Iptables mata bind

**Bruno** · 15-10-2004, 20:37

galera me ajudem!!!!!
eu pegei um script de firewall do nosso amigo fdotta

ele tá funcionando perfeitamente porem quando eu inicio o firewall ele mata o bind ou seja o dns não resolve os nomes para fora da rede ou melhor ele não resolve nomes pois o email continua funcionando
ele não funciona no registro.br
alguem pode me ajuda
segue abaixo os script
#! /bin/sh
# ************************************************************
# * -=- Configuracao do FIREWALL -=- *
# * *
# * Criado por: Fernando Dotta *
# * Ultima Mod.: 05/05/2004 *
# * *
# * Adaptadores de Rede *
# * ------------------- *
# * *
# * eth0: rede externa (internet) *
# * eth3: rede interna (nvfra.net) *
# * eth1: servidor apache (www) - nao implementado *
# * *
# ************************************************************
. /firewall/firewall.conf
IPTABLES="/usr/sbin/iptables"

INTERNAL_INTERFACE="eth0"
EXTERNAL_INTERFACE_1="eth1"
LAN="10.0.0.0/24"

# -=- [ Carrega os Modulos ] -=-
depmod -a
modprobe ip_tables
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_conntrack
modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_MASQUERADE

# -=- [ Pega numero do IP do Speedy ] -=-

#preip=`ip -4 addr list ppp0 | awk '{print $2}'`
#IP=`echo $preip | awk '{print $2}'`

# -=- [ Apaga todas as resgras do Firewall ] -=-
$IPTABLES -F
$IPTABLES -Z
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# -=- [ Protecao de entrada (INPUT) ] -=-
$IPTABLES -I INPUT -i lo -j ACCEPT
$IPTABLES -I OUTPUT -o lo -j ACCEPT
$IPTABLES -I INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -i $INTERNAL_INTERFACE -j ACCEPT
# $IPTABLES -A INPUT -s 10.0.0.0/8 -i $INTERNAL_INTERFACE -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -i $INTERNAL_INTERFACE -j DROP
# $IPTABLES -A INPUT -s 192.168.0.0/16 -i $INTERNAL_INTERFACE -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/4 -i $INTERNAL_INTERFACE -j DROP
$IPTABLES -A INPUT -s 240.0.0.0/5 -i $INTERNAL_INTERFACE -j DROP

# -=- [ Regras Gerais do Firewall ] -=-
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i $INTERNAL_INTERFACE -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i $EXTERNAL_INTERFACE_1 -j ACCEPT

# -=- [ Servicos Externos Permitidos na interface 1 ] -=-
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p tcp --dport 23 -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p tcp --dport 443 -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p tcp --dport 6881 -j ACCEPT

# -=- [ Protecoes Extras ] -=-
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 135 -i $INTERNAL_INTERFACE -j REJECT
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP
#
# OBS: [ Protecoes Extras ] 1) protecao contra pacotes indesejaveis
# 2) protecao contra syn-flood
# 3) protecao contra ping da morte
# 4) protecao contra worms
# 5-8) protecao contra IP spoofing

# -=- [ Portas Bloqueadas (MSN) ] -=-
# $IPTABLES -A FORWARD -s LAN -p tcp --dport 1863 -j REJECT
# $IPTABLES -A FORWARD -s LAN -d loginnet.passport.com -j REJECT
#
# -=- [ Portas Bloqueadas (MSN) ] -=-
# $IPTABLES -A FORWARD -s LAN -d webmessenger.msn.com -j REJECT
#
# -=- [ Liberacao do VPN ] -=-
# $IPTABLES -A INPUT -p udp -i $EXTERNAL_INTERFACE_1 --sport 500 --dport 500 -j ACCEPT
# $IPTABLES -A OUTPUT -p udp -o $EXTERNAL_INTERFACE_1 --sport 500 --dport 500 -j ACCEPT
# $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
# $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# $IPTABLES -A INPUT -p 50 -i $EXTERNAL_INTERFACE_1 -j ACCEPT
# $IPTABLES -A OUTPUT -p 50 -o $EXTERNAL_INTERFACE_1 -j ACCEPT
# $IPTABLES -A INPUT -p 50 -j ACCEPT
# $IPTABLES -A OUTPUT -p 50 -j ACCEPT
# $IPTABLES -A FORWARD -d $LOCALNET -j ACCEPT
# $IPTABLES -A FORWARD -s $LOCALNET -i $INTERNAL_INTERFACE -j ACCEPT

# -=- [ Roteamento da REDE ] -=-
$IPTABLES -A INPUT -j DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE_1 -o $INTERNAL_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE_1 -j ACCEPT
# $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE_1 -j SNAT --to $IP
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE_1 -j MASQUERADE

# -=- [ Logs ] -=-
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW syn: "
$IPTABLES -A INPUT -p tcp --dport 21 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
$IPTABLES -A INPUT -p tcp --dport 23 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
$IPTABLES -A INPUT -p tcp --dport 25 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
$IPTABLES -A INPUT -p tcp --dport 80 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
$IPTABLES -A INPUT -p tcp --dport 110 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
$IPTABLES -A INPUT -p udp --dport 111 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
$IPTABLES -A INPUT -p tcp --dport 113 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
$IPTABLES -A INPUT -p tcp --dport 137:139 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
$IPTABLES -A INPUT -p udp --dport 137:139 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
$IPTABLES -A INPUT -p tcp --dport 161:162 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
$IPTABLES -A INPUT -p tcp --dport 6667:6668 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
$IPTABLES -A INPUT -p tcp --dport 3128 -i $EXTERNAL_INTERFACE_1 -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "

# -=- [ Diminuindo DELAY de sevicos especiaisi ] -=-
$IPTABLES -t mangle -A INPUT -p tcp --dport 22 -j TOS --set-to Minimize-Delay

$IPTABLES -t mangle -A INPUT -p tcp --dport 21 -j TOS --set-to Minimize-Delay

desde ja agradeço

**Bruno** · 15-10-2004, 22:40

galera consegui
adicionei a seguite regra
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p udp --dport 53 -j ACCEPT

bouncer · 15-10-2004, 22:44

Agora vai

IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p tcp --dport 53 -j ACCEPT

IPTABLES -A INPUT -i $EXTERNAL_INTERFACE_1 -s 0/0 -p udp --dport 53 -j ACCEPT

**Bruno** · 20-10-2004, 17:42

na verdade naum é nada destar regras é que no /etc/resolv.conf
o nameserver eu tava colocando o ip externo
mudei para o localhost 127.0.0.1

e ficou 10

garupeiro · 20-10-2004, 19:24

vc achando que o problema era uma coisa complicada e era uma coisa tao simples q as vezes acabamos esquecendo disso!!!

eu sempre começo do facil para o dificl quando alguma coisa ta errado (tbm depois de apanha muitas vezes) 8)

Iptables mata bind

Ferramentas de Tópicos