Bom dia, estou com um probleminha no meu firewall.
Montei um proxy transparente e um iptables na mesma maquina, porém neste momento o proxy se encontra desabilitado.
O problema é, quando deixo a regra iptables -P FORWARD DROP, o acesso web nao funciona, mas outros serviço estão ok (MSN, SKYPE, GTALK, JDown...)
Segue as regas do iptables:
#!/bin/bash
## ----------------------------------
## Tabelas FILTER e NAT
## ----------------------------------
echo \ \ -\>IPTables: Apagando regras em tabelas FILTER e NAT
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
echo "Ativando compartilhamento "
# Ativando Roteamento de pacote
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo " Compartilhamento ativado"
# DESABILITANDO IPV6 (Melhora a Internet)
#echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo "IPv6 Desabilitado"
#------------------------------------
#REDIRECIONANDO ACESSO PORTA 80 P/ PORTA 3128 (PROXY TRANSPARENTE)
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/255.255.255.0 --dport 80 -j REDIRECT --to-port 3128
#------------------------------------
# PERMITE SESSOES ESTABELECIDAS
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#----------------------------------
# Configurando politicas
echo \ \ -\>IPTables: Configurando politicas para valores seguros
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
## ----------------------------------
## Configurando INPUT
echo \ \ -\>IPTables: Liberando que servicos e maquinas comuniquem com vc
#Permite entradas para uma faixa de enderecos local
sudo iptables -A INPUT -p tcp -s 192.168.1.0/255.255.255.0 -j ACCEPT
#LIBERA SQUID
iptables -t filter -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
#Local Host
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
#Libera o apache pra web
iptables -A INPUT -p tcp --dport 6080 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#Permite entradas na porta 80 (Apache)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
#Libera Ping
sudo iptables -A INPUT -p icmp -m icmp -j ACCEPT
# Permite localhost receba dados para localhost
sudo iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
# Permite que entre somente pacotes de uma conexao ja estabelecida
sudo iptables -A INPUT -p tcp --syn -j DROP
# Libera SSH
sudo iptables -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT
#Protecoes contra ataques
iptables -A INPUT -m state --state INVALID -j DROP
echo \ \ -\> REGRAS INPUT EXECUTADAS
## ----------------------------------
## Configurando OUTPUT
## ----------------------------------
##----------------------------------
## Configurando FORWARD
##-----------------------------------
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#LIBERA PING
iptables -A FORWARD -p icmp -m icmp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp -m icmp -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#Libera somente as portas 80 e 443 direcionadaS
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/255.255.255.0 -m multiport --dport 80,443 -j REDIRECT --to-port 3128
#LIBERA ACESSO WEB
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m multiport --dport 80,443 -j ACCEPT
# iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 3128 -j ACCEPT
#LIBERA MSN
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -d loginnet.passport.com -j ACCEPT
#LIBERA DNS
iptables -A FORWARD -s 10.57.0.0/16 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 10.57.0.0/16 -p udp --dport 53 -j ACCEPT
#LIBERA SMTP E POP3
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 465 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -s 127.0.0.1/24 -j ACCEPT
#LIBERA SSH
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT
#LIBERA CHAT POR VOZ
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 4106 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m multiport --dport 4106,6100 -j ACCEPT
#LIBERA GTALK
iptables -A FORWARD -d talk.l.google.com -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d chatenabled.mail.google.com -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d talk.google.com -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d talkx.l.google.com -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d talk.l.google.com -p tcp --dport 5222 -j ACCEPT
iptables -A FORWARD -d chatenabled.mail.google.com -p tcp --dport 5222 -j ACCEPT
iptables -A FORWARD -d talk.google.com -p tcp --dport 5222 -j ACCEPT
iptables -A FORWARD -d talkx.l.google.com -p tcp --dport 5222 -j ACCEPT
echo \ \ -\> REGRAS FORWARD EXECUTADAS
Espero que me ajudem, agradeço. Att. Everton