Perguntas & Respostas

FIREWALL / SQUID

Estou com a seguinte dificuldade ..

1° Tenho a empressão que meu Firewall não está funcionando.
Só funciona algumas regras quando digito direto no prompt.
Uso proxy transparente e quando entro no orkut no horario do almoço que está liberado no Squid ...elel não abre a tela de login.
Segue abaixo o firewall e sua localização.

/etc/init.d/firewall


#!/bin/bash
#/etc/init.d/firewall
#update-rc.d: 2345 90 10
#description: firewall
#f [ ${NETWORKING} 'no' ]

# IPTABLES = "/sbin/ip6tables"
# prog=firewall
start)

#Definindo parâmetors iniciais
INTERFACE_EXT="eth0"
IP_INTERFACE_EXT="192.168.0.0"
IP_REDE_EXT="192.168.0.215"
MASCARA_EXT="255.255.255.0"
$IPTABLES -F
$IPTABLES -F -t -nat
$IPTABLES -F -t mangle
#MASCARAMENTO DE IP
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT -to 192.168.0.215
#spoofing
$IPTABLES -A INPUT -s 127.0.0.0/8 -d 0.0.0.0/0 -i $INTERFACE_EXT -j DROP
# iptables -A INPUT -p tcp --dport 5656 -j ACCEPT
#Habilita proxy transparente
# $IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -dport 80 -j REDIRECT -to-port 3128
   




################# PORTAS DAS CAMERAS #####################################

$iptables -t nat -A PREROUTING -p tcp -d 192.168.1.12 --dport 80 -j DNAT --to-destination 192.168.0.10:80
$iptables -t nat -A PREROUTING -p tcp -d 192.168.1.12    --dport 4550 -j DNAT --to-destination 192.168.0.10:4550
$iptables -t nat -A PREROUTING -p tcp -d 192.168.1.12 --dport 5550 -j DNAT --to-destination 192.168.0.10:5550

# $iptables -t nat -A POSTROUTING -d 192.168.0.10 -s 0/0 -p tcp --dport 90 -j SNAT --to 192.168.0.10
# $iptables -t nat -A POSTROUTING -d 192.168.0.10 -s 0/0 -p tcp --dport 4550 -j SNAT --to 192.168.0.10
# $iptables -t nat -A POSTROUTING -d 192.168.0.10 -s 0/0 -p tcp --dport 5550 -j SNAT --to 192.168.0.10

######################## FIM PORTAS CAMERAS ##################################

#Permite telnet
# $IPTABLES -A INPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -dport 23 -i $INTERFACE_EXT -j ACCEPT
#Permite conexões TCP de saída
$IPTABLES -A OUTPUT -p tcp -o $INTERFACE_EXT -j ACCEPT
$IPTABLES -A INPUT -p tcp ! -syn -i $INTERFACE_EXT -j ACCEPT
#dns UDP
$IPTABLES -A OUTPUT -p udp -s 0.0.0.0/0 -dport 53 -o $INTERFACE_EXT -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0.0.0.0/0 -dport 53 -i $INTERFACE_EXT -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 0.0.0.0/0 -dport 53 -o $INTERFACE_EXT -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0.0.0.0/0 -dport 53 -i $INTERFACE_EXT -j ACCEPT
#permite conexões ssh,www,smtp,ftp,news,tcp de entrada
$IPTABLES -A INPUT -p tcp -s 0.0.0./0 -d 0.0.0.0/0 --dport 23 -i $INTERFACE_EXT -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0.0.0.0/0 -d $IP_INTERFACE_EXT -dport 22 -i $INTERFACE_EXT -j ACCEPT
$IPTABLES -A INPUT -p tcp -d 0.0.0.0/0 -dport 80 -i $INTERFACE_EXT -j ACCEPT
$IPTABLES -A INPUT -p tcp -d 0.0.0.0/0 -dport 25 -i $INTERFACE_EXT -j ACCEPT
$IPTABLES -A INPUT -d 0.0.0.0/0 -dport 21 -i $INTERFACE_EXT -j ACCEPT
$IPTABELS -A INPUT -p tcp -d 0.0.0.0/0 -dport 110 -i $INTERFACE_EXT -j ACCEPT

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -L
$IPTALBES -L -t nat
$IPTABLES -L -t mangle

# /usr/sbin/brctl addbr br0

# Add the Ethernet interface to use with the bridge
# /usr/sbin/brctl addif br0 eth0
# /usr/sbin/brctl addif br0 eth1
#/usr/sbin/brctl addif bro eth2

# Start up the Ethernet interface
/sbin/ifconfig eth0 192.168.0.0
/sbin/ifconfig eth1 192.168.0.3
# /sbin/ifconfig eth2 192.168.0.1

# Configure the bridge ethernet
# The bridge will be correct and invisible ( transparent firewall ).
# It's hidden in a traceroute and you keep your real gateway on the
# other computers. Now if you want you can config a gateway on your
# bridge and choose it as your new gateway for the other computers.

# /sbin/ifconfig br0 10.1.1.4 netmask 255.0.0.0 broadcast 127.0.0.0

# I have added this internal IP to create my NAT
# ip addr add 10.1.1.4/210 dev br0
/sbin/route add default gw 192.168.0.1 iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Some funny rules but not in a classic Iptables sorry ...
# Limit ICMP
# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
# Match string, a good simple method to block some VIRUS very quickly
# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"

# Block all MySQL connection just to be sure
# iptables -A FORWARD -p tcp -s 0/0 -d 192.168.0.0/24 --dport 3306 -j DROP

# Linux Mail Server Rules

# Allow FTP-DATA ( 20 ) , FTP ( 21 ) , SSH ( 22 )
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 192.168.0.0/24 --dport 20:22 -j ACCEPT

# Allow the Mail Server to connect to the outside
# Note: This is *not* needed for the previous connections
# (remember: stateful filtering) and could be removed.
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 -j ACCEPT

# WWW Server Rules

# Allow HTTP ( 80 ) connections with the WWW server
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 192.168.0.0/24 --dport 80 -j ACCEPT

# Allow HTTPS ( 443 ) connections with the WWW server
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 192.168.0.0/24 --dport 443 -j ACCEPT

# Allow the WWW server to go out
# Note: This is *not* needed for the previous connections
# (remember: stateful filtering) and could be removed.
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 -j ACCEPT



####################RDP####################

#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to 192.168.0.116