otoni.sm
(usa Ubuntu)
Enviado em 29/12/2010 - 20:26h
Olá galera, boa noite!
Instalei o samba e configurei no modo PDC e coloquei uma maquina windows XP em dominio, tudo funcionando beleza, porém ao rodar um script de firewall não esta sendo possivel mais salvar as alterações feitas em qualquer perfil que eu venha a logar nessa maquina. Quando eu limpo as regras de firewall volta a funcionar normalmente...
Os script de firewall não foi criado por mim, apenas fiz modificações para se adaptar a minha rede, não sei muita coisa ainda de iptables, mas estou estudando. Gostaria de solicatar ao senhores uma ajuda para descobrir que regra esta bloqueando as portas do SAMBA.
obs.: as linhas comentadas foi as regras que tentei adicionar para liberar cominicação do SAMBA
segue abaixo o script e desde já agradeço!
#!/bin/bash
#Descripiton: Firewall
#
#chkconfig: 2345 98 30
#processname: firewall
#
# Declarando Variaveis
PATH=/sbin:/bin:/usr/sbin:/usr/bin
IPTABLES="/sbin/iptables"
PROGRAMA="/etc/init.d/firewall"
# Interfaces de Rede
WAN=eth0
LAN=eth1
REDE="192.168.99.0/24"
# Declarando Variaveis de Cores
COLLOR=";tput sgr0"
AZUL="{TEXTO}33[01;34m"
VERDE="{TEXTO}33[01;32m"
VERMELHO="{TEXTO}33[01;31m"
AMARELO="{TEXTO}33[01;33m"
PRETO="{TEXTO}33[01;38m"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_state
/sbin/modprobe ipt_multiport
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_tos
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_MARK
/sbin/modprobe ip_gre
case "$1" in
start)
echo -e "$AZUL"
echo ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
echo "| Script de Firewall - IPTABLES |"
echo "| Modificado por: Otoniel S. Martins |"
echo "| Membro da comunidade Viva o Linux |"
echo "| Técnico em Informática |"
echo "| otoni.sm@hotmail.com |"
echo "| uso: firewall start|stop|restart |"
echo ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
echo -e "$VERDE"
echo ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
echo "| |"
echo "| INICIANDO CONFIGURACOES DO FIREWALL COM IPTABLES |"
echo "| |"
echo ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
echo -e $AMARELO
echo -e "LIMPANDO REGRAS DE FIREWALL [$VERDE OK $AMARELO]"
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t mangle -F
$IPTABLES -t nat -F
$IPTABLES -X
echo -e "MUDANDO REGRA PADRAO DO IPTABLES [$VERDE OK $AMARELO]"
# Tabela filter
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Tabela nat
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
# Tabela mangle
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
echo -e "ATIVANDO ROTEAMENTO DO FIREWALL [$VERDE OK $AMARELO]"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo -e "ATIVANDO RELATED E ESTABILISHED [$VERDE OK $AMARELO]"
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
echo -e "ATIVANDO FLUXO INTERNO ENTRE PACOTES [$VERDE OK $AMARELO]"
$IPTABLES -A INPUT -m state -i lo --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state -o lo --state NEW -j ACCEPT
echo -e "ATIVANDO FLUXO DE ICMP INTERNO E EXTERNO [$VERDE OK $AMARELO]"
$IPTABLES -I INPUT -p icmp -j ACCEPT
#echo -e "LIBERANDO PORTAS DE COMUNICACAO DO SAMBA # [$VERDE OK $AMARELO]"
#$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
echo -e "ATIVANDO BLOQUEIO DE PING DA MORTE [$VERDE OK $AMARELO]"
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
$IPTABLES -N PING-MORTE
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j PING-MORTE
$IPTABLES -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A PING-MORTE -j DROP
echo -e "ATIVANDO BLOQUEIO DE ATAQUES SSH DE FORCA BRUTA [$VERDE OK $AMARELO]"
$IPTABLES -N SSH-BRUT-FORCE
$IPTABLES -A INPUT -i $WAN -p tcp --dport 22 -j SSH-BRUT-FORCE
$IPTABLES -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SSH-BRUT-FORCE -j DROP
echo -e "ATIVANDO BLOQUEIO DE ANTI-SPOOFINGS [$VERDE OK $AMARELO]"
$IPTABLES -A INPUT -s 10.0.0.0/8 -i $WAN -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -i $WAN -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -i $WAN -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -i $WAN -j DROP
echo -e "APLICANDO REGRAS INPUT/OUTPUT [$VERDE OK $AMARELO]"
# Porta No-Ip
$IPTABLES -A OUTPUT -p tcp -m state -s 0/0 --dport 8245 --state NEW -j ACCEPT
#PING
$IPTABLES -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
#DNS
$IPTABLES -A INPUT -p udp -m state -i $LAN --dport 53 --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m state -o $WAN --dport 53 --state NEW -j ACCEPT
#SSH
$IPTABLES -A INPUT -s $REDE -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m state -s $REDE --dport 22 --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state -s 201.65.227.146 -i $WAN --dport 22 --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state -i ! $WAN --dport 22 --state NEW -j ACCEPT
#WINS
$IPTABLES -A INPUT -p tcp -m state -i $LAN --dport 1512 --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -m state -i $LAN --dport 1512 --state NEW -j ACCEPT
#SQUID
$IPTABLES -A INPUT -p tcp -m state -m multiport -i $LAN --dport 3128 --state NEW -j ACCEPT
#MULTIPORTAS
$IPTABLES -A INPUT -p tcp -m state --sport 443 --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m state -m multiport --dport 21,25,53,67,80,110,143,443,465,587,8017,8080,4455 --state NEW -j ACCEPT
#PORTA 80 DO FIREWALL
$IPTABLES -A INPUT -p tcp -m state --dport 80 --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state -i $LAN --dport 6891:6900 --state NEW -j ACCEPT
#echo -e "APLICANDO PORTA DO WEBMIN [$VERDE OK $AMARELO]"
$IPTABLES -A INPUT -p tcp -m state -s $REDE -i $LAN --dport 10000 --state NEW -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m state -s 201.65.227.146 -i $WAN --dport 10000 --state NEW -j ACCEPT
echo -e "APLICANDO REGRAS DA VPN [$VERDE OK $AMARELO]"
$IPTABLES -A INPUT -p tcp -m tcp -m multiport -m state -i $WAN --ports 1723 --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -i $LAN -s 0/0 -d 0/0 -p 43 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -s 0/0 -d 0/0 -p 43 -j ACCEPT
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A FORWARD -p 47 -j ACCEPT
$IPTABLES -A FORWARD -p 43 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -m multiport -s $REDE -o $WAN --dports 1723 --state NEW -j ACCEPT
echo -e "ATIVANDO LOG INPUT/OUTPUT [$VERDE OK $AMARELO]"
$IPTABLES -A INPUT -j LOG --log-prefix "BLOCKED - IN:"
$IPTABLES -A OUTPUT -j LOG --log-prefix "BLOCKED - OUT:"
echo -e "APLICANDO REGRAS PARA CADEIA FORWARD [$VERDE OK $AMARELO]"
$IPTABLES -A FORWARD -p tcp -m state -s $REDE -d 192.168.99.1 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -m multiport -s $REDE -o $WAN --dports 21,25,110,143,443,587,990,8017,8090,8080 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -m multiport -s $REDE -o $WAN --dports 139,445,631,3001:3003,3389,33274,7123,4455 --state NEW -j ACCEPT
#Liberando DNS
$IPTABLES -A FORWARD -p udp -i $LAN --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m state -s $REDE -d 0/0 --state NEW --dport 53 -j ACCEPT
#Liberando Portas 25/110 POP/SMTP
$IPTABLES -A FORWARD -i $LAN -o $WAN -p tcp --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WAN -p tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -o $LAN -i $WAN -p tcp --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -o $LAN -i $WAN -p tcp --sport 110 -j ACCEPT
#Liberando Conectividade Social CEF
$IPTABLES -A FORWARD -p tcp -m state -d 200.201.174.207 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 200.201.174.204 -i $LAN --dport 2631 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 200.201.166.200 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 200.201.173.68 -i $LAN --dport 80 --state NEW -j ACCEPT
#Spybot
$IPTABLES -A FORWARD -p tcp -m state -d 212.227.80.166 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 208.113.208.17 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 205.234.175.175 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 87.106.8.215 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 85.214.22.87 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 64.50.236.214 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 66.28.139.22 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 82.165.26.45 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 212.227.132.227 -i $LAN --dport 80 --state NEW -j ACCEPT
#Accesstage S.A.
$IPTABLES -A FORWARD -p tcp -m state -d 200.212.31.46 -i $LAN --dport 1414 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 200.225.81.33 -i $LAN --dport 1414 --state NEW -j ACCEPT
#SERPRO - Servico de Processamento de Dados
$IPTABLES -A FORWARD -p tcp -m state -d 161.148.185.130 -i $LAN --dport 3456 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 161.148.185.46 -i $LAN --dport 3007 --state NEW -j ACCEPT
#Telemar
$IPTABLES -A FORWARD -p tcp -m state -s 200.165.105.202 -i $LAN --sport 8090 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -m state -s 200.165.105.202 -i $LAN --sport 8090 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 200.165.105.202 -i $LAN --dport 8090 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -m state -d 200.165.105.202 -i $LAN --dport 8090 --state NEW -j ACCEPT
#Brasil Telecom S/A
$IPTABLES -A FORWARD -p tcp -m state -s 200.140.120.15 -i $LAN --sport 6060 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 200.140.120.15 -i $LAN --dport 6060 --state NEW -j ACCEPT
#Akamai Technologies
$IPTABLES -A FORWARD -p tcp -m state -d 72.246.48.0/24 --dport 80 --state NEW -j ACCEPT
#Microsoft Corp
$IPTABLES -A FORWARD -p tcp -m state -d 207.46.20.0/24 --dport 80 --state NEW -j ACCEPT
#Emp Proc de Dados do Estado do ES
$IPTABLES -A FORWARD -p tcp -m state -d 200.165.60.135 -i $LAN --dport 1081 --state NEW -j ACCEPT
#Cat - Comunicacao de Acidente de Trabalho
$IPTABLES -A FORWARD -p tcp -m state -i $LAN -o $WAN --dport 5017 --state NEW -j ACCEPT
#Liberando portas Wplex
#Acesso ao servidor wplax
$IPTABLES -A FORWARD -p tcp -m state -m multiport -d 200.146.61.140 -i $LAN -o $WAN --dport 80,8096 --state NEW -j ACCEPT
#Acesso vnc wplex x empresa
$IPTABLES -A FORWARD -p tcp -m state -s 201.34.141.191 -d 192.168.1.12 -i $WAN --dport 5900 --state NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $WAN --dport 5900 -j DNAT --to-destination 192.168.1.12:5900
#Liberando portas para Receita Net
$IPTABLES -A FORWARD -p tcp -m state -m multiport -s $REDE -o $WAN --dports 3456 --state NEW -j ACCEPT
#Liberando porta de Login.tj.es.gov.br
$IPTABLES -A FORWARD -p tcp -m state -d 200.216.185.221 -i $LAN --dport 4455 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 200.216.185.221 -i $LAN --dport 80 --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m state -d 208.64.140.139 -i $LAN --dport 443 --state NEW -j ACCEPT
#Liberando porta 3389 servidor de dados
$IPTABLES -A FORWARD -p tcp -m state -d 211.1.98.6 -i $WAN --dport 3389 --state NEW -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $WAN --dport 3389 -j DNAT --to-destination 211.1.98.6:3389
#Liberando Portas de Acesso GedasCOM
$IPTABLES -A FORWARD -p tcp -m state -m multiport -s $REDE -o $WAN --dports 5169,990:996,80,443,21,2010 --state NEW -j ACCEPT
#Liberando Portas de Acesso ao VoIP
#$IPTABLES -A FORWARD -s 211.1.98.99 -j ACCEPT
#$IPTABLES -A FORWARD -s 211.1.98.0/24 -j ACCEPT
#$IPTABLES -A FORWARD -s 211.1.98.89 -j ACCEPT
# $IPTABLES -A FORWARD -s 192.168.1.0/24 -j ACCEPT
echo -e "ATIVANDO ACESSO PROTOCOLO ICMP [$VERDE OK $AMARELO]"
$IPTABLES -A FORWARD -p icmp -m state -d 67.0.0.0/255.0.0.0 -i $LAN --icmp-type 8 --state NEW -j ACCEPT
echo -e "ATIVANDO LOGS FORWARD [$VERDE OK $AMARELO]"
$IPTABLES -A FORWARD -j LOG --log-prefix "BLOCKED - FWD:"
echo -e "APLICANDO REGRAS DA CADEIA NAT [$VERDE OK $AMARELO]"
# $IPTABLES -t nat -A PREROUTING -p tcp -i $LAN --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A POSTROUTING -s $REDE -o $WAN -j MASQUERADE
# $IPTABLES -t nat -A POSTROUTING -p tcp -s ! $REDE -d $REDE -m multiport --dport 80,22 -j SNAT --to-source 192.168.1.254
echo -e "ATIVANDO LOGS PREROUTING [$VERDE OK $AMARELO]"
# $IPTABLES -t nat -A PREROUTING -j LOG --log-prefix "BLOCKED - NAT-PRE:"
# $IPTABLES -t nat -A POSTROUTING -j LOG --log-prefix "BLOCKED - NAT-POST:"
echo -e $VERDE
echo ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
echo "| |"
echo "| FINALIZANDO O PROCESSO DE CARREGAMENTO DO FIREWALL |"
echo "| |"
echo "| FIREWALL PREPARADO |"
echo "| |"
echo ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
echo -e $PRETO;tput sgr0
echo
sleep 3
;;
stop)
echo -e $VERMELHO
echo -e "LIMPANDO REGRAS DO FIREWALL $AMARELO [$VERDE OK $AMARELO]"
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t mangle -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -Z
echo -e $VERMELHO
echo -e "ATIVANDO REGRA PADRAO SEM FIREWALL $AMARELO [$VERDE OK $AMARELO]"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo
echo ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
echo "| |"
echo "| FIREWALL PARADO |"
echo "| |"
echo ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"
echo -e $PRETO;tput sgr0
echo
;;
restart)
$PROGRAMA stop
$PROGRAMA start
;;
*)
echo "Use: $N {start|stop|restart}" >&2
echo -e "{TEXTO}33[01;31mATENCAO";tput sgr0
echo "{TEXTO}33[01;37mVoce não colocou nenhum argumento ou argumento desconhecido, entao por padrão sera dado em 5 segundos um restart no firewall";tput sgr0
sleep 5
$PROGRAMA restart
exit 1
esac
exit 0