Can someone help me put together a firewall with IP x MAC control that doesn't stop Squid from running?
I built one, but Squid doesn't run on 3128, that is, the clients can't browse.
I'd be grateful for your help.
The firewall I built:
#!/bin/sh
#Router=eth0
#Cable=eth1
#Business=eth2
#Residential=eth3
# Load modules (ip_conntrack is called nf_conntrack on newer kernels)
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
# Flush rules
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter
# Set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Accept the packets that really should come in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open ports
#SSH
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#FTP
iptables -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
#SMTP
iptables -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
#DNS
iptables -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
#SQUID PORT 3128 (Squid listens on TCP; the UDP rule is harmless)
iptables -A INPUT -p tcp -s 0/0 --dport 3128 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --dport 3128 -j ACCEPT
#POP3
iptables -A INPUT -p tcp -s 0/0 --dport 110 -j ACCEPT
#WEB
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 6080 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#Webmin
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp --dport 10000 -j ACCEPT
#SYN-flood protection
#NOTE: these limit rules only ACCEPT up to 1 packet/s; packets over the limit
#fall through to the rules below, so they do not actually block a flood
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#Protection against stealth port scanners
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#Ping-of-death protection
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Allow loopback (INPUT policy is DROP, so traffic to local services on
#127.0.0.1 needs this; OUTPUT already defaults to ACCEPT)
iptables -A INPUT -i lo -j ACCEPT
#Port redirection: HTTP arriving on eth1 goes transparently to Squid on 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 3128
# IP x MAC access control
#Allowing the clients' MAC x IP pairs
#via cable
#Via SATT
#NOTE: the MAC below has only five octets; iptables rejects it ("Bad mac
#address") and neither rule is loaded until the full address is supplied
iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.2 -m mac --mac-source 00:07:95:F9:2BF -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.0.2 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 192.168.0.2 -d 0/0 -m mac --mac-source 00:07:95:F9:2BF -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.2 -o eth0 -j MASQUERADE
#Fabricia - front shop
#NOTE: five-octet MAC again; these two rules are rejected as above
iptables -t filter -A FORWARD -d 0/0 -s 192.168.1.2 -m mac --mac-source 00:0D:61:398:96 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.1.2 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 192.168.1.2 -d 0/0 -m mac --mac-source 00:0D:61:398:96 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0 -j MASQUERADE
#cyber_baixo
#NOTE: five-octet MAC again, and the FORWARD and INPUT rules give different
#addresses (...45D:6E vs ...45D:63); both must be the same host's full MAC
iptables -t filter -A FORWARD -d 0/0 -s 192.168.2.2 -m mac --mac-source 00:50:BF:45D:6E -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.2.2 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 192.168.2.2 -d 0/0 -m mac --mac-source 00:50:BF:45D:63 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.2 -o eth0 -j MASQUERADE
#via radio, residential customers
#Wilton - my brother-in-law
iptables -t filter -A FORWARD -d 0/0 -s 193.168.1.2 -m mac --mac-source 00:0D:88:9D:B7:9E -j ACCEPT
iptables -t filter -A FORWARD -d 193.168.1.2 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 193.168.1.2 -d 0/0 -m mac --mac-source 00:0D:88:9D:B7:9E -j ACCEPT
iptables -t nat -A POSTROUTING -s 193.168.1.2 -o eth0 -j MASQUERADE
#Jose Evangelista - ZEZE
#NOTE: the FORWARD rule uses 00:0F:3D:... and the INPUT rule 00:0F:2D:...;
#one of them is a typo and only the correct one will ever match
iptables -t filter -A FORWARD -d 0/0 -s 193.168.0.2 -m mac --mac-source 00:0F:3D:40:CA:82 -j ACCEPT
iptables -t filter -A FORWARD -d 193.168.0.2 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 193.168.0.2 -d 0/0 -m mac --mac-source 00:0F:2D:40:CA:82 -j ACCEPT
iptables -t nat -A POSTROUTING -s 193.168.0.2 -o eth0 -j MASQUERADE
#Clodoheldo
iptables -t filter -A FORWARD -d 0/0 -s 193.168.2.2 -m mac --mac-source 00:E0:4C:6C:28:B2 -j ACCEPT
iptables -t filter -A FORWARD -d 193.168.2.2 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 193.168.2.2 -d 0/0 -m mac --mac-source 00:E0:4C:6C:28:B2 -j ACCEPT
iptables -t nat -A POSTROUTING -s 193.168.2.2 -o eth0 -j MASQUERADE
#via radio, business customers
#Net Games 1
iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.16 -m mac --mac-source 00:E0:7D:CB:14:89 -j ACCEPT
iptables -t filter -A FORWARD -d 194.168.0.16 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 194.168.0.16 -d 0/0 -m mac --mac-source 00:E0:7D:CB:14:89 -j ACCEPT
iptables -t nat -A POSTROUTING -s 194.168.0.16 -o eth0 -j MASQUERADE
#Net Games 2
iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.17 -m mac --mac-source 00:08:54:19:03:29 -j ACCEPT
iptables -t filter -A FORWARD -d 194.168.0.17 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 194.168.0.17 -d 0/0 -m mac --mac-source 00:08:54:19:03:29 -j ACCEPT
iptables -t nat -A POSTROUTING -s 194.168.0.17 -o eth0 -j MASQUERADE
#Net Games 3
iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.18 -m mac --mac-source 00:54:FC:81:0C:FA -j ACCEPT
iptables -t filter -A FORWARD -d 194.168.0.18 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 194.168.0.18 -d 0/0 -m mac --mac-source 00:54:FC:81:0C:FA -j ACCEPT
iptables -t nat -A POSTROUTING -s 194.168.0.18 -o eth0 -j MASQUERADE
#Net Games 4
iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.19 -m mac --mac-source 00:08:54:18:ED:49 -j ACCEPT
iptables -t filter -A FORWARD -d 194.168.0.19 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 194.168.0.19 -d 0/0 -m mac --mac-source 00:08:54:18:ED:49 -j ACCEPT
iptables -t nat -A POSTROUTING -s 194.168.0.19 -o eth0 -j MASQUERADE
#Net Games 8
iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.29 -m mac --mac-source 00:08:54:18:ED:46 -j ACCEPT
iptables -t filter -A FORWARD -d 194.168.0.29 -s 0/0 -j ACCEPT
iptables -t filter -A INPUT -s 194.168.0.29 -d 0/0 -m mac --mac-source 00:08:54:18:ED:46 -j ACCEPT
iptables -t nat -A POSTROUTING -s 194.168.0.29 -o eth0 -j MASQUERADE
#Share the connection (enable IPv4 forwarding)
echo 1 > /proc/sys/net/ipv4/ip_forward
#Drop everything else
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
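A table-driven version of the IP x MAC section, as an added example that is not part of the original post: it validates every entry before any rule is loaded, because iptables rejects a MAC that is not six octets ("Bad mac address") and the client is then left with no FORWARD or INPUT rule at all, which matches the "can't browse" symptom. It prints the rules by default and only applies them (run as root with `apply`) when the whole table validates; the interfaces eth0-eth3 and port 3128 are taken from the post, the client table is a constructed sample.

```shell
#!/bin/sh
# Added example, not the poster's script: builds the IP x MAC rules from a
# table and validates each entry first, since iptables rejects a MAC that is
# not six hex octets. Assumes WAN eth0, LANs eth1-eth3, Squid on TCP 3128.

# Constructed sample table, one "ip mac" per line (not real hosts).
CLIENTS='192.168.0.2 00:07:95:F9:2B:F0
192.168.1.2 00:0D:61:39:8A:96'
# 0 if $1 is a six-octet colon-separated MAC.
valid_mac() { printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
# 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# Static rules (printed, not executed): loopback, conntrack, HTTP -> Squid.
base_rules() {
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for i in eth1 eth2 eth3; do
        echo "iptables -t nat -A PREROUTING -i $i -p tcp --dport 80 -j REDIRECT --to-ports 3128"
    done
}

# Per-client rules; returns 1 and prints nothing if the entry is malformed.
# --mac-source only sees the last hop's MAC and is easily spoofed, so this is
# an anti-mistake control, not authentication.
client_rules() {
    valid_ip "$1" && valid_mac "$2" || return 1
    echo "iptables -A FORWARD -s $1 -m mac --mac-source $2 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -s $1 -m mac --mac-source $2 -p tcp --dport 3128 -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $1 -o eth0 -j MASQUERADE"
}

# Whole rule set on stdout; returns 1 if any table entry failed validation.
generate_rules() {
    rc=0
    base_rules
    while read -r ip mac; do
        client_rules "$ip" "$mac" || { echo "bad entry: $ip $mac" >&2; rc=1; }
    done <<EOF
$CLIENTS
EOF
    return $rc
}
# No argument: dry run (print). "apply": load only if every entry validated.
case "${1:-print}" in
    apply) rules=$(generate_rules) || exit 1; printf '%s\n' "$rules" | sh -e ;;
    print) generate_rules ;;
esac
```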