Simple: create a file called rc.firewall (the standard name);
in this file put all the rules, plus a command to disable everything and then enable it again, then call it from your rc.local; when you need a change, edit only rc.firewall and run it as usual. Below is a basic example of rc.firewall.

Rogério R. Araújo
Telecommunications and Networks Manager
S.O Comércio e Serviços Ltda
[EMAIL PROTECTED]
(98) 232 8126
Linux User #235776

#!/bin/sh
# ELO Firewall v.1.1.4b - Firewall, transparent proxy and Masquerading utility
# Description: This is the script I use in almost all my customers for
# firewalling packets. In almost all situations, they have a local network
# with no routed IP address, a firewall box using Linux with 2 network
# adapters and a dedicated connection to an ISP.
# Author: Luciano Lima - [EMAIL PROTECTED]
#
#   Inside network
#   using non routed                 Firewall with 2 or more
#   IP addresses                     network adapters
#   +--+   +--+                      +--+                 +--+
#   |  |   |  |            intip1    |  |                 |  |
#   +--+   +--+               +--|   |                    +--+
#   /##/   /##/               |      +--+                 /##/
#     |      |                |        |                    |
#   +--------+--------+       |        +------------> Internet
#   localnet1 /               |      extip / outside network
#   inside network            |
#                             |intip2
#                  +--------+-----------+
#                  |        |
#                +--+     +--+
#                |  |     |  |   Localnet2 /
#                +--+     +--+   inside network
#                /##/     /##/
#
# Remember to compile the kernel with the options:
#   Network Options /
#     Network firewall
#     Socket filtering
#     IP firewalling
#     IP transparent proxy support (if you need it)
#     IP Masquerading
#
# compile kernel: make dep clean bzlilo modules modules_install
# This script will load all common masquerade modules compiled
# with the kernel

#=======================================#
# Enter your internal network addresses
# You can enter more than one localnet if you have
# Ex: LOCALNET="192.168.0.0/255.255.255.0"
LOCALNET="100.100.1.0/255.255.255.0"

# External IP address
# Ex: 130.161.2.32/32
EXTIP="200.xxx.xxx.xxx/32"
#=======================================#

LH="127.0.0.1/255.255.255.255"
HIPORTS="1024:65535"

# Define which machines you want to have access granted to anywhere
# You can put as many hosts as you want, separated by space.
# Uncomment if you need it.
SECHOSTS="200.xxx.xxx.xxx/32 200.xxx.xxx.180/32"

# Which ports to deny with no log generated.
# Basically you need this when you don't want to have your syslog full due to
# a deny that is not important. For example: if you don't use samba or any
# netbios packet through the firewall, uncomment the two lines:
#TCP_DENY_NOLOG="137 138 139"
#UDP_DENY_NOLOG="137 138 139"

# Ping - Accept only traceroute packets
# If you want to enable ping from anywhere, comment this line
#ICMP="destination-unreachable time-exceeded echo-reply"

# List all tcp and udp ports to be accepted from outside network
# separated by space. See the ports list in /etc/services.
TCP_INPUT_FROMOUTSIDE="ssh auth ftp ftp-data domain smtp pop-3 www"
UDP_INPUT_FROMOUTSIDE="ssh domain pop-3 www snmp snmp-trap"

# List all tcp and udp ports to be accepted from inside network
TCP_INPUT_FROMINSIDE="ssh auth domain 3128 pop-3 smtp ftp ftp-data 137 138 139"
UDP_INPUT_FROMINSIDE="ssh domain 3128 pop-3 137 138 139"

# List outside ports to be accessed. Any ports needed to be accessed from
# the server or from any inside station to outside network. You don't need
# to add the ports that will be masqueraded, the script will do it for you.
#
# If you want to accept all packets to high ports, include 1024:65535. Doing
# this you would enable BO and many other dangerous packets from inside
# to outside network.
# It's recommended that you examine all the needs of the internal network and
# accept only those ports.
#
TCP_OUT="auth https domain www ftp ftp-data telnet smtp whois pop-3 nntp"
UDP_OUT="domain www https pop-3 snmp snmp-trap"

# List the ports to be redirected. I always need it to make transparent
# proxy using SQUID. Remember to change the squid.conf properly to make
# transparent proxying.
# See: http://www.squid-cache.org/Doc/FAQ/FAQ.html
# If you want to do it, uncomment the lines below and remove "www" from
# TCP_MASQ and UDP_MASQ in the next section.
TCP_TRANSPARENT="www"
UDP_TRANSPARENT="www"
REDIRECT_PORT="3128"

# List all tcp and udp ports to be masqueraded
# All ports like irc, icq, etc. must be explicitly included here. Otherwise
# a workstation with a non routed IP address will not work.
# Consult /etc/services if you need to insert the port name.
#
# All ip_masq_... modules compiled with the kernel will be automatically
# loaded by the script
TCP_MASQ="26 246 81 pop-3 auth smtp telnet nntp https ftp ftp-data 137 138 139 1024:65535"
UDP_MASQ="domain pop-3 https 137 138 139 1024:65535"

# That's all you have to change. Normally you don't need to change the lines below.
# If you have some comments, please send them to:
# [EMAIL PROTECTED]
#
# Thanks.
#===================================================

# Flush every chain, then rebuild the whole rule set from scratch
ipchains -F

# Site-specific host rules (addresses masked with xxx in the posted copy)
ipchains -A input -s xxx.xxx.1.200/32 -d 0/0 -j ACCEPT
ipchains -A input -s xxx.xxx.1.1/32 -d 0/0 -j ACCEPT
ipchains -A input -s xxx.xxx.2.254/32 -d 0/0 -j ACCEPT
ipchains -A input -s xxx.xxx.3.254/32 -d 0/0 -j ACCEPT
ipchains -A input -s xxx.xxx.4.254/32 -d 0/0 -j ACCEPT
#ipchains -A input -s 192.168.0.200/32 -d 0/0 -j ACCEPT
#ipchains -A input -s 192.168.0.5/24 -d 192.168.0.1/32 -j ACCEPT
ipchains -A forward -s xxx.xxx.1.200/32 -d 0/0 -j MASQ
ipchains -A forward -s 200.xxx.xxx.107/32 -d xxx.xxx.1.1/32 -j MASQ
ipchains -A forward -p tcp -d 200.xxx.xxx.106/32 -j MASQ

#===========#
# I N P U T #
#===========#

# Loopback traffic is always accepted
ipchains -A input -s $LH -d $LH -j ACCEPT

# Silent denies: no -l here, otherwise these rules would log exactly the
# noise they exist to suppress
if [ -n "$TCP_DENY_NOLOG" ] ; then
    for I in $TCP_DENY_NOLOG; do
        ipchains -A input -p tcp -s 0/0 -d 0/0 $I -j DENY
    done
fi

if [ -n "$UDP_DENY_NOLOG" ] ; then
    for I in $UDP_DENY_NOLOG; do
        ipchains -A input -p udp -s 0/0 -d 0/0 $I -j DENY
    done
fi

# Transparent proxy: redirect inside traffic to these ports to $REDIRECT_PORT
if [ -n "$TCP_TRANSPARENT" ] ; then
    for I in $TCP_TRANSPARENT ; do
        for K in $LOCALNET ; do
            ipchains -A input -p tcp -s "$K" -d 0/0 $I -j REDIRECT $REDIRECT_PORT
        done
    done
fi

if [ -n "$UDP_TRANSPARENT" ] ; then
    for I in $UDP_TRANSPARENT ; do
        for K in $LOCALNET ; do
            ipchains -A input -p udp -s "$K" -d 0/0 $I -j REDIRECT $REDIRECT_PORT
        done
    done
fi

#=========#
# P I N G #
#=========#

# With $ICMP set, only the listed ICMP types reach $EXTIP and everything
# else ICMP is denied and logged; with it unset, all ICMP is accepted
if [ -n "$ICMP" ] ; then
    for I in $ICMP; do
        ipchains -A input -p icmp -s 0/0 $I -d $EXTIP -j ACCEPT
    done
    ipchains -A input -p icmp -s 0/0 -d 0/0 -j DENY -l
else
    ipchains -A input -p icmp -s 0/0 -d 0/0 -j ACCEPT
fi

# Services offered to the outside world
if [ -n "$TCP_INPUT_FROMOUTSIDE" ] ; then
    for I in $TCP_INPUT_FROMOUTSIDE; do
        ipchains -A input -p tcp -s 0/0 -d $EXTIP $I -j ACCEPT
    done
fi

# Services offered to the inside network, then deny (and log) the rest of
# the inside-to-firewall TCP traffic
if [ -n "$TCP_INPUT_FROMINSIDE" ] ; then
    for I in $TCP_INPUT_FROMINSIDE; do
        for K in $LOCALNET ; do
            ipchains -A input -p tcp -s $K -d $K $I -j ACCEPT
        done
    done
    for K in $LOCALNET ; do
        ipchains -A input -p tcp -s $K -d $K -j DENY -l
    done
fi

# Replies to outbound connections: ipchains is stateless, so this accepts any
# packet whose source port is the service and whose destination is a high port
if [ -n "$TCP_OUT" ] ; then
    for I in $TCP_OUT; do
        ipchains -A input -p tcp -s 0/0 $I -d $EXTIP $HIPORTS -j ACCEPT
    done
fi

# Trusted hosts may reach anything
if [ -n "$SECHOSTS" ] ; then
    for I in $SECHOSTS; do
        ipchains -A input -s $I -d 0/0 -j ACCEPT
    done
fi

if [ -n "$UDP_INPUT_FROMOUTSIDE" ] ; then
    for I in $UDP_INPUT_FROMOUTSIDE; do
        ipchains -A input -p udp -s 0/0 -d $EXTIP $I -j ACCEPT
    done
fi

if [ -n "$UDP_INPUT_FROMINSIDE" ] ; then
    for I in $UDP_INPUT_FROMINSIDE; do
        for K in $LOCALNET ; do
            ipchains -A input -p udp -s $K -d $K $I -j ACCEPT
        done
    done
    for K in $LOCALNET ; do
        ipchains -A input -p udp -s $K -d $K -j DENY -l
    done
fi

if [ -n "$UDP_OUT" ] ; then
    for I in $UDP_OUT; do
        ipchains -A input -p udp -s 0/0 $I -d $EXTIP $HIPORTS -j ACCEPT
    done
fi

#============#
# Masquerade #
#============#

# Accept the masqueraded ports from inside on the input chain, and their
# replies from outside to high ports on $EXTIP
if [ -n "$TCP_MASQ" ] ; then
    for I in $TCP_MASQ; do
        for K in $LOCALNET ; do
            ipchains -A input -p tcp -s $K -d 0/0 $I -j ACCEPT
        done
        ipchains -A input -p tcp -s 0/0 $I -d $EXTIP $HIPORTS -j ACCEPT
    done
fi

if [ -n "$UDP_MASQ" ] ; then
    for I in $UDP_MASQ; do
        for K in $LOCALNET ; do
            ipchains -A input -p udp -s $K -d 0/0 $I -j ACCEPT
        done
        ipchains -A input -p udp -s 0/0 $I -d $EXTIP $HIPORTS -j ACCEPT
    done
fi

#if [ -n "$TCP_MASQ" ] ; then
#    modprobe ip_masq_irc
#    modprobe ip_masq_raudio
#    modprobe ip_masq_cuseem
#    modprobe ip_masq_vdolive
#    modprobe ip_masq_ftp
#    modprobe ip_masq_quake
#    modprobe ip_masq_user
#fi

#===============#
# DENY THE REST #
#===============#
ipchains -A input -s 0/0 -d 0/0 -j DENY -l

#===============#
# F O R W A R D #
#===============#

# Forwarding must be enabled (here or in the network init scripts), or the
# MASQ rules below never see a packet
#echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Masquerade
#
if [ -n "$TCP_MASQ" ] ; then
    for I in $TCP_MASQ; do
        for K in $LOCALNET ; do
            ipchains -A forward -p tcp -s $K -d 0/0 $I -j MASQ
        done
    done
fi

if [ -n "$UDP_MASQ" ] ; then
    for I in $UDP_MASQ; do
        for K in $LOCALNET ; do
            ipchains -A forward -p udp -s $K -d 0/0 $I -j MASQ
        done
    done
fi

for I in $SECHOSTS; do
    ipchains -A forward -s $I -d 0/0 -j ACCEPT
done

# Deny all other forwards
#
ipchains -A forward -s 0/0 -d 0/0 -j DENY -l

#=============#
# O U T P U T #
#=============#
ipchains -P output ACCEPT

Subscribers as of 23/02/2002: 2249
Messages received since 07/01/1999: 155872
History and [un]subscription: http://linux-br.conectiva.com.br
Administrative matters and problems with the list: mailto:[EMAIL PROTECTED]
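As an added example (not from the post above or from the ELO Firewall script), a small wrapper in the same variable-driven style that prints every ipchains rule it would install, so the whole rule set can be reviewed or diffed against the previous one before it is applied, and only executes ipchains when RUN=yes. The fw, build_rules, count_rules and last_rule_is_deny names, the port lists and the 203.0.113.10 address are constructed for the example. It also puts `! -y` on the reply rules for outbound connections, which the posted script does not do: that flag makes a rule match only packets that are not bare SYNs, so a packet with source port 80 cannot open a new connection to a high port on the firewall.

```shell
#!/bin/sh
# Added example, not part of the original post: build an ipchains rule set from
# port-list variables and print it for review; execute only when RUN=yes.
# All addresses and port lists below are constructed for the example.

LOCALNET="192.168.0.0/255.255.255.0"
EXTIP="203.0.113.10/32"           # constructed, documentation-range address
HIPORTS="1024:65535"
TCP_INPUT_FROMOUTSIDE="ssh smtp www"
TCP_OUT="domain www https"

# fw: print the rule exactly as it would be run; run it only when RUN=yes
fw() {
    echo "ipchains $*"
    if [ "${RUN:-no}" = "yes" ]; then
        ipchains "$@"
    fi
}

# build_rules: emit the rule set to stdout in the order it would be applied
build_rules() {
    fw -F
    fw -A input -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    for I in $TCP_INPUT_FROMOUTSIDE; do
        fw -A input -p tcp -s 0/0 -d "$EXTIP" "$I" -j ACCEPT
    done
    for I in $TCP_OUT; do
        # replies to outbound connections: source port is the service, and
        # "! -y" excludes packets that are only SYN, so an outsider cannot
        # open a new connection to a high port merely by using that source port
        fw -A input -p tcp ! -y -s 0/0 "$I" -d "$EXTIP" "$HIPORTS" -j ACCEPT
    done
    # catch-all: must stay the last input rule
    fw -A input -s 0/0 -d 0/0 -j DENY -l
}

# count_rules: number of rules that would be appended (the flush is not a rule)
count_rules() {
    build_rules | grep -c -- ' -A '
}

# last_rule_is_deny: succeed only if the catch-all DENY is the final rule
last_rule_is_deny() {
    build_rules | tail -n 1 | grep -q -- '-s 0/0 -d 0/0 -j DENY'
}

# Print the rule set for review (nothing is installed unless RUN=yes)
build_rules
```

Run it once without RUN to read the generated rules, keep that output next to the previous version, and only then run it with RUN=yes; the two check functions are the kind of assertion that catches a rule set where a late edit landed after the catch-all deny.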
