michelrbc
(usa Red Hat)
Enviado em 18/02/2010 - 09:30h
Bom dia pessoal, estou com o seguinte problema e não consigo localizar minha falha.
Possuo um link dedicado telefônica e está na eth1. Minha rede local está na ETH2.
Tenho um redirecionamento de porta para um servidor IIS, porém quando acesso de dentro da rede, coloco o endereço dele e acesso sem problemas. Se estiver fora da rede e acessar pelo endereço sistema.xxx.com.br também consigo acessar sem problemas, porém se estiver dentro da rede e tentar acessar o endereço sistema.xxx.com.br não tenho acesso.
Estou resolvendo o endereço normalmente, mas não consigo exibir no navegador. Se utilzar o ultrasuf a página abre.
Gostaria de um auxílio, pois necessito de uma solução com urgência.
Segue regras do meu firewall para que possam analisar.
Desde já agradeço a atenção
#################################################################
touch /var/lock/subsys/local
###########################
##### Carrega regras de firewall
###########################
echo "Carregando regras de firewall....."
# Limpa as regras do IPTABLES
iptables -X
iptables -F
iptables -t nat -F
#==========================PROTECOES=============================
#Contra pactoes danificados ou suspeitos
iptables -A FORWARD -m unclean -j DROP
#Contra Ping
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
#Contra Ping da Morte
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Contra ataque SMURF
iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
#Contra Ataques SYN-FLOOD
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
#Contra Scanners avancados (namp)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_conntrack
#### Habilitando o NAT - compartilhamento de internet
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.0.0/24 -j MASQUERADE
iptables -A INPUT -p tcp -i eth1 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth2 --dport 80 -j ACCEPT
#Redireciona WeBERP
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.15:80
# Redireciona acesso remoto para Servidor ERP - SQL
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 32000 -j DNAT --to 192.168.0.11:1433
iptables -t nat -A PREROUTING -p udp -i eth1 --dport 32000 -j DNAT --to 192.168.0.11:1433
# Redireciona acesso remoto para Servidor Domínio
iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.10:3389
iptables -t nat -I PREROUTING -p udp --dport 3389 -j DNAT --to-destination 192.168.0.10:3389
# Redireciona acesso remoto para Servidor de Câmeras
iptables -t nat -I PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.64:80
iptables -t nat -I PREROUTING -p udp --dport 8080 -j DNAT --to-destination 192.168.0.64:80
iptables -t nat -I PREROUTING -p tcp --dport 4550 -j DNAT --to-destination 192.168.0.64:4550
iptables -t nat -I PREROUTING -p udp --dport 4550 -j DNAT --to-destination 192.168.0.64:4550
iptables -t nat -I PREROUTING -p tcp --dport 5550 -j DNAT --to-destination 192.168.0.64:5550
iptables -t nat -I PREROUTING -p udp --dport 5550 -j DNAT --to-destination 192.168.0.64:5550
# Aceita conexões da Conectividade Social
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.173.68 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.166.200 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.174.204 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.174.207 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 200.201.173.68 -j SNAT --to 187.9.15.34
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 200.201.166.200 -j SNAT --to 187.9.15.34
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 200.201.174.204 -j SNAT --to 187.9.15.34
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 200.201.174.207 -j SNAT --to 187.9.15.34
iptables -A FORWARD -s 192.168.0.0/24 -d obsupgdp.caixa.gov.br -j ACCEPT
iptables -A FORWARD -s obsupgdp.caixa.gov.br -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d cmt.caixa.gov.br -j ACCEPT
iptables -A FORWARD -s cmt.caixa.gov.br -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 200.201.174.207 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 200.201.174.204 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.160/20 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.201.173.68 -j ACCEPT
#BLOQUEAR ACESSO AO ORKUT POR HTTPS
iptables -t filter -A INPUT -d 216.239.51.85 -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d 216.239.51.85 -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d 216.239.51.85 -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d 216.239.37.85 -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d 216.239.37.85 -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d 216.239.37.85 -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d images.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d images.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d images.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d
www.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d
www.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d
www.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d orkut.com -p tcp --dport 433 -j DROP
iptables -t filter -A OUTPUT -d orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d orkut.com -p tcp --dport 443 -j DROP
#LIBERAR MSN
#Essa regra libera host especifico ao acesso
#alessandra
iptables -A FORWARD -s 192.168.0.101 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.101 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.101 -d config.messenger.msn.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.101 -d gateway.messenger.hotmail.com -j ACCEPT
iptables -A FORWARD -s 192.168.0.101 -d gw.msnmessenger.akadns.net -j ACCEPT
# Esta regra bloqueia qualquer host da rede ao conectar no MSN:
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5223 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d config.messenger.msn.com -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d messenger.msn.com -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d 200.46.110.0/24 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d 64.4.13.0/24 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d messenger.msn.ca -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d webmessenger.msn.com -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d c.msn.com -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d tkfiles.storage.msn.com -j REJECT
iptables -A filter -d gateway.messenger.hotmail.com -j REJECT
iptables -A filter -d gw.msnmessenger.akadns.net -j REJECT
iptables -t filter -A INPUT -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
iptables -t filter -A OUPUT -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d urs.microsoft.com -p tcp --dport 443 -j DROP
iptables -t filter -A OUPUT -d urs.microsoft.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d urs.microsoft.com -p tcp --dport 443 -j DROP