Pessoal,
possuo um RH 7.4 como firewall e estou querendo barrar kazaa.
Queria, através do iptables, barrar MSN e Kazaa. Tá difícil!
Tem um firewall com 3 placas de rede:
eth0=internet
eth1=rede interna(192.168...)
eth2=rede interna(10.0...)
um servidor de e-mail que recebe os email do firewall.
Gostaria que meu firewall continuasse redirecionando meus emails para meu serv de
e-mail (máquina interna) e os usuários só acessem internet pelo proxy (squid no
firewall) e com isso poderia bloquear tudo (kazaa, msn, sites...)
Agradeço a todos!
---- Vai no corpo do e-mail meu novo script, que não funciona direito, e eu já estou meio
confuso! ----
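#!/bin/sh
# Firewall init script: start|stop|restart|status.
# Gateway with three NICs as described in the post:
#   eth0 = Internet, eth1 = internal LAN (192.168.x), eth2 = internal LAN (10.x)
# Masquerades the internal network, redirects HTTP to a local Squid proxy and
# DNATs inbound POP3/SMTP to the internal mail server.
#
# The version pasted into the e-mail had several iptables invocations split
# across two lines by mail wrapping (they would fail with "unknown option");
# those are rejoined here. Also fixed: the "RELATE" state typo (iptables
# rejects it), the duplicated "-t nat", the bare "iptables" calls that bypass
# $IPTABLES, and flushing before deleting chains in "stop".

# iptables binary
IPTABLES=/sbin/iptables
#
# LAN VARIABLES
Any="0.0.0.0/0"
localhost="127.0.0.1/32"
network="192.168.1.0/24"
# Public address used by the mail DNAT rules. "200.a.b.c" is the placeholder
# from the original post; put the real eth0 address here.
mail_public_ip="200.a.b.c"
# Internal mail server that receives POP3/SMTP from the firewall.
mail_server="10.0.0.2"
clear
case "$1" in
start)
echo "Inicializando Firewall ........:"
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#
# FLUSH AND RESET CHAINS
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Syn-flood protection
echo "Enabling Syn-flood protection...............[OK]"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Turn on IP forwarding
echo "Enabling ip_forward.........................[OK]"
echo 1 > /proc/sys/net/ipv4/ip_forward
# NOTE(review): this is not a SYN-flood filter - it ACCEPTs up to 1 new TCP
# connection per second (plus burst) in FORWARD from ANY interface, including
# eth0 towards the DNATed mail server. Anything not matched here falls
# through to the rules below and ultimately to the DROP policy.
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Furtive port scanner: (rejoined from the wrapped e-mail line)
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of death: (rejoined from the wrapped e-mail line)
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Anti-spoofing (reverse path filter)
#
echo "Enable No Spoofing...........................[OK]"
#
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#
# Interface lo
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i eth2 -p icmp -j ACCEPT
#
# FORWARD / MASQUERADE
#
# NOTE(review): this rule accepts EVERYTHING from $network in FORWARD before
# any per-port rule, so the port-specific ACCEPTs further down never take
# effect and nothing from the LAN (Kazaa, MSN, ...) is actually blocked.
# To force clients through the proxy, this blanket ACCEPT has to go and only
# the needed ports/hosts should be accepted explicitly.
$IPTABLES -A FORWARD -s $network -j ACCEPT
# (rejoined from the wrapped e-mail line; "RELATE" corrected to "RELATED")
# NOTE(review): only $network (192.168.1.0/24) is masqueraded; hosts on the
# eth2 (10.x) network are neither forwarded nor NATed by these rules.
$IPTABLES -t nat -A POSTROUTING -s $network -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# FTP ACCESS
#
$IPTABLES -A INPUT -p TCP -m state --state RELATED -j ACCEPT
#
echo "FORWARD / MASQUAREDE ........................[OK]"
#
# RESTRICT CERTAIN IPS FOR WEB, POP, SMTP ACCESS
# (currently shadowed by the blanket "-s $network -j ACCEPT" above)
$IPTABLES -A FORWARD -s 192.168.1.89 -p tcp --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.89 -p tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.89 -p tcp --dport 80 -j ACCEPT
# Transparent proxy: send LAN HTTP to the local Squid (rejoined line).
# NOTE(review): "-i eth2 -s $network" can never match - per the post eth2
# carries the 10.x network, while $network is 192.168.1.0/24. Use the
# interface/network pair that actually belongs together (one rule per LAN).
$IPTABLES -t nat -A PREROUTING -i eth2 -s $network -p tcp --dport 80 -j REDIRECT --to-port 3128
# REDIRECT inbound POP3/SMTP (mail server) to the internal host.
# The forwarded connections must also be allowed in FORWARD explicitly;
# previously they only got through via the rate-limited SYN rule above.
$IPTABLES -t nat -A PREROUTING -p tcp -d $mail_public_ip --dport 110 -j DNAT --to $mail_server
$IPTABLES -t nat -A PREROUTING -p tcp -d $mail_public_ip --dport 25 -j DNAT --to $mail_server
$IPTABLES -A FORWARD -i eth0 -p tcp -d $mail_server --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -d $mail_server --dport 25 -j ACCEPT
#
echo "REDIRECT ....................................[OK]"
# BLOCK EVERYTHING ELSE arriving from the Internet on the firewall itself
# (INPUT policy is ACCEPT, so these two rules are what closes eth0).
#
$IPTABLES -A INPUT -i eth0 -p tcp --syn -j DROP
$IPTABLES -A INPUT -i eth0 ! -p tcp -j DROP
#
# EXECUTION
#
touch /var/lock/subsys/firewall
echo "."
;;
stop)
echo "Finalizando Firewall:"
echo "Finalizacao do Firewall......................[OK]"
# Flush before deleting chains: -X refuses non-empty user chains.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
rm -f /var/lock/subsys/firewall
;;
restart)
$0 stop
$0 start
;;
status)
$IPTABLES -L -n
$IPTABLES -t nat -L -n
;;
*)
echo "Use: $0 {start|stop|restart|status}"
exit 1
;;
esac
exit 0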