Perguntas & Respostas

Galera To com um problema com firewall aqui
seguinte:
Eu adiciono um script de firewall pra rodar masi o queacontece é que ele libera a rede interna normalmente compartilha a net com o squid tudo certo mais tem um pequeno problema ele nao navega tanto no cliente como no servidor eu ja tentei troacar algumas coisas aqui masi mesmo assim da problemas eu nao consiguo navegar

Interface de net = ppp0
interface conectada no cabo da net = eth0
interface de rede = eth1
faixa de ip rede interna = 192.168.0.0/24

Segue meu script pra analise

#!/bin/sh
# Script de Firewall com IPTABLES
# Criado por Fabio Mattes | Geleia
#

IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
#IPNET=`ifconfig|grep P-t-P|cut -f 2 -d":"|cut -f1 -d" "`
PNET=eth0 #Interface ligada na internet(mesma acima)
INTERMAQ=192.168.0.0 #Maquina interna rodando o VNCServer
#INTERBASE=20.0.0.3 #Maquina interna rodando o Servidor do Firebird

clear
echo "********************************************"
echo "* * * * *Iniciando SecFw Firewall* * * * * *"
echo "********************************************"
sleep 1
echo " Descarregando Regras do Firewall [OK] "
$IPTABLES -F
sleep 1
$IPTABLES -P INPUT DROP
echo " Configuracao de entrada [OK] "
sleep 1
$IPTABLES -P FORWARD DROP
echo " Configuracao de encaminhamento [OK] "
sleep 1
$IPTABLES -P OUTPUT DROP
echo " Configuracao de Saida [OK] "
#
echo " Ativando o Roteamento [OK]"
#/etc/rc.d/./rc.ip_forward restart
echo 1 > sh /proc/sys/net/ipv4/ip_forward
#echo 0 > /proc/sys/net/ipv4/tcp_ecn
#echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#
#echo " Ativando o No-Ip [OK]"
#killall noip2
#/etc/rc.d/./noip start
#
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE ip_queue
$MODPROBE ip_tables
$MODPROBE ipt_LOG
$MODPROBE ipt_MARK
$MODPROBE ipt_MASQUERADE
#$MODPROBE ipt_MIRROR
$MODPROBE ipt_REDIRECT
$MODPROBE ipt_REJECT
$MODPROBE ipt_TCPMSS
$MODPROBE ipt_TOS
$MODPROBE ipt_limit
$MODPROBE ipt_mac
$MODPROBE ipt_mark
$MODPROBE ipt_multiport
$MODPROBE ipt_owner
$MODPROBE ipt_state
$MODPROBE ipt_tcpmss
$MODPROBE ipt_tos
#$MODPROBE ipt_unclean
$MODPROBE iptable_filter
$MODPROBE iptable_mangle
$MODPROBE iptable_nat
echo " Carregando modulos [OK]"
echo "============================================"
sleep 2
echo " Iniciando Mascaramento"
# Forwarding e mascaramento da rede interna
#
#
# Conexao por ADSL
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -A FORWARD -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#
# Conexao por MODEM
# OBS: CASO A CONEXAO COM INTERNET SEJA FEITA
# POR MODEM DESCOMENTE AS LINHAS ABAIXO E
# COMENTE AS LINHAS DA CONEXAO POR ADSL
#
#$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#$IPTABLES -A FORWARD -i ppp0 -j ACCEPT
#$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
echo "============================================"
sleep 1
echo " Carregando Regras "
# Regras para ICMP
#
echo " Iniciando ICMP ..."
#
$IPTABLES -A INPUT -p icmp -s 192.168.0.0/24 --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -s 192.168.0.0/24 --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -s 192.168.0.0/24 --icmp-type 5 -j ACCEPT
$IPTABLES -A INPUT -p icmp -s 192.168.0.0/24 --icmp-type 11 -j ACCEPT
#
sleep 2
echo " Regras ICMP iniciadas [OK] "
echo "============================================"
#
# Regras para TCP
#
sleep 2
echo " Iniciando Regras TCP ..."
#
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT
echo " Porta 21 (FTP) [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
echo " Porta 22 [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
echo " Porta 25 (POP) [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT
echo " Porta 53 [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
echo " Porta 80 (HTTP) [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 8080 -j ACCEPT
echo " Porta 8080 [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 110 -j ACCEPT
echo " Porta 110 (SMTP) [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 30001 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 30001 -j ACCEPT
echo " Porta 30001 (SSH) [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 8245 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 8245 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 5900 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 5900 -j ACCEPT
echo " Porta 8245 (NO-IP) [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --dport 5432 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --dport 5432 -j ACCEPT
echo " Porta 5432 (POSTGRESQL) [OK]"
sleep 1
#redir --lport=80 --laddr=192.168.0.1 --cport=3128 --caddr=192.168.0.1 &
#echo " Redirecionamento de Portas [OK]"
sleep 2
#
echo " Regras TCP iniciadas [OK]"
echo "============================================"
#
# Regras para UDP
#
sleep 2
echo " Iniciando regras UDP ..."
#
$IPTABLES -A INPUT -p udp -s 192.168.0.0/24 --source-port 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 192.168.0.0/24 --dport 5432 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s 192.168.0.0/24 --dport 5432 -j ACCEPT
echo " Porta 53 [OK]"
sleep 2
echo " Regras UDP iniciadas [OK]"
echo "============================================"
#
# Regras para backdoors
#
sleep 1
echo " Inciando Regras para Backdoors ..."
#
#$IPTABLES -A INPUT -p tcp --dport 8080 -j LOG --log-prefix Apache
$IPTABLES -A INPUT -p tcp --dport 80 -j LOG --log-prefix Http
$IPTABLES -A INPUT -p tcp --dport 5042 -j LOG --log-prefix Wincrash
echo " Wincrash [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp --dport 12345 -j LOG --log-prefix BackOrifice
echo " BackOrifice 12345 [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp --dport 12346 -j LOG --log-prefix BackOrifice
echo " BackOrifice 12346 [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp --dport 31335 -j LOG --log-prefix Trinoo
echo " Trinoo [OK]"
sleep 1
$IPTABLES -A INPUT -p tcp --dport 31337 -j LOG --log-prefix Netbus
echo " Netbus [OK]"
#$IPTABLES -I INPUT -j DROP -p tcp -s 192.168.0.0/24 -m string --string "cmd.exe"
sleep 2
echo " Regras para Backdoors iniciadas [OK]"
echo "============================================"
#
sleep 2
# Regras para PING
echo " Regras para PING ..."
# Ping e Ping da Morte
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
#
echo " Ping e Ping da Morte [OK]"
sleep 1
#
#Syn-flood
echo " Syn-Flood"
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j DROP
#
sleep 1
echo " Port Scanners [OK]"
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST, RST -j DROP
#
sleep 1
#echo " Pacotes danificados ou suspeitos [OK]"
#$IPTABLES -A FORWARD -m unclean -j DROP
#
sleep 2
echo " Regras para PING inciadas [OK]"
echo " Todas as regras carregadas com sucesso"
sleep 2
echo "============================================"
echo " "
echo "********************************************"
echo " SecFw Firewall Inciado com Sucesso "
echo "********************************************"
echo " Digite ./secfw status em /etc/rc.d para ver lista de regras iniciadas"
echo " "
#fim do arquivo