luiz_ubuntu
(usa Ubuntu)
Enviado em 11/09/2012 - 11:47h
meu script esta assim olhe ai e me da uma ajudinha pq quando quero navega tenho que colocar proxy
#/bin/sh
#
# Limpa as regras do IPTABLES
/sbin/iptables -X
/sbin/iptables -F
/sbin/iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
#==========================PROTECOES=============================
#Contra pactoes danificados ou suspeitos
#/sbin/iptables -A FORWARD -m unclean -j DROP
#Contra Ping
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
#Contra Ping da Morte
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Contra ataque SMURF
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
#Contra Ataques SYN-FLOOD
/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
#Contra Scanners avancados (namp)
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_conntrack
modprobe ip_nat_tftp
modprobe ip_nat_snmp_basic
modprobe ip_gre
modprobe ipt_state
# Liberando Porta 110 (pop-3)
/sbin/iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
# Liberando Porta 995 (spop-3)
/sbin/iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
# Liberando Porta 993 (imaps)
/sbin/iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
# Liberando Porta 25 (smtp)
/sbin/iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
# Liberando Porta 465 (smtp-s)
/sbin/iptables -A FORWARD -p tcp --dport 465 -j ACCEPT
# Liberando Porta 587 (submission para o Gmail)
/sbin/iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
#redireciona 8080 para 80
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 8080 -j REDIRECT --to 80
# Redirecionamento squid
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
## Bloqueios rede msn
# Esta regra bloqueia qualquer host da rede conectar no MSN pela porta 1863
/sbin/iptables -A FORWARD -i eth0 -p tcp --dport 1863 -j REJECT
/sbin/iptables -A FORWARD -i eth0 -d loginnet.passport.com -j REJECT
# Bloqueia https
#/sbin/iptables -A FORWARD -s 192.168.0.11 -p tcp --dport 443 -j DROP
#/sbin/iptables -A FORWARD -s 192.168.0.24 -p tcp --dport 443 -j DROP
#/sbin/iptables -A FORWARD -s 192.168.0.28 -p tcp --dport 443 -j DROP
#/sbin/iptables -A FORWARD -s 192.168.0.35 -p tcp --dport 443 -j DROP
# Esta regra bloqueia qualquer host da rede na porta https para ao conectar no Facebook.
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 74.119.76.0/22 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 69.171.255.0/24 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 69.171.240.0/20 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 69.171.239.0/24 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 69.171.224.0/20 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 31.13.76.0/24 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 31.13.69.0/24 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 31.13.64.0/19 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 31.13.24.0/21 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 204.15.20.0/22 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 173.252.70.0/24 --dport 443 -j DROP
#/sbin/iptables -A FORWARD -i eth0 -m tcp -p tcp -d 173.252.64.0/19 --dport 443 -j DROP
/sbin/iptables -N FACEBOOK
/sbin/iptables -I FORWARD -i eth1 -j FACEBOOK
for i in `cat /etc/squid3/regras/ipfacebook`;do
/sbin/iptables -A FACEBOOK -d $i -j REJECT
done
#Libera porta 6556 monitoramento nagios
#/sbin/iptables -A INPUT -p tcp --dport 6556 -j ACCEPT
#/sbin/iptables -A INPUT -p udp --dport 6556 -j ACCEPT
#Libera porta 80
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 80 -j ACCEPT
#Libera porta 3000 Ntop
/sbin/iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 3000 -j ACCEPT
#Libera porta 3306
#/sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
#/sbin/iptables -A INPUT -p udp --dport 3306 -j ACCEPT
#Redirciona a porta externa 3306 para servidor interno mysql na mesma porta
#/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3306 -j DNAT --to 192.168.0.253
#Redirecionamentos externos
# FTP
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 20 -j DNAT --to 192.168.0.205
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.205
#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2223 -j DNAT --to 192.168.0.253:22
# Habilitando o NAT - compartilhamento de internet
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
o que tem errado ai
abraço