Olá senhores, estou com um problema no script do meu IPTABLES. Quando eu "starto" ele a Internet pára de funcionar para a minha rede local, gostaria de saber dos senhores se eu errei em alguma regra ou esqueci de colocar alguma. Aí vai meu script.
#!/bin/bash
#############################################################################################
# VARIAVEIS
rede="10.155.89.0/24"
ethlocal="10.155.89.222"
ethinternet="200.139.0.221"
#############################################################################################
# VARIAVEIS DO IPTABLES
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
#############################################################################################
function proc_configuration {
echo 1 > /proc/sys/net/ipv4/ip_forward
# Ignorando pacotes ICMP enviados por broadcast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Desabilitando origem dos pacotes roteados
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i
done
# Enable TCP SYN Cookie Protection
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $i
done
# Don't send Redirects Messages
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $i
done
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
# Log packets with impossible addresses
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $i
done
}
function load_modules {
/sbin/depmod -a
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE iptable_filter
$MODPROBE iptable_mangle
$MODPROBE iptable_nat
$MODPROBE ipt_LOG
$MODPROBE ipt_limit
$MODPROBE ipt_state
$MODPROBE ip_nat_ftp
$MODPROBE ipt_MASQUERADE
}
function stop_firewall {
#Limpando regras das chains
$IPTABLES --flush
$IPTABLES -t nat --flush
$IPTABLES -t mangle --flush
#Removendo chains pre existentes
$IPTABLES --delete-chain
$IPTABLES -t nat --delete-chain
$IPTABLES -t mangle --delete-chain
#Setando politica padrao para todas as chains (ACCEPT)
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
}
function start_firewall {
#---------------------------------------------------------------------------------------
# CARREGANDO MODULOS
load_modules
proc_configuration
#----------------------------------------------------------------------------------------
# POLITICAS PADRAO
#POLITICA PADRAO
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
#----------------------------------------------------------------------------------------
# REGRAS DE INPUT
# REDE LOCAL
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $ethlocal -s $rede -j ACCEPT
echo "| Liberando regras de INPUT |"
#-------------------------------------------------------------------------------------
#echo "| Liberando Acesso ao Servidor WEB - Porta 80 |"
#$IPTABLES -A INPUT -i $ethinternet -s $internet -p tcp --dport 80 -j ACCEPT
#echo "| Liberando Acesso ao Servidor WEB - Porta 443 |"
#$IPTABLES -A INPUT -i $ethinternet -s $internet -p tcp --dport 443 -j ACCEPT
#echo "| Liberando Acesso ao Servidor ftp - Porta 21 |"
#$IPTABLES -A INPUT -i $ethinternet -s $internet -p tcp --dport 21 -j ACCEPT
echo "| Liberando Acesso ao Servidor SSH - Porta 22 |"
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
echo "| Liberando Ping para Rede Local |"
$IPTABLES -A INPUT -s $rede -p ICMP -j ACCEPT
#---------------------------------------------------------------------------------------
# REGRAS DE FORWARD
# prioridade de roteamento
$IPTABLES -t mangle -A POSTROUTING -s $rede -o $ethinternet -j TOS --set-tos 16
echo "| Definindo regras de retorno de Forward |"
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "| Ativando Mascaramento |"
# Primeiro, ativar o mascaramento (nat).
$IPTABLES -t nat -A POSTROUTING -o $ethinternet -s $rede -j MASQUERADE
$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -i $ethlocal -p udp --dport 53 -j ACCEPT
#$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 6666:6669 -j ACCEPT
#----------------------------------------------------------------------------------------
# LIBERANDO PORTAS DE ACESSO DIVERSAS
#liberando msn
#$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 1863 -j ACCEPT
#liberando NTOP
#$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 3000 -j ACCEPT
#liberando ftp
$IPTABLES -A FORWARD -i $ethlocal -p tcp --dport 21 -j ACCEPT
#echo "| Redirecionado Solicitacoes para o Proxy - porta 3128 |"
$IPTABLES -t nat -A PREROUTING -i $rede -p tcp --dport 80 -j REDIRECT --to 3128
$IPTABLES -A FORWARD -s $ethlocal -j ACCEPT
$IPTABLES -A FORWARD -d $ethlocal -j ACCEPT
# Redirecionando DNS
$IPTABLES -t nat -A PREROUTING -d $ethinternet -p tcp --dport 53 -j DNAT --to-destination 200.129.167.70
$IPTABLES -t nat -A PREROUTING -d $ethinternet -p udp --dport 53 -j DNAT --to-destination 200.129.167.70
#LIBERANDO MÁQUINAS
$IPTABLES -A FORWARD -i $ethlocal -s 10.155.89.8 -j ACCEPT
#===========================================================================================
#echo "| Redirecionado do MACKAY |"
#$IPTABLES -A FORWARD -i $ethinternet -s $internet -d 192.168.1.100 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ethinternet -d 200.216.193.108 -j DNAT --to 192.168.1.100
#$IPTABLES -t nat -A POSTROUTING -s 192.168.1.100 -o $ethinternet -j SNAT --to 200.216.193.108
#============================================================================================
}
#######################################################################################################################
# FUNÇÕES DO FIREWALL
#######################################################################################################################
case "$1" in
"start")
echo "Iniciando firewall..."
start_firewall
echo "Pronto."
;;
"stop")
echo "Parando firewall..."
stop_firewall
echo "Pronto."
;;
"restart")
echo "Reiniciando firewall..."
stop_firewall
echo
sleep 1
start_firewall
echo "Pronto."
;;
*)
echo "Uso: $0 { start | stop | restart }"
;;
esac
########################################################################################################################
Tópico: IPTABLES está bloqueando a Internet (Lida 2493 vezes)