Olá galera sou iniciante na area de firewall mas to montando um legalzinho.. Tenho 4 interfaces e 3 redes.. Estou com um probleminha basico que acho que e muito mais macete do que tecnico. Nao consigo fazer com que meu servidor pigue em uma maquina internet visto que antes de chegar a internet ainda temos 1 roteador. O que acontece é o seguinte, pingo num site(under-linux.org), resolve o nome no dns interno mas nao consegue passar os pacotes, daí quando libero a tabela INPUT geral iptables -P INPUT -ACCEPT funciona.... COmo resolver???? Alguem pode me dar um help??? Segue abaixo meu script. Abraços
#INICIANDO AS VARIAVEIS
#GATEWAY DA REDE
gateway="10.2.0.1"
# Interface da INTERNET
linkip="172.31.2.162"
linkif="eth3"
# Interface Laboratorio
labnet="10.1.0.0/16"
labip="10.2.0.1"
labif="eth1"
# Iterface ADM
admnet="10.2.0.0/16"
admip="10.2.0.1"
admif="eth0"
# Interface DIGITACAO
digitanet="192.168.3.0/24"
digitaip="192.168.3.1"
digitaif="eth2"
# Servidores
cavdados="10.2.0.2"
cavlablab="10.1.0.4"
cavlabadm="10.2.0.4"
cavrm="10.2.0.3"
cavnetlab="10.1.0.1"
cavnetadm="10.2.0.1"
cavnetdigita="192.168.3.1"
# Passo 1: Limpando as regras
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
echo "Cleaning all rules .........................[ OK ]"
# Definindo as politicas default das cadeias
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo "Setting default rules.......................[ OK ]"
# Passo 2: Desabilitando o trafego IP entre as placas de rede
#echo "0" > /proc/sys/net/ipv4/ip_forward
echo "Setting ip_forward: OFF.....................[ OK ]"
# Configurando a protecao anti-spoofing
#for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo "1" > $spoofing
#done
echo "Setting anti-spoofing protection............[ OK ]"
# ANTI-ROUTINGREDIRECT
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Setting anti-redirects.....................[ OK ]"
# ANTI-ATACK
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "ANTI-ATACK setting is ON...................[ OK ]"
##################################################
# Iniciando protecao de ENTRADA PARA O SERVIDOR
#################################################
iptables -A INPUT -i lo -j ACCEPT
#Trafego vindo do roteador
#iptables -A INPUT -s $gateway -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A INPUT -s $gateway -j ACCEPT
#PORTA 80
iptables -A INPUT -s $admnet -p tcp --dport 80 -j ACCEPT
#PORTA 22
iptables -A INPUT -s $admnet -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s $digitanet -p tcp --dport 22 -j ACCEPT
#PORTA 10000 - WEBMIN
iptables -A INPUT -s $admnet -p tcp --dport 10000 -j ACCEPT
#PORTA 53 - DNS INTERNO
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
#PORTA 443 - SSL
iptables -A INPUT -s $admnet -p tcp --dport 443 -j ACCEPT
#PORTA 137,138,139 - NETBIOS SAMBA
iptables -A INPUT -s $admnet -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s $admnet -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s $admnet -p tcp --dport 139 -j ACCEPT
#PORTA 901 - MODULO SWAT
iptables -A INPUT -s $admnet -p tcp --dport 901 -j ACCEPT
#PORTA 3128 - SQUID
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
# PACOTES DE CONEXAO ACEITO
#iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#Faz log de invasoes no INPUT e BLOQUEIA
iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT"
iptables -A INPUT -j DROP
echo "Setting rules for INPUT chain................[ OK ]"
###############################################################
#REGRAS MASCARAMENTO###########################################
##############################################################
#Ativando mascaramento (nat)
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.2.0.9 -o $linkadm -j MASQUERADE
echo "Ativando mascaramento para rede ADM.................[ OK ]"
#iptables -t nat -A POSTROUTING -s $digitanet -o $linkif -j MASQUERADE
echo "Ativando mascaramento para rede DIGITACAO...........[ OK ]"
#MASCARAMENTOS ESPECIAIS
#BIBLIOTECA
#iptables -t nat -A POSTROUTING -s 10.1.5.10 -o $linkif -j MASQUERADE
#SETED
#iptables -t nat -A POSTROUTING -s 10.1.5.50 -o $linkif -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.1.6.0/16 -o $linkif -j MASQUERADE
##############################################################
# REGRAS FORWARD
###############################################################
#PORTA 3128 - Aceita SQUID
#Rede ADM
#iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 3128 -j ACCEPT
#Rede Lab
#iptables -A FORWARD -s $labnet -o $linkif -p tcp --dport 3128 -j ACCEPT
#Rede Digita
#iptables -A FORWARD -s $digitanet -o linkif -p tcp --dport 3128 -j ACCEPT
#PORTA 53 - DNS EXTERNO
iptables -A FORWARD -s $admnet -o $linkif -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p udp --dport 53 -j ACCEPT
#PORTA 110 - POP3
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 110 -j ACCEPT
#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 110 -j ACCEPT
#PORTA 25 - SMTP
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 25 -j ACCEPT
#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 25 -j ACCEPT
#PORTA 443 - https
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 443 -j ACCEPT
#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 443 -j ACCEPT
#PORTA 995 - SSL
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 995 -j ACCEPT
#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 995 -j ACCEPT
#PORTA 21 - FTP
#ADM
iptables -A FORWARD -s $admnet -o $linkif -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i $linkif -d $admnet -p tcp --dport 21 -j ACCEPT
#DIGITA
iptables -A FORWARD -s $digitanet -o $linkif -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i $linkif -d $digitanet -p tcp --dport 21 -j ACCEPT
##TESTE
#iptables -A FORWARD -s 10.2.0.6 -d 10.1.0.100 -j ACCEPT
#iptables -A FORWARD -s 10.1.0.100 -d 10.2.0.6 -j ACCEPT
# SOCKETS VALIDOS NA CONEXAO
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
############################################################
# LIBERANDO TRAFEGO ENTRE AS REDES
###########################################################
#ADM/LAB
#SMB
iptables -A FORWARD -s $admnet -d $labnet -p tcp --dport 137 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p tcp --dport 138 -j ACCEPT
iptables -A FORWARD -s $admnet -d $labnet -p tcp --dport 138 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p tcp --dport 138 -j ACCEPT
iptables -A FORWARD -s $admnet -d $labnet -p tcp --dport 139 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p tcp --dport 139 -j ACCEPT
iptables -A FORWARD -s $admnet -d $labnet -p udp --dport 137 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p udp --dport 138 -j ACCEPT
iptables -A FORWARD -s $admnet -d $labnet -p udp --dport 138 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p udp --dport 138 -j ACCEPT
iptables -A FORWARD -s $admnet -d $labnet -p udp --dport 139 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p udp --dport 139 -j ACCEPT
iptables -A FORWARD -s $admnet -d $labnet -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -s $admnet -d $labnet -j ACCEPT
iptables -A FORWARD -s $labnet -d $admnet -j ACCEPT
#iptables -A FORWARD -s $admnet -p tcp -j ACCEPT
#Habilitando trafego IP
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "Setting ip_forward: ON..........................[ OK ]"
#route add default gw $gateway
echo "Gateway padrao setado............................[ OK ]"
echo "FIREWALL em funcionamento.......................[ OK ]"
exit 0