Postado originalmente por
irado
bão.. já que tá rebelde mesmo, vamos usar a força bruta: use o MEU script de firewall, substituindo o que for apropriado para você (nomes das interfaces e a rede interna, no início do script). Uma coisa te garanto: funciona, direitinho.
APÓS você fazê-lo funcionar aí (creio que sem dificuldades), você pode torná-lo mais restrito — aceitando apenas algumas portas nas interfaces interna e de controle, em vez de tudo, etc.
Experimente, basta um copy/paste e pronto.
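#!/bin/bash
# Small-office gateway firewall (iptables): default-deny on INPUT, OUTPUT
# and FORWARD, MASQUERADE for the LAN behind $NIC_EXTERNA, and transparent
# redirect of LAN port-80 traffic to a local Squid on 3128.
# Usage: firewall {start|stop|restart}
#
# "-x" was removed from the shebang: it is ignored when the script is run
# as "bash firewall", and it echoes every rule to the terminal/log.  Use
# "bash -x ./firewall start" when debugging.

# Fail fast if iptables is missing.  With the old `which` lookup an empty
# $IPT meant every rule below failed ("-F: command not found") and the
# host silently kept whatever policy it already had — possibly wide open.
# /sbin is tried explicitly because init/cron PATHs often omit it.
IPT=$(command -v iptables) || IPT=/sbin/iptables
[ -x "$IPT" ] || { echo "$0: iptables não encontrado (PATH ou $IPT)" >&2; exit 1; }

NIC_INTERNA=eth2          # LAN side; $REDE lives here
NIC_CONTROLE=eth0         # management interface, fully trusted by INPUT
NIC_EXTERNA=eth1          # Internet side; LAN is masqueraded behind it
REDE=192.168.101.0/24     # LAN network
# Not used yet — candidate list for a per-port INPUT policy on the trusted
# interfaces.  Service names (nntp,pop3,auth,smtp,http,https,ssh,irc) may
# be used instead of numbers.
PORTAS_AUTORIZADAS=119,110,113,25,80,443,22,5435,5377,6666:6667,6881:6891

# Load the NAT table module; the REDIRECT and MASQUERADE rules depend on it.
modprobe iptable_nat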
limpa(){
    # Flush every rule and delete every user-defined chain in the three
    # tables this script touches (filter, nat, mangle).  Chain policies are
    # left untouched — that is why iniciar() sets them to DROP *before*
    # calling this, and encerrar() sets them to ACCEPT *after*.
    local tabela
    for tabela in filter nat mangle; do
        "$IPT" -t "$tabela" -F
        "$IPT" -t "$tabela" -X
    done
}
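iniciar(){
    # Bring the firewall up: default-deny on every chain, then the allow
    # rules, then NAT.  Policies are set to DROP *before* the flush so the
    # host is never left open between "old rules gone" and "new rules in".
    "$IPT" -t filter -P FORWARD DROP
    "$IPT" -t filter -P INPUT DROP
    "$IPT" -t filter -P OUTPUT DROP
    limpa

    ##--> FILTER table, INPUT chain (traffic addressed to this host)
    "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    # Answer pings, but rate-limited like the FORWARD chain below, so the
    # host is neither a handy ICMP reflector nor kept busy by a ping flood.
    "$IPT" -t filter -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
    # The management and LAN interfaces, and tun+ (presumably VPN tunnels),
    # are fully trusted: anything arriving on them is accepted.  Narrow
    # these to specific ports once the basic setup works.
    "$IPT" -t filter -A INPUT -i "$NIC_CONTROLE" -j ACCEPT
    "$IPT" -t filter -A INPUT -i "$NIC_INTERNA" -j ACCEPT
    "$IPT" -t filter -A INPUT -i tun+ -j ACCEPT
    "$IPT" -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Services offered by this host.  These two rules used to have no "-i"
    # match, so they also opened tcp/53,123,5435,10000 and udp/53,123 on the
    # external interface.  They now exclude $NIC_EXTERNA; to expose a port
    # to the Internet on purpose, add an explicit rule such as
    #   "$IPT" -t filter -A INPUT -i "$NIC_EXTERNA" -p tcp --dport 443 -j ACCEPT
    "$IPT" -t filter -A INPUT ! -i "$NIC_EXTERNA" -p tcp -m multiport --dports domain,ntp,5435,10000 -j ACCEPT
    "$IPT" -t filter -A INPUT ! -i "$NIC_EXTERNA" -p udp -m multiport --dports domain,ntp -j ACCEPT
    #----> only when THIS host itself needs outbound FTP -- start
    #"$IPT" -t filter -A INPUT -p tcp -m multiport --sports 20:21 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #"$IPT" -t filter -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    #----> FTP -- stop
    # Shadowed by the "-i $NIC_INTERNA" accept above (nothing reaches it);
    # kept so the intent — only $REDE is expected on the LAN side — stays
    # visible when that broad accept is eventually removed.
    "$IPT" -t filter -A INPUT -p ALL -s "$REDE" -i "$NIC_INTERNA" -j ACCEPT
    # Uncomment to log what the next rule drops.  Add "-m limit" first if
    # the box is exposed: an unlimited LOG target can flood syslog.
    #"$IPT" -t filter -A INPUT -p tcp --syn -j LOG --log-prefix "** INPUT - DESCARTADOS **"
    # Explicit drop of new TCP connections; anything else that reaches the
    # end of the chain falls to the DROP policy anyway.
    "$IPT" -t filter -A INPUT -p tcp --syn -j DROP

    ###--> FILTER table, OUTPUT chain (traffic originated by this host)
    "$IPT" -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Towards the Internet this host may only open DNS, HTTP and HTTPS
    # (e.g. the Squid upstream fetches behind the REDIRECT below).
    "$IPT" -t filter -A OUTPUT -o "$NIC_EXTERNA" -p tcp -m multiport --dports domain,http,https -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # DNS and NTP may leave through any interface
    "$IPT" -t filter -A OUTPUT -p tcp -m multiport --dports domain,ntp -j ACCEPT
    "$IPT" -t filter -A OUTPUT -p udp -m multiport --dports domain,ntp -j ACCEPT
    "$IPT" -t filter -A OUTPUT -o lo -j ACCEPT
    #----> only when THIS host itself needs outbound FTP -- start
    #"$IPT" -t filter -A OUTPUT -o "$NIC_EXTERNA" -p tcp --dport ftp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #"$IPT" -t filter -A OUTPUT -o "$NIC_EXTERNA" -p icmp --icmp-type echo-request -j ACCEPT
    #"$IPT" -t filter -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    #"$IPT" -t filter -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    #----> FTP -- stop

    ##--> FILTER table, FORWARD chain (LAN <-> Internet through this box)
    "$IPT" -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Rate-limited forwarding of echo-requests.  Note: no interface match,
    # so this applies in both directions.
    "$IPT" -t filter -A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
    # LAN hosts may go anywhere.  "-i $NIC_INTERNA" is the anti-spoofing
    # check: a packet with a 192.168.101.x source arriving on the external
    # interface must not be forwarded as if it came from the LAN.
    "$IPT" -t filter -A FORWARD -i "$NIC_INTERNA" -s "$REDE" -d 0/0 -j ACCEPT

    # --> NAT
    ###--> NAT table, PREROUTING chain
    # Transparent proxy: LAN traffic to port 80 is redirected to the local
    # Squid on 3128.  HTTPS (443) is not intercepted.
    "$IPT" -t nat -A PREROUTING -i "$NIC_INTERNA" -p tcp -d 0/0 --dport 80 -j REDIRECT --to-port 3128
    # ACCEPT in a nat chain only ends traversal of that chain; kept from the
    # original as a harmless no-op for the rest of the LAN traffic.
    "$IPT" -t nat -A PREROUTING -i "$NIC_INTERNA" -d 0/0 -j ACCEPT
    ###--> NAT table, POSTROUTING chain
    # Hide the LAN behind the external interface's address
    "$IPT" -t nat -A POSTROUTING -s "$REDE" -p ALL -o "$NIC_EXTERNA" -j MASQUERADE
}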
encerrar(){
    # Tear the firewall down: flush everything, then open every policy.
    # WARNING: this is "firewall off", not "safe mode" — afterwards the host
    # filters nothing, and FORWARD is ACCEPT too, so with ip_forward enabled
    # it routes between its interfaces without any filtering.
    limpa
    local chain
    for chain in FORWARD INPUT OUTPUT; do
        "$IPT" -t filter -P "$chain" ACCEPT
    done
}
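# Entry point: {start|stop|restart}.
# - "restart" now goes straight to iniciar(): it already sets DROP policies
#   and flushes, so passing through encerrar() first only added a window
#   in which the host sat with ACCEPT policies and no rules.
# - "stop" no longer calls limpa() a second time; encerrar() already does.
# - Bad usage goes to stderr with a non-zero status so init scripts notice.
main() {
    case "${1:-}" in
        start)
            iniciar
            ;;
        stop)
            encerrar
            ;;
        restart)
            iniciar
            ;;
        *)
            echo "Uso $0 {start | stop | restart}" >&2
            exit 2
            ;;
    esac
}
main "$@"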
########
convém também usar o seguinte /etc/sysctl.conf (aplicado com `sysctl -p`, ou no próximo boot):
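#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#
# Uncomment the following to stop low-level messages on console
#kernel.printk=4 4 1 7
##############################################################
# Functions previously found in netbase
#
# Reverse-path (anti-spoofing) filter.  "default" only reaches interfaces
# created after this file is applied; "all" is needed for the ones that
# already exist (eth0/eth1/eth2 on this gateway).
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
# TCP SYN cookies: keep listening sockets usable under a SYN flood
net.ipv4.tcp_syncookies=1
# This box is the LAN gateway: forward IPv4 between its interfaces.
# IPv6 forwarding stays off (the firewall script only filters IPv4).
net.ipv4.ip_forward=1
#net.ipv6.conf.default.forwarding=1
# Disable TCP timestamps (this line was listed twice in the original)
net.ipv4.tcp_timestamps=0
# Do not answer ICMP echo sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts=1
# Drop source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
# ICMP redirects: a router should neither accept nor send them.
# NOTE: secure_redirects=0 on its own does not block redirects — it only
# removes the "must come from a known gateway" check, i.e. it loosens the
# default — so accept_redirects=0 is what actually disables them.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
# Log packets with impossible (martian) source addresses
net.ipv4.conf.all.log_martians=1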
#################
bem.. espero que agora tudo esteja resolvido. Isso aí funciona em empresa com aprox. 20 máquinas acessando tudo a que tem direito.
divirta-se.