


  1. #1
    hellmans
    Guest

    Network Blocking, Access Problems

    Well, here goes another headache, friends, hehehe

    I had posted the "NETBIOS blah blah" thread,
    but what I actually saw was a real mess!
    Here it is:

    ##################################
    # Block access between networks  #
    ##################################
    #iptables -t filter -A FORWARD -d 192.168.100.0/24 -s 192.168.0.0/24 -j ACCEPT
    #iptables -t filter -A FORWARD -d 192.168.0.0/24 -s 192.168.100.0/24 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.1.0/24 -s 192.168.1.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.2.0/24 -s 192.168.2.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.3.0/24 -s 192.168.3.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.4.0/24 -s 192.168.4.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.5.0/24 -s 192.168.5.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.6.0/24 -s 192.168.6.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.7.0/24 -s 192.168.7.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.8.0/24 -s 192.168.8.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.9.0/24 -s 192.168.9.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.10.0/24 -s 192.168.10.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.11.0/24 -s 192.168.11.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.12.0/24 -s 192.168.12.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.13.0/24 -s 192.168.13.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.14.0/24 -s 192.168.14.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.15.0/24 -s 192.168.15.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.16.0/24 -s 192.168.16.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.17.0/24 -s 192.168.17.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.18.0/24 -s 192.168.18.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.19.0/24 -s 192.168.19.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.20.0/24 -s 192.168.20.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -d 192.168.100.0/24 -s 192.168.100.0/24 -p tcp --dport 137 -j ACCEPT
    #iptables -t filter -A INPUT -p tcp --dport 137 -j DROP

    # the kernel applies the /8 mask, so 192.168.0.0/8 is really 192.0.0.0/8 and
    # matches any 192.x.x.x pair; the second line is the same rule with -d and -s swapped
    iptables -t filter -A FORWARD -d 192.168.0.0/8 -s 192.168.0.0/8 -j DROP
    iptables -t filter -A FORWARD -s 192.168.0.0/8 -d 192.168.0.0/8 -j DROP



    I tried all of these iptables rules: commented out, uncommented, on their own, inverted every way..
    but the NetBIOS problem is more advanced on Conectiva 10; this iptables and these network-blocking rules didn't work,

    because I'm on network 192.168.10.10 (my IP on Windows), I ping 192.168.4.1 and it answers,
    and if on Windows I map a drive with net use z: \\192.168.4.1\c it connects!!

    Traffic between the networks is not being blocked.
    Do you think it's the iptables version? Because on Conectiva 9 it worked with just
    iptables -t filter -A FORWARD -d 192.168.0.0/8 -s 192.168.0.0/8 -j DROP

    and that's it..
    Waiting for replies,
    thanks

  2. #2
    Guest

    But from what I saw there it's -j ACCEPT.
    And instead of using /24, use /16.

  3. #3
    hellmans
    Guest

    Sorry,
    but I gave you two wrong lines,
    the first ones:
    #iptables -t filter -A FORWARD -d 192.168.100.0/24 -s 192.168.0.0/24 -j ACCEPT
    #iptables -t filter -A FORWARD -d 192.168.0.0/24 -s 192.168.100.0/24 -j ACCEPT

    They aren't part of this case;
    it's another case, the radio links I handle here.
    Sorry about that.

  4. #4

    In my case, here at the company, I disabled the IPX protocol; so far so good, but if your network needs it, then you're out of luck hehehe.

    Instead of INPUT, use FORWARD.

  5. #5

    If it's still pinging, it really is a problem with the iptables rules!!
    Look at the script below, it solved 100% of my problems of the kind you're describing!!
    Another important thing is to block NetBIOS and also the port Windows uses to transfer files when sharing is enabled, in this case port 445; it's well covered below!!
    I left out the comments so it wouldn't be so gigantic!!


    # drops every forwarded packet whose source and destination are both in
    # 192.0.0.0/8 (all of 192.x.x.x, far wider than the private 192.168.0.0/16)
    iptables -t filter -A FORWARD -d 192.0.0.0/8 -s 192.0.0.0/8 -j DROP

    # -m unclean was an experimental 2.4-era module; on later kernels this line fails to load
    iptables -A FORWARD -m unclean -j DROP
    # rate limits: an ACCEPT with -m limit only throttles if a later rule or the
    # chain policy drops what exceeds the limit (the echo-request pair below does that)
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    # no multicast/broadcast hairpinned back out of the same LAN interface
    iptables -A FORWARD -i eth0 -o eth0 -m pkttype --pkt-type multicast -j DROP
    iptables -A FORWARD -i eth0 -o eth0 -m pkttype --pkt-type broadcast -j DROP


    iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    # UDP 33435-33525 is the destination port range used by traceroute probes
    iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
    iptables -A INPUT -m state --state INVALID -j DROP


    # NetBIOS (135-139) and SMB over TCP (445): dropped by source port in
    # FORWARD, INPUT and OUTPUT, then by destination port in INPUT and OUTPUT
    iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 135 -j DROP
    iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 136 -j DROP
    iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 137 -j DROP
    iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 138 -j DROP
    iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 139 -j DROP
    iptables -A FORWARD -p tcp -d 0.0.0.0/0 --sport 445 -j DROP

    iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 135 -j DROP
    iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 136 -j DROP
    iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 137 -j DROP
    iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 138 -j DROP
    iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 139 -j DROP
    iptables -A FORWARD -p udp -d 0.0.0.0/0 --sport 445 -j DROP

    iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 135 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 136 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 137 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 138 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 139 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --sport 445 -j DROP

    iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 135 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 136 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 137 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 138 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 139 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --sport 445 -j DROP

    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 135 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 136 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 137 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 138 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 139 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 445 -j DROP

    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 135 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 136 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 137 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 138 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 139 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --sport 445 -j DROP

    iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 135 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 136 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 137 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 138 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 139 -j DROP
    iptables -A INPUT -p tcp -d 0.0.0.0/0 --dport 445 -j DROP

    iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 135 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 136 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 137 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 138 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 139 -j DROP
    iptables -A INPUT -p udp -d 0.0.0.0/0 --dport 445 -j DROP

    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 135 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 136 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 137 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 138 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 139 -j DROP
    iptables -A OUTPUT -p tcp -d 0.0.0.0/0 --dport 445 -j DROP

    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 135 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 136 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 137 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 138 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 139 -j DROP
    iptables -A OUTPUT -p udp -d 0.0.0.0/0 --dport 445 -j DROP

    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter   # reverse-path filter against spoofed sources
    echo 1 > /proc/sys/net/ipv4/ip_forward             # enable routing between interfaces

    # masquerade only the listed hosts out of eth1 (the Internet side)
    iptables -t nat -A POSTROUTING -s 192.168.145.2 -o eth1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.168.145.3 -o eth1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.168.145.4 -o eth1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.168.145.5 -o eth1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.165.65.2 -o eth1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.164.78.2 -o eth1 -j MASQUERADE

  6. #6
    hellmans
    Guest

    Thanks, guys,
    now I got it working,
    but actually it was a different problem.
    I'll paste my rc.local here:

    #################
    # Load modules  #
    #################
    modprobe via-rhine
    modprobe iptable_nat
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ipt_REJECT
    modprobe ipt_MASQUERADE

    ################################
    # Enable routing in the kernel #
    ################################
    echo "1" > /proc/sys/net/ipv4/ip_forward

    ##################################
    # Protection against IP spoofing #
    ##################################
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

    ###############
    # Flush rules #
    ###############
    iptables -F
    iptables -X
    iptables -F -t nat
    iptables -X -t nat
    iptables -F -t mangle
    iptables -X -t mangle

    ##########################
    # Set the default policy #
    ##########################
    #iptables -P INPUT DROP
    #iptables -P OUTPUT DROP
    #iptables -P FORWARD DROP

    #############################
    # Drop unwanted TCP packets #
    #############################
    #iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

    ##########################
    # Drop malformed packets #
    ##########################
    # -m unclean was an experimental 2.4-era module; later kernels do not have it
    iptables -A INPUT -i eth0 -m unclean -j DROP

    #################################################
    # Accept the packets that really should come in #
    #################################################
    #iptables -A INPUT -i ! eth0 -j ACCEPT
    #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
    #iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

    #############################
    # Protection against trinoo #
    #############################
    iptables -N TRINOO
    iptables -A TRINOO -j DROP
    iptables -A INPUT -p TCP -i eth0 --dport 27444 -j TRINOO
    iptables -A INPUT -p TCP -i eth0 --dport 27665 -j TRINOO
    iptables -A INPUT -p TCP -i eth0 --dport 31335 -j TRINOO
    iptables -A INPUT -p TCP -i eth0 --dport 34555 -j TRINOO
    iptables -A INPUT -p TCP -i eth0 --dport 35555 -j TRINOO

    ##############################
    # Protection against trojans #
    ##############################
    iptables -N TROJAN
    iptables -A TROJAN -j DROP
    iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
    iptables -A INPUT -p TCP -i eth0 --dport 4000 -j TROJAN
    iptables -A INPUT -p TCP -i eth0 --dport 6000 -j TROJAN
    iptables -A INPUT -p TCP -i eth0 --dport 6006 -j TROJAN
    iptables -A INPUT -p TCP -i eth0 --dport 16660 -j TROJAN

    ############################
    # Protection against worms #
    ############################
    iptables -A FORWARD -p tcp --dport 135 -i eth1 -j REJECT

    ################################
    # Protection against syn-flood #
    ################################
    # only throttles if a later rule or the FORWARD policy drops the excess SYNs
    iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

    ####################################
    # Protection against ping of death #
    ####################################
    # same remark: an ACCEPT with -m limit needs a DROP behind it to have any effect
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    ####################################
    # Protection against port scanners #
    ####################################
    iptables -N SCANNER
    iptables -A SCANNER -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth0 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth0 -j SCANNER

    #################################
    # Block access between networks #
    #################################
    iptables -t filter -A FORWARD -d 192.0.0.0/8 -s 192.0.0.0/8 -j DROP


    The rest isn't part of this, so I took it out, but the lines I commented out
    are where it was tripping me up and I hadn't noticed; only by testing it that way did I get it working!
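What hellmans ran into in posts #1 and #6 comes down to how the filter table is walked: a packet routed between two LANs only traverses FORWARD, never INPUT, and within a chain the first matching terminal rule decides, so a blanket ACCEPT appended ahead of the LAN-to-LAN DROP makes that DROP unreachable. The Python below is an added example, not code from the thread or from Conectiva; it models just enough of iptables to reproduce those situations, plus the point that a chain which only drops adds nothing over a DROP default policy. The gateway addresses, the 203.0.113.x hosts and the rule order are constructed for the demonstration.

```python
"""Added example, not from the thread: a first-match model of the iptables
filter table (INPUT vs FORWARD, rule order, user chains, default policy)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    state: str = "NEW"                      # conntrack state, as -m state sees it


@dataclass
class Rule:
    target: str                             # ACCEPT/DROP/REJECT or a user chain
    src: str = "0.0.0.0/0"                  # -s
    dst: str = "0.0.0.0/0"                  # -d
    proto: Optional[str] = None             # -p
    dport: Optional[int] = None             # --dport
    states: Tuple[str, ...] = ()            # -m state --state A,B (empty: not used)

    def matches(self, p: Packet) -> bool:
        # strict=False mirrors the kernel, which masks "192.168.0.0/8" to 192.0.0.0/8
        def in_net(ip, cidr):
            return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and (not self.states or p.state in self.states))


class Firewall:
    def __init__(self, local_ips):
        self.local_ips = set(local_ips)     # addresses owned by the Linux box itself
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

    def add(self, chain, rule):             # iptables -A chain ... (-N for a new chain)
        self.chains.setdefault(chain, []).append(rule)

    def walk(self, chain, p):
        """First matching terminal rule wins; an exhausted user chain RETURNs."""
        for rule in self.chains[chain]:
            if rule.matches(p):
                verdict = rule.target if rule.target in TERMINAL else self.walk(rule.target, p)
                if verdict is not None:
                    return verdict
        return self.policy.get(chain)       # None for user chains, i.e. RETURN

    def verdict(self, p):
        # Packets addressed to the box traverse INPUT; packets routed through it
        # traverse FORWARD, so INPUT rules never see LAN-to-LAN traffic.
        return self.walk("INPUT" if p.dst in self.local_ips else "FORWARD", p)


GATEWAY = {"192.168.10.1", "192.168.4.254"}                # assumed gateway addresses
SMB = Packet("192.168.10.10", "192.168.4.1", "tcp", 445)   # net use z: \\192.168.4.1\c
WEB = Packet("192.168.10.10", "203.0.113.10", "tcp", 80)   # constructed Internet host
LAN_TO_LAN = Rule("DROP", src="192.168.0.0/8", dst="192.168.0.0/8")
STATEFUL_ACCEPT = Rule("ACCEPT", states=("NEW", "ESTABLISHED", "RELATED"))


def input_rule_only():
    """Post #1's shape: the block lives in INPUT, so the forwarded share still connects."""
    fw = Firewall(GATEWAY)
    fw.add("INPUT", Rule("DROP", proto="tcp", dport=445))
    return fw.verdict(SMB)                  # "ACCEPT"


def accept_shadows_drop():
    """Blanket state ACCEPT appended before the LAN-to-LAN DROP: the DROP is unreachable."""
    fw = Firewall(GATEWAY)
    fw.add("FORWARD", STATEFUL_ACCEPT)
    fw.add("FORWARD", LAN_TO_LAN)
    return fw.verdict(SMB)                  # "ACCEPT"


def drop_first():
    """Same two rules, DROP first: LAN-to-LAN dropped, Internet traffic still flows."""
    fw = Firewall(GATEWAY)
    fw.add("FORWARD", LAN_TO_LAN)
    fw.add("FORWARD", STATEFUL_ACCEPT)
    return fw.verdict(SMB), fw.verdict(WEB)  # ("DROP", "ACCEPT")


def policy_vs_drop_chain():
    """A TRINOO-style chain that only drops gives the same verdict as -P INPUT DROP."""
    probe = Packet("203.0.113.5", "192.168.10.1", "tcp", 27444)
    explicit, by_policy = Firewall(GATEWAY), Firewall(GATEWAY)
    explicit.add("TRINOO", Rule("DROP"))
    explicit.add("INPUT", Rule("TRINOO", proto="tcp", dport=27444))
    by_policy.policy["INPUT"] = "DROP"      # iptables -P INPUT DROP
    return explicit.verdict(probe), by_policy.verdict(probe)  # ("DROP", "DROP")
```

Each function returns the verdict(s) for its scenario. The `strict=False` in `Rule.matches` also reproduces the /8 side effect from the rules above: after masking, 192.168.0.0/8 matches any 192.x.x.x address, private or not, so 192.168.0.0/16 is the tighter spelling when only the RFC 1918 block is meant.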

  7. #7

    Is this a firewall or a bible? HEHE, just kidding

  8. #8
    hellmans
    Guest

    Quote, originally posted by Brenno:
    "Is this a firewall or a bible? HEHE, just kidding"

    And there's a lot more, my friend,
    hahaha

  9. #9

    My filter is about 5 lines and my nat 3 lines, that's why I joked, hehehe.

    My firewall style comes from Red Hat, so I don't need all of that..
    I use Debian and adapted the Red Hat firewall to Debian; it turned out really good. Whoever has the time, I recommend doing the same..

    Cheers

  10. #10
    whinston
    Guest

    Cleaning it up

    Michell, if you want to cut some lines from your firewall, use the syntax 135:139 (a range) instead of specifying 135, 136, 137, 138, 139.
    This FW you posted, I adapted it to my LAN and ran it.. It really is a killer: nothing gets through, not even the Internet, lol. Do you block everything and go out through a proxy?
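whinston's 135:139 suggestion can be taken one step further: `-m multiport --dports 135:139,445` (multiport accepts ranges) folds all six ports into one rule per chain, protocol and direction, turning the 60 rules of post #5 into 10. Before swapping rule sets on a live gateway it is worth proving they match the same packets. The Python below is an added example, not code from the thread: it regenerates the 60 rules from their pattern, writes the compact set, and expands both into (chain, protocol, direction, port, target) tuples so the equivalence is checked mechanically rather than by eye. The same expansion surfaces what the original list never had: FORWARD rules keyed on the destination port, so a forwarded packet aimed at port 445 from an ephemeral source port is only caught when the reply, with source port 445, comes back through the box.

```python
"""Added example, not from the thread: regenerate the 60 NetBIOS/SMB DROP
rules of post #5, write the multiport equivalent, and prove both expand
to the same matches before loading anything."""
import re
from itertools import product

PROTOS = ("tcp", "udp")
PORTS = (135, 136, 137, 138, 139, 445)
# (chain, direction) pairs that post #5 actually enumerates; note: no FORWARD/dport
COMBOS = (("FORWARD", "s"), ("INPUT", "s"), ("OUTPUT", "s"), ("INPUT", "d"), ("OUTPUT", "d"))
RULE_RE = re.compile(r"-A (?P<chain>\S+) -p (?P<proto>\S+) .*?--(?P<dir>[sd])ports? "
                     r"(?P<ports>\S+) -j (?P<target>\S+)")


def verbose_rules():
    """One rule per chain/protocol/direction/port, as in the original post (60 lines)."""
    return [f"iptables -A {c} -p {p} -d 0.0.0.0/0 --{d}port {port} -j DROP"
            for (c, d), p, port in product(COMBOS, PROTOS, PORTS)]


def compact_rules():
    """Same matches using a range plus multiport (10 lines)."""
    return [f"iptables -A {c} -p {p} -m multiport --{d}ports 135:139,445 -j DROP"
            for (c, d), p in product(COMBOS, PROTOS)]


def expand_ports(spec):
    """'135:139,445' -> {135, 136, 137, 138, 139, 445}; a plain '--dport 137' works too."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def match_set(lines):
    """Normalise each rule to (chain, proto, direction, port, target) tuples."""
    tuples = set()
    for line in lines:
        m = RULE_RE.search(line)
        if m is None:
            raise ValueError(f"unparsed rule: {line}")
        for port in expand_ports(m["ports"]):
            tuples.add((m["chain"], m["proto"], m["dir"], port, m["target"]))
    return tuples


def uncovered():
    """Chain/proto/direction/port combinations the original list never drops."""
    everything = {(c, p, d, port, "DROP")
                  for c, p, d, port in product(("INPUT", "FORWARD", "OUTPUT"), PROTOS, "sd", PORTS)}
    return sorted(everything - match_set(verbose_rules()))


if __name__ == "__main__":
    assert match_set(verbose_rules()) == match_set(compact_rules())
    print("\n".join(compact_rules()))
    print("not covered by the original list:", uncovered())
```

The check is deliberately done on expanded tuples rather than on the command text, so it keeps working if someone later mixes `--dport 135:139` without multiport and a separate 445 rule; any rule the parser does not understand raises instead of being silently ignored.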

  11. #11
    Danilo_Montagna
    Guest

    Dear hellmans,

    You can remove many lines from your script that, in my view, have no effect at all...

    For example...

    Why do you use rules and create new chains with -j DROP if your default policy already does that?

    There's no need to keep dropping packets in rules when the policy will by default already do that to any packet not accepted by some rule in the chain...

    Regards