+ Responder ao Tópico



  1. #1

    Padrão Firewall que só roda no Conectiva 8

    Galera, boa noite. Estou passando uma situação chata de resolver com o Firewall que roda na empresa. A cerca de 3 anos atrás mais ou menos, o cpd era terceirizado. Foi instalado na época um servidor Conectiva Linux 8, com firewall, squid e roda perfeito. Os usuários acessam o que podem, etc. Mas agora recentemente, o pc onde está instalado esse firewall foi para o espaço, dando muitos problemas, até que compramos um pc novo que é um Pentium 4, com 256 mb de memória, 40 gb de hd.
    Instalei o Conectiva 10 até para ficar mais atualizado. Copiei o arquivo onde está o script do firewall que roda no Conectiva 8. Mas estranhamente os usuários windows, começaram a reclamar de coisas que rodavam que não rodam mais. Tipo sites de Bancos que acessam, agora fica o Java rodando e nada. Outlook Express que o pop e smtp era configurado para puxar da uol , yahoo, bol, etc e agora não funciona mais.
    Eu confesso que ainda não entendo legal de regras iptables. Procuro ler para aprender, mas não é um aprendizado assim tão simples.
    A nossa rede é com ip fixo da BrasilTelecom e o modem Alcatel Speed Touch Pro, foi configurado para deixar todas as portas abertas. O firewall instalado por terceiros é que determina as regras do que pode ou não trafegar na rede.
    Eu estou enviando o nosso script do firewall para quem puder, dar uma analisada e dar um retorno, do que pode estar acontecendo.
    Infelizmente é um arquivo bem gigante. Quando vejo alguns scripts de firewall aqui no Underlinux, me dá vontade de tentar instalar, mas sei lá se vai dar mais problemas. Estou enviando o nosso script do firewall , e nem sei se pelo tamanho , se posso enviar.
    Inclusive enquanto não consigo resolver o que está acontecendo , eu voltei para o servidor antigo que está com o Conectiva 8 e voltou tudo a funcionar perfeito.
    Mas vamos lá ........


    #!/bin/sh
    #
    #
    #
    echo .
    echo "Carregando as regras do Firewall !!! ... "
    echo .
    #
    ###############################################################################
    #
    # Local Settings
    #

    # sysctl location. If set, it will use sysctl to adjust the kernel parameters.
    # If this is set to the empty string (or is unset), the use of sysctl
    # is disabled.

    SYSCTL="/sbin/sysctl -w"

    # To echo the value directly to the /proc file instead
    # SYSCTL=""

    # IPTables Location - adjust if needed

    IPT="/usr/sbin/iptables"
    IPTS="/sbin/iptables-save"
    IPTR="/sbin/iptables-restore"

    # Internet Interface
    INET_IFACE="eth0"
    INET_ADDRESS="10.0.0.100"

    # Local Interface Information
    LOCAL_IFACE1="eth1"
    LOCAL_IP1="192.168.1.1"
    LOCAL_NET1="192.168.1.0/24"
    LOCAL_BCAST1="192.168.1.255"

    LOCAL_IFACE2="eth2"
    LOCAL_IP2="192.168.50.1"
    LOCAL_NET2="192.168.50.0/24"
    LOCAL_BCAST2="192.168.50.255"

    # Localhost Interface

    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    # Save and Restore arguments handled here
    if [ "$1" = "save" ]
    then
    # echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    echo -n "Salvando Firewall para /etc/sysconfig/iptables !!! ..."
    $IPTS > /etc/sysconfig/iptables
    # echo "done"
    echo "Terminado !!! ..."
    exit 0
    elif [ "$1" = "restore" ]
    then
    # echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    echo -n "Restaurando Firewall de /etc/sysconfig/iptables !!! ... "
    $IPTR < /etc/sysconfig/iptables
    # echo "done"
    echo "Terminado !!! ..."
    exit 0
    fi

    ###############################################################################
    #
    # Load Modules
    #

    #echo "Loading kernel modules ..."

    echo "Carregando os modulos do kernel !!! ... "

    # You should uncomment the line below and run it the first time just to
    # ensure all kernel module dependencies are OK. There is no need to run
    # every time, however.

    # /sbin/depmod -a

    # Unless you have kernel module auto-loading disabled, you should not
    # need to manually load each of these modules. Other than ip_tables,
    # ip_conntrack, and some of the optional modules, I've left these
    # commented by default. Uncomment if you have any problems or if
    # you have disabled module autoload. Note that some modules must
    # be loaded by another kernel module.

    # core netfilter module
    /sbin/modprobe ip_tables

    # the stateful connection tracking module
    /sbin/modprobe ip_conntrack

    # filter table module
    /sbin/modprobe iptable_filter

    # mangle table module
    /sbin/modprobe iptable_mangle

    # nat table module
    /sbin/modprobe iptable_nat

    # LOG target module
    /sbin/modprobe ipt_LOG

    # This is used to limit the number of packets per sec/min/hr
    /sbin/modprobe ipt_limit

    # masquerade target module
    /sbin/modprobe ipt_MASQUERADE

    # filter using owner as part of the match
    /sbin/modprobe ipt_owner

    # REJECT target drops the packet and returns an ICMP response.
    # The response is configurable. By default, connection refused.
    /sbin/modprobe ipt_REJECT

    # This target allows packets to be marked in the mangle table
    /sbin/modprobe ipt_mark

    # This target affects the TCP MSS
    /sbin/modprobe ipt_tcpmss

    # This match allows multiple ports instead of a single port or range
    # /sbin/modprobe multiport

    # This match checks against the TCP flags
    /sbin/modprobe ipt_state

    # This match catches packets with invalid flags
    #/sbin/modprobe ipt_unclean

    # The ftp nat module is required for non-PASV ftp support
    /sbin/modprobe ip_nat_ftp

    # the module for full ftp connection tracking
    /sbin/modprobe ip_conntrack_ftp

    # the module for full irc connection tracking
    /sbin/modprobe ip_conntrack_irc

    # Carrega modulo tun para conexao do OpenVPN
    /sbin/modprobe tun


    ###############################################################################
    #
    # Kernel Parameter Configuration
    #

    # Required to enable IPv4 forwarding.
    # Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
    if [ "$SYSCTL" = "" ]
    then
    echo "1" > /proc/sys/net/ipv4/ip_forward
    else
    $SYSCTL net.ipv4.ip_forward="1"
    fi

    # This enables dynamic address hacking.
    # Set this if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
    #if [ "$SYSCTL" = "" ]
    #then
    # echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    #else
    # $SYSCTL net.ipv4.ip_dynaddr="1"
    #fi

    # This enables source validation by reversed path according to RFC1812.
    # In other words, did the response packet originate from the same interface
    # through which the source packet was sent? It's recommended for single-homed
    # systems and routers on stub networks. Since those are the configurations
    # this firewall is designed to support, I turn it on by default.
    # Turn it off if you use multiple NICs connected to the same network.
    if [ "$SYSCTL" = "" ]
    then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
    fi

    # This option allows a subnet to be firewalled with a single IP address.
    # It's used to build a DMZ. Since that's not a focus of this firewall
    # script, it's not enabled by default, but is included for reference.
    # See: http://www.sjdjweis.com/linux/proxyarp/
    #if [ "$SYSCTL" = "" ]
    #then
    # echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
    #else
    # $SYSCTL net.ipv4.conf.all.proxy_arp="1"
    #fi


    ###############################################################################
    #
    # Flush Any Existing Rules or Chains
    #

    #echo "Flushing Tables ..."

    echo "Limpando as Tabelas !!! ... "

    # Reset Default Policies
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t mangle -P PREROUTING ACCEPT
    $IPT -t mangle -P OUTPUT ACCEPT

    # Flush all rules
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F

    # Erase all non-default chains
    $IPT -X
    $IPT -t nat -X
    $IPT -t mangle -X

    if [ "$1" = "stop" ]
    then
    # echo "Firewall completely flushed! Now running with no firewall."
    echo "Firewall completamente descarregado. Processando agora sem Firewall !!! ..."
    exit 0
    fi

    ###############################################################################
    #
    # Rules Configuration
    #

    ###############################################################################
    #
    # Filter Table
    #
    ###############################################################################

    # Set Policies

    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    ###############################################################################
    #
    # User-Specified Chains
    #
    # Create user chains to reduce the number of rules each packet
    # must traverse.

    #echo "Create and populate custom rule chains ..."

    echo "Criando e customizando as regras !!! ... "

    # Create a chain to filter INVALID packets

    $IPT -N bad_packets

    # Create another chain to filter bad tcp packets

    $IPT -N bad_tcp_packets

    # Create separate chains for icmp, tcp (incoming and outgoing),
    # and incoming udp packets.

    $IPT -N icmp_packets

    # Used for UDP packets inbound from the Internet
    $IPT -N udp_inbound

    # Used to block outbound UDP services from internal network
    # Default to allow all
    $IPT -N udp_outbound

    # Used to allow inbound services if desired
    # Default fail except for established sessions
    $IPT -N tcp_inbound

    # Used to block outbound services from internal network
    # Default to allow all
    $IPT -N tcp_outbound

    ###############################################################################
    #
    # Populate User Chains
    #
    # bad_packets chain
    #
    # Drop INVALID packets immediately

    $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet:"
    $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

    # Then check the tcp packets for additional problems
    $IPT -A bad_packets -p tcp -j bad_tcp_packets

    # All good, so return
    $IPT -A bad_packets -p ALL -j RETURN

    # bad_tcp_packets chain
    #
    # All tcp packets will traverse this chain.
    # Every new connection attempt should begin with
    # a syn packet. If it doesn't, it is likely a
    # port scan. This drops packets in state
    # NEW that are not flagged as syn packets.

    # Return to the calling chain if the bad packets originate
    # from the local interface. This maintains the approach
    # throughout this firewall of a largely trusted internal
    # network.
    $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE1 -j RETURN
    $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE2 -j RETURN

    # However, I originally did apply this filter to the forward chain
    # for packets originating from the internal network. While I have
    # not conclusively determined its effect, it appears to have the
    # interesting side effect of blocking some of the ad systems.
    # Apparently some ad systems have the browser initiate a NEW
    # connection that is not flagged as a syn packet to retrieve
    # the ad image. If you wish to experiment further comment the
    # rule above. If you try it, you may also wish to uncomment the
    # rule below. It will keep those packets from being logged.
    # There are a lot of them.
    # $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE1 ! --syn -m state \
    # --state NEW -j DROP

    #$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    # --log-prefix "New not syn:"
    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

    # All good, so return
    $IPT -A bad_tcp_packets -p tcp -j RETURN

    # icmp_packets chain
    #
    # This chain is for inbound (from the Internet) icmp packets only.
    # Type 8 (Echo Request) is not accepted by default
    # Enable it if you want remote hosts to be able to reach you.
    # 11 (Time Exceeded) is the only one accepted
    # that would not already be covered by the established
    # connection rule. Applied to INPUT on the external interface.
    #
    # See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
    # for more info on ICMP types.
    #
    # Note that the stateful settings allow replies to ICMP packets.
    # These rules allow new packets of the specified types.

    # Echo - uncomment to allow your system to be pinged.
    # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

    # Time Exceeded
    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

    # Not matched, so return so it will be logged
    $IPT -A icmp_packets -p ICMP -j RETURN

    # TCP & UDP
    # Identify ports at:
    # http://www.chebucto.ns.ca/~rakerman/port-table.html
    # http://www.iana.org/assignments/port-numbers

    # udp_inbound chain
    #
    # This chain describes the inbound UDP packets it will accept.
    # It's applied to INPUT on the external or Internet interface.
    # Note that the stateful settings allow replies.
    # These rules are for new requests.
    # It drops netbios packets (windows) immediately without logging.

    # Drop netbios calls
    # Please note that these rules do not really change the way the firewall
    # treats netbios connections. Connections from the localhost and
    # internal interface (if one exists) are accepted by default.
    # Responses from the Internet to requests initiated by or through
    # the firewall are also accepted by default. To get here, the
    # packets would have to be part of a new request received by the
    # Internet interface. You would have to manually add rules to
    # accept these. I added these rules because some network connections,
    # such as those via cable modems, tend to be filled with noise from
    # unprotected Windows machines. These rules drop those packets
    # quickly and without logging them. This prevents them from traversing
    # the whole chain and keeps the log from getting cluttered with
    # chatter from Windows systems.
    # Port 137 used for NetBios networking browsing
    # Port 138 used for NetBios name service
    # Port 139 used for files and printer sharing and other operations
    # Port 445 used by Windows 2000/XP when NetBios over TCP/IP is disabled
    # Port 901 used by SWAT
    $IPT -A udp_inbound -p UDP -s 0/0 --dport 137 -j DROP
    $IPT -A udp_inbound -p UDP -s 0/0 --dport 138 -j DROP

    #
    # Permite o trafego na porta 5000 para o OpenVPN
    #
    #$IPT -A udp_inbound -p UDP --sport 3000 -j ACCEPT
    #$IPT -A udp_inbound -p UDP --sport 5000 -j ACCEPT

    $IPT -A INPUT -p UDP --dport 5000 -j ACCEPT

    #$IPT -A OUTPUT -p UDP --dport 5000 -j ACCEPT
    #$IPT -A FORWARD -p UDP --dport 5000 -j ACCEPT

    #
    # Trafego de pacotes dos dispositivos TUN/TAP
    # para uso do OpenVPN
    #
    #/usr/sbin/iptables -A INPUT -i tun+ -j ACCEPT
    #/usr/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
    #/usr/sbin/iptables -A INPUT -i tap+ -j ACCEPT
    #/usr/sbin/iptables -A FORWARD -i tap+ -j ACCEPT

    /usr/sbin/iptables -A INPUT -i tun0 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -i tun0 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -s 192.168.8.0/24 -d 192.168.1.0/24 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -d 192.168.8.0/24 -s 192.168.1.0/24 -j ACCEPT

    # DNS Server
    # Configure the server to use port 53 as the source port for requests
    # Note, if you run a caching-only name server that only accepts queries
    # from the private network or localhost, you can comment out this line.
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT

    # If you don't query-source the server to port 53 and you have problems,
    # uncomment this rule. It specifically allows responses to queries
    # initiated to another server from a high UDP port. The stateful
    # connection rules should handle this situation, though.
    # $IPT -A udp_inbound -p UDP -s 0/0 --source-port 53 -j ACCEPT

    # External DHCP Server
    # Allow DHCP client request packets inbound from external network
    #$IPT -A udp_inbound -p UDP -s 0/0 --source-port 68 --destination-port 67 \
    # -j ACCEPT

    # Not matched, so return for logging
    $IPT -A udp_inbound -p UDP -j RETURN

    # udp_outbound chain
    #
    # This chain is used with a private network to prevent forwarding for
    # UDP requests on specific protocols. Applied to the FORWARD rule from
    # the internal network. Ends with an ACCEPT


    # No match, so ACCEPT
    $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

    # tcp_inbound chain
    #
    # This chain is used to allow inbound connections to the
    # system/gateway. Use with care. It defaults to none.
    # It's applied on INPUT from the external or Internet interface.

    # DOCSIS compliant cable modems
    # Some DOCSIS compliant cable modems send IGMP multicasts to find
    # connected PCs. The multicast packets have the destination address
    # 224.0.0.1. You can accept them. If you choose to do so,
    # Uncomment the rule to ACCEPT them and comment the rule to DROP
    # them The firewall will drop them here by default to avoid
    # cluttering the log
    # Drop them without logging.
    $IPT -A tcp_inbound -p TCP -d 224.0.0.1 -j DROP
    # The rule to accept the packets.
    # $IPT -A tcp_inbound -p TCP -d 224.0.0.1 -j ACCEPT

    # $IPT -A tcp_inbound -p TCP -d 172.17.10.10/32 -j ACCEPT

    # DNS Server - Allow TCP connections (zone transfers and large requests)
    # This is disabled by default. DNS Zone transfers occur via TCP.
    # If you need to allow transfers over the net you need to uncomment this line.
    # If you allow queries from the 'net, you also need to be aware that although
    # DNS queries use UDP by default, a truncated UDP query can legally be
    # submitted via TCP instead. You probably will never need it, but should
    # be aware of the fact.
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j ACCEPT

    #Porta 6881 BitTorrent
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6881 -j ACCEPT

    # Web Server

    # HTTP
    # $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

    # HTTPS (Secure Web Server)
    # $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT

    # FTP Server (Control)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT

    # FTP Client (Data Port for non-PASV transfers)
    # $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT

    # Email Server (SMTP)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

    # Email Server (POP3)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT

    # Email Server (SPOP3)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT

    # Email Server (IMAP4)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

    # Email Server (IMAPS)
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT

    # sshd
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

    # Not matched, so return so it will be logged
    $IPT -A tcp_inbound -p TCP -j RETURN

    # tcp_outbound chain
    #
    # This chain is used with a private network to prevent forwarding for
    # requests on specific protocols. Applied to the FORWARD rule from
    # the internal network. Ends with an ACCEPT


    # No match, so ACCEPT
    # $IPT -A tcp_outbound -p TCP -s 0/0 -j DROP

    # Drop www
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 80 -j DROP
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 443 -j DROP

    # FTP Server(FTP)
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 21 -j ACCEPT
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 20 -j ACCEPT

    # Email Server (SMTP)
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 25 -j ACCEPT

    # Email Server (POP3)
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 110 -j ACCEPT

    # Email Server (SPOP3)
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 995 -j ACCEPT

    # Email Server (IMAP4)
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 143 -j ACCEPT

    # Email Server (IMAPS)
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 993 -j ACCEPT

    # sshd
    $IPT -A tcp_outbound -p TCP -d 0/0 --destination-port 22 -j ACCEPT

    $IPT -A tcp_outbound -p TCP -d 0/0 -j RETURN

    ###############################################################################
    #
    # INPUT Chain
    #

    #echo "Process INPUT chain ..."

    echo "Processa as regras INPUT !!! ... "

    # Allow all on localhost interface
    $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

    # Drop bad packets
    $IPT -A INPUT -p ALL -j bad_packets

    # Rules for the private network (accessing gateway system itself)
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE1 -s $LOCAL_NET1 -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE2 -s $LOCAL_NET2 -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE1 -d $LOCAL_BCAST1 -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE2 -d $LOCAL_BCAST2 -j ACCEPT

    # Allow DHCP client request packets inbound from internal network
    #$IPT -A INPUT -p UDP -i $LOCAL_IFACE1 --source-port 68 --destination-port 67 \
    # -j ACCEPT


    # Inbound Internet Packet Rules

    $IPT -A INPUT -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --sport 53 -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -p udp --sport 53 -j ACCEPT
    # Accept Established Connections
    $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

    # Route the rest to the appropriate user chain
    $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
    $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
    $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

    # Drop without logging broadcasts that get this far.
    # Cuts down on log clutter.
    # Comment this line if testing new rules that impact
    # broadcast protocols.
    $IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP

    #
    # Log packets that still don't match
    #$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    # --log-prefix "INPUT packet died: "

    ###############################################################################
    #
    # FORWARD Chain
    #

    #echo "Process FORWARD chain ..."

    echo "Processa as regras FORWARD !!! ... "

    # Used if forwarding for a private network

    # Drop bad packets$IPT -A FORWARD -p ALL -j bad_packets

    # Accept TCP packets we want to forward from internal sources
    $IPT -A FORWARD -p tcp -i $LOCAL_IFACE1 -j tcp_outbound
    $IPT -A FORWARD -p tcp -i $LOCAL_IFACE2 -j tcp_outbound
    $IPT -A FORWARD -p tcp -o $LOCAL_IFACE1 -j tcp_outbound
    $IPT -A FORWARD -p tcp -o $LOCAL_IFACE2 -j tcp_outbound

    # Accept UDP packets we want to forward from internal sources
    $IPT -A FORWARD -p udp -i $LOCAL_IFACE1 -j udp_outbound
    $IPT -A FORWARD -p udp -i $LOCAL_IFACE2 -j udp_outbound
    $IPT -A FORWARD -p udp -o $LOCAL_IFACE1 -j udp_outbound
    $IPT -A FORWARD -p udp -o $LOCAL_IFACE2 -j udp_outbound

    # If not blocked, accept any other packets from the internal interface
    $IPT -A FORWARD -p ALL -i $LOCAL_IFACE1 -j ACCEPT
    $IPT -A FORWARD -p ALL -i $LOCAL_IFACE2 -j ACCEPT
    $IPT -A FORWARD -p ALL -o $LOCAL_IFACE1 -j ACCEPT
    $IPT -A FORWARD -p ALL -o $LOCAL_IFACE2 -j ACCEPT

    # Deal with responses from the internet
    $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \

    #
    # Log packets that still don't match
    #$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    # --log-prefix "FORWARD packet died: "


    ###############################################################################
    #
    # OUTPUT Chain
    #

    #echo "Process OUTPUT chain ..."

    echo "Processa as regras OUTPUT !!! ... "

    # Generally trust the firewall on output
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport 53 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p udp --sport 53 -j ACCEPT

    # However, invalid icmp packets need to be dropped
    # to prevent a possible exploit.
    $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

    # Localhost
    $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

    # To internal network
    $IPT -A OUTPUT -p ALL -s $LOCAL_IP1 -j ACCEPT
    $IPT -A OUTPUT -p ALL -s $LOCAL_IP2 -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE1 -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE2 -j ACCEPT

    # To internet
    $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

    #
    # Log packets that still don't match
    #$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    # --log-prefix "OUTPUT packet died: "

    ###############################################################################
    #
    # nat table
    #
    ###############################################################################

    # The nat table is where network address translation occurs if there
    # is a private network. If the gateway is connected to the Internet
    # with a static IP, snat is used. If the gateway has a dynamic address,
    # masquerade must be used instead. There is more overhead associated
    # with masquerade, so snat is better when it can be used.
    # The nat table has a builtin chain, PREROUTING, for dnat and redirects.
    # Another, POSTROUTING, handles snat and masquerade.

    #echo "Load rules for nat table ..."

    echo "Carrega as regras para Tabela NAT !!! ... "

    ###############################################################################
    #
    # PREROUTING chain
    #


    #$IPT -t nat -A PREROUTING -d $INET_ADDRESS \
    # -p udp -m udp --dport 4662 -j DNAT --to-destination 192.168.100.150

    #$IPT -t nat -A PREROUTING -d $INET_ADDRESS \
    # -p udp -m udp --dport 4663 -j DNAT --to-destination 192.168.100.150


    ###############################################################################
    #
    # POSTROUTING chain
    #

    $IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS


    ###############################################################################
    #
    # mangle table
    #
    ###############################################################################

    # The mangle table is used to alter packets. It can alter or mangle them in
    # several ways. For the purposes of this generator, we only use its ability
    # to alter the TTL in packets. However, it can be used to set netfilter
    # mark values on specific packets. Those marks could then be used in another
    # table like filter, to limit activities associated with a specific host, for
    # instance. The TOS target can be used to set the Type of Service field in
    # the IP header. Note that the TTL target might not be included in the
    # distribution on your system. If it is not and you require it, you will
    # have to add it. That may require that you build from source.

    #echo "Load rules for mangle table ..."

    echo "Carrega as regras para Tabela Mangle !!! ... "

    # Set the TTL in outbound packets to the same consistent value.
    # A value around 128 is a good value. Do not set this too high as
    # it will adversely affect your network. It is also considered bad
    # form on the Internet.
    # $IPT -t mangle -A OUTPUT -o $INET_IFACE -j TTL --ttl-set 128


    Desculpe-me pessoal, pelo texto muito longo. Se os nossos moderadores acharem que é inconveniente enviar texto longo assim, pode trancar o tópico ....

  2. #2
    Visitante

    Padrão Firewall com IP Tables

    Olá,

    Seu problema provavelmente está relacionado com o fato de ter passado de um kernel 2.4 para um 2.6, já que o iptables é um firewall inplementado diretamente no kernel do linux.

    Onde eu trabalho eu configurei um gateway fazendo NAT com squid e tudo funciona perfeitamente. É sabido que as vezes o proxy tem alguns problemas com autenticação em sites de bancos, mas isso deve ser resolvido dizendo-se ao squid para não fazer cache dos bancos que derem problema. Desculpe mas isso eu ainda não sei fazer, e ninguém aqui teve esse problema ainda. Mas copiar o arquivo de configuração do squid não deve trazer problemas, principalmente se esse conectiva 8 está com os pacotes atualizados.

    O que pega mesmo é o iptables, mas acho que consertar esse script de configuração não vale a pena, mesmo porque pelos comentários em inglês é possível pressupor que não foram os caras dessa empresa que instalou o servidor que criaram o script. Quem garante que esse script não foi gerado automaticamente por algum utilitário de configuração?

    O que eu lhe recomendo é começar a configuração do zero, e isso é bem mais fácil do que parece.

    Primeiramente eu lhe recomendo o ipkungfu, que é o que uso, ele ta meio velhinho mas ainda funciona bem, mesmo em meu Debian Sarge Kernel 2.6.8 compilado por mim.
    Você pode pega-lo em:
    www.linuxkungfu.org

    Outra ferramenta interessante é o Webmin, que a propósito também configura o squid, não usei ainda mas recomendo esse por ser bem suportado, já que é um projeto grande. Em breve eu pretendo dar uma boa fuçada nele, se eu for bem sucedido passarei a usa-lo ao invés do ipkungfu.
    www.webmin.com

    E outra ferramenta que encontrei que pode ser bem interessante é esse pacote de scripts do Daniel Robins, o criador do Gentoo. (Não use o Gentoo se você não quer correr o risco de abandonar o Conectiva, mas é uma ótima distribuição pra quem pretende aprender linux mais a fundo)
    Aí vai o link.
    http://geocities.yahoo.com.br/cesara...firewalls.html

    Certo?

    Espero ter ajudado.

    []'s