
Problems with iptables (Shorewall), help?

Good morning,
I have a big problem: I am trying to set up a DNS, firewall and email server.
bind 8.4.6, Shorewall 2.2.3 and Postfix 2.1.5 are already installed. The server is a Debian 3.1 box with two network cards: eth0 faces the ADSL line (ppp0) and eth1 faces the internal network...
I am getting lost in the iptables (Shorewall) configuration. The problems: MSN does not connect, the mail server does not receive emails, and when browsing the internet some sites load and others do not...
I will list the rules that Shorewall generated for iptables:

Output from the firewall configuration.
# Generated by iptables-save v1.2.11 on Tue Jun 5 12:09:08 2007
*mangle
:PREROUTING ACCEPT [706669:568366777]
:INPUT ACCEPT [370158:418977074]
:FORWARD ACCEPT [336511:149389703]
:OUTPUT ACCEPT [236010:23456634]
:POSTROUTING ACCEPT [574496:172689628]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
COMMIT
# Completed on Tue Jun 5 12:09:08 2007
# Generated by iptables-save v1.2.11 on Tue Jun 5 12:09:08 2007
*nat
:PREROUTING ACCEPT [23296:1280099]
:POSTROUTING ACCEPT [1470:118393]
:OUTPUT ACCEPT [1470:118393]
:ppp0_masq - [0:0]
-A POSTROUTING -o ppp0 -j ppp0_masq
-A ppp0_masq -s 192.168.0.0/255.255.255.0 -j SNAT --to-source 200.146.78.61
COMMIT
# Completed on Tue Jun 5 12:09:08 2007
# Generated by iptables-save v1.2.11 on Tue Jun 5 12:09:08 2007
*filter
:INPUT DROP [1:48]
:FORWARD DROP [1:48]
:OUTPUT DROP [0:0]
:AllowICMPs - [0:0]
:Drop - [0:0]
:DropDNSrep - [0:0]
:DropSMB - [0:0]
:DropUPnP - [0:0]
:Reject - [0:0]
:RejectAuth - [0:0]
:RejectSMB - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:icmpdef - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -j Reject
-A INPUT -j reject
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -j Reject
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -j fw2net
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -j Reject
-A OUTPUT -j reject
-A AllowICMPs -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j RejectAuth
-A Drop -j dropBcast
-A Drop -p icmp -j AllowICMPs
-A Drop -j dropInvalid
-A Drop -j DropSMB
-A Drop -j DropUPnP
-A Drop -p tcp -j dropNotSyn
-A Drop -j DropDNSrep
-A DropDNSrep -p udp -m udp --sport 53 -j DROP
-A DropSMB -p udp -m udp --dport 135 -j DROP
-A DropSMB -p udp -m udp --dport 137:139 -j DROP
-A DropSMB -p udp -m udp --dport 445 -j DROP
-A DropSMB -p tcp -m tcp --dport 135 -j DROP
-A DropSMB -p tcp -m tcp --dport 139 -j DROP
-A DropSMB -p tcp -m tcp --dport 445 -j DROP
-A DropUPnP -p udp -m udp --dport 1900 -j DROP
-A Reject -j RejectAuth
-A Reject -j dropBcast
-A Reject -p icmp -j AllowICMPs
-A Reject -j dropInvalid
-A Reject -j RejectSMB
-A Reject -j DropUPnP
-A Reject -p tcp -j dropNotSyn
-A Reject -j DropDNSrep
-A RejectAuth -p tcp -m tcp --dport 113 -j reject
-A RejectSMB -p udp -m udp --dport 135 -j reject
-A RejectSMB -p udp -m udp --dport 137:139 -j reject
-A RejectSMB -p udp -m udp --dport 445 -j reject
-A RejectSMB -p tcp -m tcp --dport 135 -j reject
-A RejectSMB -p tcp -m tcp --dport 139 -j reject
-A RejectSMB -p tcp -m tcp --dport 445 -j reject
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -o ppp0 -j loc2net
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -j loc2fw
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p icmp -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 20 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 21 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 137 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 138 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 139 -j ACCEPT
-A loc2fw -p udp -m udp --dport 137 -j ACCEPT
-A loc2fw -p udp -m udp --dport 138 -j ACCEPT
-A loc2fw -p udp -m udp --dport 139 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j ACCEPT
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 20 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 21 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A net2fw -p udp -m udp --dport 53 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2fw -j net2all
-A ppp0_fwd -m state --state INVALID,NEW -j dynamic
-A ppp0_fwd -o eth1 -j net2all
-A ppp0_in -m state --state INVALID,NEW -j dynamic
-A ppp0_in -j net2fw
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
COMMIT
# Completed on Tue Jun 5 12:09:08 2007


Is the problem there? How can I fix it?


--
Adriano de Souza Barbosa
Msn: asb.intruder@gmail.com
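An added example, not part of the post above and not Shorewall's own code: a small Python tracer that follows one packet through an iptables-save dump the way the kernel does, jumping into user-defined chains and returning to the caller when a chain ends without a verdict. The embedded dump is a constructed excerpt of the posted *filter table (same chain layout and rule order, the per-port ACCEPT lines trimmed to one); run over it, a new TCP connection arriving on ppp0 for port 25 on the firewall ends in net2all's final -j ACCEPT, so these rules are not what keeps inbound SMTP out.

```python
# Constructed excerpt of the *filter table posted above, trimmed to one port rule.
DUMP = """\
:INPUT DROP [1:48]
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -j reject
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j ACCEPT
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -j net2all
-A ppp0_in -m state --state INVALID,NEW -j dynamic
-A ppp0_in -j net2fw
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-host-prohibited
"""
OPTS = ("-i", "-o", "-p", "-j", "--dport", "--state")   # the matches this tracer understands

def parse(dump):
    """Return ({chain: [rule]}, {built-in chain: policy}); a rule keeps only OPTS."""
    chains, policies = {}, {}
    for tok in (ln.split() for ln in dump.splitlines() if ln.strip()):
        if tok[0].startswith(":") and tok[1] != "-":       # ":NAME POLICY [pkts:bytes]"
            policies[tok[0][1:]] = tok[1]
        elif tok[0] == "-A":                                 # "-A CHAIN <matches> -j TARGET"
            rule = {t: tok[i + 1] for i, t in enumerate(tok) if t in OPTS}
            chains.setdefault(tok[1], []).append(rule)
    return chains, policies

def matches(rule, pkt):
    """pkt is a dict keyed like a rule; every option the rule sets must agree."""
    if any(o in rule and rule[o] != pkt.get(o) for o in ("-i", "-o", "-p")):
        return False
    if "--dport" in rule and rule["--dport"] != str(pkt.get("--dport")):
        return False
    return "--state" not in rule or pkt.get("--state") in rule["--state"].split(",")

def walk(chains, chain, pkt):
    """Evaluate one chain: a verdict, or None when the packet falls off its end."""
    for rule in (r for r in chains.get(chain, []) if matches(r, pkt)):
        target = rule["-j"]
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        if target != "LOG":                                  # LOG is non-terminating
            result = walk(chains, target, pkt)               # user chain; absent (dynamic) == empty
            if result is not None:
                return result
    return None

def verdict(dump, builtin, pkt):
    chains, policies = parse(dump)                           # fall back to the chain policy
    return walk(chains, builtin, pkt) or policies[builtin]
```

The same walk over the posted FORWARD chain (ppp0_fwd, then -o eth1 -j net2all) also ends in net2all's catch-all ACCEPT, so nothing in this dump restricts what the internet side may open towards the firewall or the LAN.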