Re: iptables, simple problem.
Man, I checked your iptables script and saw that it has some errors.
For example, you set the policy to ACCEPT, that is, everything can
enter and leave your network unless you block it explicitly.
I also saw that you created DROP rules that should be ACCEPT.
I recommend you study the documentation on security
available in Debian and on the site www.netfilter.org (the official
iptables site).
Bye,
dsales
On Sat, 2007-04-21 at 16:01 +0100, Silvino Silva wrote:
> Hello
>
>
> I have this simple iptables configuration:
>
>
> # filter table
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
>
> # nat table
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> # mangle table
> iptables -t mangle -P INPUT ACCEPT
> iptables -t mangle -P PREROUTING ACCEPT
> iptables -t mangle -P FORWARD ACCEPT
> iptables -t mangle -P POSTROUTING ACCEPT
> iptables -t mangle -P OUTPUT ACCEPT
>
> # Enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
>
>
> #creates a new chain athinput
> iptables -N athin
> iptables -N athout
>
> echo "##########################Cadeia Filter#############################"
> #Accept loopback
> iptables -A INPUT -i lo -j DROP
>
> #Create a chain for connections from the Internet, called athin
> iptables -A INPUT -i ath0 -j athin
>
> #Create a chain for connections from inside to outside
> iptables -A OUTPUT -o ath0 -j athout
>
>
> #accept the local network
> iptables -A INPUT -i eth0 -j DROP
>
> #Everything else is rejected and logged
> iptables -A INPUT -j DROP
>
> echo "##########################Cadeia FORWARD#############################"
> iptables -A FORWARD -j DROP
> echo "##########################Cadeia athin###############################"
> #Accept destination-unreachable replies and ping, limited to 2 per second
> iptables -A athin -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT
> iptables -A athin -m state --state INVALID -j DROP
>
>
> #Accept connections to apache
> iptables -A athin -p tcp --dport 80 -j ULOG --ulog-prefix "FIREWALL: Apache"
> iptables -A athin -p tcp --dport 80 -j ACCEPT
>
> #Accept HTML service
> iptables -A athin -p tcp --sport 80: --dport 1024: -j ACCEPT
>
> #DNS reply
> iptables -A athin -p udp --sport 53 --dport 1024: -j ACCEPT
>
> #reject everything else
> iptables -A athin -j ULOG --ulog-nlgroup 1 --ulog-prefix "FIREWALL: Excluido"
> iptables -A athin -j DROP
>
> echo "##########################Cadeia OUT###############################"
>
> #HTML service request
> iptables -A athout -p tcp --dport 80 -j ACCEPT
>
> #DNS service request
> iptables -A athout -p udp --dport 53 -j ACCEPT
>
> #Everything else rejected
> iptables -A athout -j DROP
>
> echo "##########################Cadeia NAT###############################"
> # iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -j DNAT --to 200.200.217.40-200.200.217.50:1024:5000
> # iptables -t nat -A PREROUTING -j DNAT -p udp --dport 53 -i eth0 --to-destination 195.22.0.136
> # iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 53 -i eth0 --to-destination 195.22.0.136
> #
> # #iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ath0 -j MASQUERADE
> # iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
>
> exit 0
>
> But if I run nmap with the options
>
> nmap -sT -F -P0 192.168.1.253
>
> it returns:
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-21 15:53 WEST
> Interesting ports on silvinosilva.no-ip.org (192.168.1.253):
> Not shown: 656 closed ports, 581 filtered ports
> PORT STATE SERVICE
> 80/tcp open http
> 6017/tcp open xmail-ctrl
>
> Nmap finished: 1 IP address (1 host up) scanned in 13.222 seconds
>
> I do not allow 6017/tcp open xmail-ctrl in iptables.
>
> :( Where is my error?
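A default-deny version of the quoted script, written as an added example (not the poster's or the list's own code): it assumes ath0 is the Internet side and eth0 the LAN, uses LOG in place of ULOG, and can be dry-run to print the rule set before loading it.

```shell
#!/bin/sh
# Default-deny rewrite of the quoted script (added example, not the poster's
# own). Assumed: ath0 = Internet, eth0 = LAN; LOG is used instead of ULOG.
WAN=ath0
LAN=eth0
# $1 is the command run for each rule: "iptables" to load the rules, or
# "echo iptables" to print the rule set without touching the kernel.
apply_rules() {
    ipt="${1:-iptables}"
    # Flush and delete user chains so re-running the script is idempotent.
    $ipt -F
    $ipt -X
    # Default policies: drop everything no rule explicitly accepts.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP
    # Loopback must be accepted (the original script dropped it).
    $ipt -A INPUT -i lo -j ACCEPT
    # Stateful rules: replies to connections this host opened get in.
    $ipt -A INPUT -m state --state INVALID -j DROP
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The trusted LAN on eth0 is accepted (the original dropped it too).
    $ipt -A INPUT -i "$LAN" -j ACCEPT
    # Internet-facing chain: only the web server is reachable from ath0.
    $ipt -N athin
    $ipt -A INPUT -i "$WAN" -j athin
    $ipt -A athin -p icmp --icmp-type destination-unreachable -m limit --limit 2/s -j ACCEPT
    $ipt -A athin -p tcp --dport 80 --syn -j ACCEPT
    $ipt -A athin -j LOG --log-prefix "FIREWALL: dropped "
    $ipt -A athin -j DROP
    # Outbound: only what the host itself needs (web, DNS, LAN); log the rest.
    $ipt -A OUTPUT -o lo -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -o "$WAN" -p tcp --dport 80 -j ACCEPT
    $ipt -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    $ipt -A OUTPUT -o "$LAN" -j ACCEPT
    $ipt -A OUTPUT -j LOG --log-prefix "FIREWALL: out-dropped "
    $ipt -A OUTPUT -j DROP
}
# Dry-run the rule set and fail if any chain policy is still ACCEPT.
check_default_deny() {
    if apply_rules "echo iptables" | grep -q -- '-P [A-Z]* ACCEPT'; then
        return 1
    fi
    return 0
}
# Prints the rules by default; run as root with IPT_CMD=iptables to load them.
apply_rules "${IPT_CMD:-echo iptables}"
```

With the policies at DROP, a port that no rule accepts is filtered regardless of what is listening on it, so a scan from the LAN or from the Internet can only show the ports the script names.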