Firewall Iptables

1. Firewall Iptables

Magno Lima
magnolinux

(uses Debian)

Posted on 03/09/2011 - 11:41h

Good morning, community...

I have a completely new problem; I've already tried everything and so far no solution. I'm using Debian Squeeze 64-bit.

I have a firewall server routing the internet for a client. I opened ports 80 and 443 and most sites work perfectly, but others don't load; a good example is yahoo.com.br / answer.yahoo.com.br.

I monitor the log in iptables and the outgoing port is 80, which is already open, and still nothing.

I monitor the log with tcpdump and the outgoing port is 80, which is already open, and the packet comes back perfectly.

Below I'll post my iptables configuration file; I removed all the other lines and left only the basics.

The solution is to open all forwarding for the internal network, then everything goes straight through. "But I will never leave my forward wide open"


#!/bin/bash

echo "Ativando Firewall..."

# Flushing tables
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F

# Deleting user-defined chains
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X

# Zeroing counters
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z

# Default policies, filter table
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

# Packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Internal NAT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# White List
iptables -t filter -A INPUT -s 192.168.1.2 -p tcp --dport 22 -j ACCEPT

# Accept packets that are established or related to an existing connection.
#iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allowing forward
iptables -t filter -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -p udp --sport 53 -j ACCEPT

iptables -t filter -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 80 -j ACCEPT

iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 443 -j ACCEPT

iptables -t filter -A FORWARD -j LOG --log-prefix "Monitoramento Forward..." --log-level warn
iptables -t filter -A INPUT -j LOG --log-prefix "Monitoramento Input..." --log-level warn


echo "Regras Adicionadas..."

Now the tcpdump logs..

root@srv:~# tcpdump -i eth0 -n host 192.168.1.2 and not port 22 and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

08:41:39.793905 IP 192.168.1.2.1448 > 8.8.8.8.53: 43448+ A? br.yahoo.com. (30)
08:41:39.851998 IP 8.8.8.8.53 > 192.168.1.2.1448: 43448 5/0/0 CNAME fp3.wg1.b.yahoo.com., CNAME any-fp3-lfb.wa1.b.yahoo.com., CNAME any-fp3-real.wa1.b.yahoo.com., A 67.195.160.76, A 69.147.125.65 (143)
08:41:39.852955 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [S], seq 789712867, win 65535, options [mss 1460,nop,nop,sackOK], length 0
08:41:40.034093 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [S.], seq 2510129369, ack 789712868, win 5840, options [mss 1440,nop,nop,sackOK], length 0
08:41:40.034325 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 1, win 65535, length 0
08:41:40.035048 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], seq 1:1441, ack 1, win 65535, length 1440
08:41:40.035089 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [P.], seq 1441:1587, ack 1, win 65535, length 146
08:41:40.250903 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], ack 1441, win 8640, length 0
08:41:40.258009 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], ack 1587, win 11520, length 0
08:41:40.660807 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 1:1453, ack 1587, win 11520, length 1452
08:41:40.661392 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 1453:1461, ack 1587, win 11520, length 8
08:41:40.661525 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 1461, win 65535, length 0
08:41:40.844849 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 1461:2913, ack 1587, win 11520, length 1452
08:41:40.858125 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 2921:4373, ack 1587, win 11520, length 1452
08:41:40.858496 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 4373:4381, ack 1587, win 11520, length 8
08:41:40.858632 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 2913, win 65535, options [nop,nop,sack 1 {2921:4373}], length 0
08:41:40.858668 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 2913, win 65535, options [nop,nop,sack 1 {2921:4381}], length 0
08:41:41.029057 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 2913:2921, ack 1587, win 11520, length 8
08:41:41.029264 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 4381, win 65535, length 0
08:41:41.044903 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 4381:5833, ack 1587, win 11520, length 1452
08:41:41.045263 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 5833:5841, ack 1587, win 11520, length 8
08:41:41.045489 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 5841, win 65535, length 0
08:41:41.210776 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 5841:7293, ack 1587, win 11520, length 1452
08:41:41.211099 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 7293:7301, ack 1587, win 11520, length 8
08:41:41.211338 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 7301, win 65535, length 0
08:41:41.226998 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 7301:8753, ack 1587, win 11520, length 1452
08:41:41.227506 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 8753, win 65535, length 0
08:41:41.240308 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 8761:10213, ack 1587, win 11520, length 1452
08:41:41.240673 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 8753:8761, ack 1587, win 11520, length 8
08:41:41.240895 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 8753, win 65535, options [nop,nop,sack 1 {8761:10213}], length 0
08:41:41.240934 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 10213, win 65535, length 0
08:41:41.250842 IP 192.168.1.2.1448 > 8.8.8.8.53: 21950+ A? l.yimg.com. (28)
08:41:41.307757 IP 8.8.8.8.53 > 192.168.1.2.1448: 21950 8/0/0 CNAME geoycs-l.gy1.b.yahoodns.net., CNAME fo-anyycs-l.ay1.b.yahoodns.net., A 98.137.80.34, A 98.137.80.50, A 98.137.80.49, A 98.137.80.31, A 98.137.80.32, A 98.137.80.33 (195)
08:41:41.308727 IP 192.168.1.2.1732 > 98.137.80.34.80: Flags [S], seq 1616301621, win 65535, options [mss 1460,nop,nop,sackOK], length 0
08:41:41.382154 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 10213:10221, ack 1587, win 11520, length 8
08:41:41.395784 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 10221:11673, ack 1587, win 11520, length 1452
08:41:41.396287 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 11673, win 65535, length 0
08:41:41.396388 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 11673:11681, ack 1587, win 11520, length 8
08:41:41.410071 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 11681:13133, ack 1587, win 11520, length 1452
08:41:41.410447 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 13133:13141, ack 1587, win 11520, length 8
08:41:41.410612 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 13133, win 65535, length 0
08:41:41.424135 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 13141:14593, ack 1587, win 11520, length 1452
08:41:41.424490 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 14593:14601, ack 1587, win 11520, length 8
08:41:41.424637 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 14593, win 65535, length 0
08:41:41.438164 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 14601:16053, ack 1587, win 11520, length 1452
08:41:41.438669 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 16053, win 65535, length 0
08:41:41.489332 IP 98.137.80.34.80 > 192.168.1.2.1732: Flags [S.], seq 527386867, ack 1616301622, win 5840, options [mss 1460,nop,nop,sackOK], length 0
08:41:41.489532 IP 192.168.1.2.1732 > 98.137.80.34.80: Flags [.], ack 1, win 65535, length 0
08:41:41.490116 IP 192.168.1.2.1732 > 98.137.80.34.80: Flags [P.], seq 1:911, ack 1, win 65535, length 910
08:41:41.566232 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 16053:16061, ack 1587, win 11520, length 8
08:41:41.579850 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 16061:17513, ack 1587, win 11520, length 1452
08:41:41.580218 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 17513:17521, ack 1587, win 11520, length 8
08:41:41.580365 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 17513, win 65535, length 0
08:41:41.593893 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 17521:18973, ack 1587, win 11520, length 1452
08:41:41.594397 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 18973, win 65535, length 0
08:41:41.607205 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 18981:20433, ack 1587, win 11520, length 1452
08:41:41.607572 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 18973:18981, ack 1587, win 11520, length 8
08:41:41.607710 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 18973, win 65535, options [nop,nop,sack 1 {18981:20433}], length 0
08:41:41.607748 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 20433, win 65535, length 0
08:41:41.608566 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 20433:20441, ack 1587, win 11520, length 8
08:41:41.622219 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 20441:21893, ack 1587, win 11520, length 1452
08:41:41.622601 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 21893:21901, ack 1587, win 11520, length 8
08:41:41.622788 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 21893, win 65535, length 0
08:41:41.636035 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 21901:23353, ack 1587, win 11520, length 1452
08:41:41.636401 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 23353:23361, ack 1587, win 11520, length 8
08:41:41.636558 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 23353, win 65535, length 0
08:41:41.650071 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 23361:24813, ack 1587, win 11520, length 1452
08:41:41.650554 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 24813, win 65535, length 0
08:41:41.698256 IP 98.137.80.34.80 > 192.168.1.2.1732: Flags [.], ack 911, win 7280, length 0
08:41:41.701533 IP 98.137.80.34.80 > 192.168.1.2.1732: Flags [P.], seq 1:287, ack 911, win 7280, length 286
08:41:41.750008 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 24813:24821, ack 1587, win 11520, length 8
08:41:41.763658 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 24821:26273, ack 1587, win 11520, length 1452
08:41:41.764040 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 26273:26281, ack 1587, win 11520, length 8
08:41:41.764170 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 26273, win 65535, length 0
08:41:41.777751 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 26281:27733, ack 1587, win 11520, length 1452
08:41:41.778251 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 27733, win 65535, length 0
08:41:41.778320 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 27733:27741, ack 1587, win 11520, length 8
08:41:41.792002 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 27741:29193, ack 1587, win 11520, length 1452
08:41:41.792377 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 29193:29201, ack 1587, win 11520, length 8
08:41:41.792524 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 29193, win 65535, length 0
08:41:41.805806 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 29201:30653, ack 1587, win 11520, length 1452
08:41:41.806173 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 30653:30661, ack 1587, win 11520, length 8
08:41:41.806310 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 30653, win 65535, length 0
08:41:41.819849 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 30661:32113, ack 1587, win 11520, length 1452
08:41:41.820367 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 32113, win 65535, length 0
08:41:41.833165 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 32121:33573, ack 1587, win 11520, length 1452
08:41:41.833666 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 32113, win 65535, options [nop,nop,sack 1 {32121:33573}], length 0
08:41:41.833780 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 32113:32121, ack 1587, win 11520, length 8
08:41:41.833910 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 33573, win 65535, length 0
08:41:41.847451 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 33581:35033, ack 1587, win 11520, length 1452
08:41:41.847815 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 33573:33581, ack 1587, win 11520, length 8
08:41:41.847968 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 33573, win 65535, options [nop,nop,sack 1 {33581:35033}], length 0
08:41:41.848004 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 35033, win 65535, length 0
08:41:41.848568 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 35033:35041, ack 1587, win 11520, length 8
08:41:41.862225 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 35041:36493, ack 1587, win 11520, length 1452
08:41:41.862722 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 36493, win 65535, length 0
08:41:41.862840 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 36493:36501, ack 1587, win 11520, length 8
08:41:41.874493 IP 192.168.1.2.1732 > 98.137.80.34.80: Flags [.], ack 287, win 65249, length 0
08:41:41.876280 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 36501:37953, ack 1587, win 11520, length 1452
08:41:41.876807 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 37953, win 65535, length 0
08:41:41.933102 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 37953:37961, ack 1587, win 11520, length 8
08:41:41.946742 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 37961:39413, ack 1587, win 11520, length 1452
08:41:41.947119 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 39413:39421, ack 1587, win 11520, length 8
08:41:41.947251 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 39413, win 65535, length 0
08:41:41.961042 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 39421:40873, ack 1587, win 11520, length 1452
08:41:41.961567 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 40873, win 65535, length 0
08:41:41.961692 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 40873:40881, ack 1587, win 11520, length 8
08:41:41.975126 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 40881:42333, ack 1587, win 11520, length 1452
08:41:41.975612 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 42333, win 65535, length 0
08:41:41.975690 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 42333:42341, ack 1587, win 11520, length 8
08:41:41.989373 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 42341:43793, ack 1587, win 11520, length 1452
08:41:41.989740 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 43793:43801, ack 1587, win 11520, length 8
08:41:41.989928 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 43793, win 65535, length 0
08:41:42.003430 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 43801:45253, ack 1587, win 11520, length 1452
08:41:42.003789 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 45253:45261, ack 1587, win 11520, length 8
08:41:42.003934 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 45253, win 65535, length 0
08:41:42.017463 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 45261:46713, ack 1587, win 11520, length 1452
08:41:42.017976 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 46713, win 65535, length 0
08:41:42.018072 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 46713:46721, ack 1587, win 11520, length 8
08:41:42.031786 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 46721:48173, ack 1587, win 11520, length 1452
08:41:42.032122 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 48173:48181, ack 1587, win 11520, length 8
08:41:42.032300 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 48173, win 65535, length 0
08:41:42.045554 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 48181:49633, ack 1587, win 11520, length 1452
08:41:42.045929 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [.], seq 49633:49641, ack 1587, win 11520, length 8
08:41:42.046047 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 49633, win 65535, length 0
08:41:42.053001 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [P.], seq 49641:50314, ack 1587, win 11520, length 673
08:41:42.053318 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 50314, win 64854, length 0
08:41:55.531026 IP 67.195.160.76.80 > 192.168.1.2.1731: Flags [F.], seq 50314, ack 1587, win 11520, length 0
08:41:55.531267 IP 192.168.1.2.1731 > 67.195.160.76.80: Flags [.], ack 50315, win 64854, length 0
08:41:55.707208 IP 98.137.80.34.80 > 192.168.1.2.1732: Flags [FP.], seq 28027:29075, ack 911, win 7280, length 1048
08:41:55.707622 IP 192.168.1.2.1732 > 98.137.80.34.80: Flags [.], ack 287, win 65249, options [nop,nop,sack 1 {28027:29076}], length 0


Thanks a lot everyone, cheers to all


2. Re: Firewall Iptables

Profile removed
removido

(uses None)

Posted on 03/09/2011 - 12:23h

Man, isn't it the DNS????


3. DNS reply

Magno Lima
magnolinux

(uses Debian)

Posted on 03/09/2011 - 12:40h

Vinicius, the workstations use Google's DNS 8.8.8.8 // 8.8.4.4, and on the server UDP queries on port 53 are allowed.

If it were DNS, no site would work; my problem is with some sites only...

What I can do is run an nslookup from the workstation for the Yahoo site and check the name resolution. That would be a way to rule out the DNS hypothesis.

If you have any other idea, please send it to me.


4. help from a friend

Profile removed
removido

(uses None)

Posted on 03/09/2011 - 13:24h

hey buddy, all good?

well... if you're trying to allow forwarding for the hosts on your internal network, you have to change the default FORWARD policy to ACCEPT, because it is set to DROP (blocking) and it comes before the rules that open the ports you want to allow.

if that's not the problem, reply with what the real problem is and the solution you want.

awaiting your reply.


5. Re: Eabreu

Magno Lima
magnolinux

(uses Debian)

Posted on 05/09/2011 - 08:13h

Good morning, friend,

So, the default policy of iptables works differently from the rules you create. When I set the iptables policy to DROP, I'm telling the firewall the following: for any request that is generated it starts checking the rules, and if there is no rule allowing it, it consults the default policy and discards the packet. The policy is only used if there is no allow rule. Moreover, the rules I create override the default iptables policy.

In my case the ports are open and I can browse the internet; only some sites don't load.

Anyway, thanks for the reply.

cheers


6. if it didn't solve the problem, try this...

Profile removed
removido

(uses None)

Posted on 08/09/2011 - 17:34h

thanks for the clarification in the previous post:


#!/bin/bash

echo "Ativando Firewall..."

# Flushing tables
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F

# Deleting user-defined chains
iptables -t filter -X
iptables -t nat -X
iptables -t mangle -X

# Zeroing counters
iptables -t filter -Z
iptables -t nat -Z
iptables -t mangle -Z

# Default policies, filter table
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

# Packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Internal NAT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

# White List
# in this example I set your internal network address to 192.168.1.0/24 and the network card
# connected to the internal network is eth0
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -A INPUT -s 192.168.1.2 -p tcp --dport 22 -j ACCEPT

# Accept packets that are established or related to an existing connection.
#iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allowing forward
iptables -t filter -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -p udp --sport 53 -j ACCEPT

iptables -t filter -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 80 -j ACCEPT

iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 443 -j ACCEPT

iptables -t filter -A FORWARD -j LOG --log-prefix "Monitoramento Forward..." --log-level warn
iptables -t filter -A INPUT -j LOG --log-prefix "Monitoramento Input..." --log-level warn


echo "Regras Adicionadas..."

NOTE: I used your firewall script but added two rules in the middle of the script.
post the result here so we can see if it worked; I believe it will. sorry for the delay in replying.






