Network Blocking, Access Problems
well, here goes another headache, friends, hahaha
:D
I had posted the "NETBIOS blah blah" thread
but what I actually ran into was a real mess!
here it goes
#################################
# Block access between networks #
#################################
# Note: NetBIOS name service (port 137) runs over UDP; these rules match only TCP 137.
#iptables -t filter -A FORWARD -d 192.168.100.0/24 -s 192.168.0.0/24 -j ACCEPT
#iptables -t filter -A FORWARD -d 192.168.0.0/24 -s 192.168.100.0/24 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.1.0/24 -s 192.168.1.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.2.0/24 -s 192.168.2.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.3.0/24 -s 192.168.3.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.4.0/24 -s 192.168.4.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.5.0/24 -s 192.168.5.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.6.0/24 -s 192.168.6.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.7.0/24 -s 192.168.7.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.8.0/24 -s 192.168.8.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.9.0/24 -s 192.168.9.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.10.0/24 -s 192.168.10.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.11.0/24 -s 192.168.11.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.12.0/24 -s 192.168.12.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.13.0/24 -s 192.168.13.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.14.0/24 -s 192.168.14.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.15.0/24 -s 192.168.15.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.16.0/24 -s 192.168.16.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.17.0/24 -s 192.168.17.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.18.0/24 -s 192.168.18.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.19.0/24 -s 192.168.19.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.20.0/24 -s 192.168.20.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -d 192.168.100.0/24 -s 192.168.100.0/24 -p tcp --dport 137 -j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 137 -j DROP
# The two rules below are the same rule (iptables does not care about option order),
# and 192.168.0.0/8 is normalised to 192.0.0.0/8, which is far wider than the private range.
iptables -t filter -A FORWARD -d 192.168.0.0/8 -s 192.168.0.0/8 -j DROP
iptables -t filter -A FORWARD -s 192.168.0.0/8 -d 192.168.0.0/8 -j DROP
I tried all of these iptables rules: commented, uncommented, on their own, inverted every possible way..
but the NetBIOS problem is more advanced on Conectiva 10; these iptables rules and these network-blocking rules did not work,
because I am on network 192.168.10.10 (my IP on Windows), I ping 192.168.4.1 and it answers,
and if on Windows I map a drive with net use z: \\192.168.4.1\c it connects!!
the traffic between the networks is not blocked.
do you think it is the iptables version? because on Conectiva 9 it worked with just
iptables -t filter -A FORWARD -d 192.168.0.0/8 -s 192.168.0.0/8 -j DROP
and that's it..
awaiting replies
thanks
Network Blocking, Access Problems
but from what I saw there it is -j ACCEPT
and instead of using /24 use /16
Network Blocking, Access Problems
sorry
but I gave you two wrong lines
the first ones
#iptables -t filter -A FORWARD -d 192.168.100.0/24 -s 192.168.0.0/24 -j ACCEPT
#iptables -t filter -A FORWARD -d 192.168.0.0/24 -s 192.168.100.0/24 -j ACCEPT
are not part of this case
it's another case, the radios I work with here
sorry about that
Network Blocking, Access Problems
in my case here at the company I disabled the IPX protocol, so far it's fine; now if your network needs it, then you're out of luck hehehe
and instead of INPUT use FORWARD
Network Blocking, Access Problems
If it is still pinging, it really is an iptables rules problem!!
look, the script below solved 100% of the kind of problems you are describing!!
Another important thing is to block NetBIOS and also the port Windows uses to transfer files when sharing is enabled, in this case port 445; it is well covered below!!
I left out the comments so it would not get so huge!!
# Blocks forwarding between any two 192.x.x.x addresses (wider than 192.168.0.0/16)
iptables -t filter -A FORWARD -d 192.0.0.0/8 -s 192.0.0.0/8 -j DROP
# 'unclean' was an experimental match on old kernels; current kernels no longer provide it
iptables -A FORWARD -m unclean -j DROP
# Ping rate limit: the DROP right after the limit rule is what makes the limit take effect
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
# These limit rules have no DROP after them, so packets over the limit simply
# fall through to the rest of the chain and the default policy
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -m pkttype --pkt-type multicast -j DROP
iptables -A FORWARD -i eth0 -o eth0 -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Drops the UDP port range used by traceroute probes arriving on eth1
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
# NetBIOS/SMB (135-139, 445): the --sport rules only catch packets coming *from* those
# ports; the --dport rules further down are what stop connections *to* them
iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 135 -j DROP
iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 136 -j DROP
iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 137 -j DROP
iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 138 -j DROP
iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 139 -j DROP
iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 445 -j DROP
iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 135 -j DROP
iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 136 -j DROP
iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 137 -j DROP
iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 138 -j DROP
iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 139 -j DROP
iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 445 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 135 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 136 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 137 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 138 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 139 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 445 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 135 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 136 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 137 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 138 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 139 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 445 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 135 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 136 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 137 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 138 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 139 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 445 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 135 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 136 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 137 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 138 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 139 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 445 -j DROP
# Connections *to* the NetBIOS/SMB ports, on the box itself and leaving it
iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 135 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 136 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 137 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 138 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 139 -j DROP
iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 445 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 135 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 136 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 137 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 138 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 139 -j DROP
iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 445 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 135 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 136 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 137 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 138 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 139 -j DROP
iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 445 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 135 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 136 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 137 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 138 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 139 -j DROP
iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 445 -j DROP
# Reverse-path filtering (anti-spoofing) and IP forwarding
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
# One MASQUERADE rule per internal host going out through eth1
iptables -t nat -A POSTROUTING -s 192.168.145.2 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.145.3 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.145.4 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.145.5 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.165.65.2 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.164.78.2 -o eth1 -j MASQUERADE
Network Blocking, Access Problems
thanks everyone
now I managed to get it working
but actually it was another problem
I'll paste my rc.local here
################
# Load modules #
################
# via-rhine is the NIC driver; the ip_conntrack/ipt_* names are the 2.4/2.6-era
# module names (newer kernels call them nf_conntrack, xt_MASQUERADE, etc.)
modprobe via-rhine
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
################################
# Enable routing in the kernel #
################################
echo "1" > /proc/sys/net/ipv4/ip_forward
##################################
# Protection against IP spoofing #
##################################
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
###############
# Flush rules #
###############
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
##########################
# Set the default policy #
##########################
# With all three commented out the built-in policy stays ACCEPT, so anything no
# rule drops is let through
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
##############################
# Drop unwanted TCP packets #
##############################
# Would drop NEW connections that do not start with a SYN
#iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
##########################
# Drop malformed packets #
##########################
# 'unclean' was an experimental match on old kernels; current kernels no longer provide it
iptables -A INPUT -i eth0 -m unclean -j DROP
###############################################
# Accept the packets that really should enter #
###############################################
# If re-enabled, the FORWARD rule here accepts NEW connections, so forwarded traffic
# matches it before ever reaching the inter-network DROP at the end of the chain
#iptables -A INPUT -i ! eth0 -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#############################
# Protection against trinoo #
#############################
# Fixed-port lists: a port number alone is a weak indicator, but harmless to drop on eth0
iptables -N TRINOO
iptables -A TRINOO -j DROP
iptables -A INPUT -p TCP -i eth0 --dport 27444 -j TRINOO
iptables -A INPUT -p TCP -i eth0 --dport 27665 -j TRINOO
iptables -A INPUT -p TCP -i eth0 --dport 31335 -j TRINOO
iptables -A INPUT -p TCP -i eth0 --dport 34555 -j TRINOO
iptables -A INPUT -p TCP -i eth0 --dport 35555 -j TRINOO
##############################
# Protection against trojans #
##############################
iptables -N TROJAN
iptables -A TROJAN -j DROP
iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
iptables -A INPUT -p TCP -i eth0 --dport 4000 -j TROJAN
iptables -A INPUT -p TCP -i eth0 --dport 6000 -j TROJAN
iptables -A INPUT -p TCP -i eth0 --dport 6006 -j TROJAN
iptables -A INPUT -p TCP -i eth0 --dport 16660 -j TROJAN
############################
# Protection against worms #
############################
iptables -A FORWARD -p tcp --dport 135 -i eth1 -j REJECT
################################
# Protection against syn-flood #
################################
# No DROP follows this limit rule, so SYNs over 2/s just fall through to the
# (ACCEPT) default policy; the limit has no effect on its own
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
####################################
# Protection against ping of death #
####################################
# Same caveat: without a DROP after it, excess echo-requests are still forwarded
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
####################################
# Protection against port scanners #
####################################
# Invalid TCP flag combinations (Xmas, null, SYN+FIN, SYN+RST, ...) that no
# legitimate connection uses
iptables -N SCANNER
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth0 -j SCANNER
#################################
# Block access between networks #
#################################
# 192.0.0.0/8 covers every 192.x.x.x address, not only the private 192.168.0.0/16
iptables -t filter -A FORWARD -d 192.0.0.0/8 -s 192.0.0.0/8 -j DROP
the rest is not part of it, so I took it out, but the lines I commented out
are where it was tripping me up and I had not noticed; only by testing like this did I get it working now!
Network Blocking, Access Problems
is this a firewall or a bible? HEHE just kidding :)
Network Blocking, Access Problems
Quote:
Originally posted by Brenno
is this a firewall or a bible? HEHE just kidding :)
and there is a lot more, my friend
hahaha :D
Network Blocking, Access Problems
my filter has about 5 lines and my nat 3 lines, that's why I joked hehehe
my firewall style comes from Red Hat, so I don't need all of that..
I use Debian and adapted the Red Hat firewall to Debian; it turned out really good. Whoever has the time, I recommend doing the same..
cheers
Network Blocking, Access Problems
Dear hellmans,
You can take many lines out of your script.. which in my view have no effect at all...
for example...
why do you use rules and create new chains with -j DROP if your default policy already does that?
there is no need to keep dropping packets with rules under a policy that by default will already do that to any packet not accepted by some rule in the chain...
[]'s
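Putting the thread's advice together (FORWARD instead of INPUT, /16 instead of /24, NetBIOS and 445 blocked, a DROP default policy instead of per-port DROP chains), as an added example that is not from any of the posts; the interface names eth0/eth1 and the 192.168.0.0/16 range are assumptions, and setting IPT=echo dry-runs the script by printing the rules instead of loading them:

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to iptables; set IPT=echo to
# dry-run and only print the rules. Interface names and the range are assumptions.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"   # assumed inside (LAN) interface
WAN_IF="${WAN_IF:-eth1}"   # assumed outside (Internet) interface
PRIV="192.168.0.0/16"      # every 192.168.x.x subnet, not 192.0.0.0/8
SMB_PORTS="135,136,137,138,139,445"

build_rules() {
    # Clean slate, then DROP by default: only what is explicitly accepted passes,
    # so no per-port DROP rules are needed for everything else.
    $IPT -F; $IPT -X; $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Conntrack: replies to allowed connections come back, nothing else does.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Order matters: this inter-subnet DROP must come before any broad ACCEPT in
    # FORWARD, otherwise the ACCEPT wins and ping / net use across subnets works.
    $IPT -A FORWARD -s "$PRIV" -d "$PRIV" -j DROP

    # NetBIOS/SMB must not leave the LAN; multiport replaces six rules per protocol.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -m multiport --dports "$SMB_PORTS" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp -m multiport --dports "$SMB_PORTS" -j DROP

    # New connections from the LAN to the Internet, masqueraded on the way out.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$PRIV" -o "$WAN_IF" -j MASQUERADE
}

# Dry-run check: returns 0 only if the inter-subnet DROP precedes the FORWARD
# ACCEPT of NEW connections, i.e. the ordering mistake from the thread is absent.
check_order() {
    rules=$(IPT=echo; build_rules)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD -s $PRIV -d $PRIV -j DROP" | cut -d: -f1)
    new_line=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD .*--state NEW -j ACCEPT" | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$new_line" ] && [ "$drop_line" -lt "$new_line" ]
}
```

Source the file and run check_order first; when it returns 0, call build_rules as root to load the rules.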