-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathHQ.startup
More file actions
81 lines (62 loc) · 4.08 KB
/
Copy pathHQ.startup
File metadata and controls
81 lines (62 loc) · 4.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
ip addr add dev eth0 10.0.2.69/30
ip link set dev eth0 up
ip addr add dev eth1 10.0.2.65/30
ip link set dev eth1 up
ip addr add dev eth2 192.168.0.6/29
ip link set dev eth2 up
ip addr add dev eth3 10.0.0.136/28
ip link set dev eth3 up
ip addr add dev eth4 10.0.0.152/28
ip link set dev eth4 up
ip addr add dev eth5 10.0.0.17/30
ip link set dev eth5 up
ip route add 10.0.2.80/28 via 10.0.0.130
/etc/init.d/zebra start
/etc/init.d/dhcp3-server start
/etc/init.d/snmpd start
#PROXY
iptables -t nat -A PREROUTING -i eth0 -s ! 10.0.0.131 -p tcp --dport 80 -j DNAT --to 10.0.0.131:3128
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.176/28 -d 10.0.0.131 -j SNAT --to 10.0.0.136
iptables -A FORWARD -s 10.0.0.176/28 -d 10.0.0.131 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s ! 10.0.0.131 -p tcp --dport 80 -j DNAT --to 10.0.0.131:3128
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.160/28 -d 10.0.0.131 -j SNAT --to 10.0.0.136
iptables -A FORWARD -s 10.0.0.160/28 -d 10.0.0.131 -i eth1 -o eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -i eth5 -p TCP --dport 80 -j ACCEPT
iptables -A FORWARD -s ! 10.0.0.131 -p TCP --dport 80 -j DROP
#geral
iptables -A FORWARD -i eth5 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth5 -m state --state RELATED -j ACCEPT
#eth0 office2
iptables -A FORWARD -i eth5 -o eth0 -d 10.0.0.176/29 -j ACCEPT
iptables -A FORWARD -i eth0 -s 10.0.0.176/29 -o ! eth5 -d 192.168.0.0/16 -j DROP #bloquear acesso a máquinas internas com ip privado
iptables -A FORWARD -i eth0 -s 10.0.0.176/29 -o ! eth5 -p TCP --dport 23 -j DROP #bloquear acesso a telnet
iptables -A FORWARD -i eth0 -s 10.0.0.176/29 -o ! eth5 -p TCP --dport 111 -j DROP #bloquear acesso a rpcbind
iptables -A FORWARD -i eth0 -s 10.0.0.176/29 -o ! eth5 -p TCP --dport 199 -j DROP #bloquear acesso a smux
iptables -A FORWARD -i eth0 -o eth5 -d 10.0.0.128/26 -j DROP #protecao contra spoofing
#eth1 office1
iptables -A FORWARD -i eth5 -o eth1 -d 10.0.0.160/29 -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.0.0.160/29 -o ! eth5 -d 192.168.0.0/16 -j DROP #bloquear acesso a máquinas internas com ip privado
iptables -A FORWARD -i eth1 -s 10.0.0.160/29 -o ! eth5 -p TCP --dport 23 -j DROP #bloquear acesso a telnet
iptables -A FORWARD -i eth1 -s 10.0.0.160/29 -o ! eth5 -p TCP --dport 111 -j DROP #bloquear acesso a rpcbind
iptables -A FORWARD -i eth1 -s 10.0.0.160/29 -o ! eth5 -p TCP --dport 199 -j DROP #bloquear acesso a smux
iptables -A FORWARD -i eth1 -o eth5 -d 10.0.0.128/26 -j DROP #protecao contra spoofing
#eth2 private servers
#eth3 public servers
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.129 -s ! 10.0.0.128/26 -p TCP --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.129 -s ! 10.0.0.128/26 -p TCP --dport 25 -j ACCEPT #smtp
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.129 -s ! 10.0.0.128/26 -p TCP --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.129 -s ! 10.0.0.128/26 -p UDP --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.129 -s ! 10.0.0.128/26 -p TCP --dport 143 -j ACCEPT #imap
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.130 -s ! 10.0.0.128/26 -p TCP --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.130 -s ! 10.0.0.128/26 -p TCP --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.130 -s ! 10.0.0.128/26 -p UDP --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.130 -s ! 10.0.0.128/26 -p TCP --dport 80 -j ACCEPT #http
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.130 -s ! 10.0.0.128/26 -p TCP --dport 443 -j ACCEPT #https
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.130 -s ! 10.0.0.128/26 -p UDP --dport 1194 -j ACCEPT #vpn
iptables -A FORWARD -i eth5 -o eth3 -d 10.0.0.131 -s ! 10.0.0.128/26 -p TCP --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i eth3 -o eth5 -d 10.0.0.128/26 -j DROP #protecao contra spoofing
#eth4 admin services
iptables -A FORWARD -i eth4 -o eth5 -d 10.0.0.128/26 -j DROP #protecao contra spoofing
#drops
iptables -A FORWARD -s 192.168.0.0/16 -o eth5 -j DROP
iptables -A FORWARD -i eth5 -j DROP