Allow the new UOL radio through iptables

1. Allow the new UOL radio through iptables

Jhoni Vieceli
JhoniVieceli

(uses Debian)

Posted on 19/03/2010 - 16:11h

Hi everyone!

As some of you may know, Rádio UOL changed the way it transmits the radio stream, and I'm having trouble allowing access for the people on my network.
I did a packet capture and saw that it uses TCP port 1935 and the service name is rtmp.
As a complementary measure I allowed ports 80 and 1935 on both FORWARD and INPUT, but unfortunately it didn't work.
Of course the server that hosts the firewall is the only one that can access it...

If anyone knows the solution or has already had this problem, please help me.

Thanks everyone!


2. Re: Allow the new UOL radio through iptables

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 19/03/2010 - 17:06h

It'd be good if you posted your rules here. Let's try to crack this one...


3. My firewall script

Jhoni Vieceli
JhoniVieceli

(uses Debian)

Posted on 19/03/2010 - 17:52h

Below is my script.

Cheers!

#!/bin/bash
iniciar(){
#modprobe ip_conntrack_ftp
######## VARIABLES ###########

###INTERFACES####
IF_EXTERNA=eth0
IF_INTERNA=eth1
REDE_INTERNA=192.168.0.250
REDE_EXTERNA=192.168.1.250

#####SERVICES#####
FTP1=21
FTP2=20
SMTP=25
DNS=53
HTTP=80
POP=110
IMAP=143
HTTPS=443
MYSQL=3306
ICQ=5190
NESSUS=1241
SAMBA1=139
SAMBA2=138
OPENFIRE1=5222
OPENFIRE2=5223
OPENFIRE3=7777
OPENFIRE4=7070
OPENFIRE5=5229
OPENFIRE6=9090
OPENFIRE7=9091

####FLUSH THE FIREWALL####
# iptables -t filter -F
# iptables -t mangle -F
# iptables -t raw -F
iptables -F
iptables -Z
iptables -X
iptables -t nat -F

#####Enable routing (IP forwarding)######
echo "1" >/proc/sys/net/ipv4/ip_forward

#####Enable SYN cookies######
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

#### Load conntrack modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_sip
/sbin/modprobe ip_conntrack_h323
/sbin/modprobe ip_nat_sip
/sbin/modprobe ip_nat_h323


################################################################
##### Policy definition #####
################################################################

# filter table
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

#### Allow established connections #####
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#### Controlling access from the internal network ####
iptables -A FORWARD -p tcp -m multiport --dports $FTP1,$FTP2,$SMTP,$DNS,$HTTP,$POP,$IMAP,$HTTPS,$MYSQL -j ACCEPT
iptables -A FORWARD -p udp -j ACCEPT

#### ICQ block ###
iptables -A FORWARD -p tcp --dport $ICQ -j DROP
iptables -A FORWARD -p udp --dport $ICQ -j DROP

#### eMule ###
iptables -A FORWARD -p tcp --dport 4661:4711 -j DROP
iptables -A FORWARD -p udp --dport 4661:4711 -j DROP

#### BitTorrent ####
iptables -A FORWARD -p tcp --dport 6881:6889 -j DROP

##### IP spoofing (reverse-path filter on every interface) #####
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 >$i
done

##### Limit on the size of the connection-tracking table ######
echo "2048" > /proc/sys/net/netfilter/nf_conntrack_max

#### Protection against ping of death (rate-limited echo requests) ######
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

##### Allow ICMP ####
iptables -A FORWARD -p icmp --icmp-type 0 -m length --length :84 -m limit --limit 2/sec -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3 -m limit --limit 2/sec -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 11 -m limit --limit 2/sec -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 12 -m limit --limit 2/sec -j ACCEPT

# Rádio UOL
iptables -A FORWARD -p tcp --sport 1935 -j ACCEPT
iptables -A FORWARD -p udp --sport 1935 -j ACCEPT
iptables -A FORWARD -p tcp --sport $HTTP -j ACCEPT


#### Log generation ####
iptables -A FORWARD -j LOG --log-prefix "FIREWALL: Forward: "

###########################################################################
# filter table: INPUT chain #
##########################################################################

#### Allow other services: www, ftp, dns, proxy
iptables -A INPUT -s $REDE_INTERNA -i $IF_INTERNA -p tcp -m tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p tcp --dport $HTTP -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p tcp --dport $HTTPS -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p tcp --dport $FTP1 -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p tcp --dport $FTP2 -j ACCEPT
# accepts any TCP packet from an unprivileged port to an unprivileged port, on every interface
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p tcp --dport $DNS -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p udp --dport $DNS -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p tcp --dport $SAMBA1 -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p udp --dport $SAMBA1 -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p tcp --dport $SAMBA2 -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p udp --dport $SAMBA2 -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p tcp -m multiport --dports $OPENFIRE1,$OPENFIRE2,$OPENFIRE3,$OPENFIRE4,$OPENFIRE5,$OPENFIRE6,$OPENFIRE7 -j ACCEPT
iptables -A INPUT -i $IF_INTERNA -p udp -m multiport --dports $OPENFIRE1,$OPENFIRE2,$OPENFIRE3,$OPENFIRE4,$OPENFIRE5,$OPENFIRE6,$OPENFIRE7 -j ACCEPT
iptables -A INPUT -p tcp --sport 1935 -j ACCEPT
iptables -A INPUT -p udp --sport 1935 -j ACCEPT
iptables -A INPUT -p udp --sport 51977 -j ACCEPT
iptables -A INPUT -p tcp --sport 51977 -j ACCEPT


# iptables -A INPUT -p tcp --destination-port $NESSUS -j ACCEPT

#
# Accept traffic coming from and going to lo
iptables -A INPUT -i lo -j ACCEPT

# Log the connection
iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT "


########################################################################
# # nat table #
########################################################################


modprobe iptable_nat

##### POSTROUTING chain #####

# Masquerade for the internal network
iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE


}

parar(){
iptables -F
iptables -Z
iptables -X
iptables -t nat -F

}

status(){
iptables -L -n
}

case "$1" in
"start")
iniciar
;;
"stop")
parar
;;
"status")
status
;;
*)
echo "utilize start,status ou stop"
;;
esac



4. Re: Allow the new UOL radio through iptables

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 20/03/2010 - 08:39h

Dude, I think the rule is wrong. You should use --dport, not --sport. Try it like this.
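The --dport correction suggested above, as an added example that is not part of the original thread: a small POSIX sh lint that flags ACCEPT rules matching only --sport and rewrites them into the outbound form (the sample rules are constructed from the script in post 3; IF_INTERNA=eth1 is assumed from that script).

```shell
#!/bin/sh
# Added example, not the original poster's script: find ACCEPT rules that try
# to open a service by matching only the *source* port (--sport), which never
# matches a client's first outgoing packet, and emit the --dport form instead.

IF_INTERNA=eth1   # assumed: the internal interface, as in the script above

# Constructed sample: the radio rules from the script above plus the
# ESTABLISHED,RELATED rule that already lets the server's replies back in.
SAMPLE_RULES='iptables -A FORWARD -p tcp --sport 1935 -j ACCEPT
iptables -A FORWARD -p udp --sport 1935 -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Print each ACCEPT rule whose only port match is --sport.
find_sport_only() {
    printf '%s\n' "$1" | grep -- '-j ACCEPT' | grep -- '--sport' | grep -v -- '--dport'
}

# Number of such rules (0 when there are none).
count_sport_only() {
    find_sport_only "$1" | grep -c . || true
}

# Rewrite one --sport rule into the outbound-client form: match the port the
# client connects TO, and only on the internal interface, so the rule cannot be
# satisfied by an arbitrary inbound packet that merely claims source port 1935.
fix_rule() {
    printf '%s\n' "$1" |
        sed -e "s/-A FORWARD /-A FORWARD -i $IF_INTERNA /" -e 's/--sport/--dport/'
}

# Corrected version of every flagged rule, one per line.
fixed_rules() {
    find_sport_only "$1" | while IFS= read -r rule; do
        fix_rule "$rule"
    done
}

fixed_rules "$SAMPLE_RULES"
```

The lint also flags the `--sport 80` line from the script, which as written accepts any forwarded packet whose source port happens to be 80, in either direction.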