Exemplo de Script Iptables


Exemplo de Script Iptables

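  #!/bin/bash
  #### SCRIPT DE REGRAS - FIREWALL ####
  #
  # Packet-filter and NAT rules for a small gateway: internal network
  # 172.16.50.0/24, proxy on tcp/3128 on this host, default policy DROP on all
  # three filter chains, and a MASQUERADE rule for the internal network.
  #
  # Reconstructed from a slide listing in which every line had been collapsed
  # together and some option whitespace lost. Changes relative to that listing:
  #   - the shebang is the first line (it used to follow a comment header, so
  #     the kernel would not have selected bash when the file was executed);
  #   - DROP policies are applied before the tables are flushed, so a reload
  #     never passes through a window with an empty ruleset under a permissive
  #     policy;
  #   - the LOG rules are rate-limited (ipt_limit was already being loaded), so
  #     a packet flood cannot fill the log;
  #   - the UDP/520 INPUT rule that had been appended after the INPUT LOG rule
  #     is placed before it, so accepted packets are no longer logged as
  #     "INPUT-DROP";
  #   - a module that fails to load is reported instead of silently ignored;
  #   - spaces lost in the rendering were restored ("--dport80", "-jDNAT",
  #     "--to-source172..." and similar).
  # Lines marked "(state unclear)" follow a run of "##" in the listing, which
  # could be either an empty comment line plus a commented rule or a separator
  # plus an active rule; they are kept commented here -- confirm against the
  # original file before deploying. Commented rules that reference $INT depend
  # on a variable that is never defined in this script.

  ### CARREGANDO MODULOS
  # ip_conntrack / ipt_state / ip_nat_ftp are legacy module names; on newer
  # kernels the nf_* equivalents are built in or auto-loaded, so a failure here
  # is reported but not fatal.
  #/sbin/depmod -a
  for mod in iptable_nat ip_tables ip_conntrack ip_conntrack_ftp iptable_filter \
             ipt_LOG ipt_limit ipt_state ip_nat_ftp; do
    modprobe "$mod" || printf 'firewall: could not load module %s\n' "$mod" >&2
  done

  ### APLICANDO POLITICAS PADRAO ####
  # Policies first, flush second: the host is closed before the old rules go.
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P OUTPUT DROP
  /sbin/iptables -P FORWARD DROP

  ### APAGANDO TODAS AS REGRAS ###
  /sbin/iptables -F
  /sbin/iptables -t nat -F

  ### Inicio das Regras #####
  ## INICIO DAS REGRAS DA CADEIA INPUT #####
  /sbin/iptables -A INPUT -i lo -j ACCEPT
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Proxy port reachable only from the internal network.
  /sbin/iptables -A INPUT -s 172.16.50.0/24 -p tcp --dport 3128 -j ACCEPT
  #/sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
  #/sbin/iptables -A INPUT -p TCP --dport 22 -j ACCEPT
  #/sbin/iptables -A INPUT -p TCP --dport 80 -j ACCEPT
  #
  # (state unclear)
  #/sbin/iptables -A INPUT -s 172.16.50.0/24 -p tcp --dport 22 -j ACCEPT
  # Moved here from after "FIM DAS REGRAS" in the original listing.
  # NOTE(review): matching on the source port alone lets any host in
  # 10.204.144.0/20 reach any UDP service on this box by sending from port 520;
  # if this is for RIP, add "--dport 520" as well.
  /sbin/iptables -A INPUT -s 10.204.144.0/20 -p udp --sport 520 -j ACCEPT
  # Everything else falls through to the DROP policy; log it, rate-limited
  # (3/min, burst 5 -- a conservative default chosen here, tune as needed).
  /sbin/iptables -A INPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "INPUT-DROP"
  #
  #INICIO DAS REGRAS DA CADEIA OUTPUT
  /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Presumably this host's own external address reaching HTTP on behalf of the
  # proxy -- verify. NOTE(review): no udp/53 is allowed out, so the proxy cannot
  # resolve names unless a resolver runs locally; confirm that is intended.
  /sbin/iptables -A OUTPUT -s 172.16.49.100 -p tcp --dport 80 -j ACCEPT
  /sbin/iptables -A OUTPUT -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "OUTPUT-DROP"

  #### INICIO DAS REGRAS DA CADEIA FORWARD #####
  /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): this forwards every ICMP type in both directions; restrict to
  # the types actually needed if ICMP is not meant to be fully open.
  /sbin/iptables -A FORWARD -p icmp -j ACCEPT
  #/sbin/iptables -A FORWARD -s 10.0.0.2 -d 172.16.50.0/24 -j ACCEPT
  #
  # (state unclear) -- dropping INVALID early is worth enabling either way.
  #/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
  #/sbin/iptables -A FORWARD -p tcp -d 172.16.49.165 --syn --dport 80 -j ACCEPT
  #/sbin/iptables -A FORWARD -p tcp -d 172.16.50.10 --syn --dport 80 -j ACCEPT
  #/sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 172.16.49.165 --syn --dport 80 -j ACCEPT
  #/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 172.16.49.101 --syn --dport 22 -j ACCEPT
  #/sbin/iptables -A FORWARD -p tcp -d 172.16.49.101 --dport 3389 -j ACCEPT
  #/sbin/iptables -A FORWARD -p tcp -d 172.16.50.30 --dport 3389 -j ACCEPT
  #
  # (state unclear)
  #/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 172.16.50.0/24 -p tcp --match multiport --dports 21,80,443 -j ACCEPT
  #/sbin/iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
  ### LOG FORWARD #####
  /sbin/iptables -A FORWARD -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "FORWARD-DROP"

  ####################################
  # Regras de NAT ENTRADA
  ###iptables --list PREROUTING -t nat
  ##
  # (state unclear) -- publishes 172.16.49.101:80 as 172.16.50.10:80; pairs with
  # the SNAT rule in the next section.
  #/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 172.16.49.101 --dport 80 -j DNAT --to 172.16.50.10:80
  #/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.16.49.101 --dport 3389 -j DNAT --to-destination 172.16.50.30
  # NOTE(review): without --dport this would redirect every TCP port of
  # 172.16.49.101 to 172.16.50.30; keep it commented unless that is intended.
  #/sbin/iptables -t nat -A PREROUTING -p tcp -d 172.16.49.101 -j DNAT --to-destination 172.16.50.30

  #############################
  # Regra de NAT - SAIDA/MASCARAMENTO -SAIDA
  ###
  # (state unclear)
  #/sbin/iptables -t nat -A POSTROUTING -s 172.16.50.10 -j SNAT --to-source 172.16.49.101
  #/sbin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o eth0 -j SNAT --to-source 172.16.49.100
  ####nat dinamico
  #iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to 200.200.217.40-200.200.217.111
  # NOTE(review): no "-o" here, so the internal network is masqueraded on every
  # outgoing interface; add "-o eth0" if the external side is eth0 (the
  # commented rules above suggest it is).
  /sbin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -j MASQUERADE
  #### FIM DAS REGRAS - FIREWALL ####

  # The lines below were appended after "FIM DAS REGRAS" in the original listing
  # and are all commented there. If any INPUT rule is enabled it must be placed
  # before the INPUT LOG rule above to avoid misleading "INPUT-DROP" log lines;
  # the $INT variable they use is not defined anywhere in this script.
  #/sbin/iptables -A INPUT -p udp --sport 123 -j ACCEPT
  #/sbin/iptables -A INPUT -p icmp -s 172.16.49.144 -j ACCEPT
  #/sbin/iptables -A INPUT -p tcp -s 172.16.49.144 --dport 80 -j ACCEPT
  #/sbin/iptables -A INPUT -p tcp -i $INT -s 200.244.230.216 --dport 22 -j ACCEPT
  #/sbin/iptables -A INPUT -p tcp -i $INT -s 200.244.230.107 --dport 22 -j ACCEPT
  #/sbin/iptables -A INPUT -p udp -i $INT -s 200.244.193.176 --sport 53 -j ACCEPT
  #
  # (state unclear)
  #/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 172.16.50.2 --syn --dport 22 -m state --state NEW -j ACCEPT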
