Olá galera sou iniciante na area de firewall mas to montando um legalzinho.. Tenho 4 interfaces e 3 redes.. Estou com um probleminha basico que acho que e muito mais macete do que tecnico. Nao consigo fazer com que meu servidor pigue em uma maquina internet visto que antes de chegar a internet ainda temos 1 roteador. O que acontece é o seguinte, pingo num site(under-linux.org), resolve o nome no dns interno mas nao consegue passar os pacotes, daí quando libero a tabela INPUT geral iptables -P INPUT -ACCEPT funciona.... COmo resolver???? Alguem pode me dar um help??? Segue abaixo meu script. Abraços

#INICIANDO AS VARIAVEIS
#GATEWAY DA REDE
gateway="10.2.0.1"

# Interface da INTERNET
linkip="172.31.2.162"
linkif="eth3"

# Interface Laboratorio
labnet="10.1.0.0/16"
labip="10.2.0.1"
labif="eth1"

# Iterface ADM
admnet="10.2.0.0/16"
admip="10.2.0.1"
admif="eth0"

# Interface DIGITACAO
digitanet="192.168.3.0/24"
digitaip="192.168.3.1"
digitaif="eth2"

# Servidores

cavdados="10.2.0.2"
cavlablab="10.1.0.4"
cavlabadm="10.2.0.4"
cavrm="10.2.0.3"
cavnetlab="10.1.0.1"
cavnetadm="10.2.0.1"
cavnetdigita="192.168.3.1"

# Passo 1: Limpando as regras
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
echo "Cleaning all rules .........................[ OK ]"

# Definindo as politicas default das cadeias
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo "Setting default rules.......................[ OK ]"

# Passo 2: Desabilitando o trafego IP entre as placas de rede
#echo "0" > /proc/sys/net/ipv4/ip_forward
echo "Setting ip_forward: OFF.....................[ OK ]"

# Configurando a protecao anti-spoofing
#for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo "1" > $spoofing
#done
echo "Setting anti-spoofing protection............[ OK ]"

# ANTI-ROUTINGREDIRECT
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Setting anti-redirects.....................[ OK ]"

# ANTI-ATACK
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "ANTI-ATACK setting is ON...................[ OK ]"

##################################################
# Iniciando protecao de ENTRADA PARA O SERVIDOR
#################################################

iptables -A INPUT -i lo -j ACCEPT

#Trafego vindo do roteador
#iptables -A INPUT -s $gateway -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

iptables -A INPUT -s $gateway -j ACCEPT

#PORTA 80

iptables -A INPUT -s $admnet -p tcp --dport 80 -j ACCEPT

#PORTA 22

iptables -A INPUT -s $admnet -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s $digitanet -p tcp --dport 22 -j ACCEPT

#PORTA 10000 - WEBMIN

iptables -A INPUT -s $admnet -p tcp --dport 10000 -j ACCEPT

#PORTA 53 - DNS INTERNO

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

#PORTA 443 - SSL

iptables -A INPUT -s $admnet -p tcp --dport 443 -j ACCEPT

#PORTA 137,138,139 - NETBIOS SAMBA

iptables -A INPUT -s $admnet -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s $admnet -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s $admnet -p tcp --dport 139 -j ACCEPT

#PORTA 901 - MODULO SWAT
iptables -A INPUT -s $admnet -p tcp --dport 901 -j ACCEPT

#PORTA 3128 - SQUID
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

# PACOTES DE CONEXAO ACEITO
#iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

#Faz log de invasoes no INPUT e BLOQUEIA
iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT"
iptables -A INPUT -j DROP

echo "Setting rules for INPUT chain................[ OK ]"

###############################################################
#REGRAS MASCARAMENTO###########################################
##############################################################

#Ativando mascaramento (nat)
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.2.0.9 -o $linkadm -j MASQUERADE

echo "Ativando mascaramento para rede ADM.................[ OK ]"

#iptables -t nat -A POSTROUTING -s $digitanet -o $linkif -j MASQUERADE
echo "Ativando mascaramento para rede DIGITACAO...........[ OK ]"

#MASCARAMENTOS ESPECIAIS
#BIBLIOTECA
#iptables -t nat -A POSTROUTING -s 10.1.5.10 -o $linkif -j MASQUERADE
#SETED
#iptables -t nat -A POSTROUTING -s 10.1.5.50 -o $linkif -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.1.6.0/16 -o $linkif -j MASQUERADE

##############################################################
# REGRAS FORWARD
###############################################################


#PORTA 3128 - Aceita SQUID
#Rede ADM
#iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 3128 -j ACCEPT
#Rede Lab
#iptables -A FORWARD -s $labnet -o $linkif -p tcp --dport 3128 -j ACCEPT
#Rede Digita
#iptables -A FORWARD -s $digitanet -o linkif -p tcp --dport 3128 -j ACCEPT

#PORTA 53 - DNS EXTERNO
iptables -A FORWARD -s $admnet -o $linkif -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p udp --dport 53 -j ACCEPT


#PORTA 110 - POP3
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 110 -j ACCEPT

#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 110 -j ACCEPT


#PORTA 25 - SMTP
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 25 -j ACCEPT

#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 25 -j ACCEPT


#PORTA 443 - https
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 443 -j ACCEPT

#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 443 -j ACCEPT


#PORTA 995 - SSL
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 995 -j ACCEPT

#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 995 -j ACCEPT



#PORTA 21 - FTP
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 21 -j ACCEPT

#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 21 -j ACCEPT


##TESTE

#iptables -A FORWARD -s 10.2.0.6 -d 10.1.0.100 -j ACCEPT
#iptables -A FORWARD -s 10.1.0.100 -d 10.2.0.6 -j ACCEPT


# SOCKETS VALIDOS NA CONEXAO
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


############################################################
# LIBERANDO TRAFEGO ENTRE AS REDES
###########################################################

#ADM/LAB
#SMB
iptables -A FORWARD -s $admnet -d $labnet -p tcp --dport 137 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p tcp --dport 138 -j ACCEPT

iptables -A FORWARD -s $admnet -d $labnet -p tcp --dport 138 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p tcp --dport 138 -j ACCEPT

iptables -A FORWARD -s $admnet -d $labnet -p tcp --dport 139 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p tcp --dport 139 -j ACCEPT

iptables -A FORWARD -s $admnet -d $labnet -p udp --dport 137 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p udp --dport 138 -j ACCEPT

iptables -A FORWARD -s $admnet -d $labnet -p udp --dport 138 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p udp --dport 138 -j ACCEPT

iptables -A FORWARD -s $admnet -d $labnet -p udp --dport 139 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p udp --dport 139 -j ACCEPT

iptables -A FORWARD -s $admnet -d $labnet -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p tcp --dport 445 -j ACCEPT

iptables -A FORWARD -s $admnet -d $labnet -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -j ACCEPT





#iptables -A FORWARD -s $admnet -p tcp -j ACCEPT

#Habilitando trafego IP
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "Setting ip_forward: ON..........................[ OK ]"
#route add default gw $gateway
echo "Gateway padrao setado............................[ OK ]"
echo "FIREWALL em funcionamento.......................[ OK ]"



exit 0