Problemas com regras de Firewall

Felipe_ · 24-08-2004, 15:21

eae pessoal....
é o seguinte...

estou com as seguintes regras do firewall de meu pc particular..

iptables -F
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -limit 3/min
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -limit-burst 3 -j LOG
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -syn -j LOG
iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j LOG
iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 20 -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 21 -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 25 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 22 -j LOG
iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
iptables -A INPUT -p tcp --dport 1024 -j LOG

mas quando dou o comando ./rc.local para carregar esse arquivo que contem as regras aparece isso :

[root@Felipe rc.d]# ./rc.local
iptables v1.2.9: multiple -i flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: multiple -i flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: multiple -s flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

pq aparece "flags not allowed" ?????

e quando dou o comando iptables -L -v para ver as regras vejo que estao faltando 2 regras .....

[root@Felipe rc.d]# iptables -L -v
Chain INPUT (policy ACCEPT 16308 packets, 5242K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- any any anywhere anywhere
0 0 LOG icmp -- any any anywhere anywhere LOG level warning
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 LOG tcp -- any any anywhere anywhere tcp dpt:ssh LOG level warning
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:1024
0 0 LOG tcp -- any any anywhere anywhere tcp dpt:1024 LOG level warning

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 17042 packets, 1567K bytes)
pkts bytes target prot opt in out source destination

pq as primeiras nao entraram ???
alguem poderia me ajudar ???

Obrigado. :wink:

**1c3m4n** · 24-08-2004, 16:34

coloque --limit ao inves de -limit

Felipe_ · 24-08-2004, 16:57

e no caso pq aparece esse "flags not allowed" ? e a letra antes.

**1c3m4n** · 24-08-2004, 16:59

ops num tinha visto essa

eh --syn e nao -syn

Felipe_ · 24-08-2004, 17:03

agora ta aparecendo isso:

[root@Felipe rc.d]# ./rc.local
iptables v1.2.9: Unknown arg `--limit'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--limit-burst'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

**1c3m4n** · 24-08-2004, 18:11

bom sao varias regras com problema....
vai executadando uma por uma pra achar o erro

Felipe_ · 24-08-2004, 18:27

root@Felipe rc.d]# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --limit 3/min
iptables v1.2.9: Unknown arg `--limit'
Try `iptables -h' or 'iptables --help' for more information.
[root@Felipe rc.d]# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -limit 3/min
iptables v1.2.9: multiple -i flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

[root@Felipe rc.d]# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --limit-burst 3 -j LOG
iptables v1.2.9: Unknown arg `--limit-burst'
Try `iptables -h' or 'iptables --help' for more information.
[root@Felipe rc.d]# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -limit-burst 3 -j LOG
iptables v1.2.9: multiple -i flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

[root@Felipe rc.d]# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --syn -j LOG
[root@Felipe rc.d]#

[root@Felipe rc.d]# iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j DROP
[root@Felipe rc.d]#

[root@Felipe rc.d]# iptables -A INPUT -s 0/0 -d 0/0 -p icmp -j LOG
[root@Felipe rc.d]#

[root@Felipe rc.d]# iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 20 -j DROP
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

[root@Felipe rc.d]# iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 21 -j DROP
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

[root@Felipe rc.d]# iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 25 -j DROP
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

[root@Felipe rc.d]# iptables -A INPUT -p tcp --dport 22 -j LOG
[root@Felipe rc.d]#

[root@Felipe rc.d]# iptables -A INPUT -p tcp --dport 22 -j DROP
[root@Felipe rc.d]#

[root@Felipe rc.d]# iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
[root@Felipe rc.d]#

[root@Felipe rc.d]# iptables -A INPUT -p tcp --dport 1024 -j LOG
[root@Felipe rc.d]#

**1c3m4n** · 24-08-2004, 18:34

[root@Felipe rc.d]# iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 20 -j DROP
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
[root@Felipe rc.d]# iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 21 -j DROP
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
[root@Felipe rc.d]# iptables -A INPUT -s 0/0 -d 0/0 -p tcp -dport 25 -j DROP
iptables v1.2.9: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

eh tudo --dport ai em cima e nao -dport

Felipe_ · 24-08-2004, 19:28

obrigado ic3_m4n

agora só mais uma coisa.....
adicionei mais alguns comandos...
quando dou o comando ./rc.local aparece isso

iptables v1.2.9: Couldn't load match `ultiport':/lib/iptables/libipt_ultiport.so: cannot open shared object file: No such file or directory

mas quando entro no /lib/iptables/
esse arquivo libipt_ultiport.so esta como libipt_multiport.so
pq ele esta lendo o nome errado ?? e ai nao consegue executar o comando....
tem como fazer ele ler o nome certo ?

Obrigado.

Felipe_ · 24-08-2004, 19:54

estou usando este comando que da aquele erro...

iptables -A INPUT -p tcp --multiport --destination-port 135,137,138,139 -j LOG
iptables -A INPUT -p udp --multiport --destination-port 137,138,139 -j LOG

Existe algum outro comando alem desse para registrar as tentativas de análise nas portas padrão em redes Microsoft ??

Obrigado.

ops:

Problemas com regras de Firewall

Ferramentas de Tópicos