Help with firewall

Marcelo Garcia / Supermar marcelo.garcia at supermar.com.br
Fri Jul 4 14:52:05 UTC 2008


Hello All

I wrote a firewall in 2003. But now I'm starting from zero, on a new 
server. Today it has transparent squid, but this server will be an apache and 
postfix server. When I start the script, the forwarding of email is OK. But 
I can't access websites, or SSH. I remember that I need to open the high 
ports to establish connections, but I didn't remember it. Can somebody help me 
?

Thanks a lot

Marcelo



#!/bin/sh
ext='eth0'
int='eth1'
ipint='192.168.0.1'
redeint='192.168.0.0/16'
ipext='200.200.233.200'
redeext='200.200.233.0/255.255.255.192'
internet='0/0'
modprobe iptable_nat
##################### Default policies
iptables  -P INPUT  DROP
iptables  -P FORWARD DROP
#iptables  -P OUTPUT  DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Enable NAT + transparent proxy
#
iptables -t nat -A POSTROUTING -s $redeint -o $ext -j SNAT --to-source $ipext
iptables -t nat -A PREROUTING -i $int -p tcp --dport 80 -j REDIRECT --to-port 3128
##################### Allow ping on the internal network
iptables -A OUTPUT  -p icmp -s $ipext    -d $redeext  --icmp-type 8 -j ACCEPT
iptables -A INPUT   -p icmp -s $ipext    -d $redeext  --icmp-type 8 -j ACCEPT
iptables -A OUTPUT  -p icmp -s $ipext    -d $redeext  --icmp-type 0 -j ACCEPT
iptables -A INPUT   -p icmp -s $ipext    -d $redeext  --icmp-type 0 -j ACCEPT
##################### Allow DNS, HTTP, ICMP from the gateway to the Internet, proxy
iptables -A OUTPUT  -p udp  -s $ipext    -d $internet --dport 53    -j ACCEPT
iptables -A INPUT   -p udp  -s $internet -d $ipext    --sport 53    -j ACCEPT
iptables -A OUTPUT  -p icmp -s $ipext    -d $internet --icmp-type 8 -j ACCEPT
iptables -A INPUT   -p icmp -s $internet -d $ipext    --icmp-type 0 -j ACCEPT
iptables -A OUTPUT  -p tcp  -s $ipint    -d $internet --dport 80    -j ACCEPT
iptables -A INPUT   -p tcp  -s $internet -d $ipint    --sport 80    -j ACCEPT
iptables -A OUTPUT  -p tcp  -s $ipint    -d $redeint  --dport 3128  -j ACCEPT
iptables -A INPUT   -p tcp  -s $redeint  -d $ipint    --sport 3128  -j ACCEPT
##################### Allow DNS / ping / HTTP / POP / SMTP for the internal network
iptables -A FORWARD -p udp  -s $redeint  -d $internet --dport 53    -j ACCEPT
iptables -A FORWARD -p udp  -s $internet -d $redeint  --sport 53    -j ACCEPT
iptables -A FORWARD -p icmp -s $redeint  -d $internet --icmp-type 8 -j ACCEPT
iptables -A FORWARD -p icmp -s $internet -d $redeint  --icmp-type 0 -j ACCEPT
iptables -A FORWARD -p tcp  -s $redeint  -d $internet --dport 80    -j ACCEPT
iptables -A FORWARD -p tcp  -s $internet -d $redeint  --sport 80    -j ACCEPT
iptables -A FORWARD -p tcp  -s $redeint  -d $internet --dport 25    -j ACCEPT
iptables -A FORWARD -p tcp  -s $internet -d $redeint  --sport 25    -j ACCEPT
iptables -A FORWARD -p tcp  -s $redeint  -d $internet --dport 110   -j ACCEPT
iptables -A FORWARD -p tcp  -s $internet -d $redeint  --sport 110   -j ACCEPT
##################### Allow SSH for the internal network
# SSH is TCP, and a connection coming in to this host must match on --dport 22
# (the posted rules used UDP and --sport 22, so no SSH session could ever be opened).
iptables -A INPUT   -p tcp  -s $redeint  -d $ipint    --dport 22    -j ACCEPT
iptables -A OUTPUT  -p tcp  -s $ipint    -d $redeint  --sport 22    -j ACCEPT
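The "high ports" the post remembers are the ephemeral source ports (1024 and up) that replies to outgoing connections come back on; with a DROP policy on INPUT and FORWARD, and rules that only match --sport 80, --sport 53 and so on in the reply direction, every reply on another port is dropped, which is why web browsing and SSH stop while the NAT'd mail forwarding keeps working. Rather than opening the whole ephemeral range, the usual fix is to let connection tracking accept replies to connections the box or the LAN opened. The script below is an added example written for this post, not the poster's script: the interface names and addresses are taken from the post, the IPT variable is my own convention (it defaults to printing the commands so the rule set can be reviewed, and IPT=iptables applied as root installs them), and it still relies on ip_forward and the NAT module being enabled as in the original. On very old iptables builds `-m state --state` is the equivalent of `-m conntrack --ctstate`.

```shell
#!/bin/sh
# Added example, not the poster's script. Interfaces and addresses are from the post;
# IPT is an assumption of this example: it defaults to echoing the commands, and
# IPT=iptables (run as root) applies them.
ext='eth0'
int='eth1'
redeint='192.168.0.0/16'
ipext='200.200.233.200'
IPT="${IPT:-echo iptables}"

stateful_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT    # the post leaves OUTPUT open as well

    # Replies to connections this host or the LAN opened arrive on ephemeral
    # ("high") ports. Instead of opening that whole range, accept only packets
    # that conntrack already associates with a tracked connection.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT   -i lo -j ACCEPT

    # Services this host offers: SSH from the LAN only, HTTP and SMTP from anywhere
    # (the box is to become the apache and postfix server), and ping.
    $IPT -A INPUT -i "$int" -p tcp -s "$redeint" --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 25 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Transparent proxy: PREROUTING rewrites LAN port-80 traffic to local port 3128,
    # so it arrives in INPUT on 3128 and needs its own accept rule.
    $IPT -t nat -A PREROUTING -i "$int" -p tcp -s "$redeint" --dport 80 -j REDIRECT --to-port 3128
    $IPT -A INPUT -i "$int" -p tcp -s "$redeint" --dport 3128 -j ACCEPT

    # New connections from the LAN to the Internet: only what the post permits.
    for port in 25 80 110; do
        $IPT -A FORWARD -i "$int" -o "$ext" -p tcp -s "$redeint" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$int" -o "$ext" -p udp -s "$redeint" --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$int" -o "$ext" -p icmp -s "$redeint" --icmp-type echo-request -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$redeint" -o "$ext" -j SNAT --to-source "$ipext"
}

stateful_rules
```

Because replies are matched by connection state rather than by source port, there is no per-service reverse rule to forget, and no rule anywhere opens a port range to unsolicited traffic; `iptables -L -v -n` on the running box shows the ESTABLISHED,RELATED counters climbing as browsing and SSH start working.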





More information about the ubuntu-users mailing list