small question, big solution [SOLVED]

1. small question, big solution [SOLVED]

apileofshit

(uses Slackware)

Posted on 04/03/2009 - 18:57h

Hi, I'm new to Linux, I'm studying a lot and trying hard to learn, I became a penguin out of passion, so here we go.
On my network I only use these services: DNS, DHCP, SAMBA, POSTFIX (ALREADY ACTIVE, and all OK); SSH, FIREWALL and SQUID (I'M SETTING THESE UP AND WANT HELP).
I want to block EVERYTHING that isn't that, I'm very afraid of intrusions, etc.
My network is:
D-Link 500B modem 10.1.10.1
eth0 = 10.1.10.2 running (DNS)
eth1 = 10.1.1.3 running (DHCP, SAMBA, POSTFIX)
(I think Squid and the firewall go on eth1?!?)
(the workstation IPs will be 10.1.1.4, .5, .6 and so on...)
(my questions are: do I leave DNS on eth0, or move it to eth1?)
(I'm thinking of changing the IPs, making eth0 10.1.1.2 and eth1 192.168.0.1,
or is that not necessary?)
(is this script blocking everything and only opening the ports I want?)
below is scoff's script with my questions as comments!!

#!/bin/bash

# Developed by Andrei/André

Internet=eth0
# set the Rede_Interna variable according to your network
Rede_Interna=10.1.1.0/24     # (would that be my eth0?) ????
#Rede_Interna=10.1.10.0/24   # (or my eth1?) ????



NORMAL="\33[0m"
GOOD="\33[32;1m"
BAD="\33[31;1m"

ok_or_error() {
if [ "$?" = "0" ]; then
tput hpa 60
echo -ne "$GOOD[OK]"
else
tput hpa 60
echo -ne "$BAD[ERR]"
fi
echo -ne "$NORMAL\n"
}

fire_start() {

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe iptable_nat

echo
echo "================================== =============================="
echo " | :: Setando as regras do Firewall :: | "
echo "================================== =============================="


# Default chain policies ---------------------------------------------
echo -n "Setting default rules"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
ok_or_error
#---------------------------------------------------------------------


# Disabling IP forwarding --------------------------------------------
echo -n "Setting ip_forward: OFF"
echo "0" > /proc/sys/net/ipv4/ip_forward
ok_or_error
#---------------------------------------------------------------------


# Anti Spoofing ------------------------------------------------------
# rp_filter=1 enables reverse-path filtering; 0 would switch the protection off
echo -n "Setting anti-spoofing protection"
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $spoofing
done
ok_or_error
#----------------------------------------------------------------------


# Anti-Redirects ------------------------------------------------------
echo -n "Setting anti-redirects"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
ok_or_error
#----------------------------------------------------------------------


# Anti source route -- ------------------------------------------------
echo -n "Setting anti-source_route"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
ok_or_error
#----------------------------------------------------------------------


# Anti bogus response -------------------------------------------------
echo -n "Setting anti-bogus_response"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
ok_or_error
#----------------------------------------------------------------------


# Anti Synflood protection --------------------------------------------
echo -n "Setting anti-synflood protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
ok_or_error


# Ping ignore ---------------------------------------------------------
echo -n "Ping Ignore"
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
ok_or_error
#----------------------------------------------------------------------


# Chain INPUT --------------------------------------------------------
echo -n "Setting rules for INPUT"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ok_or_error
#----------------------------------------------------------------------


# Chain FORWARD -------------------------------------------------------
echo -n "Setting rules for FORWARD"
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ok_or_error
#----------------------------------------------------------------------


# IP Masquerading (NAT) -----------------------------------------------
echo -n "Activating IP Mask"
iptables -t nat -A POSTROUTING -o $Internet -j MASQUERADE
ok_or_error
#----------------------------------------------------------------------


# INPUT--------------------------------------------------------------------------------
echo -n "Input manual rules"
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s $Rede_Interna --dport 22 -j ACCEPT
iptables -A INPUT -p udp -s $Rede_Interna --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $Rede_Interna --dport 3128 -j ACCEPT
# HERE I JUST ADD THE PORTS I WANT TO OPEN, THAT I KNOW: 53, 139, 3128, 80, etc. etc.
ok_or_error
#--------------------------------------------------------------------------------------


# FORWARD------------------------------------------------------------------------------
echo -n "Forward manual rules"
iptables -A FORWARD -p tcp -s $Rede_Interna -j ACCEPT
ok_or_error
#--------------------------------------------------------------------------------------

# HOST REDIRECTION---------------------------------------------------------------------
echo -n "Hosts Redirects manual rules"
# here you can put your DNAT and SNAT redirections
ok_or_error
#----------------------------------------------------------------------------------------------------------


# PORT REDIRECTION-----------------------------------------------------------------------------------------
echo -n "Ports Redirects manual rules"
#iptables -t nat -A PREROUTING -s $Rede_Interna -p tcp --dport 80 -j REDIRECT --to-port 3128
# WHEN I GET SQUID SORTED OUT I'LL UNCOMMENT THIS
ok_or_error
#----------------------------------------------------------------------------------------------------------


# IP Forward ON -------------------------------------------------------------------------------------------
echo -n "Setting ip_forward: ON"
echo "1" > /proc/sys/net/ipv4/ip_forward
ok_or_error
#----------------------------------------------------------------------------------------------------------

echo "================================== =============================="
echo " <<<--->>> Firewall Ativo! <<<--->>> "
echo "================================== =============================="
}




fire_stop() {
echo "Stopping Firewall..."
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F
/usr/sbin/iptables -X
/usr/sbin/iptables -X -t nat
/usr/sbin/iptables -Z
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -F POSTROUTING -t nat
/usr/sbin/iptables -F PREROUTING -t nat


/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
ok_or_error
}


fire_restart() {
fire_stop
sleep 1
fire_start
}

case "$1" in
'start')
fire_start
;;
'stop')
fire_stop
;;
'restart')
fire_restart
;;
*)
echo "usage $0 start|stop|restart"
esac
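One way to answer the question in the post above (is the script blocking everything and opening only the chosen ports?) is to audit the live ruleset with `iptables-save` instead of reading the script. This is an added example, not code from the thread: a POSIX shell audit run over a constructed `iptables-save` dump shaped like the script's rules; `chain_policy`, `input_open_ports` and `audit_summary` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output, modelled on the policies and
# INPUT rules of the script above (not captured from the poster's machine).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.1.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.1.1.0/24 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.1.1.0/24 -p tcp -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print the default policy of one filter chain, e.g. "DROP".
chain_policy() {  # $1 = chain name, stdin = dump
    awk -v c=":$1" '$1 == c { print $2; exit }'
}

# List "proto/port" pairs that INPUT accepts, one per line, sorted.
input_open_ports() {  # stdin = dump
    awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && /--dport/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto "/" port
        }' | sort
}

# ACCEPT rules in INPUT that open a port without a source (-s) restriction:
# those are reachable from the Internet side as well as from the LAN.
input_unrestricted() {  # stdin = dump
    awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && /--dport/ && !/ -s /'
}

# One-line summary: "INPUT=DROP FORWARD=DROP open=3 unrestricted=0".
audit_summary() {  # stdin = dump
    dump=$(cat)
    in_pol=$(printf '%s\n' "$dump" | chain_policy INPUT)
    fw_pol=$(printf '%s\n' "$dump" | chain_policy FORWARD)
    open=$(printf '%s\n' "$dump" | input_open_ports | wc -l | tr -d ' ')
    unr=$(printf '%s\n' "$dump" | input_unrestricted | wc -l | tr -d ' ')
    printf 'INPUT=%s FORWARD=%s open=%s unrestricted=%s\n' "$in_pol" "$fw_pol" "$open" "$unr"
}

printf '%s\n' "$SAMPLE_DUMP" | audit_summary
```

On a real gateway, replace the constructed dump with `iptables-save | audit_summary`; a policy other than DROP or a non-zero "unrestricted" count is what to look at first.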


  


2. BEST ANSWER

Sérgio Abrantes Junior (pelo)

(uses Debian)

Posted on 05/03/2009 - 11:59h

Hi,

Take a look at the script I wrote.

http://www.vivaolinux.com.br/contribuir/conf/verConf.php?codigo=792

Sérgio Abrantes
[]'s

4. thanks sergio

apileofshit

(uses Slackware)

Posted on 08/03/2009 - 21:38h

thanks, I'm using it, perfect, saved!


5. Re: small question, big solution [SOLVED]

Sérgio Abrantes Junior (pelo)

(uses Debian)

Posted on 08/03/2009 - 21:50h

Thanks, my friend : )


6. Re: small question, big solution [SOLVED]

Alberto Federman Neto (albfneto)

(uses openSUSE)

Posted on 08/03/2009 - 21:51h

hello. don't forget, help the other users: mark the topic as solved and mark the best answer...


7. Re: small question, big solution [SOLVED]

Sérgio Abrantes Junior (pelo)

(uses Debian)

Posted on 10/03/2009 - 23:12h

Thanks again
: )


9. pelo, help me out here

apileofshit

(uses Slackware)

Posted on 11/03/2009 - 22:40h

So pelo, I'm having the following problems: my Outlook won't get through no matter whaaaat! I can't even ping from inside to outside, see how my firewall looks

#!/bin/bash
#
# /etc/rc.d/rc.firewall
#
# Start/stop/restart Firewall
#
# To make Firewall start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.firewall
#
# Variables #

LanExt=10.1.10.2
LanInt=10.1.1.3
Rede=10.1.1.0/24

# Modules #

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

####################
### START function ###
####################
firewall_start() {
echo "Iniciando o Firewall"

# Flush the rules #

iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle

# Default policies #

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# Keep already established connections so they don't get cut
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all traffic coming from and going to loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
#######################
### FIREWALL LOG ###
#######################

#iptables -A INPUT -d $LanExt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 22"
#iptables -A INPUT -d $LanExt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP EXT 21"
#iptables -A INPUT -d $LanInt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH INT 22"
#iptables -A INPUT -d $LanInt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"


###############################
# Protections #
###############################

# Protects against "Ping of Death"
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 20/m -j ACCEPT

# Protects against advanced port scanners (e.g. nmap)
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 20/m -j ACCEPT

# Blocking traceroute
iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j REJECT

# Protection against attacks
iptables -A INPUT -m state --state INVALID -j REJECT


###############################
# INPUT table #
###############################
### External destination ###

# Opening port 22 (SSH)
#iptables -A INPUT -d $LanExt -p tcp --dport 22 -j LOG --log-level 6 --log-prefix "FIREWALL: SSH EXT 2222"
iptables -A INPUT -d $LanExt -p tcp --dport 2222 -j ACCEPT

# Opening port 25 (email)
iptables -A INPUT -d $LanExt -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -d $LanExt -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -d $LanExt -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -d $LanExt -p tcp --dport 25 -j ACCEPT

# Opening port 110 (Email)
iptables -A INPUT -d $LanExt -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -d $LanExt -p tcp --sport 110 -j ACCEPT
iptables -A FORWARD -d $LanExt -p tcp --sport 110 -j ACCEPT
iptables -A FORWARD -d $LanExt -p tcp --dport 110 -j ACCEPT

# Opening port 53 (DNS)
iptables -A FORWARD -p udp -s 10.1.1.0/24 -d 10.1.1.3 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 10.1.1.3 --sport 53 -d 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 10.1.10.0/24 -d 10.1.1.3 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 10.1.1.3 --sport 53 -d 10.1.10.0/24 -j ACCEPT

### Internal destination ###

# Opening port 22 (SSH)
iptables -A INPUT -d $LanInt -p tcp --dport 2222 -j ACCEPT

# Opening port 3128 (Squid)
iptables -A INPUT -d $LanInt -p tcp --dport 3128 -j ACCEPT

# Opening port 80 (http)
iptables -A INPUT -d $LanInt -p tcp --dport 80 -j ACCEPT

# Opening port 53
iptables -A INPUT -d $LanInt -p tcp --dport 53 -j ACCEPT

# Opening port 25 (email)
#iptables -A INPUT -d $LanInt -p tcp --dport 21 -j LOG --log-level 6 --log-prefix "FIREWALL: FTP INT 21"
iptables -A INPUT -d $LanInt -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -d $LanInt -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT

# Opening port 110 (email)
iptables -A INPUT -d $LanInt -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -d $LanInt -p tcp --sport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT

# Opening port 3000 (NTOP)
iptables -A INPUT -d $LanInt -p tcp --dport 3000 -j ACCEPT


###############################
# FORWARD table #
###############################
# Exempt a computer from the firewall rules
iptables -A FORWARD -s 10.1.1.112 -p tcp -j ACCEPT
iptables -A FORWARD -s 10.1.1.112 -p udp -j ACCEPT
iptables -A INPUT -p tcp -d 10.1.1.112 -s 0/0 -j ACCEPT
iptables -A OUTPUT -p tcp -s 0/0 -d 10.1.1.112 -j ACCEPT

### MSN ###
# Allow MSN for the IP #
# name
#iptables -A FORWARD -s 192.168.4.11 -p tcp --dport 1863 -j ACCEPT
# MSN block #

iptables -A FORWARD -s 10.1.1.0 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 10.1.1.0 -d loginnet.passport.com -j DROP
iptables -A FORWARD -s 10.1.1.0/24 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 10.1.1.0/24 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 10.1.1.0/24 -d messenger.hotmail.com -j DROP
#iptables -A FORWARD -s 10.1.1.0/24 -d webmessenger.msn.com -j DROP
#iptables -A FORWARD -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -s 10.1.1.0/24 -p tcp --dport 1080 -j DROP
iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -d 10.1.1.0/24 -j DROP

# Opening port 2222 (SSH)
iptables -A FORWARD -s $Rede -p tcp --dport 2222 -j ACCEPT

# Opening port 110 (pop-3)
iptables -A FORWARD -s $Rede -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -d $Rede -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -d $Rede -p tcp --sport 110 -j ACCEPT

# Opening port 995 (spop-3)
iptables -A FORWARD -s $Rede -p tcp --dport 995 -j ACCEPT

# Opening port 25 (smtp)
iptables -A FORWARD -s $Rede -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -d $Rede -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -d $Rede -p tcp --sport 25 -j ACCEPT

# Opening port 465 (smtp-s)
iptables -A FORWARD -s $Rede -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -d $Rede -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT -d $Rede -p tcp --sport 465 -j ACCEPT

# Opening port 2121 (ftp)
#iptables -A FORWARD -s $Rede -p tcp --dport 2121 -j ACCEPT

# Opening port 21 (ftp)
#iptables -A FORWARD -s $Rede -p udp --dport 21 -j ACCEPT
#iptables -A FORWARD -s $Rede -p udp --dport 20 -j ACCEPT

# Opening port 53 (DNS)
iptables -A FORWARD -s $Rede -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 53 -j ACCEPT

# Opening port 37 (Time)
iptables -A FORWARD -s $Rede -p tcp --dport 37 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 37 -j ACCEPT

# Opening port 113 (auth)
iptables -A FORWARD -s $Rede -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 113 -j ACCEPT

# Opening port 139 (netbios)
iptables -A FORWARD -s $Rede -p tcp --dport 139 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 139 -j ACCEPT

# Opening port 143 (imap)
iptables -A FORWARD -s $Rede -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 143 -j ACCEPT

# Opening port 445 (microsoft-ds)
iptables -A FORWARD -s $Rede -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 445 -j ACCEPT

# Opening port 631 (cups)
iptables -A FORWARD -s $Rede -p tcp --dport 631 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 631 -j ACCEPT

# Opening port 3128 (squid)
iptables -A FORWARD -s $Rede -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 3128 -j ACCEPT

# Opening port 80
iptables -A FORWARD -s $Rede -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -s $Rede -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s $Rede -p tcp --dport 80 -j ACCEPT

# Opening samba
iptables -A FORWARD -p tcp --dport 137:139 -s 10.1.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 137:139 -s 10.1.1.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 137:139 -s 10.1.1.0/24 -j ACCEPT

# Forward rules needed for port redirection (NAT) to work
# Redirecting port 2222 (ssh)
#iptables -A FORWARD -p tcp --dport 5900 -j 2222
#ptables -A FORWARD -p tcp --dport 5800 -j ACCEPT
###############################
######### NAT table #########
###############################

# Port redirection
# (nat for ssh)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 10.1.1.3:2222

# Network masquerading for external access #
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Allowing internal ping and blocking external
iptables -A INPUT -p icmp -d 10.1.1.0 -s 0/0 -j ACCEPT
iptables -A INPUT -p icmp -i eth0 -s 10.1.1.0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# Opening Outlook
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to-destination 10.1.10.2
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 110 -j DNAT --to-destination 10.1.10.2
iptables -A INPUT -p tcp -s 10.1.1.0/24 --sport 110 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.1.0/24 --sport 110 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 110 -d 0/0 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -d 0/0 --dport 110 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 110 -d 0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 10.1.1.0/24 --sport 110 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 10.1.1.0/24 --sport 25 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.1.0/24 --sport 25 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -d 0/0 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -d 0/0 --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 25 -d 0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 10.1.1.0/24 --sport 25 -d 0/0 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d pop.terra.com.br -s 10.1.1.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d smtp.terra.com.br -s 10.1.1.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.1.1.0/24 --dport 25 -j ACCEPT


# Block everything else
#iptables -A INPUT -p tcp -j LOG --log-level 6 --log-prefix "FIREWALL: GERAL "
#iptables -A INPUT -p tcp --syn -j DROP
#iptables -A INPUT -p tcp -j DROP
#iptables -A INPUT -p udp -j DROP

}

##################
### STOP function ##
##################
firewall_stop() {

echo "Parando firewall e funcionando apenas com mascaramento"
# Flush the rules #

iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle

# Default policies #

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# Keep already established connections so they don't get cut
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all traffic coming from and going to loopback
iptables -t filter -A INPUT -i lo -j ACCEPT

###############################
# FORWARD table #
###############################

### MSN ###

# Allow MSN for the IP #


# name
#iptables -A FORWARD -s 192.168.0.34 -p tcp --dport 1863 -j ACCEPT

# name
#iptables -A FORWARD -s 192.168.0.5 -p tcp --dport 1863 -j ACCEPT


# MSN block #


#iptables -A FORWARD -s 192.168.1.0 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 192.168.1.0 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d messenger.hotmail.com -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -d webmessenger.msn.com -j DROP
#iptables -A FORWARD -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -s 198.164.1.0/24 -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -d 64.4.13.0/24 -j DROP

###############################
######### NAT table #########
###############################


# Network masquerading for external access #
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE



echo "Regras Limpas e Firewall desabilitado"
}

firewall_restart() {
echo "Reiniciando Firewall"
firewall_stop
sleep 3
firewall_start
echo "Firewall Reiniciado"
}
case "$1" in
'start')
firewall_start
echo "Firewall Iniciado"
;;
'stop')
firewall_stop
;;
'restart')
firewall_restart
;;
*)
echo "Opções possíveis:"
echo "rc.firewall start"
echo "rc.firewall stop"
echo "rc.firewall restart"
esac



I've tried everything! It won't work! Even taking the IP out of the firewall it won't work, help!


10. Re: small question, big solution [SOLVED]

Sérgio Abrantes Junior (pelo)

(uses Debian)

Posted on 13/03/2009 - 14:27h

My friend,

You added extra, unnecessary rules.
Does it work when you run it with stop?

Let's do the following: create a script with only the email rules and see if it works.
#!/bin/bash

LanExt=10.1.10.2
LanInt=10.1.1.3
Rede=10.1.1.0/24
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
# replies to sessions the LAN opened; without this the FORWARD DROP policy discards them
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $Rede -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 110 -j ACCEPT
iptables -A FORWARD -s $Rede -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 995 -j ACCEPT
iptables -A FORWARD -s $Rede -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 25 -j ACCEPT
iptables -A FORWARD -s $Rede -p tcp --dport 465 -j ACCEPT
iptables -A FORWARD -s $Rede -p udp --dport 465 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
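The "mail only" test above, written as an added example (not code from the thread) so it can be reviewed before it is applied: `IPTABLES` defaults to `echo`, which prints every rule instead of loading it, and `IPTABLES=/usr/sbin/iptables` applies them for real. The 10.1.1.0/24 LAN and the eth0 uplink come from the thread; the port list, the NEW/ESTABLISHED split and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Dry-run by default: "echo" prints the rules; set IPTABLES to the real binary to apply.
IPTABLES=${IPTABLES:-echo}
Rede=${Rede:-10.1.1.0/24}     # LAN behind the gateway (from the thread)
Internet=${Internet:-eth0}    # uplink interface (from the thread)
# Outbound mail: SMTP, submission, SMTPS, POP3, POP3S, IMAP, IMAPS (TCP only; mail never uses UDP).
MAIL_TCP_PORTS="25 587 465 110 995 143 993"

ipt() { "$IPTABLES" "$@"; }

reset_tables() {
    ipt -F; ipt -X; ipt -Z
    ipt -t nat -F; ipt -t nat -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Reply packets first: with FORWARD DROP and no state rule, the mail server's
# answers would never reach the LAN clients, which looks like "Outlook won't connect".
allow_established() {
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
}

# Only NEW sessions from the LAN towards the uplink, one rule per mail port,
# then masquerade the LAN behind the uplink address.
allow_mail_forward() {
    for p in $MAIL_TCP_PORTS; do
        ipt -A FORWARD -s "$Rede" -o "$Internet" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -s "$Rede" -o "$Internet" -j MASQUERADE
}

apply_mail_rules() {
    reset_tables
    allow_established
    allow_mail_forward
}

# Always a dry run (subshell), whatever IPTABLES is set to outside: emits the
# ruleset as text so it can be grepped or diffed before applying.
mail_ruleset() (
    IPTABLES=echo
    apply_mail_rules
)

# Number of FORWARD rules that open new outbound sessions (one per mail port).
count_forward_new() { mail_ruleset | grep -c -- '-A FORWARD .*--state NEW'; }

apply_mail_rules
```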





11. Re: small question, big solution [SOLVED]

Sérgio Abrantes Junior (pelo)

(uses Debian)

Posted on 14/03/2009 - 13:55h

So, my friend.... how did it go?

Sérgio Abrantes





