Caros colegas,
estou aqui dinovo com mais um problema que h� tempos estamos tentando
resolver.
Estou enviando o nosso script de firewall, onde estamos tendo
dificuldades na libera��o de internet para a rede interna, e o outro
problema � que nosso servidor de e-mail n�o est� conseguindo fazer
relay em outros servidores de e-mail para que possam ser enviado e-
mails para fora da rede interna.
########################################################
S C R I P T
########################################################
#####################################################################
## INICIO SCRIPT GERADO INTERNAMENTE
#####################################################################
### FIREWALL
#!/bin/sh
### ATIVA E DESATIVA REGRAS ###
HR="S" # Habilitando Roteamento
HDF="S" # Habilitando Drop para FORWARD
HDI="S" # Habilitando Drop para INPUT
HDO="N" # Habilitando Drop para OUTPUT
### VARIAVEIS ###
REALNET=X.X.X.X/24 # IP valido na internet
LOCALNET=X.X.X.X/24 # Rede local
IPEF=X.X.X.X # IP Externo do Firewall
GI=X.X.X.X # IP gateway interno
GE=X.X.X.X # IP gateway Externo
DNSPE=X.X.X.X # IP DNS Primario Externo
DNSPI=X.X.X.X # IP DNS Primario Interno
DNSSE=X.X.X.X # IP DNS Secundario Externo
DNSSI=X.X.X.X # IP DNS Secundario Interno
EMAILE=X.X.X.X # IP EMAIL Externo
EMAILI=X.X.X.X # IP EMAIL Interno
RU=X.X.X.X # IP Nat da lan Unifenas
TVE=X.X.X.X # IP TV-CODER Externo
TVI=X.X.X.X # IP TV-CODER Interno
## Carregar Modulos ##
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo " enabling forwarding.."
## Habilitando Drop FORWARD ##
if [ "$HDF" = "S" ]; then
/sbin/iptables -P FORWARD DROP
fi
## Habilitando Drop INPUT ##
if [ "$HDI" = "S" ]; then
/sbin/iptables -P INPUT DROP
fi
## Habilitando Drop OUTPUT ##
if [ "$HDO" = "S" ]; then
/sbin/iptables -P OUTPUT DROP
fi
## Habilitando Roteamento ##
if [ "$HR" = "S" ]; then
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
fi
### Rede ###
# eth0
/sbin/ifconfig eth0 $IPEF netmask 255.255.255.192 up
/sbin/ifconfig eth0:0 $EMAILE netmask 255.255.255.192
/sbin/ifconfig eth0:1 $DNSSE netmask 255.255.255.192
/sbin/ifconfig eth0:2 $DNSPE netmask 255.255.255.192
/sbin/ifconfig eth0:3 $TVE netmask 255.255.255.192
/sbin/route add default gw $GE
/sbin/iptables -A FORWARD -j ACCEPT -i tap+
/sbin/iptables -A INPUT -i tun+ -j ACCEPT
/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
/sbin/iptables -A INPUT -i tap+ -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -j MASQUERADE -s $LOCALNET
############################## NAT ###################################
# TV-CODER
/sbin/iptables -t nat -I PREROUTING -d $TVE -p tcp --dport 80 -j DNAT --
to-destination $TVI:80
/sbin/iptables -t nat -I PREROUTING -d $TVE -p udp --dport 80 -j DNAT --
to-destination $TVI:80
/sbin/iptables -t nat -I PREROUTING -d $TVE -p tcp --dport 554 -j DNAT -
-to-destination $TVI:554
/sbin/iptables -t nat -I PREROUTING -d $TVE -p udp --dport 554 -j DNAT -
-to-destination $TVI:554
# HTTP
/sbin/iptables -t nat -I PREROUTING -d $DNSPE -p tcp --dport 80 -j
DNAT --to-destination $DNSPI:80
/sbin/iptables -t nat -I PREROUTING -d $DNSPE -p udp --dport 80 -j
DNAT --to-destination $DNSPI:80
# DNS
/sbin/iptables -t nat -I PREROUTING -d $DNSPE -p tcp --dport 53 -j
DNAT --to-destination $DNSPI:53
/sbin/iptables -t nat -I PREROUTING -d $DNSPE -p udp --dport 53 -j
DNAT --to-destination $DNSPI:53
# WEBMAIL
/sbin/iptables -t nat -I PREROUTING -d $EMAILE -p tcp --dport 80 -j
DNAT --to-destination $EMAILI:80
/sbin/iptables -t nat -I PREROUTING -d $EMAILE -p udp --dport 80 -j
DNAT --to-destination $EMAILI:80
# EMAIL
/sbin/iptables -t nat -I PREROUTING -s $RU -d $EMAILE -p tcp --dport
110 -j DNAT --to-destination $EMAILI:110
/sbin/iptables -t nat -I PREROUTING -s $RU -d $EMAILE -p udp --dport
110 -j DNAT --to-destination $EMAILI:110
/sbin/iptables -t nat -I PREROUTING -d $EMAILE -p tcp --dport 25 -j
DNAT --to-destination $EMAILI:25
/sbin/iptables -t nat -I PREROUTING -d $EMAILE -p udp --dport 25 -j
DNAT --to-destination $EMAILI:25
# DNS Secundario
/sbin/iptables -t nat -I PREROUTING -d $DNSSE -p tcp --dport 53 -j
DNAT --to-destination $DNSSI:53
/sbin/iptables -t nat -I PREROUTING -d $DNSSE -p udp --dport 53 -j
DNAT --to-destination $DNSSI:53
# Rede Interna
#/sbin/iptables -t nat -I PREROUTING -s $LOCALNET -p tcp --dport 80 -j
DNAT --to-destination $IPEF:80
#/sbin/iptables -t nat -I PREROUTING -s $LOCALNET -p udp --dport 80 -j
DNAT --to-destination $IPEF:80
########################################################################
####################################
/etc/vpn/vpn2/bridge.sh
########################################################################
#####################################
## Acrescentando os Acessos FORWARD ##
if [ "$HDF" = "S" ]; then
# Liberando Telnet no roteador
/sbin/iptables -A FORWARD -j ACCEPT -p tcp --sport 23 -s 1.1.0.10 -d $GE
/sbin/iptables -A FORWARD -j ACCEPT -p tcp --sport 23 -d 1.1.0.10 -s $GE
/sbin/iptables -A FORWARD -j ACCEPT -p tcp --sport 23 -s 1.1.0.11 -d $GE
/sbin/iptables -A FORWARD -j ACCEPT -p tcp --sport 23 -d 1.1.0.11 -s $GE
# HTTP Rede Interna
/sbin/iptables -A FORWARD -j ACCEPT -s $LOCALNET -d any/0 -p tcp --
dport 80
/sbin/iptables -A FORWARD -j ACCEPT -s any/0 -d $LOCALNET -p tcp --
sport 80
# HTTP Rede Externa
/sbin/iptables -A FORWARD -j ACCEPT -d $DNSPI -s any/0 -p tcp --dport 80
/sbin/iptables -A FORWARD -j ACCEPT -d any/0 -s $DNSPI -p tcp --sport 80
# DNS
/sbin/iptables -A FORWARD -j ACCEPT -d $DNSPI -s any/0 -p udp --dport 53
/sbin/iptables -A FORWARD -j ACCEPT -d any/0 -s $DNSPI -p udp --sport 53
# WEBMAIL
/sbin/iptables -A FORWARD -j ACCEPT -d $EMAILI -s any/0 -p tcp --dport
80
/sbin/iptables -A FORWARD -j ACCEPT -d any/0 -s $EMAILI -p tcp --sport
80
# E-MAIL
/sbin/iptables -A FORWARD -j ACCEPT -d $EMAILI -p tcp --dport 25
/sbin/iptables -A FORWARD -j ACCEPT -s $EMAILI -p tcp --sport 25
# DNS Secundario
/sbin/iptables -A FORWARD -j ACCEPT -d $DNSSI -s any/0 -p udp --dport 53
/sbin/iptables -A FORWARD -j ACCEPT -d any/0 -s $DNSSI -p udp --sport 53
fi
########################################################################
##########################################
## Acrecestando os Acessos INPUT ##
if [ "$HDI" = "S" ]; then
# SERVICO SSH
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 22 -s 1.1.0.10
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 22 -s 1.1.0.10
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 22 -s 1.1.0.11
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 22 -s 1.1.0.11
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 22 -s 1.1.0.13
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 22 -s 1.1.0.13
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 22 -s 1.1.0.15
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 22 -s 1.1.0.15
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 22 -s 1.1.0.17
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 22 -s 1.1.0.17
# Telnet no Roteador
/sbin/iptables -A INPUT -j ACCEPT -p tcp --sport 23 -s $IPEF -d $GE
/sbin/iptables -A INPUT -j ACCEPT -p tcp --sport 23 -d $IPEF -s $GE
# VPN
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 5000
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 5001
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 5002
# FTP no DNS Primary
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 21 -s 1.1.0.2 -d $GI
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 20 -s 1.1.0.2 -d $GI
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 113 -s 1.1.0.2 -d $GI
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 1024:65535 -s 1.1.0.2 -
d $GI
# EMAIL from UNIFENAS
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 25 -s any/0
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 25 -s any/0
# Webmin
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 10000 -s 1.1.0.11
/sbin/iptables -A INPUT -j ACCEPT -p udp --dport 10000 -s 1.1.0.11
# LIBERAR REDE INTERNA PARA PING
/sbin/iptables -A INPUT -j ACCEPT -i br0 -p icmp --icmp-type 0 -s
$LOCALNET -d $GI -m limit --limit 1/s
/sbin/iptables -A INPUT -j ACCEPT -i br0 -p icmp --icmp-type 8 -s
$LOCALNET -d $GI -m limit --limit 1/s
fi
#######################################################################
####### FIM DA CONFIGURACAO DO FIREWALL ## #######
#######################################################################
########################################################
F I M D O S C R I P T
########################################################
Grato,
+-------------------------------+
Ac�cio Amorelli Martins
(35) 8812-4181
(35) 3299-3521
(35) 3299-3520
Assessoria de Inform�tica HUAV
+-------------------------------+
---------------------------------------------------------------------------
Esta lista � patrocinada pela Conectiva S.A. Visite http://www.conectiva.com.br
Arquivo: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
Regras de utiliza��o da lista: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html
