  #1

    Analysis of iptables rules

    Colleagues, I have been using these rules for 2 years and would like to know where I might be going wrong with them; I use the DROP policy.
    Code:
    # Generated by iptables-save v1.3.5 on Sat Jul 11 14:45:48 2009
    *nat
    :PREROUTING ACCEPT [247:25323]
    :POSTROUTING ACCEPT [7:415]
    :OUTPUT ACCEPT [7:415]

    # System access allowed
    -A PREROUTING -p tcp -d 192.168.0.107 -j ACCEPT
    -A PREROUTING -p tcp -d 192.168.0.138 -j ACCEPT
    -A PREROUTING -p tcp -d 172.16.7.107 -j ACCEPT
    -A PREROUTING -p tcp -d 172.16.0.228 -j ACCEPT

    -A PREROUTING -p tcp -d 172.16.11.121 -j ACCEPT
    -A PREROUTING -p tcp -d 172.16.4.181 -j ACCEPT

    # Blocking access to the system
    -A PREROUTING -p tcp -d 192.168.0.137 -j ACCEPT
    -A PREROUTING -p tcp -d 192.168.0.139 -j ACCEPT

    # Redirecting to msn-proxy
    #-A PREROUTING -i eth0 -p tcp --dport 1863 -j REDIRECT --to-port 1863
    #-A PREROUTING -i eth2 -p tcp --dport 1863 -j REDIRECT --to-port 1863

    # Caixa Conectividade

    -A PREROUTING -i eth0 -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 1994
    -I PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
    -I PREROUTING -p tcp -d 200.223.0.0 -j ACCEPT
    -A PREROUTING -p tcp -s 172.16.0.0 --dport 80 -d 200.201.174.207 -j RETURN
    -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
    #-A PREROUTING -i eth2 -p tcp --dport 22 -j REDIRECT --to-port 754

    # Redirecting everything to Squid
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1994
    -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1994

    # Sharing the Internet
    -A POSTROUTING -o ppp0 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -o eth1 -j MASQUERADE
    -A POSTROUTING -o eth2 -j MASQUERADE

    COMMIT
    # Completed on Sat Jul 11 14:45:48 2009
    # Generated by iptables-save v1.3.5 on Sat Jul 11 14:45:48 2009
    *filter

    :INPUT DROP [3:287]
    :FORWARD DROP [216:10833]
    :OUTPUT DROP [14:1170]

    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Local network
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -i eth2 -j ACCEPT
    #-A INPUT -i ppp0 -j ACCEPT

    # Internet
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    # Allow msn-proxy
    -A INPUT -p tcp --dport 25000:30000 -s 172.16.4.0/22 -j ACCEPT

    # Conectividade Social

    -I FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
    -I FORWARD -p tcp -d 200.223.0.0 -j ACCEPT
    #-A FORWARD -s tcp -d 200.201.174.204 --dport 2631 -j ACCEPT
    #-A FORWARD -s tcp -d 200.201.174.204 --dport 80 -j ACCEPT
    #-A FORWARD -s tcp -d 200.201.174.207 --dport 80 -j ACCEPT
    -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT

    # Ping of Death
    -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

    # Against SYN flood
    -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 9666 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 9666 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9666 -j ACCEPT

    # Protection against worms
    -A FORWARD -p tcp --dport 135 -i $I_LAN -j DROP

    # Allow Paygo
    -A FORWARD -p udp --dport 500 -j ACCEPT
    -A OUTPUT -p udp --dport 500 -j ACCEPT
    -A INPUT -p udp --dport 500 -j ACCEPT
    -A FORWARD -p udp --dport 4500 -j ACCEPT
    -A INPUT -p udp --dport 4500 -j ACCEPT
    -A OUTPUT -p udp --dport 4500 -j ACCEPT

    #-A FORWARD -p udp --dport 500 -j ACCEPT
    #-A FORWARD -p udp --dport 4500 -j ACCEPT
    #-A FORWARD -p udp --dport 10000 -j ACCEPT

    # Ping
    -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Ping
    -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

    # Allowing MSN
    -A FORWARD -p tcp -m tcp --dport 1863 -j ACCEPT

    #-A FORWARD -d 67.215.65.132 -p tcp --dport 443 -j ACCEPT
    #-A FORWARD -i eth0 -d wwwss.bradesco.com.br -p tcp --dport 443 -j

    # Allow Internet and the system

    # Internet
    -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT

    # DNS firewall
    -A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT

    # Caixa Economica

    -A FORWARD -p tcp -m tcp --dport 2681 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 2631 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2631 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 2631 -j ACCEPT

    # Allow sending and receiving e-mail
    # Receiving
    -A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
    # Sending
    -A FORWARD -p tcp -m tcp --dport 465 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 945 -j ACCEPT

    # Allow remote connections (Terminal Server, VNC and PuTTY)
    # Remote access and mapping
    -A INPUT -p tcp --dport 3389 -j ACCEPT
    -A INPUT -p udp --dport 3389 -j ACCEPT
    -A FORWARD -p tcp --dport 3389 -j ACCEPT
    -A FORWARD -p udp --dport 3389 -j ACCEPT
    -A OUTPUT -p tcp --dport 3389 -j ACCEPT
    -A OUTPUT -p udp --dport 3389 -j ACCEPT

    # Telnet
    -A FORWARD -p tcp --dport 23 -j ACCEPT
    -A FORWARD -p udp --dport 23 -j ACCEPT
    -A INPUT -p tcp --dport 23 -j ACCEPT
    -A INPUT -p udp --dport 23 -j ACCEPT
    -A OUTPUT -p tcp --dport 23 -j ACCEPT
    -A OUTPUT -p udp --dport 23 -j ACCEPT

    # MySQL

    -A FORWARD -p tcp --dport 3306 -j ACCEPT
    -A FORWARD -p udp --dport 3306 -j ACCEPT
    -A INPUT -p tcp --dport 3306 -j ACCEPT
    -A INPUT -p udp --dport 3306 -j ACCEPT
    -A OUTPUT -p tcp --dport 3306 -j ACCEPT
    -A OUTPUT -p udp --dport 3306 -j ACCEPT

    # Audit VPN

    -A INPUT -p tcp --dport 4500 -j ACCEPT
    -A INPUT -p udp --dport 4500 -j ACCEPT
    -A FORWARD -p tcp --dport 4500 -j ACCEPT
    -A FORWARD -p udp --dport 4500 -j ACCEPT
    -A OUTPUT -p tcp --dport 4500 -j ACCEPT
    -A OUTPUT -p udp --dport 4500 -j ACCEPT

    -A FORWARD -p udp --dport 161 -j ACCEPT
    -A INPUT -p udp --dport 137 -j ACCEPT
    -A INPUT -p udp --dport 138 -j ACCEPT
    -A FORWARD -p udp --dport 139 -j ACCEPT
    -A FORWARD -p udp --dport 137 -j ACCEPT
    -A FORWARD -p udp --dport 138 -j ACCEPT
    -A FORWARD -p tcp --dport 139 -j ACCEPT
    -A INPUT -p udp --dport 137 -j ACCEPT
    -A INPUT -p udp --dport 138 -j ACCEPT
    -A INPUT -p udp --dport 139 -j ACCEPT
    -A INPUT -p tcp --dport 445 -j ACCEPT
    -A INPUT -p udp --dport 445 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 137 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 138 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 139 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 445 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 389 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 445 -j ACCEPT

    # VPN

    -A INPUT -p tcp --dport 1723 -j ACCEPT
    -A INPUT -p udp --dport 1723 -j ACCEPT
    -A FORWARD -p tcp --dport 1723 -j ACCEPT
    -A FORWARD -p udp --dport 1723 -j ACCEPT
    -A OUTPUT -p tcp --dport 1723 -j ACCEPT
    -A OUTPUT -p udp --dport 1723 -j ACCEPT

    # Allowing external networks
    -A FORWARD -d 10.101.0.0/24 -j ACCEPT
    -A FORWARD -d 10.102.0.0/24 -j ACCEPT
    -A FORWARD -d 10.103.0.0/24 -j ACCEPT
    -A FORWARD -d 10.104.0.0/24 -j ACCEPT
    # FTP
    -A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

    -A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # VNC
    -A FORWARD -p tcp -m tcp --dport 4901 -j ACCEPT

    # PuTTY
    #-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 754 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 754 -j ACCEPT

    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Local network
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o eth0 -j ACCEPT
    -A OUTPUT -o eth1 -j ACCEPT
    -A OUTPUT -o eth2 -j ACCEPT
    #-A OUTPUT -o ppp0 -j ACCEPT

    # Internet
    -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

    # Ping
    -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    COMMIT
    # Completed on Sat Jul 11 14:45:48 2009
    # Generated by webmin
    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed

  #2, demattos (IT Support Analyst, Criciuma/SC)

    Re: Analysis of iptables rules

    But answer this: what exactly do you want to know about the rules? What error is occurring?

  #3

    Re: Analysis of iptables rules

    There is no failure occurring anymore; I would like an analysis of the rules to see whether I am failing on security.
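The kind of automated first pass a reviewer could run over a dump like the one in post #1 before answering the security question in post #3, as an added example that is not part of the thread and not the poster's own configuration: a small Python checker for iptables-save text that flags ACCEPT rules on sensitive ports that carry no `-i` or `-s` restriction inside a DROP-policy chain, saved rules that still contain an unexpanded shell variable (the `$I_LAN` case), and rules that appear more than once. The embedded ruleset is a constructed excerpt modelled on the post, not the full dump.

```python
import re
from collections import Counter

# Constructed sample in iptables-save format, modelled on post #1 (excerpt, not the full dump).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A FORWARD -p tcp --dport 135 -i $I_LAN -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Ports where an unrestricted ACCEPT in a DROP-policy chain deserves a second look.
SENSITIVE_PORTS = {23: "telnet", 3306: "mysql", 3389: "rdp", 445: "smb", 139: "netbios"}

# -A/-I <chain> <match options> -j <target> [target options]
RULE_RE = re.compile(r"^-[AI]\s+(\S+)\s+(.*?)-j\s+(\S+)(?:\s.*)?$")

def parse_rules(text):
    """Return (chain, match-options, target) for every -A/-I line; skip headers and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "*", ":", "COMMIT")):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2).strip(), m.group(3)))
    return rules

def audit(text):
    """List findings: unrestricted ACCEPTs on sensitive ports, unexpanded variables, duplicates."""
    findings = []
    rules = parse_rules(text)
    for chain, opts, target in rules:
        if "$" in opts:
            findings.append(f"{chain}: unexpanded shell variable in saved rule: {opts}")
        port = re.search(r"--dport\s+(\d+)\b", opts)
        restricted = re.search(r"(^|\s)-[is]\s", opts)  # -i <iface> or -s <addr> present
        if target == "ACCEPT" and port and not restricted and chain in ("INPUT", "FORWARD"):
            p = int(port.group(1))
            if p in SENSITIVE_PORTS:
                findings.append(f"{chain}: {SENSITIVE_PORTS[p]} ({p}) accepted from any source/interface")
    for rule, n in Counter(rules).items():
        if n > 1:
            findings.append(f"{rule[0]}: duplicate rule ({n}x): {rule[1]} -j {rule[2]}")
    return findings
```

Run `audit(open("rules.txt").read())` against a real dump to get the same list; a rule that is only reachable after an earlier interface-wide ACCEPT (such as `-A INPUT -i eth0 -j ACCEPT`) is still reported, since it matters for traffic on any other interface.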