
Firewall iptables linux, Ejemplo
#!/bin/bash
# Firewall 
# Octubre del 2004
# Firewall.
# Freddy Perez +58 0426-530.95.11
# freperez98@gmail.com

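# Kernel networking knobs, written straight to /proc/sys.
# NOTE(review): IPv4 forwarding is switched on here, before the FORWARD
# policy is set to DROP further down. Until that line runs the host
# forwards under whatever rules the previous run left behind; enabling
# forwarding as the last step, once the ruleset is loaded, closes that gap.
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# SYN cookies keep the listen queues usable under a SYN flood.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Do not log ICMP error replies that violate the RFCs.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Reverse-path filtering on every interface (anti-spoofing): a packet
# whose source is not reachable back through the arriving interface
# is discarded.
for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "$knob"
done

# Refuse source-routed packets on every interface.
for knob in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo "0" > "$knob"
done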

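# Interfaces and networks the rules below refer to.
WAN_IFACE="enp3s1"
LAN_IFACE="enp3s2"
LAN_NET="10.0.0.0/24"
ANYWHERE="0/0"

# Internal hosts published through the WAN address (see the DNAT rules).
DVR1_INT="10.0.0.20"
DVR2_INT="10.0.0.21"
# NOTE(review): DVR3_INT is the same address as DVR2_INT, so the "DVR3"
# port forwards land on the DVR2 host — confirm this is intended.
DVR3_INT="10.0.0.21"

SRVWW_INT="10.0.0.25"

#######################################
# Print the first IPv4 address configured on an interface.
# Arguments: $1 - interface name
# Outputs:   the address without prefix length on stdout; nothing if the
#            interface does not exist or has no IPv4 address
# Returns:   status of the awk pipeline
#######################################
iface_ipv4() {
  local iface=$1
  if command -v ip >/dev/null 2>&1; then
    # iproute2 one-line form: "N: IFACE    inet A.B.C.D/P brd ... scope ..."
    ip -4 -o addr show dev "$iface" 2>/dev/null \
      | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
  else
    # net-tools fallback; copes with both "inet addr:A.B.C.D" (old output)
    # and "inet A.B.C.D" (newer output). The previous "grep inet | cut"
    # pipeline also matched the inet6 line and could yield two lines.
    /sbin/ifconfig "$iface" 2>/dev/null \
      | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }'
  fi
}

# Addresses may be preset in the environment; otherwise detect them.
[ -z "$LAN_IP" ] && LAN_IP=$(iface_ipv4 "$LAN_IFACE")
[ -z "$WAN_IP" ] && WAN_IP=$(iface_ipv4 "$WAN_IFACE")

# An empty address leaves "-d"/"--to-source" without an argument, so every
# iptables call using it fails — after the old rules were already flushed.
# Stop before anything is touched instead.
if [ -z "$LAN_IP" ] || [ -z "$WAN_IP" ]; then
  printf 'FIREWALL: no IPv4 address on %s (LAN_IP="%s") or %s (WAN_IP="%s")\n' \
    "$LAN_IFACE" "$LAN_IP" "$WAN_IFACE" "$WAN_IP" >&2
  exit 1
fi

echo "FIREWALL $(date)"
echo "WAN_IP $WAN_IP"
echo "LAN_IP $LAN_IP"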

# Start from an empty ruleset: flush and drop user chains in the filter
# and nat tables (mangle and raw are left untouched).
# NOTE(review): only IPv4 is configured here; if IPv6 is enabled on these
# interfaces, ip6tables keeps its own, separate policy.
/sbin/iptables --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --flush
/sbin/iptables --table nat --delete-chain

# Default policies: nothing in or through unless a rule allows it; the
# firewall itself may talk to anyone.
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy INPUT DROP

# Loopback: 127.0.0.1 traffic is accepted, on lo or by address.
# NOTE(review): local services reached through the interface addresses
# (LAN_IP -> LAN_IP over lo) do not match either rule.
/sbin/iptables -A INPUT -i lo -s 127.0.0.1/32 -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

# Forwarded TCP that conntrack sees as NEW but is not a SYN.
/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# The limited-broadcast address is never a valid source.
/sbin/iptables -A INPUT -s 255.255.255.255 -d "$ANYWHERE" -j DROP

# Replies to connections the firewall opened itself, and related traffic.
/sbin/iptables -A INPUT -p all -d "$ANYWHERE" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services on the firewall itself: SSH, HTTP and 2025/tcp, accepted from
# any interface and any source.
# NOTE(review): this exposes SSH on the WAN side as well; adding
# "-i $LAN_IFACE" or a source restriction here would narrow that surface.
for port in 22 80 2025; do
  /sbin/iptables --append INPUT --protocol tcp --match tcp --dport "$port" --jump ACCEPT
done

# HTTP towards the firewall's own addresses, in the FORWARD chain.
# NOTE(review): packets addressed to a local address are delivered through
# INPUT, not FORWARD, so these rules are not expected to match (the DNAT
# rules further down rewrite the destination to an internal host first).
/sbin/iptables --append FORWARD --in-interface "$WAN_IFACE" --destination "$WAN_IP" \
  --protocol tcp --dport 80 --match state --state NEW --jump ACCEPT
/sbin/iptables --append FORWARD --in-interface "$LAN_IFACE" --destination "$LAN_IP" \
  --protocol tcp --dport 80 --match state --state NEW --jump ACCEPT

# Anything from the LAN network to either firewall address is accepted.
/sbin/iptables -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_NET" -d "$LAN_IP" -j ACCEPT
/sbin/iptables -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_NET" -d "$WAN_IP" -j ACCEPT

# HTTP to WAN_IP in FORWARD once more, from both interfaces (same caveat).
/sbin/iptables -A FORWARD -i "$WAN_IFACE" -d "$WAN_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -i "$LAN_IFACE" -d "$WAN_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT

# ICMP: the most useful types, left disabled.
#/sbin/iptables --append INPUT -p icmp --icmp-type echo-reply --source $ANYWHERE --jump ACCEPT
#/sbin/iptables --append INPUT -p icmp --icmp-type echo-request --source $ANYWHERE --jump ACCEPT
#/sbin/iptables --append INPUT -p icmp --icmp-type time-exceeded --source $ANYWHERE --jump ACCEPT

# HTTP to the firewall's WAN address. Already covered by the port-80 INPUT
# rule above, which matches any interface and any state.
/sbin/iptables -A INPUT -i "$WAN_IFACE" -d "$WAN_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -i "$LAN_IFACE" -d "$WAN_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT

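#######################################
# Publish an internal service through the WAN address: accept the
# forwarded traffic and DNAT the external port to the internal host.
# Globals:   WAN_IFACE, WAN_IP (read)
# Arguments: $1 - protocol (tcp or udp)
#            $2 - port on WAN_IP that clients connect to
#            $3 - internal host address
#            $4 - port on the internal host
# Returns:   status of the last iptables call
#######################################
publish_service() {
  local proto=$1 ext_port=$2 int_host=$3 int_port=$4
  # FORWARD sees the packet after DNAT, hence the internal port here.
  # NOTE(review): this accept is not tied to the DNAT (no ctstate DNAT
  # match), so any WAN packet routed to int_host:int_port is let through.
  /sbin/iptables -A FORWARD -i "$WAN_IFACE" -d "$int_host" -p "$proto" \
    -m state --dport "$int_port" --state NEW -j ACCEPT
  /sbin/iptables -t nat -A PREROUTING -i "$WAN_IFACE" -d "$WAN_IP" -p "$proto" \
    -m "$proto" --dport "$ext_port" -j DNAT --to-destination "${int_host}:${int_port}"
}

# Internal web server: WAN_IP:2026 -> SRVWW_INT:80.
# NOTE(review): the UDP entry mirrors the original rules; a plain HTTP
# server does not listen on UDP, so it can likely be removed.
publish_service udp 2026 "$SRVWW_INT" 80
publish_service tcp 2026 "$SRVWW_INT" 80

# DVR1: 9100 and 34567, both protocols, same port inside.
publish_service udp 9100 "$DVR1_INT" 9100
publish_service tcp 9100 "$DVR1_INT" 9100
publish_service udp 34567 "$DVR1_INT" 34567
publish_service tcp 34567 "$DVR1_INT" 34567

# DVR3: 9102 and 34568.
# NOTE(review): DVR3_INT is assigned the same address as DVR2_INT above,
# so these forwards reach the DVR2 host — confirm the intended address.
publish_service udp 9102 "$DVR3_INT" 9102
publish_service tcp 9102 "$DVR3_INT" 9102
publish_service udp 34568 "$DVR3_INT" 34568
publish_service tcp 34568 "$DVR3_INT" 34568

# DVR2: 9101, both protocols.
publish_service udp 9101 "$DVR2_INT" 9101
publish_service tcp 9101 "$DVR2_INT" 9101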

# Outbound LAN traffic leaves with the WAN address as source.
# NOTE(review): the address is fixed at load time; with a dynamic WAN_IP
# the script must be re-run after every change (MASQUERADE would track it).
/sbin/iptables -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
# LAN hosts may open anything towards the outside ...
/sbin/iptables -A FORWARD -i "$LAN_IFACE" -s "$LAN_NET" -j ACCEPT
# ... and replies plus related traffic flow back through.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Logging hooks, disabled. Unlimited LOG rules are noisy; pair them with
# "-m limit" if they are ever enabled.
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG
#iptables -A OUTPUT -j LOG

echo "ACCESO COMPARTIDO"
