Firewall gives an error and does not connect [SOLVED]

1. Firewall gives an error and does not connect [SOLVED]

Andre chagas ramos
andre_ramos

(uses openSUSE)

Posted on 20/07/2009 - 16:23h

My firewall is giving an error and does not connect. When I set the general policy to DROP on INPUT and OUTPUT it does not connect; if I set it to ACCEPT it connects fine. Can anyone help me?

Here is the script:

#!/bin/bash
iniciar () {

# Share the connection

modprobe ip_nat_ftp
modprobe iptable_nat
IPTABLES=/usr/sbin/iptables
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo "Enabling connection sharing!"

# Transparent proxy
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# General access policies

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

#################################################################

# Packets belonging to connections already tracked by conntrack are accepted first
$IPTABLES -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

########## loopback #############################################

$IPTABLES -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
################################################################

# localhost

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

######### Conectividade Social ###################################
INTERNA=eth0 # network card connected to the internal network
CAIXA=200.201.174.0/24 # Caixa IP range to be allowed for the whole network
$IPTABLES -t nat -A PREROUTING -i $INTERNA -d $CAIXA -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $INTERNA -d $CAIXA -j ACCEPT

########## Tables ################################################

# INPUT (packets arriving at the firewall host)

$IPTABLES -A INPUT -p tcp -s 10.1.1.0/8 -d 201.76.49.33 --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 10.1.1.0/8 -d 201.76.49.33 --dport 25 -j ACCEPT

# ftp (data and control)
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
# ssh
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# smtp
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
# dns
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# http
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# pop3
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
# HTTPS (and 563)
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 563 -j ACCEPT

#--------------------------------------------------------------------

# OUTPUT (packets leaving the firewall host)

$IPTABLES -A OUTPUT -p tcp -s 10.1.1.0/8 -d 201.76.49.33 --dport 110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 10.1.1.0/8 -d 201.76.49.33 --dport 25 -j ACCEPT

# ftp (data and control)
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
# ssh (the original rule repeated port 25 here; 22 is the intended port)
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
# smtp
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
# dns
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
# http
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
# pop3
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
# HTTPS (and 563)
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 563 -j ACCEPT

#--------------------------------------------------------------------

# FORWARD - LOCAL NETWORK

# ftp (data and control)
$IPTABLES -A FORWARD -p tcp --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 21 -j ACCEPT
# SSH
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
# smtp (to remote servers)
$IPTABLES -A FORWARD -p tcp --dport 25 -j ACCEPT
# smtp (replies, source port 25)
$IPTABLES -A FORWARD -p tcp --sport 25 -j ACCEPT
# dns
$IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
# pop3 (to remote servers)
$IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
# pop3 (replies, source port 110)
$IPTABLES -A FORWARD -p tcp --sport 110 -j ACCEPT
# POP (port 8333)
$IPTABLES -A FORWARD -p tcp --dport 8333 -j ACCEPT
# HTTPS (and 563)
$IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 563 -j ACCEPT
# msn
$IPTABLES -A FORWARD -s 10.1.1.0/8 -p tcp --dport 1863 -j REJECT

$IPTABLES -A FORWARD -s 10.1.1.0/8 -j ACCEPT
########################################################################

echo "Firewall enabled"
}
parar(){
# Flushing (-F) removes the rules but keeps the chain policies, so the
# policies are reset to ACCEPT here; otherwise "stop" would leave the
# host with a DROP policy and no rules at all.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
echo "Firewall and connection-sharing rules disabled"
}

case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use the parameters start, stop or restart"
esac

2. Re: Firewall gives an error and does not connect [SOLVED]

Emerson Cosmo
emerson.cosmo

(uses Debian)

Posted on 20/07/2009 - 16:42h

Andre Ramos,
I'm a Linux newbie, but I noticed two errors in the rules, and if I'm wrong please correct me, folks!!!
The first error I saw is that it masquerades the network at the start of the instructions, and the second error I saw is that you flush the tables at the very end (iptables -F and iptables -t nat -F); try putting that rule at the beginning of the procedure. Below is my commented rule set, I hope it helps.


#!/bin/sh
#############
##variables##
#############
IPT=$(which iptables)
iptables=/sbin/iptables
externo=eth0   # external (Internet-facing) interface
interno=eth1   # internal (LAN) interface
eto=IPEXTERNO  # placeholder: replace with the firewall's external IP (no space after "=", or the variable stays empty)
NET="0/0"
PA=1024:65535  # unprivileged port range used as source ports
LO=127.0.0.1
####################
##Flushing tables##
####################
$iptables -F
$iptables -t nat -F
$iptables -t mangle -F

###################
##Loading modules##
###################
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

##################################
##PASSIVE and ACTIVE FTP modules##
##################################
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_tables
modprobe iptable_nat
############################
##Anti-spoofing protection##
############################
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

##############################
##Setting the default policy##
##############################
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

######################
##Allowing LOOPBACK##
######################
$iptables -A INPUT -i lo -d $LO -j ACCEPT
$iptables -A OUTPUT -o lo -d $LO -j ACCEPT

################
##Filter rules##
################
#Accept the packets that really should come in
#---------------------------------------------
# Anything not arriving on the external interface is trusted
$iptables -A INPUT ! -i $externo -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

#Protection against worms
#------------------------
$iptables -A FORWARD -p tcp --dport 135 -i $interno -j REJECT

#Protection against syn-flood
#----------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

#Protection against port scanners
#--------------------------------
$iptables -N SCANNER
$iptables -A SCANNER -j DROP
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $externo -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $externo -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $externo -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $externo -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $externo -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $externo -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $externo -j SCANNER

##Allowing name resolution
$iptables -A OUTPUT -p udp -s $eto --sport $PA -d $NET --dport 53 -j ACCEPT
$iptables -A INPUT -p udp -s $NET --sport 53 -d $eto --dport $PA -j ACCEPT

##Allowing http and https browsing
$iptables -A OUTPUT -p tcp -s $eto --sport $PA -d $NET --dport 80 -j ACCEPT
$iptables -A INPUT -p tcp -s $NET --sport 80 -d $eto --dport $PA -j ACCEPT
$iptables -A OUTPUT -p tcp -s $eto --sport $PA -d $NET --dport 443 -j ACCEPT
$iptables -A INPUT -p tcp -s $NET --sport 443 -d $eto --dport $PA -j ACCEPT

############################################
##Allowing external access to a given port##
############################################
$iptables -A INPUT -p tcp --dport 22 -i $externo -j ACCEPT
$iptables -A INPUT -p tcp --dport 22 -i $interno -j ACCEPT

############
##MSN rule##
############
##allowing
# Hostnames given to -d are resolved once, when the rule is loaded, not per packet
$iptables -I FORWARD -s 192.168.5.14 -p tcp --dport 1863 -j ACCEPT
$iptables -I FORWARD -s 192.168.5.14 -d loginnet.password.com -j ACCEPT
$iptables -I FORWARD -s 192.168.5.14 -d hotmail.com -j ACCEPT
$iptables -I FORWARD -s 192.168.5.14 -d hotmail.com.br -j ACCEPT

##blocking
$iptables -I FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j DROP
$iptables -I FORWARD -s 192.168.0.0/24 -d loginnet.password.com -j DROP
$iptables -I FORWARD -s 192.168.0.0/24 -d hotmail.com -j DROP
$iptables -I FORWARD -s 192.168.0.0/24 -d hotmail.com.br -j DROP

#####################
##POP and SMTP rule##
#####################
$iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o $externo -m multiport -p tcp --dport 25,110,995 -j MASQUERADE

#################
##Allowing FTP##
#################
$iptables -A INPUT -p tcp --dport 20 -j ACCEPT
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT


###########################
##Masquerading the NETWORK##
###########################
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
$iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
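The lock-out in the first post (a DROP policy with no ESTABLISHED,RELATED or loopback accept) and the pitfalls in the second script (the `eto= IPEXTERNO` assignment, hostnames passed to -d) can all be caught by reading the script before loading it. The checker below is an added example, not code from either poster; the script fragment it audits is constructed for the demonstration.

```python
import re

# Constructed fragment in the style of the thread's scripts (not either poster's full file)
SAMPLE = """
IPTABLES=/usr/sbin/iptables
eto= IPEXTERNO
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -I FORWARD -s 192.168.5.14 -d hotmail.com -j ACCEPT
"""

def audit(script: str) -> list[str]:
    """Return findings for an iptables shell script: policy/rule mismatches and shell slips."""
    findings, drop_policy, stateful, loopback = [], set(), set(), set()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # 'name= value' assigns an empty string and then tries to run 'value' as a command
        if re.match(r"^[A-Za-z_]\w*=\s+\S", line):
            findings.append(f"broken assignment (space after '='): {line}")
        m = re.search(r"-P\s+(\w+)\s+DROP", line)
        if m:
            drop_policy.add(m.group(1))
        m = re.search(r"-[AI]\s+(\w+)\b", line)
        chain = m.group(1) if m else None
        if chain and "ESTABLISHED" in line and "-j ACCEPT" in line:
            stateful.add(chain)          # covers -m state and -m conntrack forms
        if chain and re.search(r"-[io]\s+lo\b", line) and "-j ACCEPT" in line:
            loopback.add(chain)
        # a hostname in -s/-d is resolved once when the rule is loaded, never per packet
        for flag, target in re.findall(r"(-[sd])\s+(\S+)", line):
            if re.search(r"[A-Za-z]", target) and not target.startswith("$"):
                findings.append(f"hostname in {flag} resolved only at load time: {target}")
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        if chain in drop_policy and chain not in stateful:
            findings.append(f"{chain} policy DROP without ESTABLISHED,RELATED accept: "
                            "reply packets are dropped and connections hang")
        if chain != "FORWARD" and chain in drop_policy and chain not in loopback:
            findings.append(f"{chain} policy DROP without a loopback (lo) accept rule")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```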



3. Re: Firewall gives an error and does not connect [SOLVED]

Andre chagas ramos
andre_ramos

(uses openSUSE)

Posted on 21/07/2009 - 09:04h

Thank you very much, it worked fine.
