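<!doctype html>
<html lang="pt-BR">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="generator" content="MSHTML 6.00.2900.2963">
  <title>Firewall com proxy (squid) no Fedora: não consigo receber nem enviar e-mails</title>
</head>
<body>
  <main>
    <article>
      <h1>Firewall com proxy (squid) no Fedora: não consigo receber nem enviar e-mails</h1>
      <p>Olá comunidade, eu estou com um problema, implementei um firewall com proxy ( squid ) no Fedora, a net está ok, o proxy também, só que não consigo receber e-mails e nem enviar, e as portas no firewall estão abertas para isso.</p>
      <p>esse é o meu firewall, se alguém puder me ajudar, eu agradeço... Vamos criar uma lista de pessoas que queiram conversar via Google Talk para tirar dúvidas? o meu é <a href="mailto:brunorodeiro@gmail.com">brunorodeiro@gmail.com</a></p>
      <p>abraços...</p>
      <!--
        Review notes on the quoted script (its text is reproduced exactly as posted; nothing below is applied to it):
        1. The case statement calls add_rules and flush_rules, but the functions defined earlier are named
           start and stop. "start", "stop" and "restart" therefore fail with "command not found" and neither
           apply nor flush any rule. Renaming the functions (or the calls) is the first fix.
        2. The "Aceitar lista de portas padrao" block and the two final DROP rules live in the nat table
           (-t nat, chain PREROUTING). The nat table only sees the first packet of a connection, and ACCEPT
           there only means "do not NAT this packet"; it is not a filter decision. Port filtering belongs in
           the filter table (INPUT / FORWARD), whose default policies this script never sets.
        3. Because of the final nat DROP for tcp, the first packet of every TCP flow not matched above is
           discarded, and the SMTP (25) and POP3 (110) entries only match sources in 192.168.0.0/24. Mail
           arriving from outside that network for a server on or behind this host would be dropped, which
           may be the reported inbound-mail failure (to be confirmed against the actual mail setup).
        4. "IP Spoofing": 172.16.0.0/16 covers only the first sixteenth of the RFC 1918 block 172.16.0.0/12
           (172.16.0.0 to 172.31.255.255).
        5. "-m unclean" is an old experimental match that current kernels do not ship; that command fails
           and, without set -e, the script simply continues.
        6. "CEF": 200.201.174.0/16 and 200.201.166.0/16 both reduce to 200.201.0.0/16; a /24 prefix was
           probably intended (confirm with the published ranges).
      -->
      <pre><code class="language-bash">#!/bin/bash

stop ()
{
 echo "0" &gt; /proc/sys/net/ipv4/ip_forward
 iptables -F
 iptables -X
}

start ()
{

############################# Limpar as regras primeiro
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -X -t mangle


############################# Insere os modulos kernel
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_MARK

echo 1 &gt; /proc/sys/net/ipv4/ip_forward

echo "0" &gt; /proc/sys/net/ipv4/tcp_ecn

###########################################
#/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

########### LOGS ######################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j LOG --log-prefix "LOG ICQ: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j LOG --log-prefix "LOG MSN: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "Serviço SSH: "
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j LOG --log-prefix "Serviço FTP: "

#####################################
# PROTECAO EXTRA
#####################################

############## Brute Force ############
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
/usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

############# Proteção contra trojans ################
/usr/sbin/iptables -N TROJAN
/usr/sbin/iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
/usr/sbin/iptables -A TROJAN -j DROP
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 4000 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6000 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6006 -j TROJAN
/usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 16660 -j TROJAN

############## Proteção contra worms #################
/usr/sbin/iptables -A FORWARD -p tcp --dport 135 -i eth0 -j REJECT

############## SYN-flood ############
/usr/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

############## ping da morte ########
/usr/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

########### Port Scanners ###########
/usr/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j DROP

########## IP Spoofing ##############
/usr/sbin/iptables -N syn-flood
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/usr/sbin/iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
/usr/sbin/iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j DROP
/usr/sbin/iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP

######## anomalias de pacotes #######
/usr/sbin/iptables -A FORWARD -m unclean -j DROP

################### CEF ########################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT

############################# Redirecionar 80, 3128 -&gt; 3128

#/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j DNAT --to-destination 192.168.0.1:3128
#/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport -s 192.168.0.0/24 --dport 80,443,563 -j REDIRECT --to-port 3128

############################# Aceitar lista de portas padrao
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 23 -j ACCEPT -s 192.168.0.145
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 110 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 443 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 465 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 500 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 587 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 995 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3306 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j ACCEPT -s 192.168.0.0/24
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5017 -j ACCEPT -s 192.168.0.0/24

########## ICQ ################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j ACCEPT -s 192.168.0.50

########### MSN #######################
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j ACCEPT -s 192.168.0.128


######################################
# Filtros de portas udp
######################################
/usr/sbin/iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT


########### Apos feitas as regras rejeitar todos os outros pacotes
/usr/sbin/iptables -t nat -p tcp -A PREROUTING -j DROP
/usr/sbin/iptables -t nat -p udp -A PREROUTING -j DROP

}

case $1 in
 start)
 echo -n Starting Firewall...
 add_rules
 echo "Done"
 ;;
 stop)
 echo -n Stoping Firewall...
 flush_rules
 echo "Done"
 ;;
 restart)
 echo -n Restarting Firewall...
 flush_rules
 add_rules
 echo "Done"
 ;;
 status)
 echo "============================ Firewall rules:"
 iptables -L -n
 echo "============================ Masquerade tables:"
 iptables -t nat -L -n
 echo "============================ Mangle table:"
 iptables -t mangle -L -n
 ;;
 *)
 echo Usar: "$0 { status | start | stop | restart }"
 ;;
esac</code></pre>
    </article>
  </main>
</body>
</html>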