Perguntas & Respostas

Galera problemas com firewall

preciso acessar uma conta de e-mail do UOL com o outlook e meu firewall nao esta deixando acredito que seja isso eu consiguo enviar os e-mails mas nao consiguo envia-los de jeito nenhum to ficando loco ja com isso aqui faz uma semana que estou batendop em cima e nada.
segue o meu script de firewall

#!/bin/sh


echo "####INICIO DO SCRIPT DE FIREWALL####"
   
   
   
   
echo "###Setando Protecao Contra Ataques###"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for i in /proc/sys/net/ipv4/conf/*; do
echo 0 >$i/accept_redirects
echo 0 >$i/accept_source_route
echo 1 >$i/log_martians
echo 1 >$i/rp_filter;
done
echo "OK"
   
sleep 1

echo "###Opcões de configuracão###"
LAN_IP_RANGE="192.168.0.0/255.255.255.0"
LAN_IP="192.168.0.0/255.255.255.0"
LAN_BCAST_ADRESS="192.168.0.255/255.255.255.0"
LOCALHOST_IP="127.0.0.1/8"
INET_IFACE="ppp0"
LAN_IFACE="eth1"
IPTABLES="/sbin/iptables"
echo "OK"

sleep 1
   
echo "###Limpando Regras###"
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "OK"

sleep 1
   
echo "###Carregando os modulos necessários do IPTABLES###"
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
echo "OK"
   
sleep 1

echo "###Habilita o IPFORWARD###"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "OK"
   
sleep 1

echo "###Protecao contra spoof de IP###"
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo "OK"

sleep 1

echo "###Forcando uso do Proxy###"
$IPTABLES -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp --dport 80 -j DROP
echo "OK"
   
sleep 1

echo "###Conectividade Social###"
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d ! 200.201.174.0/24 --dport 80 -j REDIRECT --to-port 8080
$IPTABLES -A FORWARD -s 192.168.0.5 -p TCP --dport 2631 -j ACCEPT
#$IPTABLES -A FORWARD -s 10.0.0.115 -p TCP --dport 2631 -j ACCEPT
#$IPTABLES -A FORWARD -s 10.0.0.126 -p TCP --dport 2631 -j ACCEPT
#$IPTABLES -A FORWARD -s 10.0.0.162 -p TCP --dport 2631 -j ACCEPT
echo "OK"
   
sleep 1

echo "###Liberando SSH somente para enderecos confiaveis###"
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/255.255.255.0 --dport 30001 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -s 200.150.230.82 --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -s 200.162.12.62 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --dport 30001 -j ACCEPT
#$IPTABlES -A INPUT -p TCP -s 0/0 --dport 110 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -s 0/0 --sport 110 -j ACCEPT
echo "OK"
   
sleep 1
   
echo "###Ip's Indesejaveis###"
$IPTABLES -A INPUT -i eth0 -p tcp -s 195.122.194.234 -j DROP
echo "OK"

sleep 1
   
echo "###Habilita IP Forwarding and Masquerading simples###"
$IPTABLES -t nat -A POSTROUTING -o $LAN_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
echo "OK"
   
sleep 1
   
echo "###Pacotes alterados de TCP indesejáveis se ferram aqui###"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Novo pacote não syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
echo "OK"
   
sleep 1
   
echo "###Redirecinamento de Servicos###"
$IPTABLES -t nat -A PREROUTING -d 0/0 -p tcp --dport 3389 -j DNAT --to 192.168.0.2:3389
echo "OK"
   
sleep 1

echo "###Aceita os pacotes que realmente devem entrar###"
$IPTABLES -t filter -A FORWARD -j ACCEPT -p tcp --dport 25
$IPTABLES -t filter -A FORWARD -j ACCEPT -p tcp --dport 3389
$IPTABLES -t filter -A FORWARD -j ACCEPT -p tcp --dport 80
$IPTABLES -t filter -A FORWARD -j ACCEPT -p tcp --dport 20:21
$IPTABLES -t filter -A FORWARD -j ACCEPT -p tcp --dport 8081
$IPTABLES -t filter -A FORWARD -j ACCEPT -p tcp --dport 1024
$IPTABLES -t filter -A FORWARD -j ACCPET -p all --dport 110
$IPTABLES -t filter -A FORWARD -j ACCEPT -p tcp --dport 53
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j ACCEPT -p all --dport 110
echo "OK"
   
sleep 1
   
echo "###Cria cadeias separadas para ICMP, TCP e UDP passarem###"
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -N allowed
echo "OK"
   
sleep 1
   
echo "###A cadeia allowed para conexoes TCP###"
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
echo "OK"
   
sleep 1
   
#echo "###Regras ICMP###"
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#echo "OK"
   
sleep 1
   
echo "###Regras TCP###"
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 30001 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 809 -j allowed
echo "OK"
   
sleep 1
   
echo "###Regras UDP###"
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
echo "OK"
   
sleep 1

#echo "###Bloqueio do MSN###"
#$IPTABLES -A FORWARD -p TCP --dport 1863 -j REJECT
#$IPTABLES -A FORWARD -d 64.4.13.0/24 -j REJECT
#$IPTABLES -A FORWARD -s 192.168.10.0/255.255.255.0 -d messenger.hotmail.com -j REJECT
#$IPTABLES -A FORWARD -s 192.168.10.0/255.255.255.0 -d baym-gw31.msgr.hotmail.com -j REJECT
#echo "OK"
   
echo "###Bloqueio Kazaa###"
$IPTABLES -A FORWARD -d 213.248.112.0/24 -j REJECT
$IPTABLES -A FORWARD -p TCP --dport 1214 -j REJECT
echo "OK"
   
sleep 1

echo "###Cadeia PREROUTING###"
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/255.255.255.0 -j DROP
echo "OK"
   
sleep 1
   
echo "###Cadeia INPUT###"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Novo pacote não syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
echo "OK"
   
sleep 1
   
echo "###Regras para pacotes vindos da internet###"
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 27665 -j DROP
echo "OK"
   
sleep 1
   
echo "###Proteção contra TRINOO###"
$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 27444 -j DROP
$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 1214 -j DROP
$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 31335 -j DROP
echo "OK"
   
sleep 1

echo "###Protecão contra Tronjans###"
$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 666 -j DROP
$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 666 -j DROP
$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 4000 -j DROP
echo "OK"

sleep 1
   
echo "###Protecao contra acesso externo ao Squid###"
$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 3128 -j DROP
#$IPTABLES -A INPUT -p TCP -i $INET_IFACE --dport 8080 -j DROP
echo "OK"
   
sleep 1
   
echo "###Proteção contra acesso externo ao NETBIOS###"
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -d 200.204.148.125 --dport 137:8000 -j DROP
echo "OK"
   
sleep 1
   
echo "###Proteção contra acesso externo ao TELNET###"
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -d 0/0 --dport telnet -j DROP
echo "OK"
   
sleep 1
   
echo "###Regras para rede interna e localhost###"
#$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP_RANGE -j ACCEPT
echo "OK"
   
sleep 1
   
echo "###Cadeia OUTPUT###"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Novo pacote nao syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
echo "OK"
   
sleep 1
   
#echo "###Habilitando Seguranca###"
#iptables -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
#iptables -A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable
#echo "OK"
   
#sleep 1
   
echo "### Libera Acesso ao POP3 ###"
$IPTABLES -A FORWARD -p tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --sport 110 -j DNAT --to 200.221.4.5:110
$IPTABLES -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to 200.221.4.5:110
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to 200.221.2.45:110
$IPTABLES -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to 66.249.93.111:965
# Acesso ao servidor POP3
# fazendo o mascaramento dos pacotes da rede interna para o POP3
#$IPTABLES -A POSTROUTING -o eth0 -p tcp -s 192.168.0.0/24 -d 200.221.4.5 --dport 110 -j MASQUERADE -t nat
# permitindo o FORWARD da rede interna para o POP3
#$IPTABLES -A FORWARD -o eth0 -p tcp -s 192.168.0.0/24 -d 200.221.4.5 --dport 110 -j ACCEPT
# permitindo o FORWARD do POP3 para a rede interna
#$IPTABLES -A FORWARD -o eth1 -p tcp -s 192.168.0.0/24 -d 200.221.4.5 --sport 110 -j ACCEPT
#$IPTABLES -A FORWARD -d pop.gmail.com -p tcp -m tcp --dport 995 -j ACCEPT
#$IPTABLES -A FORWARD -s pop.gmail.com -p tcp -m tcp --sport 995 -j ACCEPT
#$IPTABLES -A FORWARD -d pop3.uol.com.br -p tcp --dport 110 -j ACCEPT
#$IPTABLES -A FORWARD -s pop3.uol.com.br -p tcp --sport 110 -j ACCEPT

echo "OK"
   
sleep 1
   
echo "### Libera Acesso ao SMTP###"
$IPTABLES -A FORWARD -p tcp --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 200.221.4.131:25
$IPTABLES -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 66.249.93.111:465

#$IPTABLES -A FORWARD -d 200.221.4.131 -p tcp -m tcp --sport 25 -j ACCEPT
#$IPTABLES -A FORWARD -d 200.221.4.131 -p tcp -m tcp --sport 25 -j ACCEPT
# Acesso ao servidor SMTP
# fazendo o mascaramento dos pacotes da rede interna para o SMTP
#$IPTABLES -A POSTROUTING -o ppp0 -p tcp -s 192.168.0.0/24 -d 0.0.0.0 --dport 25 -j MASQUERADE -t nat
# permitindo o FORWARD da rede interna para o SMTP
#$IPTABLES -A FORWARD -o ppp0 -p tcp -s 192.168.0.0/24 -d 0.0.0.0 --dport 25 -j ACCEPT
# permitindo o FORWARD do SMTP para a rede interna
#$IPTABLES -A FORWARD -o eth1 -p tcp -s 192.168.0.0/24 -d 0.0.0.0 --sport 25 -j ACCEPT
echo "OK"

sleep 1

echo "###Seta a politica default para INPUT, FORWARD e OUTPUT###"
#$IPTABLES -A INPUT -p tcp --syn -j DROP
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
echo "OK"

sleep 1

echo "#####FIM DO SCRIPT DE FIREWALL#####"
   
OBS.: Acima usei os endereço de IP do UOL pois com os endereço normais nao passava no meu firewall e nao chegava até os clientes da rede. Meu Outlook esta configurado com os ip ao inves dos hosts
OBS. 2:Se eu configurar um cliente de mail no meu servidor ele recebe agora se eu tento em qq maqiuna da rede nao vai nem a pau

Desde ja Agradeço

_cabelo_