Citação:
Postado originalmente por mastellaro
exemplo de meu firewall
NOTA: depois de criar o rc.firewall, dê permissão de execução com o comando chmod +x /etc/rc.d/rc.firewall
Criando o rc.firewall
vi /etc/rc.d/rc.firewall
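#!/bin/sh
##/etc/rc.d/rc.firewall
####
## Packet-filter setup for a two-interface gateway: WAN on eth0, LAN on eth1.
## Runs at boot as root; both tables are flushed first and every rule is
## appended (-A), so re-running the script produces the same ruleset.
## Requires: iptables and a kernel with netfilter / ip_forward support.
set -eu

## Interface names and the Squid port are defined once. Linux interface names
## are case-sensitive, so a rule written against "ETH0" would never match any
## packet and the block list would silently be a no-op.
readonly WAN_IF=eth0
readonly LAN_IF=eth1
readonly SQUID_PORT=3128

## Start from a clean slate in the filter and nat tables.
iptables -F
iptables -F -t nat

## Firewall Provi
## Enable the FORWARD feature in the kernel (routing between the interfaces).
echo 1 > /proc/sys/net/ipv4/ip_forward

## Rate-limit new TCP connections, bare RST packets and echo requests that
## cross the gateway. Each ACCEPT-with-limit is paired with a DROP for the same
## match: without it the packets over the limit just fall through to the chain
## policy, and the limit has no effect.
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

##IP Spoofing
## Private source addresses must never arrive on the WAN interface.
## NOTE(review): the prefixes are kept as the author wrote them; the full
## RFC 1918 blocks are 172.16.0.0/12 and 192.168.0.0/16, and 127.0.0.0/8 is not
## covered at all — confirm whether the narrower ranges are intended.
for net in 172.16.0.0/16 192.168.0.0/24 10.0.0.0/8; do
  iptables -A INPUT -s "$net" -i "$WAN_IF" -j DROP
done

##Drop WAN IP
## Individual WAN addresses blocked outright (dropped silently).
## NOTE(review): 211.171.255.0 and 200.150.60.0 carry no mask, so iptables
## treats them as single hosts (/32); add /24 if whole networks were meant.
for src in 218.14.146.50 200.255.222.70 220.132.90.171 68.183.55.114 \
    211.171.255.0 200.150.60.0; do
  iptables -A INPUT -i "$WAN_IF" -s "$src" -j DROP
done
## This address is answered with an ICMP error (REJECT) rather than dropped,
## as in the original ruleset; change to DROP if that feedback is not wanted.
iptables -A INPUT -i "$WAN_IF" -s 212.23.178.135 -j REJECT

###
##Open Ports
###
#iptables -A INPUT -p tcp --destination-port 21 -j ACCEPT
#iptables -A INPUT -p udp --destination-port 21 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
#iptables -A INPUT -p udp --destination-port 4672 -j ACCEPT

############################
###Redirect Clients squid ##
############################
##Squid Redirect port 80 to 3128
## Transparent proxying is enabled only for the LAN hosts listed below; the
## catch-all variant stays disabled.
##iptables -t nat -A PREROUTING -i "$LAN_IF" -s 0.0.0.0/0.0.0.0 -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT" #everyone-all
## 10.221.0.242 = kally, 10.223.0.218 = valgney.residencia,
## 10.223.0.226 = mauricio.residencia
for client in 10.221.0.242 10.223.0.218 10.223.0.226; do
  iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$client" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
done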
##end firewall - É claro que meu rc.firewall é gigante, apenas peguei parte dele como exemplo!