Iptables mais louco que o Batman [RESOLVIDO]
1. Iptables mais louco que o Batman [RESOLVIDO]
wiliampegoraro
(usa Outra)
Enviado em 15/08/2014 - 11:35h
Bom dia, nesta não tão animada sexta-feira pra mim, estou com um problema estranho, e não consigo encontrar uma solução.Distribuição: Debian 6
Internet: eth0
Lan: eth1
Quando eu paro meu iptables (/etc/init.d/firewall stop) INTERNET FUNCIONA
Quando eu inicio meu firewall (/etc/init.d/firewall start) INTERNET NÃO FUNCIONA
Segue meu iptables !!!!!!
#!/bin/sh
#ip-guardian
echo ""
uname -s -r -m -o
echo ""
echo " FIREWALL RAFITEC -- Firewall Iptables"
echo ""
firewall_start(){
echo ""
echo " Iniciando as Regras do Firewall .............................................."
echo ""
echo " Definindo Politica Padrao ...................................................."
echo ""
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo " Limpando as Regras Anteriores ......................................... [ OK ]"
echo ""
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F
echo " Ativando o Proxy Transparente SQUID ................................... [ OK ]"
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo " Ativando o IP forward ................................................. [ OK ]"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " Protegendo contra Pings ( ignorando ) ................................. [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo " Protegendo contra IP spoofing ......................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo " Protegendo contra diversos ataques .................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo " Protegendo contra bogus responses ..................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo " Protegendo contra IP synflood ......................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo " Protegendo contra ICMP Broadcasting ................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " Protegendo contra alteracao de rota ................................... [ OK ]"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo " Protegendo contra Pings da Morte ...................................... [ OK ]"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo " Protegendo contra traceroute .......................................... [ OK ]"
iptables -A INPUT -p udp --dport 33435:33525 -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
echo " Protegendo contra portscanners, ping of death, ataques DoS, etc. ...... [ OK ]"
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -m state --state INVALID -j DROP
echo " Compartilhando a internet via IPTABLES .................................[ OK ]"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo " Redirecionando portas DNS e NTP para o SQUID .......................... [ OK ]"
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 53 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 123 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo " Liberando conexao SSH ..................................................[ OK ] "
iptables -A INPUT -p tcp -m tcp --dport 22 -i eth0 -j ACCEPT
echo " Fechando portas UDP 1:1024 ............................................ [ OK ]"
iptables -A INPUT -p udp --dport 1:1024 -j LOG --log-prefix "_BLOCKED_UDP_: "
iptables -A INPUT -p udp --dport 1:1024 -j DROP
echo " Permitindo apenas respostas a conexoes iniciadas pela maquina ......... [ OK ]"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo " Liberando a interface de loopback ..................................... [ OK ]"
iptables -A INPUT -i lo -j ACCEPT
echo " Bloqueando qualquer conexao que nao tenha sido permitida acima ........ [ OK ]"
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -p tcp --syn -j DROP
echo " Firewall em operacao .................................................. [ OK ]"
sleep 1
}
firewall_stop(){
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}
case "$1" in
"start")
firewall_start
;;
"stop")
firewall_stop
echo " Desativando todas as Regras do Firewall ................................ [ OK ]"
echo " firewall disabled "
sleep 1
;;
status)
echo -e " ============================== Table Filter ============================ ";
iptables -t filter -L -n
echo -e " ============================== Table Nat ============================= ";
iptables -t nat -L -n
echo -e " ============================== Table Mangle =========================== ";
iptables -t mangle -L -n
echo -e " ============================== Table Raw ============================ ";
iptables -t raw -L -n
;;
"restart")
echo " Reativando todas as Regras do Firewall ................................ [ OK ]"
sleep 1
firewall_stop; firewall_start
;;
*)
iptables -L -n
esac