Hi everyone, I'm implementing a firewall with iptables for MAC x IP control. It is working, and I'd like your opinion on what could be improved. Below are the rules from my firewall file:
To make it work I use one file containing the status, IP and MAC. Example of the maclisti.conf file:
a;192.0.0.2;00:0E:2E:74:82:11
and the settings in my firewall file, firewall.conf, are as follows:
#!/bin/bash
#### Set the variables
IPT=/usr/sbin/iptables
MACLIST=/etc/rc.d/macslist.conf
#### Load the iptables modules (before any rule that needs them)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ipt_conntrack
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
#### Enable routing
echo "1" > /proc/sys/net/ipv4/ip_forward
#### Flush the rules
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t filter -P FORWARD DROP
#### One client per line of the list: status;ip;mac
while IFS=';' read -r STATUS IPSOURCE MACSOURCE; do
    #### Check the client's MAC x IP
    if [ "$STATUS" = "a" ]; then
        $IPT -t filter -A FORWARD -d 0/0 -s $IPSOURCE -m mac --mac-source $MACSOURCE -j ACCEPT
        $IPT -t filter -A FORWARD -d $IPSOURCE -s 0/0 -j ACCEPT
        $IPT -t nat -A POSTROUTING -s $IPSOURCE -d 0/0 -j MASQUERADE
        $IPT -t filter -A INPUT -s $IPSOURCE -d 0/0 -m mac --mac-source $MACSOURCE -j ACCEPT
        $IPT -t filter -A OUTPUT -s $IPSOURCE -d 0/0 -j ACCEPT
        #### Conectividade Social by Willian ([email protected])
        $IPT -A INPUT -p tcp -s $IPSOURCE --sport 1024:65535 -d 200.201.173.0/24 --dport 80 -j ACCEPT
        $IPT -A INPUT -p tcp -s $IPSOURCE --sport 1024:65535 -d 200.201.174.0/24 --dport 80 -j ACCEPT
        $IPT -A INPUT -p tcp -s $IPSOURCE --sport 1024:65535 -d 200.201.166.0/24 --dport 80 -j ACCEPT
        #### These nat ACCEPTs come before the REDIRECT, so this traffic bypasses the proxy
        $IPT -t nat -A PREROUTING -p tcp -s $IPSOURCE --sport 1024:65535 -d 200.201.173.0/24 --dport 80 -j ACCEPT
        $IPT -t nat -A PREROUTING -p tcp -s $IPSOURCE --sport 1024:65535 -d 200.201.174.0/24 --dport 80 -j ACCEPT
        $IPT -t nat -A PREROUTING -p tcp -s $IPSOURCE --sport 1024:65535 -d 200.201.166.0/24 --dport 80 -j ACCEPT
        #### Transparent proxy
        $IPT -t nat -A PREROUTING -s $IPSOURCE -p tcp --dport 80 -j REDIRECT --to-port 8080
    #### Block
    else
        $IPT -t filter -A FORWARD -m mac --mac-source $MACSOURCE -j DROP
        $IPT -t filter -A INPUT -m mac --mac-source $MACSOURCE -j DROP
        #### The mac match is only valid in PREROUTING, INPUT and FORWARD; iptables rejects
        #### "--mac-source" in OUTPUT, so no OUTPUT rule is added here (the INPUT DROP above
        #### already stops the blocked client from reaching the firewall itself)
    fi
done < "$MACLIST"
Thanks for everyone's help
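One thing the script above trusts completely is the contents of the list file: a blank IP field or a mistyped MAC goes straight into an iptables command inside the loop, which either aborts the rule load half-way or produces a rule that does not say what was intended. The script below is an added example, not part of the original post or of the poster's firewall: it checks every "status;ip;mac" line, prints the iptables commands the list would produce (a dry run, nothing is executed), and returns non-zero if any line was rejected so a caller can refuse to load a partly bad list. The chain layout, the "a" status and the REDIRECT port follow the posted script; the function names, the `IPT` override and the sample list are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): validate a "status;ip;mac" list
# and print the iptables commands it would generate, without running them.
# IPT may be overridden in the environment; the default mirrors the post.

IPT=${IPT:-/usr/sbin/iptables}

# valid_ipv4 ADDR: true when ADDR is a dotted quad with every octet in 0..255
valid_ipv4() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_mac ADDR: true for six colon-separated hex pairs (the form -m mac expects)
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_rules: reads the list on stdin, prints one iptables command per line for
# each well-formed entry, reports rejected entries on stderr and returns 1 if
# any entry was rejected. A stray fourth field (or a CR from a DOS line ending,
# which lands in the MAC field) is rejected as well.
gen_rules() {
    bad=0
    lineno=0
    while IFS=';' read -r status ip mac extra; do
        lineno=$((lineno + 1))
        # blank lines and comments are skipped, not rejected
        case $status in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_ipv4 "$ip" || ! valid_mac "$mac"; then
            echo "line $lineno rejected: '$status;$ip;$mac'" >&2
            bad=1
            continue
        fi
        case $status in
            a)  # active client: allow by IP+MAC, masquerade, transparent proxy
                echo "$IPT -A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
                echo "$IPT -A FORWARD -d $ip -j ACCEPT"
                echo "$IPT -t nat -A POSTROUTING -s $ip -j MASQUERADE"
                echo "$IPT -t nat -A PREROUTING -s $ip -p tcp --dport 80 -j REDIRECT --to-port 8080"
                ;;
            *)  # any other status: drop the MAC in the chains where -m mac is valid
                echo "$IPT -A FORWARD -m mac --mac-source $mac -j DROP"
                echo "$IPT -A INPUT -m mac --mac-source $mac -j DROP"
                ;;
        esac
    done
    return $bad
}

# sample_list: constructed input with one active, one blocked and two bad lines
# (an octet above 255, and an empty IP field)
sample_list() {
    printf '%s\n' \
        'a;192.0.0.2;00:0E:2E:74:82:11' \
        'b;192.0.0.3;00:0E:2E:74:82:12' \
        'a;192.0.0.999;00:0E:2E:74:82:13' \
        'a;;00:0E:2E:74:82:14'
}

# Dry run: print the rules and report whether the whole list was accepted.
if sample_list | gen_rules; then
    echo "list accepted" >&2
else
    echo "list has errors, nothing should be loaded" >&2
fi
```

Run as `gen_rules < /etc/rc.d/macslist.conf` to check a real list; only when it returns 0 should the output be piped into `sh` (or the same checks be placed in front of the loop in firewall.conf). Rejecting the whole list rather than silently skipping bad lines is deliberate: a skipped "a" line leaves a client without access, but a skipped block line leaves a client unblocked.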