icefusion
(usa Debian)
Enviado em 01/10/2008 - 13:59h
continuo com o problema de não conseguir redirecionar o acesso ao terminal server do windows, não consigo enviar e receber emails pelos clientes de email outlook e incredimail xe e tb. E não consigo navegar na internet sem o proxy!
--------------------------------------------------------------------
fiz um teste com nmap:
--------------------------------------------------------------------
Starting Nmap 4.03 (
http://www.insecure.org/nmap/ ) at 2008-10-01 13:40 BRT
Interesting ports on r249-pr-tamanduatei.ibys.com.br (187.0.120.223):
(The 1665 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
915/tcp open unknown
948/tcp open unknown
2049/tcp open nfs
3128/tcp open squid-http
10000/tcp open snet-sensor-mgmt
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10
Nmap finished: 1 IP address (1 host up) scanned in 2.102 seconds
------------------------------------------------------------------
as configurações do firewall atuais são essas!
------------------------------------------------------------------
#!/bin/sh
#INET_ADDRESS=$(ifconfig ppp0 | grep inet | cut -d: -f2 | sed -e 's/ //' | cut -d" " -f1)
#INET_ADRESS ='ip addr show ppp0 | fgrep inet | cut -f6 -d " "'
iptables=/sbin/iptables
IF_EXTERNA=ppp0
IF_INTERNA=eth0
#Ativa modulos#
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#Ativa Roteamento no Kernel#
echo "1" > /proc/sys/net/ipv4/ip_forward
#Ativa Protecao contra IP spoofing#
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#Zera Regras#
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle
#Determina Politica Padrao#
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD DROP
#Liberando Portas
#Porta 3389
$iptables -A INPUT -p tcp --sport 3389 -j ACCEPT
$iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 3389 -j ACCEPT
$iptables -A FORWARD -p tcp --sport 3389 -j ACCEPT
$iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
#Cria rota para servidor TERMINAL SERVER
#$iptables -t filter -A INPUT -i ppp0 -p tcp --dport 3389 -j ACCEPT
#$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3389 -j DNAT --to 192.168.1.4:3389
#$iptables -A FORWARD -p tcp -s 0/0 -d 192.168.1.4 --dport 3389 -j ACCEPT
#$iptables -A FORWARD -p tcp -d 0/0 -s 192.168.1.4 --sport 3389 -j ACCEPT
#$iptables -A PREROUTING -t nat -p tcp -d 187.10.120.223 --dport 3389 -j DNAT --to 192.168.1.4:3389
#$iptables -A FORWARD -s 0/0 -m tcp -p tcp -i ppp0 --dport 3389 -j ACCEPT
#$iptables -A FORWARD -s 192.168.1.4 -m tcp -p tcp --sport 3389 -j ACCEPT
#$iptables -t nat -A PREROUTING -s 0/0 -m tcp -p tcp -i ppp0 --dport 3389 -j DNAT --to-destination 192.168.1.4
#$iptables -A FORWARD -i eth1 -p tcp --dport 3389 -j ACCEPT
#$iptables -A PREROUTING -i eth1 -t nat -p tcp --dport 3389 -j DNAT --to 192.168.1.4:3389
#$iptables -A INPUT -i eth0 -p udp --dport 3389 -j ACCEPT
#$iptables -A FORWARD -i eth0 -o eth1 -s 0/0 -d 192.168.1.4 -p tcp --dport 3389 -j ACCEPT
#$iptables -A FORWARD -i eth0 -o eth1 -s 0/0 -d 192.168.1.4 -p udp --dport 3389 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j dnat --to-destination 192.168.1.4:3389
#$iptables -A FORWARD -i eth0 -d 192.168.1.4 -p tcp --dport 3389 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3389 -j dnat --to-destination 192.168.1.4:3389
#$iptables -A FORWARD -i eth0 -d 192.168.1.4 -p tcp --dport 3389 -j ACCEPT
#$iptables -t nat -A PREROUTING -p tcp --dport 3389 -j dnat --to-destination 192.168.1.4
#Dropa pacotes TCP indesejaveis
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#Dropa pacotes mal formados
#$iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL pacote mal formado: "
#$iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP
#Aceita pacotes que realmente devem entrar
$iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A INPUT -p ICMP -i $IF_EXTERNA -j ACCEPT
#Protecao conta trinoo
$iptables -N TRINOO
$iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
$iptables -A TRINOO -j DROP
$iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 27444 -j TRINOO
$iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 27665 -j TRINOO
$iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 31335 -j TRINOO
$iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 34555 -j TRINOO
$iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 35555 -j TRINOO
#Protecao contra trojans
$iptables -N TROJAN
$iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
$iptables -A TROJAN -j DROP
$iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 4000 -j TROJAN
$iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 16660 -j TROJAN
#Protecao contra worms
$iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT
#Protecao contra syn-flood
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
#Protecao contra ping da morte
$iptables -A FORWARD -p ICMP --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Protecao contra port scanners
$iptables -N SCANNER
$iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
$iptables -A SCANNER -j DROP
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER
#Loga tentativa de acesso a determinadas portas
$iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
$iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ssh: "
$iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet"
$iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp"
$iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
$iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3"
$iptables -A INPUT -p tcp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
$iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd"
$iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba"
$iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
$iptables -A INPUT -p tcp --dport 443 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: HTTPS: "
$iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "
$iptables -A INPUT -p tcp --dport 3389 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: WIN Terminal Server"
$iptables -A INPUT -p tcp --dport 5432 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: PostgreSQL: "
$iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
$iptables -A INPUT -p tcp --dport 8080 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: apache: "
$iptables -A INPUT -p tcp --dport 10000 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: webmin: "
#Libera acesso a determinadas Portas
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT #ftp
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT #ssh
$iptables -A INPUT -p tcp --dport 23 -j ACCEPT #telnet
$iptables -A INPUT -p tcp --dport 25 -j ACCEPT #smtp
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT #http
$iptables -A INPUT -p tcp --dport 110 -j ACCEPT #pop3
$iptables -A INPUT -p tcp --dport 111 -j ACCEPT #rpc
$iptables -A INPUT -p tcp --dport 113 -j ACCEPT #identd
$iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT #samba
$iptables -A INPUT -p tcp --dport 161:162 -j ACCEPT #snmp
$iptables -A INPUT -p tcp --dport 443 -j ACCEPT #https
$iptables -A INPUT -p tcp --dport 445 -j ACCEPT #smb
$iptables -A INPUT -p tcp --dport 3050 -j ACCEPT #firebird
$iptables -A INPUT -p tcp --dport 3128 -j ACCEPT #squid
$iptables -A INPUT -p tcp --dport 3389 -j ACCEPT #terminal server windows
$iptables -A INPUT -p tcp --dport 5432 -j ACCEPT #PostgreSQL
$iptables -A INPUT -p tcp --dport 6667:6668 -j ACCEPT #irc
$iptables -A INPUT -p tcp --dport 8080 -j ACCEPT #apache
$iptables -A INPUT -p tcp --dport 10000 -j ACCEPT #webmin
#Ativa mascaramento de saida
$iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE
#Libera acessos a rede interna
$iptables -A INPUT -i $IF_INTERNA -j ACCEPT
#$iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
------------------------------------------------------------------
vários testes diferentes ja foram feito pelo que vcs podem ver nos comandos comentados....
preciso abrir as portas 25, 110 e 3389 e as que eu desejar....
pra isso usei um monte de tipo de tentativa de abrir:
e ja não sei mais o que fazer!
------------------------------------------------------------------
exemplos de alternativas para tentar abrir a porta 3389.
-----------------------------------------------------------------
$IPTABLES -A INPUT -p TCP --dport 3389 -j ACCEPT
ou
$iptables -A INPUT -p tcp --sport 3389 -j ACCEPT
$iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 3389 -j ACCEPT
$iptables -A FORWARD -p tcp --sport 3389 -j ACCEPT
$iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT