Gentoo Forums
Help with firewall
Scirious
Tux's lil' helper


Joined: 19 Jan 2004
Posts: 75
Location: Brazil

Posted: Tue Dec 28, 2004 12:27 pm    Post subject: Help with firewall

Folks, I know this question is not about Gentoo, but since there are usually many experts here and I don't know where else to look for help, I'm posting my question here hoping someone can help me.

Well, I have a network with ADSL access. Between the router modem and our network I have a Linux router (with the DNS on it) with two network cards: eth1 on our network, 172.16.0.0/16, and eth0 on the modem side in a small network, 10.0.0.0/8.

The Linux machine runs Conectiva Linux 10. As a router and DNS server it works perfectly, but when I enable the firewall functions the internet connection starts behaving strangely. To load the rules into iptables I run a script that was created based on the example in the Conectiva manual (only based on it, because the example itself does not even run; it fails with a "bad interpreter" error) and on the example from the Guia Foca Linux.

I have already thought of everything that occurred to me but could not find the error. The behaviour is this: if a machine was already browsing before, it keeps browsing web pages without problems. If it was not browsing before, there is no point in trying, because it will not be able to browse. And in both cases POP and SMTP connections, for example, do not work.

The script used for the rules follows below:

Quote:

#!/bin/bash
#
# chkconfig: 345 11 89
#
# Script written using the Guia Foca Linux example and the Conectiva 10 manual as a base.


SERVICE_NAME="iptables"

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# source init script configuration
. /etc/sysconfig/myfirewall

# Check that networking is enabled before touching any rules
if [ "${NETWORKING}" = "no" ]
then
gprintf "Sem serviço de rede!"
gprintf "IPTABLES NÃO INICIALIZADO!!!"
exit 0
fi

function start() {

gprintf "Iniciando o serviço de %s: " "IPtables"
echo

gprintf "Esvaziando todos os chains"
# Flush the chains so no stale rules are left behind
/usr/sbin/iptables -t filter -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F
echo

gprintf " Definindo policiamento padrão"
#### Setting the default policies ####
# filter table
/usr/sbin/iptables -t filter -P INPUT DROP
/usr/sbin/iptables -t filter -P OUTPUT ACCEPT
/usr/sbin/iptables -t filter -P FORWARD DROP
# nat table
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING DROP
# mangle table
/usr/sbin/iptables -t mangle -P INPUT ACCEPT
/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
echo

gprintf " Ativando o redirecionamento de pacotes para NAT"
#### Enabling packet forwarding ####
echo 1 > /proc/sys/net/ipv4/ip_forward
echo

gprintf " Ativando proteção contra IP Spoofing"
#### Protection against IP spoofing (reverse-path filtering on every interface) ####
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > "$i"
done
echo

gprintf " Configurando a tabela filter"
########################################
# filter table #
########################################
echo

gprintf " Permitindo toda a comunicação pela interface loopback"
/usr/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -t filter -A FORWARD -i lo -j ACCEPT
/usr/sbin/iptables -t filter -A FORWARD -o lo -j ACCEPT
echo

gprintf " Criando proteção contra SYN Flood"
# Accepts up to 10 new TCP connections per second to the router itself, on any port and any interface
/usr/sbin/iptables -t filter -A INPUT -p tcp --syn -m limit --limit 10/s -j ACCEPT
echo

gprintf " Criando proteções contra ping da morte"
/usr/sbin/iptables -t filter -A INPUT -i eth1 -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
/usr/sbin/iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type echo-reply -m limit --limit 10/s -j REJECT --reject-with net-unreach
echo

gprintf " Permitindo todo o tráfego já estabelecido"
/usr/sbin/iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo

gprintf " Permitindo todo o tráfego de mensagens ICMP"
/usr/sbin/iptables -t filter -A INPUT -p icmp -j ACCEPT
/usr/sbin/iptables -t filter -A FORWARD -p icmp -j ACCEPT
/usr/sbin/iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo

gprintf " Bloqueando toda a tentativa de conexão externa para a rede"
/usr/sbin/iptables -t filter -A INPUT -p tcp --syn -i eth0 -j REJECT --reject-with net-unreach
echo

gprintf " Configurando permissões de acesso a serviços de internet de usuários da rede interna"
echo

gprintf " HTTP"
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport http -j ACCEPT
echo

gprintf " HTTPS"
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport https -j ACCEPT
echo

gprintf " FTP"
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport ftp -j ACCEPT
echo

gprintf " FTP-DATA"
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport ftp-data -j ACCEPT
echo

gprintf " Serviços Autenticados"
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport auth -j ACCEPT
echo

gprintf " Serviços de e-mail"
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport pop3 -j ACCEPT
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport smtp -j ACCEPT
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport imap -j ACCEPT
echo

gprintf " RSYNC"
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport rsync -j ACCEPT
echo

gprintf " Permitindo MSN Messenger"
/usr/sbin/iptables -t filter -A FORWARD -p tcp --dport 1863 -j ACCEPT
echo

gprintf " Permitindo acesso de DNS à máquina local"
# Only TCP queries to the local DNS server are matched here
/usr/sbin/iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
/usr/sbin/iptables -t filter -A INPUT -p tcp --dport 5353 -j ACCEPT

echo

gprintf " Permitindo acesso SSH à máquina local a partir da rede interna"
/usr/sbin/iptables -t filter -A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport ssh -j ACCEPT
echo

gprintf " Recusando todos os outros acessos"
/usr/sbin/iptables -t filter -A FORWARD -p tcp -j REJECT --reject-with net-unreach
/usr/sbin/iptables -t filter -A INPUT -p tcp -j REJECT --reject-with net-unreach
echo

gprintf "Configurando a tabela nat"
##################################
# nat table #
##################################
echo

gprintf " Configurando SNAT"
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j DROP
/usr/sbin/iptables -t nat -A POSTROUTING -j ACCEPT
echo

gprintf "Configurando a tabela mangle"
######################################
# mangle table #
######################################
echo

gprintf " Configurando Mínima-Espera para HTTP e HTTPS"
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp --dport http -j TOS --set-tos Minimize-Delay
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp --dport https -j TOS --set-tos Minimize-Delay
/usr/sbin/iptables -t mangle -A OUTPUT -p tcp --dport http -j TOS --set-tos Minimize-Delay
echo

gprintf " Configurando Máximo-Processamento para FTP"
/usr/sbin/iptables -t mangle -A PREROUTING -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
echo

}

function stop() {
gprintf "Parando o serviço de %s: " "IPtables"
echo

gprintf " Limpando os chains"
/usr/sbin/iptables -t filter -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F
echo

gprintf " Resetando o policiamento padrão"
#### Resetting the default policies ####
# filter table
/usr/sbin/iptables -t filter -P INPUT ACCEPT
/usr/sbin/iptables -t filter -P OUTPUT ACCEPT
/usr/sbin/iptables -t filter -P FORWARD ACCEPT
# nat table
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
# mangle table
/usr/sbin/iptables -t mangle -P INPUT ACCEPT
/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
echo
}




# See how we were called.
case "$1" in
start)
start
RETVAL=$?
;;
stop)
stop
RETVAL=$?
;;

*)
printf $"Usage: %s {start|stop}\n" "$SERVICE_NAME"
echo
exit 1
esac

exit $RETVAL


Does anyone know what is going on?
Thanks,
Daniel Bittar.
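An added example, not part of this thread: a static check of iptables rule lines against what the setup described above needs. With the DNS server on the router, LAN clients send their queries to UDP port 53 on the INPUT chain, while the posted script only accepts TCP there; the same chain also accepts any rate-limited TCP SYN before any port is checked. POSTED is a constructed subset of the script's INPUT rules and FIXED is a variant proposed here, not by the poster.

```bash
#!/bin/bash
# Added example, not from the thread: static check of iptables rule lines
# against what the described topology needs. The DNS server runs on the
# router, so LAN clients query it on UDP/53 through INPUT; a rate-limited
# "accept every SYN" rule on INPUT lets new connections reach any TCP port.
# Both rule sets are constructed: POSTED is the INPUT subset of the script
# in the thread, FIXED is the variant this example proposes.
POSTED='
-A INPUT -p tcp --syn -m limit --limit 10/s -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 5353 -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with net-unreach'
FIXED='
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/16 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/16 -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with net-unreach'

# accepts RULES CHAIN REGEX -> 0 if CHAIN holds an ACCEPT rule matching REGEX
accepts() { printf '%s\n' "$1" | grep -Eq -- "^-A $2 .*$3.*-j ACCEPT"; }
# dns_udp_ok RULES -> 0 if clients can reach the router's resolver over UDP
dns_udp_ok() { accepts "$1" INPUT '-p udp .*--dport (53|domain)'; }
# dns_lan_only RULES -> 0 if every DNS accept on INPUT is bound to eth1
dns_lan_only() {
  ! printf '%s\n' "$1" | grep -E -- '^-A INPUT .*--dport (53|domain) .*-j ACCEPT' \
    | grep -Ev -- '-i eth1 ' | grep -q .
}
# syn_accept_all RULES -> 0 if INPUT accepts TCP SYNs without a port match
syn_accept_all() {
  printf '%s\n' "$1" | grep -Eq -- '^-A INPUT -p tcp --syn( -m limit[^j]*)? -j ACCEPT'
}
# audit NAME RULES -> prints one line per finding, returns the finding count
audit() {
  local n=0
  dns_udp_ok "$2" || { echo "$1: no UDP/53 accept on INPUT; LAN clients cannot resolve names"; n=$((n+1)); }
  dns_lan_only "$2" || { echo "$1: DNS accept not limited to eth1 (also reachable from the modem side)"; n=$((n+1)); }
  ! syn_accept_all "$2" || { echo "$1: rate-limited SYN accept on INPUT admits every TCP port"; n=$((n+1)); }
  return $n
}

for name in POSTED FIXED; do   # $? in the else branch is the finding count
  rules=${!name}
  if audit "$name" "$rules"; then echo "$name: clean"; else echo "$name: $? finding(s)"; fi
done
```

The same functions can be run against `iptables -S INPUT` output on a live router, since that command prints rules in the `-A INPUT ...` form the checks expect.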
Kobal
Guru


Joined: 12 Feb 2004
Posts: 323
Location: Brasil / Brazil / Brésil / Brasilien / el Brasil

Posted: Tue Dec 28, 2004 4:16 pm    Post subject:

You could try this approach: http://firehol.sourceforge.net/ .