Olá pessoal! Estou com um pequeno problema com meu iptables. Estou rodando Salckware 10.1, com serviços de: PROXY + SSHD + HTTPD + DHCPD + FTP. Quando ativo o firewall (todo tempo) não consigo entrar na página desse servidor usando o IP dele, somento com localhost, sendo que quando desativado tudo funciona bem. Segue o meu arquivo de rc.firewall:
#!/bin/bash
firewall_start()
{
# Altera as políticas
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT DROP
# Abre para o DHCPD
/usr/sbin/iptables -A INPUT -i eth1 -p udp --sport 68 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p udp --dport 68 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -p udp --sport 67 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p udp --dport 67 -j ACCEPT
# Abre para uma faixa de endereços da rede local
/usr/sbin/iptables -A INPUT -i eth0 -p all -s 132.42.92.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p all -d 132.42.92.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p all -s 192.168.0.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p all -d 192.168.0.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -p all -s 132.42.92.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p all -d 132.42.92.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -p all -s 192.168.0.0/255.255.255.0 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth1 -p all -d 192.168.0.0/255.255.255.0 -j ACCEPT
# Abre para a interface de loopback.
/usr/sbin/iptables -A INPUT -i lo -s 127.0.0.1/255.255.255.255 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -d 127.0.0.1/255.255.255.255 -j ACCEPT
# HTTPD
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
# FTP Cliente
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 20 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 20 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 21 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 21 -j ACCEPT
#FTP Servidor
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 20 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 21 -j ACCEPT
# SSH Servidor
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
# SSH Cliente
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT
# DNS Cliente
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 53 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
# Libera o HTTP e o HTTPS
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --sport 443 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
# Ignora mais algumas coisas ruins
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
# Compartilha a internet com proxy e carrega modulos necessarios
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
}
firewall_stop()
{
/usr/sbin/iptables -F
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -X
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
# Compartilha a internet com proxy
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
}
case "$1" in
"start")firewall_start;
echo "Firewall is runnig.";;
"stop")firewall_stop;
echo "Firewall is NOT runnig.";;
"restart")firewall_stop;
sleep 1;
firewall_start;
echo "Firewall was restarted and it is runnig.";;
*)/usr/sbin/iptables -L -n;;
esac
Tudos os serviços funcionam bem, só o httpd que não. Alguem percebe o erro?? Valeu!