johnnyb
(usa Fedora)
Enviado em 16/07/2012 - 13:03h
amigo pegue o dhcp que te postei e altere para 192.168.2.1
e deixe o dhcp escutar apenas a interface local
E SEGUE UM MODELO DE FIREWALL PARA VC ALTERAR QUALQUER COISA POSTE AI BLZ
lembrando que em1 e nome da placa local
eth0 nome da placa externa
192.168.3.0/24 esse e meu range de ip troque pelo seu blz
#!/bin/bash
echo "Iniciando Firewall....................................[ OK ]"
### Limpando as regras ###
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -F -t nat
echo "Limpando as regras ...................................[ OK ]"
# Ativando os modulos
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
echo "Carregando os modulos ................................[ OK ]"
### Compartilhando a conexao ###
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i em1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "teste.................................................[ OK ]"
### Bloqueio porta 135 ###
iptables -I INPUT -p tcp --sport 135 -j DROP
iptables -I INPUT -p udp --sport 135 -j DROP
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I INPUT -p udp --dport 135 -j DROP
echo "135...................................................[ OK ]"
### Aceita Ping ###
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
echo "PING..................................................[ OK ]"
### Habilitando ssh e ftp ###
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 21 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 22 -d 0/0 -j ACCEPT
echo "ssh...................................................[ OK ]"
### Portas De Serviço ###
iptables -A INPUT -p tcp -m multiport -p tcp --dports 25,53,80,110,143,443,465,783,993,995,3306 -j ACCEPT
iptables -A INPUT -p tcp -m multiport -p udp --dports 25,53,80,110,143,443,465,783,993,995,3306 -j ACCEPT
echo "email.................................................[ OK ]"
### Proibir Navegação externa pelo servidor proxy ###
iptables -t filter -A INPUT -i eth0 -p tcp --dport 3128 -j DROP
echo "squid.................................................[ OK ]"
### Especificando a Conexao entre as Interfaces ###
iptables -t filter -A FORWARD -s 192.168.3.0/24 -i em1 -o eth0 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.3.0/24 -i eth0 -o em1 -j ACCEPT
echo "filter................................................[ OK ]"
### LIBERACAO INICIAL DE PORTAS ###
### Gmail 465,955; RECEITANET 3456 ; CONECTIVIDADE SOCIAL 2631; Serasa 3007, DATASUS 5582 ###
iptables -t nat -A POSTROUTING -o eth0 -m multiport -p tcp --dports 20,21,22,25,53,110,465,995 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -m multiport -p tcp --dports 1479,2083,2631,3007,3456,5582 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -m multiport -p udp --dports 20,21,53,443,5582 -j MASQUERADE
echo "liberando portas......................................[ OK ]"
### ESPECIAL CONECTIVIDADE ###
iptables -t nat -A PREROUTING -i em1 -d 200.201.174.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i em1 -d 200.201.174.0/24 -j ACCEPT
echo "especial..............................................[ OK ]"