Debian + Iptables

1. Debian + Iptables

Tony Miranda
cyberwalk

(uses Debian)

Posted on 01/04/2007 - 13:32h

Hello everyone!

I am trying to set up a Linux server to do my internet sharing and protect the network.

I have Debian with Iptables 1.3.6 installed.
Two network interfaces: eth0 for the internet and eth1 for the local network.

eth0 is configured with a static IP, 10.0.0.2, and eth1 is likewise configured with an IP from my internal network.
PPPoE is configured correctly, since I can connect to VELOX and browse normally. The problem is that when I load the script I wrote to load the Iptables rules, nothing works on the internet any more.

Below is the script I wrote, based on the GUIA/Foca:
================================================

#!/bin/bash

#########################################################
# Variables
#########################################################

#iptables=/sbin/iptables

#--------------------------------------------------------
#########################################################
# Load modules
#########################################################

/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_conntrack
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG

#--------------------------------------------------------
#########################################################
# Enable routing in the kernel
#########################################################

echo "1" > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------
##########################################################
# Flush rules
##########################################################

iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat

#---------------------------------------------------------
##########################################################
# Protection against IP spoofing
##########################################################

for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
done

#----------------------------------------------------------
###########################################################
# Set the default policy
###########################################################

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#----------------------------------------------------------
###########################################################
# Filter table
###########################################################

### Chain INPUT ###
#----------------------------------------------------------
iptables -N PPP-INPUT
iptables -A INPUT -i ppp+ -j PPP-INPUT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -j DROP

#----------------------------------------------------------

### Chain FORWARD ###
#----------------------------------------------------------
# (no rules here; the default policy set above is DROP)
#----------------------------------------------------------

### Chain PPP-INPUT ###
#----------------------------------------------------------
# Only rate-limited ICMP is accepted on the PPP link; everything else is dropped
iptables -A PPP-INPUT -p icmp -m limit --limit 2/s -j ACCEPT
iptables -A PPP-INPUT -j DROP

#----------------------------------------------------------

#----------------------------------------------------------
###########################################################
# NAT
###########################################################

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 80 -j LOG --log-prefix "FW:www"
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 80 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 110 -j LOG --log-prefix "FW:POP"
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 110 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 25 -j LOG --log-prefix "FW:SMTP"
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 25 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.0/24 -j LOG --log-prefix "FW:SNAT_Desconecida"
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.0/24 -j DROP
# Catch-all: anything reaching this point in POSTROUTING is logged and dropped
iptables -t nat -A POSTROUTING -j LOG --log-prefix "FW:Desconhecido"
# The posted line read "iptables -t nat -j DROP", which names no chain and is
# rejected by iptables; POSTROUTING is the chain every rule above appends to
iptables -t nat -A POSTROUTING -j DROP
=================================================

It is precisely when I load these rules that I can no longer do anything on the internet.

Below is the ifconfig output.
================================================
istha-srv:~/firewall# ifconfig
eth0 Link encap:Ethernet HWaddr 00:D0:09:C1:F1:39
inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::2d0:9ff:fec1:f139/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:120381 errors:0 dropped:0 overruns:0 frame:0
TX packets:84080 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:173728522 (165.6 MiB) TX bytes:6844692 (6.5 MiB)
Interrupt:3 Base address:0xd400

eth1 Link encap:Ethernet HWaddr 00:02:44:63:4C:4A
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::202:44ff:fe63:4c4a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:202 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21135 (20.6 KiB) TX bytes:3329 (3.2 KiB)
Interrupt:11 Base address:0xd000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

ppp0 Link encap:Point-to-Point Protocol
inet addr:189.13.125.122 P-t-P:200.217.72.96 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:117493 errors:0 dropped:0 overruns:0 frame:0
TX packets:81167 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:170970327 (163.0 MiB) TX bytes:4965530 (4.7 MiB)
=================================================

In the syslog, when I try to ping or open a page, the following appears:
================================================
Apr 1 12:44:40 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=207.46.27.64 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45192 DF PROTO=TCP SPT=39643 DPT=1863 WINDOW=5808 RES=0x00 SYN URGP=0
Apr 1 12:45:03 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=207.46.26.69 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43512 DF PROTO=TCP SPT=56322 DPT=1863 WINDOW=5808 RES=0x00 SYN URGP=0
Apr 1 12:45:27 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=65.54.171.29 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23397 DF PROTO=TCP SPT=39451 DPT=1863 WINDOW=5808 RES=0x00 SYN URGP=0
Apr 1 12:45:39 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=207.46.26.191 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4802 DF PROTO=TCP SPT=38926 DPT=1863 WINDOW=5808 RES=0x00 SYN URGP=0
Apr 1 12:45:51 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=207.46.26.198 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16016 DF PROTO=TCP SPT=40388 DPT=1863 WINDOW=5808 RES=0x00 SYN URGP=0
Apr 1 12:50:10 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=200.149.55.140 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=59599 DF PROTO=UDP SPT=32837 DPT=53 LEN=43
Apr 1 12:50:10 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=216.239.37.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43100 SEQ=1
Apr 1 12:50:11 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=216.239.37.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43100 SEQ=2
Apr 1 12:51:31 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=207.46.27.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51578 DF PROTO=TCP SPT=38039 DPT=1863 WINDOW=5808 RES=0x00 SYN URGP=0
Apr 1 12:52:03 localhost kernel: FW:DesconhecidoIN= OUT=ppp0 SRC=189.13.125.122 DST=207.46.26.106 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41211 DF PROTO=TCP SPT=34377 DPT=1863 WINDOW=5808 RES=0x00 SYN URGP=0
================================================

I can't do anything at all once I load the rules; to be able to use the internet again I have to delete all the chains by hand, and only then does all the traffic come back.

If anyone can help me I would appreciate it.
Cheers!


2. Iptables

Glaucimar
bilizoi

(uses Slackware)

Posted on 23/05/2007 - 07:58h

Friend, I noticed two things (I don't know whether it will solve it): for your server's own access to the internet, you did not open INPUT. For your internal network's access to the internet, your FORWARD chain's default policy is DROP, that is, it will not let anyone out. In that case either you change the default policy or you write another rule to allow the internal network's access (I recommend the latter option).

I hope this helped...


3. Re: Debian + Iptables

Pátrick Simon das Neves Lima
ipfirewall

(uses Ubuntu)

Posted on 12/05/2014 - 08:54h

Friend, I agree with our colleague above. The error is in the rules that were not added; for instance, you set INPUT DROP, which means nothing will enter the
firewall, and if nothing is entering you have to add ACCEPT rules for tcp, udp and icmp in order to get a response from the web.
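A corrected ruleset that applies what both replies point out (let the firewall's own replies back in on INPUT, add explicit FORWARD rules for the LAN rather than changing the policy) and also removes the nat-table catch-all LOG/DROP, which the syslog excerpt shows matching the server's own outbound packets (IN= empty, OUT=ppp0). This is an added example, not the poster's script or anything from the thread; it assumes the addresses from the ifconfig above (LAN 192.168.0.0/24 on eth1, the PPPoE link on ppp0) and a kernel with the iptables state match.

```shell
#!/bin/sh
# Corrected ruleset for the thread's setup (added example, not the poster's
# script). IPT can be overridden (IPT=echo) to print the rules without loading.
IPT="${IPT:-/sbin/iptables}"
LAN=192.168.0.0/24
LAN_IF=eth1
WAN_IF=ppp0

enable_forwarding() {
  # Needs root; kept apart so the rule list can be reviewed before applying.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
}

apply_rules() {
  $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  # INPUT: the firewall's own connections need their replies let back in;
  # the original PPP-INPUT chain dropped everything except ICMP on ppp0.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$LAN_IF" -s "$LAN" -j ACCEPT
  $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
  $IPT -A INPUT -j LOG --log-prefix "FW:INPUT_drop "
  # FORWARD: explicit allow for LAN -> internet plus the return traffic,
  # keeping the DROP policy instead of changing it (the option recommended).
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -j ACCEPT
  $IPT -A FORWARD -j LOG --log-prefix "FW:FORWARD_drop "
  # NAT only rewrites addresses; filtering stays in the filter table. The
  # original catch-all LOG/DROP in POSTROUTING also matched the firewall's
  # own outbound packets (IN= empty, OUT=ppp0 in the syslog excerpt).
  $IPT -t nat -A POSTROUTING -s "$LAN" -o "$WAN_IF" -j MASQUERADE
}

# Print the rules instead of loading them, for review or testing.
rule_list() { ( IPT=echo; apply_rules ); }

if [ "${1:-}" = "--apply" ]; then
  enable_forwarding
  apply_rules
else
  rule_list
fi
```

Run it with no arguments to review the rule list; run it as root with --apply to load the rules.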
