- eth0 (dhcp - acesso a internet)
- eth1 (10.0.0.1 - rede local)
Crie o arquivo /etc/init.d/firewall com o seguinte conteúdo:
#!/bin/bash
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
IPT=/sbin/iptables
INICIAR (){
# Politica padrao
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -p ALL -j ACCEPT
$IPT -A INPUT -i eth1 -p ALL -j ACCEPT
# Acesso a internet
#$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# liberacao da porta 80 (HTTP)
$IPT -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -s 0/0 -d 192.168.0.0/24 --sport 80 -j ACCEPT
# liberacao da porta 443 (HTTPS)
$IPT -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 443 -j ACCEPT
$IPT -A FORWARD -p tcp -s 0/0 -d 192.168.0.0/24 --sport 443 -j ACCEPT
# liberacao da porta 53 (DNS)
$IPT -A FORWARD -p udp -s 192.168.0.0/24 -d 0/0 --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp -s 0/0 -d 192.168.0.0/24 --sport 53 -j ACCEPT
# liberacao do ping (ICMP)
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A FORWARD -p icmp -s 192.168.0.0/24 -d 0/0 --icmp-type 8 -j ACCEPT
$IPT -A FORWARD -p icmp -s 0/0 -d 192.168.0.0/24 --icmp-type 0 -j ACCEPT
# liberacao da porta 8080 (TOMCAT)
$IPT -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 8080 -j ACCEPT
$IPT -A FORWARD -p tcp -s 0/0 -d 192.168.0.0/24 --sport 8080 -j ACCEPT
}
PARAR (){
$IPT -F
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -F -t nat
}
case "$1" in
start)
echo "Iniciando Firewall"
INICIAR
sleep 1
;;
stop)
echo "Desativando Firewall"
PARAR
sleep 1
;;
restart)
echo "Desativando Firewall"
PARAR
sleep 1
echo "Iniciando Firewall"
INICIAR
sleep 1
;;
*)
echo "start|stop|restart"
exit 1
esac
exit 0
Salve o conteúdo e execute os seguintes comando:
chmod 755 /etc/init.d/firewall
update-rc.d firewall defaults
/etc/init.d/firewall start
