Página 1 de 2 12 ÚltimoÚltimo
+ Responder ao Tópico



  1. Alguem pode me ajudar a montar um firewall com controle de ip x mac que não impessa do squid rodar?
    Pos montei um so que o squid não roda a 3128 ou seja nao navega
    fico grato com sua colaboração.
    firewall que montei:

    #!/bin/sh

    #Router=eth0
    #Via Cabo=eth1
    #Empresarial=eth2
    #Residencial=eth3

    # Ativa modulos
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_conntrack
    modprobe ip_nat_ftp
    modprobe ipt_REJECT
    modprobe ipt_MASQUERADE

    # Zera regras
    iptables -F
    iptables -X
    iptables -F -t nat
    iptables -X -t nat
    iptables -F -t filter
    iptables -X -t filter


    # Determina a política padrão
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # Aceita os pacotes que realmente devem entrar
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Liberando portas
    #SSH
    iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
    #FTP
    iptables -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
    #SMTP
    iptables -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
    #DNS
    iptables -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
    #PORTA SQUID 3128
    iptables -A INPUT -p tcp -s 0/0 --dport 3128 -j ACCEPT
    iptables -A INPUT -p udp -s 0/0 --dport 3128 -j ACCEPT
    #POP3
    iptables -A INPUT -p tcp -s 0/0 --dport 110 -j ACCEPT
    #WEB
    iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 6080 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    #Webmin
    iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
    iptables -A INPUT -p udp --dport 10000 -j ACCEPT


    #Proteção contra Syn-floods
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

    #Proteção contra port scanners ocultos
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    #Proteção contra ping da morte
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    #Libera o loopback
    iptables -A OUTPUT -p tcp -s 127.0.0.1/8 -j ACCEPT

    #Fazendo redirecionamento de portas
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to port 3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 3128

    # Controle de acesso IP X MAC

    #Liberando MAC x IP dos clientes

    #via cabo
    #Via SATT
    iptables -t filter -A FORWARD -d 0/0 -s 192.168.0.2 -m mac --mac-source 00:07:95:F9:2BF -j ACCEPT
    iptables -t filter -A FORWARD -d 192.168.0.2 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 192.168.0.2 -d 0/0 -m mac --mac-source 00:07:95:F9:2BF -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.0.2 -o eth0 -j MASQUERADE

    #Fabricia - Loja Frente
    iptables -t filter -A FORWARD -d 0/0 -s 192.168.1.2 -m mac --mac-source 00:0D:61:398:96 -j ACCEPT
    iptables -t filter -A FORWARD -d 192.168.1.2 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 192.168.1.2 -d 0/0 -m mac --mac-source 00:0D:61:398:96 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0 -j MASQUERADE

    #cyber_baixo
    iptables -t filter -A FORWARD -d 0/0 -s 192.168.2.2 -m mac --mac-source 00:50:BF:45D:6E -j ACCEPT
    iptables -t filter -A FORWARD -d 192.168.2.2 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 192.168.2.2 -d 0/0 -m mac --mac-source 00:50:BF:45D:63 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.2.2 -o eth0 -j MASQUERADE

    #via radio pessoa fisica
    #Wilton - meu cunhado
    iptables -t filter -A FORWARD -d 0/0 -s 193.168.1.2 -m mac --mac-source 00:0D:88:9D:B7:9E -j ACCEPT
    iptables -t filter -A FORWARD -d 193.168.1.2 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 193.168.1.2 -d 0/0 -m mac --mac-source 00:0D:88:9D:B7:9E -j ACCEPT
    iptables -t nat -A POSTROUTING -s 193.168.1.2 -o eth0 -j MASQUERADE

    #Jose Evangelista - ZEZE
    iptables -t filter -A FORWARD -d 0/0 -s 193.168.0.2 -m mac --mac-source 00:0F:3D:40:CA:82 -j ACCEPT
    iptables -t filter -A FORWARD -d 193.168.0.2 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 193.168.0.2 -d 0/0 -m mac --mac-source 00:0F:2D:40:CA:82 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 193.168.0.2 -o eth0 -j MASQUERADE

    #Clodoheldo
    iptables -t filter -A FORWARD -d 0/0 -s 193.168.2.2 -m mac --mac-source 00:E0:4C:6C:28:B2 -j ACCEPT
    iptables -t filter -A FORWARD -d 193.168.2.2 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 193.168.2.2 -d 0/0 -m mac --mac-source 00:E0:4C:6C:28:B2 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 193.168.2.2 -o eth0 -j MASQUERADE

    #via radio empresarial
    #Net Games 1
    iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.16 -m mac --mac-source 00:E0:7D:CB:14:89 -j ACCEPT
    iptables -t filter -A FORWARD -d 194.168.0.16 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 194.168.0.16 -d 0/0 -m mac --mac-source 00:E0:7D:CB:14:89 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 194.168.0.16 -o eth0 -j MASQUERADE

    #Net Games 2
    iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.17 -m mac --mac-source 00:08:54:19:03:29 -j ACCEPT
    iptables -t filter -A FORWARD -d 194.168.0.17 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 194.168.0.17 -d 0/0 -m mac --mac-source 00:08:54:19:03:29 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 194.168.0.17 -o eth0 -j MASQUERADE

    #Net Games 3
    iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.18 -m mac --mac-source 00:54:FC:81:0C:FA -j ACCEPT
    iptables -t filter -A FORWARD -d 194.168.0.18 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 194.168.0.18 -d 0/0 -m mac --mac-source 00:54:FC:81:0C:FA -j ACCEPT
    iptables -t nat -A POSTROUTING -s 194.168.0.18 -o eth0 -j MASQUERADE

    #Net Games 4
    iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.19 -m mac --mac-source 00:08:54:18:ED:49 -j ACCEPT
    iptables -t filter -A FORWARD -d 194.168.0.19 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 194.168.0.19 -d 0/0 -m mac --mac-source 00:08:54:18:ED:49 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 194.168.0.19 -o eth0 -j MASQUERADE

    #Net Games 8
    iptables -t filter -A FORWARD -d 0/0 -s 194.168.0.29 -m mac --mac-source 00:08:54:18:ED:46 -j ACCEPT
    iptables -t filter -A FORWARD -d 194.168.0.29 -s 0/0 -j ACCEPT
    iptables -t filter -A INPUT -s 194.168.0.29 -d 0/0 -m mac --mac-source 00:08:54:18:ED:46 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 194.168.0.29 -o eth0 -j MASQUERADE


    #Compartilha a conexão
    echo 1 > /proc/sys/net/ipv4/ip_forward

    #Fecha o resto
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP

  2. Mas e essas outras portas abertas tao funcionando ???



  3. #3
    sim estão rodando direito...

  4. E o teu proxy ta rodando legalzinho ???

    So pra fazer um teste poe INPUT nessa regra

    #Libera o loopback
    iptables -A INPUT -p tcp -s 127.0.0.1/8 -j ACCEPT

    Valeu !!!



  5. #5
    o squid ta rodando file!!!
    agora fix oq c pediu pra fazer o teste e continuo do mesmo jeito
    no navegador diz q
    site da web encontrado e nao sai disso
    veio add esse msn tianguapontocom@hotmail.com






Tópicos Similares

  1. AP2000 com controle de MAC via Freeradius
    Por e-eduardo no fórum Redes
    Respostas: 1
    Último Post: 31-10-2006, 17:30
  2. AP COM CONTROLE DE MAC MIKROTIK
    Por squid_br no fórum Redes
    Respostas: 2
    Último Post: 18-10-2006, 15:17
  3. Star-os Controle de Mac e IP
    Por maylenon no fórum Redes
    Respostas: 13
    Último Post: 19-07-2005, 22:37
  4. Controle de MAC X IP usando ARP
    Por cleciorodrigo no fórum Servidores de Rede
    Respostas: 3
    Último Post: 27-06-2005, 07:55
  5. Firewall com controle de portas
    Por haas no fórum Servidores de Rede
    Respostas: 2
    Último Post: 29-03-2004, 15:27

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L