[26] Comentário enviado por riccelli_reis em 02/06/2016 - 14:10h
[25] Comentário enviado por krytico em 01/06/2016 - 14:02h
Olá! Parabéns pelo trabalho e obrigado por ter compartilhado!
Estou começando a me aventurar com linux, trabalho há um certo tempo com informática e resolvi aprendera configurar servidores linux.
Fiz tudo conforme os passos, cuidando os ips etc, porém, quando chego na parte do firewall, depois q inicio ele, não consigo acessar mais o servidor pela rede(nem pingar no ip do servidor consigo) e acessando pelo servidor, também não consigo pingar para lugar algum. Saberia me dizer o quê estou fazendo de errado? Ja refiz, sem mentiras, 15x! Sempre formatando e começando do zero.
Desde já agradeço.
Opa! Obrigado pelo elogio, desculpa pela demora e vamos lá! Algumas pessoas fizeram contato relatando o mesmo problema. Antes de resolver, por favor, envie os resultados dos seguintes comandos:
# ifconfig
# route -n
# cat /etc/network/interfaces
# cat /etc/resolv.conf
# cat /etc/hosts
# cat /etc/init.d/firewall
# cat /etc/dhcp/dhcpd.conf
No aguardo...
Abraço.
Opa, desculpe a demora pra responder. Segue as configurações solicitadas
root@server:/etc/squid3# ifconfig
eth0 Link encap:Ethernet Endereço de HW 00:05:00:a0:32:ba
inet end.: 192.168.1.73 Bcast:192.168.1.255 Masc:255.255.255.0
endereço inet6: fe80::205:ff:fea0:32ba/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:209977 errors:0 dropped:0 overruns:0 frame:0
TX packets:126038 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:296591756 (282.8 MiB) TX bytes:11278443 (10.7 MiB)
eth1 Link encap:Ethernet Endereço de HW 00:1a:3f:7d:16:15
inet end.: 192.168.0.1 Bcast:192.168.255.255 Masc:255.255.0.0
UP BROADCASTMULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACKRUNNING MTU:65536 Métrica:1
RX packets:123 errors:0 dropped:0 overruns:0 frame:0
TX packets:123 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:0
RX bytes:26502 (25.8 KiB) TX bytes:26502 (25.8 KiB)
root@server:/etc/squid3# route -n
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
cat /etc/network/interfaces
root@server:/etc/squid3# cat /etc/network/interfaces
iface lo inet loopback
#Interface Internet
iface eth0 inet dhcp
#Interface Rede Local
iface eth1 inet static
address 192.168.0.1
netmask 255.255.0.0
broadcast 192.168.255.255
network 192.168.0.0
allow-hotplug eth0
allow-hotplug eth1
auto lo
auto eth0
auto eth1
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
#source /etc/network/interfaces.d/*
# The loopback network interface
#auto lo
#iface lo inet loopback
# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
cat /etc/resolv.conf
nameserver 192.168.1.1
# cat /etc/hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# cat /etc/init.d/firewall
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start Firewall at boot time
# Description: Enable service provided by Firewall Daemon.
### END INIT INFO
export TX="echo -e"
default(){
$TX ""
$TX ">>>>>>>>>>>>>>>>>> Iniciando Script de Firewall <<<<<<<<<<<<<<<<<< \n"
$TX "Exportar Variaveis................................................"
export IFNET=eth0
export IFLOC=eth1
export MP=/sbin/modprobe
export RMM="$(which rmmod)"
export IPT=/sbin/iptables
export SVC=/etc/init.d
export IP4=/proc/sys/net/ipv4
export IP4C=/proc/sys/net/ipv4/conf
export NETW=192.168.0.0/24
$TX ".................................................................. OK \n"
}
start() {
echo "Definir politicas padrao........................................."
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$TX ".................................................................. OK \n"
$TX "Desbloquear RP_Filter............................................."
if [ -e $IP4C/all/rp_filter ]; then
for f in $IP4C/*/rp_filter; do
$TX "0" > $f
done
fi
$TX ".................................................................. OK \n"
$TX "Bloquear tudo que for desnecessário............................"
$IPT -p tcp --dport 3128 -j DROP
$IPT -A INPUT -m iprange --src-range 192.168.1.1-192.168.255.254 -j DROP
$TX ".................................................................. OK \n"
$TX "Direcionar para Proxy-Cache......................................."
$IPT -t nat -A PREROUTING -i $IFLOC -s $NETW -p tcp --dport 80 -j REDIRECT --to-port 3180
$IPT -t nat -A PREROUTING -i $IFLOC -s $NETW -p tcp --dport 443 -j REDIRECT --to-port 31443
$TX ".................................................................. OK \n"
$TX "Compartilhar conexao.............................................."
$IPT -t nat -A POSTROUTING -o $IFNET -j MASQUERADE
if [ -e $IP4/ip_forward ]; then
$TX "1" > $IP4/ip_forward
else
$TX "Erro ao habilitar Forward!! Falha Grave no sistema................"
fi
$IPT -A FORWARD -s $NETW -j ACCEPT
$IPT -A FORWARD -d $NETW -j ACCEPT
$TX ".................................................................. OK \n"
$TX "Permitir Trafegos de entrada e Saida......................................"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s $NETW -j ACCEPT
$IPT -P OUTPUT -j ACCEPT
$TX ".................................................................. OK \n"
$TX " "
$TX ">>>>>>>>>>>>>>>>>>>>>> Firewall Iniciado!! <<<<<<<<<<<<<<<<<<<<<< \n"
}
stop(){
$TX "Limpar todas as regras de firewall..............................."
export IPT=/sbin/iptables
export SVC=/etc/init.d
$IPT -X
$IPT -F
# Zerar contadores
$IPT -Z
# Definir politicas padrao
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$TX ".................................................................. OK \n"
$TX "Desfazer Compartilhamento........................................."
# Desativar trafego entre as placas de rede
$TX 0 > $IP4/ip_forward
# Ativar rp_filter
if [ -e $IP4C/all/rp_filter ]; then
for f in $IP4C/*/rp_filter; do
$TX "1" > $f
done
# Reiniciar servico de rede
$SVC/networking restart
fi
$TX ".................................................................. OK \n"
$TX ">>>>>>>>>>>>>>>>>>>>>> Firewall Parado!!! <<<<<<<<<<<<<<<<<<<<<< \n"
}
case "$1" in
inicio) while true; do
default
break
done
;;
start) while true; do
default
start
break
done
;;
stop) while true; do
stop
break
done
;;
restart) while true; do
stop
default
start
break
done
;;
esac
exit 0
# cat /etc/dhcp/dhcpd.conf
#
# Sample configuration file for ISC dhcpd for Debian
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}