[CentOS-pt-br] Iptables!

Terça Setembro 6 17:03:25 UTC 2016

Sou novo com IPTABLES e SQUID, preciso liberar um determinado programa para acessar o endereço e portas abaixo relacionados sem passar pelo proxy. 

177.135.260.61:3051 
177.135.250.61:5836 
177.135.250.61:5837 
177.135.250.61:725 

As requisições de saída sairão do IP 172.16.0.48/255.255.255.192. 

Abaixo o script firewall.sh que utilizo. 

#!/bin/bash 
#___________.__________________________ __ _____ .____ .____ 
#\_ _____/| \______ \_ _____/ \ / \/ _ \ | | | | 
# | __) | || _/| __)_\ \/\/ / /_\ \| | | | 
# | \ | || | \| \\ / | \ |___| |___ 
# \___ / |___||____|_ /_______ / \__/\ /\____|__ /_______ \_______ \ 
# \/ \/ \/ \/ \/ \/ \/ 
##################################################################### 
# VARIAVEIS 
##################################################################### 
# -d ip de destino - rede destino - ip da rede 192.168.2.1 192.168.0.0/24 
# -s ip de origem - rede de origem - ip da internet 
# --sport NUMERO porta origem 
# --dport NUMERO porta destino 
# -j ACAO 
LOG_OPTIONS="--log-tcp-sequence --log-ip-options --log-tcp-options --log-level info" 
IPT="/sbin/iptables" 
### INTERFACE DA REDE EXTERNA INTERNET 
IF_EXT="eth0" 

### INTERFACE DA REDE INTERNA LAN 
IF_INT="eth1" 

### REDE INTERNA 
REDE_INTERNA="172.16.0.0/26" 

### PORTAS LIBERADAS TCP INPUT 
PORTAS_REDE_INTERNA="23 25 53 137 443 8080 1194 2928 3128 3389 80" 

### PORTAS LIBERADAS UDP INPUT 
PORTAS_UDP="53 161 3128" 

### Portas liberadas de fora internet para a rede interna 
PORTAS_FORWARD="23 25 53 443 8080 137 1194 2928 3389 3128" 

# ======== FORWARD LIBERADO PARA IP EXTERNO 
IP_FORWARD_EXTERNO=" 
189.2.188.173 
187.5.111.45 
" 
### FORWARD LIBERADO PARA IP DA REDE INTERNA 
### Informar os IP's da rede interna que poderão passar sem configurar o proxy 
IP_FORWARD_INTERNO=" 
172.16.0.3 
172.16.0.7 
172.16.0.25 
172.16.0.11 
172.16.0.50 
172.16.0.47 
172.16.0.38 
172.16.0.61 
172.16.0.24 
172.16.0.10 
172.16.0.9 
172.16.0.49 
172.16.0.18 
172.16.0.15 
172.16.0.36 
172.16.0.51 
172.16.0.39 
172.16.0.45 
172.16.0.29 
172.16.0.36 
" 
echo "INICIANDO FIREWALL ...................[OK]" 
##################################################################### 
# MODULOS 
##################################################################### 
/sbin/modprobe ip_conntrack 
/sbin/modprobe ip_conntrack_ftp 
/sbin/modprobe ip_nat_ftp 
/sbin/modprobe iptable_nat 
/sbin/modprobe ipt_tos 
/sbin/modprobe ipt_MASQUERADE 

echo "LIMPANDO AS REGRAS ...................[OK]" 
### APAGANDO REGRAS PADRAO 
$IPT -F 
$IPT -t nat -F 
$IPT -t mangle -F 

### APAGANDO CHAINS 
$IPT -X 
$IPT -t nat -X 
$IPT -t mangle -X 

### ZERANDO CONTADORES 
$IPT -Z 
$IPT -t nat -Z 
$IPT -t mangle -Z 

echo "APLICADO REGRAS PADRÕES ..............[OK]" 
###################################################################### 
# REGRAS PADROES 
###################################################################### 
$IPT -P INPUT DROP 
$IPT -P FORWARD DROP 
$IPT -P OUTPUT ACCEPT 

### HABILITANDO ROTEAMENTO NO KERNEL 
echo "1" > /proc/sys/net/ipv4/ip_forward 

###################################################################### 
# REGRAS DE NAT 
###################################################################### 
### COMPARTILHAR INTERNET 

#$IPT -t nat -A POSTROUTING -s $REDE_INTERNA -o $IF_EXT -j MASQUERADE 
$IPT -t nat -A POSTROUTING -o $IF_EXT -j MASQUERADE 

#Redirecionar 443 para 3128 
#$IPT -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3128 

### PROXY TRANSPARENTE 
#$IPT -t nat -A PREROUTING -i $IF_EXT -p tcp --dport 80 -j DNAT --to 10.1.1.1:3128 
#$IPT -t nat -A PREROUTING -i $IF_INT -p tcp --dport 80 -j REDIRECT --to-port 3128 

### REDIRECIONAR ACESSO EXTERNO RDP PARA HOST INTERNO 
#$IPT -t nat -A PREROUTING -i $IF_EXT -p tcp --dport 3389 -j DNAT --to-destination 10.1.1.54:3389 
#$IPT -t filter -A FORWARD -i $IF_EXT -d 10.1.1.54 -p tcp --dport 3389 -j ACCEPT 

echo "APLICANDO REGRAS MANUAIS .............[OK]" 
##################################################################### 
# REGRAS INPUT 
##################################################################### 
$IPT -t filter -A INPUT -p tcp -i lo -j ACCEPT 
$IPT -t filter -A INPUT -p icmp -j ACCEPT 
$IPT -t filter -A INPUT -p tcp --dport 443 -j DROP 

for i in $PORTAS_REDE_INTERNA; do 
$IPT -t filter -A INPUT -p tcp --dport $i -j ACCEPT 
done 

for i in $PORTAS_UDP; do 
$IPT -A INPUT -p udp --dport $i -j ACCEPT 
done 

$IPT -t filter -A INPUT -m state --state INVALID,RELATED,ESTABLISHED -j ACCEPT 
$IPT -t filter -A INPUT -j LOG $LOG_OPTIONS --log-prefix "LOG_INPUT" 
$IPT -t filter -A INPUT -j DROP 

##################################################################### 
# REGRAS DE FORWARD 
##################################################################### 
### PORTAS FORWARD 
for i in $PORTAS_FORWARD; do 
$IPT -A FORWARD -p tcp --dport $i -j ACCEPT 
done 

### FORWARD EXTERNA INTERNET 
for i in $IP_FORWARD_EXTERNO; do 
$IPT -A FORWARD -d $i -j ACCEPT 
done 

### FORWARD INTERNO INTERNT 
for i in $IP_FORWARD_INTERNO; do 
$IPT -A FORWARD -s $i -j ACCEPT 
done 
### 

for i in $PORTAS_UDP; do 
$IPT -t filter -A FORWARD -p udp --dport $i -j ACCEPT 
done 

$IPT -t filter -A FORWARD -m state --state INVALID,RELATED,ESTABLISHED -j ACCEPT 
$IPT -t filter -A FORWARD -j LOG $LOG_OPTIONS --log-prefix "LOG_FORWARD" 
$IPT -t filter -A FORWARD -j DROP 

echo "FIREWALL INICIADO ....................[OK]" 

Gostaria da ajuda para saber o comando e onde colocar. 
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://lists.centos.org/pipermail/centos-pt-br/attachments/20160906/5ed31ef2/attachment.html>