OK, abaixo o script completo; repito que funciona bem no 98, mas no XP ele não permite navegar nos sites liberados!! Será que alguém tem alguma ideia?
Diego S. Oliveira
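# Firewall / NAT for a small LAN: INT_INT is the LAN side, EXT_INT the link.
# Runs as root; needs iptables, lsmod/insmod and ifconfig.
#
# SUPORTE (hosts allowed to reach the proxy on 3128) and APORTAS (local
# port for the 8080/443 reply rules) are NOT defined here and must be set
# by the caller. With SUPORTE unset the proxy loop adds nothing; with
# APORTAS unset the two "Portas de Saida" rules fail to load.

INT_INT="eth0"
EXT_INT="eth1"
EXT_IP="200.100.100.100"   # ip ficticio (placeholder); leave empty to detect it from EXT_INT
LANNET="192.168.1.0/255.255.255.0"
ANY="0.0.0.0/0"

if [ -z "$EXT_IP" ]; then
  echo "Pegando IP externo na Interface $EXT_INT"
  # assumes pt_BR ifconfig output ("inet end.: A.B.C.D", address in field 3);
  # an English locale prints "inet addr:" and this yields an empty address.
  EXT_IP="$(ifconfig "$EXT_INT" 2> /dev/null | grep 'inet end' | awk '{print $3}')"/32
fi

# Ativa modulos
MODULOS="ip_tables ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp"
for a in $MODULOS; do
  # anchor on "name " so that e.g. ip_conntrack does not match ip_conntrack_ftp
  if lsmod | grep -q "^$a "; then
    echo "Modulo $a Ativo!"
  else
    echo "Ativando modulo $a ..."
    insmod "$a"
  fi
done

# Elimina Chains anteriores
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
#exit

# Cria regra default para Chains
# INPUT is closed by default; everything below opens specific holes.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Seta Kernel Flags
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Writes value $2 to /proc/sys/net/ipv4/conf/*/$1 (all interfaces, plus all/default).
set_ipv4_conf() {
  for f in /proc/sys/net/ipv4/conf/*/"$1"; do
    echo "$2" > "$f"
  done
}
set_ipv4_conf rp_filter 1            # reverse-path check: drop packets whose source is not routed via the arriving interface
set_ipv4_conf accept_redirects 0
set_ipv4_conf send_redirects 0
set_ipv4_conf accept_source_route 0
set_ipv4_conf log_martians 0         # 0 = do not log packets rejected by rp_filter; 1 would log them

### IPS liberados
iptables -A FORWARD -s 192.168.1.20/255.255.255.255 -d "$ANY" -j ACCEPT
iptables -A FORWARD -s 192.168.1.22/255.255.255.255 -d "$ANY" -j ACCEPT
iptables -A FORWARD -s 192.168.1.32/255.255.255.255 -d "$ANY" -j ACCEPT

### IPS liberados (parcialmente) ( regras que nao funcionam no XP)
# NOTE(review): for the rest of the LAN only this destination network is
# forwarded; anything else -- including DNS queries to a resolver outside
# 200.154.55.0/24 -- is caught by the REJECT below. Confirm which resolver
# the failing clients are configured with.
iptables -A FORWARD -s "$LANNET" -d 200.154.55.0/24 -j ACCEPT

### bloqueia todo o resto
iptables -A FORWARD -s "$LANNET" -d "$ANY" -j REJECT

# Libera Rede Interna / dialin
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i "$INT_INT" -s "$LANNET" -j ACCEPT
# NOTE(review): this accepts packets arriving on the external link with a LAN
# source address. With rp_filter=1 (set above) such packets should already be
# discarded by the kernel, so the rule only matters if rp_filter is turned
# off; confirm it is still needed for the dial-in case, otherwise remove it.
iptables -A INPUT -i "$EXT_INT" -s "$LANNET" -j ACCEPT

# Ativando reenvio de pacotes
# SNAT --to takes a bare address; strip the /32 appended by the autodetect branch.
iptables -t nat -A POSTROUTING -o "$EXT_INT" -j SNAT --to "${EXT_IP%/*}"

# LIBERA PORTAS
# PROXY (3128-tcp)
# This LOG rule has no source restriction, so it fires for every new
# connection attempt to 3128, allowed or not, despite the "Permite" prefix.
iptables -A INPUT -i "$EXT_INT" -p tcp --dport 3128 -m state --state NEW -j LOG --log-prefix "Permite PROXY:"
for a in $SUPORTE; do
  iptables -A INPUT -i "$EXT_INT" -p tcp -s "$a" --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
done

# 1723-tcp e GRE (PPTP) encaminhados para 192.168.1.230
iptables -t nat -A PREROUTING -p tcp --dport 1723 -j DNAT --to 192.168.1.230
iptables -t nat -A PREROUTING -p gre -j DNAT --to 192.168.1.230
iptables -A INPUT -p tcp -d "$EXT_IP" --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT

# SMTP (25-tcp)
iptables -A INPUT -i "$EXT_INT" -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# Reply traffic only. Matching NEW on a source-port rule would let a remote
# host reach any local port just by choosing its source port, bypassing the
# INPUT DROP policy; ESTABLISHED,RELATED covers the replies this is for.
iptables -A INPUT -i "$EXT_INT" -p tcp --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT

# WWW (80-tcp)
iptables -A INPUT -i "$EXT_INT" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Reply traffic only (same reasoning as the --sport 25 rule).
iptables -A INPUT -i "$EXT_INT" -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Portas de Saida
# APORTAS must be a single port or a range (a:b); several ports would need
# -m multiport --dports instead of --dport.
# Reply traffic only (same reasoning as the --sport 25 rule).
iptables -A INPUT -i "$EXT_INT" -p tcp --sport 8080 --dport "$APORTAS" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$EXT_INT" -p tcp --sport 443 --dport "$APORTAS" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Proibe portas restantes
iptables -A INPUT -i "$EXT_INT" -j DROP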