# Bring both ports up, pin a fixed MAC on each, then join them in a Linux
# bridge (br0) so this host forwards frames between the two segments.
for nic in eth0 eth1; do
  ifconfig "$nic" up
done
ifconfig eth0 hw ether 04:00:00:00:01:00
ifconfig eth1 hw ether 04:00:00:00:01:01
# NOTE(review): some NIC drivers reject a MAC change while the link is up
# (SIOCSIFHWADDR: EBUSY); if that happens on the lab image, set the MAC
# before the `up`.
brctl addbr br0
for nic in eth0 eth1; do
  brctl addif br0 "$nic"
done
ifconfig br0 up
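# ---------------------------------------------------------------------------
# Filtering rules (iptables-legacy).
#
# Everything not explicitly accepted below is dropped by chain policy, so the
# ACCEPT rules alone define the allowed traffic.  The rule set is stateless:
# each TCP conversation needs one rule per direction, and the "reply" rules
# match on the server's source port.  A remote host chooses its own source
# port, so a bare "--sport N" reply rule would let it open NEW connections to
# ANY port on the protected side simply by sending from port N.  "! --syn" on
# every reply rule closes that hole (only non-connection-initiating segments
# are accepted on the reply path).  "-m conntrack --ctstate ESTABLISHED,RELATED"
# is the stronger fix if nf_conntrack is available in the lab kernel.
#
# NOTE(review): this traffic crosses the br0 bridge built above.  iptables
# only sees bridged frames when br_netfilter is active
# (net.bridge.bridge-nf-call-iptables=1), and then FORWARD reports -i/-o as
# br0 -- per-port matching needs "-m physdev --physdev-in ethN".  Verify on
# the lab image.
#
# Fixes against the previous version of this file, each marked FIX below:
#   * web server reply rule for 5.4.3.0/24:80 used --dport instead of --sport;
#   * CRYPTOTEKK -> 6.6.6.0/24 rules had --sport/--dport swapped (they let
#     6.6.6.0/24 initiate into the LAN instead of the reverse);
#   * file server rule used "1.2.4.55/24", which iptables masks to 1.2.4.0/24
#     (SMB opened on the whole LAN), and also had the ports swapped.
# ---------------------------------------------------------------------------

# Start from an empty table so re-running this script does not accumulate
# duplicate rules.
iptables-legacy -F

# Default-deny: anything not matched by an ACCEPT rule below is dropped.
iptables-legacy -P INPUT DROP
iptables-legacy -P FORWARD DROP
iptables-legacy -P OUTPUT DROP

# ICMP is accepted unconditionally.
# NOTE(review): this is every ICMP type, in every direction, including through
# the firewall -- generous for recon/tunnelling.  Restricting to echo-request /
# echo-reply plus unreachable / time-exceeded would be tighter if the lab
# allows it.
iptables-legacy -A INPUT -p icmp -j ACCEPT
iptables-legacy -A FORWARD -p icmp -j ACCEPT
iptables-legacy -A OUTPUT -p icmp -j ACCEPT

# --- Web server (1.2.3.1): SSH and HTTP from 6.6.6.0/24 and 5.4.3.0/24 ---------
# FIX: generated from a loop so the two directions cannot drift apart again
# (the 5.4.3.0/24:80 reply rule previously said --dport 80).
for client in 6.6.6.0/24 5.4.3.0/24; do
  for port in 22 80; do
    iptables-legacy -A FORWARD -s "$client" -d 1.2.3.1 -p tcp --dport "$port" -j ACCEPT
    iptables-legacy -A FORWARD -s 1.2.3.1 -d "$client" -p tcp --sport "$port" ! --syn -j ACCEPT
  done
done

# --- Mail server (1.2.3.2) ------------------------------------------------------
# Submission / SMTPS (465, 587) from 6.6.6.0/24 to the mail server.
for port in 465 587; do
  iptables-legacy -A FORWARD -s 6.6.6.0/24 -d 1.2.3.2 -p tcp --dport "$port" -j ACCEPT
  iptables-legacy -A FORWARD -s 1.2.3.2 -d 6.6.6.0/24 -p tcp --sport "$port" ! --syn -j ACCEPT
done
# The mail server may deliver to other mail servers (465, 587) in 5.4.3.0/24
# and 6.6.6.0/24.
# NOTE(review): the previous version listed the 5.4.3.0/24 pair under the
# "send to MailServer" heading, but those rules only allow the mail server to
# *initiate* towards 5.4.3.0/24 -- there is no inbound 5.4.3.0/24 -> 1.2.3.2
# submission rule.  Kept as written; add the inbound pair above if that was
# the intent.
for peer in 5.4.3.0/24 6.6.6.0/24; do
  for port in 465 587; do
    iptables-legacy -A FORWARD -s 1.2.3.2 -d "$peer" -p tcp --dport "$port" -j ACCEPT
    iptables-legacy -A FORWARD -s "$peer" -d 1.2.3.2 -p tcp --sport "$port" ! --syn -j ACCEPT
  done
done

# --- CRYPTOTEKK workstations (1.2.4.0/24) --------------------------------------
# May reach SSH, HTTP and mail servers (22, 80, 465, 587) in 6.6.6.0/24.
# FIX: --sport/--dport were swapped here, which allowed 6.6.6.0/24 to open
# connections *into* the LAN on those ports instead of the reverse.
for port in 22 80 465 587; do
  iptables-legacy -A FORWARD -s 1.2.4.0/24 -d 6.6.6.0/24 -p tcp --dport "$port" -j ACCEPT
  iptables-legacy -A FORWARD -s 6.6.6.0/24 -d 1.2.4.0/24 -p tcp --sport "$port" ! --syn -j ACCEPT
done
# NOTE(review): the original heading also said the LAN may reach servers "in
# CRYPTOTEKK", but no rule lets 1.2.4.0/24 reach 1.2.3.1 / 1.2.3.2, so the
# DROP policy blocks that.  Confirm whether it is intended.

# SMB (445) on the file server 1.2.4.55 from 5.4.3.0/24.
# FIX: "1.2.4.55/24" was masked by iptables to 1.2.4.0/24, exposing 445 on the
# whole LAN rather than on the one host; the ports were also swapped relative
# to the heading ("access the FileServer" => the file server is the target).
# If 5.4.3.0/24 is in fact meant to be the SMB server side, swap the two rules.
iptables-legacy -A FORWARD -s 5.4.3.0/24 -d 1.2.4.55 -p tcp --dport 445 -j ACCEPT
iptables-legacy -A FORWARD -s 1.2.4.55 -d 5.4.3.0/24 -p tcp --sport 445 ! --syn -j ACCEPT

# --- Anti-spoofing -------------------------------------------------------------
# NOTE(review): both rules below are dead as written.  They sit *after* every
# ACCEPT and the chain policy is already DROP, so they can never change a
# verdict.  To be effective they must come first and be bound to the port the
# packet arrives on (drop src in 1.2.0.0/20 arriving from the outside, drop
# src NOT in 1.2.0.0/20 arriving from the inside; with the bridge that means
# "-m physdev --physdev-in ethN").  Which of eth0/eth1 faces outside is not
# visible here, so the rules are left in place rather than guessed.
# No packet may leave the zone with a source outside 1.2.0.0/20.
iptables-legacy -A FORWARD ! -s 1.2.0.0/20 -j DROP
# No packet may enter claiming a source inside the zone's own range
# (as written this only matches internal-source -> internal-destination).
iptables-legacy -A FORWARD -s 1.2.0.0/20 -d 1.2.0.0/20 -j DROP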