bom dia, pessoal eu estou com um firewall e estou com uma duvida em uma regra, gostaria de uma ajuda, pois nao estou entendendo ela:
iptables -t nat -A POSTROUTING -s $IP_FIREWALL -d 0/0 -j MASQUERADE
O problema, e que, se eu tiro essa regra o firewall para de funcionar, nao deixando a navegacao e envio de email.
O firewall que esta rodando na maquina e esse:
#!/bin/sh
# variaveis
# Carrega os modulos necessarios
## Limpar Regras ##
iptables -F
iptables -Z
iptables -X
iptables -t nat -F
iptables -t filter -F
## Definindo politica default como drop ##
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
## Conexão estabelecida e relatada deve ser mantida ##
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Regras INPUT ##
# LIBERANDO O TRAFEGO DO INPUT NA LOOPBACK E REDE INTERNA #
iptables -A INPUT -i lo -j ACCEPT
iptables -t nat -A POSTROUTING -s $IP_FIREWALL -d 0/0 -j MASQUERADE
# postgrey
iptables -I INPUT -p tcp -m state --state NEW -s 127.0.0.1 --dport 60000 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 20:21 -j ACCEPT #FTP
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 22 -j ACCEPT #SSH
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 4022 -j ACCEPT #SSH
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 23 -j ACCEPT #TELNET
iptables -A INPUT -p udp -m state --state NEW -s $LOCALNET --dport 23 -j ACCEPT #TELNET
iptables -A INPUT -p udp -m state --state NEW -s $LOCALNET --dport 53 -j ACCEPT #DNS
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 53 -j ACCEPT #DNS
iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 110 -j ACCEPT #POP
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 143 -j ACCEPT #IMAP
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 5501 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 5502 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 5503 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -s $LOCALNET --dport 5222 -j ACCEPT
# Liberando portas do firewall
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 20:21 -j ACCEPT #FTP
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 22 -j ACCEPT #SSH
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 4022 -j ACCEPT #SSH
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 80 -j ACCEPT #HTTP
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 143 -j ACCEPT #IMAP
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 5501 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 5502 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 5503 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -i $INET --dport 5222 -j ACCEPT
## Regras FORWARD ##
# libera msn
iptables -A FORWARD -s 192.168.0.4 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.4 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.19 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.19 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.3 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.3 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.22 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.22 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.43 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.43 -d loginnet.passport.com -j ACCEPT
#iptables -A FORWARD -s 192.168.0.44 -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.44 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.14 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.14 -d loginnet.passport.com -j ACCEPT
# bloqueia MSN
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -p tcp -m state --state NEW -s $LOCALNET --dport 20:21 -j ACCEPT #FTP
iptables -A FORWARD -p tcp -m state --state NEW -s $LOCALNET --dport 22 -j ACCEPT #SSH
iptables -A FORWARD -p tcp -m state --state NEW -s $LOCALNET --dport 4022 -j ACCEPT #SSH
# regras para email
iptables -A FORWARD -p tcp --dport 25 -j DROP
IP_OF_MTA_HOST=200.175.55.18
iptables -A FORWARD -p tcp -s $IP_OF_MTA_HOST --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j LOG
iptables -A FORWARD -p tcp --dport 25 -j DROP
iptables -A FORWARD -p tcp -m state --state NEW -s $LOCALNET --dport 80 -j ACCEPT #HTTP
iptables -A FORWARD -p tcp -m state --state NEW -s $LOCALNET --dport 110 -j ACCEPT #POP
iptables -A FORWARD -p tcp -m state --state NEW -s $LOCALNET --dport 143 -j ACCEPT #IMAP
# Regra pra Outlook transformar Nome que ele possui no servoidor smtp e pop em um Ip: #
iptables -A FORWARD -p udp -s $LOCALNET -d $DNSP --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s $LOCALNET -d $DNSS --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s $DNSP --sport 53 -d $LOCALNET -j ACCEPT
iptables -A FORWARD -p udp -s $DNSS --sport 53 -d $LOCALNET -j ACCEPT
iptables -A FORWARD -j DROP
## Maquinas que nao passam pelo squid ##
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.229 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.62 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.52 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.4 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.39 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.3 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.5 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.29 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.22 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.146 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.48 -p tcp --dport 80 -j ACCEPT
# Serviços que a máquina precisará redirecionar (Transparent proxy)
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp --syn --dport 3128 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --syn --dport 3128 -j DROP
iptables -t nat -A PREROUTING -i eth1 -d ! 200.201.174.0/24 \-p tcp --dport 80 -j REDIRECT --to-ports 3128
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -s 127.0.0.1 -p tcp --syn -j ACCEPT