in

Iptables – Script completo para rede corporativa incluindo LAN/DMZ e filtro de ATAQUES

IPTABLES uma ferramenta muito útil para todos os administradores de rede

Por muito tempo fiquei procurando scripts de firewall utilizando o IPTABLES para controlar uma rede corporativa. Então, hoje estou publicando um script completo utilizando o IPTABLES, incluindo LAN/DMZ e um excelente filtro de ataques.

Principais características do SCRIPT.

Após muitas pesquisas consegui finalmente criar o script abaixo, onde o administrador poderá facilmente:

  • Redirecionar portas para determinados servidores em sua DMZ;
  • Adicionar novas regras, pois o script está documentando;
  • As regras inclusas neste script já inclui conexões do DNS SERVER, Servidor de EMAIL, VNC, SSH e outras regras que ajudaram muito a administração de tráfego de rede;
  • Filtros prontos contra ataques de DDOS;
  • A cada execusão do script as regras são apagadas e recriadas.

FIREWALL – SCRIPT

Este script foi desenvolvido para distribuições REDHAT/CENTOS e FEDORA, porem é facilmente adaptável a qualquer distribuição alterando a variável $IPTABLES e a localização dos MÓDULOS.

# SCRIPT FIREWALL

# Autor: Adriano Frare

# Versao 1.0

#!/bin/sh

# AUXILIA no DEGUB do script

# Remova o # abaixo para DEBUG

#set -x

lan_ip=”192.168.x.1″
lan_if=”ethX”
lan2_ip=”192.168.4.1″
lan2_if=”ethX”
wan_ip=”IP-PUBLICO-DA-REDE”
wan_if=”ethx ou ppp0″
dmz_ip=”192.168.X.1″
dmz_if=”ethX”
lo_if=”lo”
lo_ip=”127.0.0.1″

dc=”192.168.2.2″
postgresql=”192.168.2.x”
itchief=”192.168.2.10″
mail=”192.168.2.2″
srv025=”192.168.2.x”
ecm=”192.168.2.x”
zimbra=”192.168.2.x”
proxy=”192.168.2.x”
proxyport=”8080″
storage=”192.168.2.x”
vps100=”192.168.2.x”
srv039=”192.168.2.x”

IPTABLES=”/sbin/iptables”

# Module loading

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_contract_ftp
/sbin/modprobe ipt_nat_ftp

# Enable Forwarding

echo “1” > /proc/sys/net/ipv4/ip_forward

# Syn Flood Protection

echo “1” > /proc/sys/net/ipv4/tcp_syncookies

# Flush it before start

$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Set policies

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# LOG
$IPTABLES -t nat -I PREROUTING -j LOG –log-level info –log-prefix “IPTABLES PREROUTING ”
$IPTABLES -t nat -I FORWARD -j LOG –log-level info –log-prefix “IPTABLES FORWARD: ”

# PROTECT RULES

### 1: Drop invalid packets ###
$IPTABLES -t mangle -A PREROUTING -m conntrack –ctstate INVALID -j DROP

### 2: Drop TCP packets that are new and are not SYN ###
$IPTABLES -t mangle -A PREROUTING -p tcp ! –syn -m conntrack –ctstate NEW -j DROP

### 3: Drop SYN packets with suspicious MSS value ###
$IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack –ctstate NEW -m tcpmss ! –mss 536:65535 -j DROP

### 4: Block packets with bogus TCP flags ###
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN FIN,SYN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags FIN,ACK FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,URG URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL ALL -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

### 5: Block spoofed packets ###
$IPTABLES -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
#$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

### 6: Drop ICMP (you usually don’t need this protocol) ###
#$IPTABLES -t mangle -A PREROUTING -p icmp -j DROP

### 7: Drop fragments in all chains ###
#$IPTABLES -t mangle -A PREROUTING -f -j DROP

### 8: Limit connections per source IP ###
$IPTABLES -A INPUT -p tcp -m connlimit –connlimit-above 111 -j REJECT –reject-with tcp-reset

### 9: Limit RST packets ###
$IPTABLES -A INPUT -p tcp –tcp-flags RST RST -m limit –limit 2/s –limit-burst 2 -j ACCEPT
$IPTABLES -A INPUT -p tcp –tcp-flags RST RST -j DROP

### 10: Limit new TCP connections per second per source IP ###
$IPTABLES -A INPUT -p tcp -m conntrack –ctstate NEW -m limit –limit 60/s –limit-burst 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m conntrack –ctstate NEW -j DROP

### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
# Hidden – unlock content above in “Mitigating SYN Floods With SYNPROXY” section

### SSH brute-force protection ###
$IPTABLES -A INPUT -p tcp –dport ssh -m conntrack –ctstate NEW -m recent –set
$IPTABLES -A INPUT -p tcp –dport ssh -m conntrack –ctstate NEW -m recent –update –seconds 60 –hitcount 10 -j DROP

### Protection against port scanning ###
$IPTABLES -N port-scanning
$IPTABLES -A port-scanning -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s –limit-burst 2 -j RETURN
$IPTABLES -A port-scanning -j DROP

############## INPUT chain ################

# Bad TCP packets we don’t want

$IPTABLES -A INPUT -p tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j REJECT –reject-with tcp-reset
$IPTABLES -A INPUT -p tcp ! –syn -m state –state NEW -j DROP

# Loopback

$IPTABLES -A INPUT -p ALL -i $lo_if -s $lo_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $lan_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $wan_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $dmz_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $lan2_ip -j ACCEPT

# Rules for LAN

$IPTABLES -A INPUT -i $lan_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if –dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $lan_if –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $lan_ip -m state –state ESTABLISHED,RELATED -j ACCEPT

#$IPTABLES -A INPUT -p TCP -i $lan_if –dport 80 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $lan_if –dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $lan_if –dport 3128 -j ACCEPT
#$IPTABLES -A INPUT -p ICMP -i $dmz_if –icmp-type echo-request -j ACCEPT
#$IPTABLES -A INPUT -p ICMP -i $lan_if -j ACCEPT
#$IPTABLES -A INPUT -p ALL -d $lan_ip -m state –state ESTABLISHED,RELATED -j ACCEPT

# Rules for LAN2

$IPTABLES -A INPUT -i $lan2_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan2_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan2_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if –dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $lan2_if –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $lan2_ip -m state –state ESTABLISHED,RELATED -j ACCEPT

# Rules for DMZ

$IPTABLES -A INPUT -i $dmz_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $dmz_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $dmz_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if –dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $dmz_if –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $dmz_ip -m state –state ESTABLISHED,RELATED -j ACCEPT

# Rules for WAN

$IPTABLES -A INPUT -p ICMP -i $wan_if –icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $wan_ip -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $wan_if -s $itchief_home –dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 80 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 81 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 54322 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 445 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $wan_if –dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if –sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $wan_if –sport 53 -j ACCEPT

# Log weird packets that don’t match the above.

$IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level info –log-prefix “IPTABLES INPUT blocked: ”

############### FORWARD chain ################

# Bad TCP packets we don’t want

$IPTABLES -A FORWARD -p tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j REJECT –reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp ! –syn -m state –state NEW -j DROP

# Rules for LAN

$IPTABLES -A FORWARD -p ALL -i $lan_if -o $lan_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $lan_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan_if -o $wan_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan_if -o $dmz_if -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p ICMP -i $lan_if -j ACCEPT
#$IPTABLES -A FORWARD -p ALL -i $lan_if -o $lan_if -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 110 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 143 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 25 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 80 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $lan_if -o $dmz_if –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p ICMP -i $lan_if -o $dmz_if -j ACCEPT
##$IPTABLES -A FORWARD -m state –state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if –dport 5190 -j ACCEPT
#$IPTABLES -A FORWARD -p ALL -s $itchief -i $lan_if -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -s $dc -i $lan_if –dport 123 -j ACCEPT

# Rules for LAN2

$IPTABLES -A FORWARD -p ALL -i $lan2_if -o $lan2_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $lan2_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan2_if -o $wan_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan2_if -o $dmz_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Rules for DMZ

$IPTABLES -A FORWARD -p ALL -i $dmz_if -o $dmz_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $dmz_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $dmz_if -o $wan_if -m state –state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $dmz_if -o $dmz_if -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail –dport 123 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $dmz_if -o $lan_if -s $mail –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $dmz_if -o $lan_if -s $mail –sport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail –sport 53 -j ACCEPT

# Rules for WAN

#VPS100 – VNC
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid –dport 5908 -j ACCEPT
#VPS100 – RDP
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $vps100 –dport 3389 -j ACCEPT

# ANDROID
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid –dport 5909 -j ACCEPT
# SSH ZIMBRA
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid –dport 22 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 –dport 21 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 –dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 –dport 1024: -j ACCEPT
$IPTABLES -A FORWARD -p TCP -m tcp -d $dmz_ip –dport 445 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -m tcp -d $postgresql –dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $postgresql –dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $postgresql –dport 5432 -j ACCEPT
$IPTABLES -A FORWARD -p UDP -i $wan_if -d $postgresql –dport 5432 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 –dport 9001 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv039 –dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8080 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8009 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8000 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8443 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm –dport 8005 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $zimbra –dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $zimbra –dport 7071 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $dc –dport 3389 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail –dport 25 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $wan_if -d $mail –dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail –dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m state –state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don’t match the above.

$IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level info –log-prefix “IPTABLES FORWARD blocked: ”

############### NAT table ################

# PROXY HTTP – LAN2
#$IPTABLES -t nat -A PREROUTING -i $lan2_if -p tcp –dport 80 -j DNAT –to-destination $proxy:$proxyport
# HTTPS – LAN2
#$IPTABLES -t nat -A PREROUTING -i $lan2_if -p tcp –dport 443 -j DNAT –to-destination $proxy:$proxyport

#$IPTABLES -t nat -A POSTROUTING -s 192.168.2.1/24 -o $wan_if -j SNAT –to-source $wan_ip
$IPTABLES -t nat -A POSTROUTING -o $wan_if -j MASQUERADE

# VPS100 – VNC
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 5908 -j DNAT –to-destination $unraid:5908
# VPS100 – RDP
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 4389 -j DNAT –to-destination $vps100:3389
# ANDROID
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 5909 -j DNAT –to-destination $unraid:5909
# SSH – UNRAID
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 224 -j DNAT –to-destination $unraid:22

$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 443 -j DNAT –to-destination $dmz_ip:445
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 222 -j DNAT –to-destination $postgresql:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 5432 -j DNAT –to-destination $postgresql:5432
$IPTABLES -t nat -A PREROUTING -p UDP -m udp -d $wan_ip –dport 5432 -j DNAT –to-destination $postgresql:5432
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 2525 -j DNAT –to-destination $zimbra:25
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 7071 -j DNAT –to-destination $zimbra:7071
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 223 -j DNAT –to-destination $ecm:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 225 -j DNAT –to-destination $srv039:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 223 -j DNAT –to-destination $ecm:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8080 -j DNAT –to-destination $ecm:8080
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8009 -j DNAT –to-destination $ecm:8009
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8443 -j DNAT –to-destination $ecm:8443
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8005 -j DNAT –to-destination $ecm:8005
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 8000 -j DNAT –to-destination $ecm:8000
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 2121 -j DNAT –to-destination $srv025:21
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 2120 -j DNAT –to-destination $srv025:20
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 1024:65535 -j DNAT –to-destination $srv025:1024-65535
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip –dport 9001 -j DNAT –to-destination $srv025:9001
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 3777 -j DNAT –to-destination $dc:3389
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 25 -j DNAT –to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 53 -j DNAT –to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p UDP -i $wan_if –dport 53 -j DNAT –to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if –dport 80 -j DNAT –to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $lan_if -d $wan_ip -j DNAT –to-destination $mail
#$IPTABLES -t nat -A OUTPUT -p TCP -d $wan_ip -j DNAT –to-destination $mail

echo “Iptables rules have been reloaded!”

AJUDA

Caso tenha dificuldade com o IPTABLES, abaixo estou incluindo alguns artigos do site SEMPREUPDATE para ajudar na comprensão do script.

Video Aula – Firewall com iptables!

Script pronto para Iptables, ajuste como quiser!

Written by Adriano Frare

Escritor do livro Aplicações Avançadas em LINUX com mais de 20 anos trabalhando com LINUX e UNIX.

Google paga 5 dólares para coletar dados de rostos

Google paga 5 dólares para coletar dados de rostos

Como configurar o Quad 9 DNS no Ubuntu 16.04 e Ubuntu 17.10

Como configurar o Quad 9 DNS no Ubuntu