Folks, I'm trying to direct the HTTP and DNS requests from the firewall to the DNS/web server, but I don't think it's working too well.. hehehehe
When I try to configure my domain at Fapesp it says "Tempo Esgotado" (timed out).
Here is my firewall script so you can see where I'm going wrong...
-------------------------------- Firewall start ---------------------------------
#!/bin/bash
#modprobe iptable
modprobe iptable_filter
modprobe iptable_nat
modprobe iptable_mangle
modprobe ipt_conntrack
modprobe ipt_TOS
modprobe ipt_MASQUERADE
modprobe ipt_LOG
##### Flush all previous rules #####
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
##### Policy definitions #####
## filter table
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
## nat table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
## mangle table
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
##### Protections #####
## IP spoofing ##
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 >$i
done
## Ping of death ##
iptables -t filter -A internet -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -t filter -A internet -j DROP
## SYN flood ##
iptables -t filter -A internet -p tcp --syn -m limit --limit 2/s -j ACCEPT
iptables -t filter -A internet -j DROP
##### Enable packet forwarding #####
echo "1" >/proc/sys/net/ipv4/ip_forward
##### Maximum number of simultaneous connections #####
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
#################################################
### Filter table ###
#################################################
##### INPUT chain #####
## Used to handle traffic coming from the internet ##
iptables -N internet
## Accept all traffic from/to loopback ##
iptables -A INPUT -i lo -j ACCEPT
## All traffic from the internal network is also accepted ##
iptables -A INPUT -s 192.168.1.0/24 -i eth2 -j ACCEPT
## Connections from outside (eth0) are handled by the "internet" chain ##
iptables -A INPUT -i eth0 -j internet
## Any other unknown connection is logged and dropped ##
iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT "
iptables -A INPUT -j DROP
##### FORWARD chain #####
## Allows forwarding of connections between the local interfaces. ##
## Any traffic from/to other interfaces will be blocked ##
iptables -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FIREWALL: FORWARD "
iptables -A FORWARD -j DROP
##### internet chain #####
## Accept all ICMP messages from the internet, with some rate limiting ##
iptables -A internet -p icmp -m limit --limit 2/s -j ACCEPT
## Accept traffic from the internet to the WEB and DNS services (ports 80/53) ##
iptables -A internet -p tcp --dport 80 -j ACCEPT
iptables -A internet -p tcp --dport 53 -j ACCEPT
iptables -A internet -p udp --dport 53 -j ACCEPT
## These services are logged and blocked ##
iptables -A internet -p tcp --dport 21 -j LOG --log-prefix "FIREWALL: ftp "
iptables -A internet -p tcp --dport 25 -j LOG --log-prefix "FIREWALL: smtp "
iptables -A internet -p tcp --dport 110 -j LOG --log-prefix "FIREWALL: pop3 "
iptables -A internet -p tcp --dport 113 -j LOG --log-prefix "FIREWALL: identd "
iptables -A internet -p udp --dport 111 -j LOG --log-prefix "FIREWALL: rpc "
iptables -A internet -p tcp --dport 111 -j LOG --log-prefix "FIREWALL: rpc "
iptables -A internet -p udp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
iptables -A internet -p tcp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
## Block any attempt to access this machine from outside ##
iptables -A internet -m state --state ! ESTABLISHED,RELATED -j LOG --log-prefix "FIREWALL: ppp-in "
iptables -A internet -m state --state ! ESTABLISHED,RELATED -j DROP
## Any other kind of traffic is accepted ##
iptables -A internet -j ACCEPT
#################################################
### NAT table ###
#################################################
##### POSTROUTING chain #####
## Allow any connection destined to lo and to the local network via eth1 ##
iptables -t nat -A POSTROUTING -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth2 -j ACCEPT
## Forward connections to the web server and DNS (ports 80/53) ##
iptables -t nat -A PREROUTING -p tcp -d 200.x.x.x --dport 80 -j DNAT --to 192.168.1.1:80
iptables -t nat -A PREROUTING -p tcp -d 200.x.x.x --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -A PREROUTING -p udp -d 200.x.x.x --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.1 --sport 80 -j SNAT --to 200.x.x.x
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.1 --sport 53 -j SNAT --to 200.x.x.x
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.1 --sport 53 -j SNAT --to 200.x.x.x
iptables -t nat -A POSTROUTING -j LOG --log-prefix "FIREWALL: Acesso 80/53 "
## Masquerading is done here ##
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
## Log and block any other unknown traffic ##
iptables -t nat -A POSTROUTING -j LOG --log-prefix "FIREWALL: SNAT "
iptables -t nat -A POSTROUTING -j DROP
#################################################
### mangle table ###
#################################################
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 21 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 23 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 6665:6668 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -o eth2 -p udp --dport 53 -j TOS --set-tos 0x10
---------------------------------- Firewall end ---------------------------------
Typing the server's internal IP (192.168.1.1) into the browser I can reach the Apache page, and a telnet 192.168.1.1 53 also works....
But if I try with the internet IP it doesn't work...
Any help is appreciated.
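Added example (not the poster's script, and not an answer from the thread): a minimal, corrected DNAT setup for the same topology, written so the rule set can be reviewed without root. Two defects are visible in the posted script and are worth checking first. The "internet" chain is appended to (the ping-of-death and SYN-flood rules) before `iptables -N internet` creates it, and those two sections end in an unconditional `-j DROP`, so on a fresh boot the appends fail and, once the chain exists, everything that is not a rate-limited ping is dropped. And the FORWARD return rule `-d 192.168.1.0/24 -i eth2 -o eth0` can never match a reply from 192.168.1.1, whose destination is an internet address, so replies to the DNAT'd HTTP/DNS connections are logged and dropped in FORWARD even though the inbound half is accepted. The example below assumes eth0 faces the internet, eth2 faces the LAN 192.168.1.0/24, the web/DNS server is 192.168.1.1, and uses `EXT_IP` as a placeholder for the public address (the post shows it as 200.x.x.x). The `ipt` wrapper, `fw_rules`, `enable_forwarding` and `check_rules` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumptions (constructed for this example): eth0 = internet side,
# eth2 = LAN side, LAN = 192.168.1.0/24, web/DNS server = 192.168.1.1,
# EXT_IP = placeholder for the firewall's real public address.
EXT_IP="${EXT_IP:-200.x.x.x}"   # placeholder: replace with the real public IP
LAN="192.168.1.0/24"
SRV="192.168.1.1"

# ipt: run iptables, or only print the command when DRY_RUN=1 so the
# generated rule list can be inspected without touching the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

fw_rules() {
    ipt -t filter -F
    ipt -t nat -F
    ipt -t filter -X              # remove old user chains before recreating them

    ipt -P INPUT DROP
    ipt -P FORWARD DROP           # default deny instead of a trailing DROP rule
    ipt -P OUTPUT ACCEPT

    # Create the chain BEFORE appending to it.
    ipt -N internet
    # Rate-limit pings and SYNs, but drop only the excess of that traffic
    # class, not everything else that reaches the chain.
    ipt -A internet -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    ipt -A internet -p icmp --icmp-type echo-request -j DROP
    ipt -A internet -p tcp --syn -m limit --limit 2/s -j ACCEPT
    ipt -A internet -p tcp --syn -j DROP
    ipt -A internet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A internet -j LOG --log-prefix "FIREWALL: internet "
    ipt -A internet -j DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i eth2 -s "$LAN" -j ACCEPT
    ipt -A INPUT -i eth0 -j internet

    # DNAT'd packets from the internet traverse FORWARD, not INPUT, so the
    # forwarded services are allowed here, restricted to the one server ...
    ipt -A FORWARD -i eth0 -o eth2 -d "$SRV" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i eth0 -o eth2 -d "$SRV" -p tcp --dport 53 -j ACCEPT
    ipt -A FORWARD -i eth0 -o eth2 -d "$SRV" -p udp --dport 53 -j ACCEPT
    # ... and replies go back out to arbitrary internet addresses, so the
    # return rule matches on the LAN SOURCE (plus connection state), never
    # on a LAN destination.
    ipt -A FORWARD -i eth2 -o eth0 -s "$LAN" -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "FIREWALL: FORWARD "

    # NAT: DNAT inbound to the server, MASQUERADE outbound LAN traffic.
    # Conntrack reverses the DNAT on replies; no --sport SNAT rules needed.
    ipt -t nat -A PREROUTING -i eth0 -d "$EXT_IP" -p tcp --dport 80 -j DNAT --to-destination "$SRV:80"
    ipt -t nat -A PREROUTING -i eth0 -d "$EXT_IP" -p tcp --dport 53 -j DNAT --to-destination "$SRV:53"
    ipt -t nat -A PREROUTING -i eth0 -d "$EXT_IP" -p udp --dport 53 -j DNAT --to-destination "$SRV:53"
    ipt -t nat -A POSTROUTING -o eth0 -s "$LAN" -j MASQUERADE
}

enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# check_rules: sanity checks on the generated rule list: the user chain is
# created before its first use, and the FORWARD return path matches on the
# LAN source. Returns 0 when both hold.
check_rules() {
    rules=$(DRY_RUN=1; fw_rules)
    creation=$(echo "$rules" | grep -n -- '-N internet' | head -n 1 | cut -d: -f1)
    first_use=$(echo "$rules" | grep -n -- '-A internet' | head -n 1 | cut -d: -f1)
    [ -n "$creation" ] && [ -n "$first_use" ] && [ "$creation" -lt "$first_use" ] || return 1
    echo "$rules" | grep -q -- '-A FORWARD -i eth2 -o eth0 -s 192.168.1.0/24' || return 1
    return 0
}

# Review first: DRY_RUN=1 sh thisscript.sh ; apply as root with DRY_RUN unset.
if [ "${DRY_RUN:-0}" = "1" ]; then
    fw_rules
    enable_forwarding
fi
```

Run it with `DRY_RUN=1` to print the rules and read them through; `check_rules` encodes the two ordering and return-path checks so they can be re-run after any edit. Applying the rules (root, `DRY_RUN` unset) replaces the filter and nat contents; the mangle TOS rules from the post are independent and were left out.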