Hey, I checked your iptables script and saw that it has some errors. For example, you set the policy to ACCEPT, i.e. everything can enter and leave your network unless you block it explicitly.
I also saw that you created DROP rules that should be ACCEPT. I recommend you study the security documentation available in Debian and on the site www.netfilter.org (the official iptables site).

Later,
dsales

On Sat, 2007-04-21 at 16:01 +0100, Silvino Silva wrote:
> Hello
>
> I have this simple iptables configuration:
>
> # filter table
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
>
> # nat table
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> # mangle table
> iptables -t mangle -P INPUT ACCEPT
> iptables -t mangle -P PREROUTING ACCEPT
> iptables -t mangle -P FORWARD ACCEPT
> iptables -t mangle -P POSTROUTING ACCEPT
> iptables -t mangle -P OUTPUT ACCEPT
>
> # Enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_dynaddr
>
> # create the new chains athin and athout
> iptables -N athin
> iptables -N athout
>
> echo "##########################Chain filter#############################"
> # Accept loopback
> iptables -A INPUT -i lo -j DROP
>
> # Send the connections from the internet to a chain called athin
> iptables -A INPUT -i ath0 -j athin
>
> # Send the connections from inside to outside to a chain called athout
> iptables -A OUTPUT -o ath0 -j athout
>
> # accept the local network
> iptables -A INPUT -i eth0 -j DROP
>
> # Everything else is rejected and logged
> iptables -A INPUT -j DROP
>
> echo "##########################Chain FORWARD#############################"
> iptables -A FORWARD -j DROP
> echo "##########################Chain athin###############################"
> # Accept destination-unreachable replies and ping, limited to 2 per second
> iptables -A athin -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT
> iptables -A athin -m state --state INVALID -j DROP
>
> # Accept connections to apache
> iptables -A athin -p tcp --dport 80 -j ULOG --ulog-prefix "FIREWALL: Apache"
> iptables -A athin -p tcp --dport 80 -j ACCEPT
>
> # Accept HTML service
> iptables -A athin -p tcp --sport 80: --dport 1024: -j ACCEPT
>
> # DNS replies
> iptables -A athin -p udp --sport 53 --dport 1024: -j ACCEPT
>
> # reject everything else
> iptables -A athin -j ULOG --ulog-nlgroup 1 --ulog-prefix "FIREWALL: Excluded"
> iptables -A athin -j DROP
>
> echo "##########################Chain OUT###############################"
>
> # HTML service requests
> iptables -A athout -p tcp --dport 80 -j ACCEPT
>
> # DNS service requests
> iptables -A athout -p udp --dport 53 -j ACCEPT
>
> # Everything else rejected
> iptables -A athout -j DROP
>
> echo "##########################Chain NAT###############################"
> # iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -j DNAT --to 200.200.217.40-200.200.217.50:1024:5000
> # iptables -t nat -A PREROUTING -j DNAT -p udp --dport 53 -i eth0 --to-destination 195.22.0.136
> # iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 53 -i eth0 --to-destination 195.22.0.136
> #
> # #iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o ath0 -j MASQUERADE
> # iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
>
> exit 0
>
> But if I run nmap with the options
>
> nmap -sT -F -P0 192.168.1.253
>
> it returns:
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-21 15:53 WEST
> Interesting ports on silvinosilva.no-ip.org (192.168.1.253):
> Not shown: 656 closed ports, 581 filtered ports
> PORT     STATE SERVICE
> 80/tcp   open  http
> 6017/tcp open  xmail-ctrl
>
> Nmap finished: 1 IP address (1 host up) scanned in 13.222 seconds
>
> I do not authorize 6017/tcp open xmail-ctrl in iptables
>
> :( Where is my error?
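The reply rests on three pieces of iptables semantics: the chain policy is what happens when no rule matched, rules are evaluated first match wins, and a user chain that matches nothing returns to the chain that jumped into it. The following simulator, an added example that is not code from the thread, models exactly that for the filter table's INPUT path and runs both the INPUT/athin rules as posted and an assumed corrected version (policy DROP, ACCEPT for lo and eth0, `-m state --state ESTABLISHED,RELATED` in place of the `--sport 80: --dport 1024:` match; that corrected ruleset is my reading of the reply, not something the reply spells out). The sample packets are constructed, not captures from the poster's host. Beyond the two points the reply makes, it also shows that the posted `--sport 80: --dport 1024:` rule accepts any new TCP connection arriving on ath0 to a port of 1024 or higher, since a client's ephemeral source port is always at or above 80.

```python
"""Tiny first-match simulator for the iptables filter table (added example).

Models only what the thread needs: a default policy per built-in chain,
first-match evaluation, jumps into user chains (a user chain that matches
nothing returns to the caller), non-terminating ULOG, and the matches
-i, -p, --sport, --dport (with "N:" ranges) and -m state. Rate limits and
ICMP types are deliberately ignored.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
NON_TERMINATING = {"ULOG", "LOG"}


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT, DROP, ULOG or a user chain name
    iface: Optional[str] = None    # -i
    proto: Optional[str] = None    # -p
    sport: Optional[str] = None    # --sport, "80" or "80:" (80 to 65535)
    dport: Optional[str] = None    # --dport, same syntax
    state: Optional[str] = None    # -m state --state, comma separated

    @staticmethod
    def port_ok(spec: Optional[str], port: int) -> bool:
        if spec is None:
            return True
        if spec.endswith(":"):
            return port >= int(spec[:-1])
        return port == int(spec)

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and self.port_ok(self.sport, pkt.sport)
                and self.port_ok(self.dport, pkt.dport)
                and (self.state is None or pkt.state in self.state.split(",")))


Table = Tuple[Dict[str, str], Dict[str, List[Rule]]]  # (policies, chains)


def verdict(table: Table, chain: str, pkt: Packet) -> Optional[str]:
    """Walk one chain; None means 'fell off the end of a user chain'."""
    policies, chains = table
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target in NON_TERMINATING:
            continue                               # log and keep going
        sub = verdict(table, rule.target, pkt)     # -j <user chain>
        if sub is not None:
            return sub
    return policies.get(chain)  # built-in chain: policy; user chain: return


# INPUT and athin as posted in the thread (filter table only).
POSTED: Table = ({"INPUT": "ACCEPT"}, {
    "INPUT": [Rule("DROP", iface="lo"), Rule("athin", iface="ath0"),
              Rule("DROP", iface="eth0"), Rule("DROP")],
    "athin": [Rule("ACCEPT", proto="icmp"),
              Rule("DROP", state="INVALID"),
              Rule("ULOG", proto="tcp", dport="80"),
              Rule("ACCEPT", proto="tcp", dport="80"),
              Rule("ACCEPT", proto="tcp", sport="80:", dport="1024:"),
              Rule("ACCEPT", proto="udp", sport="53", dport="1024:"),
              Rule("ULOG"), Rule("DROP")],
})

# Assumed corrected version (not from the thread): policy DROP, lo and the
# LAN accepted, and connection tracking instead of the --sport 80: match.
FIXED: Table = ({"INPUT": "DROP"}, {
    "INPUT": [Rule("ACCEPT", iface="lo"), Rule("ACCEPT", iface="eth0"),
              Rule("athin", iface="ath0")],
    "athin": [Rule("ACCEPT", state="ESTABLISHED,RELATED"),
              Rule("DROP", state="INVALID"),
              Rule("ACCEPT", proto="icmp"),
              Rule("ULOG", proto="tcp", dport="80"),
              Rule("ACCEPT", proto="tcp", dport="80"),
              Rule("ULOG")],     # no final DROP: the INPUT policy handles it
})

# Constructed sample packets (not captures from the poster's host).
SAMPLES = {
    "loopback": Packet("lo", "tcp", 40000, 22),
    "lan_6017": Packet("eth0", "tcp", 40000, 6017),
    "inet_80_syn": Packet("ath0", "tcp", 40000, 80),
    "inet_6017_syn": Packet("ath0", "tcp", 40000, 6017),
    "inet_http_reply": Packet("ath0", "tcp", 80, 45000, state="ESTABLISHED"),
}


def evaluate(table: Table) -> Dict[str, Optional[str]]:
    return {name: verdict(table, "INPUT", pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, table in (("posted", POSTED), ("fixed", FIXED)):
        for name, result in evaluate(table).items():
            print(f"{label:6} {name:16} {result}")
```

With the posted rules the loopback and eth0 packets are dropped (the two DROP rules the reply says should be ACCEPT) while a new TCP connection from the internet to port 6017 is accepted by the `--sport 80: --dport 1024:` rule; with the corrected rules those two are accepted, the reply to an outbound HTTP request is accepted by connection tracking, and the 6017 SYN falls off the end of athin and is dropped by the INPUT policy.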

