Firewall that only runs on Conectiva 8
Hey folks, good evening. I'm dealing with an annoying problem with the firewall that runs at the company. About 3 years ago, more or less, the IT department (CPD) was outsourced. At that time a Conectiva Linux 8 server was installed, with firewall and squid, and it runs perfectly. Users access what they are allowed to, etc. But recently the PC where this firewall is installed gave out, causing a lot of problems, until we bought a new PC, which is a Pentium 4 with 256 MB of memory and a 40 GB HD.
I installed Conectiva 10 to be more up to date. I copied the file containing the firewall script that runs on Conectiva 8. But strangely, the Windows users started complaining that things that used to work no longer work. For example, bank sites they access: now Java keeps running and nothing happens. Outlook Express, whose POP and SMTP were configured to pull from UOL, Yahoo, BOL, etc., no longer works.
I confess I still don't understand iptables rules well. I try to read to learn, but it's not such a simple thing to learn.
Our network has a fixed IP from BrasilTelecom, and the Alcatel Speed Touch Pro modem was configured to leave all ports open. The firewall installed by the third party is what determines the rules for what may or may not travel on the network.
I'm sending our firewall script so that whoever can may take a look and give feedback on what might be happening.
Unfortunately it's a really huge file. When I see some firewall scripts here on Underlinux, I feel like trying to install one, but who knows whether it would cause more problems. I'm sending our firewall script, and I don't even know whether, given its size, I can post it.
In the meantime, while I can't figure out what's happening, I went back to the old server running Conectiva 8 and everything went back to working perfectly.
But here we go ........
#!/bin/sh
#
#
#
echo .
echo "Carregando as regras do Firewall !!! ... "
echo .
#
###############################################################################
#
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""
# IPTables Location - adjust if needed
IPT="/usr/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="10.0.0.100"
# Local Interface Information
LOCAL_IFACE1="eth1"
LOCAL_IP1="192.168.1.1"
LOCAL_NET1="192.168.1.0/24"
LOCAL_BCAST1="192.168.1.255"
LOCAL_IFACE2="eth2"
LOCAL_IP2="192.168.50.1"
LOCAL_NET2="192.168.50.0/24"
LOCAL_BCAST2="192.168.50.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
# echo -n "Saving firewall to /etc/sysconfig/iptables ... "
echo -n "Salvando Firewall para /etc/sysconfig/iptables !!! ..."
$IPTS > /etc/sysconfig/iptables
# echo "done"
echo "Terminado !!! ..."
exit 0
elif [ "$1" = "restore" ]
then
# echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
echo -n "Restaurando Firewall de /etc/sysconfig/iptables !!! ... "
$IPTR < /etc/sysconfig/iptables
# echo "done"
echo "Terminado !!! ..."
exit 0
fi
###############################################################################
#
# Load Modules
#
#echo "Loading kernel modules ..."
echo "Carregando os modulos do kernel !!! ... "
# You should uncomment the line below and run it the first time just to
# ensure all kernel module dependencies are OK. There is no need to run
# every time, however.
# /sbin/depmod -a
# Unless you have kernel module auto-loading disabled, you should not
# need to manually load each of these modules. Other than ip_tables,
# ip_conntrack, and some of the optional modules, I've left these
# commented by default. Uncomment if you have any problems or if
# you have disabled module autoload. Note that some modules must
# be loaded by another kernel module.
# core netfilter module
/sbin/modprobe ip_tables
# the stateful connection tracking module
/sbin/modprobe ip_conntrack
# filter table module
/sbin/modprobe iptable_filter
# mangle table module
/sbin/modprobe iptable_mangle
# nat table module
/sbin/modprobe iptable_nat
# LOG target module
/sbin/modprobe ipt_LOG
# This is used to limit the number of packets per sec/min/hr
/sbin/modprobe ipt_limit
# masquerade target module
/sbin/modprobe ipt_MASQUERADE
# filter using owner as part of the match
/sbin/modprobe ipt_owner
# REJECT target drops the packet and returns an ICMP response.
# The response is configurable. By default, connection refused.
/sbin/modprobe ipt_REJECT
# This target allows packets to be marked in the mangle table
/sbin/modprobe ipt_mark
# This target affects the TCP MSS
/sbin/modprobe ipt_tcpmss
# This match allows multiple ports instead of a single port or range
# /sbin/modprobe multiport
# This match checks against the TCP flags
/sbin/modprobe ipt_state
# This match catches packets with invalid flags
#/sbin/modprobe ipt_unclean
# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp
# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp
# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc
# Load the tun module for the OpenVPN connection
/sbin/modprobe tun
###############################################################################
#
# Kernel Parameter Configuration
#
# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
# This enables dynamic address hacking.
# Set this if you have a dynamic IP address (e.g. slip, ppp, dhcp).
#if [ "$SYSCTL" = "" ]
#then
# echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#else
# $SYSCTL net.ipv4.ip_dynaddr="1"
#fi
# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent? It's recommended for single-homed
# systems and routers on stub networks. Since those are the configurations
# this firewall is designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ. Since that's not a focus of this firewall
# script, it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/linux/proxyarp/
#if [ "$SYSCTL" = "" ]
#then
# echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#else
# $SYSCTL net.ipv4.conf.all.proxy_arp="1"
#fi
###############################################################################
#
# Flush Any Existing Rules or Chains
#
#echo "Flushing Tables ..."
echo "Limpando as Tabelas !!! ... "
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
# echo "Firewall completely flushed! Now running with no firewall."
echo "Firewall completamente descarregado. Processando agora sem Firewall !!! ..."
exit 0
fi
###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
#echo "Create and populate custom rule chains ..."
echo "Criando e customizando as regras !!! ... "
# Create a chain to filter INVALID packets
$IPT -N bad_packets
# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets
# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound
# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound
###############################################################################
#
# Populate User Chains
#
# bad_packets chain
#
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet:"
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPT -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet. If it doesn't, it is likely a
# port scan. This drops packets in state
# NEW that are not flagged as syn packets.
# Return to the calling chain if the bad packets originate
# from the local interface. This maintains the approach
# throughout this firewall of a largely trusted internal
# network.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE1 -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE2 -j RETURN
# However, I originally did apply this filter to the forward chain
# for packets originating from the internal network. While I have
# not conclusively determined its effect, it appears to have the
# interesting side effect of blocking some of the ad systems.
# Apparently some ad systems have the browser initiate a NEW
# connection that is not flagged as a syn packet to retrieve
# the ad image. If you wish to experiment further comment the
# rule above. If you try it, you may also wish to uncomment the
# rule below. It will keep those packets from being logged.
# There are a lot of them.
# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE1 ! --syn -m state \
# --state NEW -j DROP
#$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
# --log-prefix "New not syn:"
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.
# Echo - uncomment to allow your system to be pinged.
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN
# TCP & UDP
# Identify ports at:
# http://www.chebucto.ns.ca/~rakerman/port-table.html
# http://www.iana.org/assignments/port-numbers
# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.
# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections. Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default. To get here, the
# packets would have to be part of a new request received by the
# Internet interface. You would have to manually add rules to
# accept these. I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines. These rules drop those packets
# quickly and without logging them. This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
# Port 137 used for NetBios networking browsing
# Port 138 used for NetBios name service
# Port 139 used for files and printer sharing and other operations
# Port 445 used by Windows 2000/XP when NetBios over TCP/IP is disabled
# Port 901 used by SWAT
$IPT -A udp_inbound -p UDP -s 0/0 --dport 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --dport 138 -j DROP
#
# Allow traffic on port 5000 for OpenVPN
#
#$IPT -A udp_inbound -p UDP --sport 3000 -j ACCEPT
#$IPT -A udp_inbound -p UDP --sport 5000 -j ACCEPT
$IPT -A INPUT -p UDP --dport 5000 -j ACCEPT
#$IPT -A OUTPUT -p UDP --dport 5000 -j ACCEPT
#$IPT -A FORWARD -p UDP --dport 5000 -j ACCEPT
#
# Packet traffic from the TUN/TAP devices
# used by OpenVPN
#
#/usr/sbin/iptables -A INPUT -i tun+ -j ACCEPT
#/usr/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
#/usr/sbin/iptables -A INPUT -i tap+ -j ACCEPT
#/usr/sbin/iptables -A FORWARD -i tap+ -j ACCEPT
/usr/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i tun0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -s 192.168.8.0/24 -d 192.168.1.0/24 -j ACCEPT
/usr/sbin/iptables -A FORWARD -d 192.168.8.0/24 -s 192.168.1.0/24 -j ACCEPT
# DNS Server
# Configure the server to use port 53 as the source port for requests
# Note, if you run a caching-only name server that only accepts queries
# from the private network or localhost, you can comment out this line.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
# If you don't query-source the server to port 53 and you have problems,
# uncomment this rule. It specifically allows responses to queries
# initiated to another server from a high UDP port. The stateful
# connection rules should handle this situation, though.
# $IPT -A udp_inbound -p UDP -s 0/0 --source-port 53 -j ACCEPT
# External DHCP Server
# Allow DHCP client request packets inbound from external network
#$IPT -A udp_inbound -p UDP -s 0/0 --source-port 68 --destination-port 67 \
# -j ACCEPT
# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.
# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them The firewall will drop them here by default to avoid
# cluttering the log
# Drop them without logging.
$IPT -A tcp_inbound -p TCP -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A tcp_inbound -p TCP -d 224.0.0.1 -j ACCEPT
# $IPT -A tcp_inbound -p TCP -d 172.17.10.10/32 -j ACCEPT
# DNS Server - Allow TCP connections (zone transfers and large requests)
# This is disabled by default. DNS Zone transfers occur via TCP.
# If you need to allow transfers over the net you need to uncomment this line.
# If you allow queries from the 'net, you also need to be aware that although
# DNS queries use UDP by default, a truncated UDP query can legally be
# submitted via TCP instead. You probably will never need it, but should
# be aware of the fact.
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT
# Port 6881 BitTorrent
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6881 -j ACCEPT
# Web Server
# HTTP
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# HTTPS (Secure Web Server)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# FTP Client (Data Port for non-PASV transfers)
# $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
# Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# Email Server (SPOP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT
# Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
# Email Server (IMAPS)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT
# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
# $IPT -A tcp_outbound -p TCP -s 0/0 -j DROP
# Drop www
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 80 -j DROP
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 443 -j DROP
# FTP Server(FTP)
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 21 -j ACCEPT
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 20 -j ACCEPT
# Email Server (SMTP)
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 25 -j ACCEPT
# Email Server (POP3)
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 110 -j ACCEPT
# Email Server (SPOP3)
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 995 -j ACCEPT
# Email Server (IMAP4)
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 143 -j ACCEPT
# Email Server (IMAPS)
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 993 -j ACCEPT
# sshd
$IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 22 -j ACCEPT
$IPT -A tcp_outbound -p TCP -d 0/0 -j RETURN
###############################################################################
#
# INPUT Chain
#
#echo "Process INPUT chain ..."
echo "Processa as regras INPUT !!! ... "
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE1 -s $LOCAL_NET1 -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE2 -s $LOCAL_NET2 -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE1 -d $LOCAL_BCAST1 -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE2 -d $LOCAL_BCAST2 -j ACCEPT
# Allow DHCP client request packets inbound from internal network
#$IPT -A INPUT -p UDP -i $LOCAL_IFACE1 --source-port 68 --destination-port 67 \
# -j ACCEPT
# Inbound Internet Packet Rules
$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --sport 53 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp --sport 53 -j ACCEPT
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
#
# Log packets that still don't match
#$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
# --log-prefix "INPUT packet died: "
###############################################################################
#
# FORWARD Chain
#
#echo "Process FORWARD chain ..."
echo "Processa as regras FORWARD !!! ... "
# Used if forwarding for a private network
# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets
# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE1 -j tcp_outbound
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE2 -j tcp_outbound
$IPT -A FORWARD -p tcp -o $LOCAL_IFACE1 -j tcp_outbound
$IPT -A FORWARD -p tcp -o $LOCAL_IFACE2 -j tcp_outbound
# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE1 -j udp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE2 -j udp_outbound
$IPT -A FORWARD -p udp -o $LOCAL_IFACE1 -j udp_outbound
$IPT -A FORWARD -p udp -o $LOCAL_IFACE2 -j udp_outbound
# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE1 -j ACCEPT
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE2 -j ACCEPT
$IPT -A FORWARD -p ALL -o $LOCAL_IFACE1 -j ACCEPT
$IPT -A FORWARD -p ALL -o $LOCAL_IFACE2 -j ACCEPT
# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
#
# Log packets that still don't match
#$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
# --log-prefix "FORWARD packet died: "
###############################################################################
#
# OUTPUT Chain
#
#echo "Process OUTPUT chain ..."
echo "Processa as regras OUTPUT !!! ... "
# Generally trust the firewall on output
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 53 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp --sport 53 -j ACCEPT
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP1 -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP2 -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE1 -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE2 -j ACCEPT
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
#
# Log packets that still don't match
#$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
# --log-prefix "OUTPUT packet died: "
###############################################################################
#
# nat table
#
###############################################################################
# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.
#echo "Load rules for nat table ..."
echo "Carrega as regras para Tabela NAT !!! ... "
###############################################################################
#
# PREROUTING chain
#
#$IPT -t nat -A PREROUTING -d $INET_ADDRESS \
# -p udp -m udp --dport 4662 -j DNAT --to-destination 192.168.100.150
#$IPT -t nat -A PREROUTING -d $INET_ADDRESS \
# -p udp -m udp --dport 4663 -j DNAT --to-destination 192.168.100.150
###############################################################################
#
# POSTROUTING chain
#
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS
###############################################################################
#
# mangle table
#
###############################################################################
# The mangle table is used to alter packets. It can alter or mangle them in
# several ways. For the purposes of this generator, we only use its ability
# to alter the TTL in packets. However, it can be used to set netfilter
# mark values on specific packets. Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance. The TOS target can be used to set the Type of Service field in
# the IP header. Note that the TTL target might not be included in the
# distribution on your system. If it is not and you require it, you will
# have to add it. That may require that you build from source.
#echo "Load rules for mangle table ..."
echo "Carrega as regras para Tabela Mangle !!! ... "
# Set the TTL in outbound packets to the same consistent value.
# A value around 128 is a good value. Do not set this too high as
# it will adversely affect your network. It is also considered bad
# form on the Internet.
# $IPT -t mangle -A OUTPUT -o $INET_IFACE -j TTL --ttl-set 128
Sorry, everyone, for the very long text. If our moderators think it is inconvenient to post such a long text, they can lock the topic ....
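Added example, not part of the original post: the posted script hard-codes binary paths such as `IPT="/usr/sbin/iptables"` and loads kernel modules by name, so a read-only preflight check on the new host can confirm those paths and modules exist there before any rule is loaded. The function names and the sample excerpt are constructed for illustration, and the module check assumes the host's `modprobe` supports `-n` (dry run).

```shell
#!/bin/sh
# Added example: preflight check for a firewall script copied to another host.
# It only reads the script; it never loads rules or modules.

# Print absolute binary paths the script depends on: VAR="/path [args]"
# assignments and commands invoked directly by absolute path.
list_binaries() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        match($0, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*="?\/[^" \t]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^=]*="?/, "", s)              # keep only the path
            print s
            next
        }
        $1 ~ /^\// { print $1 }                  # direct call by absolute path
    ' "$1" | LC_ALL=C sort -u
}

# Print module names from active (uncommented) modprobe lines.
list_modules() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /(^|\/)modprobe$/ && NF >= 2 { print $2 }
    ' "$1" | LC_ALL=C sort -u
}

# Paths from list_binaries that are not executable on this host.
missing_binaries() {
    list_binaries "$1" | while read -r p; do
        [ -x "$p" ] || echo "$p"
    done
}

# Modules that a dry run says cannot be resolved on this kernel.
# Assumption: modprobe accepts -n (dry run) on this host.
missing_modules() {
    list_modules "$1" | while read -r m; do
        /sbin/modprobe -n "$m" >/dev/null 2>&1 || echo "$m"
    done
}

# Report everything missing; non-zero exit status if anything is.
preflight() {
    bins=$(missing_binaries "$1")
    mods=$(missing_modules "$1")
    for b in $bins; do echo "missing binary: $b"; done
    for m in $mods; do echo "module not loadable here: $m"; done
    [ -z "$bins$mods" ]
}

# Constructed sample: a few lines in the style of the posted script.
sample_excerpt() {
    cat <<'EOF'
SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/sbin/iptables-save"
INET_IFACE="eth0"
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
#/sbin/modprobe ipt_unclean
# /sbin/modprobe multiport
/usr/sbin/iptables -A INPUT -i tun0 -j ACCEPT
EOF
}

# Run against a script given as the first argument, if any.
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```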