firewall: OUTPUT DROP

To: debian-user debian-user <debian-user-portuguese@lists.debian.org>
Subject: firewall: OUTPUT DROP
From: Flávio Barros <flaviobarros.gyn@pop.com.br>
Date: Thu, 12 Oct 2006 12:04:02 -0300
Message-id: <[🔎] 452E5962.4030909@pop.com.br>
Reply-to: flaviobarros.gyn@pop.com.br

Senhores, seria possível analisarem meu script de firewall ?

O problema é o seguinte: Quando adoto uma política OUTPUT DROP nãoconsigo navegar na Internet.


#!/bin/sh
IPTABLES=/sbin/iptables
IFLAN=eth0
IFWAN=eth1
LAN=172.21.5.0/24
WAN=172.18.0.0/16

# Ativando modulos
# -------------------------------------------------------
echo "Ativando modulos"
echo " "
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe sch_sfq
/sbin/modprobe sch_htb
/sbin/modprobe cls_u32

echo "Habilitando o filtro de ip ( seguranca ) Protecao contra IP spoofing"
echo " "
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth1/rp_filter

# Ativa roteamento no kernel
# -------------------------------------------------------
echo "Ativando repasse de pacotes"
echo " "
echo "1" > /proc/sys/net/ipv4/ip_forward

# Ativa syn cookies
# -------------------------------------------------------
echo "Ativando syn cookies"
echo " "
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Zera regras
# -------------------------------------------------------
echo "Limpando as regras antigas"
echo " "
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F -t nat
$IPTABLES -X -t nat
$IPTABLES -F -t mangle
$IPTABLES -X -t mangle

echo "Definindo a politica padrao"
echo " "
# Determina a politica padrao
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Aceita pacotes que ja estabelecerao conexao ( Statefull)
#-----------------------------------------------
echo "Definindo regras Statefull"
echo " "
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Aceitando pela interface interna
#-----------------------------------------------
echo "Liberando icmp local"
echo " "
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Liberando ICMP para rede
#-----------------------------------------------
echo "Liberando icmp para rede"
echo " "
$IPTABLES -A INPUT -p icmp -s $LAN -j ACCEPT
$IPTABLES -A FORWARD -p icmp -s $LAN  -j ACCEPT

# Acesso ssh (firewall)
#-----------------------------------------------
echo "Liberando ssh"
echo " "
$IPTABLES -A INPUT -p tcp -i $IFLAN -s $LAN --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 22 -j ACCEPT

#DNS udp=consulta tcp=transferencia
echo "Liberando DNS"
echo " "
$IPTABLES -A FORWARD -p udp -s $LAN --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LAN --dport 53 -j ACCEPT

$IPTABLES -A FORWARD -p tcp -s $WAN --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $WAN --dport 53 -j ACCEPT

#DHCP
echo "Liberando DHCP"
echo " "
$IPTABLES -A FORWARD -p udp -i $IFLAN -s $LAN --dport 68 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 67 -j ACCEPT

#E-Mail
echo "Liberando servico de e-mail"
echo " "
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 143 -j ACCEPT

#LDAP, SAMBA e AD
echo "Liberando servico LDAP, SAMBA e AD"
echo " "
#Replicacao LDAP semef
$IPTABLES -A FORWARD -p tcp -i $IFWAN -s 172.18.1.164 --dport 389 -j ACCEPT

#Microsoft Naked CIFS
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 445 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $IFLAN -s $LAN --dport 445 -j ACCEPT

#NETBIOS Name Service
$IPTABLES -A FORWARD -p udp -i $IFLAN -s $LAN --dport 137 -j ACCEPT

#NETBIOS Datagram Service
$IPTABLES -A FORWARD -p udp -i $IFLAN -s $LAN --dport 138 -j ACCEPT

#NETBIOS session service
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 139 -j ACCEPT

#https
echo "Liberando https"
echo " "
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 443 -j ACCEPT

#http
echo "Liberando http para acesso ao Sarg"
echo " "
$IPTABLES -A INPUT -p tcp -i $IFLAN -s $LAN --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IFLAN -s $LAN --dport 3128 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $IFLAN -s $LAN --dport 80 -j ACCEPT

# Proxy transparente
# ----------------------------
#echo "Ativando proxy transparente"
#echo " "

$IPTABLES -t nat -A PREROUTING -p tcp -d ! 172.0.0.0/8 --dport 80 -jREDIRECT --to-port 3128


#################################################
#                  Tabela NAT                   #
#################################################
# MASCARAMENTO
$IPTABLES -t nat -A POSTROUTING -o $IFWAN -j MASQUERADE

_______________________________________________________Você quer respostas para suas perguntas? Ou você sabe muito e quer compartilhar seu conhecimento? Experimente o Yahoo! Respostas !

http://br.answers.yahoo.com/

Reply to:

Follow-Ups:
- Re: firewall: OUTPUT DROP
  - From: Edmundo Valle Neto <edmundo.valle@terra.com.br>

Prev by Date: Re: Instalar Xubuntu por linha de comando
Next by Date: Re: libdvdcss
Previous by thread: Re: libdvdcss
Next by thread: Re: firewall: OUTPUT DROP
Index(es):
- Date
- Thread