Squid Firewall

1. Squid Firewall

cesarnt
(usa Debian)

Enviado em 08/05/2017 - 21:12h

Boa noite, montei um firewall funciona tudo certinho mais quando implemento o squid ele para as maquinas nao tem acesso a internet. segue meu firewall

#!/bin/bash
case $1 in
start)
iptables -F
iptables -F -t nat
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#Ativa Roteamento
echo 1 > /proc/sys/net/ipv4/ip_forward

#Libera acesso internet
iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE

#rede interna
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT

#libera ping
iptables -A INPUT -p icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

#libera ping para o servidor

iptables -A OUTPUT -p icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

#libera samba interno

iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT

iptables -A OUTPUT -p udp --sport 137 -j ACCEPT
iptables -A OUTPUT -p udp --sport 138 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 139 -j ACCEPT

#prerouting

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 10.0.10.100

#acesso remoto rdp
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to 10.0.10.10

#libera acesso internet para rede interna

iptables -A FORWARD -s 10.0.10.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -d 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.10.0/24 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -d 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.10.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp --sport 443 -d 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -p ICMP -j ACCEPT

#emails

iptables -A FORWARD -s 10.0.10.0/24 -p udp --dport 587 -j ACCEPT
iptables -A FORWARD -p udp --sport 587 -d 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.10.0/24 -p udp --dport 110 -j ACCEPT
iptables -A FORWARD -p udp --sport 110 -d 10.0.10.0/24 -j ACCEPT

iptables -A FORWARD -p tcp --dport 80 -d 10.0.10.100 -j ACCEPT
iptables -A FORWARD -s 10.0.10.100 -p tcp --sport 80 -j ACCEPT

#acesso remoto rdp
iptables -A FORWARD -p tcp --dport 3389 -d 10.0.10.10 -j ACCEPT
iptables -A FORWARD -s 10.0.10.10 -p tcp --sport 3389 -j ACCEPT

# Regras de Forward squid
iptables -A FORWARD -s 10.0.10.0/24 -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3128 -d 10.0.10.0/24 -j ACCEPT

#ssh
#iptables -A OUTPUT -p tcp --sport 22 -d 10.0.10.2 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -s 10.0.10.2 -j ACCEPT

#servidor sendo acessado
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --sport 3128 -j ACCEPT

;;
stop)

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -F -t nat
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

;;
restart)
$0 stop
$0 start
;;
esac

0 0

Quote