Tenho um servidor com iptables, NAT e proxy para filtrar toda minha rede. O problema é: colocando um determinado ip (ou end www ou bloqueio de portas...) nas regras de INPUT DROP ou FORWARD DROP do iptables, os computadores que estam atras desse não sofrem alteração alguma, ou seja, eles ainda acessam o site ou o ip ou as portas... Aparentemente a camada do NAT é superior ao iptables e este ultimo nada filtra senão o tráfego da propria máquina. Poderia usar o iptables em todas as máquinas da minha rede (são todas Slack!! hehe!! , mas a idéia do firewall centralizado vai para o espaço! Será que alguem sabe o acontece aqui, tem alguma idéia ou algo assim? Valeu!
Segue o firewall que estou usando:
#!/bin/bash

firewall_start()
{
# Altera a politica de INPUT FORWARD
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT DROP

# Abre o DHCPD
/usr/sbin/iptables -A INPUT -i eth1 -p udp --sport 68 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p udp --dport 68 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -p udp --sport 67 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p udp --dport 67 -j ACCEPT

# Abre o TFTP
/usr/sbin/iptables -A INPUT -i eth1 -p tcp --sport 69 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p tcp --dport 69 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -p udp --sport 69 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p udp --dport 69 -j ACCEPT

# Abre para uma faixa de endereços da rede local
/usr/sbin/iptables -A INPUT -i eth1 -p all -s 10.0.0.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p all -d 10.0.0.0/255.255.255.0 -j ACCEPT

# Abre para a interface de loopback.
/usr/sbin/iptables -A INPUT -i lo -s 127.0.0.1/255.255.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -d 127.0.0.1/255.255.255.255 -j ACCEPT

# Abre o HTTPD
#/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
#/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
#/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
#/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT

# FTP Cliente
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 20 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 20 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 21 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 21 -j ACCEPT

# FTP Servidor
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 20 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 21 -j ACCEPT

# SSH Servidor
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT

# SSH Cliente
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT

# DNS Cliente
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT

# Libera o HTTP e o HTTPS
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 443 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT

# Libera o pop3 e smtp
#/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 110 -j ACCEPT
#/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 110 -j ACCEPT
#/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 25 -j ACCEPT
#/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT

# Bloqueio do https-orkut <- não bloqueia nas clientes!!
/usr/sbin/iptables -A FORWARD -d 64.233.171.86 -j DROP
/usr/sbin/iptables -A INPUT -s 64.233.171.86 -d 10.0.0.0/24 -j DROP
/usr/sbin/iptables -A OUTPUT -d 64.233.171.86 -s 10.0.0.0/24 -j DROP
/usr/sbin/iptables -A FORWARD -d 64.233.171.85 -j DROP
/usr/sbin/iptables -A INPUT -s 64.233.171.85 -d 10.0.0.0/24 -j DROP
/usr/sbin/iptables -A OUTPUT -d 64.233.171.85 -s 10.0.0.0/24 -j DROP

# Bloquia sites do tipo proxy anonimo e etc...
#/usr/local/squid/bin/bloqueia_proxy

# Ignora mais algumas coisas ruins
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route

/usr/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/usr/sbin/iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
/usr/sbin/iptables -A FORWARD -m unclean -j DROP
/usr/sbin/iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j DROP
/usr/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/usr/sbin/iptables -A INPUT -i eth0 -p udp -j REJECT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP
/usr/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p icmp -j REJECT --reject-with icmp-host-unreachable

}

firewall_stop()
{
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -X
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT

}

case "$1" in
"start")firewall_start;
echo "Firewall is runnig.";;

"stop")firewall_stop;
echo "Firewall is NOT runnig.";;

"restart")firewall_stop;
sleep 1;
firewall_start;
echo "Firewall was restarted and it is runnig.";;

*)/usr/sbin/iptables -L -n;;
esac

# Roteamento milagroso para ALUNOS
#echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
#echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

# Compartilha a internet com proxy e carrega modulos necessarios
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #compartilha net
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3222 #redireciona para o proxy