Prezados colegas, Quando levanto esse script de firewall meus clientes do POP3 (qmail) param de baixar msgs
SCRIPT: #!/bin/bash ######################################################################## ################################# ##### FIREWALL PROJETADO POR RODRIGO FORTES PARA ATENDER A APOLO TUBOS E EQUIPAMENTOS . 15/10/2003 ###### ######################################################################## ################################# # Variaveis PAVUNA="172.16.24.0/255.255.255.0" LORENA="172.16.22.0/255.255.255.0" SAMPA="172.16.23.0/255.255.255.0" SERVERLOGIX="172.16.24.1" KASPAROV="172.16.24.3" KARPOV="172.16.24.4" ALEKHINE="172.16.22.2" CAPABLANCA="172.16.23.2" ############################## ####### ROTAS E M�DULOS ###### ############################## # service network restart #Habilita Kernel para fazer roteamento echo 0 > /proc/sys/net/ipv4/ip_forward # Adiciona Rotas para as redes de Lorena e Sao Paulo e Default Gateway route add default gw 200.176.124.209 #Default Gateway route add -net 172.16.23.0 netmask 255.255.255.0 gw 172.16.24.11 #Sampa route add -net 172.16.22.0 netmask 255.255.255.0 gw 172.16.24.11 #Lorena # Carrega modulos escenciais modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ip_queue modprobe ip_tables modprobe ipt_LOG modprobe ipt_MARK modprobe ipt_MASQUERADE modprobe ipt_MIRROR modprobe ipt_REDIRECT modprobe ipt_REJECT modprobe ipt_TCPMSS modprobe ipt_TOS modprobe ipt_limit modprobe ipt_mac modprobe ipt_mark modprobe ipt_multiport modprobe ipt_owner modprobe ipt_state modprobe ipt_tcpmss modprobe ipt_tos modprobe ipt_unclean modprobe iptable_filter modprobe iptable_mangle modprobe iptable_nat ############################## ######### POL�TICAS ########## ############################## iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -t nat -F iptables -t mangle -F ############################## ########### INPUT ############ ############################## # Define politica da cadeia iptables -P INPUT DROP #iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT " # Libera interface de loopback iptables -A INPUT -s 127.0.0.1 -j ACCEPT # Libera NTP iptables -A INPUT -s 200.20.186.93 -p udp --sport 123 -j ACCEPT # Permite a entrada as nossas ligacoes iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT # Abre acesso ao servidor SSH iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Abre acesso ao HTTP iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Abre acesso ao HTTPS iptables -A INPUT -p tcp --dport 443 -j ACCEPT # Abre acesso ao LDAP iptables -A INPUT -s $KARPOV -p tcp --dport 389 -j ACCEPT iptables -A INPUT -s $KASPAROV -p tcp --dport 389 -j ACCEPT iptables -A INPUT -s $ALEKHINE -p tcp --dport 389 -j ACCEPT iptables -A INPUT -s $CAPABLANCA -p tcp --dport 389 -j ACCEPT # Abre acesso ao SMTP iptables -A INPUT -p tcp --dport 25 -j ACCEPT # Abre acesso ao NFS iptables -A INPUT -p tcp -i eth1 --sport 2049 -j ACCEPT # Abre acesso ao IMAP iptables -A INPUT -p tcp --dport 143 -j ACCEPT # Abre acesso ao POP3 iptables -A INPUT -p tcp --dport 110 -j ACCEPT iptables -A INPUT -p udp --dport 110 -j ACCEPT # Abre acesso ao TOMCAT iptables -A INPUT -p tcp --dport 8080 -j ACCEPT # Abre acesso ao servidor de nomes iptables -A INPUT -p tcp --dport 53 -j ACCEPT iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 953 -j ACCEPT iptables -A INPUT -p udp --dport 953 -j ACCEPT # Abre acesso a porta do Webmin iptables -A INPUT -p tcp --dport 10000 -j ACCEPT # Filtro de "syn" FLOOD #iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT # Libera ping com filtro de FLOOD #iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT #iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT #iptables -A INPUT -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT #iptables -A INPUT -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT # Protecao contra port scanners suspeitos #iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT # Bloquear Multicast #iptables -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP #iptables -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP # Prote��o contra pacotes danificados ou suspeitos. #iptables -A FORWARD -m unclean -j DROP ############################## ########## FORWARD ########### ############################## #iptables -P FORWARD DROP ############################## ###### OUTPUT / MANGLE ####### ############################## # Acelerando a conexao com reducao de DELAY #iptables -A OUTPUT -p tcp -d 0/0 --dport 80 -t 0x01 0x10 #iptables -A OUTPUT -p tcp -d 0/0 --dport 22 -t 0x01 0x10 #iptables -A OUTPUT -p tcp -d 0/0 --dport 21 -t 0x01 0x10 #iptables -A OUTPUT -p tcp -d 0/0 --dport 110 -t 0x01 0x10 #iptables -A OUTPUT -p tcp -d 0/0 --dport 25 -t 0x01 0x10 #iptables -A OUTPUT -p tcp -d 0/0 --dport 10000 -t 0x01 0x10 iptables -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp --dport 8080 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp --dport 10000 -j TOS --set-tos Minimize-Delay ############################## ### LISTANDO ROTA E REGRAS ### ############################## # Exibe atuais regras route -n|tee firewall.txt iptables -nL|tee firewall.txt iptables -t nat -nL|tee firewall.txt iptables -t mangle -nL|tee firewall.txt cat /root/firewall.txt|mail -s "Regras do FireWall" [EMAIL PROTECTED] rm -rf /root/firewall.txt --------------------------------------------------------------------------- Esta lista � patrocinada pela Conectiva S.A. Visite http://www.conectiva.com.br Arquivo: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br Regras de utiliza��o da lista: http://linux-br.conectiva.com.br FAQ: http://www.zago.eti.br/menu.html
