Site stopped being reachable from outside, out of nowhere!! [SOLVED]

1. Site stopped being reachable from outside, out of nowhere!! [SOLVED]

Bruno
brunooo

(uses Debian)

Posted on 17/01/2012 - 12:13h

Good afternoon folks, the login is new but I've been using the site/forum for a long time!!

I've spent a few days researching what could have happened for the site to stop being reachable from outside! It stopped from one day to the next, but ssh, ftp, cameras, everything else I can access normally...

Does anyone have an idea what it could be? I've already looked at the files: resolv.conf, the bind ones, nsswitch, networks... and there were no changes; I even took a look at the domain registrar's site...

DETAIL: INTERNALLY it works.

I've already run a dig -x and a tracert from Windows and it shows the route normally.

Here's the firewall.sh

#!/bin/bash
###########################################################
echo "FIREWALL: Iniciando Firewall IPANEMA"
###########################################################
######################## VARIABLES ########################
###########################################################
echo " Carregando Variaveis..."
ETH_REDE="eth0"
ETH_WIRELESS="eth1"
ETH_INTERNET="eth2"
IP_GW_REDE="192.168.100.1"
IP_GW_WIRELESS="192.168.10.1"
IP_GW_INTERNET="10.0.0.3"
IP_INTERNET="189.1.183.177"
IP_CAMERAS="192.168.10.2"
IP_WIRELESS_IPANEMA="192.168.100.9"
IP_WIRELESS_MIAMI="192.168.100.10"

###########################################################
######################## POLICIES #########################
###########################################################
echo " Carregando Politicas..."
echo "0" > /proc/sys/net/ipv4/tcp_ecn

iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#############
### DEBUG ###
#############
#iptables -A INPUT -p tcp --dport 25:65535 -j LOG --log-prefix "DEBUG INPUT: "
#iptables -A OUTPUT -p tcp --dport 25:65535 -j LOG --log-prefix "DEBUG OUTPUT: "
#iptables -A FORWARD -p tcp --dport 25:65535 -j LOG --log-prefix "DEBUG FORWARD: "

###########################################################
########################### NAT ###########################
###########################################################
echo " Carregando NAT..."
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o $ETH_INTERNET -j MASQUERADE

###########################################################
####################### PROTECTIONS #######################
###########################################################
echo " Carregando Protecoes..."
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j RETURN
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" >$i
done

iptables -A INPUT -p icmp -m limit --limit 1/s -j LOG --log-level info --log-prefix "IPTABLES DROPPED ICMP: "
iptables -A INPUT -p tcp -m limit --limit 1/s -j LOG --log-level info --log-prefix "IPTABLES DROPPED TCP: "
iptables -A INPUT -p udp -m limit --limit 1/s -j LOG --log-level info --log-prefix "IPTABLES DROPPED UDP: "
iptables -A INPUT -f -m limit --limit 1/s -j LOG --log-level warning --log-prefix "IPTABLES DROPPED FRAGMENT: "
iptables -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPTABLES INPUT packet died: "
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPTABLES INPUT packet died: "

###########################################################
################### Transparent PROXY ###################
###########################################################
# ADD THE SITES THAT CAUSE PROBLEMS HERE, EXEMPTING THEM FROM THE PROXY
echo " Carregando Proxy Transparente..."
#################################
### WWW/MAIL internal network ###
#################################
iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp --dport 80 -j REDIRECT --to-port 3128

#################################
### WWW/MAIL WIRELESS network ###
#################################
iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp --dport 80 -j REDIRECT --to-port 3128

###########################################################
########################## INPUT ##########################
###########################################################
echo " Carregando Inputs..."
#iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "IPTABLES INPUT FTP: "
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "IPTABLES INPUT SSH: "
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp --dport 25 -j LOG --log-prefix "IPTABLES INPUT SMTP: "
#iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "IPTABLES INPUT HTTP: "
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 110 -j LOG --log-prefix "IPTABLES INPUT POP3: "
#iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp --dport 143 -j LOG --log-prefix "IPTABLES INPUT IMAP: "
#iptables -A INPUT -p tcp --dport 143 -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "IPTABLES INPUT HTTPS: "
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#iptables -A INPUT -p tcp --dport 465 -j LOG --log-prefix "IPTABLES INPUT SMTPS: "
#iptables -A INPUT -p tcp --dport 465 -j ACCEPT
#iptables -A INPUT -p tcp --dport 993 -j LOG --log-prefix "IPTABLES INPUT IMAPS: "
#iptables -A INPUT -p tcp --dport 993 -j ACCEPT
#iptables -A INPUT -p tcp --dport 995 -j LOG --log-prefix "IPTABLES INPUT POP3S: "
#iptables -A INPUT -p tcp --dport 995 -j ACCEPT

#iptables -A INPUT -i $ETH_REDE -p tcp --dport 3050 -j LOG --log-prefix "IPTABLES FIREBIRD: "
#iptables -A INPUT -i $ETH_REDE -p tcp --dport 3050 -j ACCEPT

#iptables -A INPUT -i $ETH_REDE -p tcp --dport 3060 -j LOG --log-prefix "IPTABLES FIREBIRD: "
#iptables -A INPUT -i $ETH_REDE -p tcp --dport 3060 -j ACCEPT
#iptables -A INPUT -p tcp --dport 3128 -j LOG --log-prefix "IPTABLES SQUID: "
#iptables -A INPUT -p tcp --dport 3128 -j ACCEPT


###########################################################
######################## REDIRECTS ########################
###########################################################
echo " Carregando Redirecionamentos..."
###########################################################
########################### SIP ###########################
###########################################################
### LOG ###
###########
iptables -t nat -A PREROUTING -p tcp --dport 21 -j LOG --log-prefix "IPTABLES NAT PRE FTP: "
iptables -t nat -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "IPTABLES NAT PRE SSH: "
iptables -t nat -A PREROUTING -p tcp --dport 25 -j LOG --log-prefix "IPTABLES NAT PRE SMTP: "
iptables -t nat -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "IPTABLES NAT PRE HTTP: "
iptables -t nat -A PREROUTING -p tcp --dport 110 -j LOG --log-prefix "IPTABLES NAT PRE POP3: "
iptables -t nat -A PREROUTING -p tcp --dport 143 -j LOG --log-prefix "IPTABLES NAT PRE IMAP: "
iptables -t nat -A PREROUTING -p tcp --dport 443 -j LOG --log-prefix "IPTABLES NAT PRE HTTPS: "
iptables -t nat -A PREROUTING -p tcp --dport 465 -j LOG --log-prefix "IPTABLES NAT PRE SMTPS: "
iptables -t nat -A PREROUTING -p tcp --dport 993 -j LOG --log-prefix "IPTABLES NAT PRE IMAPS: "
iptables -t nat -A PREROUTING -p tcp --dport 995 -j LOG --log-prefix "IPTABLES NAT PRE POP3S: "

#################################
### WWW/MAIL/FTP/SSH internet ###
#################################
echo " - WWW/MAIL/FTP/SSH internet"
#
# ONLY CHANGE THE DESTINATION IP IF NECESSARY
#
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 21 -j DNAT --to-dest 10.0.0.3:21 #FTP
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 22 -j DNAT --to-dest 10.0.0.3:22 #SSH
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 25 -j DNAT --to-dest 10.0.0.3:25 #SMTP
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 80 -j DNAT --to-dest 10.0.0.3:80 #HTTP
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 110 -j DNAT --to-dest 10.0.0.3:110 #POP3
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 143 -j DNAT --to-dest 10.0.0.3:143 #IMAP
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 443 -j DNAT --to-dest 10.0.0.3:443 #HTTPS
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 465 -j DNAT --to-dest 10.0.0.3:465 #SMTPS
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 993 -j DNAT --to-dest 10.0.0.3:993 #IMAPS
#iptables -t nat -A PREROUTING -i $ETH_INTERNET -p tcp --dport 995 -j DNAT --to-dest 10.0.0.3:995 #POP3S

#########################################
### WWW/MAIL/FTP/SSH internal network ###
#########################################
echo " - WWW/MAIL/FTP/SSH rede interna"
#
# ONLY CHANGE THE DESTINATION IP IF NECESSARY
#
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 21 -j DNAT --to-dest 10.0.0.3:21
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 22 -j DNAT --to-dest 10.0.0.3:22
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 25 -j DNAT --to-dest 10.0.0.3:25
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 80 -j DNAT --to-dest 10.0.0.3:80
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 110 -j DNAT --to-dest 10.0.0.3:110
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 143 -j DNAT --to-dest 10.0.0.3:143
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 443 -j DNAT --to-dest 10.0.0.3:443
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 465 -j DNAT --to-dest 10.0.0.3:465
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 993 -j DNAT --to-dest 10.0.0.3:993
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d $IP_INTERNET --dport 995 -j DNAT --to-dest 10.0.0.3:995

#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 21 -j DNAT --to-dest 10.0.0.3:21
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 22 -j DNAT --to-dest 10.0.0.3:22
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 25 -j DNAT --to-dest 10.0.0.3:25
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 80 -j DNAT --to-dest 10.0.0.3:80
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 110 -j DNAT --to-dest 10.0.0.3:110
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 143 -j DNAT --to-dest 10.0.0.3:143
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 443 -j DNAT --to-dest 10.0.0.3:443
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 465 -j DNAT --to-dest 10.0.0.3:465
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 993 -j DNAT --to-dest 10.0.0.3:993
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d www.ipmfl.com --dport 995 -j DNAT --to-dest 10.0.0.3:995

#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 21 -j DNAT --to-dest 10.0.0.3:21
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 22 -j DNAT --to-dest 10.0.0.3:22
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 25 -j DNAT --to-dest 10.0.0.3:25
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 80 -j DNAT --to-dest 10.0.0.3:80
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 110 -j DNAT --to-dest 10.0.0.3:110
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 143 -j DNAT --to-dest 10.0.0.3:143
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 443 -j DNAT --to-dest 10.0.0.3:443
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 465 -j DNAT --to-dest 10.0.0.3:465
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 993 -j DNAT --to-dest 10.0.0.3:993
#iptables -t nat -A PREROUTING -i $ETH_REDE -p tcp -d mail.ipmfl.com --dport 995 -j DNAT --to-dest 10.0.0.3:995

#########################################
### WWW/MAIL/FTP/SSH wireless network ###
#########################################
echo " - WWW/MAIL/FTP/SSH rede wireless"
#
# ONLY CHANGE THE DESTINATION IP IF NECESSARY
#
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 21 -j DNAT --to-dest 10.0.0.3:21
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 22 -j DNAT --to-dest 10.0.0.3:22
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 25 -j DNAT --to-dest 10.0.0.3:25
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 80 -j DNAT --to-dest 10.0.0.3:80
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 110 -j DNAT --to-dest 10.0.0.3:110
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 143 -j DNAT --to-dest 10.0.0.3:143
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 443 -j DNAT --to-dest 10.0.0.3:443
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 465 -j DNAT --to-dest 10.0.0.3:465
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 993 -j DNAT --to-dest 10.0.0.3:993
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d $IP_INTERNET --dport 995 -j DNAT --to-dest 10.0.0.3:995

#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 21 -j DNAT --to-dest 10.0.0.3:21
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 22 -j DNAT --to-dest 10.0.0.3:22
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 25 -j DNAT --to-dest 10.0.0.3:25
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 80 -j DNAT --to-dest 10.0.0.3:80
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 110 -j DNAT --to-dest 10.0.0.3:110
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 143 -j DNAT --to-dest 10.0.0.3:143
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 443 -j DNAT --to-dest 10.0.0.3:443
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 465 -j DNAT --to-dest 10.0.0.3:465
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 993 -j DNAT --to-dest 10.0.0.3:993
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d www.ipmfl.com --dport 995 -j DNAT --to-dest 10.0.0.3:995

#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 21 -j DNAT --to-dest 10.0.0.3:21
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 22 -j DNAT --to-dest 10.0.0.3:22
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 25 -j DNAT --to-dest 10.0.0.3:25
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 80 -j DNAT --to-dest 10.0.0.3:80
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 110 -j DNAT --to-dest 10.0.0.3:110
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 143 -j DNAT --to-dest 10.0.0.3:143
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 443 -j DNAT --to-dest 10.0.0.3:443
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 465 -j DNAT --to-dest 10.0.0.3:465
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 993 -j DNAT --to-dest 10.0.0.3:993
#iptables -t nat -A PREROUTING -i $ETH_WIRELESS -p tcp -d mail.ipmfl.com --dport 995 -j DNAT --to-dest 10.0.0.3:995


There's one more piece about the cameras and the system....


#########################
########## END ##########
#########################
echo "FIREWALL: Terminado"


Thanks


2. BEST ANSWER

André Canhadas
andrecanhadas

(uses Debian)

Posted on 18/01/2012 - 11:32h

Those guys block ports and don't even let you know:
The right thing would be for them to get in touch and warn about such a block.
But the puzzle was worth it.. Cheers

3. Uncomment lines

André Canhadas
andrecanhadas

(uses Debian)

Posted on 17/01/2012 - 12:53h

Uncomment the lines:

#iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "IPTABLES INPUT HTTP: "
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT




4. Re: Site stopped being reachable from outside, out of nowhere!! [SOLVED]

Bruno
brunooo

(uses Debian)

Posted on 17/01/2012 - 13:19h

andrecanhadas wrote:

Uncomment the lines:

#iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "IPTABLES INPUT HTTP: "
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT




André... I had already done that and it didn't work either! I've uncommented everything and it still doesn't work :(



5. iptables output

André Canhadas
andrecanhadas

(uses Debian)

Posted on 17/01/2012 - 13:33h

brunooo wrote:

andrecanhadas wrote:

Uncomment the lines:

#iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "IPTABLES INPUT HTTP: "
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT




André... I had already done that and it didn't work either! I've uncommented everything and it still doesn't work :(


Post the iptables output:

iptables -L > /path/iptable.log


6. Re: Site stopped being reachable from outside, out of nowhere!! [SOLVED]

Bruno
brunooo

(uses Debian)

Posted on 17/01/2012 - 13:40h

(only with the line you told me to uncomment)

iptables -L


Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG icmp -- anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `IPTABLES DROPPED ICMP: '
LOG tcp -- anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `IPTABLES DROPPED TCP: '
LOG udp -- anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `IPTABLES DROPPED UDP: '
LOG all -f anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `IPTABLES DROPPED FRAGMENT: '
LOG all -- anywhere anywhere limit: avg 1/min burst 3 LOG level debug prefix `IPTABLES INPUT packet died: '
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPTABLES INPUT packet died: '
LOG tcp -- anywhere anywhere tcp dpt:www LOG level warning prefix `IPTABLES INPUT HTTP: '
ACCEPT tcp -- anywhere anywhere tcp dpt:www

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN icmp -- anywhere anywhere icmp echo-reply limit: avg 1/sec burst 5

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED

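A plain iptables -L, like the one above, hides interface matches and packet counters: the first INPUT line, "ACCEPT all -- anywhere anywhere", is really the "-i lo" rule from firewall.sh, but listed this way it looks like an accept-everything rule. The sh script below is an added example, not from the thread; the listing embedded in it is a constructed "iptables -L INPUT -n -v" dump shaped like Bruno's ruleset with the port-80 rules uncommented, and its counters are invented. It walks such a dump the way the kernel would for a new TCP connection on a given interface and port, and reports the first terminating rule with its packet counter, or the chain policy when nothing terminates. The counter is the useful part when a port is open in the firewall but unreachable from outside: if it stays at zero while external clients are trying, the packets never reach the host at all, which points upstream rather than at the ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): decide what chain CHAIN would do with a
# NEW tcp packet arriving on interface IFACE for destination port DPORT, by
# reading an `iptables -L <chain> -n -v` listing on stdin.

# Constructed sample dump, shaped like firewall.sh's INPUT chain with the
# port-80 rules uncommented; the pkts/bytes counters are invented.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4300  310K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    7   420 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "IPTABLES DROPPED ICMP: "
   52  3100 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "IPTABLES DROPPED TCP: "
   11   700 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4 prefix "IPTABLES INPUT HTTP: "
   11   700 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    9   540 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3128'

# chain_verdict CHAIN IFACE DPORT  (listing on stdin)
# Prints "<TARGET> rule pkts=<n>" for the first ACCEPT/DROP/REJECT rule that
# matches, or "<POLICY> policy" when the packet falls off the end of the chain.
chain_verdict() {
  awk -v chain="$1" -v iface="$2" -v port="$3" '
    # "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)": the policy is field 4
    $1 == "Chain" { inchain = ($2 == chain); if (inchain) policy = $4; next }
    !inchain || $1 == "pkts" || NF == 0 { next }
    {
      target = $3; proto = $4; in_if = $6
      rest = ""                               # match extensions, column 10 onwards
      for (i = 10; i <= NF; i++) rest = rest " " $i
      # interface restriction: "*" matches any interface
      if (in_if != "*" && in_if != iface) next
      # protocol: only "all" or "tcp" can match our tcp packet
      if (proto != "all" && proto != "tcp") next
      # port: an explicit dpt: must equal ours; a rule with no dpt matches every port
      if (index(rest, "dpt:") > 0 && index(rest, "dpt:" port " ") == 0 && rest !~ ("dpt:" port "$")) next
      # conntrack state rules without NEW cannot match the first packet of a connection
      if (index(rest, "state") > 0 && index(rest, "NEW") == 0) next
      # LOG and other non-terminating targets let the packet continue down the chain
      if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
        print target " rule pkts=" $1
        found = 1
        exit
      }
    }
    END { if (!found) print policy " policy" }'
}

# sample_verdict IFACE DPORT: run the check against the constructed dump
sample_verdict() {
  printf '%s\n' "$SAMPLE_LISTING" | chain_verdict INPUT "$1" "$2"
}

# Real use: iptables -L INPUT -n -v | chain_verdict INPUT eth2 80
sample_verdict eth2 80     # ACCEPT rule pkts=11
sample_verdict eth2 3128   # ACCEPT policy (the 3128 rule is bound to eth0)
```

Note that it only understands the "-n -v" column layout; with a plain "-L" the in/out columns are missing and the first INPUT rule would wrongly read as accepting everything, which is exactly the ambiguity in the listing above.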


7. Ok

André Canhadas
andrecanhadas

(uses Debian)

Posted on 17/01/2012 - 13:48h

The port is open in the firewall; the problem may be in the web server, or, if port 80 is forwarded to another machine, in that other machine's firewall.

Do a test from outside using: telnet ip_externo 80

Your firewall is only serving to forward ports and share the internet connection.

I recommend the INPUT DROP policy and opening only the ports you need.

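What a default-deny INPUT chain of the kind André recommends can look like, as an added example that is not from the thread and not Bruno's script: the interface names and the port list are assumptions modelled on firewall.sh's variables, "run" is a hypothetical wrapper that prints the commands when DRY_RUN=1 instead of applying them, and the policy is switched to DROP only after the loopback, established-connection and per-port rules are in place, so that applying it over ssh does not cut the session off.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT chain in the spirit
# of "policy INPUT DROP, open only what you need". Interface names and ports
# below are assumptions modelled on firewall.sh's variables.
IPT="${IPT:-/sbin/iptables}"
ETH_INTERNET="${ETH_INTERNET:-eth2}"                 # interface facing the provider
LAN_IFACES="${LAN_IFACES:-eth0 eth1}"                # trusted internal networks
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-22 80 443}"    # services exposed to the internet

# run: hypothetical helper; with DRY_RUN=1 it prints the command instead of
# executing it, so the ruleset can be reviewed (and tested) without root.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

apply_input_policy() {
  # open the policy before flushing: a re-run never leaves a window with
  # policy DROP and no rules, which would stall an ssh session mid-script
  run "$IPT" -P INPUT ACCEPT
  run "$IPT" -F INPUT
  run "$IPT" -A INPUT -i lo -j ACCEPT
  # replies to connections the host itself opened, and related traffic
  run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run "$IPT" -A INPUT -m state --state INVALID -j DROP
  # internal networks behind the firewall stay trusted, as in firewall.sh
  for lan in $LAN_IFACES; do
    run "$IPT" -A INPUT -i "$lan" -j ACCEPT
  done
  # only the listed services accept new connections from the internet side
  for p in $PUBLIC_TCP_PORTS; do
    run "$IPT" -A INPUT -i "$ETH_INTERNET" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  # log what is about to be dropped, rate-limited, with a prefix that is true
  run "$IPT" -A INPUT -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "IPTABLES INPUT DROP: "
  # policy last: everything that must keep working is already accepted above
  run "$IPT" -P INPUT DROP
}

# dry_run_rules: the commands a dry run would emit, one per line
dry_run_rules() { ( DRY_RUN=1; apply_input_policy ); }

# count_port_rules: number of per-port ACCEPT rules in the dry run
count_port_rules() { dry_run_rules | grep -c -- '--dport'; }

# last_rule: the final command emitted, which must be the policy change
last_rule() { dry_run_rules | tail -n 1; }

# Preview the ruleset; to apply it for real, call apply_input_policy as root.
dry_run_rules
```

Compared with firewall.sh, the LOG rule now sits directly in front of the drop it announces; in the original script the "IPTABLES DROPPED ..." prefixes log traffic that is in fact accepted by the ACCEPT policy, which makes the logs misleading when diagnosing exactly this kind of problem.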

8. Re: Site stopped being reachable from outside, out of nowhere!! [SOLVED]

Phillip Vieira
phrich

(uses Slackware)

Posted on 17/01/2012 - 14:15h

Man, sorry if I'm wrong, since I looked at your script in a hurry, but you didn't create a FORWARD rule for your server, right?

If I'm right, create a forward rule, since your web server is behind the firewall.

iptables -A FORWARD -p tcp --dport 80 -d ip_do_servidor -j ACCEPT


9. Re: Site stopped being reachable from outside, out of nowhere!! [SOLVED]

Bruno
brunooo

(uses Debian)

Posted on 17/01/2012 - 14:29h

André, it doesn't connect... and apache is on this same server

Cheers


10. Add

André Canhadas
andrecanhadas

(uses Debian)

Posted on 17/01/2012 - 15:22h

brunooo wrote:

André, it doesn't connect... and apache is on this same server

Cheers


Change the beginning of your firewall: (It will enable all the modules, in case any is disabled, and clear any rule that is active)

/sbin/modprobe ip_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_state
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_string
## Flushing the existing rules #######
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -Z


11. Re: Site stopped being reachable from outside, out of nowhere!! [SOLVED]

Bruno
brunooo

(uses Debian)

Posted on 17/01/2012 - 15:37h

André, thanks for the help and the patience, but still nothing! hehehehe :(

Cheers


12. Re: Site stopped being reachable from outside, out of nowhere!! [SOLVED]

Bruno
brunooo

(uses Debian)

Posted on 17/01/2012 - 16:17h

could I be forgetting to check some other file? Because it's strange, everything works from outside except the blessed port 80...

I've already compared the files mentioned earlier with a backup from 1 month ago and there was no change...

the site simply stopped from one day to the next!


