Re: [Fedora-users-br] iptables freezing the machine at boot

PaTricK patrick_rsl at yahoo.com.br
Saturday May 26 15:28:44 UTC 2007


It freezes at the moment it is about to open the graphical interface,
when "daemon HAL..." appears.

It only freezes if I leave these rules in iptables



which block everything on INPUT so I can then release only what I want.
If I use these rules here:

iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT


It doesn't freeze with these ACCEPT rules that release everything.


PaTricK

Fabio Aragao wrote:
> do you know exactly where the problem is???
> if not, you can try a little trick:
> put an echo at a given point in the script, like this:
>
> echo "erro começo"
>
> rule
> rule
> rule
>
> echo "erro final"
>
>
> run the script, and from what shows up between these "echos"
> you narrow down where the error is, instead of hunting
> line by line.....
>
> or
>
> use this as the beginning:
>
> echo "Limpando regras do firewall"
> ###################
> # FLUSH ALL RULES #
> ###################
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
>
> iptables -t mangle -P PREROUTING ACCEPT
> iptables -t mangle -P OUTPUT ACCEPT
>
>
> #
> # flush all the rules in the filter and nat tables.
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
>
> #
> # erase all chains that are not default in the filter and nat tables.
> #
> iptables -X
> iptables -t nat -X
> iptables -t mangle -X
>
> #
> # zero the counters of all chains.
> #
> iptables -Z
> iptables -t nat -Z
> iptables -t mangle -Z
>
> hope this helps
>
>
>
> --- PaTricK <patrick_rsl at yahoo.com.br> wrote:
>
>   
>> I decided to block everything with iptables... but when
>> the computer is booting it freezes at the part
>> "daemon HAL..."
>> It only freezes when I put in these rules:
>>
>> iptables -F
>> iptables -t nat -F
>>
>> iptables -P FORWARD DROP
>> iptables -P INPUT DROP
>> iptables -P OUTPUT ACCEPT
>>
>> I'd like to know what I have to release so it doesn't
>> freeze, or if that's not the problem, what is?
>>
>> Here is my iptables:
>>
>> iptables -F
>> iptables -t nat -F
>>
>> iptables -P FORWARD DROP
>> iptables -P INPUT DROP
>> iptables -P OUTPUT ACCEPT
>>
>> iptables -A POSTROUTING -t nat -p all -s 10.1.1.0/29 -o eth0 -j MASQUERADE
>>
>> #Allow loopback
>> iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
>> iptables -t nat -A POSTROUTING -o lo -j ACCEPT
>>
>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 8 -j ACCEPT
>> iptables -A INPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 8 -j ACCEPT
>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 0 -j ACCEPT
>> iptables -A INPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 0 -j ACCEPT
>>
>> iptables -A OUTPUT -p udp -s 10.1.1.2 -d 0/0 --dport 53 -j ACCEPT
>> iptables -A INPUT -p udp -s 0/0 -d 10.1.1.2 --sport 53 -j ACCEPT
>> iptables -A INPUT -p icmp -s 0/0 -d 10.1.1.2 --icmp-type 0 -j ACCEPT
>> iptables -A OUTPUT -p tcp -s 10.1.1.2 -d 0/0 --dport 80 -j ACCEPT
>> iptables -A INPUT -p tcp -s 0/0 -d 10.1.1.2 --sport 80 -j ACCEPT
>>
>> iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 0/0 --dport 53 -j ACCEPT
>> iptables -A FORWARD -p udp -s 0/0 -d 192.168.1.0/24 --sport 53 -j ACCEPT
>> iptables -A FORWARD -p icmp -s 192.168.1.0/24 -d 0/0 --icmp-type 8 -j ACCEPT
>> iptables -A FORWARD -p icmp -s 0/0 -d 192.168.1.0/24 --icmp-type 0 -j ACCEPT
>> iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 -j ACCEPT
>> iptables -A FORWARD -p tcp -s 0/0 -d 192.168.1.0/24 --sport 80 -j ACCEPT
>>
>>
>> #Allow e-mail and SSH
>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 2222,25,110,4617 -j ACCEPT
>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 2222,25,110,4617 -j ACCEPT
>>
>> #Allow MSN
>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 1863,1864,6891,6900,6901,1863,5190,6901 -j ACCEPT
>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 1863,1864,6891,6900,6901,1863,5190,6901 -j ACCEPT
>>
>> iptables -A POSTROUTING -t nat -p all -s 10.1.1.0/29 -o eth0 -j MASQUERADE
>>
>> #SQUID
>> #/sbin/modprobe iptables_nat
>>
>> #iptables -t nat -A PREROUTING -i eth0 -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> #iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> #iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 80 -j REDIRECT --to-port 3128
>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 0/0 --icmp-type 8 -j ACCEPT
>>
>> #VNCserver
>> iptables -A INPUT -p tcp --dport 5801 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 5901 -j ACCEPT
>>
>> #Nessus
>> iptables -A INPUT -p tcp --dport 1241 -j ACCEPT
>>
>> #Azureus
>> #iptables -A INPUT  -p tcp --dport 18637 -j ACCEPT
>> iptables -A INPUT  -p tcp --dport 35558 -j ACCEPT
>> iptables -A INPUT  -p udp --dport 35558 -j ACCEPT
>>
>> #eMule ports
>>
>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 4662,443,4661,4462,4242,3306 -j ACCEPT
>> iptables -A INPUT -s 0/0 -p udp -m multiport --sport 4662,443,4661,4462,4242,3306 -j ACCEPT
>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 4662,443,4661,4462,4242,3306 -j ACCEPT
>> iptables -A INPUT -s 0/0 -p udp -m multiport --dport 4662,443,4661,4462,4242,3306 -j ACCEPT
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4662 -j DNAT --to-destination 10.1.1.2
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,4661,4462,4242,3306 -j DNAT --to-destination 10.1.1.2
>> iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 4672,4465,4468,4246,3310 -j DNAT --to-destination 10.1.1.2
>> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1024: -j DNAT --to-destination 10.1.1.2
>>
>> Could anyone give me a tip?
>> Thanks!
>>
>> PaTricK
>>
>>
>> --
>> Fedora-users-br mailing list
>> Fedora-users-br at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-users-br
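An added example, not written by any participant in this thread: the posted ruleset accepts only TCP SYN packets from 127.0.0.0/8 on INPUT (the nat POSTROUTING rule for lo does not affect the filter table), so with INPUT policy DROP every other loopback packet, UDP included and the non-SYN half of every TCP connection, is dropped. That is the first thing to check when local services stall behind a default-deny firewall. The script below sets up a minimal stateful ruleset that accepts all loopback traffic and established connections before any service port, and prints each rule before applying it (the echo-bracketing trick from the reply above, applied per rule). The interface name, LAN range and SSH port are constructed values; IPTABLES defaults to `echo iptables`, so the script only prints the commands until it is pointed at the real binary.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful ruleset for a host
# whose INPUT policy is DROP, so local services can still talk over loopback.
# IPTABLES defaults to "echo iptables" (dry run: it just prints the commands);
# run as root with IPTABLES=iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed values (assumptions): external interface, masqueraded LAN,
# and the SSH port that must stay reachable.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.1.1.0/29}"
SSH_PORT="${SSH_PORT:-2222}"

# Print the rules, one per line, in the order they must be applied:
# flush, default-deny policies, then the loopback and connection-tracking
# accepts before any individual service port.
emit_rules() {
cat <<EOF
-F
-t nat -F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Sanity check before applying: returns 0 when the unconditional loopback
# accept is part of the ruleset, 1 otherwise.
check_loopback() {
    emit_rules | grep -q -- '^-A INPUT -i lo -j ACCEPT$'
}

# Apply the rules one by one, echoing each first: if the boot hangs, the
# last "firewall:" line on the console names the rule that was in effect.
apply_rules() {
    emit_rules | while IFS= read -r rule; do
        echo "firewall: iptables $rule"
        # $rule is intentionally unquoted so it word-splits into arguments.
        $IPTABLES $rule || exit 1
    done
}

check_loopback && apply_rules
```

With the default dry run the output shows exactly which iptables invocation would run at each step; on the real binary the same echo lines land on the console during boot, so a hang points at the last rule printed rather than at the script as a whole.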




More information about the br-users mailing list