massaotoda
(usa CentOS)
Enviado em 04/06/2010 - 13:47h
Estou montando um firewall com squid, porém não está navegando, estou passando o script abaixo para ver se alguem em ajuda:
#!/bin/bash
echo
echo " Iniciando o FIREWALL"
echo
sleep 0.2
echo " Definindo variaveis"
IPTABLES="/sbin/iptables"
INT_IF="eth1"
EXT_IF="eth0"
INT_IP="192.168.0.254"
EXT_IP="192.168.1.250"
INT_REDE="192.168.0.0/24"
EXT_REDE="192.168.1.0/24"
INT_BCAST="192.168.0.255"
echo " Variaveis Setadas"
echo " - Interface INT ($INT_IF): $INT_IP"
echo " - Interface EXT ($EXT_IF): $EXT_IP"
echo " - Rede INT ($INT_IF): $INT_REDE"
echo " - Rede EXT ($EXT_IF): $EXT_REDE"
echo " - Broadcast INT ($INT_IF): $INT_BCAST"
echo " Setando Hosts"
#HOME1="192.168.3.1"
#HOME2="192.168.3.6"
#MAIL="192.168.10.2"
#ALEX="192.168.10.1"
echo " Habilitando o forward entre as interfaces"
sleep 0.2
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Carregando os modulos necessarios"
sleep 0.2
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ipt_multiport
/sbin/modprobe iptable_nat
echo " Limpando as regras da tabela nat"
sleep 0.2
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IPTABLES -Z
$IPTABLES -Z -t nat
$IPTABLES -Z -t mangle
echo " Definindo as polices"
sleep 0.2
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
echo " Permitindo conexoes loopback"
sleep 0.2
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -s $EXT_IP -j ACCEPT
$IPTABLES -A INPUT -s $INT_IP -j ACCEPT
echo " Permitindo acesso da internet para o firewall"
sleep 0.2
#$IPTABLES -A INPUT -s $HOME1 -d $EXT_IP -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -s $HOME2 -d $EXT_IP -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -d $EXT_IP -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -d $EXT_IP -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -d $EXT_IP -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -d $EXT_IP -p tcp --dport 443 -j ACCEPT
echo " Permitindo acesso da rede interna para o firewall"
sleep 0.2
#$IPTABLES -A INPUT -d $INT_IP -m mac --mac-source 00:40:F4:4F:17:15 -j ACCEPT
$IPTABLES -A INPUT -d $INT_IP -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -d $INT_IP -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -d $INT_IP -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -d $INT_IP -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -d $INT_IP -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -d $INT_IP -p tcp --dport 3128 -j ACCEPT
echo " Permitindo acesso da rede interna para internet"
sleep 0.2
$IPTABLES -A FORWARD -s $INT_REDE -p icmp -j ACCEPT
$IPTABLES -A FORWARD -s $INT_REDE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s $INT_REDE -p udp --dport 53 -j ACCEPT
echo " Habilitando statefull"
sleep 0.2
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Habilitando o masquerade"
sleep 0.2
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE
echo " Permitindo acesso da internet para a rede interna"
sleep 0.2
#$IPTABLES -A FORWARD -d $MAIL -p tcp --dport 3389 -j ACCEPT
#$IPTABLES -A FORWARD -d $MAIL -p tcp --dport 25 -j ACCEPT
#$IPTABLES -A FORWARD -d $ALEX -p tcp --dport 22 -j ACCEPT
echo " Redirecionando portas do Firewall para Servidores da rede interna"
sleep 0.2
#$IPTABLES -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 3389 -j DNAT --to $MAIL
#$IPTABLES -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 25 -j DNAT --to $MAIL
#$IPTABLES -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5000 -j DNAT --to $ALEX:22
echo " Protecao contra ping da porte"
sleep 0.2
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#echo " Gerando Logs"
sleep 0.2
$IPTABLES -A INPUT -d $INT_IP -j LOG
$IPTABLES -A INPUT -d $EXT_IP -j LOG
$IPTABLES -A FORWARD -s $INT_REDE -j LOG
$IPTABLES -A FORWARD -d $INT_REDE -j LOG
echo " Habilitando proxy transparente"
sleep 0.2
# Para SQUID Local
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
# Para SQUID em outra Maquina
#$IPTABLES -t nat -A PREROUTING -s $INT_REDE -p tcp --dport 80 -j DNAT --to-destination 192.168.0.254:3128