Enviada: Qua Jul 16, 2008 7:48 am Assunto: erro Fedora Não assume as regras do Iptables.......
Olá Pessoal....
Instalei o Fedora 7 e migrei o script do iptables que estava no Red Hat
Porém ele não abre as portas nem aceita as regras.
Abaixo segue o meu script
#!/bin/bash
# /etc/rc.d/init.d/firesec
# chkconfig: 2345 90 10
# description: firewall
# Fedora/RHEL SysV init helper library and network settings, sourced by
# init-script convention; no name defined by either file is referenced in
# the functions below.
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
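#######################################
# Build the firewall: reset the filter and nat tables, set default policies,
# harden a few /proc/sys/net/ipv4 settings, load the netfilter modules and
# append the INPUT/FORWARD/OUTPUT/nat rules for a two-interface gateway
# (eth0 looks like the external side and eth1 the LAN, judging from the
# MASQUERADE and REDIRECT rules — confirm against the host's interfaces).
# Globals:   none read; writes /proc/sys/net/ipv4/* and the kernel ruleset
# Arguments: none
# Outputs:   progress banner lines to stdout
# Returns:   status of the last command run (iptables errors are not checked)
#######################################
fw_start()
{
  local spoofing
  echo "==================================================================="
  echo " | :: SETTING IPTABLES'S CONFIGURATION :: | "
  echo "==================================================================="
  echo
  # Flush the tables this function writes to. A bare 'iptables -F' only
  # flushed the filter table, so nat PREROUTING rules (DNAT/REDIRECT below)
  # piled up on every run that was not preceded by fw_stop.
  iptables -t filter -F
  iptables -t nat -F
  echo "CLEANING ALL RULES...................................OK"
  # Default policies: deny inbound and forwarded traffic unless a rule
  # accepts it; outbound is allowed by default.
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  echo "SETTING DEFAULT RULES................................OK"
  # Stop routing between interfaces while the rules are loaded; turned back
  # on at the end of this function.
  echo "0" > /proc/sys/net/ipv4/ip_forward
  echo "SETTING IP_FORWARD: OFF..............................OK"
  # Reverse-path filtering on every interface (anti-spoofing).
  for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > "$spoofing"
  done
  echo "SETTING ANTI-SPOOFING PROTECTION.....................OK"
  # Ignore ICMP redirects so a neighbour cannot alter the routing table.
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  echo "SETTING ANTI-REDIRECTS...............................OK"
  # Drop source-routed packets.
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo "SETTING ANTI-SOURCE ROUTE............................OK"
  # Ignore bogus ICMP error responses.
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo "SETTING ANTI-BUGUS_RESPONSE..........................OK"
  # SYN cookies against SYN floods.
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo "SETTING ANTI-SYNFLOOD PROTECTION.....................OK"
  # Netfilter modules; a module that is already built in or renamed on this
  # kernel just makes modprobe complain on stderr, execution continues.
  modprobe ip_tables
  modprobe iptable_mangle
  modprobe iptable_nat
  modprobe ipt_MASQUERADE
  modprobe ipt_conntrack
  modprobe ipt_TOS
  modprobe ipt_LOG
  echo "LOADING IPTABLES'S MODULES...........................OK"
  # ---- INPUT chain ----
  # Loopback, and everything arriving on the LAN interface.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -i eth1 -j ACCEPT
  # One trusted external address, then the per-port LAN rules. Note that
  # eth1 is already accepted wholesale above, so the eth1 port rules below
  # are never reached.
  iptables -A INPUT -p tcp -s 200.201.173.68 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 25 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 110 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 143 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 3000 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 20000 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 4662 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 4711 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 4671 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 3192 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 1999 -j ACCEPT
  iptables -A INPUT -p tcp -i eth1 --dport 5017 -j ACCEPT
  iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT
  iptables -A INPUT -p udp -i eth1 --dport 4672 -j ACCEPT
  iptables -A INPUT -p udp -i eth1 --dport 4665 -j ACCEPT
  # NOTE(review): accepting NEW here admits any new connection on any
  # interface, eth0 included, so the DROP policy and the per-port rules above
  # have no effect on what the external side can reach. Restricting this to
  # ESTABLISHED,RELATED makes the default-deny real; confirm which inbound
  # ports are actually needed on eth0 before changing it.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  echo "SETTING RULES FOR INPUT..............................OK"
  # ---- FORWARD chain: services the LAN (eth1) may reach ----
  iptables -A FORWARD -i eth1 -p tcp --dport 53 -j ACCEPT
  iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 3128 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 143 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
  # NOTE(review): FORWARD sees the post-DNAT destination, so this cannot
  # match traffic rewritten to 192.168.0.18:10000 below; 10000 was probably
  # meant — confirm.
  iptables -A FORWARD -i eth0 -p tcp --dport 20000 -j ACCEPT
  # Masquerade LAN traffic leaving through the external interface.
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  echo "ACTIVATING IP MASK...................................OK"
  # ---- nat PREROUTING: port forwards and transparent proxy ----
  # NOTE(review): the /255.255.255.0 mask turns the .25 host address into
  # the whole 192.168.0.0/24 subnet, and ACCEPT in nat PREROUTING ends
  # traversal of this chain for the matching packets — so the LOG rule and
  # the eth1 REDIRECT to 3128 below never see LAN traffic. Presumably a
  # single host was meant to bypass the proxy; confirm the intended mask.
  iptables -t nat -A PREROUTING -s 192.168.0.25/255.255.255.0 -j ACCEPT
  iptables -t nat -A PREROUTING -s 192.168.0.25/255.255.255.0 -j LOG --log-prefix "FIREWALL: SNAT-WWW"
  #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1999 -j DNAT --to-dest 192.168.0.27:1999
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20000 -j DNAT --to-dest 192.168.0.18:10000
  # Transparent proxy: LAN HTTP to Squid on 3128.
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
  # ---- OUTPUT chain ----
  # The OUTPUT policy is ACCEPT and the chain ends in a state catch-all, so
  # these ACCEPT rules change nothing; they only serve as documentation and
  # per-rule counters.
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 80 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 21 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 21 -o eth0 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 143 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 25 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 465 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 995 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 3192 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 110 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 3000 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p udp -s 0.0.0.0/0 --dport 4665 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 4661 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p udp -s 0.0.0.0/0 --dport 4672 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 4662 -o eth1 -j ACCEPT
  iptables -A OUTPUT -p tcp -s 0.0.0.0/0 --dport 4671 -o eth1 -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  # ---- FORWARD chain, continued ----
  iptables -A FORWARD -s 200.201.173.68 -j ACCEPT
  # Disabled; note '-t eth0' is not valid iptables syntax (-i was meant).
  #iptables -A FORWARD -t eth0 -p tcp --dport 5017 -j ACCEPT
  #iptables -A FORWARD -t eth0 -p udp --dport 5017 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 22 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 143 -j ACCEPT
  # (the OUTPUT udp/tcp 53 rules that were repeated here already exist above)
  iptables -A FORWARD -i eth1 -p tcp --dport 110 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 25 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT
  iptables -A FORWARD -i eth0 -p tcp --dport 21 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 3192 -j ACCEPT
  # NOTE(review): '-s 0.0.0.0/24' matches only sources 0.0.0.0-0.0.0.255,
  # which no real client has; 0.0.0.0/0 or the LAN prefix was probably
  # intended — confirm.
  iptables -A FORWARD -p tcp -s 0.0.0.0/24 --sport 1999 -d 200.206.218.7 --dport 1999 -j ACCEPT
  iptables -A FORWARD -p tcp -s 0.0.0.0/24 -d 200.206.218.7 --dport 20000 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 3000 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 4711 -j ACCEPT
  iptables -A FORWARD -i eth1 -p udp --dport 4665 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 4661 -j ACCEPT
  iptables -A FORWARD -i eth1 -p udp --dport 4672 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 4662 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 81 -j ACCEPT
  iptables -A FORWARD -i eth1 -p tcp --dport 4671 -j ACCEPT
  #iptables -A FORWARD -p tcp -s 192.168.0.255 --sport 137 -i eth1 --dport 137 -j ACCEPT
  #iptables -A FORWARD -p udp -s 192.168.0.255 --sport 137 -i eth1 --dport 137 -j ACCEPT
  #iptables -A FORWARD -i eth1 -p tcp --dport 137 -j DROP
  #iptables -A FORWARD -i eth1 -p tcp --dport 445 -j DROP
  #iptables -A FORWARD -i eth1 -p udp --dport 137 -j DROP
  #iptables -A FORWARD -i eth1 -p udp --dport 445 -j DROP
  # NOTE(review): same issue as the INPUT catch-all — NEW here forwards any
  # new connection in either direction, so the FORWARD DROP policy and the
  # per-port rules above are not enforced. ESTABLISHED,RELATED plus explicit
  # rules for what the LAN needs would restore the default-deny; confirm.
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  echo "SETTING RULES FOR FORWARD............................OK"
  # Rules are in place: enable routing between the interfaces.
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo "SETTING IP_FORWARD: ON...............................OK"
  echo "FINISHED!!! FIREWALL: OK.............................OK"
  echo "==================================================================="
}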
#######################################
# Open the firewall completely: ACCEPT policy on every built-in chain of the
# filter, nat and mangle tables, then flush rules, delete user-defined chains
# and zero counters in each table.
# Arguments: none
# Outputs:   a confirmation banner to stdout
#######################################
fw_stop()
{
  local table chain
  echo ""
  for chain in INPUT FORWARD OUTPUT; do
    iptables -t filter -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P "$chain" ACCEPT
  done
  for chain in PREROUTING POSTROUTING OUTPUT INPUT FORWARD; do
    iptables -t mangle -P "$chain" ACCEPT
  done
  # One pass per operation keeps the original order: flush, then delete
  # chains, then zero counters, each across all three tables.
  for table in filter nat mangle; do
    iptables -t "$table" -F
  done
  for table in filter nat mangle; do
    iptables -t "$table" -X
  done
  for table in filter nat mangle; do
    iptables -t "$table" -Z
  done
  echo "######################################################"
  echo "#--> Desativando / Limpando Firewall ..........[ OK ]#"
  echo "######################################################"
  echo ""
}
#######################################
# Print the accepted sub-commands.
# Arguments: none ($0 is the script path as invoked)
# Outputs:   usage text to stdout
#######################################
fw_usage()
{
  printf '\n#--> %s (start | stop | restart | clear)\n\n' "$0"
  printf '%s\n' \
    "#--> start - Ativa o rc.Firewall.sh" \
    "#--> stop - Desativa o rc.Firewall.sh" \
    "#--> restart - Reativa o rc.Firewall.sh" \
    "#--> clear - Limpa os contatores"
}
#######################################
# Zero the packet/byte counters of the filter, nat and mangle tables; rules
# and policies are left untouched.
# Arguments: none
#######################################
fw_clear()
{
  local table
  for table in filter nat mangle; do
    iptables -t "$table" -Z
  done
}
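# Dispatch on the init-script action; unknown or missing actions print usage
# and exit 2 (the LSB status for invalid arguments).
case "${1:-}" in
  start)
    fw_stop
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    # Tear down first, as start does: running fw_start alone appended a second
    # copy of every rule on top of the live set.
    fw_stop
    fw_start
    ;;
  clear)
    fw_clear
    ;;
  *)
    fw_usage
    exit 2
    ;;
esac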
Enviada: Ter Ago 19, 2008 11:00 am Assunto:
Bom dia...
O que acontece quando executa esse teu script? Qual é o resultado do iptables -L depois de executado?
[]'s Jefferson