dhcp

1. dhcp

alcir
alcirto

(uses Kurumin)

Posted on 22/04/2010 - 09:43h

Folks, I set up a DHCP server with a fixed IP. I have two network cards, one with a fixed IP from Embratel and one with an internal IP. Everything runs without errors, but the client machines can't find my DHCP server.
Here is my configuration:
#############################################
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.199;
option routers 192.168.1.10;
option broadcast-address 192.168.1.255;
option domain-name-servers 200.255.255.66,200.255.255.73;

####################################################################################
# host reservations
####################################################################################

##########################################
### X's machine - Stock department
#########################################
host Estoque {
hardware ethernet 00:0A:E6:06:02:EE;
fixed-address 192.168.1.3;
}
}

Now my firewall, below:

#!/bin/sh
echo "| Script Firewall - IPTABLES"
echo "| Criado por Alcir Teixeira"

# Variables
# -------------------------------------------------------
iptables=/sbin/iptables
IF_EXTERNA=eth0
IF_INTERNA=eth1


# Load modules
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE


# Enable IP forwarding in the kernel
# -------------------------------------------------------
echo " | Ativando o redirecionamento"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "| OK.............................................[OK]"

# Protection against IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter


# Flush rules
# -------------------------------------------------------
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle


# Set the default policy
# -------------------------------------------------------
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

#################################################
# Accept everything coming in on the loopback interface (local machine)
#################################################

$iptables -A INPUT -j ACCEPT -i lo


#################################################
# FILTER table
#################################################

# Accept the packets that really should come in
# -------------------------------------------------------
$iptables -A INPUT ! -i $IF_EXTERNA -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


# Protection against trinoo
# -------------------------------------------------------
$iptables -N TRINOO
$iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
$iptables -A TRINOO -j DROP
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO


# Protection against trojans
# -------------------------------------------------------
$iptables -N TROJAN
$iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
$iptables -A TROJAN -j DROP
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN


# Protection against worms
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT


# Protection against SYN flood
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT


# Protection against ping of death
# -------------------------------------------------------
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


# Protection against port scanners
# -------------------------------------------------------
$iptables -N SCANNER
$iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
$iptables -A SCANNER -j DROP
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER


# Log access attempts to certain ports
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
$iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
$iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
$iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
$iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
$iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
$iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
$iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
$iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
$iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
$iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
$iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "

# -------------------------------------------------------
# The rules below are input rules; they open the services the network
# is using. All external access must be declared here, trusted machines too.
# -------------------------------------------------------

$iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport smtp -j ACCEPT
$iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport pop3 -j ACCEPT
$iptables -A INPUT -s 0/0 -d 0/0 -p udp --dport domain -j ACCEPT
$iptables -A INPUT -s 0/0 -d 0/0 -p tcp --dport www -j ACCEPT
$iptables -A INPUT -s 0/0 -d 0/0 -p udp --dport www -j ACCEPT


# Allow external access to certain ports
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j ACCEPT
$iptables -A INPUT -p tcp --dport 5900 -i $IF_EXTERNA -j ACCEPT
$iptables -A INPUT -p tcp --dport 5800 -i $IF_EXTERNA -j ACCEPT

################################################################################
# TRUSTED MACHINES, i.e. those that may access everything inside the network
################################################################################

######## Alcir's machine - IT dept. ########
$iptables -A FORWARD -s 192.168.1.63/255.255.255.255 -d 0/0 -p tcp -j ACCEPT
$iptables -A FORWARD -s 192.168.1.63/255.255.255.255 -d 0/0 -p udp -j ACCEPT
$iptables -A FORWARD -s 0/0 -d 192.168.1.63/255.255.255.255 -p tcp -j ACCEPT
$iptables -A FORWARD -s 0/0 -d 192.168.1.63/255.255.255.255 -p udp -j ACCEPT

######## IT dept. router ########
$iptables -A FORWARD -s 192.168.1.165/255.255.255.255 -d 0/0 -p tcp -j ACCEPT
$iptables -A FORWARD -s 192.168.1.165/255.255.255.255 -d 0/0 -p udp -j ACCEPT
$iptables -A FORWARD -s 0/0 -d 192.168.1.165/255.255.255.255 -p tcp -j ACCEPT
$iptables -A FORWARD -s 0/0 -d 192.168.1.165/255.255.255.255 -p udp -j ACCEPT


######## Leonardo's machine ########
$iptables -A FORWARD -s 192.168.1.100/255.255.255.255 -d 0/0 -p tcp -j ACCEPT
$iptables -A FORWARD -s 192.168.1.100/255.255.255.255 -d 0/0 -p udp -j ACCEPT
$iptables -A FORWARD -s 0/0 -d 192.168.1.100/255.255.255.255 -p tcp -j ACCEPT
$iptables -A FORWARD -s 0/0 -d 192.168.1.100/255.255.255.255 -p udp -j ACCEPT

######## Pendao's machine - Accountant ########
$iptables -A FORWARD -s 192.168.1.201/255.255.255.255 -d 0/0 -p tcp -j ACCEPT
$iptables -A FORWARD -s 192.168.1.201/255.255.255.255 -d 0/0 -p udp -j ACCEPT
$iptables -A FORWARD -s 0/0 -d 192.168.1.201/255.255.255.255 -p tcp -j ACCEPT
$iptables -A FORWARD -s 0/0 -d 192.168.1.201/255.255.255.255 -p udp -j ACCEPT



##################################################################################
# TRUSTED MACHINES, i.e. those that may access our server from outside
##################################################################################
#--------------------------------------------------------------------------------
#$iptables -A INPUT -s 200.251.53.2/255.255.255.255 -d 200.243.35.2/255.255.255.255 -p tcp --dport ssh -j ACCEPT # Alcir's home
#$iptables -A INPUT -s 200.251.53.2/255.255.255.255 -d 200.243.35.2/255.255.255.0 -p icmp -j ACCEPT # Alcir's home
#-------------------------------------------------------------------------


#################################################
# NAT table
#################################################


# Enable outbound masquerading
# -------------------------------------------------------
$iptables -A POSTROUTING -t nat -o $IF_EXTERNA -j MASQUERADE


# Transparent proxy
# -------------------------------------------------------
$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128

#################################################
# END OF CUSTOM FIREWALL
#################################################

Finally, here is my proxy configuration as well:


http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
visible_hostname Debian
error_directory /usr/share/squid/errors/Portuguese
cache_mgr informatica@insivi.com.br

cache_mem 64 MB
maximum_object_size_in_memory 64 kb
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
log_ip_on_direct on

cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

# acl - Recommended
#*****************************************************************************************************************
#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#
# acl - Custom
#*****************************************************************************************************************
# Check with the accounting staff and open ports for specific programs
# *** Define allowed ports
acl Safe_ports port 3050 # Interbase/Firebird
acl Safe_ports port 23000 # Serpro
acl Safe_ports port 13352 # SIRF
acl Safe_ports port 500 # FAP Digital
acl Safe_ports port 5009 # VNC
acl Safe_ports port 5008 # VNC
#*****************************************************************************************************************
#
# *** Define the internal network (Intranet)
acl intranet src 192.168.1.0/255.255.255.0
#*****************************************************************************************************************
#
# *** Define PC(s) with full privileges - CAREFUL!
acl admin arp "/etc/squid/list/admin.txt"
#*****************************************************************************************************************
# Allowed sites
acl sitesliberados url_regex -i "/etc/squid/list/sitesliberados.txt"

# *** Define the list of inappropriate sites
acl site dstdomain -i "/etc/squid/list/site.txt"
#
#*****************************************************************************************************************
#
# *** Define the list of inappropriate words
acl palavra url_regex -i "/etc/squid/list/palavra.txt"
#
#*****************************************************************************************************************
# *** Define blocked downloads
acl downloads urlpath_regex -i "/etc/squid/list/downloads.txt"
#*****************************************************************************************************************
#
#*****************************************************************************************************************
#
# *** Define PC(s) with no MSN access (blocked) 24h/day
#acl msn_block arp "/etc/squid/list/msn_block.txt"
acl msn dstdomain loginnet.passport.com
acl msnmessenger url_regex -i gateway.dll

#*****************************************************************************************************************
#
# *** Define PC(s) with no access to video and audio streaming 24h/day
acl mimeaplicativo rep_mime_type -i "/etc/squid/list/mimeaplicativo.txt"
#*****************************************************************************************************************
# http_access - Recommended
#*****************************************************************************************************************
#
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#*****************************************************************************************************************
# http_access - Custom
#****************************************************************************************************************
# allowed sites
http_access allow sitesliberados

# *** Deny inappropriate sites
http_access deny site
#*****************************************************************************************************************
# *** Deny inappropriate words
http_access deny palavra
#*****************************************************************************************************************
# *** Deny downloads
http_access deny downloads !admin
#*****************************************************************************************************************
# *** Deny MSN or web messenger
#http_access deny msn_block !admin msn !admin
#http_access deny msn_block msnmessenger !admin
#*****************************************************************************************************************
# *** Deny streaming
http_access deny mimeaplicativo !admin
#*****************************************************************************************************************
# Allow access from the internal network (Intranet)
http_access allow intranet
#*****************************************************************************************************************
# *** Deny everything that was not explicitly allowed or denied
http_access deny all



Folks, why isn't it working? Apparently there is no error; I have redone everything a bunch of times.
If anyone can tell me, I'd appreciate it.

2. Re: dhcp

Andre
krazy

(uses Debian)

Posted on 17/09/2013 - 17:28h

Friend, you changed the policy of the internal interface to DROP and forgot to add a rule to accept the requests coming from the DHCP clients.
Even though the post is old, this happens fairly often, which is why I decided to reply.



Regards,


Andre Lorentz
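As an added example (not from either post), these are the explicit rules the reply is pointing at: what a dhcpd sitting behind an INPUT/OUTPUT DROP policy needs on its LAN interface, plus a small audit helper that checks "iptables -S INPUT" output for such a rule. The interface name, the iptables path and the sample rulesets are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the original thread. Assumes eth1 is the LAN side
# and iptables lives at /sbin/iptables; both can be overridden via environment.
IPT="${IPT:-/sbin/iptables}"

# Print the command instead of running it when DRY_RUN=1
# (lets the rules be reviewed or tested without root).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# DHCP from the server's point of view, on the LAN interface given as $1.
allow_dhcp_server() {
    # DHCPDISCOVER/REQUEST arrive as UDP 0.0.0.0:68 -> 255.255.255.255:67.
    # Conntrack classifies them as NEW, so an ESTABLISHED,RELATED rule never
    # matches them; with a DROP policy they are silently discarded.
    ipt -A INPUT -i "$1" -p udp --sport 68 --dport 67 -j ACCEPT
    # DHCPOFFER/ACK leave as UDP :67 -> :68 (to broadcast until the client has
    # an address), so an OUTPUT DROP policy needs its own exception too.
    ipt -A OUTPUT -o "$1" -p udp --sport 67 --dport 68 -j ACCEPT
}

# Audit helper: reads "iptables -S INPUT" text on stdin and succeeds only if an
# ACCEPT rule for UDP destination port 67 (the DHCP server port) is present.
has_dhcp_accept() {
    grep -E -- '^-A INPUT .*-p udp .*--dport 67( |$).*-j ACCEPT' >/dev/null
}
```

Run with DRY_RUN=1 first to see the two rules; pipe "iptables -S INPUT" into has_dhcp_accept on a box where clients cannot obtain leases to confirm whether this is the missing piece.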





