heitorchehad
(usa Fedora)
Enviado em 14/07/2011 - 09:07h
Bom dia,
Instalei o Fedora 15 e, a partir daí, minhas regras (PREROUTING e INPUT) não funcionam: não consigo liberar meus acessos nas portas 3389, 443, 80, 21, 37777 e 4550.
minhas regras:
#!/bin/bash
# Firewall / NAT rule set for a Fedora 15 gateway: LAN on em1, upstream
# link on p3p1. Flat script: flush everything, then rebuild every chain.
#
# NOTE(review): no `set -e` on purpose -- a single failing iptables call
# must not abort the script before the terminal DROP rules at the end of
# the INPUT and FORWARD sections have been installed.

## Enable IPv4 forwarding between interfaces. This is not persisted across
## a reboot; /etc/sysctl.conf is the place for a permanent setting.
echo "1" > /proc/sys/net/ipv4/ip_forward

## Start from a clean slate in every table this script touches: flush the
## built-in chains, delete user-defined chains, zero the packet counters.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
  iptables -t "$table" -Z
done
##############################################################################
# Site addressing
##############################################################################
## LAN side. The firewall is 192.168.0.254 and is also the transparent
## proxy target (see the nat section, port 3128).
iface_interna="em1"
ip_interna="192.168.0.254"
rede_interna="192.168.0.0/24"

## Upstream side. NOTE(review): 10.1.1.254 is a private address, so this
## box presumably sits behind another router (10.1.1.1 is referenced in the
## FORWARD section); any port forward here would then also need a matching
## forward on that device -- confirm.
iface_internet="p3p1"
ip_internet="10.1.1.254"

## Hosts whose forwarded traffic is accepted unconditionally. Whitespace
## separated on purpose: the FORWARD section iterates it unquoted.
tudo="192.168.0.254 192.168.0.251 192.168.0.1 192.168.0.252 192.168.0.199 192.168.0.104"

## Alternative to the host list above; not referenced by any rule.
todarede="192.168.0.0/24"

## Sources allowed to use MSN Messenger (tcp/1863). As written this is the
## whole LAN, so the MSN DROP rule in the FORWARD section can never match;
## narrow it to individual hosts if the block is meant to apply.
msnliberado="192.168.0.0/24"
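##############################################################################
# DNAT / SNAT rules (nat table)
##############################################################################
#### SNAT (rewrite the source address) ####
## Presumably the hairpin case (original comment: "allow access to the
## system via the public IP"): LAN-sourced packets that the firewall routes
## back to these LAN servers get the firewall's address as source, so the
## reply returns through the firewall instead of going host-to-host.
## NOTE(review): the 192.168.0.199 rule rewrites the source to the
## destination's own address, unlike every other rule here (192.168.0.254);
## that looks like a typo -- confirm before relying on it.
iptables -t nat -A POSTROUTING -s $rede_interna -d 192.168.0.1 -j SNAT --to-source 192.168.0.254
iptables -t nat -A POSTROUTING -s $rede_interna -d 192.168.0.252 -j SNAT --to-source 192.168.0.254
iptables -t nat -A POSTROUTING -s $rede_interna -d 192.168.0.16 -j SNAT --to-source 192.168.0.254
iptables -t nat -A POSTROUTING -s $rede_interna -d 192.168.0.199 -j SNAT --to-source 192.168.0.199
iptables -t nat -A POSTROUTING -s $rede_interna -d 192.168.0.251 -j SNAT --to-source 192.168.0.254
## (an exact duplicate of the 192.168.0.199 rule was removed: a second
## identical nat rule can never match.)

## Masquerade everything from the LAN that leaves on the upstream interface
iptables -t nat -A POSTROUTING -s $rede_interna -o $iface_internet -j MASQUERADE

#### DNAT (port forwarding) ####
## FTP control channel (tcp/21) arriving from upstream goes to 192.168.0.199.
## The original rule sat in the nat OUTPUT chain (locally generated packets
## only) and matched -d $inet_ip_publico, a variable never assigned in this
## script, so it could not work; an inbound forward belongs in PREROUTING.
## -i $iface_internet also keeps LAN clients' outbound FTP from being
## redirected to 192.168.0.199.
## NOTE(review): FTP data connections need the conntrack FTP helper
## (nf_conntrack_ftp / nf_nat_ftp) loaded for RELATED to match; this script
## does not load it.
iptables -t nat -A PREROUTING -i $iface_internet -p tcp --dport 21 -j DNAT --to-destination 192.168.0.199

## RDP (tcp/3389) to 192.168.0.252.
## NOTE(review): no -i/-d match, so this also rewrites LAN clients' RDP
## sessions to *any* external host. Add -i $iface_internet unless LAN
## clients are meant to reach the server through the public address.
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.0.252:3389

## Destinations exempt from the transparent proxy below. ACCEPT in the nat
## table only stops further nat processing; filtering still happens in FORWARD.
# Conectividade / Previdencia Social / FGR / Caixa
iptables -t nat -A PREROUTING -s $rede_interna -p tcp -m multiport --destination-ports 80,3128,8080 -d 200.201.169.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -s $rede_interna -p tcp -m multiport --destination-ports 80,3128,8080 -d 201.24.133.229 -j ACCEPT
iptables -t nat -A PREROUTING -s $rede_interna -p tcp -m multiport --destination-ports 80,3128,8080 -d 200.152.32.147 -j ACCEPT
iptables -t nat -A PREROUTING -s $rede_interna -p tcp -m multiport --destination-ports 80,3128,8080 -d 200.201.174.0/24 -j ACCEPT
## (a duplicate 200.201.169.0/24 rule was removed here)
iptables -t nat -A PREROUTING -s $rede_interna -p tcp -m multiport --destination-ports 5006,80,3128,8080 -d 186.215.92.145 -j ACCEPT
iptables -t nat -A PREROUTING -s $rede_interna -p tcp -m multiport --destination-ports 5006,80,3128,8080 -d 186.215.92.131 -j ACCEPT

## Transparent proxy: all remaining LAN traffic to 80/3128/8080 is
## redirected to the proxy on the firewall (port 3128).
iptables -t nat -A PREROUTING -s $rede_interna -p tcp -m multiport --destination-ports 80,3128,8080 -j DNAT --to $ip_interna:3128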
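#### Default policies ####
## INPUT and FORWARD fail closed. Both chains end in an explicit DROP
## anyway, so steady-state behaviour is unchanged; the difference is that if
## the script is interrupted after the flush above and before those final
## rules are added, the box is not left wide open as it was with ACCEPT.
## OUTPUT stays open -- the OUTPUT section accepts everything anyway.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT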
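##############################################################################
# INPUT rules (traffic addressed to the firewall itself)
##############################################################################
## Replies and related packets of connections the firewall already tracks
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Loopback
iptables -A INPUT -i lo -j ACCEPT
## Anti-spoofing: a LAN source address is only legitimate on the LAN
## interface (loopback was already accepted above). The LAN-only rules
## below trust -s alone, so this stops a forged 192.168.0.x packet from
## upstream reaching them.
iptables -A INPUT -s $rede_interna ! -i $iface_interna -j DROP

## Services on the firewall host itself, reachable from any source.
## NOTE(review): SSH (22) and RDP (3389/3390) open to the world on a gateway
## is a brute-force target; restrict -s to the LAN or to management
## addresses (or at least -i $iface_interna) unless remote administration
## really needs them. Ports that are only DNAT-forwarded to LAN servers
## never reach INPUT (after the rewrite they traverse FORWARD), so entries
## here only matter for daemons actually listening on the firewall.
for port in 22 3389 443 80 37777 4550 3390 21; do
  iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
done

## Proxy on the firewall, LAN side only
iptables -A INPUT -s $rede_interna -i $iface_interna -p tcp --dport 3128 -j ACCEPT
## Echo request from anywhere
iptables -A INPUT -s 0/0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
## DNS for the LAN (udp only, as before)
iptables -A INPUT -s $rede_interna -p udp --dport 53 -j ACCEPT

## Log what is about to be dropped. Rate limited so an unsolicited packet
## flood from upstream cannot fill syslog (the original logged every packet
## unthrottled); the prefix makes the lines easy to grep.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 5 --log-prefix "FW INPUT DROP: "
## Everything else addressed to the firewall is dropped
iptables -A INPUT -j DROP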
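##############################################################################
# FORWARD rules (traffic routed between the LAN and the upstream link)
##############################################################################
## Anti-spoofing: a LAN source address is only legitimate on the LAN
## interface. Most rules below trust -s alone, so without this a packet
## forged with a 192.168.0.x source arriving from upstream would be
## accepted and forwarded.
iptables -A FORWARD -s $rede_interna ! -i $iface_interna -j DROP

## Hosts listed in $tudo: everything they originate is forwarded.
## (192.168.0.254 is the firewall itself; its own packets never traverse
## FORWARD, so that entry is inert.)
for ip in $tudo; do
  iptables -A FORWARD -s "$ip" -j ACCEPT
done

## Hosts listed in $msnliberado: everything they originate is forwarded,
## not only MSN. NOTE(review): the list currently holds the whole LAN, so
## this accepts all LAN-originated traffic; the MSN DROP right below and
## every later "-s $rede_interna" rule can never match while that is so.
for ip in $msnliberado; do
  iptables -A FORWARD -s "$ip" -j ACCEPT
done

## Block MSN Messenger (tcp/1863) for LAN hosts not accepted above
iptables -A FORWARD -s $rede_interna -p tcp --dport 1863 -j DROP

## Replies and related packets of connections already tracked
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## LAN -> upstream, HTTP
iptables -A FORWARD -s $rede_interna -i $iface_interna -o $iface_internet -p tcp --dport 80 -j ACCEPT
# Previdencia Social
iptables -A FORWARD -s $rede_interna -o $iface_internet -p tcp -m tcp -d 200.152.32.147 -j ACCEPT
iptables -A FORWARD -s $rede_interna -o $iface_internet -p udp -m udp -d 200.152.32.147 -j ACCEPT
iptables -A FORWARD -s $rede_interna -o $iface_internet -p tcp -m tcp -d 186.215.92.146 -j ACCEPT
# Receita (tcp/3456)
iptables -A FORWARD -s $rede_interna -i $iface_interna -o $iface_internet -p tcp --dport 3456 -j ACCEPT
# Conectividade (whole 200.201.0.0/16, any protocol)
iptables -A FORWARD -i $iface_interna -o $iface_internet -d 200.201.0.0/16 -j ACCEPT

## LAN -> external DNS servers
iptables -A FORWARD -s $rede_interna -p udp --dport 53 -j ACCEPT
## Mail: tcp/25 is SMTP, tcp/110 is POP3 (the original comments had the
## two names swapped)
iptables -A FORWARD -s $rede_interna -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s $rede_interna -p tcp --dport 110 -j ACCEPT
## FTP control channel and tcp/4550
iptables -A FORWARD -s $rede_interna -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -s $rede_interna -p tcp --dport 4550 -j ACCEPT

## Ports accepted in either direction, from any source to any destination.
## NOTE(review): for inbound traffic these only matter when a matching DNAT
## exists in the nat section; a port without one is delivered to the
## firewall's own INPUT chain and never reaches a LAN server, however many
## FORWARD rules accept it. Pin each one with -d <server> once its DNAT
## exists.
for port in 3389 3390 443 37777 80 4550 19001 21; do
  iptables -A FORWARD -p tcp --dport "$port" -j ACCEPT
done
## tcp/3128 from anywhere (the original comment called this "port 80 for
## Sharepoint"; the rule matches 3128)
iptables -A FORWARD -p tcp --dport 3128 -j ACCEPT

## "No-IP": LAN -> 10.1.1.1, any tcp port
iptables -A FORWARD -s $rede_interna -d 10.1.1.1 -p tcp -j ACCEPT

## LAN -> anywhere, HTTP and HTTPS
iptables -A FORWARD -s $rede_interna -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s $rede_interna -p tcp --dport 443 -j ACCEPT

## Skype. NOTE(review): the two ESTABLISHED,RELATED rules here are
## unreachable -- the generic state rule earlier in this chain already
## accepted those packets. Kept only to leave the rule set as it was.
iptables -A FORWARD -p tcp -s $rede_interna -d 0/0 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d $rede_interna -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -s $rede_interna -d 0/0 -j ACCEPT
iptables -A FORWARD -p udp -d $rede_interna -s 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## Echo request from the LAN outwards
iptables -A FORWARD -s $rede_interna -i $iface_interna -p icmp -m icmp --icmp-type 8 -j ACCEPT

## Log then drop the rest. Rate limited so a flood cannot fill syslog (the
## original logged every packet unthrottled); the prefix makes the lines
## easy to grep.
iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-level 5 --log-prefix "FW FORWARD DROP: "
iptables -A FORWARD -j DROP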
##############################################################################
# OUTPUT rules (traffic originated by the firewall itself)
##############################################################################
## Tracked connections first, then everything else: the firewall itself is
## allowed to send anything.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

## Persist the rule set so it survives a reboot. The commented-out line is
## the manual equivalent and shows the file the service script targets.
## The ip_forward setting at the top of the script is NOT persisted by this.
#iptables-save > /etc/sysconfig/iptables
service iptables save