Iptables
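#!/bin/sh
# Gateway firewall: flushes every table, loads the netfilter modules, turns on
# forwarding and then builds the NAT, INPUT and FORWARD rule sets.
#
# The IP_* placeholders below must be replaced with real addresses before use.
# Data files (whitespace-separated values, any number per line):
#   /etc/init.d/zimbra_ports  TCP ports DNATed from $IP_WEB to the Zimbra host
#   /etc/init.d/ips           internal hosts masqueraded on every port
#   /etc/init.d/ports         destination ports the whole $NTWRK may reach outside
# (keeping data lists under /etc/init.d is unusual; paths are left as the author had them)
#
# Run as root.  Only `set -u` is used: a failing modprobe of a legacy module
# name must not abort the script half-way through the ruleset, so no `set -e`.
set -u

# --- variables ---
# external side
IF_WEB="eth1"
IP_WEB="IP_externo"
# internal side
IF_INT="eth0"
IP_INT="IP_rede_interna"   # not referenced by any rule below
# sapl
IP_SAP="IP_sistema"        # not referenced by any rule below
# zimbra
IP_ZIM="IP_zimbra"
# internal network
NTWRK="10.0.0.0/24"
# iptables shortcut; `command -v` is POSIX, `which` is not, and a missing
# binary must stop the script instead of running rules through an empty $IPT
IPT=$(command -v iptables) || { echo "iptables not found in PATH" >&2; exit 1; }
# Source ranges that must never arrive on the external interface: the three
# RFC 1918 blocks (172.16.0.0/12 is the full block, the old /16 was only a
# slice of it) plus loopback.
BOGON_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# --- start from an empty ruleset in every table ---
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle

# --- module activation ---
# These are the legacy (ip_* / ipt_*) module names; on newer kernels the
# modules are autoloaded on first use, so a modprobe failure here is harmless.
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_MASQUERADE
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# --- kernel settings: internet sharing and basic hardening ---
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# kernel-side reverse-path check, complements the anti-spoofing rules below
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# --- default policies ---
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

###### NAT rules ######
# Zimbra: every listed TCP port on the external address is forwarded to the
# Zimbra host.  Word-splitting of the file contents is intentional.
for ZIMPORT in $(cat /etc/init.d/zimbra_ports); do
  $IPT -t nat -A PREROUTING -d $IP_WEB -p tcp --dport $ZIMPORT -j DNAT --to-destination $IP_ZIM:$ZIMPORT
done
# NOTE(review): SMTP runs over TCP; these two UDP DNATs are kept exactly as
# written but it is worth confirming they are really wanted.
$IPT -t nat -A PREROUTING -d $IP_WEB -p udp --dport 25 -j DNAT --to-destination $IP_ZIM:25
$IPT -t nat -A PREROUTING -d $IP_WEB -p udp --dport 26 -j DNAT --to-destination $IP_ZIM:26
# hosts allowed to reach the internet on any port
for IP in $(cat /etc/init.d/ips); do
  $IPT -t nat -A POSTROUTING -s $IP/32 -o $IF_WEB -j MASQUERADE
done
# masquerade general traffic from the whole network, on the listed ports only
for PORT in $(cat /etc/init.d/ports); do
  $IPT -t nat -A POSTROUTING -p tcp -s $NTWRK -o $IF_WEB --dport $PORT -j MASQUERADE
  $IPT -t nat -A POSTROUTING -p udp -s $NTWRK -o $IF_WEB --dport $PORT -j MASQUERADE
done
# Apache exception BEFORE the Squid redirect: iptables stops at the first
# matching rule, so a RETURN placed after the REDIRECT would never be reached.
$IPT -t nat -A PREROUTING -i $IF_INT -d $IP_WEB -p tcp --dport 80 -j RETURN
# transparent Squid for everything else on port 80 from the inside
$IPT -t nat -A PREROUTING -i $IF_INT -p tcp --dport 80 -j REDIRECT --to-port 3128

###### INPUT rules ######
# loopback
$IPT -A INPUT -i lo -j ACCEPT
# Anti-spoofing, placed before any ACCEPT so a spoofed source cannot match
# the DNS/SSH rules.  LOG must come before DROP: once a packet is dropped the
# LOG rule after it is dead code.  --log-prefix is limited to 29 characters,
# hence the short prefix.
for NET in $BOGON_NETS; do
  $IPT -A INPUT -i $IF_WEB -s $NET -m limit --limit 3/s -j LOG --log-level info --log-prefix "FW: spoof $NET --"
  $IPT -A INPUT -i $IF_WEB -s $NET -j DROP
done
# Replies to connections the firewall itself opened.  ipt_state is loaded
# above but was never used; without this rule every response packet hits
# the DROP policy.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
# dns -- NOTE(review): accepted on every interface, i.e. also from the
# internet; add `-i $IF_INT` unless this box is meant to serve DNS publicly
$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
# ssh -- NOTE(review): reachable from any interface/source; restrict with
# `-i $IF_INT` or `-s $NTWRK` if remote administration is not required
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# apache
$IPT -A INPUT -p tcp -d $IP_WEB --dport 80 -j ACCEPT
# NOTE(review): this opens the listed ports on the firewall itself towards
# the internet.  It is not needed for return traffic (the ESTABLISHED rule
# above handles that), so keep it only for services the firewall really hosts.
for PORT in $(cat /etc/init.d/ports); do
  $IPT -A INPUT -p tcp -i $IF_WEB --dport $PORT -j ACCEPT
  $IPT -A INPUT -p udp -i $IF_WEB --dport $PORT -j ACCEPT
done
# squid, internal network only
$IPT -A INPUT -p tcp -s $NTWRK --dport 3128 -j ACCEPT

###### FORWARD rules ######
# loopback (never forwarded in practice; kept as in the original)
$IPT -A FORWARD -i lo -j ACCEPT
# anti-spoofing on forwarded traffic as well
for NET in $BOGON_NETS; do
  $IPT -A FORWARD -i $IF_WEB -s $NET -j DROP
done
# Established flows.  This is what the original chain lacked: it accepted a
# rate-limited trickle of SYNs and dropped every following packet, which is
# why DNATed connections to Zimbra could not complete.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state INVALID -j DROP
# dns
$IPT -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp --dport 53 -j ACCEPT
# Synflood protection: excess SYNs are dropped (same 2/s budget as before),
# but a SYN within budget is handed back to the explicit rules below instead
# of being accepted unconditionally for any source and destination.
$IPT -N syn_flood
$IPT -A syn_flood -m limit --limit 2/s -j RETURN
$IPT -A syn_flood -j DROP
$IPT -A FORWARD -p tcp --syn -j syn_flood
# ping-of-death protection
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -i $IF_WEB -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# New outbound connections, mirroring the POSTROUTING masquerade rules above.
for IP in $(cat /etc/init.d/ips); do
  $IPT -A FORWARD -i $IF_INT -o $IF_WEB -s $IP/32 -m state --state NEW -j ACCEPT
done
for PORT in $(cat /etc/init.d/ports); do
  $IPT -A FORWARD -i $IF_INT -o $IF_WEB -s $NTWRK -p tcp --dport $PORT -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i $IF_INT -o $IF_WEB -s $NTWRK -p udp --dport $PORT -m state --state NEW -j ACCEPT
done
# Inbound to Zimbra: PREROUTING already rewrote the destination, so FORWARD
# sees $IP_ZIM.  No -i restriction so internal hosts using the external
# address keep working.
for ZIMPORT in $(cat /etc/init.d/zimbra_ports); do
  $IPT -A FORWARD -d $IP_ZIM -p tcp --dport $ZIMPORT -m state --state NEW -j ACCEPT
done

###### logging ######
# Everything that reaches the end of a chain (and will therefore hit the
# policy) is logged, rate-limited.
$IPT -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: INPUT --"
$IPT -A OUTPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: OUTPUT --"
$IPT -A FORWARD -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: FORWARD --"
$IPT -t nat -A PREROUTING -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: NAT [pre] --"
$IPT -t nat -A POSTROUTING -m limit --limit 3/m --limit-burst 3 -j LOG --log-level info --log-prefix "Firewall: NAT [post] --"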
Rodando esse script em uma VM, a velocidade de navegação, passando ou não pelo squid, é basicamente a mesma.
O problema mesmo é o acesso ao zimbra...