Achei um erro, mas como ninguém perguntou nada ... Fabiano
Em 14/03/06, debopen<[EMAIL PROTECTED]> escreveu: > #!/bin/sh > > # Variaveis > IPTABLES="/sbin/iptables" > MOD="/sbin/modprobe" > WAN="ppp+" > LAN="eth+" > REDE="192.168.0.0/24" > DNS="200.204.0.10, 200.204.0.138" > > > case "$1" in > start) > echo -e "Iniciando Firewall TCL ... " > > depmod -a > $MOD ip_tables > $MOD iptable_filter > $MOD ip_conntrack > $MOD ip_conntrack_ftp > $MOD iptable_nat > $MOD ip_nat_ftp > $MOD ipt_LOG > $MOD ipt_state > $MOD ipt_MASQUERADE > > > #Limpando as Chains > $IPTABLES -F > $IPTABLES -t nat -F > $IPTABLES -X > $IPTABLES -Z > > > #Politica Padrão > $IPTABLES -P INPUT DROP > $IPTABLES -P FORWARD DROP > $IPTABLES -P OUTPUT ACCEPT > > > #Setando o Kernel para IP_Dinamico Mascarado > echo "1" > /proc/sys/net/ipv4/ip_dynaddr > > #Habilitando IP_Forwarding > echo "1" > /proc/sys/net/ipv4/ip_forward > > #Ativando Protecao no Kernel > for tcl in /proc/sys/net/ipv4/conf/*/rp_filter; do > echo 1 > $tcl > done > > #Ativando SynCookies para Protecao no Kernel > echo "1" > /proc/sys/net/ipv4/tcp_syncookies > > ##################TABELA INPUT######################## > > $IPTABLES -A INPUT -i lo -j ACCEPT > $IPTABLES -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT > $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > #Porta FTP Data $IPTABLES -A INPUT -i $WAN -p tcp --dport 20 -j ACCEPT > #Porta FTP $IPTABLES -A INPUT -i $WAN -p tcp --dport 21 -j ACCEPT > #Porta Telnet $IPTABLES -A INPUT -i $WAN -p tcp --dport 23 -j ACCEPT > #Porta Ssh $IPTABLES -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT > $IPTABLES -A INPUT -i $WAN -p tcp --dport 25 -j ACCEPT > $IPTABLES -A INPUT -i $WAN -p tcp --dport 110 -j ACCEPT > $IPTABLES -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT > $IPTABLES -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT > $IPTABLES -A INPUT -i $WAN -p tcp --dport 1863 -j ACCEPT > $IPTABLES -A INPUT -i $WAN -p tcp --dport 4444 -j ACCEPT > $IPTABLES -A INPUT -i $WAN -p tcp --dport $DNS -j ACCEPT > $IPTABLES -A INPUT -i $WAN -p udp --dport $DNS -j ACCEPT > > > #Opcao dois -> Libera conexoes de retorno dos servicos ativos na > rede interna > #$IPTABLES -A INPUT -i $WAN -p tcp -m --multiport --dport 20, 21, > 23, 25, 110, 80, 443, 53, 1863, 4444 -j ACCEPT > > > #Como eu vou ter que acessar esta Maquina Remotamente, para > Manutenção ou > #configuracoes que se mostrarem necessarias. Vou permitir o acesso > ao SSH. > $IPTABLES -A INPUT -i $WAN -p tcp --dport 2222 -j ACCEPT > > > #A interface que está para a internet é a PPP0, é bom sempre logar > o pacote > #para saber o que ele é. Regras para ping, isso varia muito de > Admin para Admin > #eu tenho o costume de só permitir ping da rede interna para fora, > para ver se > #tem problemas na conexão com a internet, para poder verificar se o > server está on-line. > $IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT > $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT > > > #Protecao contra enderecos spoofados da internet > $IPTABLES -A INPUT -i $INTER -s 10.0.0.0/8 -j DROP > $IPTABLES -A INPUT -i $INTER -s 172.16.0.0/12 -j DROP > $IPTABLES -A INPUT -i $INTER -s 192.168.0.0/16 -j DROP > > > #Ja temos tudo o que eu precisamos,vamos mandar todo o resto embora. > $IPTABLES -A INPUT -p tcp -i $WAN -j LOG --log-level DEBUG > --log-prefix "TCP Descartado:" > $IPTABLES -A INPUT -p icmp -i $WAN -j LOG --log-level DEBUG > --log-prefix "ICMP Descartado:" > $IPTABLES -A INPUT -j DROP > > ##################TABELA FORWARD###################### > > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT > #Porta FTP Data $IPTABLES -A FORWARD -i $LAN -p tcp --sport 20 -j > ACCEPT > #Porta FTP $IPTABLES -A FORWARD -i $LAN -p tcp --sport 21 -j > ACCEPT > #Porta Telnet $IPTABLES -A FORWARD -i $LAN -p tcp --sport 23 -j > ACCEPT > #Porta Ssh $IPTABLES -A FORWARD -i $LAN -p tcp --sport 22 -j > ACCEPT > $IPTABLES -A FORWARD -i $LAN -p tcp --sport 25 -j ACCEPT > $IPTABLES -A FORWARD -i $LAN -p tcp --sport 110 -j ACCEPT > $IPTABLES -A FORWARD -i $LAN -p tcp --sport 80 -j ACCEPT > $IPTABLES -A FORWARD -i $LAN -p tcp --sport 443 -j ACCEPT > $IPTABLES -A FORWARD -i $LAN -p tcp --sport 1863 -j ACCEPT > $IPTABLES -A FORWARD -i $LAN -p tcp --sport 4444 -j ACCEPT > $IPTABLES -A FORWARD -i $LAN -p tcp --sport $DNS -j ACCEPT > $IPTABLES -A FORWARD -i $LAN -p udp --sport $DNS -j ACCEPT > > > #Opcao dois -->Libera as Conexoes da Rede Interna para Internet > #$IPTABLES -A FORWARD -i $LAN -p tcp -m --multiport --sport 20, 21, > 23, 25, 110, 80, 443, 53, 1863, 4444 -j ACCEPT > > > #Protecoes diversas contra PortScanners, Ping of Death, ataques > DoS, etc... > $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit > --limit 1/s -j ACCEPT > $IPTABLES -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT > $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m > limit --limit 1/s -j ACCEPT > $IPTABLES -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP > $IPTABLES -A FORWARD -m unclean -j DROP > > > #Em muitas distribuições com o Kernel 2.6 é necessário usar um quarto > #comando ao compartilhar uma conexão ADSL. Este comando ajusta os > #tamanhos dos pacotes recebidos do modem ao MTU usado na rede local. > $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m \ > tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu > > ##################TABELA NAT#################### > > #Acesso de Fora para Rede Local tendo Classe de IP 192.168.0.0 > > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.2:2222 > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.3:2222 > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.4:2222 > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.5:2222 > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.6:2222 > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.7:2222 > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.8:2222 > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.9:2222 > #$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -d $LAN --dport 2222 > -j DNAT --to-destination 192.168.0.10:2222 > > > #Aqui vai a simples linha que vai compartilhar o acesso a Internet. > $IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE > > ;; > stop) > echo "Parando Firewall TCL ... " > $IPTABLES -X > $IPTABLES -F > $IPTABLES -P INPUT ACCEPT > $IPTABLES -P OUTPUT ACCEPT > $IPTABLES -P FORWARD ACCEPT > > $IPTABLES -t nat -F > $IPTABLES -t nat -X > $IPTABLES -t nat -P PREROUTING ACCEPT > $IPTABLES -t nat -P POSTROUTING ACCEPT > $IPTABLES -t nat -P OUTPUT ACCEPT > > ;; > restart) > $0 stop > $0 start > ;; > status) > $IPTABLES -L -n > $IPTABLES -t nat -L -n > ;; > *) > echo "Use: $0 {start|stop|restart|status}" > exit 1 > ;; > esac > exit 0 > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > > -- Abraços, Fabiano