Firewall Wizards mailing list archives

IPtables + PCAnywhere

From: "Wellington Lopes Moraes" <wlopesm () terra com br>
Date: Tue, 4 May 2004 06:35:33 -0400
Hi there! I´m beginning to work with iptables and I got a big problem...

I have the following situation:

- A server with 2 network interfaces (eth0 and eth1) as follows:

LAN_IP="192.168.0.21"
LAN_IFACE="eth0"

INET_IP="192.168.7.106"
INET_IFACE="eth1"

PCANY="192.168.0.32" (computer that have PCAnywhere).

I have 1 computer in the Lan interface that has PCAnywhere installed, and I
need to make sure that this computer can access and be accessed by other
computers via PCAnywhere.

I put the following lines in my iptables script:

iptables -t nat -A PREROUTNING -p tcp -m tcp --dport 5631 -j DNAT
--to-destination $PCANY/32
iptables -t nat -A POSTROUTING -d $PCANY/32 -j MASQUERADE
iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -m state --dport 5631
--syn --state NEW -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

But I keep unable to use this computer with PCAnywhere. Is there any hint to
help me? I attached my script in the message.

Thanks,
Wellington

==========================================================================

#!/bin/sh

echo -e "linha: 09"

#[]-----------------------------------------------------------[]
#[ Rede local                                                  ]
#[]-----------------------------------------------------------[]

PCANY="192.168.0.52"
LAN_IP="192.168.0.21"
LAN_IP_RANGE="192.168.0.0/0"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth0"

#[]-----------------------------------------------------------[]
#[ Localhost                                                   ]
#[]-----------------------------------------------------------[]

LO_IFACE="lo"
LO_IP="127.0.0.1"

#[]-----------------------------------------------------------[]
#[ Internet                                                    ]
#[]-----------------------------------------------------------[]

INET_IP="192.168.7.106"
INET_IFACE="eth1"

#[]-----------------------------------------------------------[]
#[ Outras                                                      ]
#[]-----------------------------------------------------------[]

UNIVERSAL="0.0.0.0/0"

#[]-----------------------------------------------------------[]
#[ Configuracoes Adotadas pelo firewal ( netfilter )           ]
#[]-----------------------------------------------------------[]

LOGLEVEL="7"
LIMITLEVEL="5/minute"
LOG_TARGET="LOG --log-level 7 --log-prefix "

#[]-----------------------------------------------------------[]
#[ IPTables                                                    ]
#[]-----------------------------------------------------------[]

IPTABLES="/sbin/iptables"
echo -e "linha: 60"
#[]-----------------------------------------------------------o]
#[ 2. Modulos que serao carregados                             ]
#[]-----------------------------------------------------------[]

/sbin/depmod -a

echo -e "linha: 70"
# #### Adiciona suporte ao iptables.
# Adcionando os modulos para regras usadas pelo firewall
# como LOG, REJECT and MASQUARADE

/sbin/modprobe  ip_conntrack
/sbin/modprobe  ip_conntrack_ftp
/sbin/modprobe  ip_nat_ftp
/sbin/modprobe  ip_tables
/sbin/modprobe  iptable_filter
/sbin/modprobe  iptable_mangle
/sbin/modprobe  iptable_nat
/sbin/modprobe  ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#[]-----------------------------------------------------------[]
#[ 3. Servicos                                                 ]
#[]-----------------------------------------------------------[]
echo -e "linha: 85"
# #### Desabilitando o ping
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# #### Desabilitando resposta a broadcast ICMP
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# #### Desabilitando redirecionamento de ICMP
for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo "0" > $file
done

# #### Habilitando protecao de mensagens de bad error
  echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# #### Habilitando Log de pacotes spoofed
for file in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo "1" > $file
done

# #### Desliga o filtro contra pacotes de ip's marcianos
# obs : isto eh feito por causa do esquema de rotea-
# mento adotado entre o [link-adsl-intranet]
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 0 > $file
done

# #### Habilitando o ip forward
# Permite que pacotes sejam repassados para a 
# rede interna.
  echo "1" > /proc/sys/net/ipv4/ip_forward

echo -e "linha: 114"
#[]-----------------------------------------------------------[]
#[ 4. Regras do Iptables                                       ]
#[ Seta as Regras padrao de INPUT, FORWARD e OUTPUT.           ]
#[]-----------------------------------------------------------[]

# #### Limpando qualquer regra anterior
# --> Elimina regras default <--
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# --> Elimina regras criadas <--
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X


# #### Adicionando regras padrao
# Com estas linha informamos ao iptables que TODOS
# os pacotes serao descartados. Os pacotes aceitos
# serao definidos abaixo.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#[]-----------------------------------------------------------[]
#[ bad_tcp_packets                                             ]
#[ ---------------                                             ]
#[ Regra adotada para pacotes mal formados                     ]
#[]-----------------------------------------------------------[]

$IPTABLES -N bad_tcp_packets
$IPTABLES -F bad_tcp_packets

# spoofed IP's

# #### Bloqueio para pacotes supeitos
# Nao permite pacotes vindos de redes com enderecos ip's
# invalidos para a internet. Esta verificacao ocorre para 
# todos os pacotes que entram na interfaces do Link 

# ( bloqueia para o link )
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 0.0.0.0/8  -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 1.0.0.0/8  -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 23.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 31.0.0.0/8 -j DROP

#$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 65.0.0.0/8 -j DROP
#$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 66.0.0.0/7 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 68.0.0.0/6 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 75.0.0.0/5 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 80.0.0.0/4 -j DROP

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 128.0.0.0/16    -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 128.9.64.26/32  -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 128.66.0.0/12   -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12   -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 191.255.0.0/16  -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.0.0.0/24    -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.0.1.0/24    -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.0.2.0/24    -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.0.1.0/24    -j DROP
#$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 197.0.0.0/16    -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 197.0.0.0/8     -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 201.0.0.0/8     -j DROP

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 223.255.255.0/24 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 240.0.0.0/5      -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 240.0.0.0/5      -j DROP

#[]-----------------------------------------------------------[]
#[ Bloqueio de derminadas portas perigosas                     ]
#[]-----------------------------------------------------------[]
$IPTABLES -N deny_ports
$IPTABLES -F deny_ports

echo -e "linha: 218"

# #### NFS, X, SMB
$IPTABLES -A deny_ports -p tcp -i ! $LAN_IFACE --dport 137:139 -m limit
--limit $LIMITLEVEL -j $LOG_TARGET "Netbios SRC:"
$IPTABLES -A deny_ports -p tcp -o ! $LAN_IFACE --sport 137:139 -m limit
--limit $LIMITLEVEL -j $LOG_TARGET "Netbios DST:"
$IPTABLES -A deny_ports -p tcp -i ! $LAN_IFACE --dport 137:139 -j REJECT
--reject-with tcp-reset
$IPTABLES -A deny_ports -p tcp -o ! $LAN_IFACE --sport 137:139 -j REJECT
--reject-with tcp-reset

# -----------------------------------------------------------
$IPTABLES -A deny_ports -p tcp --dport 1433 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "MS-SQL DST: "
$IPTABLES -A deny_ports -p tcp --sport 1433 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "MS-SQL SRC: "
$IPTABLES -A deny_ports -p tcp --dport 1433 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --sport 1433 -j REJECT --reject-with
tcp-reset

$IPTABLES -A deny_ports -p tcp --dport 2049 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "NFS DST: "
$IPTABLES -A deny_ports -p tcp --sport 2049 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "NFS SRC: "
$IPTABLES -A deny_ports -p tcp --dport 2049 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --sport 2049 -j REJECT --reject-with
tcp-reset

$IPTABLES -A deny_ports -p udp --dport 2049 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "NFS DST: "
$IPTABLES -A deny_ports -p udp --sport 2049 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "NFS SRC: "
$IPTABLES -A deny_ports -p udp --dport 2049 -j REJECT --reject-with
icmp-host-unreachable
$IPTABLES -A deny_ports -p udp --sport 2049 -j REJECT --reject-with
icmp-host-unreachable

$IPTABLES -A deny_ports -p tcp --dport 5432 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "POSTGRES-SQL DST: "
$IPTABLES -A deny_ports -p tcp --sport 5432 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "POSTGRES-SQL SRC: "
$IPTABLES -A deny_ports -p tcp --dport 5432 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --sport 5432 -j REJECT --reject-with
tcp-reset

$IPTABLES -A deny_ports -p tcp --dport 6000:6063 -m limit --limit
$LIMITLEVEL -j $LOG_TARGET "X Window System DST: "
$IPTABLES -A deny_ports -p tcp --sport 6000:6063 -m limit --limit
$LIMITLEVEL -j $LOG_TARGET "X Window System SRC: "
$IPTABLES -A deny_ports -p tcp --dport 6000:6063 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --sport 6000:6063 -j REJECT --reject-with
tcp-reset


# Regra repedida pois nao posso usar o mport
$IPTABLES -A deny_ports -p tcp --dport 10498 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Mstream DST: "
$IPTABLES -A deny_ports -p tcp --sport 10498 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Mstream SRC: "
$IPTABLES -A deny_ports -p tcp --dport 10498 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --sport 10498 -j REJECT --reject-with
tcp-reset

$IPTABLES -A deny_ports -p tcp --dport 12754 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Mstream DST: "
$IPTABLES -A deny_ports -p tcp --sport 12754 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Mstream SRC: "
$IPTABLES -A deny_ports -p tcp --dport 12754 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --sport 12754 -j REJECT --reject-with
tcp-reset


# -----------------------------------------------------------
## Possivel rpc.statd exploit shell

$IPTABLES -A deny_ports -p tcp --dport 9704 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "rpc.statd(9704) Shell:"
$IPTABLES -A deny_ports -p tcp --sport 9704 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "rpc.statd(9704) Shell:"

$IPTABLES -A deny_ports -p tcp --dport 9704 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --sport 9704 -j REJECT --reject-with
tcp-reset

# -----------------------------------------------------------
## Possivel snmp sploit

$IPTABLES -A deny_ports -p udp --dport 7 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "SNMP SPLOIT:"
$IPTABLES -A deny_ports -p udp --dport 7 -j DROP

# -----------------------------------------------------------
## NetBus e NetBus Pro

$IPTABLES -A deny_ports -p tcp --dport 20034 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "NetBus Pro:"
$IPTABLES -A deny_ports -p tcp --dport 12345:12346 -m limit --limit
$LIMITLEVEL -j $LOG_TARGET "NetBus:"
$IPTABLES -A deny_ports -p tcp --dport 20034 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --dport 12345:12346 -j REJECT --reject-with
tcp-reset

# -----------------------------------------------------------
## Trinoo
$IPTABLES -A deny_ports -p tcp --sport 27665 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Trinoo:"
$IPTABLES -A deny_ports -p tcp --dport 27665 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Trinoo:"
$IPTABLES -A deny_ports -p tcp --sport 27665 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p tcp --dport 27665 -j REJECT --reject-with
tcp-reset

# Regra repedida, pois nao posso usar o mport
$IPTABLES -A deny_ports -p udp --sport 27444 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Trinoo:"
$IPTABLES -A deny_ports -p udp --dport 27444 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Trinoo:"
$IPTABLES -A deny_ports -p udp --sport 27444 -j REJECT --reject-with
icmp-host-unreachable
$IPTABLES -A deny_ports -p udp --dport 27444 -j REJECT --reject-with
icmp-host-unreachable

$IPTABLES -A deny_ports -p udp --sport 31335 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Trinoo:"
$IPTABLES -A deny_ports -p udp --dport 31335 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "Trinoo:"
$IPTABLES -A deny_ports -p udp --sport 31335 -j REJECT --reject-with
icmp-host-unreachable
$IPTABLES -A deny_ports -p udp --dport 31335 -j REJECT --reject-with
icmp-host-unreachable


# -----------------------------------------------------------
## Back Orifice

$IPTABLES -A deny_ports -p tcp --dport 31337 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "BackOrifice-TCP:"
$IPTABLES -A deny_ports -p udp --dport 31337 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "BackOrifice-UDP:"

$IPTABLES -A deny_ports -p tcp --sport 31337 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "BackOrifice-TCP:"
$IPTABLES -A deny_ports -p udp --sport 31337 -m limit --limit $LIMITLEVEL -j
$LOG_TARGET "BackOrifice-UDP:"

$IPTABLES -A deny_ports -p tcp --dport 31337 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p udp --dport 31337 -j REJECT --reject-with
icmp-host-unreachable

$IPTABLES -A deny_ports -p tcp --sport 31337 -j REJECT --reject-with
tcp-reset
$IPTABLES -A deny_ports -p udp --sport 31337 -j REJECT --reject-with
icmp-host-unreachable

#[]-----------------------------------------------------------[]
#[ Regras usadas para permitir netbios                         ]
#[]-----------------------------------------------------------[]

$IPTABLES -N allow_netbios
$IPTABLES -F allow_netbios

# -----------------------------------------------------------
## Permite que maquinas acessem  o servico netbios.

$IPTABLES -A allow_netbios -p tcp --sport 445 -j ACCEPT
$IPTABLES -A allow_netbios -p tcp --dport 445 -j ACCEPT

$IPTABLES -A allow_netbios -p tcp --sport 137:139 -j ACCEPT
$IPTABLES -A allow_netbios -p tcp --dport 137:139 -j ACCEPT

$IPTABLES -A allow_netbios -p udp --sport 137:139 -j ACCEPT
$IPTABLES -A allow_netbios -p udp --dport 137:139 -j ACCEPT

#[]-----------------------------------------------------------[]
#[  Regras de Acesso                                           ]
#[]-----------------------------------------------------------[]

echo -e "linha: 349"

# #### Regras para solitacoes icmp  ####
$IPTABLES -N icmp_packets
$IPTABLES -F icmp_packets

# #### Regras para pacotes tcp ####
# -> Entrando
$IPTABLES -N tcp_packets_in
$IPTABLES -F tcp_packets_in

# <- Saida
$IPTABLES -N tcp_packets_out
$IPTABLES -F tcp_packets_out

# #### Regras para pacotes udp ####
# -> Entrando
$IPTABLES -N udp_packets_in
$IPTABLES -F udp_packets_in

# <- Saida
$IPTABLES -N udp_packets_out
$IPTABLES -F udp_packets_out


# #### Regra para pacotes permitidos - tcp ####
$IPTABLES -N allowed
$IPTABLES -F allowed
# $IPTABLES -A allowed -p TCP --syn -j ACCEPT
# $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# $IPTABLES -A allowed -p TCP -j DROP
$IPTABLES -A allowed -p TCP -j ACCEPT


# #### regras para ICMP ####
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

echo -e "linha: 389"

# #### regras para TCP ####
# -> Trafego de entrada

# [ FTP ]
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --dport 20   -j allowed
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --sport 20   -j allowed

$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --dport 21   -j allowed
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --sport 21   -j allowed

# [ E-MAIL ]
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --dport 25   -j allowed

# [ DNS ]
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --dport 53   -j allowed
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --sport 53   -j allowed

# [ HTTP ]
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --dport 80   -j allowed
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --sport 80   -j allowed

# [ E-MAIL / POP3 ]
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --dport 110  -j allowed
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --sport 110  -j allowed

# [ HTTPS ]
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --dport 443  -j allowed
$IPTABLES -A tcp_packets_in  -p TCP -s $UNIVERSAL --sport 443  -j allowed


#PCANYWHERE

iptables -t nat -A PREROUTNING -p tcp -m tcp --dport 5631 -j DNAT
--to-destination $PCANY/32
iptables -t nat -A POSTROUTING -d $PCANY/32 -j MASQUERADE
iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -m state --dport 5631
--syn --state NEW -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -p udp --dport 5632 -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


# ####
# <- Trafego de saida

# [ FTP ]
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 20   -j allowed
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 20   -j allowed

$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 21   -j allowed
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 21   -j allowed

# [ E-MAIL ]
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 25   -j allowed
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 25   -j allowed

# [ DNS ]
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 53   -j allowed
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 53   -j allowed

# [ HTTP ]
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 80   -j allowed
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 80   -j allowed

# [ E-MAIL / POP3  ]
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 110  -j allowed
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 110  -j allowed

# [ NEWS ]
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 119  -j allowed
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 119  -j allowed

# [ HTTPS  ]
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --dport 443  -j allowed
$IPTABLES -A tcp_packets_out -p TCP -d $UNIVERSAL --sport 443  -j allowed

# #### regras para UDP ####
# -> Trafego de entrada

# [ FTP ]
$IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 20  -j ACCEPT
$IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 21  -j ACCEPT

# [ EMAIL ]
$IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 25  -j ACCEPT

# [ DNS ]
$IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 53  -j ACCEPT

# [ E-MAIL / POP3 ]
$IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 110 -j ACCEPT

# [ HTTPS ]
$IPTABLES -A udp_packets_in -p UDP -s $UNIVERSAL --source-port 443 -j ACCEPT


# <- Trafego de saida

# [ FTP ]
$IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 20  -j ACCEPT
$IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 21  -j ACCEPT

# [ EMAIL ]
$IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 25  -j ACCEPT

# [ DNS ]
$IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 53  -j ACCEPT

# [ HTTPS ]
$IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --dport 443  -j ACCEPT
$IPTABLES -A udp_packets_out -p UDP -d $UNIVERSAL --sport 443  -j ACCEPT


echo -e "linha: 424"

#[]-----------------------------------------------------------[]
#[ Habilita o IP Forwarding para a traducao de endereco com a  ]
#[ rede interna                                                ]
#[]-----------------------------------------------------------[]


# Mascara tudo que sair pela interface da rede
$IPTABLES -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j SNAT --to $INET_IP

# #### Evita Forward de pacotes com solicitacoes para portas negadas
$IPTABLES -A FORWARD -p tcp -j deny_ports

# #### Permitir Netbios ( Acho que nao sera o nosso caso!! )
# $IPTABLES -A FORWARD -p tcp -j allow_netbios

echo -e "linha: 446"

#[]-----------------------------------------------------------[]
#[ Accept the packets we actually want to forward              ]
#[]-----------------------------------------------------------[]


# #### FORWARD de pacotes vindos da internet 
# -> Com origem da internet 
$IPTABLES -A FORWARD -i $INET_IFACE -j ACCEPT

# #### FORWARD de pacotes vindos da intranet
# -> Com origem na rede interna ( com destino ao link )
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j tcp_packets_out
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j udp_packets_out

# -> Maquinas da rede que tem permissao para pacotes icmp ( ping )
# [ SERVIDOR DE EMAIL ]
# $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s 192.168.0.1 -p ICMP
-j ACCEPT
# [ SERVIDOR WEB ]
# $IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s 192.168.0.4 -p ICMP
-j ACCEPT

$IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "IPT FORWARD -
erro : "
# $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD pacote abortado: "

# #### Rejeita todos os pacotes restantes
iptables -A FORWARD -s $UNIVERSAL -d $UNIVERSAL -j DROP

echo -e "linha: 459"

#[]-----------------------------------------------------------[]
#[ Habilita o IP Forwarding para a traducao de endereco com a  ]
#[ rede externa                                                ]
#[]-----------------------------------------------------------[]
# [ PROXY ]
# Forca o usuario a configurar o proxy 
# Obs: redirecionando qualquer conexao com a porta 80 para o porta 3129,
onde esta 
# habilitado um servidor web com uma pagina solitando para fazer a
configuracao.
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT
--to-port 3129

echo -e "linha: 470"

# $IPTABLES -t nat  -A PREROUTING  -j LOG --log-level DEBUG --log-prefix
"PREROUTING: "
# $IPTABLES -t nat  -A PREROUTING  -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "PREROUTING pacote abortado: "

echo -e "linha: 497"

#[]-----------------------------------------------------------[]
#[  Regras de Acesso ( input )                                 ]
#[]-----------------------------------------------------------[]


# $IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "IPT INPUT : "

# #### Elimina pacotes supeitos
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# #### Regras para pacotes vindos da internet
# -> Pelo link
$IPTABLES -A INPUT -p TCP  -i $INET_IFACE -j tcp_packets_in
$IPTABLES -A INPUT -p UDP  -i $INET_IFACE -j udp_packets_in
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p UDP  -i $INET_IFACE -j deny_ports

# #### Regras para redes especiais que nao partem da internet
$IPTABLES -A INPUT -p ALL  -i $LAN_IFACE  -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL  -i $LO_IFACE   -s $LO_IP   -j ACCEPT
$IPTABLES -A INPUT -p ALL  -i $LO_IFACE   -s $LAN_IP  -j ACCEPT
$IPTABLES -A INPUT -p ALL  -i $LO_IFACE   -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL  -i $LAN_IFACE  -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL  -d $INET_IP    -m state --state
ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "IPT INPUT : "
# $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT INPUT pacote abortado: "

echo -e "linha: 537"

#[]-----------------------------------------------------------[]
#[  Regras de Acesso ( output )                                ]
#[]-----------------------------------------------------------[]


# #### Bloqueia para pacotes suspeitos na saida
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Regras de saida para pacotes da rede interna
$IPTABLES -A OUTPUT -p ALL  -s $LAN_IP -j ACCEPT

# Regras de saida para pacotes da rede interna
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# Regra especial de OUTPUT para decidir quais IP's permitir
$IPTABLES -A OUTPUT -p ALL -s $LO_IP   -j ACCEPT

$IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT : "

# #### Loga todos os pacotes que nao estejam definidos acima
# $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT OUTPUT pacote abortado: "

echo -e "linha: 567"

#[]-----------------------------------------------------------[]


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:

IPtables + PCAnywhere Wellington Lopes Moraes (May 04)
- Re: IPtables + PCAnywhere Ionut Boldizsar (May 05)
- <Possible follow-ups>
- RE: IPtables + PCAnywhere Madsen, Villy (May 06)
- RE: IPtables + PCAnywhere Madsen, Villy (May 06)