pacote abortado: " echo -e "linha: 497" #[]-----------------------------------------------------------[] #[ Regras de Acesso ( input ) ] #[]-----------------------------------------------------------[] # $IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "IPT INPUT : " # #### Elimina pacotes supeitos $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # #### Regras para pacotes vindos da internet # -> Pelo link $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets_in $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets_in $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j deny_ports # #### Regras para redes especiais que nao partem da internet $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "IPT INPUT : " # $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT pacote abortado: " echo -e "linha: 537" #[]-----------------------------------------------------------[] #[ Regras de Acesso ( output ) ] #[]-----------------------------------------------------------[] # #### Bloqueia para pacotes suspeitos na saida $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # Regras de saida para pacotes da rede interna $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT # Regras de saida para pacotes da rede interna $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT # Regra especial de OUTPUT para decidir quais IP's permitir $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT : " # #### Loga todos os pacotes que nao estejam definidos acima # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT pacote abortado: " echo -e "linha: 567" #[]-----------------------------------------------------------[] _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- IPtables + PCAnywhere Wellington Lopes Moraes (May 04)
- Re: IPtables + PCAnywhere Ionut Boldizsar (May 05)
- <Possible follow-ups>
- RE: IPtables + PCAnywhere Madsen, Villy (May 06)
- RE: IPtables + PCAnywhere Madsen, Villy (May 06)