Hi everyone,
I'm setting up a server here at home to act as a firewall and NAT for my internal network.
I'm using Debian with iptables, but I'm doing something wrong in the rules, because when I run the shell script with the rules all traffic gets blocked.
I have two interfaces, eth0 (to the Internet) and eth1 (to the internal network). I use Velox as my ISP (Speedy in SP), so I have a PPPoE connection identified as "ppp0".
The shell script that inserts the rules into iptables is this one:
.......................................................................................................................
#!/bin/bash
echo "Carregando Firewall"
#########################################################
# Variables #
########################################################
iptables=/sbin/iptables
#--------------------------------------------------------
#########################################################
# Load modules #
#########################################################
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_conntrack
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
#--------------------------------------------------------
#########################################################
# Enable routing in the kernel #
#########################################################
echo "1" > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------
##########################################################
# Flush rules #
##########################################################
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle
#---------------------------------------------------------
##########################################################
# Protection against IP spoofing #
##########################################################
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 >$i
done
#----------------------------------------------------------
###########################################################
# Set the default policy #
###########################################################
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
#----------------------------------------------------------
###########################################################
# Filter table #
###########################################################
### Chain INPUT ###
#----------------------------------------------------------
$iptables -N PPP-INPUT
$iptables -A INPUT -i ppp0 -j PPP-INPUT
$iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
$iptables -A INPUT -j LOG --log-prefix "DROPPED:INPUT_Desc "
#$iptables -A INPUT -j DROP
#----------------------------------------------------------
### Chain OUTPUT ###
#----------------------------------------------------------
#$iptables -A OUTPUT -o ppp0 -p udp --sport 1024: --dport 53 -j ACCEPT
#$iptables -A OUTPUT -o ppp0 -p tcp --dport 80 -j ACCEPT
$iptables -A OUTPUT -j LOG --log-prefix "DROPPED:OUTPUT_Desc "
#----------------------------------------------------------
### Chain FORWARD ###
#----------------------------------------------------------
$iptables -A FORWARD -j LOG --log-prefix "DROPPED:FORWARD_Desc "
#----------------------------------------------------------
### Chain PPP-INPUT ###
#----------------------------------------------------------
$iptables -A PPP-INPUT -p icmp -m limit --limit 2/s -j ACCEPT
$iptables -A OUTPUT -j LOG --log-prefix "DROPPED:PPP-INPUTT_Desc "
$iptables -A PPP-INPUT -j DROP
#----------------------------------------------------------
#----------------------------------------------------------
###########################################################
# NAT #
###########################################################
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 80 -j LOG --log-prefix "FW:www"
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 80 -j MASQUERADE
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 110 -j LOG --log-prefix "FW:POP"
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 110 -j MASQUERADE
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 25 -j LOG --log-prefix "FW:SMTP"
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -p tcp --dport 25 -j MASQUERADE
$iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.0/24 -j LOG --log-prefix "FW:SNAT_Desconecida"
$iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.0/24 -j DROP
#$iptables -t nat -A POSTROUTING -j LOG --log-prefix "DROPPEDesconhecido "
$iptables -t nat -j DROP
................................................................................................................................
Running ifconfig, my interfaces are configured as follows:
................................................................................................................................
eth0 Link encap:Ethernet HWaddr 000:09:C1:F1:39
inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::2d0:9ff:fec1:f139/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21158 errors:0 dropped:0 overruns:0 frame:0
TX packets:19827 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6892774 (6.5 MiB) TX bytes:2512836 (2.3 MiB)
Interrupt:3 Base address:0xd400
eth1 Link encap:Ethernet HWaddr 00:02:44:63:4C:4A
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::202:44ff:fe63:4c4a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:134 errors:0 dropped:0 overruns:0 frame:0
TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:24488 (23.9 KiB) TX bytes:2957 (2.8 KiB)
Interrupt:11 Base address:0xd000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:660 (660.0 b) TX bytes:660 (660.0 b)
ppp0 Link encap:Point-to-Point Protocol
inet addr:189.13.139.95 P-t-P:200.217.72.96 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:20362 errors:0 dropped:0 overruns:0 frame:0
TX packets:19011 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:6396971 (6.1 MiB) TX bytes:2066882 (1.9 MiB)
................................................................................................................................
When I run the shell script to insert the rules, all traffic to the Internet is blocked (I haven't tried any traffic from the internal network yet).
In syslog, whenever I try to access a page, this shows up:
................................................................................................................................
Apr 2 02:52:26 localhost kernel: DROPPED:OUTPUT_Desc IN= OUT=ppp0 SRC=189.13.139.95 DST=200.149.55.140 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=51437 DF PROTO=UDP SPT=32813 DPT=53 LEN=42
Apr 2 02:52:26 localhost kernel: DROPPED:PPP-INPUTT_Desc IN= OUT=ppp0 SRC=189.13.139.95 DST=200.149.55.140 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=51437 DF PROTO=UDP SPT=32813 DPT=53 LEN=42
Apr 2 02:52:26 localhost kernel: DROPPED:OUTPUT_Desc IN= OUT=ppp0 SRC=189.13.139.95 DST=200.165.132.147 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=51437 DF PROTO=UDP SPT=32813 DPT=53 LEN=42
Apr 2 02:52:26 localhost kernel: DROPPED:PPP-INPUTT_Desc IN= OUT=ppp0 SRC=189.13.139.95 DST=200.165.132.147 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=51437 DF PROTO=UDP SPT=32813 DPT=53 LEN=42
................................................................................................................................
I know that I'm blocking everything, but what I don't know is exactly what I need to allow.
In syslog it looks like my ppp0 IP is trying to connect to an external IP on port 53, but how can this "outgoing" traffic be handled by the PPP-INPUT chain if that chain only handles input on ppp0?
If anyone can help, I'd appreciate it.
Cheers!
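An added example, not the poster's script: a stateful rewrite of the same layout (LAN 192.168.0.0/24 on eth1, PPPoE on ppp0, default-deny on all three chains), written so that each LOG rule sits on the chain it names, which is what the DROPPED:... prefixes in the syslog excerpt above are meant to tell you. IPT defaults to echo so the rule set prints for review; set IPT=/sbin/iptables to load it.

```shell
#!/bin/sh
# Added example, not the poster's script: stateful firewall/NAT for the same
# layout (LAN 192.168.0.0/24 on eth1, PPPoE on ppp0). IPT defaults to echo so
# the rules are printed for review; set IPT=/sbin/iptables to load them.
IPT=${IPT:-echo}
LAN_IF=eth1; WAN_IF=ppp0; LAN_NET=192.168.0.0/24

fw_rules() {
    # Flush everything, then default-deny on all three chains, as the original does.
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # Loopback is needed by the local resolver and any daemon talking to itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful core: replies to connections already allowed are accepted back,
    # so only the first packet of each flow needs an explicit rule below.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # The firewall host itself: DNS and HTTP(S) out on the PPPoE link.
    $IPT -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Unsolicited traffic arriving on ppp0: rate-limited ICMP only, logged then dropped.
    $IPT -N PPP-INPUT
    $IPT -A INPUT -i $WAN_IF -j PPP-INPUT
    $IPT -A PPP-INPUT -p icmp -m limit --limit 2/s -j ACCEPT
    $IPT -A PPP-INPUT -j LOG --log-prefix "DROPPED:PPP-INPUT "
    $IPT -A PPP-INPUT -j DROP

    # LAN -> firewall for management, LAN -> Internet through FORWARD, NAT on ppp0.
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE

    # Anything left is logged with the name of the chain it actually died in.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A $chain -j LOG --log-prefix "DROPPED:$chain "
        $IPT -A $chain -j DROP
    done
}

fw_rules
```

With the default IPT=echo the output is the exact rule list, so a prefix in syslog can be matched back to the one chain that carries it before anything is loaded.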