Good morning,

I have a big problem: I am trying to set up a DNS, firewall and e-mail server. BIND 8.4.6, Shorewall 2.2.3 and Postfix 2.1.5 are already installed. The server is a Debian 3.1 machine with two network cards: eth0 is for the ADSL link (ppp0) and eth1 is for the internal network... I am getting lost in the iptables (Shorewall) configuration. The problems: MSN does not connect, the mail server does not receive e-mail, and when browsing the internet some sites load and others do not... I will list the rules that Shorewall generated for iptables:
*Output of the firewall configuration.*

# Generated by iptables-save v1.2.11 on Tue Jun 5 12:09:08 2007
*mangle
:PREROUTING ACCEPT [706669:568366777]
:INPUT ACCEPT [370158:418977074]
:FORWARD ACCEPT [336511:149389703]
:OUTPUT ACCEPT [236010:23456634]
:POSTROUTING ACCEPT [574496:172689628]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
COMMIT
# Completed on Tue Jun 5 12:09:08 2007
# Generated by iptables-save v1.2.11 on Tue Jun 5 12:09:08 2007
*nat
:PREROUTING ACCEPT [23296:1280099]
:POSTROUTING ACCEPT [1470:118393]
:OUTPUT ACCEPT [1470:118393]
:ppp0_masq - [0:0]
-A POSTROUTING -o ppp0 -j ppp0_masq
-A ppp0_masq -s 192.168.0.0/255.255.255.0 -j SNAT --to-source 200.146.78.61
COMMIT
# Completed on Tue Jun 5 12:09:08 2007
# Generated by iptables-save v1.2.11 on Tue Jun 5 12:09:08 2007
*filter
:INPUT DROP [1:48]
:FORWARD DROP [1:48]
:OUTPUT DROP [0:0]
:AllowICMPs - [0:0]
:Drop - [0:0]
:DropDNSrep - [0:0]
:DropSMB - [0:0]
:DropUPnP - [0:0]
:Reject - [0:0]
:RejectAuth - [0:0]
:RejectSMB - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:icmpdef - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -j Reject
-A INPUT -j reject
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -j Reject
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -j fw2net
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -j Reject
-A OUTPUT -j reject
-A AllowICMPs -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j RejectAuth
-A Drop -j dropBcast
-A Drop -p icmp -j AllowICMPs
-A Drop -j dropInvalid
-A Drop -j DropSMB
-A Drop -j DropUPnP
-A Drop -p tcp -j dropNotSyn
-A Drop -j DropDNSrep
-A DropDNSrep -p udp -m udp --sport 53 -j DROP
-A DropSMB -p udp -m udp --dport 135 -j DROP
-A DropSMB -p udp -m udp --dport 137:139 -j DROP
-A DropSMB -p udp -m udp --dport 445 -j DROP
-A DropSMB -p tcp -m tcp --dport 135 -j DROP
-A DropSMB -p tcp -m tcp --dport 139 -j DROP
-A DropSMB -p tcp -m tcp --dport 445 -j DROP
-A DropUPnP -p udp -m udp --dport 1900 -j DROP
-A Reject -j RejectAuth
-A Reject -j dropBcast
-A Reject -p icmp -j AllowICMPs
-A Reject -j dropInvalid
-A Reject -j RejectSMB
-A Reject -j DropUPnP
-A Reject -p tcp -j dropNotSyn
-A Reject -j DropDNSrep
-A RejectAuth -p tcp -m tcp --dport 113 -j reject
-A RejectSMB -p udp -m udp --dport 135 -j reject
-A RejectSMB -p udp -m udp --dport 137:139 -j reject
-A RejectSMB -p udp -m udp --dport 445 -j reject
-A RejectSMB -p tcp -m tcp --dport 135 -j reject
-A RejectSMB -p tcp -m tcp --dport 139 -j reject
-A RejectSMB -p tcp -m tcp --dport 445 -j reject
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -o ppp0 -j loc2net
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -j loc2fw
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p icmp -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 20 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 21 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 137 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 138 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 139 -j ACCEPT
-A loc2fw -p udp -m udp --dport 137 -j ACCEPT
-A loc2fw -p udp -m udp --dport 138 -j ACCEPT
-A loc2fw -p udp -m udp --dport 139 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j ACCEPT
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 20 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 21 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A net2fw -p udp -m udp --dport 53 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2fw -j net2all
-A ppp0_fwd -m state --state INVALID,NEW -j dynamic
-A ppp0_fwd -o eth1 -j net2all
-A ppp0_in -m state --state INVALID,NEW -j dynamic
-A ppp0_in -j net2fw
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
COMMIT
# Completed on Tue Jun 5 12:09:08 2007

Is the problem there? How can I fix it?

--
Adriano de Souza Barbosa
Msn: [EMAIL PROTECTED]

