<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>I added the rule as shown below and am getting the error messages that follow.<br></div><div><br data-mce-bogus="1"></div><div>#### Rules to allow the SPI program ### start...<br>$IPT -t filter -I FORWARD -d 177.135.260.61 -p tcp -m multiport --dport 3051,5836,5837,725 -j ACCEPT<br>$IPT -t filter -I FORWARD -d 177.135.260.61 -p udp -m multiport --dport 3051,5836,5837,725 -j ACCEPT<br>#### Rules to allow the SPI program ### end...</div><div><br data-mce-bogus="1"></div><div>[root@proxy ~]# /etc/rc.d/init.d/firewall.sh<br>INICIANDO FIREWALL ...................[OK]<br>LIMPANDO AS REGRAS ...................[OK]<br>APLICADO REGRAS PADRÕES ..............[OK]<br>APLICANDO REGRAS MANUAIS .............[OK]<br>iptables v1.4.7: host/network `177.135.260.61' not found<br>Try `iptables -h' or 'iptables --help' for more information.<br>iptables v1.4.7: host/network `177.135.260.61' not found<br>Try `iptables -h' or 'iptables --help' for more information.<br>FIREWALL INICIADO ....................[OK]</div><div><br data-mce-bogus="1"></div><div>I placed the rule lines before the lines shown below.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>$IPT -t filter -A FORWARD -m state --state INVALID,RELATED,ESTABLISHED -j ACCEPT<br>$IPT -t filter -A FORWARD -j LOG $LOG_OPTIONS --log-prefix "LOG_FORWARD"<br>$IPT -t filter -A FORWARD -j DROP<br></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>centos-pt-br-request@centos.org<br><b>To: </b>centos-pt-br@centos.org<br><b>Sent: </b>Wednesday, 7 September 2016 9:00:02<br><b>Subject: </b>CentOS-pt-br Digest, Vol 114, Issue 2<br></div><div><br></div><div data-marker="__QUOTED_TEXT__">Send CentOS-pt-br mailing list submissions to<br> centos-pt-br@centos.org<br><br>To subscribe or unsubscribe via the World Wide Web, visit<br> https://lists.centos.org/mailman/listinfo/centos-pt-br<br>or, via email, send a message with 'help' in the subject or<br>body to<br> centos-pt-br-request@centos.org<br><br>You can reach the person managing the list at<br> centos-pt-br-owner@centos.org<br><br>When replying, please edit your Subject line so it is more specific<br>than "Re: Contents of CentOS-pt-br digest..."<br><br><br>Today's Topics:<br><br> 1. Iptables! (Glenio Cortes Himmen)<br> 2. Assunto: Iptables! (Adroaldo Cavalheiro)<br> 3. Re: Iptables! (João Paulo Ferreira)<br><br><br>----------------------------------------------------------------------<br><br>Message: 1<br>Date: Tue, 6 Sep 2016 14:03:25 -0300 (BRT)<br>From: Glenio Cortes Himmen <glenio.11622x@aparecida.go.gov.br><br>To: CentOS-pt-br@centos.org<br>Subject: [CentOS-pt-br] Iptables!<br>Message-ID:<br> <1251459852.311112.1473181405819.JavaMail.zimbra@aparecida.go.gov.br><br>Content-Type: text/plain; charset="utf-8"<br><br>I am new to IPTABLES and SQUID; I need to allow a particular program to reach the address and ports listed below without going through the proxy. <br><br>177.135.260.61:3051 <br>177.135.250.61:5836 <br>177.135.250.61:5837 <br>177.135.250.61:725 <br><br>Outgoing requests will originate from the IP 172.16.0.48/255.255.255.192. <br><br>Below is the firewall.sh script I use. 
<br><br>#!/bin/bash <br>#___________.__________________________ __ _____ .____ .____ <br>#\_ _____/| \______ \_ _____/ \ / \/ _ \ | | | | <br># | __) | || _/| __)_\ \/\/ / /_\ \| | | | <br># | \ | || | \| \\ / | \ |___| |___ <br># \___ / |___||____|_ /_______ / \__/\ /\____|__ /_______ \_______ \ <br># \/ \/ \/ \/ \/ \/ \/ <br>
##################################################################### <br># VARIABLES <br>##################################################################### <br>
# -d destination ip - destination network - network ip 192.168.2.1 192.168.0.0/24 <br>
# -s source ip - source network - internet ip <br>
# --sport NUMBER source port <br>
# --dport NUMBER destination port <br>
# -j ACTION <br>
LOG_OPTIONS="--log-tcp-sequence --log-ip-options --log-tcp-options --log-level info" <br>
IPT="/sbin/iptables" <br>
### EXTERNAL NETWORK INTERFACE (INTERNET) <br>
IF_EXT="eth0" <br><br>
### INTERNAL NETWORK INTERFACE (LAN) <br>
IF_INT="eth1" <br><br>
### INTERNAL NETWORK <br>
REDE_INTERNA="172.16.0.0/26" <br><br>
### TCP PORTS OPEN ON INPUT <br>
PORTAS_REDE_INTERNA="23 25 53 137 443 8080 1194 2928 3128 3389 80" <br><br>
### UDP PORTS OPEN ON INPUT <br>
PORTAS_UDP="53 161 3128" <br><br>
### Ports open from the outside (Internet) to the internal network <br>
PORTAS_FORWARD="23 25 53 443 8080 137 1194 2928 3389 3128" <br><br>
# ======== FORWARD ALLOWED TO EXTERNAL IPS <br>
IP_FORWARD_EXTERNO=" <br>189.2.188.173 <br>187.5.111.45 <br>" <br>
### FORWARD ALLOWED FOR INTERNAL NETWORK IPS <br>
### List the internal IPs that may pass without configuring the proxy <br>
IP_FORWARD_INTERNO=" <br>172.16.0.3 <br>172.16.0.7 <br>172.16.0.25 <br>172.16.0.11 <br>172.16.0.50 <br>172.16.0.47 <br>172.16.0.38 <br>172.16.0.61 <br>172.16.0.24 <br>172.16.0.10 <br>172.16.0.9 <br>172.16.0.49 <br>172.16.0.18 <br>172.16.0.15 <br>172.16.0.36 <br>172.16.0.51 <br>172.16.0.39 <br>172.16.0.45 <br>172.16.0.29 <br>172.16.0.36 <br>" <br>
echo "INICIANDO FIREWALL ...................[OK]" <br>
##################################################################### <br># MODULES <br>##################################################################### <br>
/sbin/modprobe ip_conntrack <br>/sbin/modprobe ip_conntrack_ftp <br>/sbin/modprobe ip_nat_ftp <br>/sbin/modprobe iptable_nat <br>/sbin/modprobe ipt_tos <br>/sbin/modprobe ipt_MASQUERADE <br><br>
echo "LIMPANDO AS REGRAS ...................[OK]" <br>
### FLUSHING EXISTING RULES <br>$IPT -F <br>$IPT -t nat -F <br>$IPT -t mangle -F <br><br>
### DELETING CHAINS <br>$IPT -X <br>$IPT -t nat -X <br>$IPT -t mangle -X <br><br>
### ZEROING COUNTERS <br>$IPT -Z <br>$IPT -t nat -Z <br>$IPT -t mangle -Z <br><br>
echo "APLICADO REGRAS PADRÕES ..............[OK]" <br>
###################################################################### <br># DEFAULT POLICIES <br>###################################################################### <br>
$IPT -P INPUT DROP <br>$IPT -P FORWARD DROP <br>$IPT -P OUTPUT ACCEPT <br><br>
### ENABLING ROUTING IN THE KERNEL <br>echo "1" > /proc/sys/net/ipv4/ip_forward <br><br>
###################################################################### <br># NAT RULES <br>###################################################################### <br>
### INTERNET SHARING <br><br>#$IPT -t nat -A POSTROUTING -s $REDE_INTERNA -o $IF_EXT -j MASQUERADE <br>$IPT -t nat -A POSTROUTING -o $IF_EXT -j MASQUERADE <br><br>
#Redirect 443 to 3128 <br>#$IPT -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3128 <br><br>
### TRANSPARENT PROXY <br>#$IPT -t nat -A PREROUTING -i $IF_EXT -p tcp --dport 80 -j DNAT --to 10.1.1.1:3128 <br>#$IPT -t nat -A PREROUTING -i $IF_INT -p tcp --dport 80 -j REDIRECT --to-port 3128 <br><br>
### REDIRECT EXTERNAL RDP ACCESS TO AN INTERNAL HOST <br>#$IPT -t nat -A PREROUTING -i $IF_EXT -p tcp --dport 3389 -j DNAT --to-destination 10.1.1.54:3389 <br>#$IPT -t filter -A FORWARD -i $IF_EXT -d 10.1.1.54 -p tcp --dport 3389 -j ACCEPT <br><br>
echo "APLICANDO REGRAS MANUAIS .............[OK]" <br>
##################################################################### <br># INPUT RULES <br>##################################################################### <br>
$IPT -t filter -A INPUT -p tcp -i lo -j ACCEPT <br>$IPT -t filter -A INPUT -p icmp -j ACCEPT <br>$IPT -t filter -A INPUT -p tcp --dport 443 -j DROP <br><br>
for i in $PORTAS_REDE_INTERNA; do <br>$IPT -t filter -A INPUT -p tcp --dport $i -j ACCEPT <br>done <br><br>
for i in $PORTAS_UDP; do <br>$IPT -A INPUT -p udp --dport $i -j ACCEPT <br>done <br><br>
$IPT -t filter -A INPUT -m state --state INVALID,RELATED,ESTABLISHED -j ACCEPT <br>$IPT -t filter -A INPUT -j LOG $LOG_OPTIONS --log-prefix "LOG_INPUT" <br>$IPT -t filter -A INPUT -j DROP <br><br>
##################################################################### <br># FORWARD RULES <br>##################################################################### <br>
### FORWARDED PORTS <br>for i in $PORTAS_FORWARD; do <br>$IPT -A FORWARD -p tcp --dport $i -j ACCEPT <br>done <br><br>
### FORWARD TO EXTERNAL (INTERNET) IPS <br>for i in $IP_FORWARD_EXTERNO; do <br>$IPT -A FORWARD -d $i -j ACCEPT <br>done <br><br>
### FORWARD FROM INTERNAL IPS TO THE INTERNET <br>for i in $IP_FORWARD_INTERNO; do <br>$IPT -A FORWARD -s $i -j ACCEPT <br>done <br>### <br><br>
for i in $PORTAS_UDP; do <br>$IPT -t filter -A FORWARD -p udp --dport $i -j ACCEPT <br>done <br><br>
$IPT -t filter -A FORWARD -m state --state INVALID,RELATED,ESTABLISHED -j ACCEPT <br>$IPT -t filter -A FORWARD -j LOG $LOG_OPTIONS --log-prefix "LOG_FORWARD" <br>$IPT -t filter -A FORWARD -j DROP <br><br>
echo "FIREWALL INICIADO ....................[OK]" <br><br>
I would like help knowing the command and where to place it. 
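<br><br>Added example (editor's code, not from any message in this thread), in response to the question above. Three of the four lines in the question spell the address 177.135.250.61; the "host/network `177.135.260.61' not found" error reported in the reply at the top of this page is what iptables prints when an address whose third octet exceeds 255 can be neither parsed as IPv4 nor resolved as a hostname. The `-I FORWARD` placement suggested in the answers is fine, since it inserts ahead of the LOG and DROP rules; the script below therefore only adds an address check before generating the rules, and pins them to the poster's internal subnet and LAN-to-WAN direction. It reuses the IPT, IF_INT, IF_EXT and REDE_INTERNA names and values from firewall.sh, takes the port list from the question, and prints the commands instead of running them.

```bash
#!/bin/bash
# Added example, not part of the original thread: validate destination
# addresses before generating FORWARD rules, so a bad octet such as the
# "260" in 177.135.260.61 is rejected by the script instead of surfacing as
# "host/network not found" halfway through loading the firewall.
# Variable names and values follow the poster's firewall.sh.
IPT="/sbin/iptables"
IF_EXT="eth0"
IF_INT="eth1"
REDE_INTERNA="172.16.0.0/26"   # 172.16.0.48/255.255.255.192 lies in this block

# Succeed only for a dotted quad whose four octets are decimal 0..255.
valid_ipv4() {
    local ip="$1" octet
    # Reject anything but digits and dots, and any empty group.
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS='.'
    set -f                      # no pathname expansion while splitting
    set -- $ip
    set +f
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        # "010" is read as octal by some resolvers; require canonical form.
        case "$octet" in 0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (not execute) the FORWARD rules for one destination and a
# comma-separated port list, for both TCP and UDP as the answers suggest.
# Matching -i/-o/-s pins the rule to traffic leaving the LAN towards the
# Internet, so the same ports reached from the outside do not match it;
# replies are covered by firewall.sh's existing ESTABLISHED rule.
# -I inserts at the top of FORWARD, ahead of the LOG and DROP rules.
forward_rules_for() {
    local dst="$1" ports="$2" proto
    if ! valid_ipv4 "$dst"; then
        echo "ERROR: '$dst' is not a valid IPv4 address; rule skipped" >&2
        return 1
    fi
    for proto in tcp udp; do
        echo "$IPT -t filter -I FORWARD -i $IF_INT -o $IF_EXT -s $REDE_INTERNA" \
             "-d $dst -p $proto -m multiport --dport $ports -j ACCEPT"
    done
}

# Constructed demo input: the two spellings of the address that appear in
# the question; the second one must be rejected, so demo returns 1.
demo() {
    local rc=0 host
    for host in 177.135.250.61 177.135.260.61; do
        forward_rules_for "$host" 3051,5836,5837,725 || rc=1
    done
    return "$rc"
}
```

Source the file and call `demo`, or pipe the output of `forward_rules_for` into `sh` once the printed commands look right.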
<br>-------------- Next Part --------------<br>An HTML attachment was scrubbed...<br>URL: <http://lists.centos.org/pipermail/centos-pt-br/attachments/20160906/5ed31ef2/attachment-0001.html><br><br>------------------------------<br><br>Message: 2<br>Date: Tue, 6 Sep 2016 22:33:01 +0000 (UTC)<br>From: Adroaldo Cavalheiro <adroaldo_goncalves@yahoo.com.br><br>To: "Portuguese (Brazilian) CentOS mailing list"<br> <centos-pt-br@centos.org><br>Subject: [CentOS-pt-br] Assunto: Iptables!<br>Message-ID: <700822086.704018.1473201181100@mail.yahoo.com><br>Content-Type: text/plain; charset="utf-8"<br><br><br>Try this.<br>iptables -A FORWARD -p tcp --dport 3051 -d 177.135.260.61 -j ACCEPT<br>Do the same for the other ports; just repeat the rule.<br>I took it from this post on Vivaolinux.<br><br>Sent from Yahoo Mail on Android <br> <br> At 14:03 on Tue, 6 Sep, Glenio Cortes Himmen <glenio.11622x@aparecida.go.gov.br> wrote: I am new to IPTABLES and SQUID; I need to allow a particular program to reach the address and ports listed below without going through the proxy.<br><br>177.135.260.61:3051<br>177.135.250.61:5836<br>177.135.250.61:5837<br>177.135.250.61:725<br>Outgoing requests will originate from the IP 172.16.0.48/255.255.255.192.<br><br>Below is the firewall.sh script I use.<br><br>[... firewall.sh quoted in full, identical to the copy in Message 1 above ...]<br><br>I would like help knowing the command and where to place it.<br> <br>-------------- Next Part --------------<br>An HTML attachment was scrubbed...<br>URL: <http://lists.centos.org/pipermail/centos-pt-br/attachments/20160906/a8d6e24a/attachment-0001.html><br><br>------------------------------<br><br>Message: 3<br>Date: Tue, 6 Sep 2016 23:51:26 -0300<br>From: João Paulo Ferreira <jferreira.ba@gmail.com><br>To: "Portuguese (Brazilian) CentOS mailing list"<br> <centos-pt-br@centos.org><br>Subject: Re: [CentOS-pt-br] Iptables!<br>Message-ID:<br> <CA+fqMVCoKcY0Ej+fz5py6wSuGcnghdU2AXdJ2GRihpW+OfDqYA@mail.gmail.com><br>Content-Type: text/plain; charset="utf-8"<br><br>iptables -t filter -I FORWARD -d 177.135.260.61 -p tcp -m multiport --dport 3051,5836,5837,725 -j ACCEPT<br>iptables -t filter -I FORWARD -d 177.135.260.61 -p udp -m multiport --dport 3051,5836,5837,725 -j ACCEPT<br><br>Since you did not say which transport-layer protocol it uses, I am adding the rule for both UDP and TCP.<br><br>Regards,<br><br>*João Paulo Ferreira*<br>*B.S. in Computer Science* - UNIVERSIDADE SALVADOR<br>*Specialist in Computer Networks and Telecommunications* - UNIVERSIDADE SALVADOR<br>*Novell Certified Linux Administrator* - NOVELL<br>*Certified Linux Professional Institute *- LPI<br>*CompTIA Linux+* - COMPTIA<br>*Mikrotik Certified Network Associate* - MIKROTIK<br>Cel.: +55 (71) 9918-1235 VIVO<br>Cel.: +55 (71) 8837-7080 OI<br>Skype.: joaopaulo.cf<br>G-Talk/Mail: jferreira.ba@gmail.com<br><br>On 6 September 2016 at 14:03, Glenio Cortes Himmen <<br>glenio.11622x@aparecida.go.gov.br> wrote:<br><br>> I am new to IPTABLES and SQUID; I need to allow a particular program<br>> to reach the address and ports listed below without going through the proxy.<br>><br>> 177.135.260.61:3051<br>> 177.135.250.61:5836<br>> 177.135.250.61:5837<br>> 177.135.250.61:725<br>><br>> Outgoing requests will originate from the IP 172.16.0.48/255.255.255.192.<br>><br>> Below is the firewall.sh script I use.<br>><br>> [... firewall.sh quoted in full, identical to the copy in Message 1 above ...]<br>><br>> I would like help knowing the command and where to place it.<br>><br>-------------- Next Part --------------<br>An HTML attachment was scrubbed...<br>URL: <http://lists.centos.org/pipermail/centos-pt-br/attachments/20160906/7ba77985/attachment-0001.html><br><br>------------------------------<br><br>_______________________________________________<br>CentOS-pt-br mailing list<br>CentOS-pt-br@centos.org<br>https://lists.centos.org/mailman/listinfo/centos-pt-br<br><br><br>End of CentOS-pt-br Digest, Vol 114, Issue 2<br>*************************************************<br></div></div></body></html>