nrj
(usa Debian)
Enviado em 02/03/2010 - 02:05h
Estou com problemas com compartilhamento de internet. Quando defino as políticas padrão no inicio (iptables -P FORWARD DROP) o compartilhamento não funciona. O problema está na liberação de consulta de dns que aparentemente não está funcionando:
iptables -A INPUT -p tcp (e udp) --dport 53 -j ACCEPT --> não funciona.
iptables -A FORWARD -p tcp (e udp) --dport 53 -j ACCEPT --> pinga uma fez e paralisa.
ai está parte do meu firewall...
#!/bin/bash
clear
echo -e " "
echo -e " "
echo -e "Iniciando Firewall ..."
echo " "
echo " "
#limpa regras
iptables -F
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT
iptables -t mangle -F
iptables -t mangle -F PREROUTING
iptables -t mangle -F POSTROUTING
iptables -t mangle -F OUTPUT
iptables -t mangle -F INPUT
iptables -t mangle -F FORWARD
iptables -X
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X
iptables -Z
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z
echo -n "Ajustando politicas padroes "
iptables -P INPUT DROP
iptables -P FORWARD DROP #o problema esta aqui
iptables -P OUTPUT ACCEPT
echo "[OK]"
# protecoes
# anti spoofing
echo -n "Setting anti-spoofing protection "
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $spoofing
done
echo "[OK]"
# anti-redirects
echo -n "Setting anti-redirects "
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "[OK]"
# anti source route
echo -n "Setting anti-source_route "
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "[OK]"
# anti bugus response
echo -n "Setting anti-bugus_response "
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "[OK]"
# anti synflood protection
echo -n "Setting anti-synflood protection "
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "[OK]"
# ping ignore : interface externa eth0 wlan
echo -n "Ping Ignore "
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "[OK]"
echo -e " "
echo -e " "
#Protecoes com logs
# protecao contra pacotes tcp indesejaveis
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: new sem syn:"
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# protecao contra brute force
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix "FIREWALL: ssh reject:"
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix "FIREWALL: ssh reject:"
iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
# protecao contra port scanners avancados
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner:"
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth0 -j SCANNER
# loga tentativa de acesso a determinadas portas
iptables -A INPUT -p tcp --dport 21 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: ftp:"
iptables -A INPUT -p tcp --dport 22 -i eth0 -j LOG --log-level 6 --log-prefix "FIREWALL: ssh:"
# Bloqueios
# bloqueio squid
iptables -A INPUT -p tcp -i eth0 --dport 3128 -j DROP
# bloqueio telnet
iptables -A INPUT -p tcp --dport telnet -j DROP
# bloqueio tracertroute
iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j DROP
# liberando acesso interno da rede
iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT
# liberando loopback
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
iptables -A FORWARD -s 127.0.0.1 -j ACCEPT
# compartilhamento da internet - ativar roteamento
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# ativando redirecionamento de pacotes
echo "1" >/proc/sys/net/ipv4/ip_forward
# manter conexoes ja estabelecidas para nao parar. aceita os pacotes que realmente devem entrar
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# melhora latencia de ssh pra fora
iptables -A PREROUTING -t mangle -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
# libera a resolucao de nomes
iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
# libera lista de portas padrao
iptables -t nat -A PREROUTING -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT