FIREWALL NAO LIBERA REDE [RESOLVIDO]

feliperossi
(usa Debian)

Enviado em 12/05/2008 - 11:19h

GALERA NAO FIZ DE TUDO, TENTEI DE TUDO
NAO TEM MAIS JEITO UEHUEUEH
MEU SERVIDOR DE FIREWALL NAO LIBERA ACESSO A NET
NA REDE, NAO TEM MAIS NDA NO SERVIDOR SOH FIREWALL RODANDO
bom vo explicar certinho tudo q se passa primeiro::
- uma maquina rodando soh firewall
- 2 placas de redes
- na eth0 vem o cabo direto do modem
- na eth1 vai pro switch distribuir na rede

o negocio eh o seguinte a rede nao acessa a net,
nem com reza brava, jah a maquina firewall acessa normal
VO MANDAR AI MEU SCRIPT DE FIREWALL

ME AJUDEM NAO SEI MAIS O Q FAZER E MEU CHEFE TA PELA BOA COMIGO

#!/bin/bash
#
# chkconfig: 2345 03 92
# description: Regras de firewall
#
#######################################
# Define variaveis
#######################################

WAN=eth0
LAN=eth1
REDE=192.168.1.0/24
#http,https,dns,smtp,pop3,ssh,ftp,jabber,jabber/s
SRV_TCP=80,443,53,25,110,22,21,5222,5223
SRV_UDP=53

IPT=/sbin/iptables

case $1 in

start)

echo "iniciando Firewall"

echo 1 > /proc/sys/net/ipv4/ip_forward

#######################################
# Define politicas default
#######################################
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
#######################################
# Limpa todas as regras
#######################################
$IPT -t filter -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t raw -F
#########################################
# Liberar pacotes pertencentes a conexões
# permitidas
#########################################
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#########################################
# Liberar acessos da rede interna
#########################################
######## opcao 1 ########################
######## negar acesso a alguns servicos
######## e liberar o restante
#########################################
# Liberar tudo p/ o boss
#$IPT -A FORWARD -m mac --mac -source 00:11:D8:E6:5F:D4 -s 192.168.1.25 -j ACCEPT
### Negar acesso ao msn
#$IPT -A FORWARD -p tcp --dport 1863 -j DROP
#$IPT -A FORWARD -p tcp -m string --algo bm --from 40 --to 60 --string VER -j DROP
### Negar acesso ao googletalk
### Liberar primeiro servidor jabber da empresa(200.10.10.1)
#$IPT -A FORWARD -p tcp -m multiport -d 200.10.10.1 --dports 5222,5223 -j ACCEPT
#$IPT -A FORWARD -p tcp -m multiport --dports 5222,5223 -j DROP
### Liberar acessos restritos p/ o povo
#$IPT -A FORWARD -s 192.168.1.0./24 -i $SRV_TCP -j ACCEPT
##############################################
######## opcao 2 #############################
######## liberar acesso a alguns servicos
######## e negar o restante (politica default)
##############################################
$IPT -A FORWARD -s $WAN -p tcp -m multiport --dports 21,22,53,443,80,110 -j ACCEPT
#$IPT -A FORWARD -s $wAN -p udp -m udp --dport 53 -j ACCEPT
#$IPT -A FORWARD -d $wAN -p udp -m udp --sport 53 -j ACCEPT
#############################################
#$IPT -A OUTPUT -p tcp -m multiport --dports 21,25,53,80,110,443 -j ACCEPT
#$IPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#$IPT -A INPUT -p udp -m udp --sport 53 -j ACCEPT
#### Liberar acesso ao proxy (local)
$IPT -A INPUT -s $WAN -i $REDE -p tcp -m tcp --dport 3128 -j ACCEPT

##############################################
# IMPEDIMOS QUE UM ATACANTE POSSA MALICIOSAMENTE ALTAERA ALGUMA ROTA
##############################################
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Impedimos alterar alguma rota .......................[ OK ]"
#############################################
#CONTRA TROJANS
#############################################

$IPT -A INPUT -p TCP -i eth0 --dport 21 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 22 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 199 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 443 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 2049 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 53 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 23 -j DROP

$IPT -A INPUT -p TCP -i eth0 --dport 666 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 4000 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 6000 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 6006 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 16660 -j DROP
#############################################
#PROTECAO CONTRA TRINOO
#############################################
$IPT -A INPUT -p TCP -i eth0 --dport 27444 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 27665 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 31335 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 34555 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 35555 -j DROP

echo "Proteção contra trinoo ............................. [ OK ]"
#############################################
## PROTECAO CONTRA ACESSO EXTERNO SQUID
#############################################
$IPT -A INPUT -p TCP -i eth0 --dport 3128 -j DROP
$IPT -A INPUT -p TCP -i eth0 --dport 8080 -j DROP
echo "Proteção contra squid externo....................... [ OK ]"
#############################################
## PROTECAO CONTRA TELNET
#############################################
$IPT -A INPUT -p TCP -i eth0 --dport telnet -j DROP
echo "Proteção contra telnet ....................... [ OK ]"

#############################################
##CONTRA PORT SCANNERS
#############################################
#$IPT -N SCANNER
#$IPT -A SCANNER -m limit --limit 15/m -j LOG --log-prefix "FIREWALL: port scanner: "
#$IPT -A SCANNER -j DROP
#$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth0 -j SCANNER
#$IPT -A INPUT -p tcp --tcp-flags ALL NONE -i eth0 -j SCANNER
#$IPT -A INPUT -p tcp --tcp-flags ALL ALL -i eth0 -j SCANNER
#$IPT -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth0 -j SCANNER
#$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth0 -j SCANNER
#$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth0 -j SCANNER
#$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth0 -j SCANNER
echo "Scaner de Portas ....................................[ OK ]"

#############################################
# DROPA PACOTES TCP INDESEJAVEIS
#############################################
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#############################################
# DROPA PACOTES MAL FORMADOS
#############################################
#$IPT -A INPUT -i eth0 -m unclean -j DROP
#############################################
# PROTECAO CONTRA WORMS
#############################################
$IPT -A FORWARD -p tcp --dport 135 -i eth0 -j REJECT
#############################################
# PROTECAO CONTRA SYN-FLOOD
#############################################
$IPT -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
#############################################
# PROTECAO CONTRA PING DA MORTE
#############################################
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "Caregando tabela filter ............................ [ OK ]"

#############################################
# CONFIGURANDO A PROTECAO ANTI-SPOOFING
#############################################
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo "1" > $spoofing
#done
echo "Protecao anti-spoofing ..............................[ OK ]"
###########SETANDO PROTECAO CONTRA ATAQUES
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for i in /proc/sys/net/ipv4/conf/*; do
echo 0 >$i/accept_redirects
echo 0 >$i/accept_source_route
echo 1 >$i/log_martians
echo 1 >$i/rp_filter;
done
echo "Protecao contra ataques .............................[ OK ]"
#############################################

#############################################
# Liberar acessos aa DMZ
#############################################
$IPT -A FORWARD -p tcp -d $WAN -m multiport --dports $SRV_TCP -j ACCEPT
$IPT -A FORWARD -p udp -d $WAN -m udp --dport $SRV_UDP -j ACCEPT
$IPT -A FORWARD -p udp -s $WAN -m udp --sport $SRV_UDP -j ACCEPT
$IPT -A FORWARD -p udp -s $WAN -m udp --dport $SRV_UDP -j ACCEPT
$IPT -A FORWARD -p udp -d $WAN -m udp --sport $SRV_UDP -j ACCEPT

#############################################
# Liberar pings
#############################################
$IPT -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 0 -j ACCEPT
$IPT -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 3 -j ACCEPT
$IPT -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 5 -j ACCEPT
$IPT -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 8 -j ACCEPT
$IPT -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 11 -j ACCEPT
$IPT -A FORWARD -m limit --limit 5/s -p icmp --icmp-type 12 -j ACCEPT

#############################################
# Fazer masquerade da rede local
#############################################
$IPT -t nat -A POSTROUTING -s $WAN -o $LAN -j MASQUERADE

#############################################
# Fazer proxy transparente (nao funciona com autenticacao)
#############################################
#$IPT -t nat -A PREROUTING -s $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
;;

stop)
echo "limpando Firewall"
#######################################
# Define politicas default
#######################################
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#######################################
# Limpa todas as regras
#######################################
$IPT -t filter -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t raw -F
#########################################
;;

status)

$IPT -L -n

;;

*)
echo "Opcoes validas: (start|stop|status)"
;;

esac

marcosmiras
(usa CentOS)

Enviado em 12/05/2008 - 17:04h

Tenta essa daqui...
iptables -t nat -A POSTROUTING -s eth1 -d 0.0.0.0/0 -o eth0 -j MASQUERADE

marcosmiras
(usa CentOS)

Enviado em 12/05/2008 - 17:06h

Ah! Coloca no início do teu script essa linha (caso for Fedora ou Red Hat):

service iptables stop

No começo do script!!!

feliperossi
(usa Debian)

Enviado em 12/05/2008 - 17:24h

entao jah fiz com o chkconfig iptables off
mas ta [*****] nao sei mais o q fazer
pra funcionar isso aki
meu deus

marcosmiras
(usa CentOS)

Enviado em 13/05/2008 - 12:04h

Crie um novo script com o seguinte conteúdo:

#!/bin/bash
iptables -X
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

#Altere as variaveis de acordo com sua necessidade
localhost="127.0.0.0/8"
any="0.0.0.0/0"
lan="192.168.0.0/24"
if_lan="eth1"
if_wan="eth0"

iptables -A INPUT -s $localhost -d $any -j ACCEPT
iptables -A INPUT -s $lan -d $any -j ACCEPT
iptables -A FORWARD -i $if_lan -s $lan -d $any -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan -d $any -o $if_wan -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


Vê se rola...
[]'s

marcosmiras
(usa CentOS)

Enviado em 13/05/2008 - 12:05h

Ah! Evite usar caixa alta (caps look) no forum...

thudojorge
(usa Debian)

Enviado em 13/05/2008 - 12:25h

ok eu tava dando uma olhada no seu script e, ta agradavel, bem escrito.

simplesmente ou por distracao minha nao consigo ver uma linha levantando o modulo nat

acrescente a linha
modprob iptable_nat

elgio
(usa OpenSuSE)

Enviado em 13/05/2008 - 12:31h

Eta firewall confuso, tche!

Bem, como o teu problema é com a rede interna, APENAS O QUE ESTA NO FORWARD importa (além de algo na tabela nat).

A maioria está comentado, destaquei estes:

$IPT -P FORWARD DROP
OK

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Beleza!

$IPT -A FORWARD -s $WAN -p tcp -m multiport --dports 21,22,53,443,80,110 -j ACCEPT
Ops!
Eu colocaria INICIO DE CONEXÃO aqui, ou seja:

$IPT -A FORWARD -s $WAN -p tcp --syn -m multiport --dports 21,22,53,443,80,110 -j ACCEPT

As respostas irão casar com o STABLISHED,RELATED anterior.

$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
??????
Contra senso!
Pra que DROPAR pacotes NEW que não sejam início de conexão??? Esta regra é no mínimo desnecessária, pois já tem a do syn e STABLISHED!

#############################################
# PROTECAO CONTRA SYN-FLOOD
#############################################
$IPT -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

Cara, isto é o maior conto da caroxinha que alguém já escreveu. TREMENDA BOBAGEM. Leia meu artigo sobre SYN flood. Tire isto e ajude a divulgar que isto é uma IDIOTICE!


Como vi que tu já faz o nat, talvez o teu problema seja a regra com o NEW que citei.

thudojorge
(usa Debian)

Enviado em 13/05/2008 - 12:31h

ok um pequeno erro de digitacao, acrescente
modprobe iptable_nat
antes da linha
echo 1 > /proc/sys/net/ipv4/ip_forward

vlw

elgio
(usa OpenSuSE)

Enviado em 13/05/2008 - 12:37h

Como tu tem variáveis e MUITAS regras comentadas, não vi logo.

Pelo que vi faltou isto:

PORTAST="20,21,80,443" # portas que tua rede pode acessar
PORTASU="53" # portas UDP que tua rede pode acessar

$IPT -A FORWARD -s $LAN -s $REDE -p tcp --syn -m multiport --dports $PORTAST -j ACCEPT

$IPT -A FORWARD -s $LAN -s $REDE -p udp -m multiport --dports $PORTASU -j ACCEPT

thudojorge
(usa Debian)

Enviado em 13/05/2008 - 12:53h

bom eu tava estudando o seu script com mais atencao. muitas variaveis usadas em locais "nao apropriados" eu acho.
entao eu sugiro que vc de uma olhada na pagina, na linha de comandos digite
lynx /usr/share/doc/iptables/html/NAT-HOWTO.html

Acredito que ai vc pode encontrar ajuda.
qualquer duvida posta ai

feliperossi
(usa Debian)

Enviado em 19/05/2008 - 17:37h

bom galera, mto obrigado ateh agora, jah consegui compartilhar net na rede, com as politicas tudo ACCEPT mas qdo seto as politicas padrao default
e seto as regras para liberação se servições especificos, como internet, etc
as maquinas da rede ainda nao estao conectdando,
pode ser q eu esteja errando em alguma regra....
vo passar o script e refiz tudo novamente

#!/bin/bash
#
# chkconfig: 2345 03 92
# description: Regras de firewall
#
#######################################
# Define variaveis
#######################################

WAN=10.1.1.10
LAN=192.168.1.10
REDE="192.168.1.0/24"
#http,https,dns,smtp,pop3,ssh,ftp,jabber,jabber/s
#SRV_TCP="80,443,53,25,110,22,21,5222,5223"
#SRV_UDP=53
#TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
#TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"

#IPT=/sbin/iptables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE

case $1 in

start)

echo "Iniciando Firewall"

echo 1 > /proc/sys/net/ipv4/ip_forward

#######################################
# Define politicas default
#######################################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#######################################
# Limpa todas as regras
#######################################
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F
#########################################
# Liberar pacotes pertencentes a conexões permitidas
#########################################
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Liberar tudo p/ o boss
#iptables -A FORWARD -m mac --mac-source 00:18:8B:DF:F9:F7 -s 192.168.1.0 -j ACCEPT

### liberar acesso a alguns servicos
### e negar o restante (politica default)
##############################################
###REGRAS INPUT ##############################
iptables -A INPUT -p tcp -m multiport --dports 21,25,53,80,110,125,143,443 -j ACCEPT
iptables -A INPUT -d $REDE -j ACCEPT
iptables -A INPUT $eth1 -p tcp -m multiport --dports 21,25,53,80,110,125,143,443 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
##############################################
###REGRAS OUTPUT #############################
iptables -A OUTPUT -p tcp -m multiport --dports 21,25,53,80,110,125,143,443 -j ACCEPT
iptables -A OUTPUT -d $REDE -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 21,25,53,80,110,125,143,443 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
##############################################
###REGRAS FORWARD ############################
iptables -A FORWARD -i $eth1 -o $eth0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d $REDE -j ACCEPT
iptables -A FORWARD -s $REDE -d $WAN -p tcp -m multiport --dports 21,25,53,80,110,125,143,443 -j ACCEPT
iptables -A FORWARD -s $REDE -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -d $REDE -p udp -m udp --sport 53 -j ACCEPT

###LIBERA ACESSO A SERVICOS ESPECIFICOS
iptables -A FORWARD -s $REDE -d $WAN -p tcp -m multiport --dports 2082,2086,2095 -j ACCEPT

#### Liberar acesso ao proxy (local)
#iptables -A INPUT -s $REDE -i $WAN -p tcp -m tcp --dport 3128 -j ACCEPT


#############################################
# Fazer masquerade da rede local
#############################################
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#############################################
# Fazer proxy transparente sem autenticação
#############################################
#iptables -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128

;;

stop)
echo "limpando Firewall"
#######################################
# Define politicas default
#######################################
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#######################################
# Limpa todas as regras
#######################################
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F
#########################################
;;

status)

#iptables -L -n

;;

*)
echo "Opcoes validas: (start|stop|status)"
;;

esac