====== IPTables (FAQ) ======

===== Configurando firewall no Debian/Ubuntu =====

Criar arquivo ''/etc/iptables.rules'' e incluir as regras abaixo:

<code bash>
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections for script kiddies
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 22022 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
</code>

* O exemplo acima só libera **SSH**, **HTTP** e **HTTPS**, você pode adicionar outras portas logo abaixo das linhas que liberam as portas ''80'' e ''443''

Logo após crie o arquivo ''/etc/network/if-pre-up.d/iptables'' com o conteúdo descrito abaixo:
<code bash>
#!/bin/bash
iptables-restore < /etc/iptables.rules
</code>

Dê permissão de execução ao arquivo acima e o execute:
  # chmod +x /etc/network/if-pre-up.d/iptables
  # /etc/network/if-pre-up.d/iptables
  
No próximo boot, as regras de iptables serão aplicadas automaticamente.  
  
===== Configuração de NAT =====

  # echo 1 > /proc/sys/net/ipv4/ip_forward

**CentOS**

  # sysctl -w net.ipv4.ip_forward=1

Para persistir, edite ''/etc/sysctl.conf'':

  net.ipv4.ip_forward = 1

Use o comando abaixo para habilitar as alterações:

  # sysctl -p /etc/sysctl.conf

Roteamento da rede interna ''eth1'' para a ''eth0'':

  # /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  # /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  # /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

===== Fontes =====
  * http://www.revsys.com/writings/quicktips/nat.html
  * https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-firewall-ipt-fwd.html