Hey folks.... I solved my problems... I'll pass the scripts on to you. I don't know whether it will solve it for you; for me it's fine now.. Thanks in advance for everyone's help. I REMIND YOU THAT I ALSO DON'T KNOW WHETHER I'M PROTECTED THIS WAY, I JUST KNOW THAT MESSENGER IS DEAD.
#!/bin/bash
# FIREWALL
firewall_start(){
# Accept everything from the local network address range
iptables -A INPUT -p tcp -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.0/255.255.255.0 -j ACCEPT
#============================ BLOCK MESSENGER AND OTHERS =====================================
# Drops forwarded LAN traffic to every unprivileged port (1024-65535). That covers
# Messenger (port 1863) but also any other service on a high port, e.g. passive FTP data connections.
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 1024:65535 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 1024:65535 -j DROP
#===============================================================================================
# Opens a port (including to the Internet)
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
# Opens a port (including to the Internet)
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
# Opens a port (including to the Internet)
iptables -A INPUT -p tcp --destination-port 8080 -j ACCEPT
# Ignore pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Protect against SYN flood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Protection against ICMP broadcast (smurf) requests
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Block traceroute
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
# Assorted protections against port scanners, ping of death, DoS attacks, etc.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
# The "unclean" match needs the experimental ipt_unclean module; on kernels without it this line simply fails
iptables -A FORWARD -m unclean -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
# Chain that drops TCP packets with impossible flag combinations (typical of scan probes)
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
# The chain only takes effect if packets are sent to it: jump into it at the head of INPUT and FORWARD
iptables -I INPUT -p tcp -j VALID_CHECK
iptables -I FORWARD -p tcp -j VALID_CHECK
# Accept the loopback interface.
# This rule is essential for KDE and other graphical programs to work properly.
#iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
#=============================================================================================================#
#************************ EXCEPTION FOR CAIXA SEFIP CNS ******************************************************#
#=============================================================================================================#
iptables -A INPUT -p all -s 200.201.166.200 -j ACCEPT
iptables -A INPUT -p all -s 200.152.40.23 -j ACCEPT
iptables -A INPUT -p all -s 200.152.40.50 -j ACCEPT
iptables -A FORWARD -p all -s 200.201.166.200 -j ACCEPT
iptables -A FORWARD -p all -s 200.151.40.23 -j ACCEPT
iptables -A FORWARD -p all -s 200.151.40.50 -j ACCEPT
iptables -A INPUT -p all -s 200.201.174.207 -j ACCEPT
iptables -A FORWARD -p all -s 200.201.174.207 -j ACCEPT
iptables -A INPUT -p all -s 200.201.174.204 -j ACCEPT
iptables -A FORWARD -p all -s 200.201.174.204 -j ACCEPT
iptables -A INPUT -p all -s 200.201.173.68 -j ACCEPT
iptables -A FORWARD -p all -s 200.201.173.68 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 3128 -m state --state NEW -j ACCEPT
# MASQUERADING FOR THE CNS
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.202 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.203 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.204 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.205 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.206 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.207 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.208 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.209 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.252.47.237 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.166.100 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 200.201.174.68 -j MASQUERADE
iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -s 200.201.173.68 -j MASQUERADE
# ACCEPT in the nat table ends PREROUTING processing for these destinations,
# so any port-80 REDIRECT to the proxy placed after these lines does not apply to them
iptables -t nat -I PREROUTING -s 192.168.1.0/24 -d 200.201.174.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.0/24 -d 200.201.173.0/24 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.0/24 -d 200.201.166.0/24 -j ACCEPT
#=========================================================================================================================#
#****************************** END **************************************************************************************#
#=========================================================================================================================#
# Closes UDP ports 1 to 1024, opens them for localhost
iptables -A INPUT -p udp -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -p udp --dport 1:1024 -j DROP
iptables -A INPUT -p udp --dport 59229 -j DROP
# This rule is the heart of the Kurumin firewall:
# it blocks any connection not allowed above, which is exactly why it is the last one in the chain.
iptables -A INPUT -p tcp --syn -j DROP
/etc/skel-fix/firewall-msg
}
firewall_stop(){
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}
case "$1" in
"start")
firewall_start
;;
"stop")
firewall_stop
echo "O kurumin-firewall está sendo desativado"
sleep 2
echo "ok."
;;
"restart")
echo "O kurumin-firewall está sendo desativado"
sleep 1
echo "ok."
firewall_stop; firewall_start
;;
*)
iptables -L -n
esac
#================== END #=============
#========= COMPLETE CONFIGURATION OF squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 16 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 512 16 256
cache_access_log /var/log/squid/access.log
visible_hostname kurumin
ftp_user [email protected]
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
#============ FREE FOR ACCESS =======================================
acl livre dstdom_regex "/etc/squid/livre"
http_access allow livre
# BOSS EXCEPTION.... THIS OPENS EVERYTHING FOR THE BOSSES, EVEN MESSENGER AND OTHERS
acl rede src 192.168.1.0/24
acl especial src "/etc/squid/especial"
http_access deny rede !especial
# src 192.168.1.0/24 = my network, as an example; adjust it to yours
# /24 = netmask 255.255.255.0
# the "especial" acl frees the bosses; their IPs are inside the txt file at that path, which I created
#=================== TRANSPARENT PROXY
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#=== END
# I hope I've helped someone........ cheers folks
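The squid.conf above works through Squid's first-match http_access evaluation plus the implicit default that applies when no line matches (the opposite of the last line's action). The small model below, an added example and not the poster's configuration, walks a few constructed requests through the posted ACLs. It assumes sample contents for the two file-backed lists (a `\.example\.org$` pattern standing in for /etc/squid/livre and 192.168.1.10 standing in for /etc/squid/especial) and adds a hardened variant with an explicit `http_access allow especial` and a closing `http_access deny all`, neither of which is in the post.

```python
"""Model of Squid's http_access evaluation (first matching line wins; when no
line matches, the opposite of the last line's action applies), run over the
ACLs from the squid.conf posted above. Added example, not the poster's code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    src: str            # client IP address as seen by the proxy
    host: str           # destination hostname
    port: int           # destination port
    method: str = "GET"
    proto: str = "http"


# Constructed excerpt of the posted config: only the acl / http_access lines.
# The two file-backed lists (/etc/squid/livre and /etc/squid/especial) are
# replaced by inline sample values; the Safe_ports lines are merged into one.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777 901
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl livre dstdom_regex \\.example\\.org$    # assumed content of /etc/squid/livre
http_access allow livre
acl rede src 192.168.1.0/24
acl especial src 192.168.1.10               # assumed content of /etc/squid/especial
http_access deny rede !especial
"""

# Same rules plus an explicit allow for the bosses and a closing "deny all", so
# nothing depends on the implicit default (hardening suggestion, not in the post).
HARDENED_CONF = SQUID_CONF + "http_access allow especial\nhttp_access deny all\n"


def parse(conf):
    """Return ({acl_name: (type, [values])}, [(action, [terms])])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)  # same-name lines merge
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Evaluate one named ACL against the request (only the ACL types used above)."""
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdom_regex":
        return any(re.search(pattern, req.host) for pattern in values)
    if kind == "port":
        for v in values:                       # single port or "lo-hi" range
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method in values
    if kind == "proto":
        return req.proto in values
    raise ValueError(f"unsupported acl type: {kind}")


def decide(conf, req):
    """Return (decision, reason). A line matches when all of its terms match
    ('!' negates a term); the first matching line decides. If none matches,
    Squid applies the opposite of the last line's action."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    fallback = "deny" if rules[-1][0] == "allow" else "allow"
    return fallback, "implicit default (opposite of the last http_access line)"


def demo():
    """Decisions (original config, hardened config) for a few constructed requests."""
    requests = {
        "lan user, ordinary site": Request("192.168.1.50", "www.example.com", 80),
        "lan user, whitelisted site": Request("192.168.1.50", "www.example.org", 80),
        "boss, ordinary site": Request("192.168.1.10", "www.example.com", 80),
        "boss, CONNECT to a high port": Request("192.168.1.10", "im.example.com", 1863, "CONNECT"),
        "address outside the LAN": Request("10.0.0.5", "www.example.com", 80),
    }
    return {label: (decide(SQUID_CONF, r)[0], decide(HARDENED_CONF, r)[0])
            for label, r in requests.items()}


if __name__ == "__main__":
    for label, (original, hardened) in demo().items():
        print(f"{label:30} original={original:5} hardened={hardened}")
```

With the posted rules, the boss hosts get through only because no line matches them and the last line is a deny; an address outside 192.168.1.0/24 is allowed by the same implicit default, so the proxy depends on the iptables rule that admits port 3128 only from the LAN. The closing `deny all` in the hardened variant removes that dependency, while `deny CONNECT !SSL_ports` already stops CONNECT to a high port such as 1863 for everyone, bosses included.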