Olá pessoal.
Tenho um servidor RedHat9, com o firewall e roteamento do iptables.
Neste servidor tenho duas placas de rede:
eth_net=200.200.200.200 (eth1)
eth_local=192.168.0.1 (eth0)
Seguinte:
da rede local eu pingo o servidor
do servidor eu pingo a rede local
do servidor eu pingo a internet
da rede local eu NÃO PINGO a internet
Já revisei as regras do IPTABLES. Estas mesmas regras estao funcionando em outro servidor (identico). Talvez esqueci de instalar algo.
Vejam o script:
########################################################################
### Script de Firewall Utilizando IPTABLES ###
### Data: 02/09/2004 ###
########################################################################
### Variaveis ###
ipt=/sbin/iptables
modl=/sbin/modprobe
eth_local=eth0
eth_net=eth1
rede_local=192.168.0.0.0/24
rede_lan=192.168.0.
ip_saida=200.200.200.200
### Carregando os Modulos ###
$modl iptable_nat
$modl ip_tables
$modl ip_nat_ftp
$modl ip_conntrack
$modl ip_conntrack_ftp
$modl iptable_filter
$modl ipt_MASQUERADE
### Limpa Regras ### (-F = Flush)
$ipt -F
$ipt -t nat -F
$ipt -F INPUT
$ipt -F FORWARD
$ipt -F OUTPUT
### Determina a politica padrao ### (-P)
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
### Habilitando Roteamento IP ###
echo 1 > /proc/sys/net/ipv4/ip_forward
### Iniciando o Regras de Filtragem ###
$ipt -t filter -P INPUT ACCEPT
$ipt -t filter -P FORWARD ACCEPT
$ipt -t filter -P OUTPUT ACCEPT
### Regras NAT ###
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
### Habilitando a Protecao conta diversos ataques ###
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
$ipt -A INPUT -m limit --limit 3/minute --limit-burst 1 -j LOG \
--log-level DEBUG --log-prefix "FIREWALL: Tempo Esg: "
$ipt -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
$ipt -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
### Regras do Firewall ###
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $eth_local -j ACCEPT
$ipt -A INPUT -i ALL -p icmp -m limit --limit 1/s -j ACCEPT
$ipt -A INPUT -i ALL -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -i ALL -p tcp --dport 53 -j ACCEPT
$ipt -A INPUT -i ALL -p udp --dport 53 -j ACCEPT
$ipt -A INPUT -i ALL -p tcp --dport 25 -j ACCEPT
$ipt -A INPUT -i ALL -p tcp --dport 110 -j ACCEPT
$ipt -A INPUT -i ALL -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -i ALL -p tcp --dport 443 -j ACCEPT
$ipt -A INPUT -i $eth_net -p tcp --dport 137 -j DROP
$ipt -A INPUT -i $eth_net -p tcp --dport 138 -j DROP
$ipt -A INPUT -i $eth_net -p tcp --dport 139 -j DROP
### Barrando P2P ###
#$ipt -A FORWARD -d 216.35.208.0/24 -j REJECT
#$ipt -A FORWARD -d 213.248.112.0/24 -j REJECT
#$ipt -A FORWARD -p tcp --dport 1214 -j REJECT
#$ipt -A FORWARD -p tcp --dport 4661:4662 -j REJECT
#$ipt -A FORWARD -p udp --dport 4665 -j REJECT
### Barrando MSN Messenger ###
#for x in `seq 2 254`; do
#$ipt -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 1863 -j DROP
#$ipt -A OUTPUT -s $rede_local -p tcp --dport 1863 -j DROP
#$ipt -A OUTPUT -s $ip_saida -p tcp -d messenger.hotmail.com -j DROP
### Proxy Transparente Squid ####
#for j in `seq 2 254`; do
$ipt -t nat -A PREROUTING -i $eth_local -s $rede_local -p tcp --dport 80 -j REDIRECT --to-port 8080
### Reiniciando Regras Iptables ###
service iptables restart
########################################################################
### Fim do Arquivo ###
########################################################################