Re: [Fedora-users-br] iptables hanging the machine at boot

PaTricK patrick_rsl at yahoo.com.br
Saturday May 26 20:39:37 UTC 2007


Hi,
I thought this rule here:
iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

which is in my service script, was for that... is it wrong for this case?
Thanks!

PaTricK


Otto Fuchshuber Filho wrote:
>
> Open a rule in the INPUT chain allowing everything with source localhost.
>
> Regards,
> Otto Fuchshuber Filho
> o2to2f at gmail.com
>
> PaTricK wrote, on 26-05-2007 12:28:
>> It hangs at the moment it is about to open the graphical interface,
>> when "daemon HAL..." appears.
>>
>> It hangs only if I leave these rules in iptables
>>
>>
>>
>> that block everything on INPUT so I can then allow only what I want.
>> If I use these rules here:
>>
>> iptables -P FORWARD ACCEPT
>> iptables -P INPUT ACCEPT
>> iptables -P OUTPUT ACCEPT
>>
>>
>> It doesn't hang with these rules set to ACCEPT to allow everything.
>>
>>
>> PaTricK
>>
>> Fabio Aragao wrote:
>>> do you know exactly where the problem is???
>>> if not you can try a little trick:
>>> put an echo at a given point in the script, like:
>>>
>>> echo "erro começo"
>>>
>>> regra
>>> regra
>>> regra
>>>
>>> echo "erro final"
>>>
>>>
>>> run the script and, from what appears between these "echos",
>>> you narrow down where the error is instead of
>>> searching line by line.....
>>>
>>> or
>>>
>>> use this beginning
>>>
>>> echo "Limpando regras do firewall"
>>> ###################
>>> # FLUSH ALL RULES #
>>> ###################
>>> iptables -P INPUT ACCEPT
>>> iptables -P OUTPUT ACCEPT
>>> iptables -P FORWARD ACCEPT
>>> iptables -t nat -P PREROUTING ACCEPT
>>> iptables -t nat -P POSTROUTING ACCEPT
>>> iptables -t nat -P OUTPUT ACCEPT
>>>
>>> iptables -t mangle -P PREROUTING ACCEPT
>>> iptables -t mangle -P OUTPUT ACCEPT
>>>
>>>
>>> #
>>> # flush all the rules in the filter and nat tables.
>>> #
>>> iptables -F
>>> iptables -t nat -F
>>> iptables -t mangle -F
>>>
>>> #
>>> # erase all chains that are not default in the filter and
>>> # nat tables.
>>> #
>>> iptables -X
>>> iptables -t nat -X
>>> iptables -t mangle -X
>>>
>>> #
>>> # zero the counters of all chains.
>>> #
>>> iptables -Z
>>> iptables -t nat -Z
>>> iptables -t mangle -Z
>>>
>>> hope it helps
>>>
>>>
>>>
>>> --- PaTricK <patrick_rsl at yahoo.com.br> wrote:
>>>
>>>> I decided to block everything with iptables... but when
>>>> the computer is booting it hangs at the part
>>>> "daemon HAL..."
>>>> It hangs only when I put in these rules:
>>>>
>>>> iptables -F
>>>> iptables -t nat -F
>>>>
>>>> iptables -P FORWARD DROP
>>>> iptables -P INPUT DROP
>>>> iptables -P OUTPUT ACCEPT
>>>>
>>>> I'd like to know what I have to allow so that it doesn't
>>>> hang? Or, if that isn't the problem, what is?
>>>>
>>>> Here is my iptables:
>>>>
>>>> iptables -F
>>>> iptables -t nat -F
>>>>
>>>> iptables -P FORWARD DROP
>>>> iptables -P INPUT DROP
>>>> iptables -P OUTPUT ACCEPT
>>>>
>>>> iptables -A POSTROUTING -t nat -p all -s 10.1.1.0/29 -o eth0 -j MASQUERADE
>>>>
>>>> #Allow loopback
>>>> iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
>>>> iptables -t nat -A POSTROUTING -o lo -j ACCEPT
>>>>
>>>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 8 -j ACCEPT
>>>> iptables -A INPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 8 -j ACCEPT
>>>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 0 -j ACCEPT
>>>> iptables -A INPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 0 -j ACCEPT
>>>>
>>>> iptables -A OUTPUT -p udp -s 10.1.1.2 -d 0/0 --dport 53 -j ACCEPT
>>>> iptables -A INPUT -p udp -s 0/0 -d 10.1.1.2 --sport 53 -j ACCEPT
>>>> iptables -A INPUT -p icmp -s 0/0 -d 10.1.1.2 --icmp-type 0 -j ACCEPT
>>>> iptables -A OUTPUT -p tcp -s 10.1.1.2 -d 0/0 --dport 80 -j ACCEPT
>>>> iptables -A INPUT -p tcp -s 0/0 -d 10.1.1.2 --sport 80 -j ACCEPT
>>>>
>>>> iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 0/0 --dport 53 -j ACCEPT
>>>> iptables -A FORWARD -p udp -s 0/0 -d 192.168.1.0/24 --sport 53 -j ACCEPT
>>>> iptables -A FORWARD -p icmp -s 192.168.1.0/24 -d 0/0 --icmp-type 8 -j ACCEPT
>>>> iptables -A FORWARD -p icmp -s 0/0 -d 192.168.1.0/24 --icmp-type 0 -j ACCEPT
>>>> iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 -j ACCEPT
>>>> iptables -A FORWARD -p tcp -s 0/0 -d 192.168.1.0/24 --sport 80 -j ACCEPT
>>>>
>>>>
>>>> #Allow e-mail and SSH
>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 2222,25,110,4617 -j ACCEPT
>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 2222,25,110,4617 -j ACCEPT
>>>>
>>>> #Allow MSN
>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 1863,1864,6891,6900,6901,1863,5190,6901 -j ACCEPT
>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 1863,1864,6891,6900,6901,1863,5190,6901 -j ACCEPT
>>>>
>>>> iptables -A POSTROUTING -t nat -p all -s 10.1.1.0/29 -o eth0 -j MASQUERADE
>>>>
>>>> #SQUID
>>>> #/sbin/modprobe iptables_nat
>>>>
>>>> #iptables -t nat -A PREROUTING -i eth0 -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>>
>>>> #iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>>
>>>> #iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 80 -j REDIRECT --to-port 3128
>>>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 0/0 --icmp-type 8 -j ACCEPT
>>>>
>>>> #VNCserver
>>>> iptables -A INPUT -p tcp --dport 5801 -j ACCEPT
>>>> iptables -A INPUT -p tcp --dport 5901 -j ACCEPT
>>>>
>>>> #Nessus
>>>> iptables -A INPUT -p tcp --dport 1241 -j ACCEPT
>>>>
>>>> #Azureus
>>>> #iptables -A INPUT  -p tcp --dport 18637 -j ACCEPT
>>>> iptables -A INPUT  -p tcp --dport 35558 -j ACCEPT
>>>> iptables -A INPUT  -p udp --dport 35558 -j ACCEPT
>>>>
>>>> #eMule ports
>>>>
>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 4662,443,4661,4462,4242,3306 -j ACCEPT
>>>> iptables -A INPUT -s 0/0 -p udp -m multiport --sport 4662,443,4661,4462,4242,3306 -j ACCEPT
>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 4662,443,4661,4462,4242,3306 -j ACCEPT
>>>> iptables -A INPUT -s 0/0 -p udp -m multiport --dport 4662,443,4661,4462,4242,3306 -j ACCEPT
>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4662 -j DNAT --to-destination 10.1.1.2
>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,4661,4462,4242,3306 -j DNAT --to-destination 10.1.1.2
>>>> iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 4672,4465,4468,4246,3310 -j DNAT --to-destination 10.1.1.2
>>>> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1024: -j DNAT --to-destination 10.1.1.2
>>>>
>>>> Could someone give me a tip?
>>>> Thanks!
>>>>
>>>> PaTricK
>>>>
>>>>
>>>> -- 
>>>> Fedora-users-br mailing list
>>>> Fedora-users-br at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-users-br
>>>
>>
>>
>
>
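One way to keep the deny-by-default INPUT policy the thread wants without the boot hang, written as an added example that is not from the thread or the list. It matches loopback by interface (`-i lo`) instead of by source address with `--syn`, which accepts only the opening packet of each loopback TCP connection and drops the rest, and it uses connection tracking for replies instead of trusting source ports such as `--sport 53`. Interface names, the LAN network and the service ports are assumed values; the output is iptables-restore syntax so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: a deny-by-default INPUT policy that
# still lets a desktop boot. Emits iptables-restore syntax so the ruleset
# can be read and diffed before loading (sh rules.sh | iptables-restore).
# LAN_IF, WAN_IF, LAN_NET and SERVICES_TCP are assumed values.
LAN_IF=eth1; WAN_IF=eth0; LAN_NET=10.1.1.0/29
SERVICES_TCP="22 25 110"   # ports this host itself serves

rule() { printf '%s\n' "$*"; }

gen_rules() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Loopback: match the interface. "-s 127.0.0.0/8 --syn" accepts only
    # the first packet of each local TCP connection, drops the rest, and
    # never matches local UDP, so local daemons stall waiting for replies.
    rule -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (DNS, HTTP, ...). This
    # replaces "--sport 53" / "--sport 80" rules, which admit anything
    # that merely claims to come from those ports.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP
    # Let the LAN ping the gateway; echo replies are covered by state.
    rule -A INPUT -i "$LAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # Services offered by this host: new connections only, one rule per port.
    for p in $SERVICES_TCP; do
        rule -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # LAN -> Internet forwarding; return traffic again via state.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule COMMIT
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    rule COMMIT
}

# Sanity checks a reviewer would run on the generated ruleset.
allows_loopback() { gen_rules | grep -q '^-A INPUT -i lo -j ACCEPT$'; }
default_deny()    { gen_rules | grep -q '^:INPUT DROP'; }
no_sport_trust()  { ! gen_rules | grep -q -- '--sport'; }

gen_rules
```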



