IPTABLES FOWARD PADRAO DROP, NAO LER OS ACCEPTS
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
essa regra funciona, mas fica tudo aberto ainda hehehe do tipo:
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Eu queria que somente 110, 53 e 80 pudessem passar. mas tudo passa ainda. <IMG SRC="images/forum/icons/icon27.gif">
help me!
IPTABLES FOWARD PADRAO DROP, NAO LER OS ACCEPTS
IPTABLES FOWARD PADRAO DROP, NAO LER OS ACCEPTS
coloco nessa regra do mstat o DROP?
IPTABLES FOWARD PADRAO DROP, NAO LER OS ACCEPTS
ME ajudem plis!!!
Segue anexo todo meu rc.firewall
------------------------
#!/bin/sh
# Limpando as tabelas do iptables
iptables -F
iptables -t nat -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#REGRAS PADRAO
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Regras TCP liberando portas para loopback
iptables -A INPUT -p tcp -s 127.0.0.1/255.0.0.0 -d 0/0 -j ACCEPT
# Regras TCP/UDP liberando portas para rede local 192.168.
#TCP
iptables -A INPUT -p tcp -s 192.168.82.0/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.82.64/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.82.128/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.82.192/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.79.0/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.79.64/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/30 -d 0/0 -j ACCEPT
#UDP
iptables -A INPUT -p udp -s 192.168.82.0/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.82.64/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.82.128/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.82.192/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.79.0/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.79.64/26 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/30 -d 0/0 -j ACCEPT
# Regras TCP/UDP liberando portas para rede 200.199.140.184/29
#TCP
iptables -A INPUT -p tcp -s 200.199.95.0/24 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 200.199.88.0/24 -d 0/0 --dport 22 -j ACCEPT
# Regras TCP/UDP bloqueando portas
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 3306 -j DROP
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -j DROP
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 25 -j DROP
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 110 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 22 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 53 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 953 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 5454 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 6000 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 3306 -j DROP
#iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 80 -j DROP
#iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 25 -j DROP
#iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 110 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 137 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 138 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 161 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 143 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 993 -j DROP
#CONTROLE
#iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#PROTECAO
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -i eth2 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -i eth2 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i eth2 -j DROP
#NAT
iptables -A POSTROUTING -t nat -s 192.168.80.0/24 -o eth2 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.0.0/30 -o eth2 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.82.0/26 -o eth2 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.82.64/26 -o eth2 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.82.128/26 -o eth2 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.82.192/26 -o eth2 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.79.0/26 -o eth2 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 192.168.79.64/26 -o eth2 -j MASQUERADE
# SNAT
iptables -t nat -A PREROUTING -p tcp -d 192.168.82.1 --dport 110 -j DNAT --to 200.185.109.50
iptables -t nat -A POSTROUTING -p tcp -s 200.185.109.50 --sport 110 -j SNAT --to 192.168.82.1
iptables -t nat -A PREROUTING -p tcp -d 192.168.82.2 --dport 110 -j DNAT --to 200.221.4.75
iptables -t nat -A POSTROUTING -p tcp -s 200.221.4.75 --sport 110 -j SNAT --to 192.168.82.1
iptables -t nat -A PREROUTING -p tcp -d 192.168.82.2 --dport 25 -j DNAT --to 200.221.4.40
iptables -t nat -A POSTROUTING -p tcp -s 200.221.4.40 --sport 25 -j SNAT --to 192.168.82.1
--to 192.168.82.4
echo "++++++++++++++++++++++++++++++++"
echo "+ FIREWALL CONFIGURADO +"
echo "++++++++++++++++++++++++++++++++"
Colocando o padrao do FOWARD em DROP nada passa, colocando aquela regra:
"iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
tudo passa :/ eu queria que só passe pela rede 110 25 e 53. <IMG SRC="images/forum/icons/icon27.gif">
alguem ai ja conseguiu fazer isso???
IPTABLES FOWARD PADRAO DROP, NAO LER OS ACCEPTS
Apague a regra que deixa tudo passar e faca assim:
iptables -A FORWARD -p tcp -s sua_rede --dport porta -j ACCEPT
por exemplo:
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT