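#!/bin/bash
#
# Created by David Lujan
#
# Small iptables gateway for a LAN: transparent Squid proxy on port 8081,
# NAT, and per-host HTTPS/MSN restrictions driven by the ACL files under
# /etc/squid/acl (see enable()).
#
# The shebang has to be the very first line of the file. The original put
# it after the author comment, where the kernel does not see it, so the
# script ran under whatever shell the caller used instead of bash.

## Global variables

iptables=/sbin/iptables

## Internal network
LAN_IP="192.168.1.251"   # not referenced on this page; possibly used further down the file
REDE_LAN="eth0"          # LAN-side interface used by the REDIRECT and MASQUERADE rules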

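# _fw_acl_entries FILE
# Print the entries of one ACL file, one per line. A '#' starts a comment
# (the original dropped any line merely *containing* '#', so a trailing
# comment silently disabled an entry); every whitespace-separated token is
# an entry, as the original word-splitting loop did. Tokens that start with
# '-' are refused so a stray line in the file cannot become an iptables
# option. An unreadable file yields nothing and prints a warning.
_fw_acl_entries() {
  local file tok
  file=$1
  if [ ! -r "$file" ]; then
    printf 'firewall: ACL file %s is not readable, skipping\n' "$file" >&2
    return 0
  fi
  awk '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) print $i }' "$file" |
    while IFS= read -r tok; do
      case $tok in
        -*) printf 'firewall: ignoring suspicious ACL entry %s in %s\n' "$tok" "$file" >&2 ;;
        *)  printf '%s\n' "$tok" ;;
      esac
    done
}

# enable
# Load the ruleset. Globals read: iptables, REDE_LAN, and ACL_DIR (optional
# override of the ACL directory; default /etc/squid/acl, which the original
# hard-coded). Side effects: rules are inserted (-I) and appended (-A) to
# filter/FORWARD and to nat PREROUTING/POSTROUTING, and IPv4 forwarding is
# switched on.
#
# NOTE(review): this function never sets a FORWARD policy and never flushes
# before loading. With the ACCEPT policy left behind by disable(), the ACCEPT
# rules below only matter for their position relative to the REJECT rules,
# and every "start" without a "stop" loads the whole set again on top of the
# previous copy; reload with stop+start. Both are left alone here because
# the rest of the file (not visible on this page) may depend on them.
enable () {
  local acl_dir port site entry
  acl_dir=${ACL_DIR:-/etc/squid/acl}

  ## Mail: SMTP on 25 (and 26, presumably a local alternate submission
  ## port - confirm) plus POP3/POP3S are always forwarded.
  for port in 25 26 110 995; do
    $iptables -I FORWARD -p tcp --dport "$port" -j ACCEPT
  done

  ## Hosts that bypass the proxy entirely (kept disabled, as in the original):
  #$iptables -t nat -A PREROUTING -s 192.168.1.79 -p tcp --dport 80 -j ACCEPT
  #$iptables -t nat -A PREROUTING -s 192.168.1.200 -p tcp --dport 80 -j ACCEPT

  ## Reject HTTPS packets carrying these names (SNI / certificate bytes).
  ## Caveat: -m string inspects one packet at a time, with no --from/--to
  ## window and no stream reassembly, so an encrypted ClientHello, a name
  ## split across segments, direct-IP access or a VPN all get through, and
  ## any other port-443 packet that happens to contain the bytes is
  ## rejected as well. This is a deterrent, not an access control.
  for site in facebook twitter youtube; do
    $iptables -I FORWARD -m tcp -p tcp --dport 443 -m string --string "$site" --algo bm -j REJECT
  done

  ## Destinations that must not be sent through Squid: RETURN from nat
  ## PREROUTING before the REDIRECT below. A hostname in -d is resolved once,
  ## when the rule is loaded (one rule per address returned); if DNS is down
  ## at that moment the rule fails to load, and later address changes are
  ## not picked up.
  for entry in \
      80:www.kboing.com.br \
      80:www.ips.gov.py \
      80:servicios.ips.gov.py \
      80:www.informconf.com.py \
      443:www.informconf.com.py \
      80:portal.cnh.com \
      443:portal.cnh.com \
      80:tsje.gov.py; do
    $iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport "${entry%%:*}" -d "${entry#*:}" -j RETURN
  done

  ## Per-IP MSN Messenger block (kept disabled, as in the original; note
  ## that REJECT is a filter-table target and would not load in nat anyway):
  #$iptables -t nat -A PREROUTING -s 192.168.1.165 -p tcp --dport 1863 -j REJECT

  ## Transparent proxy: LAN port-80 traffic is redirected to Squid on 8081.
  ## (The original loaded this rule and the MASQUERADE below twice; the
  ## duplicates are dropped here.)
  $iptables -t nat -A PREROUTING -i "$REDE_LAN" -p tcp --dport 80 -j REDIRECT --to 8081

  ## Masquerade traffic leaving on $REDE_LAN. NOTE(review): REDE_LAN is
  ## declared as the LAN-side interface, so masquerading on -o $REDE_LAN is
  ## only right for a single-NIC box; with a separate WAN interface this
  ## should name that interface instead - confirm.
  $iptables -t nat -A POSTROUTING -o "$REDE_LAN" -j MASQUERADE

  ## "full" hosts: the name-based REJECTs above are overridden for them
  ## (inserted with -I, so they sit ahead of the REJECTs), and MSN (1863)
  ## plus plain 443 are appended as ACCEPT. The original read the same file
  ## in two loops; the resulting chain is identical with one.
  _fw_acl_entries "$acl_dir/full" | while IFS= read -r entry; do
    for site in facebook twitter youtube live; do
      $iptables -I FORWARD -m tcp -p tcp --dport 443 -s "$entry" -m string --string "$site" --algo bm -j ACCEPT
    done
    $iptables -A FORWARD -p tcp --dport 1863 -s "$entry" -j ACCEPT
    $iptables -A FORWARD -p tcp --dport 443 -s "$entry" -j ACCEPT
  done

  ## "limitado" hosts: MSN and 443 accepted, plus a name-match ACCEPT for
  ## 'live' ahead of the REJECTs.
  _fw_acl_entries "$acl_dir/limitado" | while IFS= read -r entry; do
    $iptables -A FORWARD -p tcp --dport 1863 -s "$entry" -j ACCEPT
    $iptables -A FORWARD -p tcp --dport 443 -s "$entry" -j ACCEPT
    $iptables -I FORWARD -m tcp -p tcp --dport 443 -s "$entry" -m string --string 'live' --algo bm -j ACCEPT
  done

  ## "limitadosinmsn" hosts: MSN rejected on 1863 (the matching 'live'
  ## REJECT on 443 stays disabled, as in the original).
  _fw_acl_entries "$acl_dir/limitadosinmsn" | while IFS= read -r entry; do
    $iptables -A FORWARD -p tcp -s "$entry" --dport 1863 -j REJECT
    #$iptables -I FORWARD -m tcp -p tcp --dport 443 -s "$entry" -m string --string 'live' --algo bm -j REJECT
  done

  ## "zero" hosts: MSN rejected on 1863 and, by name match, on 443. This
  ## REJECT is inserted last, so it sits above the 'live' ACCEPTs inserted
  ## for "full" and "limitado": a host listed in both sets is rejected.
  _fw_acl_entries "$acl_dir/zero" | while IFS= read -r entry; do
    $iptables -A FORWARD -p tcp --dport 1863 -s "$entry" -j REJECT
    $iptables -I FORWARD -m tcp -p tcp --dport 443 -s "$entry" -m string --string 'live' --algo bm -j REJECT
  done

  ## Turn on IPv4 forwarding (this is what makes the box route at all).
  ## The stderr redirect comes first so a failed open is reported by the
  ## message below rather than by a raw shell error.
  if ! printf '1\n' 2>/dev/null > /proc/sys/net/ipv4/ip_forward; then
    printf 'firewall: could not enable IPv4 forwarding (not root?)\n' >&2
  fi
}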

# disable
# Tear the ruleset down. Globals read: iptables. Flushes and deletes user
# chains in the filter, nat and mangle tables, then sets the three built-in
# filter policies to ACCEPT. Note that "stop" is therefore not fail-closed:
# forwarding stays enabled (ip_forward is not touched here) and everything
# is accepted until "start" runs again.
disable () {
  local table chain
  for table in filter nat mangle; do
    $iptables -F -t "$table"
    $iptables -X -t "$table"
  done
  for chain in INPUT OUTPUT FORWARD; do
    $iptables -P "$chain" ACCEPT
  done
}
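# Entry point: /etc/init.d/firewall {start|stop|restart}
# "restart" is the safe way to reload, because enable() does not flush
# before adding rules: stop clears the tables, start rebuilds them.
case "$1" in
  start)
    echo "FIREWALL INICIALIZADO"
    enable
    echo "OK........"
    ;;
  stop)
    echo "ENCERRANDO FIREWALL"
    disable
    echo "OK........."
    ;;
  restart)
    echo "REINICIANDO FIREWALL"
    disable
    enable
    echo "OK........"
    ;;
  *)
    echo "Uso: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac

exit 0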
