[FUGSPBR] IPFW+NAT+squid (--> help!!!)

Joao Paulo Marques Mattos jpmmattos em terra.com.br
Thu Aug 12 23:13:07 BRT 2004


Here is an example of a firewall with ipfw (FreeBSD 4.10) doing NAT only for
permitted IPs, with SQUID open for the rest.

[]'S

JP-UX

P.S.: This is an example!!! If you have any questions, ask!

--------------BEGIN--------------

#!/bin/sh
# Firewall rules (ipfw - IP firewall and traffic shaper control program)
# Written by: Joao Paulo Marques Mattos
# Date: 12/08/2004
#
# For this script to work, its location must be given in the
# "/etc/rc.conf" file: look for firewall_enable="YES"
# and insert on the next line: firewall_script="/etc/firewall/fwrules"

# define the firewall command (same as /etc/rc.firewall) to simplify
# references and make the rules easier to read.
fwcmd="/sbin/ipfw"

# define the external interface and its IP
exteth="fxp1"
extIP="200.200.200.200"

# define the internal interface
inteth="fxp0"

# define the trusted LANs
LanTrust1="192.168.1.0/24"
LanTrust2="192.168.2.0/24"
LanTrust3="192.168.3.0/24"
LanTrust4="192.168.4.0/24"

# define the IPs with access to NAT (everyone else goes through SQUID)
ACESSO_LIVRE="192.168.1.1 192.168.4.9 192.168.2.2 192.168.2.17 192.168.45.18 192.168.3.19"

# invalid networks blocked, RFCs 1045 1918 1192
NET_DENY_RFC="10.0.0.0/8 172.16.0.0/12 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

# force removal of the current rules before loading
$fwcmd -f flush

############################################################################
# ALLOW - allow all traffic from LanTrust3 to this server
############################################################################

$fwcmd add 1000 allow ip from $LanTrust3 to me
$fwcmd add 1000 allow ip from me to $LanTrust3

############################################################################
# BLOCKS - block all unauthorized traffic
############################################################################

# BLOCKING OF INVALID NETWORKS

if [ -n "$NET_DENY_RFC" ] ; then
        for DENY_RFC in $NET_DENY_RFC ; do
                $fwcmd add deny all from $DENY_RFC to any
                $fwcmd add deny all from any to $DENY_RFC
        done
fi

############################################################################
# Check all incoming traffic on the external interface...
# if it matches, jump to rule 50000
############################################################################

$fwcmd add skipto 50000 all from any to me in recv $exteth

############################################################################
# Filter and check all outgoing traffic and (with dynamic rules)
# all incoming traffic
############################################################################

# only the listed hosts get a keep-state entry and jump to the NAT rule
if [ -n "$ACESSO_LIVRE" ] ; then
        for MASQ in $ACESSO_LIVRE ; do
                $fwcmd add skipto 40000 tcp from $MASQ/32 to any out xmit $exteth keep-state
        done
fi

# INTERNAL POP
$fwcmd add skipto 40000 tcp from any to $extIP 110 out xmit $exteth keep-state
$fwcmd add skipto 40000 tcp from $extIP 110 to any out xmit $exteth keep-state

# INTERNAL SMTP
$fwcmd add skipto 40000 tcp from any to $extIP 25 out xmit $exteth keep-state
$fwcmd add skipto 40000 tcp from $extIP 25 to any out xmit $exteth keep-state

# INTERNAL HTTP
$fwcmd add skipto 40000 tcp from any to $extIP 80 out xmit $exteth keep-state
$fwcmd add skipto 40000 tcp from $extIP 80 to any out xmit $exteth keep-state

############################################################################
# allow all trusted connections - internal interface
############################################################################

# localhost
$fwcmd add allow ip from any to any via lo0

# ICMP allowed on the internal interface
$fwcmd add allow icmp from any to any via $inteth

# SSH allowed only on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 22 via $inteth
$fwcmd add allow tcp from any 22 to any 1024-65535 via $inteth

# SMTP allowed only on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 25 via $inteth
$fwcmd add allow tcp from any 25 to any 1024-65535 via $inteth

# DNS allowed on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 53 via $inteth
$fwcmd add allow tcp from any 53 to any 1024-65535 via $inteth
$fwcmd add allow udp from any 1024-65535 to any 53 via $inteth
$fwcmd add allow udp from any 53 to any 1024-65535 via $inteth
$fwcmd add allow udp from any 137 to any 53 via $inteth
$fwcmd add allow udp from any 53 to any 137 via $inteth

# HTTP allowed only on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 80 via $inteth
$fwcmd add allow tcp from any 80 to any 1024-65535 via $inteth

# POP allowed only on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 110 via $inteth
$fwcmd add allow tcp from any 110 to any 1024-65535 via $inteth

# IDENT allowed only on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 113 via $inteth
$fwcmd add allow tcp from any 113 to any 1024-65535 via $inteth

# SNMP allowed on the internal interface, internal IP
$fwcmd add allow udp from any 161 to me 1024-65535 via $inteth
$fwcmd add allow udp from me 1024-65535 to any 161 via $inteth

# HTTPS allowed only on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 443 via $inteth
$fwcmd add allow tcp from any 443 to any 1024-65535 via $inteth

# MSN allowed only on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 1863 via $inteth
$fwcmd add allow tcp from any 1863 to any 1024-65535 via $inteth
$fwcmd add allow udp from any 1024-65535 to any 7001 via $inteth

# SQUID allowed on the internal interface, internal IP
$fwcmd add allow tcp from any 1024-65535 to me 3128 via $inteth
$fwcmd add allow tcp from me 3128 to any 1024-65535 via $inteth

# ICQ allowed only on the internal interface
$fwcmd add allow tcp from any 1024-65535 to any 5190 via $inteth
$fwcmd add allow tcp from any 5190 to any 1024-65535 via $inteth

# connections initiated by the server
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth

# once a connection has been established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established

# ICMP (so ping and traceroute work)
$fwcmd add allow icmp from any to any

# Allow and log the rest of the internal interface traffic
$fwcmd add allow log ip from any to any via $inteth

# To make sure nothing that is not allowed gets through
$fwcmd add deny log ip from any to any

############################################################################
# Traffic only reaches these rules in two circumstances:
# 1) any outgoing packet that received the keep-state flag
# 2) any incoming packet that matches a dynamic rule
############################################################################

# NAT
$fwcmd add 40000 divert natd all from any to any out xmit $exteth

############################################################################
# allow all trusted connections
############################################################################

# Internal interface
$fwcmd add allow ip from any to any via $inteth

# connections initiated by the server
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth

# once a connection has been established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established

# ICMP (so ping and traceroute work)
$fwcmd add allow icmp from any to any

# DNS
$fwcmd add allow udp from any 53 to any 1024-65535 in via $exteth

# Allow everything else, with logging for debugging
$fwcmd add allow log all from any to any

# To make sure nothing that is not allowed gets through
$fwcmd add deny log all from any to any

############################################################################
# Only incoming traffic reaches these rules. We need to define what
# we want to accept or not. check-state will trigger the dynamic rule
# and jump to 40000
############################################################################

$fwcmd add 50000 divert natd all from any to any in recv $exteth
$fwcmd add check-state

# connections initiated by the server
$fwcmd add allow tcp from any to any out xmit $exteth setup
$fwcmd add allow udp from any to any out xmit $exteth

# once a connection has been established, allow it to stay open
$fwcmd add allow tcp from any to any via $exteth established

# TCP - SMTP, DNS, HTTP
$fwcmd add allow tcp from any to me 25 in recv $exteth
$fwcmd add allow tcp from any 25 to me 1024-65535 in recv $exteth
$fwcmd add allow tcp from any to any 53 in recv $exteth
$fwcmd add allow tcp from any 1024-65535 to me 80 in recv $exteth

# UDP - DNS
$fwcmd add allow udp from any 53 to any in
$fwcmd add allow udp from any to any 53 in

# ICMP (so ping and traceroute work)
$fwcmd add allow icmp from any to any

# reject the rest
$fwcmd add deny log all from any to any

--------------END--------------
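The script above relies on ipfw's first-match walk: a keep-state rule on the listed hosts jumps to the divert rule at 40000, incoming traffic on the external interface jumps to 50000, and check-state (placed after the inbound divert, so natd has already restored the private address) sends replies back to the 40000 block. The following is an added example, not the author's script and not ipfw itself: a toy model of that rule walk, covering only the options the script depends on (in/out, recv/xmit/via, setup/established, keep-state, check-state, skipto, divert). The rule numbers 100-900, 40200-40900 and 50100-50900, the subset of ACESSO_LIVRE, the unlisted host 192.168.1.50 and the web server 203.0.113.10 are all constructed for the example.

```python
# Added example: a toy model of ipfw's first-match rule walk, written to check
# the NAT-only-for-listed-hosts design of the script above. It is not the
# author's script and not ipfw; it models only the options the script relies
# on and uses constructed addresses and rule numbers.
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXT_IF, INT_IF = "fxp1", "fxp0"               # interface names as in the script
EXT_IP = "200.200.200.200"                    # the script's extIP; "me" resolves to it here
NAT_ALLOWED = ["192.168.1.1", "192.168.2.2"]  # subset of ACESSO_LIVRE (constructed)

@dataclass
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "in" or "out"
    iface: str
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    num: int
    action: str           # allow, deny, skipto, divert, check-state
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None   # None models "via" (either direction)
    iface: Optional[str] = None
    keep_state: bool = False
    setup: bool = False
    established: bool = False
    target: int = 0       # skipto destination

def in_net(addr, spec):
    if spec == "any":
        return True
    if spec == "me":
        return addr == EXT_IP
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return ((r.proto == "ip" or r.proto == p.proto)
            and in_net(p.src, r.src) and in_net(p.dst, r.dst)
            and (r.dport is None or p.dport == r.dport)
            and (r.direction is None or p.direction == r.direction)
            and (r.iface is None or p.iface == r.iface)
            and (not r.setup or (p.syn and not p.ack))
            and (not r.established or p.ack))

def flow_key(p):
    # direction-independent key, so the reply of a kept flow finds the same entry
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = {}    # flow key -> parent rule, created by keep-state
        self.nat = {}    # (ext ip, port) -> private address, stand-in for natd's table

    def translate(self, p):
        # stand-in for natd: outbound packets get the external address, replies get it back
        if p.direction == "out":
            self.nat[(EXT_IP, p.sport)] = p.src
            p.src = EXT_IP
        elif (p.dst, p.dport) in self.nat:
            p.dst = self.nat[(p.dst, p.dport)]

    def evaluate(self, p):
        """Walk the rules like ipfw: returns (verdict, matching rule number, was it diverted)."""
        i, natted = 0, False
        while i < len(self.rules):
            r = self.rules[i]
            if r.action == "check-state":
                r = self.dyn.get(flow_key(p))   # a dynamic match performs the parent rule's action
                if r is None:
                    i += 1
                    continue
            elif not matches(r, p):
                i += 1
                continue
            if r.keep_state:
                self.dyn[flow_key(p)] = r
            if r.action in ("allow", "deny"):
                return r.action, r.num, natted
            if r.action == "skipto":
                i = next((k for k, x in enumerate(self.rules) if x.num >= r.target),
                         len(self.rules))
                continue
            if r.action == "divert":              # natd rewrites and reinjects at the next rule
                natted = True
                self.translate(p)
            i += 1
        return "deny", 65535, natted              # ipfw's default rule

RULES = [
    Rule(100, "deny", src="10.0.0.0/8"),                        # one NET_DENY_RFC entry
    Rule(200, "skipto", dst="me", direction="in", iface=EXT_IF, target=50000),
] + [
    Rule(300, "skipto", proto="tcp", src=h + "/32", direction="out", iface=EXT_IF,
         keep_state=True, target=40000) for h in NAT_ALLOWED    # the ACESSO_LIVRE loop
] + [
    Rule(400, "allow", proto="tcp", dport=80, iface=INT_IF),    # "HTTP ... via $inteth"
    Rule(500, "allow", proto="tcp", direction="out", iface=EXT_IF, setup=True),
    Rule(600, "allow", proto="tcp", iface=EXT_IF, established=True),
    Rule(900, "deny"),
    Rule(40000, "divert", direction="out", iface=EXT_IF),
    Rule(40200, "allow", proto="tcp", direction="out", iface=EXT_IF, setup=True),
    Rule(40300, "allow", proto="tcp", iface=EXT_IF, established=True),
    Rule(40900, "deny"),
    Rule(50000, "divert", direction="in", iface=EXT_IF),
    Rule(50100, "check-state"),
    Rule(50200, "allow", proto="tcp", dst="me", dport=25, direction="in", iface=EXT_IF),
    Rule(50900, "deny"),
]

def walk_demo():
    """Three constructed packets: a listed host, an unlisted host, and the reply to the first."""
    fw = Firewall(RULES)
    listed = Pkt("tcp", "192.168.1.1", 40000, "203.0.113.10", 80, "out", EXT_IF, syn=True)
    unlisted = Pkt("tcp", "192.168.1.50", 40001, "203.0.113.10", 80, "out", EXT_IF, syn=True)
    reply = Pkt("tcp", "203.0.113.10", 80, EXT_IP, 40000, "in", EXT_IF, syn=True, ack=True)
    return {name: fw.evaluate(p) for name, p in
            (("listed", listed), ("unlisted", unlisted), ("reply", reply))}

if __name__ == "__main__":
    for name, (verdict, num, natted) in walk_demo().items():
        print(f"{name:9s} -> {verdict} at rule {num}, {'via natd' if natted else 'not NATed'}")
```

Run as is, the model reports the listed host's SYN reaching the 40000 block through natd, its reply coming back via check-state into the same block, and the unlisted host's SYN being accepted by the generic "setup" rule on the external interface without passing through the divert. That last path is the one to look at when deciding whether the ruleset matches the stated intent, since a forwarded packet with an untranslated private source is allowed out by that rule; on the real box, `ipfw show` (rule counters) after a test connection from an unlisted host tells you which rule actually matched.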

_______________________________________________________________
To send a new email to the list: fugspbr em fugspbr.org
Leave the list: http://lists.fugspbr.org/listinfo.cgi
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
