Alguém que tem facilidade com regras do iptables poderia analizar o firewall abaixo, pois acabo de cria-lo, lendo um livro de Iptables, mas não ficou legal.
Já que a conexão da Internet esta bem lenta, e o acesso externo para um terminal server não está funcionando.
OBS: aqui a rede tem 4 sub-redes sendo elas 192.168.0.0/24. 192.168.2.0/24 192.168.3.0/24 e 192.168.4.0/24
Sendo que as redes 192.168.2.0/24 até 192.168.4.0/24 são Vlans criadas direto num switch gerenciaveis.
Só tem 2 interfaces de rede eth0=rede local e eth1= intenet.
#!/bin/bash
#
iniciar(){
echo "1" >/proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
#echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo "0" >/proc/sys/net/ipv4/conf/all/accept_source_route
#
iniciar(){
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_MASQUERADE
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
WAN_iface=eth1
LAN_iface=eth0
LAN_IP_range=192.168.0.0/16
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
##################################################
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i $LAN_iface -j ACCEPT
iptables -t filter -A INPUT -i $WAN_iface -j ACCEPT
iptables -t filter -A INPUT -m multiport -p tcp --dport 25,80,110,443,1554,1863,1900,2222,3389 -j ACCEPT
iptables -t filter -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
##################################################
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 0:1024 -j LOG --log-prefix "FWALL: 0:1024 "
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 0:1024 -j ACCEPT
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 1554 -j ACCEPT
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 1900 -j ACCEPT
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 1863 -j LOG --log-prefix "FWALL: 1863 "
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 1863 -j ACCEPT
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 2222 -j LOG --log-prefix "FWALL: 2222 "
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 2222 -j ACCEPT
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 3389 -j LOG --log-prefix "FWALL: 3389 "
iptables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 3389 -j ACCEPT
##################################################
itables -t filter -A FORWARD -s $LAN_IP_range -p tcp --dport 0:65535 -j DROP
iptables -t filter -A FORWARD -s $LAN_IP_range -p udp --dport 0:65535 -j DROP
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
##################################################
# Conectividade Social #
##################################################
iptables -t nat -I PREROUTING -p tcp --dport 80 -d 200.201.174.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -d 200.252.47.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -d 200.201.160.0/20 -j RETURN
iptables -t nat -I POSTROUTING -d 200.201.160.0/20 -j MASQUERADE
iptables -t filter -I FORWARD -d 200.201.160.0/20 -j ACCEPT
##################################################
# Direcionamentos #
##################################################
iptables -t nat -A PREROUTING -p tcp -i $WAN_iface --dport 3389 -j DNAT --to 192.168.0.4
iptables -t nat -A POSTROUTING -d 192.168.0.4 -j SNAT --to 192.168.0.1
#iptables -t nat -A PREROUTING -p tcp --dport 3389 -d 189.47.xxx.xxx -j DNAT --to 192.168.0.4
#iptables -t nat -A POSTROUTING -d 192.168.0.4 -j SNAT --to 192.168.0.1
##################################################
# Tratamento dos pacotes usando mangle #
##################################################
iptables -t mangle -A OUTPUT -o $WAN_iface -p tcp -m multiport --dports 3389 -j TOS --set-tos 16
iptables -t mangle -A PREROUTING -i $WAN_iface -p tcp -m multiport --dports 3389 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o $WAN_iface -p tcp -m multiport --dports 2222 -j TOS --set-tos 16
iptables -t mangle -A PREROUTING -i $WAN_iface -p tcp -m multiport --dports 2222 -j TOS --set-tos 16
################################################## ##################################################
iptables -t nat -A POSTROUTING -s $LAN_IP_range -o $WAN_iface -j MASQUERADE
##################################################
iptables -t nat -A PREROUTING -p tcp -i $LAN_iface --dport 80 -j REDIRECT --to-port 3128
echo "# Thanks a lot!."
exit 0;
}
parar(){
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
echo "Regras de firewall desativadas"
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use os parâtros start ou stop"
esac