Here is the full script:
#!/bin/bash
# Prodata firewall init script (iptables): start|stop|restart|reload|status
# Absolute paths so the script does not depend on PATH when run from init.
FW="/sbin/iptables"
LOAD="/sbin/modprobe"   # not used in this file; presumably used by the sourced fw_modulos
#__________________________________________________________________________

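# Load the iptables kernel modules (fw_modulos) and then the site variables
# (fw_variaveis: interface names, addresses, KERNEL/LOGS switches).
# Everything below is built from those variables, so refuse to run when a
# file is missing: in (non-POSIX) bash a failed "." only prints an error and
# continues, and the script would then install rules made from empty
# interface and address names.  This applies to "stop" as well.
for fw_inc in /etc/rc.d/init.d/prodata/fw_modulos /etc/rc.d/init.d/prodata/fw_variaveis; do
   if [ ! -r "$fw_inc" ]; then
      echo "firewall: cannot read $fw_inc" >&2
      exit 1
   fi
   . "$fw_inc"
done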

case "$1" in
   stop)
      # Tear the firewall down: flush every rule and delete every user chain
      # in the filter, nat and mangle tables, then reset all built-in
      # policies to ACCEPT.  After "stop" the host and the networks behind
      # it are completely unfiltered - this is not a fail-closed state.
      for tbl in filter nat mangle; do
         $FW -t "$tbl" -F
         $FW -t "$tbl" -X
      done

      for chain in INPUT OUTPUT FORWARD; do
         $FW -P "$chain" ACCEPT
      done
      for chain in POSTROUTING PREROUTING OUTPUT; do
         $FW -t nat -P "$chain" ACCEPT
      done

      echo -e "FIREWALL........STOPED!!!!\n"
      ;;
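   status)
      # Show the live rule set.  -n skips reverse-DNS lookups (slow, and it
      # makes the firewall send a DNS query for every listed address); -v
      # and --line-numbers add counters/interfaces and the rule positions
      # needed for "iptables -D CHAIN N".
      $FW -L -n -v --line-numbers
      $FW -L -n -v --line-numbers -t nat
      ;;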
   restart|reload)
      # Re-run this script.  "stop" flushes everything and leaves all
      # policies at ACCEPT, so there is a short window with no rules at all
      # before "start" rebuilds them.
      "$0" stop
      "$0" start
      ;;
   start)
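    echo "FIREWALL...STARTING"
    echo ""


#___________________________________________________________________________
# Kernel-level protections (sysctl) - only when KERNEL=sim in fw_variaveis
#___________________________________________________________________________

# Quoted: an unset KERNEL must simply fail this test, not break "[".
if [ "$KERNEL" = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___________________________________________________________________________
# Default policies
#___________________________________________________________________________
# NOTE(review): every built-in chain is left at ACCEPT, so the many
# "-j ACCEPT" rules further down restrict nothing by themselves; only the
# DROP rules and whatever the user chains (SMB, ICMPINBOUND, ...) do actually
# filter.  A DROP policy on INPUT/FORWARD with explicit ESTABLISHED,RELATED
# rules is the real fix, but it must be staged with console access because
# it will cut everything the rules below do not cover.

$FW -P INPUT ACCEPT
$FW -P OUTPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -t nat -P POSTROUTING ACCEPT
$FW -t nat -P PREROUTING ACCEPT
$FW -t nat -P OUTPUT ACCEPT

#___________________________________________________________________________
# Flush all rules and delete user chains (filter + nat)
#___________________________________________________________________________
# mangle is only flushed by "stop"; nothing in "start" touches it.

$FW -F
$FW -F -t nat
$FW -X
$FW -X -t nat

#___________________________________________________________________________
# Logging policies / user chains
#___________________________________________________________________________
# fw_politicas is only loaded when LOGS=sim.  The user chains referenced
# later (ICMPINBOUND, ICMPOUTBOUND, SMB, icmp_ping, TCPACCEPT) are not
# created in this file and presumably come from there - if so, starting
# with LOGS!=sim makes those rules fail with "No chain/target/match by that
# name".  Verify against fw_politicas.

if [ "$LOGS" = "sim" ]
   then . /etc/rc.d/init.d/prodata/fw_politicas
fi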

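#_______________________________________________________________________________
# LOG every packet on INPUT/OUTPUT/FORWARD/PREROUTING/POSTROUTING
#_______________________________________________________________________________
# Debug aid, left disabled: unlimited logging of every packet floods the log.

#$FW -A INPUT -j LOG --log-level 3 --log-prefix "APB_INPUT_OK "
#$FW -A OUTPUT -j LOG --log-level 3 --log-prefix "APB_OUTPUT_OK "
#$FW -A FORWARD -j LOG --log-level 3 --log-prefix "APB_FORWARD_OK "
#$FW -t nat -A POSTROUTING -j LOG --log-level 3 --log-prefix "APB_POSTROUTING_OK "
#$FW -t nat -A PREROUTING -j LOG --log-level 3 --log-prefix "APB_PREROUTING_OK "
#$FW -t nat -A OUTPUT -j LOG --log-level 3 --log-prefix "APB_OUTPUT-ROUTING_OK "

#_______________________________________________________________________________
# Intranet side: everything allowed ("Divulga Rotas")
#_______________________________________________________________________________
# NOTE(review): inserted (-I) at the head of every chain, so nothing later
# in this script can filter traffic arriving from, or leaving to, the
# intranet interface - including traffic aimed at the firewall's own
# services.  A compromised internal host is therefore unfiltered towards the
# firewall.  Note also that nat-table ACCEPTs stop NAT processing: any
# PREROUTING DNAT for "-i $INT_INTRANET" appended later cannot match.

$FW -I INPUT -i "$INT_INTRANET" -p all -j ACCEPT
$FW -I OUTPUT -o "$INT_INTRANET" -p all -j ACCEPT
$FW -I FORWARD -o "$INT_INTRANET" -i "$INT_INTRANET" -p all -j ACCEPT
$FW -t nat -I PREROUTING -i "$INT_INTRANET" -p all -j ACCEPT
$FW -t nat -I POSTROUTING -o "$INT_INTRANET" -p all -j ACCEPT
$FW -t nat -I OUTPUT -o "$INT_INTRANET" -p all -j ACCEPT

#_______________________________________________________________________________
# FW - Protection against TCP SYN/FIN packets
#_______________________________________________________________________________
# Log (at most 10 per minute) and then drop packets with SYN and FIN both
# set.  Only the firewall's own public address is covered; the same packets
# forwarded to the DNAT'ed servers are not inspected here.

$FW -A INPUT -p tcp -d "$IP_INTERNET" --tcp-flags SYN,FIN SYN,FIN -m limit --limit 10/m \
        -j LOG --log-level 3 --log-prefix "FW_PRODATA --> SYN_FIN packet"
$FW -A INPUT -p tcp -d "$IP_INTERNET" --tcp-flags SYN,FIN SYN,FIN -j DROP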

#############################################################################
#                                                                           #
#                        Inicio das REGRAS                                  #
#                                                                           #
#############################################################################

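#_______________________________________________________________________________
# Loopback traffic on the firewall itself
#_______________________________________________________________________________
# Local processes may talk over lo using any of the firewall's own addresses
# (loopback, public, intranet), e.g. a daemon bound to the public address.

$FW -A INPUT -p ALL -i "$INT_LOOPBACK" -s "$IP_LOOPBACK" -j ACCEPT
$FW -A INPUT -p ALL -i "$INT_LOOPBACK" -s "$IP_INTERNET" -j ACCEPT
$FW -A INPUT -p ALL -i "$INT_LOOPBACK" -s "$IP_INTRANET" -j ACCEPT
$FW -A OUTPUT -p ALL -o "$INT_LOOPBACK" -j ACCEPT
$FW -t nat -A OUTPUT -p ALL -o "$INT_LOOPBACK" -j ACCEPT
$FW -t nat -A POSTROUTING -p ALL -o "$INT_LOOPBACK" -j ACCEPT

#_______________________________________________________________________________
# FW - the firewall may send anything out, as long as the source address is
# the one belonging to the egress interface.
#_______________________________________________________________________________
# Same three (interface, address) pairs in filter OUTPUT, nat OUTPUT and nat
# POSTROUTING.  OUTPUT is already ACCEPT by policy, so these only matter if
# that policy is ever changed to DROP.

$FW -A OUTPUT -o "$INT_LOOPBACK" -s "$IP_LOOPBACK" -j ACCEPT
$FW -A OUTPUT -o "$INT_INTRANET" -s "$IP_INTRANET" -j ACCEPT
$FW -A OUTPUT -o "$INT_INTERNET" -s "$IP_INTERNET" -j ACCEPT

$FW -t nat -A OUTPUT -o "$INT_LOOPBACK" -s "$IP_LOOPBACK" -j ACCEPT
$FW -t nat -A OUTPUT -o "$INT_INTRANET" -s "$IP_INTRANET" -j ACCEPT
$FW -t nat -A OUTPUT -o "$INT_INTERNET" -s "$IP_INTERNET" -j ACCEPT

$FW -t nat -A POSTROUTING -o "$INT_LOOPBACK" -s "$IP_LOOPBACK" -j ACCEPT
$FW -t nat -A POSTROUTING -o "$INT_INTRANET" -s "$IP_INTRANET" -j ACCEPT
$FW -t nat -A POSTROUTING -o "$INT_INTERNET" -s "$IP_INTERNET" -j ACCEPT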

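#_______________________________________________________________________________
# FW - PPTP SERVER ($IP_VPN on the intranet, published on $IP_INTERNET)
#_______________________________________________________________________________
# PPTP = TCP/1723 control channel + GRE (IP protocol 47) data channel.
# NOTE(review): PPTP's MS-CHAPv2 authentication and MPPE encryption are
# considered broken; treat this as an unauthenticated/unencrypted tunnel and
# plan a replacement (IPsec, OpenVPN, WireGuard) rather than hardening it.

# The VPN server's own traffic to the internet leaves with the public address.
$FW -t nat -A POSTROUTING -o "$INT_INTERNET" -s "$IP_VPN" -j SNAT --to-source "$IP_INTERNET"
$FW -t nat -A POSTROUTING -o "$INT_INTRANET" -d "$IP_VPN" -p tcp --dport 1723 -j ACCEPT
$FW -t nat -A POSTROUTING -o "$INT_INTRANET" -d "$IP_VPN" -p 47 -j ACCEPT
# ACCEPT in the nat table means "do not NAT": from here on every GRE packet
# leaving the internet interface is exempt from SNAT.
# NOTE(review): this is appended BEFORE the PPTP-CLIENT SNAT for GRE below,
# and first match wins in POSTROUTING, so that SNAT rule appears unreachable
# (intranet PPTP clients would leave with their private source address).
# Confirm whether the client section is still in use before reordering.
$FW -t nat -A POSTROUTING -o "$INT_INTERNET" -p 47 -j ACCEPT

# Inbound: publish 1723/tcp and GRE on the public address to the VPN server.
$FW -t nat -A PREROUTING -i "$INT_INTERNET" -p tcp --dport 1723 -j DNAT --to-destination "$IP_VPN"
#$FW -t nat -A PREROUTING -i $INT_INTRANET -p 47 -j ACCEPT
$FW -t nat -A PREROUTING -i "$INT_INTERNET" -p 47 -j DNAT --to-destination "$IP_VPN"

$FW -A FORWARD -i "$INT_INTERNET" -d "$IP_VPN" -p tcp --dport 1723 -j ACCEPT
$FW -A FORWARD -i "$INT_INTERNET" -d "$IP_VPN" -p 47  -j ACCEPT
$FW -A FORWARD -i "$INT_INTRANET" -s "$IP_VPN" -p tcp --sport 1723 -j ACCEPT
$FW -A FORWARD -i "$INT_INTRANET" -s "$IP_VPN" -p 47 -j ACCEPT

#_______________________________________________________________________________
# FW - PPTP CLIENT (intranet hosts dialing out to external PPTP servers)
#_______________________________________________________________________________

$FW -t nat -A POSTROUTING -o "$INT_INTERNET" -s "$REDE_INTRANET" -p 47 -j SNAT --to-source "$IP_INTERNET"
$FW -A FORWARD -i "$INT_INTRANET" -s "$REDE_INTRANET" -p 47 -j ACCEPT
$FW -A FORWARD -i "$INT_INTERNET" -d "$REDE_INTRANET" -p 47  -j ACCEPT

# Return traffic is matched on source port only, with no connection
# tracking: anything from the internet whose source port is 1723 is
# forwarded to any internal host and port.  A "-m state --state
# ESTABLISHED,RELATED" match is the proper replacement once conntrack is
# confirmed loaded (see fw_modulos).
$FW -t nat -A PREROUTING -i "$INT_INTERNET" -p tcp --sport 1723 -j ACCEPT
$FW -A FORWARD -i "$INT_INTERNET" -p tcp --sport 1723 -j ACCEPT

$FW -t nat -A PREROUTING -i "$INT_INTRANET" -p tcp --dport 1723 -j ACCEPT
$FW -A FORWARD -i "$INT_INTRANET" -p tcp --dport 1723 -j ACCEPT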

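#_______________________________________________________________________________
# NETWORK MANAGEMENT - NAGIOS (disabled)
#_______________________________________________________________________________

#$FW -A INPUT -i $INT_INTRANET -d $IP_INTRANET -s $IP_NAGIOS -p all -j ACCEPT
#$FW -A OUTPUT -o $INT_INTRANET -s $IP_INTRANET -d $IP_NAGIOS -p all -j ACCEPT
#$FW -t nat -A POSTROUTING -o $INT_INTERNET -p ICMP -s $IP_NAGIOS -j MASQUERADE
#$FW -A INPUT -i $INT_INTRANET -s $IP_NAGIOS -p ICMP -j icmp_ping
#$FW -A OUTPUT -o $INT_INTRANET -d $IP_NAGIOS -p ICMP -j icmp_ping
#$FW -t nat -A PREROUTING -i $INT_INTRANET -s $IP_NAGIOS -p ICMP --icmp-type 8 -j ACCEPT

#_______________________________________________________________________________
# IP SPOOFING - DENY
#_______________________________________________________________________________
# A packet claiming an intranet source address can never legitimately arrive
# on the internet interface.  Drop it both when it is addressed to the
# firewall (INPUT) and when it would be routed to the hosts behind it
# (FORWARD): the FORWARD policy is ACCEPT, so without the second rule
# spoofed packets reach the DNAT'ed servers untouched.

$FW -A INPUT -i "$INT_INTERNET" -s "$REDE_INTRANET" -j DROP
$FW -A FORWARD -i "$INT_INTERNET" -s "$REDE_INTRANET" -j DROP

#_______________________________________________________________________________
# ICMP/TRACEROUTE/SMB - DENY (via user chains)
#_______________________________________________________________________________
# ICMPOUTBOUND, ICMPINBOUND and SMB are user chains that are not created in
# this file; presumably they come from fw_politicas (loaded only when
# LOGS=sim).  If they do not exist these three rules fail to load.

#$FW -A INPUT -i $INT_INTERNET -d $IP_INTERNET -p icmp --icmp-type 8 -j DROP
#$FW -A INPUT -i $INT_INTERNET -d $IP_INTERNET -p icmp --icmp-type 3 -j DROP
$FW -A OUTPUT -o "$INT_INTERNET" -p icmp -j ICMPOUTBOUND
$FW -A INPUT -i "$INT_INTERNET" -p icmp -j ICMPINBOUND
$FW -A INPUT -i "$INT_INTERNET" -j SMB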

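#_______________________________________________________________________________
# FW - PING client - firewall to the internet (everyone)
#_______________________________________________________________________________
# Inserted at the head of INPUT/OUTPUT, i.e. ahead of the ICMPINBOUND /
# ICMPOUTBOUND chains appended above; icmp_ping is another user chain that
# must already exist.

$FW -I INPUT -p ICMP -i "$INT_INTERNET" -j icmp_ping
$FW -I OUTPUT -p ICMP -o "$INT_INTERNET" -j icmp_ping
$FW -t nat -I PREROUTING -i "$INT_INTERNET" -p ICMP --icmp-type 8 -j ACCEPT

#_______________________________________________________________________________
# FW - DNS client - firewall to the internet (everyone)
#_______________________________________________________________________________
# NOTE(review): the INPUT rules accept from $ANYWHERE anything whose SOURCE
# port is 53, to any destination port, with no state match - a remote host
# can reach any service on $IP_INTERNET simply by sending from port 53.
# Today the INPUT policy is ACCEPT so this adds nothing; if the policy is
# ever tightened, replace these with "-m state --state ESTABLISHED" or at
# least add "--dport 1024:65535".
# The "-s $IP_INTERNET" on the PREROUTING (-i $INT_INTERNET) rules can only
# match packets spoofing the firewall's own address; they look copied from
# the OUTPUT rules and are harmless (a nat-table ACCEPT only skips NAT).

# TCP --------------------------------------------------------------------------
$FW -A INPUT -i "$INT_INTERNET" -s "$ANYWHERE" -d "$IP_INTERNET" -p tcp --sport 53 -j ACCEPT
$FW -A OUTPUT -o "$INT_INTERNET" -s "$IP_INTERNET" -p tcp --dport 53 -j ACCEPT
$FW -t nat -A PREROUTING -i "$INT_INTERNET" -p tcp -s "$IP_INTERNET" --dport 53 -j ACCEPT
$FW -t nat -A OUTPUT -o "$INT_INTERNET" -p tcp -s "$IP_INTERNET" --dport 53 -j ACCEPT
$FW -t nat -A POSTROUTING -o "$INT_INTERNET" -p tcp -s "$IP_INTERNET" --dport 53 -j ACCEPT

# UDP --------------------------------------------------------------------------
$FW -A INPUT -i "$INT_INTERNET" -s "$ANYWHERE" -d "$IP_INTERNET" -p udp --sport 53 -j ACCEPT
$FW -A OUTPUT -o "$INT_INTERNET" -s "$IP_INTERNET" -p udp --dport 53 -j ACCEPT
$FW -t nat -A PREROUTING -i "$INT_INTERNET" -p udp -s "$IP_INTERNET" --dport 53 -j ACCEPT
$FW -t nat -A OUTPUT -o "$INT_INTERNET" -p udp -s "$IP_INTERNET" --dport 53 -j ACCEPT
$FW -t nat -A POSTROUTING -o "$INT_INTERNET" -p udp -s "$IP_INTERNET" --dport 53 -j ACCEPT

#_______________________________________________________________________________
# FW - TELNET client (firewall to the internet)
#_______________________________________________________________________________
# NOTE(review): telnet is cleartext, credentials included.  Prefer ssh from
# the firewall; if these rules are still needed, restrict -d to the specific
# hosts being managed instead of the whole internet.

$FW -A INPUT -i "$INT_INTERNET" -d "$IP_INTERNET" -p tcp --sport 23 -j ACCEPT
$FW -A OUTPUT -o "$INT_INTERNET" -s "$IP_INTERNET" -p tcp --dport 23 -j ACCEPT
$FW -t nat -A PREROUTING -i "$INT_INTERNET" -p tcp -s "$IP_INTERNET" --dport 23 -j ACCEPT
$FW -t nat -A POSTROUTING -o "$INT_INTERNET" -p tcp -s "$IP_INTERNET" --dport 23 -j ACCEPT
$FW -t nat -A OUTPUT -o "$INT_INTERNET" -p tcp -s "$IP_INTERNET" --dport 23 -j ACCEPT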

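#_______________________________________________________________________________
# Administrative access from a fixed set of external addresses, published on
# $IP_INTERNET and DNAT'ed to internal hosts (RDP, telnet, MSDE, VNC, SQL*Net)
#_______________________________________________________________________________
# Every section below used to be the same six rules copied by hand (one
# PREROUTING DNAT per permitted source, a nat POSTROUTING ACCEPT, and FORWARD
# in both directions); they are generated by publish_to_sources instead.
# Rule order in each chain is unchanged: sources are inserted with -I in the
# same sequence as before, the remaining rules are appended.
#
# NOTE(review): these are management and database ports (RDP, VNC, MSDE/1433,
# SQL*Net/1521, cleartext telnet) gated only by source address.  Source
# addresses give no protection if one of the permitted networks is
# compromised, and telnet/VNC/1433/1521 carry credentials in a form that is
# trivially captured on the way in.  A VPN in front of them is the usual fix.

# publish_to_sources DST_HOST EXT_PORT INT_PORT FWD_TARGET SRC...
#   DST_HOST    internal address the service lives on
#   EXT_PORT    TCP port on $IP_INTERNET that the outside connects to
#   INT_PORT    TCP port on DST_HOST
#   FWD_TARGET  target of the FORWARD rules (TCPACCEPT or ACCEPT)
#   SRC...      external addresses allowed in; one PREROUTING rule each
publish_to_sources() {
   local dst="$1" ext_port="$2" int_port="$3" fwd_target="$4" src
   shift 4
   for src in "$@"; do
      $FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" -s "$src" --dport "$ext_port" \
              -j DNAT --to-destination "$dst:$int_port"
   done
   $FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$dst" --dport "$int_port" -j ACCEPT
   $FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$dst" --dport "$int_port" -j "$fwd_target"
   $FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$dst" --sport "$int_port" -j "$fwd_target"
}

# The management addresses every service below is limited to.  The old
# any-source variants of these DNATs were removed on purpose: every service
# must list its permitted sources.
admin_sources=("$IP_APB_1" "$IP_APB_2" "$IP_CMT")

#---------- RDP on the VTWEB machine (3389)
publish_to_sources "$IP_VTWEB" 3389 3389 TCPACCEPT "${admin_sources[@]}"

#---------- TELNET on the VTWEB machine (23) - cleartext, see note above
publish_to_sources "$IP_VTWEB" 23 23 TCPACCEPT "${admin_sources[@]}"

#---------- MSDE on the VTWEB machine (1433)
publish_to_sources "$IP_VTWEB" 1433 1433 TCPACCEPT "${admin_sources[@]}"

#---------- VNC on the VTWEB machine (5900)
publish_to_sources "$IP_VTWEB" 5900 5900 TCPACCEPT "${admin_sources[@]}"

#---------- RDP on the UDP machine (external 33891 -> 3389)
publish_to_sources "$IP_UDP" 33891 3389 TCPACCEPT "${admin_sources[@]}"

#---------- VNC on the UDP machine (external 5901 -> 5900)
publish_to_sources "$IP_UDP" 5901 5900 TCPACCEPT "${admin_sources[@]}"

#---------- SQLPLUS on the BANCO machine (1521) - plain ACCEPT in FORWARD, as before
publish_to_sources "$IP_DB" 1521 1521 ACCEPT "${admin_sources[@]}"

#---------- SQLPLUS on the BANCO machine - RISC-A (external 1621 -> 1521); COTIA also allowed
publish_to_sources "$IP_RISC_A" 1621 1521 ACCEPT "${admin_sources[@]}" "$IP_COTIA"

#---------- VNC on the BANCO machine (external 5902 -> 5900)
publish_to_sources "$IP_DB" 5902 5900 TCPACCEPT "${admin_sources[@]}"

#---------- VNC on the SCM machine (external 5903 -> 5900)
publish_to_sources "$IP_SCM" 5903 5900 TCPACCEPT "${admin_sources[@]}"

#---------- VNC on the SP-1 machine (external 5904 -> 5900)
publish_to_sources "$IP_SP1" 5904 5900 TCPACCEPT "${admin_sources[@]}"

#---------- VNC on the SP-2 machine (external 5905 -> 5900)
publish_to_sources "$IP_SP2" 5905 5900 TCPACCEPT "${admin_sources[@]}"

#---------- VNC on the SP-3 machine (external 5906 -> 5900)
publish_to_sources "$IP_SP3" 5906 5900 TCPACCEPT "${admin_sources[@]}"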

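#_______________________________________________________________________________
# DMZ - publishing internal servers to the whole internet (DNAT)
#_______________________________________________________________________________
# Unlike the management sections above these have no source restriction:
# anyone on the internet may reach VTWEB on 80 and 443.

#---------- HTTP://VTWEB.APB.COM.BR (80-TCP)
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" --dport 80 \
        -j DNAT --to-destination "$IP_VTWEB:80"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_VTWEB" --dport 80 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_VTWEB" --dport 80 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_VTWEB" --sport 80 -j TCPACCEPT

#---------- HTTPS://VTWEB.APB.COM.BR (443-TCP)
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" --dport 443 \
        -j DNAT --to-destination "$IP_VTWEB:443"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_VTWEB" --dport 443 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_VTWEB" --dport 443 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_VTWEB" --sport 443 -j TCPACCEPT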


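########################################
# WormHole redirect to Terminal Sacoma
# 01/04/2009
# Cristiano
# Ricardo Souza
####################################
# NOTE(review): these rules hard-code the interface (bond0) and the
# addresses instead of using $INT_INTERNET / $IP_INTERNET and a variable
# from fw_variaveis, so they silently stop matching if the public address or
# the bond changes.  They are open to any source and add no FORWARD rule -
# they work only because the FORWARD policy is ACCEPT.  Whether bond0 is the
# same interface as $INT_INTERNET cannot be seen from this file.

$FW -t nat -A PREROUTING -i bond0 -p tcp -d 200.143.33.135 --dport 1680 -j DNAT --to 10.100.0.4:1680


###################
# Redirect for Connect Direct
# Project BOm BV
####################
$FW -t nat -A PREROUTING -i bond0 -p tcp -d 200.143.33.135 --dport 1363 -j DNAT --to 10.100.0.35:1363
$FW -t nat -A PREROUTING -i bond0 -p tcp -d 200.143.33.135 --dport 1364 -j DNAT --to 10.100.0.35:1364

# SNAT: everything 10.100.0.35 sends out of bond0 (any protocol and port,
# not just Connect Direct) leaves with the public address 200.143.33.135.
$FW -t nat -A POSTROUTING -s 10.100.0.35 -o bond0 -j SNAT --to 200.143.33.135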



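#############################
## change made on 19/11/2008 22:47
# Ricardo Augusto and FKlemp
# redirect traffic for 200.143.33.132 to 10.100.0.6
# to be removed on 20/11 at 15:00.
# NOTE(review): still here, commented out, long past its removal date (and it
# used $IP_WEB6 as both the public and the internal address).  Safe to delete.

#---------- HTTP://VTWEB.APB.COM.BR (80-TCP)
#$FW -t nat -I PREROUTING -p tcp -i $INT_INTERNET -d $IP_WEB6 --dport 80 \
#       -j DNAT --to-destination $IP_WEB6:80
#$FW -t nat -A POSTROUTING -p tcp -o $INT_INTRANET -d $IP_WEB6 --dport 80 -j ACCEPT
#$FW -A FORWARD -p TCP -i $INT_INTERNET -o $INT_INTRANET -d $IP_WEB6 --dport 80 -j TCPACCEPT
#$FW -A FORWARD -p TCP -i $INT_INTRANET -o $INT_INTERNET -s $IP_WEB6 --sport 80 -j TCPACCEPT




###################
# CHANGE MADE FOR THE MIGRATION OF THE APPLICATIONS BETWEEN SERVERS 10.100.0.5, 6 AND 7.
# nat for server 10.100.0.6 ($IP_WEB6), published on the second public
# address $IP_INTERNET2 - open to any source
####################
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET2" --dport 80 \
        -j DNAT --to-destination "$IP_WEB6:80"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_WEB6" --dport 80 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_WEB6" --dport 80 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_WEB6" --sport 80 -j TCPACCEPT
###############


# port 443
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET2" --dport 443 \
        -j DNAT --to-destination "$IP_WEB6:443"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_WEB6" --dport 443 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_WEB6" --dport 443 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_WEB6" --sport 443 -j TCPACCEPT


###################
# CHANGE MADE FOR THE MIGRATION OF THE APPLICATIONS BETWEEN SERVERS 10.100.0.5, 6 AND 7.
# nat for server 10.100.0.7 ($IP_WEB7), published on the third public
# address $IP_INTERNET3 - open to any source
####################
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET3" --dport 80 \
        -j DNAT --to-destination "$IP_WEB7:80"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_WEB7" --dport 80 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_WEB7" --dport 80 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_WEB7" --sport 80 -j TCPACCEPT
###############



# port 443
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET3" --dport 443 \
        -j DNAT --to-destination "$IP_WEB7:443"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_WEB7" --dport 443 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_WEB7" --dport 443 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_WEB7" --sport 443 -j TCPACCEPT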

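#---------- HTTP://COLOMBIA.CMTSP.COM.BR (9704-TCP) -> BI machine, any source
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" --dport 9704 \
        -j DNAT --to-destination "$IP_BI:9704"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_BI" --dport 9704 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_BI" --dport 9704 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_BI" --sport 9704 -j TCPACCEPT

#---------- GPRS access (10000-TCP) -> SCM machine, any source
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" --dport 10000 \
        -j DNAT --to-destination "$IP_SCM:10000"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_SCM" --dport 10000 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_SCM" --dport 10000 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_SCM" --sport 10000 -j TCPACCEPT

#---------- GPRS access [BKP] (10001-TCP) -> SCM2 machine, any source
# (the header used to say 10000; the rules have always used 10001)
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" --dport 10001 \
        -j DNAT --to-destination "$IP_SCM2:10001"
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_SCM2" --dport 10001 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_SCM2" --dport 10001 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_SCM2" --sport 10001 -j TCPACCEPT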

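#---------- FTP://VTWEB.APB.COM.BR (20:21-TCP), from $IP_APB_1 / $IP_APB_2 only
# NOTE(review): FTP is cleartext, login included - SFTP/FTPS should replace
# it.  Only inbound connections TO ports 20 and 21 are published here; if the
# clients use passive mode the data connection lands on high ports that are
# not forwarded, so confirm which FTP mode is in use (and whether port 20 is
# needed at all).
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" -s "$IP_APB_2" --dport 21 \
        -j DNAT --to-destination "$IP_VTWEB:21"
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" -s "$IP_APB_1" --dport 21 \
        -j DNAT --to-destination "$IP_VTWEB:21"

$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" -s "$IP_APB_2" --dport 20 \
        -j DNAT --to-destination "$IP_VTWEB:20"
$FW -t nat -I PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" -s "$IP_APB_1" --dport 20 \
        -j DNAT --to-destination "$IP_VTWEB:20"

$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_VTWEB" --dport 20 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_VTWEB" --dport 20 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_VTWEB" --sport 20 -j TCPACCEPT
$FW -t nat -A POSTROUTING -p tcp -o "$INT_INTRANET" -d "$IP_VTWEB" --dport 21 -j ACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_VTWEB" --dport 21 -j TCPACCEPT
$FW -A FORWARD -p TCP -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_VTWEB" --sport 21 -j TCPACCEPT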

#############################################################################
######################
#       #---------- Acesso GPRS[BKP] (10002-TCP)
#
#############################################################################
######################

$FW -t nat -I PREROUTING -p tcp -i $INT_INTERNET -d $IP_INTERNET --dport 10002
\
        -j DNAT --to-destination $IP_SP3:10002
$FW -t nat -A POSTROUTING -p tcp -o $INT_INTRANET -d $IP_SP3 --dport 10002 -j
ACCEPT
$FW -A FORWARD -p TCP -i $INT_INTERNET -o $INT_INTRANET -d $IP_SP3 --dport
10002 -j ACCEPT
$FW -A FORWARD -p TCP -i $INT_INTRANET -o $INT_INTERNET -s $IP_SP3 --sport
10002 -j ACCEPT
# Acesso  vindo na porta 1518 para maquina UDP vindo da empresa Guarupas
$FW -t nat -A PREROUTING -p tcp -i $INT_INTERNET -d $IP_INTERNET -s
$IP_GUARUPAS --dport 1518 -j DNAT --to-destination $IP_UDP:1518
$FW -A FORWARD -p tcp -i $INT_INTERNET -o $INT_INTRANET -d $IP_UDP --dport
1518 -j ACCEPT
$FW -A FORWARD -p tcp -i $INT_INTRANET -o $INT_INTERNET -s $IP_UDP --sport
1518 -j ACCEPT
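# Access on port 7700 to the "UDP" machine, coming from the company Talisma.
# Change made at Adriano's request: Talisma could not connect to
# 200.143.33.132:7700 with the source-restricted rules, which are kept here
# commented out.
#"$FW" -t nat -A PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" -s "$IP_TALISMA" --dport 7700 -j DNAT --to-destination "$IP_UDP:7700"
#"$FW" -A FORWARD -p tcp -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_UDP" --dport 7700 -j ACCEPT
#"$FW" -A FORWARD -p tcp -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_UDP" --sport 7700 -j ACCEPT

# NOTE(review): the replacement rule has no -s match, so port 7700 is now
# redirected for any source arriving on bond0, and it names bond0 directly
# rather than $INT_INTERNET (whether the two are the same interface is not
# visible here -- confirm).  No FORWARD rules accompany it, so the forwarded
# flow depends on the FORWARD chain's other rules or its policy.
"$FW" -t nat -A PREROUTING -i bond0 -p tcp -d "$IP_INTERNET" --dport 7700 \
  -j DNAT --to-destination "$IP_UDP:7700"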


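#-------------------------------------------------------------------------------
# Access on port 7700 to the "UDP" machine, coming from the company ERT Sao Roque
#-------------------------------------------------------------------------------

# NOTE(review): the heading says 7700 but the rules use 2180 -- one of them is
# stale; confirm which is intended.  "-s 0/0" matches every source address, so
# this redirect is open to the whole Internet even though the heading names a
# single partner; the other partner rules in this section restrict -s to a
# per-company address.
"$FW" -t nat -A PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" -s 0/0 \
  --dport 2180 -j DNAT --to-destination "$IP_UDP:2180"
"$FW" -A FORWARD -p tcp -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_UDP" --dport 2180 -j ACCEPT
"$FW" -A FORWARD -p tcp -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_UDP" --sport 2180 -j ACCEPT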

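#-----------------------------------------------------------------------------------
# Access on port 1660 to the "UDP" machine, coming from the company DELREY/ETT - Carapicuiba
#-----------------------------------------------------------------------------------

# Source-restricted to $IP_DELREY; the two FORWARD rules pass the redirected
# flow and its replies.
"$FW" -t nat -A PREROUTING -p tcp -i "$INT_INTERNET" -d "$IP_INTERNET" -s "$IP_DELREY" \
  --dport 1660 -j DNAT --to-destination "$IP_UDP:1660"
"$FW" -A FORWARD -p tcp -i "$INT_INTERNET" -o "$INT_INTRANET" -d "$IP_UDP" --dport 1660 -j ACCEPT
"$FW" -A FORWARD -p tcp -i "$INT_INTRANET" -o "$INT_INTERNET" -s "$IP_UDP" --sport 1660 -j ACCEPT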



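##########################################################################################################
#       Worm Hole access coming from EMTU
#
##########################################################################################################

# Unlike the partner rules above, this one arrives on the intranet interface
# (-i $INT_INTRANET, -d $IP_INTRANET) and is redirected to the "UDP" machine on
# 2000.  Each FORWARD rule names only one interface.
"$FW" -t nat -A PREROUTING -p tcp -i "$INT_INTRANET" -d "$IP_INTRANET" -s "$IP_EMTU" \
  --dport 2000 -j DNAT --to-destination "$IP_UDP:2000"
"$FW" -A FORWARD -p tcp -o "$INT_INTRANET" -d "$IP_UDP" --dport 2000 -j ACCEPT
"$FW" -A FORWARD -p tcp -i "$INT_INTRANET" -s "$IP_UDP" --sport 2000 -j ACCEPT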

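#_______________________________________________________________________________
# SSH - from the Internet to the firewall
#_______________________________________________________________________________

# fw_apb lists the allowed source addresses, one per line; text after '#' on a
# line is a comment.  The unquoted $(...) is intentional: the shell's word
# splitting skips blank lines and lets one line carry several addresses,
# exactly as the original backtick form did.
for APB in $(awk -F'#' '{ print $1 }' /etc/rc.d/init.d/prodata/fw_apb); do
  "$FW" -A INPUT -i "$INT_INTERNET" -s "$APB" -d "$IP_INTERNET" -p tcp --dport 22 -j ACCEPT
  "$FW" -A OUTPUT -o "$INT_INTERNET" -s "$IP_INTERNET" -d "$APB" -p tcp --sport 22 -j ACCEPT
  "$FW" -t nat -A PREROUTING -i "$INT_INTERNET" -p tcp -s "$APB" -d "$IP_INTERNET" --dport 22 -j ACCEPT
done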

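#--------- From the intranet network to the firewall
# Any host on the intranet interface may reach the firewall's own port 22;
# the OUTPUT and nat PREROUTING entries cover the replies and the nat
# traversal of the same flow.
"$FW" -A INPUT -i "$INT_INTRANET" -d "$IP_INTRANET" -p tcp --dport 22 -j ACCEPT
"$FW" -A OUTPUT -o "$INT_INTRANET" -s "$IP_INTRANET" -p tcp --sport 22 -j ACCEPT
"$FW" -t nat -A PREROUTING -i "$INT_INTRANET" -p tcp -d "$IP_INTRANET" --dport 22 -j ACCEPT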

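#--------- From the firewall to the INTRANET
# SSH sessions started on the firewall itself towards intranet hosts.
# NOTE(review): the INPUT entry (replies, --sport 22) jumps to TCPACCEPT
# while every other entry here uses ACCEPT; TCPACCEPT is a user-defined chain
# not created in this file, so that rule fails to load if the chain is absent.
"$FW" -A INPUT -i "$INT_INTRANET" -d "$IP_INTRANET" -p tcp --sport 22 -j TCPACCEPT
"$FW" -A OUTPUT -o "$INT_INTRANET" -s "$IP_INTRANET" -p tcp --dport 22 -j ACCEPT
"$FW" -t nat -A POSTROUTING -o "$INT_INTRANET" -p tcp -s "$IP_INTRANET" --dport 22 -j ACCEPT
"$FW" -t nat -A PREROUTING -i "$INT_INTRANET" -p tcp -d "$IP_INTRANET" --sport 22 -j ACCEPT
"$FW" -t nat -A OUTPUT -o "$INT_INTRANET" -p tcp -s "$IP_INTRANET" --dport 22 -j ACCEPT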

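#_______________________________________________________________________________
# NAT - from the intranet network to the INTERNET (EVERYTHING)
#_______________________________________________________________________________

# A per-host loop over fw_nat is left commented out around the three rules;
# what actually runs masquerades the whole $REDE_INTRANET range.
#for NAT in $(awk -F'#' '{ print $1 }' /etc/rc.d/init.d/fw_nat); do
# Only TCP, IP protocol 47 (GRE) and UDP are masqueraded; ICMP leaving the
# intranet is not covered by these three rules.
"$FW" -t nat -A POSTROUTING -o "$INT_INTERNET" -p tcp -s "$REDE_INTRANET" -j MASQUERADE
"$FW" -t nat -A POSTROUTING -o "$INT_INTERNET" -p 47 -s "$REDE_INTRANET" -j MASQUERADE
"$FW" -t nat -A POSTROUTING -o "$INT_INTERNET" -p udp -s "$REDE_INTRANET" -j MASQUERADE
#done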

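#_______________________________________________________________________________
# NAT - FULL ACCESS
#_______________________________________________________________________________

# Every address listed in fw_nat_full is passed on both interfaces, for any
# protocol, whether it is the source or the destination -- no port or state
# matching at all.  Word splitting of the unquoted $(...) is intentional, as
# in the fw_apb loop.
for NAT_FULL in $(awk -F'#' '{ print $1 }' /etc/rc.d/init.d/prodata/fw_nat_full); do
  "$FW" -t nat -A PREROUTING -i "$INT_INTERNET" -p all -s "$NAT_FULL" -j ACCEPT
  "$FW" -A FORWARD -i "$INT_INTERNET" -p all -s "$NAT_FULL" -j ACCEPT
  "$FW" -t nat -A PREROUTING -i "$INT_INTERNET" -p all -d "$NAT_FULL" -j ACCEPT
  "$FW" -A FORWARD -i "$INT_INTERNET" -p all -d "$NAT_FULL" -j ACCEPT

  "$FW" -t nat -A PREROUTING -i "$INT_INTRANET" -p all -s "$NAT_FULL" -j ACCEPT
  "$FW" -A FORWARD -i "$INT_INTRANET" -p all -s "$NAT_FULL" -j ACCEPT
  "$FW" -t nat -A PREROUTING -i "$INT_INTRANET" -p all -d "$NAT_FULL" -j ACCEPT
  "$FW" -A FORWARD -i "$INT_INTRANET" -p all -d "$NAT_FULL" -j ACCEPT
done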

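#-------------CLIENT APPLICATIONS ALLOWED for REDE_INTRANET (NAT)---------------

#-------------------------Rules for INT_INTERNET------------------------------

# EVERYTHING_____________________________________________________________________
#"$FW" -t nat -A PREROUTING -i "$INT_INTERNET" -p all -j ACCEPT
#"$FW" -A FORWARD -i "$INT_INTERNET" -p all -j ACCEPT

# fw_ports lists one port per line ('#' starts a comment; word splitting of
# the unquoted $(...) is intentional).  Traffic from the Internet interface is
# accepted by SOURCE port only.
# NOTE(review): the source port is chosen by the remote peer, so any host can
# satisfy "--sport $PORTS" whatever service it is really contacting; the
# conventional return-path match is stateful (-m state --state
# ESTABLISHED,RELATED), which this section does not use.
for PORTS in $(awk -F'#' '{ print $1 }' /etc/rc.d/init.d/prodata/fw_ports); do
  "$FW" -t nat -A PREROUTING -i "$INT_INTERNET" -p tcp --sport "$PORTS" -j ACCEPT
  "$FW" -A FORWARD -i "$INT_INTERNET" -p tcp --sport "$PORTS" -j ACCEPT
  "$FW" -t nat -A PREROUTING -i "$INT_INTERNET" -p udp --sport "$PORTS" -j ACCEPT
  "$FW" -A FORWARD -i "$INT_INTERNET" -p udp --sport "$PORTS" -j ACCEPT
done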
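# EVERYTHING_____________________________________________________________________
#"$FW" -t nat -A PREROUTING -i "$INT_INTRANET" -p all -j ACCEPT
#"$FW" -A FORWARD -i "$INT_INTRANET" -p all -j ACCEPT

# Same port list, intranet side: traffic from the intranet interface is
# accepted by DESTINATION port (the service being contacted).  Word splitting
# of the unquoted $(...) is intentional, as in the loop above.
for PORTS in $(awk -F'#' '{ print $1 }' /etc/rc.d/init.d/prodata/fw_ports); do
  "$FW" -t nat -A PREROUTING -i "$INT_INTRANET" -p tcp --dport "$PORTS" -j ACCEPT
  "$FW" -A FORWARD -i "$INT_INTRANET" -p tcp --dport "$PORTS" -j ACCEPT
  "$FW" -t nat -A PREROUTING -i "$INT_INTRANET" -p udp --dport "$PORTS" -j ACCEPT
  "$FW" -A FORWARD -i "$INT_INTRANET" -p udp --dport "$PORTS" -j ACCEPT
done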

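#_______________________________________________________________________________
# FINAL POLICY - DENY EVERYTHING
#_______________________________________________________________________________

# NOTE(review): every rule in this section is commented out, so nothing after
# the per-service ACCEPT rules above drops or logs traffic.  With the chain
# policies set to ACCEPT at the start of this arm, anything the rules above do
# not match is allowed through; re-enabling these lines (or setting the
# policies to DROP) is what would turn the allow-lists above into an actual
# deny-by-default firewall.
#"$FW" -A OUTPUT -m state -p icmp --state INVALID -j DROP
#"$FW" -A INPUT -i "$INT_INTERNET" -j DROP
#"$FW" -A OUTPUT -o "$INT_INTERNET" -j DROP
#"$FW" -A FORWARD -i "$INT_INTERNET" -j DROP
#"$FW" -A FORWARD -o "$INT_INTERNET" -j DROP

#"$FW" -A INPUT -i "$INT_INTRANET" -j DROP
#"$FW" -A OUTPUT -o "$INT_INTRANET" -j DROP
#"$FW" -A FORWARD -i "$INT_INTRANET" -j DROP
#"$FW" -A FORWARD -o "$INT_INTRANET" -j DROP

#_______________________________________________________________________________
# LOG of ALL rules
#_______________________________________________________________________________

# Also disabled: a catch-all LOG (kernel log level 3, per-chain prefix)
# followed by DROP at the end of each chain.
#"$FW" -A FORWARD -j LOG --log-level 3 --log-prefix "PRODATA_FORWARD "
#"$FW" -A FORWARD -j DROP
#"$FW" -A INPUT -j LOG --log-level 3 --log-prefix "PRODATA_INPUT "
#"$FW" -A INPUT -j DROP
#"$FW" -A OUTPUT -j LOG --log-level 3 --log-prefix "PRODATA_OUTPUT "
#"$FW" -A OUTPUT -j DROP
#"$FW" -t nat -A POSTROUTING -j LOG --log-level 3 --log-prefix "PRODATA_POSTROUTING "
#"$FW" -t nat -A POSTROUTING -j DROP
#"$FW" -t nat -A PREROUTING -j LOG --log-level 3 --log-prefix "PRODATA_PREROUTING "
#"$FW" -t nat -A PREROUTING -j DROP
#"$FW" -t nat -A OUTPUT -j LOG --log-level 3 --log-prefix "PRODATA_OUTPUT_ROUTING "
#"$FW" -t nat -A OUTPUT -j DROP

# Completion banner (same output as the original echo pair).
printf '\n'
printf '%s\n' "FIREWALL....STARTED!!!!"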
;;
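   *)
      # Unknown action: print usage and fail.  The closing keyword must be
      # lowercase "esac"; "Esac" is a syntax error that keeps the whole
      # script from parsing.
      printf '%s\n' "Uso: ./fw_prodata.com.br (start|stop|restart|status)"
      exit 1
      ;;
esac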


-----Mensagem original-----
De: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Em nome de Mark Shroyer
Enviada em: segunda-feira, 4 de maio de 2009 15:34
Para: misc@openBSD.org
Assunto: Re: Migration from IPTABLES to PF

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
>
> I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
> who installed it left our company some months ago.
> I spent some years away from iptables; now I have to migrate this firewall
> to PF.
> There are some 'special' features on this firewall, and I need some
> documentation or help about implementing these features on the new firewall (PF).
>
> This is the iptables scripts:
>
> [...]

Is that actually all there is to the firewall setup?

This script creates a bunch of chains for performing various actions on
packets, but it doesn't actually add any rules to the filter table's
special INPUT, OUTPUT, or FORWARD chains that would jump processing
logic through these auxiliary chains.  So unless there are some other
iptables commands hidden somewhere else, the logic defined in this
script will never be applied and your "firewall" will simply let
everything through.

What is the output of `iptables -L -n` on this machine?

--
Mark Shroyer
http://markshroyer.com/contact/
