brunorsantos
(uses Debian)
Sent on 08/03/2016 - 14:50h
Good afternoon everyone!
I've been racking my brains over a problem for some time now and would really appreciate your help... I'll describe my setup so you can understand it and give me a tip towards a solution, OK?
Well, I have a firewall with two network cards: eth0 receives the ADSL link and eth1 hands out DHCP to my local network. The company has a printer on which users scan documents, which are then sent to each user's respective e-mail. In my ADSL modem's configuration I set the DMZ to point to the IP of my eth0, so that my firewall takes control of the inbound and outbound traffic of my network, and that is how I would like to leave it configured, right?!
When I set my eth0's IP in the modem's DMZ option, the users can no longer send the documents scanned on the printer. In other words, if I leave the DMZ option empty people can scan, but if I set my eth0's IP they no longer can. I even changed the firewall's default policies to ACCEPT, but it had no effect. Below is my script, and also a tcpdump capture taken while I go through the scanning process on the printer and it fails.
#!/bin/bash
# Blocking traffic between interfaces
echo 0 > /proc/sys/net/ipv4/ip_forward
# Loading basic modules
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_state
/sbin/modprobe ipt_multiport
/sbin/modprobe iptable_mangle
# Clearing existing rules
iptables -F -t filter
iptables -F -t nat
iptables -F -t mangle
# Setting default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Basic rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
# DNS
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
iptables -A FORWARD -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
# Web access to the FW
iptables -A INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# EMAIL ports
iptables -A FORWARD -p tcp --sport 143 -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 20 -j ACCEPT
iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp --sport 21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp --sport 587 -j ACCEPT
iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 995 -j ACCEPT
iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -p tcp --sport 220 -j ACCEPT
iptables -A FORWARD -p tcp --dport 220 -j ACCEPT
# test: allow scanning (note: the rules below use 200.234.210.12, but the capture shows the mail server at 200.235.210.12)
iptables -A INPUT -p tcp --sport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 587 -j ACCEPT
iptables -A INPUT -p tcp -s 200.234.210.12 -j ACCEPT
iptables -A OUTPUT -p tcp -d 200.234.210.12 -j ACCEPT
iptables -A INPUT -p tcp -d 200.234.210.12 -j ACCEPT
iptables -A OUTPUT -p tcp -s 200.234.210.12 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.234.210.12 -j ACCEPT
iptables -A FORWARD -p tcp -s 200.234.210.12 -j ACCEPT
iptables -A FORWARD -p tcp --sport 65532 -j ACCEPT
iptables -A FORWARD -p tcp --dport 65532 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -p tcp --sport 65534 -j ACCEPT
iptables -A FORWARD -p tcp --dport 65534 -j ACCEPT
# Samba
iptables -A FORWARD -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -p tcp --sport 445 -j ACCEPT
iptables -A FORWARD -p udp --dport 445 -j ACCEPT
iptables -A FORWARD -p udp --sport 445 -j ACCEPT
iptables -A FORWARD -p udp --dport 137 -j ACCEPT
iptables -A FORWARD -p udp --sport 137 -j ACCEPT
iptables -A FORWARD -p udp --dport 138 -j ACCEPT
iptables -A FORWARD -p udp --sport 138 -j ACCEPT
iptables -A FORWARD -p tcp --dport 139 -j ACCEPT
iptables -A FORWARD -p tcp --sport 139 -j ACCEPT
# Test
iptables -A INPUT -p udp --sport 137 -j ACCEPT
iptables -A INPUT -p udp --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp --sport 137 -j ACCEPT
iptables -A OUTPUT -p udp --dport 137 -j ACCEPT
iptables -A INPUT -p udp --sport 138 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -j ACCEPT
iptables -A OUTPUT -p udp --sport 138 -j ACCEPT
iptables -A OUTPUT -p udp --dport 138 -j ACCEPT
iptables -A INPUT -p tcp --sport 139 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 139 -j ACCEPT
# SQUID access
iptables -A INPUT -p tcp -i eth1 --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth1 --sport 3128 -j ACCEPT
# Allowed IPs
iptables -A FORWARD -p tcp -s 10.1.1.9 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.1.1.9 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.1.7 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.1.1.7 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.1.8 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.1.1.8 -j ACCEPT
iptables -A FORWARD -p tcp -s 10.1.1.15 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.1.1.15 -j ACCEPT
# Blocking ports 80 and 443
#iptables -A FORWARD -p tcp -s 10.1.1.0/24 --dport 80 -j REJECT
#iptables -A FORWARD -p tcp -s 10.1.1.0/24 --dport 443 -j REJECT
# Network NAT
iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.0/24 -j MASQUERADE
# Enabling traffic between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
############################################################################
Now the tcpdump capture taken when I configure the DMZ and scanning fails:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:48:26.819471 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [S], seq 2820086251, win 16384, options [mss 1460,nop,wscale 0,nop,nop,TS val 1445 ecr 0], length 0
14:48:26.845094 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [S.], seq 545821476, ack 2820086252, win 14480, options [mss 1460,nop,nop,TS val 2858168621 ecr 1445,nop,wscale 10], length 0
14:48:26.845468 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], ack 1, win 17520, options [nop,nop,TS val 1445 ecr 2858168621], length 0
14:48:27.198170 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [P.], seq 1:53, ack 1, win 15, options [nop,nop,TS val 2858168975 ecr 1445], length 52
14:48:27.198527 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], ack 53, win 17468, options [nop,nop,TS val 1446 ecr 2858168975], length 0
14:48:27.202316 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [P.], seq 1:17, ack 53, win 17520, options [nop,nop,TS val 1446 ecr 2858168975], length 16
14:48:27.226821 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [.], ack 17, win 15, options [nop,nop,TS val 2858169004 ecr 1446], length 0
14:48:27.227415 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [P.], seq 53:217, ack 17, win 15, options [nop,nop,TS val 2858169004 ecr 1446], length 164
14:48:27.227697 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], ack 217, win 17356, options [nop,nop,TS val 1446 ecr 2858169004], length 0
14:48:27.229023 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [P.], seq 17:82, ack 217, win 17520, options [nop,nop,TS val 1446 ecr 2858169004], length 65
14:48:27.258359 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [P.], seq 217:254, ack 82, win 15, options [nop,nop,TS val 2858169035 ecr 1446], length 37
14:48:27.258740 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], ack 254, win 17483, options [nop,nop,TS val 1446 ecr 2858169035], length 0
14:48:27.263925 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [P.], seq 82:123, ack 254, win 17520, options [nop,nop,TS val 1446 ecr 2858169035], length 41
14:48:27.289655 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [P.], seq 254:268, ack 123, win 15, options [nop,nop,TS val 2858169066 ecr 1446], length 14
14:48:27.290035 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], ack 268, win 17506, options [nop,nop,TS val 1446 ecr 2858169066], length 0
14:48:27.290681 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [P.], seq 123:162, ack 268, win 17520, options [nop,nop,TS val 1446 ecr 2858169066], length 39
14:48:27.354459 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [.], ack 162, win 15, options [nop,nop,TS val 2858169132 ecr 1446], length 0
14:48:27.499816 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [P.], seq 268:282, ack 162, win 15, options [nop,nop,TS val 2858169276 ecr 1446], length 14
14:48:27.500122 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], ack 282, win 17506, options [nop,nop,TS val 1447 ecr 2858169276], length 0
14:48:27.503294 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [P.], seq 162:168, ack 282, win 17520, options [nop,nop,TS val 1447 ecr 2858169276], length 6
14:48:27.527908 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [.], ack 168, win 15, options [nop,nop,TS val 2858169305 ecr 1447], length 0
14:48:27.528905 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [P.], seq 282:319, ack 168, win 15, options [nop,nop,TS val 2858169306 ecr 1447], length 37
14:48:27.529148 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], ack 319, win 17483, options [nop,nop,TS val 1447 ecr 2858169306], length 0
14:48:27.530329 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [P.], seq 168:517, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 349
14:48:27.531900 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 517:1965, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:27.532088 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 1965:3413, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:27.532280 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 3413:4861, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:27.532404 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 4861:6309, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:27.532531 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 6309:7757, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:27.596645 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [.], ack 517, win 16, options [nop,nop,TS val 2858169374 ecr 1447], length 0
14:48:27.597472 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 7757:9205, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:27.597595 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 9205:10653, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:28.387951 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 517:1965, ack 319, win 17520, options [nop,nop,TS val 1448 ecr 2858169306], length 1448
14:48:30.399059 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 517:1965, ack 319, win 17520, options [nop,nop,TS val 1452 ecr 2858169306], length 1448
14:48:31.857894 ARP, Request who-has 10.1.1.15 tell 10.1.1.253, length 28
14:48:31.858149 ARP, Reply 10.1.1.15 is-at 00:00:74:ce:24:9d, length 46
14:48:34.421219 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 517:1965, ack 319, win 17520, options [nop,nop,TS val 1460 ecr 2858169306], length 1448
^C
37 packets captured
37 packets received by filter
0 packets dropped by kernel
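The capture shows the printer (10.1.1.15) resending the same 1448-byte segment (seq 517:1965) four times while the mail server never acknowledges past byte 517, the end of the last small segment. As an added example, not part of the post, this Python script parses tcpdump lines of that form (a subset of the capture above is embedded) and reports which payload sizes were acknowledged and which were retransmitted; a result where only small segments get through is the pattern to check against the ADSL link's MTU (for instance with MSS clamping on the firewall) before blaming the filter rules.

```python
import re

# Lines copied from the poster's tcpdump capture above (trimmed to the data phase).
CAPTURE = """\
14:48:27.530329 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [P.], seq 168:517, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 349
14:48:27.531900 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 517:1965, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:27.532088 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 1965:3413, ack 319, win 17520, options [nop,nop,TS val 1447 ecr 2858169306], length 1448
14:48:27.596645 IP 200.235.210.12.587 > 10.1.1.15.65532: Flags [.], ack 517, win 16, options [nop,nop,TS val 2858169374 ecr 1447], length 0
14:48:28.387951 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 517:1965, ack 319, win 17520, options [nop,nop,TS val 1448 ecr 2858169306], length 1448
14:48:30.399059 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 517:1965, ack 319, win 17520, options [nop,nop,TS val 1452 ecr 2858169306], length 1448
14:48:34.421219 IP 10.1.1.15.65532 > 200.235.210.12.587: Flags [.], seq 517:1965, ack 319, win 17520, options [nop,nop,TS val 1460 ecr 2858169306], length 1448
"""

# One tcpdump TCP line; "seq a:b" and "ack n" are both optional (pure ACKs, SYNs).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\],"
    r"(?: seq (?P<seq_lo>\d+)(?::(?P<seq_hi>\d+))?,)?(?: ack (?P<ack>\d+),)?"
    r".*length (?P<length>\d+)$"
)

def parse_capture(text):
    """Yield one dict per TCP line; ARP lines and tcpdump banners are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("seq_lo", "seq_hi", "ack", "length"):
                rec[key] = int(rec[key]) if rec[key] is not None else None
            yield rec

def analyze(text, client):
    """Compare what `client` sent with what its peer acknowledged."""
    sent = {}       # (seq_lo, seq_hi) -> number of times that segment appeared
    seg_len = {}    # seq_hi -> payload length of the segment ending there
    peer_ack = 0    # highest ACK number seen from the peer
    for p in parse_capture(text):
        if p["src"].startswith(client + ".") and p["length"] > 0:
            key = (p["seq_lo"], p["seq_hi"])
            sent[key] = sent.get(key, 0) + 1
            seg_len[p["seq_hi"]] = p["length"]
        elif p["dst"].startswith(client + ".") and p["ack"] is not None:
            peer_ack = max(peer_ack, p["ack"])
    return {
        "peer_ack": peer_ack,
        "acked_lens": sorted({n for hi, n in seg_len.items() if hi <= peer_ack}),
        "unacked_lens": sorted({n for hi, n in seg_len.items() if hi > peer_ack}),
        "retransmitted": {k: n for k, n in sent.items() if n > 1},
    }

if __name__ == "__main__":
    print(analyze(CAPTURE, "10.1.1.15"))
```

On the embedded lines it reports peer_ack 517, acked_lens [349], unacked_lens [1448] and the segment (517, 1965) sent 4 times; feed it the full capture (`tcpdump -n -i eth1 host <printer>`) to confirm the same pattern on a fresh scan attempt.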