Last week I posted a problem I had with a firewall. After a few suggestions, including reading the guiafoca/iptables that gatoseco pointed me to, I'm back with some questions. If anyone can help I'd be very grateful. I have a Linux/Kurumin server sharing the internet connection, plus a proxy and SAMBA that have been working for some time. Now I'm trying to set up a firewall. But when I activate the file with the rules, nothing works any more. Not even the proxy, and sometimes Mozilla Firefox doesn't even open and won't browse. Here goes:
SHARED INTERNET COMING FROM ANOTHER SERVER
|-------------------------------------------------< |
eth0 - IP=192.168.0.167 gw=192.168.0.105 | This one is shared
eth1 - IP=192.168.2.90 gw=192.168.0.167 ------> Local network/Proxy
Workstations: IP=192.168.2.x gw=192.168.2.90 Point to eth1 (proxy)
Everything works perfectly.
When I run the script with the rules below, everything goes haywire.
#!/bin/bash
# Server firewall
# Carlos Valcir Ramos - 01/09/2005
# starting the firewall...
# FLUSHING THE FIREWALL TABLES
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
# ALLOW LOOPBACK
iptables -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# ALLOW ACCESS ONLY FOR THE LOCAL NETWORK: PORTS FOR INTERNET, SSH, ETC.
iptables -A INPUT -p tcp --destination-port 20 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 21 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 3128 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 8080 -j ACCEPT
# PORTS FOR SAMBA
iptables -A INPUT -i eth1 -m multiport -p tcp --dport 53,135,139,445 -j ACCEPT
iptables -A INPUT -i eth1 -m multiport -p udp --dport 53,137,138 -j ACCEPT
# OPEN FOR THE LOCAL NETWORK (eth1)
iptables -A INPUT -p tcp -s 192.168.2.0/24 -j ACCEPT
# OPEN FOR THE EXTERNAL NETWORK WHERE THE INTERNET SERVER IS (eth0)
iptables -A INPUT -p tcp -s 192.168.0.0/24 -j ACCEPT
# SHARING THE INTERNET CONNECTION
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
# SO THEY CANNOT BYPASS THE PROXY
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# TO PRIORITISE HTTP/HTTPS TRAFFIC
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 443 -j TOS --set-tos 16
# BLOCKING PORT SCANNERS, DOS ATTACKS AND PING OF DEATH
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# CLOSING EVERYTHING EXCEPT WHAT WAS OPENED ABOVE
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p tcp -j DROP
iptables -A OUTPUT -p tcp -j DROP
iptables -A FORWARD -p tcp -j DROP
# END OF FIREWALL
At GATOSECO's request, here is the output of lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 724 daemon 3u IPv4 2566 UDP *:sunrpc
portmap 724 daemon 4u IPv4 2567 TCP *:sunrpc (LISTEN)
cupsd 905 root 0u IPv4 2885 TCP *:ipp (LISTEN)
cupsd 905 root 2u IPv4 2886 UDP *:ipp
mysqld 1293 mysql 3u IPv4 3728 TCP ServerInternet:mysql (LISTEN)
postmaste 1403 postgres 3u IPv6 4052 TCP *:postgresql (LISTEN)
postmaste 1403 postgres 4u IPv4 4053 TCP *:postgresql (LISTEN)
postmaste 1403 postgres 6u IPv4 4059 UDP ServerInternet:32769->ServerInternet:32769
postmaste 1427 postgres 6u IPv4 4059 UDP ServerInternet:32769->ServerInternet:32769
sshd 1450 root 3u IPv6 4119 TCP *:ssh (LISTEN)
nmbd 2008 root 6u IPv4 4957 UDP *:netbios-ns
nmbd 2008 root 7u IPv4 4958 UDP *:netbios-dgm
nmbd 2008 root 8u IPv4 4960 UDP LinuxServer:netbios-ns
nmbd 2008 root 9u IPv4 4961 UDP LinuxServer:netbios-dgm
smbd 2039 root 20u IPv4 5001 TCP *:microsoft-ds (LISTEN)
smbd 2039 root 21u IPv4 5002 TCP *:netbios-ssn (LISTEN)
apache 2396 root 16u IPv4 5627 TCP *:www (LISTEN)
apache 2397 www-data 16u IPv4 5627 TCP *:www (LISTEN)
apache 2401 www-data 16u IPv4 5627 TCP *:www (LISTEN)
apache 2402 www-data 16u IPv4 5627 TCP *:www (LISTEN)
apache 2403 www-data 16u IPv4 5627 TCP *:www (LISTEN)
apache 2404 www-data 16u IPv4 5627 TCP *:www (LISTEN)
apache-ss 2409 root 16u IPv4 5660 TCP *:https (LISTEN)
apache-ss 2416 www-data 16u IPv4 5660 TCP *:https (LISTEN)
apache-ss 2417 www-data 16u IPv4 5660 TCP *:https (LISTEN)
apache-ss 2418 www-data 16u IPv4 5660 TCP *:https (LISTEN)
apache-ss 2419 www-data 16u IPv4 5660 TCP *:https (LISTEN)
apache-ss 2420 www-data 16u IPv4 5660 TCP *:https (LISTEN)
apache 2985 www-data 16u IPv4 5627 TCP *:www (LISTEN)
apache 2989 www-data 16u IPv4 5627 TCP *:www (LISTEN)
apache 2990 www-data 16u IPv4 5627 TCP *:www (LISTEN)
apache 7236 www-data 16u IPv4 5627 TCP *:www (LISTEN)
smbd 7549 root 5u IPv4 184234 UDP ServerInternet:32901
smbd 7549 root 24u IPv4 184233 TCP LinuxServer:netbios-ssn->192.168.2.98:1407 (ESTABLISHED)
squid 7754 proxy 6u IPv4 184965 UDP *:32902
squid 7754 proxy 8u IPv4 184967 TCP ServerInternet:42723->ServerInternet:42722 (ESTABLISHED)
squid 7754 proxy 9u IPv4 184970 TCP ServerInternet:42725->ServerInternet:42724 (ESTABLISHED)
squid 7754 proxy 10u IPv4 184973 TCP ServerInternet:42727->ServerInternet:42726 (ESTABLISHED)
squid 7754 proxy 11u IPv4 184976 TCP ServerInternet:42729->ServerInternet:42728 (ESTABLISHED)
squid 7754 proxy 12u IPv4 184979 TCP ServerInternet:42731->ServerInternet:42730 (ESTABLISHED)
squid 7754 proxy 17u IPv4 188529 TCP LinuxServer:3128->192.168.2.95:1287 (ESTABLISHED)
squid 7754 proxy 18u IPv4 184986 TCP *:3128 (LISTEN)
squid 7754 proxy 19u IPv4 184987 UDP *:icpv2
squid 7754 proxy 21u IPv4 188565 TCP ServerInternet:43030->207.68.178.16:www (ESTABLISHED)
squid 7754 proxy 22u IPv4 190141 TCP LinuxServer:3128->192.168.2.103:4052 (ESTABLISHED)
squid 7754 proxy 23u IPv4 188532 TCP LinuxServer:3128->192.168.2.95:1288 (ESTABLISHED)
squid 7754 proxy 24u IPv4 190104 TCP LinuxServer:3128->192.168.2.106:1250 (ESTABLISHED)
squid 7754 proxy 25u IPv4 190143 TCP ServerInternet:43078->201008177206.user.veloxzone.com.br:www (ESTABLISHED)
squid 7754 proxy 27u IPv4 190074 TCP LinuxServer:3128->192.168.2.60:1032 (ESTABLISHED)
squid 7754 proxy 28u IPv4 188571 TCP ServerInternet:43034->207.46.219.62:www (ESTABLISHED)
squid 7754 proxy 30u IPv4 190075 TCP LinuxServer:3128->192.168.2.60:1033 (ESTABLISHED)
squid 7754 proxy 31u IPv4 190079 TCP LinuxServer:3128->192.168.2.106:1248 (ESTABLISHED)
squid 7754 proxy 32u IPv4 190081 TCP ServerInternet:43041->sisgr.caixa.gov.br:https (ESTABLISHED)
squid 7754 proxy 36u IPv4 190111 TCP ServerInternet:43055->64.233.169.99:www (ESTABLISHED)
squid 7754 proxy 38u IPv4 190095 TCP LinuxServer:3128->192.168.2.60:1035 (ESTABLISHED)
squid 7754 proxy 39u IPv4 190097 TCP ServerInternet:43048->216.239.37.99:www (ESTABLISHED)
squid 7754 proxy 41u IPv4 190098 TCP ServerInternet:43049->a72-246-49-152.deploy.akamaitechnologies.com:www (ESTABLISHED)
squid 7754 proxy 42u IPv4 190101 TCP LinuxServer:3128->192.168.2.106:1249 (ESTABLISHED)
squid 7754 proxy 43u IPv4 190103 TCP ServerInternet:43051->sisgr.caixa.gov.br:https (ESTABLISHED)
squid 7754 proxy 44u IPv4 190106 TCP ServerInternet:43052->sisgr.caixa.gov.br:https (ESTABLISHED)
squid 7754 proxy 45u IPv4 190107 TCP LinuxServer:3128->192.168.2.106:1251 (ESTABLISHED)
squid 7754 proxy 46u IPv4 190109 TCP ServerInternet:43053->sisgr.caixa.gov.br:https (ESTABLISHED)
squid 7754 proxy 47u IPv4 190119 TCP LinuxServer:3128->192.168.2.60:1036 (ESTABLISHED)
ncsa_auth 7755 proxy 0u IPv4 184968 TCP ServerInternet:42722->ServerInternet:42723 (ESTABLISHED)
ncsa_auth 7755 proxy 1u IPv4 184968 TCP ServerInternet:42722->ServerInternet:42723 (ESTABLISHED)
ncsa_auth 7756 proxy 0u IPv4 184971 TCP ServerInternet:42724->ServerInternet:42725 (ESTABLISHED)
ncsa_auth 7756 proxy 1u IPv4 184971 TCP ServerInternet:42724->ServerInternet:42725 (ESTABLISHED)
ncsa_auth 7757 proxy 0u IPv4 184974 TCP ServerInternet:42726->ServerInternet:42727 (ESTABLISHED)
ncsa_auth 7757 proxy 1u IPv4 184974 TCP ServerInternet:42726->ServerInternet:42727 (ESTABLISHED)
ncsa_auth 7758 proxy 0u IPv4 184977 TCP ServerInternet:42728->ServerInternet:42729 (ESTABLISHED)
ncsa_auth 7758 proxy 1u IPv4 184977 TCP ServerInternet:42728->ServerInternet:42729 (ESTABLISHED)
ncsa_auth 7759 proxy 0u IPv4 184980 TCP ServerInternet:42730->ServerInternet:42731 (ESTABLISHED)
ncsa_auth 7759 proxy 1u IPv4 184980 TCP ServerInternet:42730->ServerInternet:42731 (ESTABLISHED)
sshd 8163 root 4u IPv6 188299 TCP LinuxServer:ssh->192.168.2.60:1027 (ESTABLISHED)
sshd 8163 root 8u IPv6 188406 TCP ip6-localhost:6010 (LISTEN)
sshd 8163 root 9u IPv4 188407 TCP ServerInternet:6010 (LISTEN)
telnet 8181 kurumin 3u IPv4 188349 TCP LinuxServer:43005->hospbocaiuva:telnet (ESTABLISHED)
Thanks to everyone who can contribute in some way. I just want to put a basic firewall on this server.
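A corrected rule set for the topology in the post, as an added example that is not the poster's script: it keeps the same services (Squid on 3128, Samba on eth1, SSH, the transparent redirect to the proxy, masquerading on eth0) but accepts ESTABLISHED/RELATED traffic before anything is dropped and leaves OUTPUT open, since the script's final "iptables -A OUTPUT -p tcp -j DROP" is what cuts off Squid and Firefox on the server itself. The IPT/SYSCTL variables, the FW_APPLY switch, the log prefixes and the assumption that SSH from the 192.168.0.0/24 segment is wanted are this example's own.

```shell
#!/bin/bash
# Added example (not the poster's script): stateful rule set for eth0 upstream,
# eth1 LAN 192.168.2.0/24, Squid on 3128. Run as root with FW_APPLY=1;
# IPT="echo iptables" SYSCTL="echo sysctl" only prints the commands.
fw_apply() {
    local ipt="${IPT:-iptables}" sysctl="${SYSCTL:-sysctl}"
    local lan=192.168.2.0/24 lan_ip=192.168.2.90 upstream=192.168.0.0/24

    # flush, then set default policies (note: no "-j" with -P)
    for t in filter nat mangle; do $ipt -t $t -F; $ipt -t $t -X; done
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT   # the server itself may talk out; Squid needs this

    # loopback, and replies to connections already allowed: this must come
    # before any DROP, or every answer from the internet is thrown away
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -m state --state INVALID -j DROP

    # services offered only to the LAN side (eth1)
    $ipt -A INPUT -i eth1 -s $lan -p tcp -m multiport --dports 22,3128 -j ACCEPT
    $ipt -A INPUT -i eth1 -s $lan -p tcp -m multiport --dports 139,445 -j ACCEPT
    $ipt -A INPUT -i eth1 -s $lan -p udp -m multiport --dports 53,137,138 -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # SSH from the upstream segment as well (assumed to be wanted)
    $ipt -A INPUT -i eth0 -s $upstream -p tcp --dport 22 -j ACCEPT

    # LAN -> internet: web goes through Squid (except requests to the server's
    # own Apache), new outbound connections are forwarded, then masqueraded
    $ipt -t nat -A PREROUTING -i eth1 -s $lan ! -d $lan_ip -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
    $ipt -A FORWARD -i eth1 -o eth0 -s $lan -m state --state NEW -j ACCEPT
    $ipt -t nat -A POSTROUTING -o eth0 -s $lan -j MASQUERADE
    $sysctl -w net.ipv4.ip_forward=1

    # log what the default policies drop, so the next breakage is visible
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
    $ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
}
if [ "${FW_APPLY:-0}" = 1 ]; then fw_apply; fi
```

Dropped packets then show up in the kernel log with the fw-input-drop/fw-fwd-drop prefix, which is the first place to look when a service stops answering after the rules are loaded.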