IPTABLES está bloqueando a Internet

Iniciado por mackay, 15 de Janeiro de 2009, 17:21

tópico anterior - próximo tópico

mackay

Olá senhores, estou com um problema no script do meu IPTABLES. Quando eu "starto" ele a Internet pára de funcionar para a minha rede local, gostaria de saber dos senhores se eu errei em alguma regra ou esqueci de colocar alguma. Aí vai meu script.

#!/bin/bash
#############################################################################################
# VARIAVEIS
rede="10.155.89.0/24"
ethlocal="10.155.89.222"
ethinternet="200.139.0.221"
#############################################################################################
# VARIAVEIS DO IPTABLES

IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
#############################################################################################

function proc_configuration {
   
   echo 1 > /proc/sys/net/ipv4/ip_forward

   # Ignorando pacotes ICMP enviados por broadcast
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   # Desabilitando origem dos pacotes roteados
   for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > $i
   done
   # Enable TCP SYN Cookie Protection
   # echo 1 > /proc/sys/net/ipv4/tcp_syncookies
   # Disable ICMP Redirect Acceptance
   for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
      echo 0 > $i

   done
   # Don't send Redirects Messages
   for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
      echo 0 > $i
   done
   # Drop Spoofed Packets coming in on an interface, which if replied to,
   # would result in the reply going out a different interface
   for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $i
   done
   # Log packets with impossible addresses
   for i in /proc/sys/net/ipv4/conf/*/log_martians; do
      echo 1 > $i
   done
}

function load_modules {

   /sbin/depmod -a
   $MODPROBE ip_tables
   $MODPROBE ip_conntrack
   $MODPROBE iptable_filter
   $MODPROBE iptable_mangle
   $MODPROBE iptable_nat
   $MODPROBE ipt_LOG
   $MODPROBE ipt_limit
   $MODPROBE ipt_state

   $MODPROBE ip_nat_ftp
   $MODPROBE ipt_MASQUERADE
}

function stop_firewall {

   #Limpando regras das chains
   $IPTABLES --flush
   $IPTABLES -t nat --flush
   $IPTABLES -t mangle --flush

   #Removendo chains pre existentes
   $IPTABLES --delete-chain
   $IPTABLES -t nat --delete-chain
   $IPTABLES -t mangle --delete-chain

   #Setando politica padrao para todas as chains (ACCEPT)
   $IPTABLES -P INPUT ACCEPT
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -P FORWARD ACCEPT

   $IPTABLES -t mangle -P OUTPUT ACCEPT
   $IPTABLES -t mangle -P PREROUTING ACCEPT

   $IPTABLES -t nat -P OUTPUT ACCEPT
   $IPTABLES -t nat -P PREROUTING ACCEPT
   $IPTABLES -t nat -P POSTROUTING ACCEPT
}


function start_firewall {
#---------------------------------------------------------------------------------------
# CARREGANDO MODULOS

   load_modules
   proc_configuration
#----------------------------------------------------------------------------------------
# POLITICAS PADRAO
   
   #POLITICA PADRAO
   $IPTABLES -P INPUT DROP
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -P FORWARD DROP
   
   $IPTABLES -t nat -P OUTPUT ACCEPT
   $IPTABLES -t nat -P PREROUTING ACCEPT
   $IPTABLES -t nat -P POSTROUTING ACCEPT

   $IPTABLES -t mangle -P OUTPUT ACCEPT
   $IPTABLES -t mangle -P PREROUTING ACCEPT

#----------------------------------------------------------------------------------------
# REGRAS DE INPUT

   # REDE LOCAL
   $IPTABLES -A INPUT -i lo -j ACCEPT
   $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A INPUT -i $ethlocal -s $rede -j ACCEPT
echo "| Liberando regras de INPUT                  |"
#-------------------------------------------------------------------------------------
#echo "| Liberando Acesso ao Servidor WEB - Porta 80                             |"
#$IPTABLES -A INPUT -i $ethinternet -s $internet -p tcp --dport 80 -j ACCEPT

#echo "| Liberando Acesso ao Servidor WEB - Porta 443                            |"
#$IPTABLES -A INPUT -i $ethinternet -s $internet -p tcp --dport 443 -j ACCEPT

#echo "| Liberando Acesso ao Servidor ftp - Porta 21                             |"
#$IPTABLES -A INPUT -i $ethinternet -s $internet -p tcp --dport 21 -j ACCEPT

echo "| Liberando Acesso ao Servidor SSH - Porta 22            |"
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

echo "| Liberando Ping para Rede Local                  |"
$IPTABLES -A INPUT -s $rede -p ICMP -j ACCEPT

#---------------------------------------------------------------------------------------
# REGRAS DE FORWARD

# prioridade de roteamento
$IPTABLES -t mangle -A POSTROUTING -s $rede -o $ethinternet -j TOS --set-tos 16

echo "| Definindo regras de retorno de Forward               |"
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "| Ativando Mascaramento                                                   |"
# Primeiro, ativar o mascaramento (nat).

$IPTABLES -t nat -A POSTROUTING -o $ethinternet -s $rede -j MASQUERADE

$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i $ethlocal -p udp --dport 53 -j ACCEPT

#$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 6666:6669 -j ACCEPT

#----------------------------------------------------------------------------------------
# LIBERANDO PORTAS DE ACESSO DIVERSAS
#liberando msn
#$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 1863 -j ACCEPT

#liberando NTOP
#$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 3000 -j ACCEPT

#liberando ftp
$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 21 -j ACCEPT

#echo "| Redirecionado Solicitacoes para o Proxy - porta 3128                      |"
$IPTABLES -t nat -A PREROUTING -i $rede -p tcp --dport 80 -j REDIRECT --to 3128
$IPTABLES -A FORWARD -s $ethlocal -j ACCEPT
$IPTABLES -A FORWARD -d $ethlocal -j ACCEPT

# Redirecionando DNS
$IPTABLES -t nat -A PREROUTING -d $ethinternet -p tcp --dport 53 -j DNAT --to-destination 200.129.167.70
$IPTABLES -t nat -A PREROUTING -d $ethinternet -p udp --dport 53 -j DNAT --to-destination 200.129.167.70

#LIBERANDO MÁQUINAS
$IPTABLES -A FORWARD -i $ethlocal -s 10.155.89.8 -j ACCEPT

#===========================================================================================
#echo "| Redirecionado do MACKAY                                                 |"
#$IPTABLES -A FORWARD -i $ethinternet -s $internet -d 192.168.1.100 -j ACCEPT

#$IPTABLES -t nat -A PREROUTING -i $ethinternet -d 200.216.193.108 -j DNAT --to 192.168.1.100
#$IPTABLES -t nat -A POSTROUTING -s 192.168.1.100 -o $ethinternet -j SNAT --to 200.216.193.108

#============================================================================================
}

#######################################################################################################################
# FUNÇÕES DO FIREWALL
#######################################################################################################################
case "$1" in
   "start")
      echo "Iniciando firewall..."
      start_firewall
      echo "Pronto."
      ;;
      
   "stop")
      echo "Parando firewall..."
      stop_firewall
      echo "Pronto."
      ;;
      
   "restart")
      echo "Reiniciando firewall..."
      stop_firewall
      echo
      sleep 1
      start_firewall
      echo "Pronto."
      ;;   
   *)
      echo "Uso: $0 { start | stop | restart }"
      ;;
esac
########################################################################################################################

lfernandosg

amigo vc usa proxy?


para liberar a internet:

iptables -A POSTROUTING --src $IP_INTERNO/$INTMASK -o $IF_EXTERNO -j MASQUERADE -t nat   
iptables -t nat -A POSTROUTING -o $IF_EXTERNO -j MASQUERADE


onde:
$IP_INTERNO = o IP de sua placa de rede interna do servidor linux
$INTMASK = sua máscara
$IF_EXTERNO = sua interface de rede externa do servidor linux

agora se usa proxy tem que fazer redirecionamento da porta 80 para a prota do su proxy que normalmente usa a porta 3128
Dell Xps M1330/c2d 2.0Ghz/4GB ddr2/320GB sata/etc...

carlosaluisio

dica "bala": Use o firestarter.... ele faz tudo aí graficamente

evite tópicos duplicados, como esse.

sds. carlos
Ubuntu Lucid é 10 !!!

mackay

Uso proxy sim, porta 3128.
Coloquei a regra de redirecionamento lá no script.

$IPTABLES -t nat -A PREROUTING -i $IF_INT -p tcp --dport 80 -j REDIRECT --to 3128

lfernandosg

Dell Xps M1330/c2d 2.0Ghz/4GB ddr2/320GB sata/etc...