Liberação de Portas e redirecionamento [RESOLVIDO]

caio.thimons
(usa Ubuntu)

Enviado em 07/02/2012 - 10:07h

amigão consegui executar ele , porém ja vi tds os comandos, porém fla que da um erro:
olha ahiw:
/usr/local/bin# firewall.sh
/usr/local/bin/firewall.sh: linha 7 : # echo##limpando regras exixtentes##: comandos não encontrado
/usr/local/bin/firewall.sh: linha 14 : echo## Definindo politica (nega entrada e permite saida ): comando não encontrado
iptables v1.4.10: --tcp-flags equires two args
try "iptables -h" or 'iptables --help' for more information.
liberando o INPUT externo
/usr/local/bin/firewall.sh: linha 76: $'echo## fecando portas n/303/243o abertas acima##: comando não encontrado
/usr/local/bin/firewall.sh: linha 83: echocompartilhando internet: comando nã encontrado
/usr/local/bin/firewall.sh: linha 86: echofirewall ativo: comando não encontrado


deu desse geito os erros...


Brigadão amiigo por tentar me ajudar xD

caio.thimons
(usa Ubuntu)

Enviado em 07/02/2012 - 10:09h

haa antes de tudo eu coloquei tbm #!/bin/bash

andrecanhadas
(usa Debian)

Enviado em 07/02/2012 - 10:29h

Quanto ao #/bin/bash ta certo esqueci agora o restante dos erros parece que sumiu as aspas.
Só comentas as linhas que estão dando erro com um # no inicio

caio.thimons
(usa Ubuntu)

Enviado em 07/02/2012 - 10:53h

agora só fico assim:

iptables v1.4.10: --tcp-flags equires two args
try "iptables -h" or 'iptables --help' for more information.


mais uma pergunta é aqui que libero as portas internas tbm..?

echo "liberando o INPUT externo"

iptables -A INPUT -i eth1 -p tcp -m multiport --dport 1050,8086,80 -j ACCEPT

parece que esta funcionando porém não esta ainda direcionando, estou aqui em um site para ver a portas abertas estão aberta apenas as 8086 e 1050 (menos mau) porém as outras que ponho ahiw nesse comando não estão liberadas...

VLWSS...

andrecanhadas
(usa Debian)

Enviado em 07/02/2012 - 10:58h

Sim adiciona uma , e a porta
ex:
iptables -A INPUT -i eth1 -p tcp -m multiport --dport 1050,8086,80,110,443,21 -j ACCEPT

Apos isso tem que salvar e rodar de novo

andrecanhadas
(usa Debian)

Enviado em 07/02/2012 - 11:03h

Ainda tem erros

Comenta as linhas:

/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

E vai descomentando e salvando e tentando rodar pra ver qual delas ta errada.

caio.thimons
(usa Ubuntu)

Enviado em 07/02/2012 - 11:06h

só mais uma pergunat a rede eth1 é que recebe a internet e a eth0 conexão local para liberar as portas para os usuarios e re interna local não tem que por o eth0 ou é o eth1 mesmo, desculpa é que euu sou novo em ubuntu...

andrecanhadas
(usa Debian)

Enviado em 07/02/2012 - 11:14h

Na realidade não pois aqui:

## Estabelece relação de confiança entre maquinas da rede local eth0(rede local)
iptables -A INPUT -i eth0 -s 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Esta dizendo que sua rede interna não tem bloqueio em nenhuma porta no seu firewall

caio.thimons
(usa Ubuntu)

Enviado em 07/02/2012 - 11:30h

cara to entrando em um site que mostra as portas... cara tds as portas estão fechado somente a 8086, 1050 que não...
então vo tentar o VALID_CHECK

andrecanhadas
(usa Debian)

Enviado em 07/02/2012 - 11:35h

Posta seu script como ele esta no momento:
cat /usr/local/firewall.sh

caio.thimons
(usa Ubuntu)

Enviado em 07/02/2012 - 11:55h

#!/bin/bash

############# Script###########
################################################################################
#################### Inicio Firewall ###########################################
################################################################################

#echo"## Limpando as Regras existentes #######"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z

#echo"## Definindo politica padrão (Nega entrada e permite saida)"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

################################################################################
######################## Protege contra ataques diversos #######################
################################################################################

###### Protege contra synflood
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###### Protecao contra ICMP Broadcasting ######
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
###### Protetecao Contra IP Spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

###### Protecao diversas contra portscanners, ping of death, ataques DoS, pacotes danificados e etc.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

################################################################################
############################ Input Rede Interna #################################
################################################################################
## Estabelece relação de confiança entre maquinas da rede local eth0(rede local)##
iptables -A INPUT -i eth0 -s 10.0.0.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

################################################################################
############################ Liberando o INPUT #################################
################################################################################
echo "liberando o INPUT externo"

iptables -A INPUT -i eth1 -p tcp -m multiport --dport 1050,8086,80,8080,21,22,23,24 -j ACCEPT

################################################################################
############################ Redirecionamentos #################################
################################################################################
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1050 -j DNAT --to-destination 10.0.0.50:1050
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8086 -j DNAT --to-destination 10.0.0.153:8086

################################################################################
############################ Drop Input #################################
################################################################################
#echo"## Fechando portas não abertas acima ##"
#iptables -A INPUT -i eth1 -j REJECT

################################################################################
############################ Compartilhamento Internet #########################
################################################################################
echo"Compartilhando Internet"
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo"Firewall Ativo"
################################################################################
######################## Fim ###################################
##############################################################################



desse cehito indentico só coloquei comentario no DROP INPUT
#iptables -A INPUT -i eth1 -j REJECT

andrecanhadas
(usa Debian)

Enviado em 07/02/2012 - 12:12h

Vc tem esses serviços que usam as portas 80,21,23,24 rodando no seu firewall?