Aí, depois de uma madruga de testes, resolvi todos os problemas. Bom, realmente o FORWARD precisa ficar aberto, logo mudei essa política. Ficou assim:
#!/bin/bash
# Autor: RENAN DE SOUZA RODRIGUES - [email protected]
# Agradecimentos: www.guiadohardware.net ; under-linux.org
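#######################################
# Apply the firewall: default-DROP on INPUT/OUTPUT, FORWARD left open,
# explicit holes for DHCP (eth1), HTTP/HTTPS, FTP, SSH and DNS (eth0),
# the two local subnets and loopback, a few ipv4 sysctls, then NAT
# (masquerade out of eth0, transparent proxy redirect on eth1 -> 3128).
# Globals:   writes /proc/sys/net/ipv4/* sysctls
# Arguments: none
# Outputs:   iptables/modprobe diagnostics on stderr, if any
# Returns:   status of the last iptables command
#######################################
firewall_start()
{
  local ipt=/usr/sbin/iptables

  # Start from empty tables. Without this, running "start" twice, or
  # "restart" (whose "stop" step also installs the NAT rules), leaves
  # duplicate MASQUERADE/REDIRECT entries in the nat table.
  "$ipt" -F
  "$ipt" -t nat -F
  "$ipt" -X

  # Altera a politica de INPUT FORWARD OUTPUT
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD ACCEPT
  "$ipt" -P OUTPUT DROP

  # NOTE(review): every INPUT rule below that matches only on --sport
  # (20, 21, 22, 53, 80, 443) accepts any inbound packet that merely
  # claims that source port; it is not tied to a connection this host
  # opened. The usual replacement is a stateful rule
  # (-m state --state ESTABLISHED,RELATED -j ACCEPT), but that changes
  # which packets are admitted, so it is flagged here rather than applied.

  # Abre para o DHCPD
  "$ipt" -A INPUT -i eth1 -p udp --sport 68 -j ACCEPT
  "$ipt" -A OUTPUT -o eth1 -p udp --dport 68 -j ACCEPT
  "$ipt" -A INPUT -i eth1 -p udp --sport 67 -j ACCEPT
  "$ipt" -A OUTPUT -o eth1 -p udp --dport 67 -j ACCEPT

  # Abre o HTTPD (these four also cover the outbound HTTP client case)
  "$ipt" -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
  "$ipt" -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT

  # Abre para uma faixa de endereços da rede local
  "$ipt" -A INPUT -i eth0 -p all -s 134.41.35.0/255.255.255.0 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p all -d 134.41.35.0/255.255.255.0 -j ACCEPT
  "$ipt" -A INPUT -i eth0 -p all -s 192.168.0.0/255.255.255.0 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p all -d 192.168.0.0/255.255.255.0 -j ACCEPT
  "$ipt" -A INPUT -i eth1 -p all -s 134.41.35.0/255.255.255.0 -j ACCEPT
  "$ipt" -A OUTPUT -o eth1 -p all -d 134.41.35.0/255.255.255.0 -j ACCEPT
  "$ipt" -A INPUT -i eth1 -p all -s 192.168.0.0/255.255.255.0 -j ACCEPT
  "$ipt" -A OUTPUT -o eth1 -p all -d 192.168.0.0/255.255.255.0 -j ACCEPT

  # Abre para a interface de loopback.
  "$ipt" -A INPUT -i lo -s 127.0.0.1/255.255.255.255 -j ACCEPT
  "$ipt" -A OUTPUT -o lo -d 127.0.0.1/255.255.255.255 -j ACCEPT

  # FTP Cliente
  "$ipt" -A INPUT -i eth0 -p tcp --sport 20 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --dport 20 -j ACCEPT
  "$ipt" -A INPUT -i eth0 -p tcp --sport 21 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --dport 21 -j ACCEPT

  # FTP Servidor
  "$ipt" -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --sport 20 -j ACCEPT
  "$ipt" -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --sport 21 -j ACCEPT

  # SSH Servidor
  "$ipt" -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

  # SSH Cliente
  "$ipt" -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
  "$ipt" -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT

  # DNS Cliente
  "$ipt" -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
  "$ipt" -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT

  # Libera o HTTPS (the HTTP pair was a duplicate of the HTTPD rules above)
  "$ipt" -A INPUT -i eth0 -p tcp --sport 443 -j ACCEPT
  "$ipt" -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT

  # Ignora mais algumas coisas ruins
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
  # NOTE(review): net.ipv4.ip_forward is never set here; masquerading
  # below only works if forwarding is enabled elsewhere — confirm.

  # Compartilha a internet com proxy e carrega modulos necessarios
  # Older kernels name the FTP helpers ip_conntrack_ftp/ip_nat_ftp,
  # newer ones nf_conntrack_ftp/nf_nat_ftp; try the old name first.
  modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
  modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
  modprobe iptable_nat
  "$ipt" -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  "$ipt" -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
}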
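#######################################
# Remove all filtering (flush both tables, delete user chains, ACCEPT
# policies) but keep internet sharing alive: the NAT rules are
# re-installed, so eth1 clients are still masqueraded out of eth0 and
# their port-80 traffic is still redirected to the proxy on 3128.
# Globals:   none
# Arguments: none
# Outputs:   iptables/modprobe diagnostics on stderr, if any
# Returns:   status of the last iptables command
#######################################
firewall_stop()
{
  local ipt=/usr/sbin/iptables

  "$ipt" -F
  "$ipt" -t nat -F
  "$ipt" -X
  "$ipt" -t nat -X
  "$ipt" -P INPUT ACCEPT
  "$ipt" -P FORWARD ACCEPT
  "$ipt" -P OUTPUT ACCEPT

  # Compartilha a internet com proxy
  # Same full path as the filter rules: a bare "iptables" depends on the
  # caller's PATH, which init scripts do not always have.
  # Older kernels name the FTP helpers ip_conntrack_ftp/ip_nat_ftp,
  # newer ones nf_conntrack_ftp/nf_nat_ftp; try the old name first.
  modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
  modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
  modprobe iptable_nat
  "$ipt" -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  "$ipt" -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
}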
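# Entry point: start | stop | restart | status; anything else lists the
# filter table (kept for backward compatibility with callers that pass
# no argument).
case "${1:-}" in
  "start")
    firewall_start
    echo "Firewall is running."
    ;;
  "stop")
    firewall_stop
    echo "Firewall is NOT running."
    ;;
  "restart")
    firewall_stop
    sleep 1
    firewall_start
    echo "Firewall was restarted and it is running."
    ;;
  "status")
    # Show both tables so the NAT/redirect rules are visible too.
    /usr/sbin/iptables -L -n -v
    /usr/sbin/iptables -t nat -L -n -v
    ;;
  *)
    /usr/sbin/iptables -L -n
    ;;
esac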
É isso aí galera! Problemas resolvidos totalmente!! Tudo rodando perfeitamente. Valeu pelas opiniões.
[]'s