Really Stuck...

1. Really Stuck...

claudio daniel da silva araujo
claudio_Daniel23

(uses Debian)

Sent on 08/01/2015 - 13:41h

Gentlemen, I need help. I have already read every possible article here about IP exceptions in IPTABLES, but nothing helped me. Below is my firewall so you can give me a hand; I only need to exempt the IP 192.168.0.13 so that it does not log and goes around squid... with no exception of sites and ports.



FIREWALL

#!/bin/bash
# Firewall Master
# Author:
# Support:
# Date:
# Description:
#
####################################################
################ Load Modules ######################
####################################################
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_state
/sbin/modprobe ipt_tos
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_ttl
/sbin/modprobe ip_gre
#
#####################################################
################# Variables #########################
#####################################################
#
IPT='/sbin/iptables' # iptables packet filter
IFEXT='eth0' # Internet interface
#IPEXT='192.168.254.253' # Internet interface IP address
IFLAN1='eth1' # LAN1 interface
IPIFLAN1='192.168.0.1' # LAN1 interface IP address
LAN1='192.168.0.0/24' # LAN1 network address
#
################# Flush Chains #####################
#
$IPT -t filter -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -Z
#
############# Default Chain Policies ################
#
# filter table
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# nat table
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
# mangle table
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
#---------------------------------#
# Enable TCP/IP filters in the kernel #
#---------------------------------#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
for i in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $i/accept_redirects
    echo 0 > $i/accept_source_route
    echo 1 > $i/log_martians
    echo 0 > $i/rp_filter
done
# Enable routing
echo "1" > /proc/sys/net/ipv4/ip_forward
#
##################### Filters for all chains ###################
#
# Against IP spoofing
$IPT -A INPUT -s $LAN1 -i $IFEXT -j DROP
$IPT -A FORWARD -s $LAN1 -i $IFEXT -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -i $IFEXT -j DROP
$IPT -A FORWARD -s 127.0.0.0/8 -i $IFEXT -j DROP
$IPT -A INPUT -s 172.16.0.0/12 -i $IFEXT -j DROP
#$IPT -A INPUT -s 224.0.0.0/4 -i $IFEXT -j DROP
#$IPT -A INPUT -s 240.0.0.0/5 -i $IFEXT -j DROP
$IPT -t mangle -A PREROUTING -s $LAN1 -i $IFEXT -j DROP
# Against Ping of Death
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Block tracert
$IPT -A INPUT -p udp -i $IFEXT --dport 33435:33525 -j DROP
# Stateful Inspection
# Velox
#iptables -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
$IPT -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#
##################### VPN Rules ##########################
#
# INPUT CHAIN
#
# TCP/UDP ports (OPENVPN)
# OPENVPN
$IPT -A INPUT -p udp --dport 1193 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1193 -j ACCEPT
$IPT -A INPUT -p udp --dport 1194 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1194 -j ACCEPT
$IPT -A INPUT -p udp --dport 1195 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1195 -j ACCEPT
$IPT -A INPUT -p udp --dport 1196 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1196 -j ACCEPT
$IPT -A INPUT -p udp --dport 1197 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1197 -j ACCEPT
$IPT -A INPUT -p udp --dport 1198 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1198 -j ACCEPT
$IPT -A INPUT -p udp --dport 1199 -j ACCEPT
$IPT -A INPUT -p tcp --dport 1199 -j ACCEPT
$IPT -A INPUT -i tun+ -j ACCEPT
#
# FORWARD CHAIN
#
# GRE protocol
#$IPT -A FORWARD -p 47 -j ACCEPT
# Allow LAN
$IPT -A FORWARD -i tun+ -j ACCEPT
$IPT -A FORWARD -o tun+ -j ACCEPT
#
# POSTROUTING
#$IPT -t nat -A POSTROUTING -s 192.168.0.253 -o ppp0 -j MASQUERADE
#$IPT -t nat -A POSTROUTING -s 192.168.254.0/24 -o tun0 -j MASQUERADE
#
#-----------------------------------------------------------------------------------------
#
##################### Filter Table Rules ##########################
#
# INPUT CHAIN
#
# External interface (Internet)
#-----------------------------
#
# Allow DHCP for IFEXT
#$IPT -A INPUT -i $IFEXT -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -p tcp --sport 67 --dport 68 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -p udp --sport 68 --dport 67 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -p udp --sport 67 --dport 68 -j ACCEPT
# TCP ports SSH/HTTP/WEBMIN
#$IPT -A INPUT -i $IFEXT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i $IFEXT -p tcp --dport 2022 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $IFEXT -p tcp --dport 8081 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -p tcp --dport 9090 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -p tcp --dport 10000 -j ACCEPT
#PORT 443
$IPT -A INPUT -i $IFEXT -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp -m multiport --dport 443 -d $IPIFLAN1 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -p tcp -m multiport --dport 443 -j ACCEPT
#
#
# Jabber ports
$IPT -A INPUT -i $IFEXT -p tcp --dport 5222 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -p tcp --dport 5269 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -p tcp --dport 7777 -j ACCEPT
$IPT -A INPUT -i $IFEXT -p tcp -m tcp --dport 20 -j ACCEPT
$IPT -A INPUT -i $IFEXT -p tcp -m tcp --dport 21 -j ACCEPT
# Control panel
$IPT -A INPUT -i $IFEXT -p tcp -m tcp --dport 8081 -j ACCEPT
# Allow INPUT for Caixa Economica
$IPT -A INPUT -i $IFEXT -p all -s 200.201.174.207 -j ACCEPT
# Allow ICMP
$IPT -A INPUT -i $IFEXT -p icmp -j ACCEPT
# Enable log for INPUT and block
$IPT -A INPUT -i $IFEXT -p tcp -m state --state NEW,INVALID -j LOG --log-level 6 --log-prefix "INPUT: NEGADO-IFEXT"
$IPT -A INPUT -i $IFEXT -p tcp -m state --state NEW,INVALID -j DROP
#
# Internal interface (COMJOL LAN)
#-------------------------------
#
# Allow services for loopback
$IPT -A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
# Allow LAN for SAMBA (Downloads)
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp -m multiport --dport 139,445 -d $IPIFLAN1 -j ACCEPT
# Allow CPD IP / updates and the like
$IPT -A INPUT -s 192.168.0.13 -i $IFLAN1 -d $IPIFLAN1 -j ACCEPT
# Allow Suvinil IP (software update)
#$IPT -A INPUT -s 192.168.0.100 -i $IFLAN1 -p tcp -m multiport --dport 139,445 -d $IPIFLAN1 -j ACCEPT
# TCP/UDP ports (DNS)
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p udp --dport 53 -d $IPIFLAN1 -j ACCEPT
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p udp --sport 53 -d $IPIFLAN1 -j ACCEPT
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp --dport 53 -d $IPIFLAN1 -j ACCEPT
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp --sport 53 -d $IPIFLAN1 -j ACCEPT
# TCP ports (SQUID,SSH,HTTP,WEBMIN)
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp -m multiport --dport 631,904,3128,7070,2022,22,3000,3001,8081,10000 -d $IPIFLAN1 -j ACCEPT
# mysql replication
$IPT -A INPUT -s 192.168.0.2/32 -i $IFLAN1 -p tcp --dport 3306 -j ACCEPT
# Allow Jabber
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp -m multiport --dport 9090,10015,5222,5223,5269,7777 -d $IPIFLAN1 -j ACCEPT
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp -m tcp --dport 7777 -j ACCEPT
#
# Allow ICMP
$IPT -A INPUT -i $IFLAN1 -p icmp -j ACCEPT
# Enable log for INPUT and block
$IPT -A INPUT -i $IFLAN1 -d $IPIFLAN1 -p tcp -m state --state NEW,INVALID -j LOG --log-level 6 --log-prefix "INPUT: NEGADO-IFLAN1"
$IPT -A INPUT -i $IFLAN1 -d $IPIFLAN1 -p tcp -m state --state NEW,INVALID -j DROP
#
# Protection against SynFlood & port scanners
#-----------------------------------------
#
# SynFlood
$IPT -A INPUT -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Port scanners
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,SYN -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 15/m -j ACCEPT
#--------------------------------------------------------------------------------------------------
#
# FORWARD CHAIN
#
# FACEBOOK ALLOWED
#$IPT -I FORWARD -p tcp --dport 443 -s 192.168.0.13 -m string --string 'facebook' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --sport 443 -s 192.168.0.13 -m string --string 'facebook' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --dport 443 -s 192.168.0.13 -m string --string 'facebook.com' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --sport 443 -s 192.168.0.13 -m string --string 'facebook.com' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --dport 443 -s 192.168.0.13 -m string --string 'channel.facebook.com' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --sport 443 -s 192.168.0.13 -m string --string 'channel.facebook.com' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --dport 443 -s 192.168.0.13 -m string --string 'fbcdn-sphotos-g-a.akamaihd.net' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --sport 443 -s 192.168.0.13 -m string --string 'fbcdn-sphotos-g-a.akamaihd.net' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --dport 443 -s 192.168.0.13 -m string --string 'fbcdn.net' --algo bm -j ACCEPT
#$IPT -I FORWARD -p tcp --sport 443 -s 192.168.0.13 -m string --string 'fbcdn.net' --algo bm -j ACCEPT

# Block for P2P services
# (-I inserts at the top of the chain, so these sit ahead of every rule added with -A)
$IPT -I FORWARD -p tcp --dport 443 -m string --string 'facebook' --algo bm -j DROP
$IPT -I FORWARD -p tcp --sport 443 -m string --string 'facebook' --algo bm -j DROP
$IPT -I FORWARD -p tcp --dport 443 -m string --string 'facebook.com' --algo bm -j DROP
$IPT -I FORWARD -p tcp --sport 443 -m string --string 'facebook.com' --algo bm -j DROP
$IPT -I FORWARD -p tcp --dport 443 -m string --string 'channel.facebook.com' --algo bm -j DROP
$IPT -I FORWARD -p tcp --sport 443 -m string --string 'channel.facebook.com' --algo bm -j DROP
$IPT -I FORWARD -p tcp --dport 443 -m string --string 'fbcdn-sphotos-g-a.akamaihd.net' --algo bm -j DROP
$IPT -I FORWARD -p tcp --sport 443 -m string --string 'fbcdn-sphotos-g-a.akamaihd.net' --algo bm -j DROP
$IPT -I FORWARD -p tcp --dport 443 -m string --string 'fbcdn.net' --algo bm -j DROP
$IPT -I FORWARD -p tcp --sport 443 -m string --string 'fbcdn.net' --algo bm -j DROP
$IPT -A FORWARD -i $IFLAN1 -d 192.168.0.0/24 -m string --algo bm --string "facebook.com" -j LOG --log-prefix " acesso facebook: " --log-level alert
# Blocking NAPSTER
$IPT -A FORWARD -d 64.124.41.0/24 -j DROP
# Blocking IMESH
$IPT -A FORWARD -d 216.35.208.0/24 -j DROP
# Blocking Bearshare
$IPT -A FORWARD -p tcp --dport 6346 -j DROP
# Blocking WinMX
$IPT -A FORWARD -d 209.61.186.0/24 -j DROP
$IPT -A FORWARD -d 64.49.201.0/24 -j DROP
# Blocking Napigator
$IPT -A FORWARD -d 209.25.178.0/24 -j DROP
# Blocking Morpheus
$IPT -A FORWARD -d 206.142.53.0/24 -j DROP
$IPT -A FORWARD -p tcp --dport 1214 -j DROP
# Blocking KaZaa
$IPT -A FORWARD -d 213.248.112.0/24 -j DROP
$IPT -A FORWARD -p tcp --dport 1214 -j DROP
# Blocking Limewire
$IPT -A FORWARD -p tcp --dport 6346 -j DROP
# Blocking Audiogalax
$IPT -A FORWARD -d 64.245.58.0/23 -j DROP
# Blocking ICQ
$IPT -A FORWARD -p tcp --dport 5190 -j DROP
$IPT -A FORWARD -d login.icq.com -j DROP
# Blocking Yahoo Messenger
$IPT -A FORWARD -d scsa.yahoo.com -j DROP
# Blocking AIM
$IPT -A FORWARD -p tcp --dport 5190 -j DROP
$IPT -A FORWARD -d login.oscar.aol.com -j DROP
$IPT -A FORWARD -p tcp --dport 6667 -j DROP
$IPT -A FORWARD -p tcp --dport 6668 -j DROP
# MSN Messenger
$IPT -A FORWARD -d gateway.messenger.hotmail.com -j DROP
$IPT -A FORWARD -d 64.4.13.0/24 -j DROP
$IPT -A FORWARD -p tcp --dport 1863 -j DROP
# Protect NAT
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
#
# Allow LAN FORWARD (ADMINISTRATIVE)
#-------------------------------------
#
# Allow Sergio/Jose machine (Management)
# Allow NTP - Brazilian time server
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d a.ntp.br -j ACCEPT
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 187.84.229.94 -j ACCEPT
#_Allow access to PepLINK
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 10.2.2.1/32 -j ACCEPT
#_Allow WTS-REPLICADOR server / Palms
$IPT -A FORWARD -s 192.168.0.3 -i $IFLAN1 -o $IFEXT -j ACCEPT
#$IPT -A FORWARD -s 192.168.0.6 -i $IFLAN1 -o $IFEXT -j ACCEPT
$IPT -A FORWARD -s 192.168.0.9 -i $IFLAN1 -o $IFEXT -j ACCEPT
#_Allow Orion server (CentOS)
#$IPT -A FORWARD -s 192.168.0.10 -i $IFLAN1 -o $IFEXT -j ACCEPT
#CPD
$IPT -A FORWARD -s 192.168.0.13 -i $IFLAN1 -o $IFEXT -j ACCEPT
#_Allow Caixa Economica
#$IPT -A FORWARD -s 192.168.0.174 -i $IFLAN1 -o $IFEXT -j ACCEPT
# Central WEB
$IPT -A FORWARD -s 192.168.0.240 -i $IFLAN1 -o $IFEXT -j ACCEPT
# Regina (Android)
$IPT -A FORWARD -s 192.168.0.145 -i $IFLAN1 -o $IFEXT -j ACCEPT
$IPT -A FORWARD -s 192.168.0.157 -i $IFLAN1 -o $IFEXT -j ACCEPT
$IPT -A FORWARD -s 192.168.0.158 -i $IFLAN1 -o $IFEXT -j ACCEPT
$IPT -A FORWARD -s 192.168.0.4 -i $IFLAN1 -o $IFEXT -j ACCEPT
# Allow AD
#$IPT -A FORWARD -s 192.168.0.254 -i $IFLAN1 -o $IFEXT -j ACCEPT
# HTTPS 443 ports (DNS)
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -p udp -m multiport --dport 443 -j ACCEPT
# Allow DVR IPs, 172 network
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 172.16.1.245/32 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 172.16.1.246/32 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 172.16.1.247/32 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 172.16.1.254/32 -j ACCEPT
# Allow Comjol domain
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.comjol.com.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d mail.comjol.com.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d hospedainterativa.com.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d web02.hospedainterativa.com.br -j ACCEPT
# Branches NO-IP
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 187.60.78.76/32 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d comjolpmcabo.no-ip.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d comjolzncabo.no-ip.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d comjolpbvelox.no-ip.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d comjolpbcabo.no-ip.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d comjolparncabo.no-ip.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d comjolbr.no-ip.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d dvrpm.zapto.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d dvrzn.zapto.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d dvrpb.zapto.org -j ACCEPT
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d comjoldist.no-ip.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d planc.portalfornecedor.sienge.com.br -j ACCEPT
#_Allow Unicanet
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.unicanet.com.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d ftp.unicanet.com.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d unicanet.no-ip.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d smtp.unicanet.com.br -j ACCEPT
# Sefaz Virtual NFE
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.sefazvirtual.fazenda.gov.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d nfe.sefazvirtual.rs.gov.br -j ACCEPT
# ReceitaNET
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 200.198.239.21/32 -j ACCEPT
# COMJOL STREAM - RADIO
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.exemplo.com.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d streaming15.hstbr.net -j ACCEPT
# SelfColor
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d wsselfcolor.suvinil.com.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d wsportal.suvinil.com.br -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d tempuri.org -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 141.6.3.124 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d serverloft.com -j ACCEPT
# EXAMPLE
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.exemplo.com.br -j ACCEPT
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.exemplo.com.br -j ACCEPT
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.exemplo.com.br -j ACCEPT
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.exemplo.com.br -j ACCEPT
# Sefaz Virtual (change routing to velox)
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o eth1 -d www.sefazvirtual.fazenda.gov.br -j ACCEPT
#_Allow unicanet smtp (Herkmann)
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d smtp150.kinghost.net -j ACCEPT
# Allow Receita (www.receita.fazenda.gov.br)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 161.148.231.100 -j ACCEPT
# Allow SPC (Credit Protection Service)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.spc.com.br -j ACCEPT
#_Allow for external sales
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d planc.portalfornecedor.sienge.com.br -j ACCEPT
#_Allow Banco Itau
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d www.itau.com.br -j ACCEPT
# Allow Polibras
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 201.12.23.139 -j ACCEPT
# Allow CAT - Caixa Economica
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d cafe.dataprev.gov.br -j ACCEPT
# FortBrasil card
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d slfortbrasil.conductor.com.br -j ACCEPT
# MSE update
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d mscrl.microsoft.com -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d crl.microsoft.com -j ACCEPT
# Allow Cheque Caixa program (chequecaixa.caixa.gov.br)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 200.201.169.67 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 200.198.232.62 -j ACCEPT
#_Allow ICP conectividade social
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 200.201.173.82 -j ACCEPT
# Allow trampolim da vitoria (natalcard)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 00083.transdatasmart.com.br -j ACCEPT
# Allow the whole network to reach BR
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -d 189.89.69.50 -j ACCEPT
# Allow Radar (security)
#$IPT -A FORWARD -s 192.168.0.5/32 -i $IFLAN1 -o $IFEXT -d 200.253.243.136 -j ACCEPT
# TCP ports (FTP,HTTP,HTTPS)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -p tcp -m multiport --dport 20,21,80,82,443,5017,8081,100,110,113,8080 -j ACCEPT
#$IPT -A FORWARD -s 192.168.0.150/32 -i $IFLAN1 -o $IFEXT -p udp -m multiport --dport 27396,27078,4569,5004,5017,5060 -j ACCEPT
#
# GOVERNMENT SOFTWARE
#---------------------
#
# Allow SITEF (credit cards)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d 172.30.96.231/32 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d 201.24.110.100/32 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d escolta1.gsurfnet.com -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d 187.103.187.100/32 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d 187.103.187.105/32 -j ACCEPT
# SEMUT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d directa.natal.rn.gov.br -j ACCEPT
# Fortebrasil
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d 200.178.19.116 -j ACCEPT
# CONECTIVIDADE SOCIAL
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 2631 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d 200.201.174.0/24 -j ACCEPT
# RECEITANET
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 3456 -j ACCEPT
# DMS
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 2021 -j ACCEPT
# CAGEDNET
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 2500 -j ACCEPT
# GIMNET
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 1023 -j ACCEPT
# SIGAT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 1030 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 7778 -j ACCEPT
# CEF
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 2004 -j ACCEPT
# SINTEGRA
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 8017 -j ACCEPT
# RAIS
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 4449 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p udp --dport 4449 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --sport 4449 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p udp --sport 4449 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 3007 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p udp --dport 3007 -j ACCEPT
#CPD
$IPT -A FORWARD -s 192.168.0.13 -i $IFLAN1 -p udp --dport 443 -j ACCEPT

# Sigat
#$IPT -A FORWARD -s 192.168.0.106 -i $IFLAN1 -p udp --dport 7778 -j ACCEPT
#$IPT -A FORWARD -s 192.168.0.106 -i $IFLAN1 -p tcp --dport 7778 -j ACCEPT
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 8443 -j ACCEPT
# High ports
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 1024: -j ACCEPT
#$IPT -A FORWARD -d $LAN1 -i $IFEXT -p tcp --dport 1024: -j ACCEPT
#
# Allow ICMP
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p icmp -j ACCEPT
# Enable log for FORWARD and block (LAN)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp -m state --state NEW,INVALID -j LOG --log-level 6 --log-prefix "FORWARD: NEGADO-IFLAN1"
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp -m state --state NEW,INVALID -j DROP
#
# Protection against Synflood & port scanners
#-----------------------------------------
#
# Synflood
$IPT -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Port scanners
$IPT -A FORWARD -p tcp -m limit --limit 15/m -j ACCEPT
#--------------------------------------------------------------------------------------------------
#
######################## NAT Table Rules ###########################
#
# POSTROUTING CHAIN
#
#_Allow WTS-REPLICADOR server / webservice
#$IPT -t nat -A POSTROUTING -s 192.168.0.4 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.0.9 -o $IFEXT -j MASQUERADE
#_Allow Orion server (CentOS)
$IPT -t nat -A POSTROUTING -s 192.168.0.10 -o $IFEXT -j MASQUERADE
#CD test
$IPT -t nat -A POSTROUTING -s 192.168.0.13 -o $IFEXT -j MASQUERADE
# Allow Sitef server
#$IPT -t nat -A POSTROUTING -s 192.168.0.6 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.0.2 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d www.hipercard.com.br -o $IFEXT -j MASQUERADE
# ALLOW ADDRESSES FOR GOVERNMENT SOFTWARE (Conectividade Social)
$IPT -t nat -A POSTROUTING -s $LAN1 -d cmt.caixa.gov.br -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d 200.201.174.0/24 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d 200.201.173.68 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d 200.201.173.82 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d 200.201.174.204 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d 200.201.166.200 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d 200.201.174.207 -o $IFEXT -j MASQUERADE
# Allow NFE
$IPT -t nat -A POSTROUTING -s $LAN1 -d www.sefazvirtual.fazenda.gov.br -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d ccd.serpro.gov.br -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d www.nfe.fazenda.gov.br -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d www.receita.fazenda.gov.br -o $IFEXT -j MASQUERADE
# EXAMPLE
#$IPT -t nat -A POSTROUTING -s $LAN1 -d www.exemplo.com.br -o $IFEXT -j MASQUERADE
#$IPT -t nat -A POSTROUTING -s $LAN1 -d www.exemplo.com.br -o $IFEXT -j MASQUERADE
#$IPT -t nat -A POSTROUTING -s $LAN1 -d www.exemplo.com.br -o $IFEXT -j MASQUERADE
#$IPT -t nat -A POSTROUTING -s $LAN1 -d www.exemplo.com.br -o $IFEXT -j MASQUERADE
#$IPT -t nat -A POSTROUTING -s $LAN1 -d www.exemplo.com.br -o $IFEXT -j MASQUERADE
# Trampolincard (transit cards)
#$IPT -t nat -A POSTROUTING -s $LAN1 -d transdatasmart.com.br -o $IFEXT -j MASQUERADE
# Cheque Caixa
$IPT -t nat -A POSTROUTING -s 192.168.0.68/32 -d chequecaixa.caixa.gov.br -o $IFEXT -j MASQUERADE
#$IPT -t nat -A POSTROUTING -s 192.168.0.177/32 -d 0/0 -o $IFEXT -j MASQUERADE
# test
$IPT -t nat -A POSTROUTING -s $LAN1 -d 172.16.1.254/32 -o $IFEXT -j MASQUERADE
# Enable log for POSTROUTING port 80 and block (LAN PB)
#$IPT -t nat -A POSTROUTING -s $LAN1 -o $IFEXT -p tcp --dport 80 -j LOG --log-prefix "POSTROUTING: HTTP-NEGADO"
#$IPT -t nat -A POSTROUTING -s $LAN1 -o $IFEXT -p tcp --dport 80 -j DROP
# Enable SNAT
# SNAT LAN1
$IPT -t nat -A POSTROUTING -s $LAN1 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.3.0/24 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.2.0/24 -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 10.10.1.10 -o $IFEXT -j MASQUERADE
#
# PREROUTING CHAIN
#
# Allow Conectividade Social
$IPT -t nat -A PREROUTING -s $LAN1 -i $IFLAN1 -d 200.201.174.0/24 -p tcp --dport 80 -j RETURN
$IPT -t nat -A PREROUTING -s $LAN1 -i $IFLAN1 -d 201.12.23.139/32 -p tcp --dport 80 -j RETURN
$IPT -t nat -A PREROUTING -s $LAN1 -i $IFLAN1 -d 200.201.166.200/32 -p tcp --dport 80 -j RETURN
$IPT -t nat -A PREROUTING -s $LAN1 -i $IFLAN1 -d 200.201.174.204 -p tcp --dport 2631 -j ACCEPT
# Transparent proxy with Squid
#$IPT -t nat -A PREROUTING -s $LAN1 -i $IFLAN1 -p tcp --dport 80 ! -d 201.12.23.139/32 -j REDIRECT --to-port 3128
$IPT -t nat -A PREROUTING -s $LAN1 -i $IFLAN1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#
#####################
# REDIRECTS         #
#####################
#
# PPTP-VPN-TEF
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 1723 -j DNAT --to 192.168.0.3
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 113 -j DNAT --to 192.168.0.3
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p gre -j DNAT --to 192.168.0.3
# PCANYWHERE
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 5631 -j DNAT --to 192.168.0.3
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 5632 -j DNAT --to 192.168.0.3
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p udp --dport 5631 -j DNAT --to 192.168.0.3
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p udp --dport 5632 -j DNAT --to 192.168.0.3
# WTS (Windows Terminal Service)
#_WTS Orion replicator server (VirtualBox on the DB host) (Pepo)
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 33891 -j DNAT --to 192.168.0.14:3389
#_WTS Orion server (Unica)
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 33890 -j DNAT --to 192.168.0.3:3389
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 2014 -j DNAT --to 192.168.0.10:22
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 3389 -j DNAT --to 192.168.0.3
# WEB-SERVICE server
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 8888 -j DNAT --to 192.168.0.240:80
#_SSH_Web_Service
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 2222 -j DNAT --to 192.168.0.4:22
# EDRV cameras
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 8099 -j DNAT --to 192.168.0.245:80
# FTP - internal server for service providers (Unicanet, Horacerta, Fortes)
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 20 -j DNAT --to 192.168.0.5
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 21 -j DNAT --to 192.168.0.5
#$IPT -t nat -A PREROUTING -s 189.124.194.255 -i $IFEXT -p tcp --dport 3050 -j DNAT --to 192.168.0.16
# Regina
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 5900 -j DNAT --to 192.168.0.3
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 8888 -j DNAT --to 192.168.0.240:80
# SSH CENTOS (Palms)
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 2222 -j DNAT --to 192.168.0.4:22
#_WEBSERVICE redirect
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 8087 -j DNAT --to 192.168.0.4:80
# QSEE camera redirect (DVR)
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 8099 -j DNAT --to 192.168.0.245:80
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 6036 -j DNAT --to 192.168.0.245:6036
# DVR _ NEW
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 15961 -j DNAT --to 192.168.0.245:15961
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 15962 -j DNAT --to 192.168.0.246:15962
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p udp --dport 15961 -j DNAT --to 192.168.0.246:15961
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p udp --dport 8200 -j DNAT --to 192.168.0.246:8200
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 8200 -j DNAT --to 192.168.0.246:8200
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 3500 -j DNAT --to 192.168.0.50:80
# PC camera redirect (Geovision)
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 3500 -j DNAT --to 192.168.0.50:80
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 80 -j DNAT --to 192.168.0.50
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 3500 -j DNAT --to 192.168.0.50:80
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 3550 -j DNAT --to 192.168.0.50:3550
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 3650 -j DNAT --to 192.168.0.50:3650
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 4550 -j DNAT --to 192.168.0.50:4550
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p udp --dport 4550 -j DNAT --to 192.168.0.50:4550
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 5550 -j DNAT --to 192.168.0.50:5550
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p udp --dport 5550 -j DNAT --to 192.168.0.50:5550
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 6550 -j DNAT --to 192.168.0.50:6550
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p udp --dport 6550 -j DNAT --to 192.168.0.50:6550
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 2000 -j DNAT --to 192.168.0.50
# VNC TEF server
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 2555 -j DNAT --to 192.168.0.16:22
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 53 -j DNAT --to 192.168.0.223
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 53 -j DNAT --to 192.168.0.227
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 53 -j DNAT --to 192.168.0.227
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 53 -j DNAT --to 192.168.0.2
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p udp --dport 53 -j DNAT --to 192.168.0.2
#$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 80 -j DNAT --to 192.168.0.2
#
######################## Mangle Table Rules #########################
#
# OUTPUT CHAIN
#
# Minimum delay for Internet services (Minimize-Delay)
$IPT -t mangle -A OUTPUT -o $IFEXT -p tcp --dport 21 -j TOS --set-tos 0x10
$IPT -t mangle -A OUTPUT -o $IFEXT -p tcp --dport 80 -j TOS --set-tos 0x10
$IPT -t mangle -A OUTPUT -o $IFEXT -p udp --dport 53 -j TOS --set-tos 0x10
# Maximum processing
$IPT -t mangle -A OUTPUT -o $IFEXT -p tcp --dport 20:21 -j TOS --set-tos 0x8
#------------------------------------------------------------------------
echo "Firewall ativado..."
# END
#/etc/rc.local



  


2. Re: Really Stuck...

Andre Ribeiro da Costa
andr3ribeiro

(uses Arch Linux)

Sent on 08/01/2015 - 15:42h

iptables -A FORWARD -s 192.168.0.13 -j ACCEPT
iptables -A FORWARD -d 192.168.0.13 -j ACCEPT
These rules will allow everything. But you have to put them first, because iptables reads the rules from top to bottom and, if it finds a conflict, the first of the two (or more) conflicting rules is the one that counts.


Buckminster's words in the thread:

http://www.vivaolinux.com.br/topico/Squid-Iptables/Formas-de-liberar-portas-por-IP


3. Nothing, man

claudio daniel da silva araujo
claudio_Daniel23

(uses Debian)

Sent on 08/01/2015 - 16:52h

I ran the test you suggested and nothing... did you read my firewall?
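An added example, not part of the thread: a small POSIX sh model of iptables rule ordering that replays the rules from the first post's script that decide what happens to 192.168.0.13 (the facebook DROPs added with -I, the per-host ACCEPT, the LOG/DROP tail and the REDIRECT to squid), appends the rule from reply 2, and then shows where a per-host exception has to sit for first-match evaluation to reach it. The function names (ipt, first_match, show_chain, build_as_in_thread, apply_exception) are this example's own; the model records only -s (one host or a /24), --dport, --string, -j and the LOG target, ignores every other option, and so evaluates new connections only.

```shell
#!/bin/sh
# Model of iptables rule ordering (example code, not from the thread). Each chain is a
# file with one rule per line; -A appends and -I inserts at position 1 (or the given
# position), exactly as iptables does while the script runs. Only -s (host or /24),
# --dport, --string and -j are recorded; -i, -o, -p, -m state, --algo and the rest are
# ignored, so the model answers for NEW connections only.
CHAINS=$(mktemp -d)
trap 'rm -rf "$CHAINS"' EXIT

# ipt [-t table] -A CHAIN rule...   |   ipt [-t table] -I CHAIN [pos] rule...
ipt() {
  if [ "$1" = -t ]; then shift 2; fi      # the table name does not affect ordering
  op=$1; f="$CHAINS/$2"; shift 2
  [ -f "$f" ] || : > "$f"
  pos=1
  if [ "$op" = -I ]; then case $1 in [0-9]*) pos=$1; shift ;; esac; fi
  src='*'; dport='*'; str='*'; target=''
  while [ $# -gt 0 ]; do
    case $1 in
      -s)       src=$2;    shift ;;
      --dport)  dport=$2;  shift ;;
      --string) str=$2;    shift ;;
      -j)       target=$2; shift ;;
    esac
    shift
  done
  rule="$src $dport $str $target"
  if [ "$op" = -A ]; then
    printf '%s\n' "$rule" >> "$f"
  else
    awk -v p="$pos" -v r="$rule" 'NR==p{print r} {print} END{if (NR<p) print r}' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
  fi
}

# first_match CHAIN SRC DPORT PAYLOAD -> target of the first matching rule, prefixed with
# "LOG," when a LOG rule was passed on the way (LOG does not stop evaluation), else POLICY
first_match() {
  awk -v s="$2" -v d="$3" -v p="$4" '
    function src_ok(r,  n) {
      if (r == "*" || r == s) return 1
      if (r ~ "/24$") { n = r; sub("[0-9]+/24$", "", n); return index(s, n) == 1 }
      return 0
    }
    function port_ok(r,  a, i) {
      if (r == "*") return 1
      split(r, a, ","); for (i in a) if (a[i] == d) return 1
      return 0
    }
    src_ok($1) && port_ok($2) && ($3 == "*" || index(p, $3) > 0) {
      if ($4 == "LOG") { logged = 1; next }
      out = (logged ? "LOG," : "") $4; print out; hit = 1; exit
    }
    END { if (!hit) print "POLICY" }' "$CHAINS/$1"
}

# show_chain CHAIN -> the chain with positions, like `iptables -L CHAIN --line-numbers`
show_chain() { awk '{ print NR ": " $0 }' "$CHAINS/$1"; }

# Replays, in script order, the first post's rules that decide 192.168.0.13's fate
# (eth1 is $IFLAN1 and eth0 is $IFEXT there), then appends reply 2's first rule.
build_as_in_thread() {
  rm -f "$CHAINS"/*
  LAN1=192.168.0.0/24
  # written with -I, so it lands at the top no matter where it sits in the script
  ipt -I FORWARD -p tcp --dport 443 -m string --string facebook --algo bm -j DROP
  # CPD host allowed outbound, the LAN multiport rule, then the LOG+DROP tail
  ipt -A FORWARD -s 192.168.0.13 -i eth1 -o eth0 -j ACCEPT
  ipt -A FORWARD -s $LAN1 -i eth1 -o eth0 -p tcp -m multiport --dport 20,21,80,443 -j ACCEPT
  ipt -A FORWARD -s $LAN1 -i eth1 -p tcp -m state --state NEW,INVALID -j LOG --log-prefix "FORWARD: NEGADO-IFLAN1"
  ipt -A FORWARD -s $LAN1 -i eth1 -p tcp -m state --state NEW,INVALID -j DROP
  # reply 2's rule: an -A rule goes after everything already in the chain
  ipt -A FORWARD -s 192.168.0.13 -j ACCEPT
  # transparent proxy: port-80 traffic of every LAN host, 192.168.0.13 included, goes to squid
  ipt -t nat -A PREROUTING -s $LAN1 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
}

# The exception in the two places first-match evaluation actually reaches it: position 1
# of FORWARD, ahead of the -I DROPs, and ahead of the REDIRECT in nat PREROUTING (RETURN
# is what the script itself uses there to keep a destination away from squid).
apply_exception() {
  ipt -I FORWARD 1 -s 192.168.0.13 -i eth1 -j ACCEPT
  ipt -t nat -I PREROUTING 1 -s 192.168.0.13 -i eth1 -p tcp --dport 80 -j RETURN
}

build_as_in_thread
echo "before: 192.168.0.13 -> 443 'facebook' : $(first_match FORWARD 192.168.0.13 443 facebook)"
echo "before: 192.168.0.13 -> 80             : $(first_match PREROUTING 192.168.0.13 80 '')"
echo "before: 192.168.0.50 -> 8443           : $(first_match FORWARD 192.168.0.50 8443 '')"
apply_exception
echo "after : 192.168.0.13 -> 443 'facebook' : $(first_match FORWARD 192.168.0.13 443 facebook)"
echo "after : 192.168.0.13 -> 80             : $(first_match PREROUTING 192.168.0.13 80 '')"
echo "after : 192.168.0.50 -> 443 'facebook' : $(first_match FORWARD 192.168.0.50 443 facebook)"
echo "FORWARD chain after the exception:"; show_chain FORWARD
```

On the real box the same ordering is visible with `iptables -L FORWARD -n --line-numbers` and `iptables -t nat -L PREROUTING -n --line-numbers`, which is the check to run before deciding a rule "does nothing".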
