thiagocoimbra23
(usa Debian)
Enviado em 24/11/2010 - 12:21h
boa tarde Arlindo, verifiquei seu firewall: estava faltando alguns bloqueios na cadeia FORWARD; apenas alterei a parte que bloqueia o MSN e estou colocando seu script de firewall abaixo, já alterado. Por gentileza, testar e depois responder se funcionou. Desde já agradeço, fique com DEUS.
#!/bin/sh
# iptables init script for a small LAN gateway: masquerading, transparent
# proxy redirect and a handful of host services. Invoked as
# "firewall start|stop|restart".
PATH="/sbin:/bin:/usr/sbin:/usr/bin"
IPTABLES="/sbin/iptables"
PROGRAMA="/etc/init.d/firewall"
# Host referenced by the TCP 5017 rules in the "start" action.
CAT="cafe.dataprev.gov.br"
# Load the netfilter modules the rules depend on, in the same order as before.
# Load failures are not checked (the script does not run under set -e); a
# missing module only shows up later as an iptables error.
for modulo in \
  ip_tables iptable_nat ip_conntrack ip_conntrack_ftp ip_nat_ftp \
  ipt_LOG ipt_REJECT ipt_MASQUERADE ipt_state ipt_multiport \
  iptable_mangle ipt_tos ipt_limit ipt_mark ipt_MARK; do
  /sbin/modprobe "$modulo"
done
#/sbin/modprobe ipt_layer7    # layer7 match: disabled
WAN="eth0"
LAN="eth1"
REDE_INTERNA="192.168.0.0/255.255.255.0"
#REDE_EXTERNA="192.168.254.27/255.255.255.0"    # unused; kept from the original
HOSTNAME="ecofibra"
case "$1" in
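start)
  echo 'iniciando firewall... '
  # Flush filter and nat. mangle is not touched and chains are not deleted
  # (-X); both were commented out in the original and are left that way.
  $IPTABLES -F
  $IPTABLES -t nat -F
  # Routing between $LAN and $WAN.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  #### NAT ####
  # Internal network leaves through $WAN masqueraded.
  $IPTABLES -t nat -A POSTROUTING -o $WAN -s $REDE_INTERNA -j MASQUERADE
  # Transparent proxy: HTTP from the LAN goes to the local proxy on 3128.
  $IPTABLES -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
  # TCP 5017 from the internal network to anywhere except $CAT is also handed
  # to the proxy. The original line was not a valid invocation ("-nat",
  # "-d !$CAT" without a space, no "-j" before REDIRECT) so it never loaded;
  # this is the rule it was evidently meant to be. NOTE(review): $CAT is a
  # hostname and iptables resolves it when the rule is loaded -- with no DNS
  # at boot this rule and the two 5017 FORWARD rules are simply not installed.
  # Very old iptables (before ~1.4.3) only accept the "-d ! host" spelling.
  $IPTABLES -t nat -A PREROUTING -s $REDE_INTERNA ! -d $CAT -p tcp --dport 5017 -j REDIRECT --to-port 3128
  #msn-proxy (disabled)
  ###$IPTABLES -t nat -I PREROUTING -i $LAN -p tcp --dport 1863 -j REDIRECT --to 1863
  # WTS: RDP arriving on $WAN is forwarded to the terminal server.
  $IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 3389 -j DNAT --to 192.168.0.1

  #### CHAIN INPUT ####
  $IPTABLES -P INPUT DROP
  # Loopback first (the original inserted it at the top with -I, at the end).
  $IPTABLES -A INPUT -i lo -j ACCEPT
  # Everything from the internal network arriving on $LAN. The original also
  # carried two interface-less copies of this rule (-s 192.168.0.0/24 on any
  # interface); those would match packets on $WAN carrying a forged internal
  # source address, so they are folded into this interface-bound rule.
  $IPTABLES -A INPUT -p ALL -s $REDE_INTERNA -i $LAN -j ACCEPT
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Services offered by the gateway itself. NOTE(review): the rules without
  # "-i $LAN" (10000, 80, 3306, 22) are reachable from $WAN as well -- confirm
  # that is intended, 3306 in particular.
  $IPTABLES -A INPUT -p tcp --dport 10000 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
  $IPTABLES -A INPUT -p tcp -i $LAN --dport 3128 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
  $IPTABLES -A INPUT -p udp -i $LAN --dport 53 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
  ###$IPTABLES -A INPUT -p tcp $LAN 110 -j ACCEPT

  ###### CHAIN FORWARD #####
  # Default ACCEPT: only what is explicitly rejected below is blocked. A DROP
  # default with explicit allows would be the safer shape, but that is a
  # policy decision for the owner, not a fix.
  $IPTABLES -P FORWARD ACCEPT
  # $CAT on TCP 5017, both directions.
  $IPTABLES -A FORWARD -s $REDE_INTERNA -p tcp -d $CAT --dport 5017 -j ACCEPT
  $IPTABLES -A FORWARD -s $CAT -p tcp -d $REDE_INTERNA --dport 5017 -j ACCEPT
  # MSN blocks. They MUST precede the generic LAN->WAN ACCEPT further down:
  # the original appended them after a rule inserted at the top of the chain,
  # so they could never match. The original also wrote "$iptables" (unset in
  # this script; the variable is $IPTABLES), so the lines failed with
  # "command not found", and used 198.164.0.0/24 -- presumably a typo for
  # 192.168.0.0/24, the network defined at the top of the file.
  # NOTE(review): the hostname-based rules only cover the addresses those
  # names resolve to at load time.
  $IPTABLES -A FORWARD -s $REDE_INTERNA -p tcp --dport 1863 -j REJECT
  $IPTABLES -A FORWARD -s $REDE_INTERNA -d loginnet.passport.com -j REJECT
  $IPTABLES -A FORWARD -s $REDE_INTERNA -d messenger.hotmail.com -j REJECT
  $IPTABLES -A FORWARD -s $REDE_INTERNA -d webmessenger.msn.com -j REJECT
  # SOCKS (1080) for everyone. The original's second, source-restricted 1080
  # rule sat behind this one and was unreachable; it is dropped.
  $IPTABLES -A FORWARD -p tcp --dport 1080 -j DROP
  # Generic LAN -> WAN and return traffic.
  $IPTABLES -A FORWARD -i $LAN -o $WAN -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  #### CHAIN OUTPUT ####
  #$IPTABLES -P OUTPUT DROP
  #$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Local process traffic (OUTPUT keeps its default policy; the chain was just
  # flushed, so -A and the original -I are equivalent here).
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  echo "OK...FIREWALL HABILITADO !"
  ;;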
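stop)
  # Flush the filter table once (the original ran -F twice) and open the
  # default policies. NOTE(review): the nat table is left alone, as in the
  # original (the line is commented out below), so the MASQUERADE, REDIRECT
  # and DNAT rules from "start" survive a "stop"; "start" re-flushes nat.
  $IPTABLES -F
  #$IPTABLES -t mangle -F
  #$IPTABLES -t nat -F
  #$IPTABLES -X
  #$IPTABLES -Z
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  echo 'Firewall Desabilitado - Politica padrao setada para ACCEPT'
  ;;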
restart)
  # Re-run this init script: tear the rules down, then bring them back up.
  for acao in stop start; do
    $PROGRAMA "$acao"
  done
  ;;
*)
echo 'Use: $N {start|stop|restart}' >&2
echo -e '{TEXTO}33[01;31mATENO'; tput sgr0
echo 'PARAMETROS INCORRETOS! O Firewall sera reativado...aguarde !'