


  1. #1
    rafaelmontek
    My PC has two network cards...

    eth0 Link encap:Ethernet Endereço de HW 00:E0:7D:B5:63:86
    inet end.: 192.168.254.3 Bcast:192.168.254.255 Masc:255.255.255.0
    endereço inet6: fe80::2e0:7dff:feb5:6386/64 Escopo:Link


    eth1 Link encap:Ethernet Endereço de HW 00:90:27:79:22:72
    inet end.: 192.168.1.4 Bcast:192.168.1.255 Masc:255.255.255.0
    endereço inet6: fe80::290:27ff:fe79:2272/64 Escopo:Link

    and when I start my script it gives the following errors...

    iptables: Unknown error 4294967295
    iptables: Unknown error 4294967295
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.


    my script...

    #!/bin/sh

    # Variables
    # -------------------------------------------------------
    iptables=/sbin/iptables
    IF_EXTERNA=eth0
    IF_INTERNA=eth1


    # Load modules
    # -------------------------------------------------------
    #/sbin/modprobe iptable_nat
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_MASQUERADE


    # Enable routing in the kernel
    # -------------------------------------------------------
    echo "1" > /proc/sys/net/ipv4/ip_forward


    # Protection against IP spoofing
    # -------------------------------------------------------
    #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter


    # Flush rules
    # -------------------------------------------------------
    $iptables -F
    $iptables -X
    $iptables -F -t nat
    $iptables -X -t nat
    $iptables -F -t mangle
    $iptables -X -t mangle


    # Set the default policy
    # -------------------------------------------------------
    $iptables -P INPUT DROP
    $iptables -P OUTPUT DROP
    $iptables -P FORWARD DROP


    #################################################
    # FILTER table
    #################################################


    # Drop unwanted TCP packets
    # -------------------------------------------------------
    $iptables -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
    $iptables -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP


    # Drop malformed packets
    # -------------------------------------------------------
    $iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: pac mal formado: "
    $iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP


    # Accept the packets that really should come in
    # -------------------------------------------------------
    $iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
    $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
    $iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


    # Protection against trinoo
    # -------------------------------------------------------
    $iptables -N TRINOO
    $iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
    $iptables -A TRINOO -j DROP
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO


    # Protection against trojans
    # -------------------------------------------------------
    $iptables -N TROJAN
    $iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
    $iptables -A TROJAN -j DROP
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
    $iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN


    # Protection against worms
    # -------------------------------------------------------
    $iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT


    # Protection against syn-flood
    # -------------------------------------------------------
    $iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT


    # Protection against ping of death
    # -------------------------------------------------------
    $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


    # Protection against port scanners
    # -------------------------------------------------------
    $iptables -N SCANNER
    $iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
    $iptables -A SCANNER -j DROP
    $iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
    $iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER


    # Log access attempts to certain ports
    # -------------------------------------------------------
    $iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
    $iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
    $iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
    $iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
    $iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
    $iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
    $iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
    $iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
    $iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
    $iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
    $iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
    $iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "


    # Allow external access to certain ports
    # -------------------------------------------------------
    $iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j ACCEPT


    #################################################
    # NAT table
    #################################################


    # Enable outbound masquerading
    # -------------------------------------------------------
    $iptables -t filter -A FORWARD -d 0/0 -s $IF_INTERNA -o $IF_EXTERNA -j ACCEPT
    $iptables -t filter -A FORWARD -d $IF_INTERNA -s 0/0 -i $IF_EXTERNA -j ACCEPT
    $iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE
    $iptables -t filter -A INPUT -s $IF_INTERNA -d 0/0 -j ACCEPT
    $iptables -t filter -A OUTPUT -d $IF_INTERNA -s 0/0 -j ACCEPT



    # Transparent proxy
    # -------------------------------------------------------
    #$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 2000



  2. #2
    mhp
    I found some errors in your script: the -d (--destination) and -s (--source) parameters must be applied to addresses, not to interfaces:

    Quote: Originally posted by rafaelmontek

    # Enable outbound masquerading
    # -------------------------------------------------------
    $iptables -t filter -A FORWARD -d 0/0 -s $IF_INTERNA -o $IF_EXTERNA -j ACCEPT
    $iptables -t filter -A FORWARD -d $IF_INTERNA -s 0/0 -i $IF_EXTERNA -j ACCEPT
    $iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE
    $iptables -t filter -A INPUT -s $IF_INTERNA -d 0/0 -j ACCEPT
    $iptables -t filter -A OUTPUT -d $IF_INTERNA -s 0/0 -j ACCEPT
    Swap -d for -o and -s for -i; it will look like this:
    Code:
    # Enable outbound masquerading
    # -------------------------------------------------------
    $iptables -t filter -A FORWARD -d 0/0 -i $IF_INTERNA -o $IF_EXTERNA -j ACCEPT
    $iptables -t filter -A FORWARD -o $IF_INTERNA -s 0/0 -i $IF_EXTERNA -j ACCEPT
    $iptables -t nat -A POSTROUTING -o $IF_EXTERNA -j MASQUERADE
    $iptables -t filter -A INPUT -i $IF_INTERNA -d 0/0 -j ACCEPT
    $iptables -t filter -A OUTPUT -o $IF_INTERNA -s 0/0 -j ACCEPT

    If you want to debug the script more easily, insert on the second line:
    Code:
    set -x
    and you will be able to see which lines are generating the error.
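Turning mhp's observation into a check, as an added example that is not code from the thread: a small POSIX shell script that lints an iptables script for -s/-d arguments that are really interface names (the cause of the "host/network `eth1' not found" errors), and prints a corrected masquerading block that matches on both the interface and the LAN prefix. It assumes the LAN behind eth1 is 192.168.1.0/24 (from the ifconfig output in post #1) and reuses rafaelmontek's IF_* variable names.

```shell
#!/bin/sh
# Added example, not code from the thread. It automates mhp's check: -s/-d
# (--source/--destination) take addresses, -i/-o take interfaces. Assumptions:
# the LAN behind eth1 is 192.168.1.0/24 (from the ifconfig output in post #1);
# the IF_* variable names follow rafaelmontek's script.

# Read an iptables script (file argument or stdin) and report every -s/-d
# argument that looks like an interface name or an $IF_* variable rather
# than an address or CIDR. Output: "<line>: <rule>". Exit 1 if any found.
lint_iptables_script() {
    awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(-s|-d|--source|--destination)$/) {
                    a = $(i + 1)
                    if (a ~ /^\$IF_/ || a ~ /^(eth|wlan|ppp|br|bond|tun|tap)[0-9]+$/) {
                        print NR ": " $0
                        bad = 1
                    }
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Emit a corrected masquerading block. Each rule matches on both interface
# and LAN prefix, so a packet arriving on the external interface with a LAN
# source address is not treated as internal, and inbound forwarding is
# limited to replies to connections the LAN opened.
gen_masq_rules() {
    ext="$1"; int="$2"; lan="$3"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $lan -o $ext -j MASQUERADE
iptables -A FORWARD -i $int -o $ext -s $lan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext -o $int -d $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $int -s $lan -j ACCEPT
iptables -A OUTPUT -o $int -d $lan -j ACCEPT
EOF
}

# Constructed sample: two lines from the original script and one correct one.
sample_script() {
    cat <<'EOF'
iptables -t filter -A FORWARD -d 0/0 -s $IF_INTERNA -o $IF_EXTERNA -j ACCEPT
iptables -t filter -A INPUT -s $IF_INTERNA -d 0/0 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
EOF
}

sample_script | lint_iptables_script || echo "fix the rules above before loading them"
```

Run it against a real script with `lint_iptables_script /path/to/firewall.sh`; the generated rules are printed, not loaded, so they can be reviewed before being piped to sh.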



  3. Regarding this error:

    iptables: Unknown error 4294967295
    iptables: Unknown error 4294967295
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.5: host/network `eth1' not found
    Try `iptables -h' or 'iptables --help' for more information.
    I saw that you are using ipt 1.3.5, so you must surely be running kernel 2.4. Not that ipt doesn't work on kernel 2.4, but you need to recompile it; check the articles on Under about that.
