
Complete iptables script for a corporate network with LAN/DMZ and attack filtering!

For a long time I looked for firewall scripts using iptables to control a corporate network. So today I am publishing a complete iptables script, including LAN/DMZ and a solid attack filter.

Main features of this complete iptables script

After much research I finally managed to put together the script below, with which the administrator can easily:

  • Forward ports to specific servers in the DMZ;
  • Add new rules, since the script is documented;
  • Use the rules already included, which cover the DNS server, mail server, VNC, SSH and other services and greatly simplify network traffic administration;
  • Rely on ready-made filters against DDoS and scan traffic (bogus TCP flags, spoofed source ranges, per-source connection limits, SYN cookies);
  • Re-run the script at any time: on each run the rules are flushed and recreated.
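The last point cuts both ways: because every run flushes the tables and the INPUT and FORWARD policies are DROP, one wrong interface name in the variables locks you out of a remote box. The wrapper below is an added example, not part of Adriano Frare's script: it snapshots the live rules, runs the firewall script, and restores the snapshot unless the operator confirms within a timeout. The snapshot commands (iptables-save/iptables-restore), the confirmation file and the timeout are assumptions made here and are kept in variables so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original firewall script: apply a firewall
# script with an automatic rollback so that a broken rule file cannot lock
# you out of a remote machine.
# Assumptions (not from the page): the live rules are snapshotted with
# iptables-save / iptables-restore, and the operator confirms a working
# ruleset by creating the file named in $FW_CONFIRM within $FW_TIMEOUT
# seconds. The command names are variables so the logic can be exercised
# without root (the tests replace them with "true").
: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"
: "${FW_CONFIRM:=/run/fw-confirm}"
: "${FW_TIMEOUT:=60}"

# fw_apply_with_rollback SCRIPT
# Returns 0 when the operator confirmed, 1 when the old rules were restored
# after the timeout, 2 when the snapshot failed (nothing applied), and 3 when
# SCRIPT itself failed (old rules restored).
fw_apply_with_rollback() {
    script=$1
    backup=$(mktemp) || return 2
    if ! "$IPTABLES_SAVE" > "$backup"; then
        rm -f "$backup"
        return 2
    fi
    # a stale confirmation from an earlier run must not count
    rm -f "$FW_CONFIRM"
    if ! sh "$script"; then
        "$IPTABLES_RESTORE" < "$backup"
        rm -f "$backup"
        return 3
    fi
    waited=0
    while [ "$waited" -lt "$FW_TIMEOUT" ]; do
        if [ -e "$FW_CONFIRM" ]; then
            rm -f "$backup" "$FW_CONFIRM"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    # nobody confirmed: assume the session is locked out and put the old rules back
    "$IPTABLES_RESTORE" < "$backup"
    rm -f "$backup"
    return 1
}
```

Run it over SSH as `fw_apply_with_rollback /etc/firewall.sh`; if the session still works, `touch /run/fw-confirm` from a second session before the timeout expires. The snapshot covers only the rule tables, not the sysctl settings the script changes (ip_forward, tcp_syncookies), which survive a rollback.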

Complete iptables script

This script was developed for the RedHat/CentOS and Fedora distributions, but it is easily adapted to any distribution by changing the $IPTABLES variable and the location of the MODULES. Before running it, fill in the interface names, the public address and the DMZ host addresses at the top of the script, and keep a console or out-of-band session open: the script flushes every rule and sets the INPUT and FORWARD policies to DROP, so a wrong interface name locks remote sessions out.

#!/bin/sh
# SCRIPT FIREWALL
# Author: Adriano Frare
# Version 1.0

# Helps with DEBUGGING the script: remove the # below to trace every command
#set -x

# Firewall interfaces and addresses (fill in before running)
lan_ip="192.168.x.1"
lan_if="ethX"
lan2_ip="192.168.4.1"
lan2_if="ethX"
wan_ip="PUBLIC-IP-OF-THE-NETWORK"
wan_if="ethX or ppp0"
dmz_ip="192.168.X.1"
dmz_if="ethX"
lo_if="lo"
lo_ip="127.0.0.1"

# Internal hosts that receive forwarded ports (fill in before running)
dc="192.168.2.2"
postgresql="192.168.2.x"
itchief="192.168.2.10"
mail="192.168.2.2"
srv025="192.168.2.x"
ecm="192.168.2.x"
zimbra="192.168.2.x"
proxy="192.168.2.x"
proxyport="8080"
storage="192.168.2.x"
vps100="192.168.2.x"
srv039="192.168.2.x"
# used by the VNC and SSH rules below; without this line those rules run with
# an empty -d argument and fail
unraid="192.168.2.x"

IPTABLES="/sbin/iptables"

# Module loading. Newer kernels name the connection-tracking modules nf_*,
# older ones ip_*: try the current name first, then the old one.
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe nf_conntrack 2>/dev/null || /sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe xt_LOG 2>/dev/null || /sbin/modprobe ipt_LOG
/sbin/modprobe xt_limit 2>/dev/null || /sbin/modprobe ipt_limit
/sbin/modprobe xt_state 2>/dev/null || /sbin/modprobe ipt_state
# FTP helper: tracks the data connection as RELATED. From kernel 4.7 on the
# helper is no longer attached automatically; a "-t raw -j CT --helper ftp"
# rule is needed for it to act.
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp
/sbin/modprobe nf_nat_ftp 2>/dev/null || /sbin/modprobe ip_nat_ftp

# Enable Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Syn Flood Protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Flush it before start
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# LOG (debugging aid). The nat table sees only the first packet of each
# connection and has no FORWARD chain, so the FORWARD log rule lives in the
# filter table. Both are rate-limited so a flood cannot fill syslog.
$IPTABLES -t nat -I PREROUTING -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "IPTABLES PREROUTING: "
$IPTABLES -I FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-level info --log-prefix "IPTABLES FORWARD: "

# PROTECT RULES (mangle PREROUTING runs before the filter chains, so these
# apply both to packets for the firewall and to forwarded packets)

### 1: Drop invalid packets ###
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

### 2: Drop TCP packets that are new and are not SYN ###
$IPTABLES -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

### 3: Drop SYN packets with suspicious MSS value ###
$IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

### 4: Block packets with bogus TCP flags ###
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
$IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

### 5: Block spoofed packets (reserved or non-routable source ranges; the
### private ranges in use inside this network stay commented out) ###
$IPTABLES -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
#$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

### 6: Drop ICMP (you usually don't need this protocol) ###
#$IPTABLES -t mangle -A PREROUTING -p icmp -j DROP

### 7: Drop fragments in all chains ###
#$IPTABLES -t mangle -A PREROUTING -f -j DROP

### 8: Limit connections per source IP ###
$IPTABLES -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

### 9: Limit RST packets ###
$IPTABLES -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
$IPTABLES -A INPUT -p tcp --tcp-flags RST RST -j DROP

### 10: Limit new TCP connections per second ###
# Written as a chain that RETURNs while under the limit and DROPs above it.
# The form "-m limit ... -j ACCEPT" accepts every new TCP connection within
# the rate, on any interface and any port, before the per-port rules below
# are ever reached, which would turn the INPUT DROP policy into ACCEPT for TCP.
# Note that "-m limit" is one global bucket, not a per-source limit; use
# "-m hashlimit --hashlimit-mode srcip" for a real per-source limit.
$IPTABLES -N syn-limit
$IPTABLES -A syn-limit -m limit --limit 60/s --limit-burst 20 -j RETURN
$IPTABLES -A syn-limit -j DROP
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW -j syn-limit

### 11: SYNPROXY on all ports is an alternative to the connection-limiting
### rules above; it is not configured in this script ###

### SSH brute-force protection: more than 10 new connections from one source
### within 60 seconds are dropped ###
$IPTABLES -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
$IPTABLES -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### Protection against port scanning ###
# The chain is defined but nothing jumps to it, so it has no effect; RST
# packets are already rate-limited by rule 9 above, so it is kept for reference.
$IPTABLES -N port-scanning
$IPTABLES -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
$IPTABLES -A port-scanning -j DROP

############## INPUT chain ################

# Bad TCP packets we don't want

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Loopback

$IPTABLES -A INPUT -p ALL -i $lo_if -s $lo_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $lan_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $wan_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $dmz_ip -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $lo_if -s $lan2_ip -j ACCEPT

# Rules for LAN
# The first rule accepts everything arriving on the LAN interface; the
# port-specific rules after it only take effect if that rule is commented out.

$IPTABLES -A INPUT -i $lan_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan_if --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan_if --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan_if --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $lan_if --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $lan_ip -m state --state ESTABLISHED,RELATED -j ACCEPT

#$IPTABLES -A INPUT -p TCP -i $lan_if --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $lan_if --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -i $lan_if --dport 3128 -j ACCEPT
#$IPTABLES -A INPUT -p ICMP -i $dmz_if --icmp-type echo-request -j ACCEPT
#$IPTABLES -A INPUT -p ICMP -i $lan_if -j ACCEPT
#$IPTABLES -A INPUT -p ALL -d $lan_ip -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rules for LAN2 (same pattern: the first rule accepts everything from LAN2)

$IPTABLES -A INPUT -i $lan2_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan2_if --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $lan2_if --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $lan2_if --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $lan2_if --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $lan2_ip -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rules for DMZ
# Accepting everything from the DMZ into the firewall itself gives a
# compromised DMZ host full access to the firewall's services; comment the
# first rule out and rely on the port-specific rules below it.

$IPTABLES -A INPUT -i $dmz_if -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $dmz_if --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $dmz_if --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $dmz_if --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $dmz_if --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $dmz_ip -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rules for WAN

$IPTABLES -A INPUT -p ICMP -i $wan_if --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $wan_ip -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from the Internet: prefer restricting the source, as in the commented rule
#$IPTABLES -A INPUT -p TCP -i $wan_if -s $itchief_home --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if --dport 81 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if --dport 54322 -j ACCEPT
# Port 445 receives the WAN port 443 traffic rewritten to $dmz_ip:445 in the
# NAT section. SMB exposed to the Internet is a serious risk: restrict it with
# -s to known source addresses or remove it.
$IPTABLES -A INPUT -p TCP -i $wan_if --dport 445 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $wan_if --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $wan_if --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $wan_if --sport 53 -j ACCEPT

# Log weird packets that don't match the above.

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IPTABLES INPUT blocked: "

############### FORWARD chain ################

# Bad TCP packets we don't want

$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Rules for LAN
# New connections are allowed only per interface pair; replies come back
# through the ESTABLISHED,RELATED rules.

$IPTABLES -A FORWARD -p ALL -i $lan_if -o $lan_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan_if -o $wan_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan_if -o $dmz_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# uncomment to let the LAN reach LAN2
#$IPTABLES -A FORWARD -i $lan_if -o $lan2_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p ICMP -i $lan_if -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if --dport 110 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if --dport 143 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if --dport 25 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if --dport 80 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if -o $dmz_if --dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $lan_if -o $dmz_if --dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p ICMP -i $lan_if -o $dmz_if -j ACCEPT
# Replies for every direction (WAN -> DMZ, DMZ -> LAN, ...) are covered here
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $lan_if --dport 5190 -j ACCEPT
#$IPTABLES -A FORWARD -p ALL -s $itchief -i $lan_if -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -s $dc -i $lan_if --dport 123 -j ACCEPT

# Rules for LAN2

$IPTABLES -A FORWARD -p ALL -i $lan2_if -o $lan2_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $lan2_if -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan2_if -o $wan_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $lan2_if -o $dmz_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# uncomment to let LAN2 reach the LAN
#$IPTABLES -A FORWARD -i $lan2_if -o $lan_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for DMZ
# The DMZ may open connections to the Internet only. Nothing here lets a DMZ
# host start a connection into the LAN, so a compromised DMZ server cannot
# reach internal machines; the commented rules below show how to allow single
# services (NTP and DNS from the mail server) if they are really needed.

$IPTABLES -A FORWARD -p ALL -i $dmz_if -o $dmz_if -j ACCEPT
$IPTABLES -A FORWARD -i $wan_if -o $dmz_if -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $dmz_if -o $wan_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail --dport 123 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $dmz_if -o $lan_if -s $mail --dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail --dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $dmz_if -o $lan_if -s $mail --sport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $dmz_if -o $lan_if -s $mail --sport 53 -j ACCEPT

# Rules for WAN (FORWARD sees the destination after DNAT, so these rules match
# the internal host and the real service port, not the public port)

#VPS100 - VNC
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid --dport 5908 -j ACCEPT
#VPS100 - RDP
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $vps100 --dport 3389 -j ACCEPT

# ANDROID
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid --dport 5909 -j ACCEPT
# SSH - UNRAID (public port 224, see the NAT section)
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $unraid --dport 22 -j ACCEPT

# FTP on srv025: 20/21 plus the whole high-port range for passive data
# connections. The range rule also forwards every other unlisted high port to
# srv025. If the FTP helper is attached to these connections, the passive data
# connection is tracked as RELATED and the range rule is not needed.
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 --dport 1024: -j ACCEPT
# never matches: $dmz_ip is the firewall's own address, so the DNAT'd 445
# traffic is delivered locally and handled by the INPUT chain
$IPTABLES -A FORWARD -p TCP -m tcp -d $dmz_ip --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -m tcp -d $postgresql --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $postgresql --dport 22 -j ACCEPT
# PostgreSQL is TCP only (the UDP rule never matches anything useful).
# Exposing 5432 to the Internet should at least be restricted with -s.
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $postgresql --dport 5432 -j ACCEPT
$IPTABLES -A FORWARD -p UDP -i $wan_if -d $postgresql --dport 5432 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv025 --dport 9001 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $srv039 --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm --dport 8080 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm --dport 8009 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm --dport 8000 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm --dport 8443 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $ecm --dport 8005 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $zimbra --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $wan_if -d $zimbra --dport 7071 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $dc --dport 3389 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail --dport 25 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail --dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p UDP -i $wan_if -d $mail --dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -i $wan_if -d $mail --dport 80 -j ACCEPT
# No catch-all "-m state --state NEW -j ACCEPT" here: it would let any new
# connection through in any direction (DMZ -> LAN included) and make every
# per-host rule above irrelevant. Anything not matched so far is logged and
# then dropped by the FORWARD policy.

# Log weird packets that don't match the above.

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IPTABLES FORWARD blocked: "

############### NAT table ################

# PROXY HTTP - LAN2
#$IPTABLES -t nat -A PREROUTING -i $lan2_if -p tcp --dport 80 -j DNAT --to-destination $proxy:$proxyport
# HTTPS - LAN2
#$IPTABLES -t nat -A PREROUTING -i $lan2_if -p tcp --dport 443 -j DNAT --to-destination $proxy:$proxyport

# Static public address: SNAT; dynamic address (ppp0): MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -s 192.168.2.0/24 -o $wan_if -j SNAT --to-source $wan_ip
$IPTABLES -t nat -A POSTROUTING -o $wan_if -j MASQUERADE

# Port forwards: public port on $wan_ip -> internal host:port. Every entry
# needs the matching FORWARD ACCEPT above for the internal host and port.

# VPS100 - VNC
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 5908 -j DNAT --to-destination $unraid:5908
# VPS100 - RDP
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 4389 -j DNAT --to-destination $vps100:3389
# ANDROID
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 5909 -j DNAT --to-destination $unraid:5909
# SSH - UNRAID
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 224 -j DNAT --to-destination $unraid:22

# Public 443 -> SMB on the firewall's own DMZ address (see the warning in the INPUT chain)
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 443 -j DNAT --to-destination $dmz_ip:445
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 222 -j DNAT --to-destination $postgresql:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 5432 -j DNAT --to-destination $postgresql:5432
$IPTABLES -t nat -A PREROUTING -p UDP -m udp -d $wan_ip --dport 5432 -j DNAT --to-destination $postgresql:5432
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 2525 -j DNAT --to-destination $zimbra:25
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 7071 -j DNAT --to-destination $zimbra:7071
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if --dport 223 -j DNAT --to-destination $ecm:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 225 -j DNAT --to-destination $srv039:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 223 -j DNAT --to-destination $ecm:22
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 8080 -j DNAT --to-destination $ecm:8080
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 8009 -j DNAT --to-destination $ecm:8009
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 8443 -j DNAT --to-destination $ecm:8443
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 8005 -j DNAT --to-destination $ecm:8005
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 8000 -j DNAT --to-destination $ecm:8000
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 2121 -j DNAT --to-destination $srv025:21
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 2120 -j DNAT --to-destination $srv025:20
# Passive FTP data range; every public port from 1024 up that is not matched
# by an earlier rule ends up on srv025
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 1024:65535 -j DNAT --to-destination $srv025:1024-65535
$IPTABLES -t nat -A PREROUTING -p TCP -m tcp -d $wan_ip --dport 9001 -j DNAT --to-destination $srv025:9001
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if --dport 3777 -j DNAT --to-destination $dc:3389
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if --dport 25 -j DNAT --to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if --dport 53 -j DNAT --to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p UDP -i $wan_if --dport 53 -j DNAT --to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $wan_if --dport 80 -j DNAT --to-destination $mail
#$IPTABLES -t nat -A PREROUTING -p TCP -i $lan_if -d $wan_ip -j DNAT --to-destination $mail
#$IPTABLES -t nat -A OUTPUT -p TCP -d $wan_ip -j DNAT --to-destination $mail

echo "Iptables rules have been reloaded!"
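The part of this listing that is easiest to get wrong is the pairing between the NAT table and the FORWARD chain: a DNAT rule in nat PREROUTING only rewrites the destination, the connection still has to pass FORWARD, so every `--to-destination host:port` needs a matching FORWARD ACCEPT for that host and port, and a catch-all `-m state --state NEW -j ACCEPT` in FORWARD hides any that are missing because it accepts everything anyway. The check below is an added example, not part of the original script: it reads `iptables-save` output (run `iptables-save | check_dnat_forward` on the firewall) and reports DNAT targets without a FORWARD ACCEPT, plus any unrestricted ACCEPT for new connections. The ruleset it runs over here is constructed for the example, with documentation addresses rather than the page's hosts.

```shell
#!/bin/sh
# Added example, not part of the original firewall script: verify that every
# DNAT target in the nat table has a FORWARD ACCEPT for the same host and
# port, and warn about a catch-all FORWARD ACCEPT for NEW connections.
# The ruleset below is constructed for the example (iptables-save format);
# 203.0.113.10 plays the public address, 192.168.2.x the DMZ hosts.
SAMPLE_RULES=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 2525 -j DNAT --to-destination 192.168.2.21:25
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.2.22:22
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 4389 -j DNAT --to-destination 192.168.2.23:3389
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.24
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -d 192.168.2.21/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth0 -d 192.168.2.22/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
)

# check_dnat_forward < iptables-save-output
# Prints one line per problem and nothing when the ruleset is consistent.
check_dnat_forward() {
    awk '
    /^\*/ { table = substr($0, 2); next }
    table == "nat" && /-j DNAT/ {
        dport = ""; dest = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
        }
        split(dest, hp, ":")
        # without an explicit target port, DNAT keeps the original port
        port = (hp[2] != "") ? hp[2] : dport
        n++; dnat_host[n] = hp[1]; dnat_port[n] = port; dnat_wan[n] = dport
        next
    }
    table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
        d = ""; p = ""; iface = ""; st = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") { d = $(i + 1); sub(/\/32$/, "", d) }
            if ($i == "--dport") p = $(i + 1)
            if ($i == "-i") iface = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") st = $(i + 1)
        }
        if (d != "" && p != "") allowed[d ":" p] = 1
        # an ACCEPT with no interface, host or port that applies to NEW
        # connections lets everything through
        if (d == "" && p == "" && iface == "" && (st == "" || st ~ /NEW/)) catchall++
    }
    END {
        if (catchall) print "WARNING: unrestricted FORWARD ACCEPT for NEW connections; per-host rules are irrelevant"
        for (i = 1; i <= n; i++)
            if (!((dnat_host[i] ":" dnat_port[i]) in allowed))
                print "MISSING: no FORWARD ACCEPT for " dnat_host[i] ":" dnat_port[i] " (DNAT from port " dnat_wan[i] ")"
    }'
}

printf '%s\n' "$SAMPLE_RULES" | check_dnat_forward
```

The check matches exact host and port only: a DNAT to a port range (as in the passive FTP rule) or a FORWARD rule written with `--dport 1024:` is reported as missing and has to be reviewed by hand.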

HELP

If you have difficulty with iptables, below I include some articles from the SEMPREUPDATE site to help with understanding the script.

Ready-made iptables script, adjust as you like!
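The script's LOG rules tag dropped packets with "IPTABLES INPUT blocked: " and "IPTABLES FORWARD blocked: " in the kernel log, which only helps if someone reads them. The function below is an added example, not from the post or its author: it runs over constructed log lines in the format the LOG target writes (SRC=, PROTO=, DPT= fields) and summarises hits per source, protocol and destination port, so that an SSH password-guessing source or a repeated RDP probe stands out from the noise.

```shell
#!/bin/sh
# Added example, not part of the original firewall script: summarise the
# "IPTABLES ... blocked:" lines the script's LOG rules write to the kernel
# log (dmesg, /var/log/messages) per source, protocol and destination port.
# The log lines below are constructed for the example; the field names SRC=,
# PROTO= and DPT= are the ones the LOG target emits. Addresses are from the
# documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
Jan 12 10:00:01 fw kernel: IPTABLES INPUT blocked: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 10:00:02 fw kernel: IPTABLES INPUT blocked: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 10:00:03 fw kernel: IPTABLES INPUT blocked: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 10:00:04 fw kernel: IPTABLES INPUT blocked: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 10:00:05 fw kernel: IPTABLES INPUT blocked: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 ID=5 DF PROTO=TCP SPT=40005 DPT=23 WINDOW=29200 SYN URGP=0
Jan 12 10:00:06 fw kernel: IPTABLES INPUT blocked: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=68 TTL=60 ID=9 PROTO=UDP SPT=5353 DPT=53 LEN=48
Jan 12 10:00:07 fw kernel: IPTABLES FORWARD blocked: IN=eth0 OUT=eth2 SRC=198.51.100.9 DST=192.168.2.23 LEN=60 TTL=51 ID=7 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=8192 SYN URGP=0
Jan 12 10:00:08 fw kernel: IPTABLES FORWARD blocked: IN=eth0 OUT=eth2 SRC=198.51.100.9 DST=192.168.2.23 LEN=60 TTL=51 ID=8 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=8192 SYN URGP=0
Jan 12 10:00:09 fw kernel: IPTABLES FORWARD blocked: IN=eth0 OUT=eth2 SRC=198.51.100.9 DST=192.168.2.23 LEN=60 TTL=51 ID=9 DF PROTO=TCP SPT=51002 DPT=3389 WINDOW=8192 SYN URGP=0
Jan 12 10:00:10 fw kernel: IPTABLES PREROUTING: IN=eth1 OUT= SRC=192.168.1.50 DST=203.0.113.99 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=55000 DPT=443 WINDOW=64240 SYN URGP=0
EOF
)

# summarise_blocked [MIN_HITS] < logfile
# Prints "hits src proto dpt" for every (source, protocol, port) combination,
# most frequent first, keeping only sources with at least MIN_HITS blocked
# packets in total. Only "blocked" lines count; the PREROUTING debug log is
# ignored.
summarise_blocked() {
    min=${1:-1}
    awk -v min="$min" '
    /IPTABLES (INPUT|FORWARD) blocked: / {
        src = ""; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        if (src == "") next
        hits[src " " proto " " dpt]++
        total[src]++
    }
    END {
        for (k in hits) {
            split(k, f, " ")
            if (total[f[1]] >= min) print hits[k], k
        }
    }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarise_blocked 3
```

On a real firewall, `journalctl -k | summarise_blocked 20` (or `grep 'IPTABLES' /var/log/messages | summarise_blocked 20`) gives the same view; remember that the INPUT and FORWARD log rules are limited to 3 lines per minute, so the counts are a lower bound, not the real packet count.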

By Adriano Frare

Security specialist. CISSP and Certified Ethical Hacker certified. Experienced project manager with a proven track record in the government administration sector. Skilled in strategic planning, ITIL, Project Management Office (PMO), IT service management and Project Management Body of Knowledge (PMBOK), digital certificates (PKI), security (CEH), CISSP, and sales using Solution Selling (IBM) methods.
