Firewall problem when blocking MSN

1. Firewall problem when blocking MSN

renan rosolem chinelatto
pok182

(uses Ubuntu)

Posted on 03/03/2010 - 14:42h

My problem is the following... I added a rule to block MSN at the company:
#Allow MSN
iptables -A FORWARD -s 192.168.0.50 -p tcp --dport 1863 -j ACCEPT # Renan
iptables -A FORWARD -s 192.168.0.50 -d loginnet.passport.com -j ACCEPT #Renan

#Block MSN
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT

But when I restart the firewall, it simply locks everything up: the internet connection and the PuTTY session drop, and then I have to go to the machine and reboot it.
Does anyone have an idea why this happens???
My firewall is below.

modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

# Zeroing the firewall (flush)
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ALLOW EMAIL
iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 192.168.0.1 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.1 --sport 53 -d 192.168.0.0/24 -j ACCEPT

iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 200.246.46.173 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.246.46.173 --sport 53 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 200.246.46.132 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.246.46.132 --sport 53 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p TCP -s 192.168.0.0/24 --dport 25 -j ACCEPT
iptables -A FORWARD -p TCP -s 192.168.0.0/24 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

#Allow MSN
iptables -A FORWARD -s 192.168.0.50 -p tcp --dport 1863 -j ACCEPT # Renan
iptables -A FORWARD -s 192.168.0.50 -d loginnet.passport.com -j ACCEPT #Renan

iptables -A FORWARD -s 192.168.0.146 -p tcp --dport 1863 -j ACCEPT # Elide
iptables -A FORWARD -s 192.168.0.146 -d loginnet.passport.com -j ACCEPT #Elide

iptables -A FORWARD -s 192.168.0.28 -p tcp --dport 1863 -j ACCEPT # Bruno
iptables -A FORWARD -s 192.168.0.28 -d loginnet.passport.com -j ACCEPT # Bruno

iptables -A FORWARD -s 192.168.0.25 -p tcp --dport 1863 -j ACCEPT # Daniela
iptables -A FORWARD -s 192.168.0.25 -d loginnet.passport.com -j ACCEPT #Daniela

iptables -A FORWARD -s 192.168.0.78 -p tcp --dport 1863 -j ACCEPT # Evelise
iptables -A FORWARD -s 192.168.0.78 -d loginnet.passport.com -j ACCEPT # Evelise

iptables -A FORWARD -s 192.168.0.53 -p tcp --dport 1863 -j ACCEPT # Cirulli
iptables -A FORWARD -s 192.168.0.53 -d loginnet.passport.com -j ACCEPT # Cirulli

iptables -A FORWARD -s 192.168.0.26 -p tcp --dport 1863 -j ACCEPT # Lilian
iptables -A FORWARD -s 192.168.0.26 -d loginnet.passport.com -j ACCEPT #Lilian

iptables -A FORWARD -s 192.168.0.120 -p tcp --dport 1863 -j ACCEPT # Prisciliana
iptables -A FORWARD -s 192.168.0.120 -d loginnet.passport.com -j ACCEPT # Prisciliana

iptables -A FORWARD -s 192.168.0.69 -p tcp --dport 1863 -j ACCEPT # Rodrigo
iptables -A FORWARD -s 192.168.0.69 -d loginnet.passport.com -j ACCEPT #Rodrigo

iptables -A FORWARD -s 192.168.0.67 -p tcp --dport 1863 -j ACCEPT # Juliana

iptables -A FORWARD -s 192.168.0.67 -p tcp --dport 1863 -j ACCEPT # Juliana
iptables -A FORWARD -s 192.168.0.67 -d loginnet.passport.com -j ACCEPT # Juliana

iptables -A FORWARD -s 192.168.0.68 -p tcp --dport 1863 -j ACCEPT # Andressa
iptables -A FORWARD -s 192.168.0.68 -d loginnet.passport.com -j ACCEPT # Andressa

iptables -A FORWARD -s 192.168.0.63 -p tcp --dport 1863 -j ACCEPT # Flavia
iptables -A FORWARD -s 192.168.0.64 -d loginnet.passport.com -j ACCEPT # Flavia

#Block MSN
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT

# Enabling masquerade and forwarding
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE
#iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT

iptables -A FORWARD -s 192.168.126.129 -j ACCEPT
iptables -A FORWARD -s 192.168.0.128 -j ACCEPT
iptables -A FORWARD -s 192.168.0.49 -j ACCEPT
iptables -A FORWARD -s 192.168.0.179 -j ACCEPT
iptables -A FORWARD -s 192.168.0.95 -j ACCEPT
iptables -A FORWARD -s 192.168.0.109 -j ACCEPT
iptables -A FORWARD -s 192.168.0.88 -j ACCEPT
iptables -A FORWARD -s 192.168.0.186 -j ACCEPT
iptables -A FORWARD -s 192.168.0.50 -j ACCEPT
iptables -A FORWARD -s 192.168.0.80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.254 -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -j ACCEPT
iptables -A FORWARD -s 192.168.0.63 -j ACCEPT
iptables -A FORWARD -s 192.168.0.147 -j ACCEPT
iptables -A FORWARD -s 192.168.0.93 -j ACCEPT
iptables -A FORWARD -s 192.168.0.65 -j ACCEPT
iptables -A FORWARD -s 192.168.0.71 -j ACCEPT
iptables -A FORWARD -s 192.168.0.138 -j ACCEPT
iptables -A FORWARD -s 192.168.0.28 -j ACCEPT
iptables -A FORWARD -s 192.168.0.146 -j ACCEPT
iptables -A FORWARD -s 192.168.0.26 -j ACCEPT
iptables -A FORWARD -s 192.168.0.25 -j ACCEPT
iptables -A FORWARD -s 192.168.0.68 -j ACCEPT
iptables -A FORWARD -s 192.168.0.69 -j ACCEPT
iptables -A FORWARD -s 192.168.0.101 -j ACCEPT
iptables -A FORWARD -s 192.168.0.59 -j ACCEPT
iptables -A FORWARD -s 192.168.0.49 -j ACCEPT
iptables -A FORWARD -s 192.168.0.56 -j ACCEPT
iptables -A FORWARD -s 192.168.0.144 -j ACCEPT
iptables -A FORWARD -s 192.168.0.48 -j ACCEPT
iptables -A FORWARD -s 192.168.0.47 -j ACCEPT
iptables -A FORWARD -s 192.168.0.51 -j ACCEPT
iptables -A FORWARD -s 192.168.0.58 -j ACCEPT
iptables -A FORWARD -s 192.168.0.46 -j ACCEPT
iptables -A FORWARD -s 192.168.0.156 -j ACCEPT
iptables -A FORWARD -s 192.168.0.12 -j ACCEPT
iptables -A FORWARD -s 192.168.0.14 -j ACCEPT
iptables -A FORWARD -s 192.168.0.53 -j ACCEPT
iptables -A FORWARD -s 192.168.0.30 -j ACCEPT
iptables -A FORWARD -s 192.168.0.53 -j ACCEPT
iptables -A FORWARD -s 192.168.0.30 -j ACCEPT
iptables -A FORWARD -s 192.168.0.186 -j ACCEPT
iptables -A FORWARD -s 192.168.0.35 -j ACCEPT
iptables -A FORWARD -s 192.168.0.78 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# STATE RELATED for the router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Internal network is allowed access
iptables -A INPUT -p tcp -s 127.0.0.1/255.255.255.255 -j ACCEPT
iptables -A INPUT -p udp -s 127.0.0.1/255.255.255.255 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p tcp -s 10.0.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p udp -s 10.0.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p udp -s 0.0.0.0/0.0.0.0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 0.0.0.0/0.0.0.0 -j DROP

#Allow computers
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 0.0.0.0/0.0.0.0 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/16 -s 0.0.0.0/0.0.0.0 --dport 443 -j ACCEPT

#Allow Receita Federal
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 0.0.0.0/0.0.0.0 --dport 3456 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/16 -s 0.0.0.0/0.0.0.0 --dport 3456 -j ACCEPT

#Connectivity - CAD Unico
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.201.174.204 --dport 2631 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/16 -s 200.201.174.204 --dport 2631 -j ACCEPT

#Passe card top-up
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 174.133.30.170 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 174.133.30.194 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 --dport 3306 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/16 --dport 3306 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.171.74.227 --dport 1433 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.171.74.227 --dport 1433 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.171.74.227 --dport 1434 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.171.74.227 --dport 1434 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.171.74.227 --dport 1446 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.171.74.227 --dport 1446 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.144.5.48 --dport 1498 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.144.5.48 --dport 1446 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.144.5.48 --dport 1498 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.144.5.48 --dport 1446 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/16 --dport 1446 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 189.5.194.64 --dport 7486 -j ACCEPT

#iptables -A FORWARD -p tcp -s 192.168.0.52 -d www.claro.com.br -j ACCEPT
#iptables -A FORWARD -p udp -d 192.168.0.52 -s www.claro.com.br -j ACCEPT


iptables -A FORWARD -p tcp -s 192.168.0.0/16 --dport 3356 -j ACCEPT

iptables -A FORWARD -p tcp -s 192.168.0.0/16 --dport 3356 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/16 --dport 3356 -j ACCEPT

iptables -A FORWARD -p tcp -s 192.168.0.95 --dport 5900 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.95 --dport 5900 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.95 --dport 1863 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.95 --dport 1863 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.95 --dport 44405 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.95 --dport 44405 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.95 --dport 55901 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.95 --dport 55901 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.50 --dport 27442 -j ACCEPT

# Ports that are open to the internet
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 221 -j ACCEPT
#Remote Desktop port
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --dport 65432 -j ACCEPT
iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp --dport 44405 -j ACCEPT
iptables -A INPUT -p tcp --dport 55901 -j ACCEPT
iptables -A INPUT -p tcp --dport 7486 -j ACCEPT
iptables -A INPUT -p tcp --dport 27015 -j ACCEPT
iptables -A INPUT -p tcp --dport 27442 -j ACCEPT

# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT

iptables -t nat -A PREROUTING -d www.ciee.org.br -j ACCEPT
iptables -t nat -A PREROUTING -d redir.folha.com.br -j ACCEPT
iptables -t nat -A PREROUTING -d f.i.uol.com.br -j ACCEPT
iptables -t nat -A PREROUTING -d www.folha.com.br -j ACCEPT
iptables -t nat -A PREROUTING -d www.farmaciasdelimeira.com.br -j ACCEPT
iptables -t nat -A PREROUTING -d 200.234.200.68 -j ACCEPT
iptables -t nat -A PREROUTING -d www.pmas.sp.gov.br -j ACCEPT
iptables -t nat -A PREROUTING -d 200.144.6.210 -j ACCEPT
iptables -t nat -A PREROUTING -d 200.144.6.9 -j ACCEPT
iptables -t nat -A PREROUTING -d www.mds.gov.br -j ACCEPT
iptables -t nat -A PREROUTING -d 192.168.0.105 -j ACCEPT
iptables -t nat -A PREROUTING -d 201.65.178.130 -j ACCEPT
iptables -t nat -A PREROUTING -d www14.bancodobrasil.com.br -j ACCEPT
iptables -t nat -A PREROUTING -d 170.66.1.60 -j ACCEPT
iptables -t nat -A PREROUTING -d office.bancobrasil.com.br -j ACCEPT
iptables -t nat -A PREROUTING -d 170.66.1.60 -j ACCEPT
iptables -t nat -A PREROUTING -d office.bancobrasil.com.br -j ACCEPT
iptables -t nat -A PREROUTING -d 189.47.163.127 --dport 300 -j ACCEPT
iptables -t nat -A PREROUTING -d 189.5.194.64 --dport 7486 -j ACCEPT
iptables -t nat -A PREROUTING -d 189.5.194.64 -j ACCEPT
iptables -t nat -A PREROUTING -d 200.155.160.200 -j ACCEPT

# Redirects all port 80 traffic to Squid
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.0.0/16 --dport 80 -j REDIRECT --to-port 3128

#Redirects port 3389 to Windows
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 3389 -j DNAT --to 192.168.0.249:3389
iptables -t nat -A POSTROUTING -d 192.168.0.249 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.249 --dport 3389 -j ACCEPT

#Redirects port 3389 to Windows
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 3390 -j DNAT --to 192.168.0.250:3389
iptables -t nat -A POSTROUTING -d 192.168.0.250 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 3389 -j ACCEPT

#Redirects port 5432 to Windows
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 5432 -j DNAT --to 192.168.0.250:5432
iptables -t nat -A POSTROUTING -d 192.168.0.250 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 5432 -j ACCEPT

#Redirects port 5432 to Windows
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 65432 -j DNAT --to 192.168.0.250:65432
iptables -t nat -A POSTROUTING -d 192.168.0.250 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 65432 -j ACCEPT

#Redirects port 5900 to Windows (MArio)
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 5900 -j DNAT --to 192.168.0.49:5900
iptables -t nat -A POSTROUTING -d 192.168.0.49 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.49 --dport 5900 -j ACCEPT

#Redirects port 8080 to port 80 on srvconan
iptables -t nat -A PREROUTING -p tcp -d 201.75.229.121 --dport 8080 -j DNAT --to 192.168.0.105:80
iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 80 -j ACCEPT

#iptables -t nat -A PREROUTING -p tcp -d 187.2.29.193 --dport 8080 -j DNAT --to 192.168.0.105:80
#iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
#iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 80 -j ACCEPT

#iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 8080 -j DNAT --to 192.168.0.105:80

iptables -t nat -A PREROUTING -p tcp -d 201.75.229.121 --dport 8080 -j DNAT --to 192.168.0.105:80
iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 80 -j ACCEPT

#Redirects port 300 to port 22 on SRVCONAN
iptables -t nat -A PREROUTING -p tcp -d 201.75.229.121 --dport 300 -j DNAT --to 192.168.0.105:22
iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 22 -j ACCEPT

#iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 300 -j DNAT --to 192.168.0.105:22

2. Re: Firewall problem when blocking MSN

renan rosolem chinelatto
pok182

(uses Ubuntu)

Posted on 05/03/2010 - 11:32h

When I restart the firewall (it takes more than 10 min to restart) it gives this message:
root@ubuntu2:~# /etc/init.d/firewall
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4: host/network `loginnet.passport.com' not found
Try `iptables -h' or 'iptables --help' for more information.
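As an added check (not code from the thread), the script below scans an excerpt of the posted ruleset for the two things that account for the symptoms in the second post: rules whose -s/-d is a DNS name, which iptables has to resolve while the script is loading (by then INPUT is already at policy DROP with no ESTABLISHED rule, so the resolver's replies are dropped, each lookup waits out the resolver timeout and the rule is then refused with "host/network not found"), and the number of commands that run between "-P INPUT DROP" and the INPUT ESTABLISHED,RELATED rule, during which the existing SSH session receives no packets. The excerpt is constructed from lines of the post; loading the ESTABLISHED,RELATED rules before switching the policies to DROP and using literal addresses instead of hostnames removes both problems.

```python
import ipaddress

# Constructed excerpt of the script posted in the thread, in the posted order.
SCRIPT = """\
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.0.50 -p tcp --dport 1863 -j ACCEPT # Renan
iptables -A FORWARD -s 192.168.0.50 -d loginnet.passport.com -j ACCEPT #Renan
iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
iptables -A INPUT -p tcp -s 127.0.0.1/255.255.255.255 -j ACCEPT
#iptables -A FORWARD -p tcp -s 192.168.0.52 -d www.claro.com.br -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -d www.folha.com.br -j ACCEPT
"""


def active_commands(script):
    """Yield (line_no, tokens) for each iptables command that is not commented out."""
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("iptables"):
            yield no, line.split()


def is_literal_address(value):
    """True for an IP or CIDR (dotted-mask form included): no DNS needed at load time."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def hostname_rules(script):
    """Rules whose -s/-d is a DNS name. iptables resolves each one while loading, and
    the rule only ever covers the addresses the resolver returned at that moment."""
    found = []
    for no, tokens in active_commands(script):
        for flag in ("-s", "-d"):
            if flag in tokens and not is_literal_address(tokens[tokens.index(flag) + 1]):
                found.append((no, tokens[tokens.index(flag) + 1]))
    return found


def blackout_window(script, chain="INPUT"):
    """Commands executed between '-P <chain> DROP' and that chain's ESTABLISHED,RELATED
    rule; existing sessions through the chain get no packets for that whole window."""
    drop_at = est_at = None
    for pos, (_, tokens) in enumerate(active_commands(script)):
        if tokens[1:4] == ["-P", chain, "DROP"]:
            drop_at = pos
        if "-A" in tokens and tokens[tokens.index("-A") + 1] == chain \
                and "ESTABLISHED,RELATED" in tokens:
            est_at = pos
    if drop_at is None or est_at is None or est_at < drop_at:
        return 0
    return est_at - drop_at - 1
```

On the full script from the first post the hostname count matches the fifteen "not found" errors in the second post, one per rule that names loginnet.passport.com.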