Tenho uma maquina Linux para conexão com a Internet aonde se encontra o firewall. Possuo duas placas de Rede conforme as seguintes configurações:
eth0
DEVICE=eth0
outboot=yes
bootproto = static
ipaddr=192.168.0.2
netmask=255.255.255.0
gateway=192.168.0.1
eth1
DEVICE=eth1
outboot=yes
bootproto=static
ipaddr=10.0.0.138
netmask=255.255.255.0
gateway=
Toda Minha Rede é Windows 2000 com ip fixo para cada estação nas minha maquinas windows esta assim configura o tcp/ip:
IPadress=10.0.0.xx
subnet mask=255.255.255.0
Default Gateway=10.0.0.138
e assim por diante
no SSHD A PORTA MUDEI PARA: 37941 e permitir root = no
Agora vejam minha configuração no rc.firewall:
#!/bin/bash
iptables -F
iptables -F -t nat
iptables -Z
iptables -Z -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
RESERVED_NET="0.0.0.0/8
10.0.0.0/8 \
127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.2.0/24 \
192.88.99.0/24 192.168.0.0/16 \
198.18.0.0/15 224.0.0.0/4 240.0.0.0/4"
for NET in $RESERVED_NET ;
do
iptables -A FORWARD -i eth1 -o eth0 -d $NET -j DROP
done
#SERVIDORES
#iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.2 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.15 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 135:139 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 445 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 445 -j DROP
#radio - windows media player
iptables -A FORWARD -p tcp --dport 1755 -j REJECT
iptables -A FORWARD -p udp --dport 1755 -j REJECT
#icq
iptables -A FORWARD -p tcp --dport 5190 -j REJECT
iptables -A FORWARD -p tcp --dport 4000 -j REJECT
iptables -A FORWARD -d login.icq.com -j REJECT
#MSN 6.2 anterior
iptables -A FORWARD -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
#msn 7.0
iptables -I FORWARD -p tcp --dport 1900 -j DROP
iptables -I FORWARD -p udp --dport 1900 -j DROP
iptables -A OUTPUT -o eth1 -s 0/0 -d 207.46.104.0/8 -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -o eth1 -s 0/0 -d 207.46.104.0/16 -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -o eth1 -s 0/0 -d 207.46.106.0/8 -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -o eth1 -s 0/0 -d 207.46.106.0/16 -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -o eth1 -s 0/0 -d 207.46.110.0/8 -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -o eth1 -s 0/0 -d 207.46.110.0/16 -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -o eth1 -s 0/0 -d 207.46.196.0/16 -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -o eth1 -s 0/0 -d 207.46.248.0/16 -p tcp --dport 80 -j REJECT
iptables -A FORWARD -p tcp --sport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
iptables -A FORWARD -d 207.46.110.0/24 -j REJECT
#iptables -A FORWARD -i eth0 -o eth1 -d 10.0.0.1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -d 10.0.0.2 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -d 10.0.0.15 -j ACCEPT
PORTAS="20,21,22,23,25,53,80,110,443,2222,37941,8080,5190"
#SAIDA
iptables -A FORWARD -p tcp -i eth1 -o eth0 -m multiport --dports $PORTAS -j ACCEPT
iptables -A FORWARD -p udp -i eth1 -o eth0 -m multiport --dports $PORTAS -j ACCEPT
#iptables -A FORWARD -p icmp -i eth1 -o eth0 -j ACCEPT
#O RETORNO
iptables -A FORWARD -p tcp -i eth0 -o eth1 -m multiport --sports $PORTAS -j ACCEPT
iptables -A FORWARD -p udp -i eth0 -o eth1 -m multiport --sports $PORTAS -j ACCEPT
#iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/24 -p tcp --dport 1863 -j DROP
iptables -A FORWARD -s 10.0.0.0/24 -d loginnet.passport.com -j DROP
#iptables -I INPUT -p tcp --dport 37941 -j ACCEPT
#iptables -I INPUT -p tcp --dport 37941 -j ACCEPT
#ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#MASCARAR
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to 3128
iptables -t nat -A PREROUTING -i etho -p tcp --dport 443 -j REDIRECT --to 3128
#iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 37941 --syn -j ACCEPT
#PROXY-TRANSPARENTE
#iptables -t nat -A PREROUTING -p tcp -s 10.0.0.0/24 --dport 80 -j REDIRECT --to 3128
#iptables -t nat -A PREROUTING -p udp -s 10.0.0.0/24 --dport 80 -j REDIRECT --to 3128
#iptables -t nat -A PREROUTING -p tcp -s 10.0.0.0/24 --dport 8080 -j REDIRECT --to 3128
#iptables -t nat -A PREROUTING -p udp -s 10.0.0.0/24 --dport 8080 -j REDIRECT --to 3128
#HOST NA REDE INTERNA
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4899 -j DNAT --to 10.0.0.1:4899
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 4899 -j DNAT --to 10.0.0.1:4899
# aqui eu queria fazer o dnat para acessar o SSH externamente de minha casa, pois localmente esta fazendo sem problemas
iptables -t nat -A PREROUTING -i eth0 --dport 37941 -j DNAT --to-dest 192.168.0.2
iptables -A FORWARD -p tcp -i eth0 --dport 37941 -d 192.168.0.2 -j ACCEPT
o que sera que esta dando errado?
Yuri[/b]