[Ubuntu-BR] Ajuda com firewall

Marcelo Garcia / Supermar marcelo.garcia em supermar.com.br
Sexta Julho 4 14:52:35 UTC 2008 

Pessoal,

O ultimo firewall q escrevi foi em 2003. Agora to recomecando do zero em um 
novo servidor. Por hora ele tem squid transparente, mas vai ter apache e 
email. Qdo ativo o firewall, o repasse de email esta ok, porem NAO navego, 
nem consigo acessar o ssh. Lembro que tem q abrir portas de retorno, mas nao 
sei como faz. Alguem pode olhar o script abaixo,e me dizer aonde estou 
pegado ?

Obrigado

Marcelo



ext='eth0'
int='eth1'
ipint='192.168.0.1'
redeint='192.168.0.0/16'
ipext='200.200.233.200'
redeext='200.200.233.0/255.255.255.192'
internet='0/0'
modprobe iptable_nat
####################3#Politicas padroes
iptables  -P INPUT  DROP
iptables  -P FORWARD DROP
#iptables  -P OUTPUT  DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Habilita o NAT + Proxy Transparente
#
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to-source 
200.200.233.200
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j 
REDIRECT --to-port 3128
##################### Libera Ping rede interna
iptables -A OUTPUT  -p icmp -s $ipext    -d $redeext  --icmp-type 8 -j 
ACCEPT
iptables -A INPUT   -p icmp -s $ipext    -d $redeext  --icmp-type 8 -j 
ACCEPT
iptables -A OUTPUT  -p icmp -s $ipext    -d $redeext  --icmp-type 0 -j 
ACCEPT
iptables -A INPUT   -p icmp -s $ipext    -d $redeext  --icmp-type 0 -j 
ACCEPT
##################### Libera DNS, HTTP, ICMP GW-Internet, Proxy
iptables -A OUTPUT  -p udp  -s $ipext    -d $internet --dport 53    -j 
ACCEPT
iptables -A INPUT   -p udp  -s $internet -d $ipext    --sport 53    -j 
ACCEPT
iptables -A OUTPUT  -p icmp -s $ipext    -d $internet --icmp-type 8 -j 
ACCEPT
iptables -A INPUT   -p icmp -s $internet -d $ipext    --icmp-type 0 -j 
ACCEPT
iptables -A OUTPUT  -p tcp  -s $ipint    -d $internet --dport 80    -j 
ACCEPT
iptables -A INPUT   -p tcp  -s $internet -d $ipint    --sport 80    -j 
ACCEPT
iptables -A OUTPUT  -p tcp  -s $ipint    -d $redeint  --dport 3128  -j 
ACCEPT
iptables -A INPUT   -p tcp  -s $redeint  -d $ipint    --sport 3128  -j 
ACCEPT
##################### Libera DNS / PING / HTTP / POP / SMTP p/ rede interna
iptables -A FORWARD -p udp  -s $redeint  -d $internet --dport 53    -j 
ACCEPT
iptables -A FORWARD -p udp  -s $internet -d $redeint  --sport 53    -j 
ACCEPT
iptables -A FORWARD -p icmp -s $redeint  -d $internet --icmp-type 8 -j 
ACCEPT
iptables -A FORWARD -p icmp -s $internet -d $redeint  --icmp-type 0 -j 
ACCEPT
iptables -A FORWARD -p tcp  -s $redeint  -d $internet --dport 80    -j 
ACCEPT
iptables -A FORWARD -p tcp  -s $internet -d $redeint  --sport 80    -j 
ACCEPT
iptables -A FORWARD -p tcp  -s $redeint  -d $internet --dport 25    -j 
ACCEPT
iptables -A FORWARD -p tcp  -s $internet -d $redeint  --sport 25    -j 
ACCEPT
iptables -A FORWARD -p tcp  -s $redeint  -d $internet --dport 110   -j 
ACCEPT
iptables -A FORWARD -p tcp  -s $internet -d $redeint  --sport 110   -j 
ACCEPT
##################### Libera SSH p/ rede interna
iptables -A INPUT   -p udp  -s $redeint  -d $ipint    --sport 22    -j 
ACCEPT
iptables -A OUTPUT  -p udp  -s $ipint    -d $redeint  --dport 22    -j 
ACCEPT

More information about the ubuntu-br mailing list