+ Responder ao Tópico



  1. #1
    rafaelmontek
    Visitante

    Padrão não acha eth1

    Meu pc tem duas placas de rede...

    eth0 Link encap:Ethernet Endereço de HW 00:E0:7D:B5:63:86
    inet end.: 192.168.254.3 Bcast:192.168.254.255 Masc:255.255.255.0
    endereço inet6: fe80::2e0:7dff:feb5:6386/64 Escopo:Link


    eth1 Link encap:Ethernet Endereço de HW 00:90:27:79:22:72
    inet end.: 192.168.1.4 Bcast:192.168.1.255 Masc:255.255.255.0
    endereço inet6: fe80::290:27ff:fe79:2272/64 Escopo:Link

    e quando eu starto meu script ele da os seguintes erros...

    iptables: Unknown error 4294967295
    iptables: Unknown error 4294967295
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.


    meu script...

    #!/bin/sh

    # Variáveis
    # -------------------------------------------------------
    iptables=/sbin/iptables
    IF_EXTERNA=eth0
    IF_INTERNA=eth1


    # Ativa módulos
    # -------------------------------------------------------
    #/sbin/modprobe iptable_nat
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_MASQUERADE


    # Ativa roteamento no kernel
    # -------------------------------------------------------
    echo "1" > /proc/sys/net/ipv4/ip_forward


    # Proteção contra IP spoofing
    # -------------------------------------------------------
    #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter


    # Zera regras
    # -------------------------------------------------------
    $iptables -F
    $iptables -X
    $iptables -F -t nat
    $iptables -X -t nat
    $iptables -F -t mangle
    $iptables -X -t mangle


    # Determina a política padrão
    # -------------------------------------------------------
    $iptables -P INPUT DROP
    $iptables -P OUTPUT DROP
    $iptables -P FORWARD DROP


    #################################################
    # Tabela FILTER
    #################################################


    # Dropa pacotes TCP indesejáveis
    # -------------------------------------------------------
    $iptables -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
    $iptables -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP


    # Dropa pacotes mal formados
    # -------------------------------------------------------
    $iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: pac mal formado: "
    $iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP


    # Aceita os pacotes que realmente devem entrar
    # -------------------------------------------------------
    $iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
    $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
    $iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


    # Proteção contra trinoo
    # -------------------------------------------------------
    $iptables -N TRINOO
    $iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
    $iptables -A TRINOO -j DROP
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO


    # Proteção contra tronjans
    # -------------------------------------------------------
    $iptables -N TROJAN
    $iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
    $iptables -A TROJAN -j DROP
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN


    # Proteção contra worms
    # -------------------------------------------------------
    $iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT


    # Proteção contra syn-flood
    # -------------------------------------------------------
    $iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT


    # Proteção contra ping da morte
    # -------------------------------------------------------
    $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


    # Proteção contra port scanners
    # -------------------------------------------------------
    $iptables -N SCANNER
    $iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
    $iptables -A SCANNER -j DROP
    $iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER


    # Loga tentativa de acesso a determinadas portas
    # -------------------------------------------------------
    $iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
    $iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
    $iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
    $iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
    $iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
    $iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
    $iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
    $iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
    $iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
    $iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
    $iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
    $iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "


    # Libera acesso externo a determinadas portas
    # -------------------------------------------------------
    $iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j ACCEPT


    #################################################
    # Tabela NAT
    #################################################


    #Ativa mascaramento de saída
    # -------------------------------------------------------
    $iptables -t filter -A FORWARD -d 0/0 -s $IF_INTERNA -o $IF_EXTERNA -j ACCEPT
    $iptables -t filter -A FORWARD -d $IF_INTERNA -s 0/0 -i $IF_EXTERNA -j ACCEPT
    $iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE
    $iptables -t filter -A INPUT -s $IF_INTERNA -d 0/0 -j ACCEPT
    $iptables -t filter -A OUTPUT -d $IF_INTERNA -s 0/0 -j ACCEPT



    #Proxy Transparente
    # -------------------------------------------------------
    #$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 2000



  2. #2
    mhp
    Visitante

    Padrão Re: não acha eth1

    Achei uns erros no seu script, os parâmetros -d (--destination) e -s (--source) devem ser aplicados a endereços e não a interfaces:

    Citação Postado originalmente por rafaelmontek

    #Ativa mascaramento de saída
    # -------------------------------------------------------
    $iptables -t filter -A FORWARD -d 0/0 -s $IF_INTERNA -o $IF_EXTERNA -j ACCEPT
    $iptables -t filter -A FORWARD -d $IF_INTERNA -s 0/0 -i $IF_EXTERNA -j ACCEPT
    $iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE
    $iptables -t filter -A INPUT -s $IF_INTERNA -d 0/0 -j ACCEPT
    $iptables -t filter -A OUTPUT -d $IF_INTERNA -s 0/0 -j ACCEPT
    Troque o -d por -o e o -s por -i, vai ficar assim:
    Código :
    #Ativa mascaramento de saída
    # -------------------------------------------------------
    $iptables -t filter -A FORWARD -d 0/0 -i $IF_INTERNA -o $IF_EXTERNA -j ACCEPT
    $iptables -t filter -A FORWARD -o $IF_INTERNA -s 0/0 -i $IF_EXTERNA -j ACCEPT
    $iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE
    $iptables -t filter -A INPUT -i $IF_INTERNA -d 0/0 -j ACCEPT
    $iptables -t filter -A OUTPUT -o $IF_INTERNA -s 0/0 -j ACCEPT

    Se quiser depurar melhor o script, insira na segunda linha:
    Código :
    set -x
    vai dar para ver quais linhas estão gerando erro.



  3. #3

    Padrão Re: não acha eth1

    referente a esse erro:

    ptables: Unknown error 4294967295
    ptables: Unknown error 4294967295
    ptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    #ptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    #ptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    vi que vc ta usando o ipt 1.3.5 com certeza vc deve estar usando o kernel 2.4, nao que o ipt nao funcione no kernel 2.4 mas vc precisa recompilalo verifique artigos na under sobre isso