Galera, eu o fazendo o seguinte aqui na firma, tem 10 micros que podem acessar apenas um 1 site, e com metaframe, ou seja, daria rolo na hora de usar o suid, optei por fazer isso no iptables, mas na hora q eu podo o ip para acessar apenas 1 site, ele não consegue ir por nome, o firewall bloqueia o acesso ao dns : UDP (63 bytes) from 192.168.1.2:1033 to 200.204.0.10:53 on eth1
bom eu vou colar meu firewall pra vcs analizarem, lembrando q o ip 192.168.0.2 é minha WAN e o 192.168.1.255 é minha lan.....
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
###########################################################################
# 1. Module loading.
echo "carregando modulos"
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
echo "1" > /proc/sys/net/ipv4/ip_forward
# Regras para firewall comecam deste ponto em diante
echo "Limpando regras de firewall"
iptables -F
iptables -Z
iptables -X
iptables -t nat -F
echo "bloqueia tudo em todas as direcoes"
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT ACCEPT
###############################################################################
# Esse blco é destinado ao bloqueios que venham
###############################################################################
iptables -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
iptables -A INPUT -p ALL -s 192.168.1.0/16 -i lo -j ACCEPT
iptables -A INPUT -p ALL -s 192.168.0.2 -i lo -j ACCEPT
# Libera as respostas dos DNS para meu firewall
iptables -A INPUT -p udp -s 0/0 --sport 53 -d 192.168.1.1 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d 192.168.0.2 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d 192.168.1.0/24 -j ACCEPT
# libera pings dentro de nossa rede
iptables -A INPUT -p icmp --icmp-type 8 -i eth1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 192.168.0.0/27 -d 192.168.0.2 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -d 192.168.1.0/24 -j ACCEPT
#libera resposta para rede interna
iptables -A INPUT -p TCP -i eth1 --sport 80 -j ACCEPT
iptables -A INPUT -p TCP -i eth1 --sport 443 -j ACCEPT
iptables -A INPUT -p TCP -i eth1 --sport 20 -j ACCEPT
iptables -A INPUT -p TCP -i eth1 --sport 21 -j ACCEPT
iptables -A INPUT -p UDP -i eth1 --sport 21 -j ACCEPT
# descarta os pacotes invalidos para forward
#iptables -A FORWARD -m state --state INVALID -j DROP
# Aceita as conexões estabilizada e relacionadas com outros pcs da rede
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# libera rede interna a acessar o servidores dns
iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 200.174.132.2 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.174.132.2 --sport 53 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p ALL -s 0/0 -d 0/0 -j ACCEPT
###############################################################################
echo "Liberando micros para tudo"
iptables -t nat -A POSTROUTING -p all -s 192.168.1.0/0 -d www.sjc.sp.gov.br -j MASQUERADE