GVT Modem with Fixed IP

1. GVT Modem with Fixed IP

Everton SANTOS ROCHA
alotus

(uses Fedora)

Sent on 24/09/2009 - 11:03h

Folks, I had a setup with a firewall forwarding e-mail messages coming from outside the company to a Lotus Notes server. I had two network cards in that server, one for the real (public) IP (eth0) on the external network and another with an IP for the internal network (eth1). Iptables controlled everything: Internet access and, of course, sending and receiving messages for our Lotus Notes server. Recently we signed up for GVT broadband with a fixed IP (the IP is on the modem, and it acts as a router: you just plug it in and the Internet works without problems). I can't get Internet access working for the other machines on my internal network, because I don't put the fixed IP on eth0, since it is already on the GVT modem. I only configured the IP of eth1 (the local network IP). I configured a machine on the internal network with GVT's DNS and the eth1 IP as gateway, but it gets no access. I'm something of a beginner with Linux. What am I doing wrong? Could someone help?

2. Re: GVT Modem with Fixed IP

Julian Castaman
maninhx

(uses Slackware)

Sent on 24/09/2009 - 12:32h

Post your Internet sharing rules here.


3. GVT Modem with Fixed IP

Everton SANTOS ROCHA
alotus

(uses Fedora)

Sent on 24/09/2009 - 14:04h

Thanks for the help.

The fixed IP is on the modem: 189.x.x.110 (TG508 GVT)

My eth0 is:
192.168.1.64
gateway 192.168.1.1
DNS: 200.175.5.139
200.175.89.139

My eth1 is:
192.168.0.4
my gateway: 192.168.1.64
DNS: 200.175.5.139
200.175.89.139

Here is my iptables script:
#!/bin/sh
# Fedora/Red Hat style init script: start() loads the ruleset, stop() flushes it.
# success() and failure() come from the distribution's init-script library.
. /etc/init.d/functions

IPTABLES="/sbin/iptables"
IPTABLES_CONFIG=/etc/sysconfig/iptables

# Run iptables against a table, but only if that table is actually loaded
# (used by stop and panic below)
iftable() {
    if grep -qsxF "$1" /proc/net/ip_tables_names; then
        $IPTABLES -t "$@"
    fi
}

start() {
#########
# Set variables with interfaces and IPs
#

INET_IFACE="eth0"        # interface towards the GVT modem (192.168.1.64)

LAN_IP="192.168.0.4"     # eth1 address given above; the script originally held the eth0 address (192.168.1.64) here
LAN_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

#########
# Define reserved networks (bogon list used only by the commented-out spoof checks below).
# NOTE: this list dates from when those blocks were still unallocated; most of them
# have since been assigned and must not be blocked on a current network.
#
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \
23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8 \
58.0.0.0/7 60.0.0.0/8 67.0.0.0/8 68.0.0.0/6 72.0.0.0/5 80.0.0.0/4 \
96.0.0.0/3 169.254.0.0/16 192.0.2.0/24 197.0.0.0/8 201.0.0.0/8 \
218.0.0.0/7 220.0.0.0/6 224.0.0.0/3"

#########
# Path to the iptables binary
#

IPTABLES="/sbin/iptables"

#########
# Load the required modules (legacy 2.6 names; newer kernels use nf_conntrack and friends)
#

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_tables
modprobe iptable_nat
modprobe ipt_state
#modprobe ipt_unclean
modprobe ipt_limit
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE

#########
# Set kernel parameters
#

echo "1" > /proc/sys/net/ipv4/ip_forward               # required: route between eth0 and eth1
# The next three trade TCP throughput for little or no security benefit
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter         # reverse-path check: drop packets whose source is not routable via the arriving interface
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians

#########
# Flush chains, delete user chains and set default policies.
# -F/-X without -t only touch the filter table, so the nat table is flushed
# explicitly; otherwise every restart appends duplicate DNAT/MASQUERADE rules.
#

$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

########
# Log spoofed packets
#

$IPTABLES -N log_spoofed
$IPTABLES -A log_spoofed -j LOG --log-prefix "FIREWALL - spoofed: " --log-level 7
$IPTABLES -A log_spoofed -j DROP

########
# Log unclean packets
#

$IPTABLES -N log_unclean
$IPTABLES -A log_unclean -j LOG --log-prefix "FIREWALL - unclean: " --log-level 7
$IPTABLES -A log_unclean -j DROP

########
# Log fragmented packets
#

$IPTABLES -N log_fragmentado
$IPTABLES -A log_fragmentado -j LOG --log-prefix "FIREWALL - fragmentado: " --log-level 7
$IPTABLES -A log_fragmentado -j DROP

########
# Log FTP connections
#

$IPTABLES -N log_ftp
$IPTABLES -A log_ftp -j LOG --log-prefix "FIREWALL - --FTP--: " --log-level 7
$IPTABLES -A log_ftp -j ACCEPT

#########
# NAT for incoming packets (port forwards to the internal servers)
#

# With the public IP on the TG508, these rules only see connections the modem
# itself forwards to this box's eth0 address
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 25 -j DNAT --to 192.168.0.3:25
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 -j DNAT --to 192.168.0.3:80
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 110 -j DNAT --to 192.168.0.3:110
#$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -d 189.x.x.110 -j DNAT --to 192.168.0.4:80
#$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128

#########
# NAT for outgoing packets: masquerade the internal network behind eth0
#
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INET_IFACE -j MASQUERADE

#########
# Allow packets on the loopback interface
#

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#########
# Block unclean and fragmented packets
# (--log-level belongs to the LOG target, not to a jump into a user chain;
# with it present iptables rejects the rule and it never gets loaded)
#

#$IPTABLES -A INPUT -i $INET_IFACE -m unclean -j log_unclean
$IPTABLES -A INPUT -f -i $INET_IFACE -j log_fragmentado

#########
# Protection against "Ping of Death"
#
#$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#########
# Protection against SYN flood, DoS, etc.
#
#$IPTABLES -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT

######### Protection against advanced port scanners (e.g. nmap)
#
#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

######### Protection against packets that could probe and obtain information about the internal network
#
#$IPTABLES -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

######### Protection against attacks
#
#$IPTABLES -A INPUT -m state --state INVALID -j DROP

#########
# Check for spoofed IPs (all disabled; note the LAN rule still uses 10.1.1.0/24, not 192.168.0.0/24)
#

#$IPTABLES -A INPUT -i $LAN_IFACE ! -s 10.1.1.0/24 -j log_spoofed
#$IPTABLES -A INPUT -i $INET_IFACE -d 172.31.1.1 -j ACCEPT
#$IPTABLES -A INPUT -i $INET_IFACE -s 10.0.0.0/8 -j log_spoofed
#$IPTABLES -A INPUT -i $INET_IFACE -s 172.16.0.0/12 -j log_spoofed
#$IPTABLES -A INPUT -i $INET_IFACE -s 192.168.0.0/16 -j log_spoofed
#$IPTABLES -A INPUT -i $INET_IFACE -s 127.0.0.0/8 -j log_spoofed
#$IPTABLES -A INPUT -i $INET_IFACE -s 255.255.255.255 -j log_spoofed
#for NET in $RESERVED_NET; do
# $IPTABLES -A INPUT -i $INET_IFACE -s $NET -j log_spoofed
#done
#$IPTABLES -A OUTPUT -o $INET_IFACE -d 0.0.0.0 -j log_spoofed
#$IPTABLES -A OUTPUT -o $INET_IFACE -d 10.0.0.0/8 -j log_spoofed
#$IPTABLES -A OUTPUT -o $INET_IFACE -d 172.16.0.0/12 -j log_spoofed
#$IPTABLES -A OUTPUT -o $INET_IFACE -d 192.168.0.0/16 -j log_spoofed
#$IPTABLES -A OUTPUT -o $INET_IFACE -d 224.0.0.0/4 -j log_spoofed
#$IPTABLES -A OUTPUT -o $INET_IFACE -d 240.0.0.0/5 -j log_spoofed

#########
# FORWARD chain
#

$IPTABLES -N good-bad
$IPTABLES -N bad-good
#$IPTABLES -N if-if

# Allow packets of established and related connections
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -s 192.168.0.0/24 -o $INET_IFACE -j good-bad
$IPTABLES -A FORWARD -s 0.0.0.0/0 -o $LAN_IFACE -j bad-good
#$IPTABLES -A FORWARD -s 192.168.0.0/24 -o $LAN_IFACE -j if-if

# Log everything else (rate-limited); the DROP policy then discards it.
# The original had "\ --log-level 7" on the first line, which broke the
# continuation and left the prefix line running as a separate command.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FIREWALL - forward drop: " --log-level 7

#########
# Access from the internal network to the Internet
#

#$IPTABLES -A good-bad -p tcp --dport :65000 -i $LAN_IFACE -j log_ftp
$IPTABLES -A good-bad -p tcp -s 192.168.0.3 --dport 25 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 443 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 25 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p udp --dport 53 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 1080 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 1081 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 3456 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 5800 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 5900 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 5631 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 5632 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 2631 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 8017 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 8080 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 1863 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 7001 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 3007 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 6881 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p icmp -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 465 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 995 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 5017 -i $LAN_IFACE -j ACCEPT
#########
#
# Access from the Internet to the servers
# (must match the DNAT targets above, or the forwarded connection is dropped)
#

$IPTABLES -A bad-good -p tcp -d 192.168.0.3 --dport 25 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.0.3 --dport 80 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.0.3 --dport 110 -i $INET_IFACE -j ACCEPT

#########
# INPUT chain
#

$IPTABLES -N bad-if
$IPTABLES -N good-if

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "FW - input - New not syn:" --log-level 7
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -j bad-if
$IPTABLES -A INPUT -i $LAN_IFACE -j good-if
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FIREWALL - input drop: " --log-level 7

# Services on the firewall itself reachable from the Internet side:
# 5900 is VNC and 1214 is the FastTrack/Kazaa port. Both are open to anything
# the modem forwards to eth0; consider limiting the VNC rule to a source address.
$IPTABLES -A bad-if -p TCP --dport 5900 -j ACCEPT
$IPTABLES -A bad-if -p TCP --dport 1214 -j ACCEPT

# Services on the firewall reachable from the internal network
$IPTABLES -A good-if -d 192.168.0.255 -j DROP
$IPTABLES -A good-if -d 255.255.255.255 -j DROP
# Proxy (3128)
$IPTABLES -A good-if -p TCP -s 192.168.0.0/24 --dport 3128 -j ACCEPT
# NetBIOS name service and SSH
$IPTABLES -A good-if -p UDP -s 192.168.0.0/24 -d 192.168.0.4 --dport 137 -j ACCEPT
$IPTABLES -A good-if -p TCP -s 192.168.0.0/24 -d 192.168.0.4 --dport 22 -j ACCEPT
#$IPTABLES -A if-if -p TCP -s 192.168.0.0/24 -d 192.168.0.3 --dport 80 -j ACCEPT
#$IPTABLES -A good-if -p TCP -s 192.168.0.0/24 --dport 53 -j ACCEPT
# Allow SNMP from the internal network
$IPTABLES -A good-if -p UDP -s 192.168.0.0/24 -d 192.168.0.4 --dport 161 -j ACCEPT
# Allow Apache on the internal network
$IPTABLES -A good-if -p TCP -s 192.168.0.0/24 -d 192.168.0.4 --dport 85 -j ACCEPT
# Silently drop SSDP/UPnP chatter
$IPTABLES -A good-if -p UDP -d 192.168.0.4 --dport 1900 -j DROP
$IPTABLES -A good-if -p ICMP -j ACCEPT

#########
# OUTPUT chain
#

$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "FW - output New not syn:" --log-level 7
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Everything the firewall itself sends is accepted, so the OUTPUT DROP policy
# and the log rule below are never reached
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -j ACCEPT

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FIREWALL - output drop: " --log-level 7
}

stop() {
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do iptables -t $i -F; done && \
success $"Flushing all chains:" || \
failure $"Flushing all chains:"
for i in $chains; do iptables -t $i -X; done && \
success $"Removing user defined chains:" || \
failure $"Removing user defined chains:"
echo -n $"Resetting built-in chains to the default ACCEPT policy:"
iftable filter -P INPUT ACCEPT && \
iftable filter -P OUTPUT ACCEPT && \
iftable filter -P FORWARD ACCEPT && \
iftable nat -P PREROUTING ACCEPT && \
iftable nat -P POSTROUTING ACCEPT && \
iftable nat -P OUTPUT ACCEPT && \
iftable mangle -P PREROUTING ACCEPT && \
iftable mangle -P OUTPUT ACCEPT && \
success $"Resetting built-in chains to the default ACCEPT policy" || \
failure $"Resetting built-in chains to the default ACCEPT policy"
echo
rm -f /var/lock/subsys/iptables
}

case "$1" in
start)
start
;;

stop)
stop
;;

restart)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
stop
start
;;

condrestart)
[ -e /var/lock/subsys/iptables ] && start
;;

status)
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for table in $tables; do
echo $"Table: $table"
iptables -t $table --list
done
;;

panic)
echo -n $"Changing target policies to DROP: "
iftable filter -P INPUT DROP && \
iftable filter -P FORWARD DROP && \
iftable filter -P OUTPUT DROP && \
iftable nat -P PREROUTING DROP && \
iftable nat -P POSTROUTING DROP && \
iftable nat -P OUTPUT DROP && \
iftable mangle -P PREROUTING DROP && \
iftable mangle -P OUTPUT DROP && \
success $"Changing target policies to DROP" || \
failure $"Changing target policies to DROP"
echo
iftable filter -F INPUT && \
iftable filter -F FORWARD && \
iftable filter -F OUTPUT && \
iftable nat -F PREROUTING && \
iftable nat -F POSTROUTING && \
iftable nat -F OUTPUT && \
iftable mangle -F PREROUTING && \
iftable mangle -F OUTPUT && \
success $"Flushing all chains:" || \
failure $"Flushing all chains:"
iftable filter -X INPUT && \
iftable filter -X FORWARD && \
iftable filter -X OUTPUT && \
iftable nat -X PREROUTING && \
iftable nat -X POSTROUTING && \
iftable nat -X OUTPUT && \
iftable mangle -X PREROUTING && \
iftable mangle -X OUTPUT && \
success $"Removing user defined chains:" || \
failure $"Removing user defined chains:"
;;

save)
echo -n $"Saving current rules to $IPTABLES_CONFIG: "
touch $IPTABLES_CONFIG
chmod 600 $IPTABLES_CONFIG
/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
success $"Saving current rules to $IPTABLES_CONFIG" || \
failure $"Saving current rules to $IPTABLES_CONFIG"
echo
;;

*)
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
exit 1
esac

exit 0
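The script above masquerades 192.168.0.0/24 out of eth0 and DNATs ports 25, 80 and 110 to 192.168.0.3. Two things make such a setup fail silently: a DNAT target that is not also accepted in the FORWARD chain (policy DROP), and a MASQUERADE rule that does not match the LAN subnet and WAN interface actually in use. The POSIX shell script below is an example added to this thread, not code from the original post or from GVT or Fedora; it audits an iptables-save dump offline for those conditions. The dump embedded in it is constructed for the example and modelled on the posted rules, and the subnet and interface names are assumptions taken from the post. With no argument it checks the embedded sample; given a file produced by iptables-save it checks a live ruleset.

```shell
#!/bin/sh
# Offline audit of an iptables-save dump for a LAN-behind-router NAT box.
# Example code added to the thread, not from the original post.
# Assumed (taken from the post): LAN is 192.168.0.0/24 on eth1, WAN is eth0.
# Usage: sh audit.sh [iptables-save-file]

LAN_NET="192.168.0.0/24"
WAN_IF="eth0"

# Constructed sample dump, modelled on the posted script: three DNATs into
# 192.168.0.3, but the filter table only accepts two of them in bad-good.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.3:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.3:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.3:110
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad-good - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -j bad-good
-A bad-good -d 192.168.0.3/32 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A bad-good -d 192.168.0.3/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Check 1: LAN traffic leaving the WAN interface is masqueraded.
has_masquerade() {
    printf '%s\n' "$1" |
        grep -qF -- "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Check 2: FORWARD accepts replies of tracked connections (state or conntrack
# match); without it LAN clients can send but never receive answers.
allows_established() {
    printf '%s\n' "$1" |
        grep -qE -- '^-A FORWARD .*--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'
}

# Check 3: every DNAT target (host:port) must also be accepted in the filter
# table; a DNAT without a matching accept is dropped by the FORWARD policy.
# Prints "host port" for each DNAT target that has no ACCEPT, one per line.
unforwarded_dnats() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to" || $i == "--to-destination") {
                    split($(i + 1), t, ":")
                    dnat[t[1] " " t[2]] = 1
                }
        }
        table == "filter" && /-j ACCEPT/ {
            ip = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") { ip = $(i + 1); sub(/\/32$/, "", ip) }
                if ($i == "--dport") port = $(i + 1)
            }
            if (ip != "" && port != "") fwd[ip " " port] = 1
        }
        END { for (k in dnat) if (!(k in fwd)) print k }
    ' | sort
}

# Run all checks against a dump and print a report.
report() {
    dump=$1
    if has_masquerade "$dump"; then echo "ok   MASQUERADE for $LAN_NET via $WAN_IF"
    else echo "FAIL no MASQUERADE for $LAN_NET via $WAN_IF"; fi
    if allows_established "$dump"; then echo "ok   FORWARD accepts ESTABLISHED,RELATED"
    else echo "FAIL FORWARD never accepts reply traffic"; fi
    missing=$(unforwarded_dnats "$dump")
    if [ -z "$missing" ]; then echo "ok   every DNAT target is accepted in the filter table"
    else printf 'FAIL DNAT target(s) not accepted in filter table:\n%s\n' "$missing"; fi
    # ip_forward can only be checked on the live box
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]; then echo "ok   ip_forward=1"
        else echo "FAIL ip_forward=0"; fi
    fi
    return 0
}

if [ -n "${1:-}" ] && [ -r "$1" ]; then
    report "$(cat "$1")"
else
    report "$SAMPLE_DUMP"
fi
```

On the sample the third check reports 192.168.0.3 110, the forwarded port with no accept rule. The audit cannot see the other half of this setup: with the public address on the TG508, the DNAT rules only ever receive connections that the modem itself forwards to the box's eth0 address, so the modem's own port forwarding to 192.168.1.64 has to be checked separately.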
