#### FIREWALL ####


#!/bin/bash

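# Locate the tools once. "command -v" is the portable replacement for "which"
# (which is not a builtin and may not exist or may print to stderr).
# NOTE(review): when this runs with a minimal PATH (cron, some init systems) the
# sbin directories may be missing, so fall back to the conventional location;
# confirm that path on the target host.
MOD=$(command -v modprobe)
: "${MOD:=/sbin/modprobe}"

IPT=$(command -v iptables)
: "${IPT:=/sbin/iptables}"

# Network interfaces. Link 1 (eth0) is the dedicated link and carries
# fwmark 1 traffic; link 2 (eth2) is the ADSL line and carries fwmark 2
# traffic (see the mangle rules in start() and the routes script).
I_LINK1="eth0"
I_LINK2="eth2"
I_LAN="eth1"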

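#######################################
# Bring the firewall up.
# Globals (read): MOD, IPT, I_LINK1, I_LINK2, I_LAN
# Side effects: loads kernel modules, enables ip_forward, rewrites the
#   filter/nat/mangle tables, sets default policies.
# Notes:
#   - The original script set every policy to ACCEPT, which turned the whole
#     allow-list below into a no-op: every packet was accepted regardless.
#     This version installs the allow rules first and switches INPUT and
#     FORWARD to DROP last, so an error part-way through leaves the host
#     reachable rather than locked out.
#   - Before deploying, confirm the SIP/RTP peers really live inside the
#     listed /8 blocks; with the DROP policy anything outside them is
#     now dropped instead of silently accepted.
#######################################
function start() {
  local net proto port

  # Load the netfilter core and NAT modules (no-op if already present).
  "$MOD" ip_tables
  "$MOD" iptable_nat

  # Start from a clean slate: stop() resets policies and flushes every table.
  stop;

  # Route between interfaces; required for the LAN to reach either uplink.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Reverse-path filtering is off because policy routing (marks below) may
  # answer on a different link than the one a packet arrived on.
  # NOTE(review): this only changes "default" (interfaces created later);
  # existing interfaces keep their "all"/per-interface value. Confirm scope.
  echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter

  # --- nat: masquerade LAN traffic leaving on either uplink -------------
  # NOTE(review): iptables normalises "10.1.1.0/8" to 10.0.0.0/8, i.e. the
  # entire 10/8 space. If the LAN is really 10.1.1.0/24, tighten the mask.
  "$IPT" -t nat -A POSTROUTING -s 10.1.1.0/8 -o "$I_LINK2" -j MASQUERADE
  "$IPT" -t nat -A POSTROUTING -s 10.1.1.0/8 -o "$I_LINK1" -j MASQUERADE

  # --- nat: port forwards (PREROUTING nat runs before filter sees the packet)
  # NOTE(review): 187.5.250.106 is a hard-coded public address, presumably
  # this host's link-1 IP; consider defining it next to I_LINK1.
  # Backup server: SSH on the public address goes to 10.1.1.52.
  "$IPT" -t nat -A PREROUTING -d 187.5.250.106 -p tcp --dport 22 -j DNAT --to 10.1.1.52:22
  "$IPT" -t nat -A PREROUTING -i "$I_LINK1" -p tcp --dport 34684 -j DNAT --to 10.1.1.30
  # Web server (virtual machine): public port 81 -> 10.1.1.88:80.
  "$IPT" -t nat -A PREROUTING -d 187.5.250.106 -p tcp --dport 81 -j DNAT --to 10.1.1.88:80
  #"$IPT" -t nat -A POSTROUTING -s 10.1.1.88 -p tcp --sport 81 -j SNAT --to 187.5.250.106
  # lyric test (kept disabled as in the original)
  # "$IPT" -t nat -A PREROUTING -i "$I_LAN" -d 74.125.65.141 -j DNAT --to 10.1.1.249

  # --- filter: INPUT ------------------------------------------------------
  # Loopback and replies to connections this host already has; first so the
  # common case short-circuits.
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # SIP signalling (5060) and RTP media (10000-20000), tcp and udp, only from
  # the provider/peer address blocks. These are whole /8s (tens of millions of
  # addresses each), not a peer list.
  for net in 187.0.0.0/255.0.0.0 189.0.0.0/255.0.0.0 200.0.0.0/255.0.0.0 201.0.0.0/255.0.0.0; do
    for proto in tcp udp; do
      "$IPT" -A INPUT -p "$proto" -m "$proto" --dport 5060 -s "$net" -j ACCEPT
      "$IPT" -A INPUT -p "$proto" -m "$proto" --dport 10000:20000 -s "$net" -j ACCEPT
    done
  done

  # Services reachable from anywhere. Note that 22 and 81 aimed at
  # 187.5.250.106 are DNAT'd above and never reach INPUT; these rules cover
  # the host's other addresses. NOTE(review): 142 is undocumented — confirm.
  for port in 22 142 80 81; do
    "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT
  done

  # Anything tcp/udp from the LAN. Binding to the LAN interface (the original
  # matched on source address only) keeps a packet arriving on an uplink with
  # a forged 10.x source from matching — relevant since rp_filter is off.
  "$IPT" -A INPUT -i "$I_LAN" -p tcp -s 10.1.1.0/255.0.0.0 -j ACCEPT
  "$IPT" -A INPUT -i "$I_LAN" -p udp -s 10.1.1.0/255.0.0.0 -j ACCEPT

  # Answer ping from anywhere.
  "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  # --- filter: OUTPUT (policy stays ACCEPT; rules kept for a future tightening)
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

  # --- filter: FORWARD ----------------------------------------------------
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # New connections the LAN originates, out either uplink.
  "$IPT" -A FORWARD -i "$I_LAN" -j ACCEPT
  # New connections the DNAT rules above deliver to LAN hosts.
  "$IPT" -A FORWARD -d 10.1.1.52 -p tcp --dport 22 -j ACCEPT
  "$IPT" -A FORWARD -d 10.1.1.30 -p tcp --dport 34684 -j ACCEPT
  "$IPT" -A FORWARD -d 10.1.1.88 -p tcp --dport 80 -j ACCEPT

  # --- mangle: policy-routing marks consumed by the routes script --------
  # mark 2 = ADSL (all browsing), mark 1 = dedicated link. MARK does not
  # terminate rule traversal, so the catch-all mark-2 rules come first and
  # the mark-1 exceptions below overwrite the mark for their flows.
  # ICMP from the LAN is left unmarked and follows the main routing table.
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp -j MARK --set-mark 2
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p udp -j MARK --set-mark 2
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 22 -j MARK --set-mark 1
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp --dport 142 -j MARK --set-mark 1
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp -d 187.53.232.107 -j MARK --set-mark 1
  "$IPT" -t mangle -A PREROUTING -i "$I_LAN" -p tcp -d 200.228.195.167 -j MARK --set-mark 1 # SanMartin web server

  # Default-deny last, once every allow rule is in place (see header).
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT

  echo "Firewall iniciado."
}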

#######################################
# Open the firewall: reset the three built-in policies to ACCEPT and empty
# the filter, nat and mangle tables (flush rules, delete user chains, zero
# counters). Note that "stop" leaves the host fully exposed, not closed.
#######################################
function stop() {
  local chain table
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
  done
  echo "Firewall parado."
}


# Entry point: "start", "stop" or "restart". Any other argument, including
# none, behaves like "start". Each branch exits with the status of the last
# command it ran.
case "$1" in
  start)   start; exit ;;
  stop)    stop; exit ;;
  restart) stop; start; exit ;;
  *)       start; exit ;;
esac


#### ROTAS #####


#!/bin/bash

# Gateway address of each uplink (the original marks these as placeholder IPs).
GW_LINK1="187.5.250.105"
GW_LINK2="192.168.1.1"

# Interface carrying each uplink.
ETH_LINK1="eth0"
ETH_LINK2="eth2"

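#######################################
# Install the policy-routing setup that honours the fwmarks set by the
# firewall script: mark 1 -> table link1 (dedicated), mark 2 -> table link2
# (ADSL); unmarked traffic defaults to link1.
# Globals (read): GW_LINK1, GW_LINK2, ETH_LINK1, ETH_LINK2
# Requires: the names "link1" and "link2" declared in /etc/iproute2/rt_tables.
# Notes:
#   - "ip route replace" is used instead of "add" so a restart does not fail
#     with "File exists" when the previous routes are still present.
#   - "ip rule add" is not idempotent: calling start() twice without stop()
#     leaves duplicate rules.
#   - The deprecated net-tools "route" command is replaced by "ip route".
#######################################
function start() {
  ip route flush cache
  # Marked packets are looked up in their per-link table.
  ip rule add fwmark 1 prio 20 table link1
  ip rule add fwmark 2 prio 20 table link2
  # Default route of each per-link table via its own gateway and interface.
  ip route replace default via "$GW_LINK1" dev "$ETH_LINK1" table link1
  ip route replace default via "$GW_LINK2" dev "$ETH_LINK2" table link2
  # Main-table default (unmarked traffic and the host itself) via link 1.
  ip route replace default via "$GW_LINK1"
  echo "Tabela de roteamento criada."
}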

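#######################################
# Undo start(): remove the two fwmark rules, the per-link tables and the
# main default route.
# Bug fixed: the original deleted "fwmark 2" and "fwmark 3", but start()
# adds marks 1 and 2 — so the mark-1 rule was never removed and a new copy
# accumulated on every restart. The per-link tables are now flushed too;
# otherwise a later "ip route add ... table linkN" in start() fails.
#######################################
function stop() {
  ip route flush cache
  # Delete exactly the rules start() created.
  ip rule del fwmark 1 prio 20 table link1
  ip rule del fwmark 2 prio 20 table link2
  # Empty the per-link tables.
  ip route flush table link1
  ip route flush table link2
  # Drop the main default route.
  ip route del default
  echo "Limpeza da tabela de roteamento concluida."
}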

# Entry point: "start", "stop" or "restart". Any other argument, including
# none, behaves like "start". Each branch exits with the status of the last
# command it ran.
case "$1" in
  start)   start; exit ;;
  stop)    stop; exit ;;
  restart) stop; start; exit ;;
  *)       start; exit ;;
esac