Folks, I've got a big problem. I had a firewall running fine on Conectiva 8, but I had to migrate to Conectiva 10, and now I'm having a problem with the firewall rules. See the example:
Conectiva 8
# Generated by iptables-save v2.9 on Mon Dec 15 20:50:37 2003
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# INBOUND DNAT
-A PREROUTING -p tcp -d 200.253.101.131 --dport 5900 -j DNAT --to-destination 192.168.0.18
-A PREROUTING -p udp -d 200.253.101.131 --dport 5800 -j DNAT --to-destination 192.168.0.18
#
# Squid # ETH0 (EXAMPLE: USE THE INTERFACE OF YOUR INTERNAL NETWORK)
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#
# MASQUERADE (INTERNAL NETWORK INTERFACE)
-A POSTROUTING -o eth1 -j MASQUERADE
#
COMMIT
# Completed on Mon Dec 15 20:50:37 2003
# Generated by iptables-save v1.2.9 on Mon Dec 15 20:50:37 2003
*mangle
:PREROUTING ACCEPT [9:1243]
:INPUT ACCEPT [9:1243]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:3755]
:POSTROUTING ACCEPT [10:3755]
COMMIT
# Completed on Mon Dec 15 20:50:37 2003
# Generated by iptables-save v1.2.9 on Mon Dec 15 20:50:37 2003
*filter
:FORWARD ACCEPT [0:0]
:Block - [0:0]
:INPUT ACCEPT [0:0]
:Users - [0:0]
:OUTPUT ACCEPT [0:0]
# ALLOW FOR EXTERNAL ACCESS
-A INPUT -p tcp -i eth1 --dport 5900 -j ACCEPT
-A INPUT -p udp -i eth1 --dport 5900 -j ACCEPT
-A INPUT -p udp -i eth1 --dport 5800 -j ACCEPT
-A INPUT -p tcp -i eth1 --dport 5800 -j ACCEPT
-A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
-A INPUT -p udp -i eth1 --dport 22 -j ACCEPT
# DNS
#-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
#-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j Users
-A INPUT -j Block
# ADDITIONAL FORWARD RULES FOR PCANYWHERE
-A FORWARD -i eth1 -p tcp --dport 5800 -j ACCEPT
-A FORWARD -i eth1 -p udp --dport 5800 -j ACCEPT
-A FORWARD -i eth1 -p tcp --dport 5900 -j ACCEPT
-A FORWARD -i eth1 -p udp --dport 5900 -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -j DROP
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
# '-m unclean' is not available on 2.6 kernels; drop malformed packets with the state match instead
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j Block
#
# EXTERNAL CONNECTIONS ETH1 (INTERNET INTERFACE)
-A Block -m state -i eth1 --state NEW -j DROP
#
# Accept already established connections
-A Block -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP / SSH / Telnet / SMTP
-A Block -p tcp -m tcp --dport 20:25 -j ACCEPT
-A Block -p udp -m udp --dport 20:25 -j ACCEPT
# DNS
-A Block -p tcp -m tcp --dport 53 -j ACCEPT
-A Block -p udp -m udp --dport 53 -j ACCEPT
# http
-A Block -p tcp -m tcp --dport 80 -j ACCEPT
-A Block -p udp -m udp --dport 80 -j ACCEPT
# Pop-3
-A Block -p tcp -m tcp --dport 110 -j ACCEPT
-A Block -p udp -m udp --dport 110 -j ACCEPT
# https
-A Block -p tcp -m tcp --dport 443 -j ACCEPT
-A Block -p udp -m udp --dport 443 -j ACCEPT
# Proxy
-A Block -p tcp -m tcp --dport 3128 -j ACCEPT
-A Block -p udp -m udp --dport 3128 -j ACCEPT
# High ports, general
-A Block -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A Block -p udp -m udp --dport 1024:65535 -j ACCEPT
# =========== ADMIN Level =============
# ALLOW RULE (the mac match option is --mac-source)
-A Users -m mac -s 192.168.252.228 --mac-source 00:40:f4:ab:0c:cf -j RETURN
#
# BLOCK RULE
-A Users -m mac -s 192.168.252.228 --mac-source 00:40:f4:ab:0c:cf -j DROP
#
-A Block -j DROP
-A Users -j DROP
COMMIT
# Completed on Mon Dec 15 20:50:37 2003
Now I can't load these rules on Conectiva 10 without getting errors.
Can someone update these rules for us? It will be useful for others too.
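An added example, not part of the original post: a small Python checker that reads an iptables-save dump like the one above and flags constructs that commonly break or misbehave after a kernel/iptables upgrade (the removed unclean match, the abbreviated --mac option, a rule with no -j target) plus rules shadowed by an earlier terminal rule in the same chain. The tables of removed matches and abbreviated options are assumptions built for this example, and the embedded dump is a constructed excerpt of the post's rules.

```python
# Assumption: these tables are constructed for this example from the post's own dump.
REMOVED_MATCHES = {"unclean": "no longer exists; use '-m state --state INVALID'"}
ABBREVIATED_OPTS = {"--mac": "--mac-source"}   # spelled-out option name
def parse_rules(dump):
    """Yield (table, chain, matches, target) per -A line of an iptables-save dump;
    matches is a frozenset of (option, value) pairs, target is None without -j."""
    table = None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            _, chain, *spec = line.split()
            cut = spec.index("-j") if "-j" in spec else len(spec)
            pairs = []
            for tok in spec[:cut]:
                if tok.startswith("-"):
                    pairs.append((tok, ""))
                elif pairs:
                    pairs[-1] = (pairs[-1][0], tok)
            target = spec[cut + 1] if cut + 1 < len(spec) else None
            yield table, chain, frozenset(pairs), target

def lint_dump(dump):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings, seen = [], {}  # seen: chain -> match sets of earlier terminal rules
    for table, chain, matches, target in parse_rules(dump):
        where = f"{table}/{chain}"
        text = " ".join(f"{o} {v}".strip() for o, v in sorted(matches)) or "<empty>"
        for opt, val in matches:
            if opt == "-m" and val in REMOVED_MATCHES:
                findings.append(f"{where}: '-m {val}' {REMOVED_MATCHES[val]}")
            if opt in ABBREVIATED_OPTS:
                findings.append(f"{where}: write '{opt}' as '{ABBREVIATED_OPTS[opt]}'")
        if target is None:
            findings.append(f"{where}: rule without a target (-j): '{text}'")
        # Unreachable if an earlier terminal rule in this chain matched a subset of
        # these conditions ('-m limit' rules are skipped: they match only part).
        if any(s <= matches for s in seen.get(where, [])):
            findings.append(f"{where}: unreachable, shadowed by an earlier rule: '{text}'")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN") and ("-m", "limit") not in matches:
            seen.setdefault(where, []).append(matches)
    return findings

SAMPLE_DUMP = """*filter
-A FORWARD -p icmp --icmp-type echo-request -j DROP
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -m unclean -j DROP
-A Users -m mac -s 192.168.252.228 --mac 00:40:f4:ab:0c:cf -j RETURN
-A Users -m mac -s 192.168.252.228 --mac 00:40:f4:ab:0c:cf -j DROP
-A Users
COMMIT"""  # constructed excerpt of the post's dump; lint_dump(SAMPLE_DUMP) lists 6 findings
```

Run lint_dump on the output of `iptables-save` from the old box before loading it on the new one; every finding points at a line to rewrite by hand.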