A todos que me ajudaram, estou enviando um script que eu fiz com base nas ajudas e também em tutoriais...
Está funcionando blz.
Só queria saber o que falta nele para tornar minha rede mais segura contra acessos externos.
Obrigado,
Rafael.
Segue abaixo o script:
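#!/bin/sh
#
# Rafael Nery
# fev/2004
#
# Stateful packet filter / NAT gateway for a small LAN.
#
# Layout assumed from the original rules (confirm against the host):
#   LAN_IF  - interface facing the internal network (eth1)
#   WAN_IF  - PPP link to the provider (ppp0), masqueraded
#   LAN_NET - internal address block (192.168.1.0/24)
#   DNS1/2  - the provider's resolvers the LAN may query
#
# Policy: INPUT and FORWARD default to DROP. Only replies to connections we
# initiated (conntrack RELATED,ESTABLISHED) and the explicitly listed services
# are accepted. OUTPUT is left open.
#
# Must run as root, before the interfaces carry traffic. Re-running it is
# safe: all tables are flushed first.
##############################################################################

set -eu

IPT=/usr/sbin/iptables

LAN_IF=eth1
WAN_IF=ppp0
LAN_NET=192.168.1.0/24
DNS1=200.204.0.10
DNS2=200.204.0.138

##############################################################################
# Kernel modules (uncomment if they are not loaded automatically).
# ip_conntrack_ftp is what makes the FTP data channel show up as RELATED.
#
#/sbin/depmod -a
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
##############################################################################
# Flush: start from an empty ruleset so the result does not depend on
# whatever was loaded before.
"$IPT" -F
"$IPT" -Z
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X

# Default policies: deny everything that is not explicitly accepted below.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

# Enable routing between LAN and WAN.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Kernel-side hardening: discard packets whose source address would not be
# routed back out of the interface they arrived on (anti-spoofing), and do
# not answer pings sent to a broadcast address (smurf amplification).
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

##############################################################################
# INPUT: traffic addressed to the firewall itself
#
# Loopback is unrestricted; with a DROP policy, local daemons (squid, a
# resolver, ...) cannot talk to each other without this.
"$IPT" -A INPUT -i lo -j ACCEPT

# Replies to connections the firewall opened, plus related traffic such as
# ICMP errors or FTP data channels (when ip_conntrack_ftp is loaded).
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Anything arriving on the WAN link claiming a LAN source address is forged.
"$IPT" -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP

# Squid, reachable from the LAN only.
"$IPT" -A INPUT -p tcp -i "$LAN_IF" -s "$LAN_NET" --dport 3128 -j ACCEPT

# NOTE: the original script accepted any TCP arriving with --sport 80/443/20,
# any UDP with --sport 21, and UDP --sport 53 from the resolvers. A source
# port is chosen by the remote side, so a rule keyed on it lets a sender open
# a connection to any local port just by picking that source port. Those
# rules are intentionally omitted: replies to the firewall's own web, FTP and
# DNS requests are already matched by the RELATED,ESTABLISHED rule above.

# Rate-limited log of what the DROP policy is about to discard, so a probe
# is visible in syslog without a flood being able to fill the disk.
"$IPT" -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW INPUT DROP: "

##############################################################################
# FORWARD: traffic routed between LAN and WAN
#
# Drop packets that do not belong to any tracked connection, drop forged
# LAN sources coming from the WAN, then let established flows through.
"$IPT" -A FORWARD -m state --state INVALID -j DROP
"$IPT" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
"$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# DNS: LAN -> provider resolvers only (replies return via ESTABLISHED).
"$IPT" -A FORWARD -p udp -i "$LAN_IF" -s "$LAN_NET" -d "$DNS1" --dport 53 -j ACCEPT
"$IPT" -A FORWARD -p udp -i "$LAN_IF" -s "$LAN_NET" -d "$DNS2" --dport 53 -j ACCEPT

# Mail clients (Outlook): LAN -> external SMTP and POP3 servers.
"$IPT" -A FORWARD -p tcp -i "$LAN_IF" -s "$LAN_NET" --dport 25 -j ACCEPT
"$IPT" -A FORWARD -p tcp -i "$LAN_IF" -s "$LAN_NET" --dport 110 -j ACCEPT

# The original script also accepted any TCP with --sport 25/110 and UDP
# --sport 53 towards the LAN. As in INPUT these are spoofable and redundant
# with RELATED,ESTABLISHED, so they are intentionally omitted.

# Rate-limited log of forwarded traffic the DROP policy will discard.
"$IPT" -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FW FORWARD DROP: "

##############################################################################
# NAT: hide the LAN behind the WAN address.
"$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

# Keep disabled: accepting everything that arrives on the WAN link would
# expose every LAN host to the outside.
#"$IPT" -A FORWARD -i "$WAN_IF" -j ACCEPT
##############################################################################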
