Re: [Fedora-users-br] iptables freezing the machine at boot

PaTricK patrick_rsl at yahoo.com.br
Monday May 28 00:41:25 UTC 2007


It worked this way.
Thanks for the help.

PaTricK


Otto Fuchshuber Filho wrote:
> Open everything for localhost and see if that solves your problem.
>
> iptables -A INPUT -i lo -j ACCEPT
>
> Put this rule first, before the others.
>
> Regards,
> Otto Fuchshuber Filho
> o2to2f at gmail.com
>
> PaTricK wrote, on 26-05-2007 17:39:
>> Hello,
>> I thought this rule here:
>> iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
>>
>> which is in my service script for this... is it wrong for this case?
>> thanks!
>>
>> PaTricK
>>
>>
>> Otto Fuchshuber Filho wrote:
>>>
>>> Add a rule to the INPUT chain allowing everything with localhost as source.
>>>
>>> Regards,
>>> Otto Fuchshuber Filho
>>> o2to2f at gmail.com
>>>
>>> PaTricK wrote, on 26-05-2007 12:28:
>>>> It freezes at the point where it is about to start the graphical interface,
>>>> when "daemon HAL..." appears.
>>>>
>>>> it freezes only if I leave these rules in iptables
>>>>
>>>>
>>>>
>>>> which block everything on INPUT so that I can then open only what
>>>> I want.
>>>> If I use these rules here:
>>>>
>>>> iptables -P FORWARD ACCEPT
>>>> iptables -P INPUT ACCEPT
>>>> iptables -P OUTPUT ACCEPT
>>>>
>>>>
>>>> It doesn't freeze with these rules set to ACCEPT, opening everything.
>>>>
>>>>
>>>> PaTricK
>>>>
>>>> Fabio Aragao wrote:
>>>>> do you know exactly where the problem is???
>>>>> if not, you can try a little trick:
>>>>> put an echo at a certain point in the script, like:
>>>>>
>>>>> echo "erro começo"
>>>>>
>>>>> rule
>>>>> rule
>>>>> rule
>>>>>
>>>>> echo "erro final"
>>>>>
>>>>>
>>>>> run the script and, from what appears between these "echos",
>>>>> you narrow down where the error is instead of
>>>>> searching line by line.....
>>>>>
>>>>> or
>>>>>
>>>>> use this beginning
>>>>>
>>>>> echo "Limpando regras do firewall"
>>>>> ###################
>>>>> # FLUSH ALL RULES #
>>>>> ###################
>>>>> iptables -P INPUT ACCEPT
>>>>> iptables -P OUTPUT ACCEPT
>>>>> iptables -P FORWARD ACCEPT
>>>>> iptables -t nat -P PREROUTING ACCEPT
>>>>> iptables -t nat -P POSTROUTING ACCEPT
>>>>> iptables -t nat -P OUTPUT ACCEPT
>>>>>
>>>>> iptables -t mangle -P PREROUTING ACCEPT
>>>>> iptables -t mangle -P OUTPUT ACCEPT
>>>>>
>>>>>
>>>>> #
>>>>> # flush all the rules in the filter and nat tables.
>>>>> #
>>>>> iptables -F
>>>>> iptables -t nat -F
>>>>> iptables -t mangle -F
>>>>>
>>>>> #
>>>>> # erase all chains that are not default in the filter and
>>>>> # nat tables.
>>>>> #
>>>>> iptables -X
>>>>> iptables -t nat -X
>>>>> iptables -t mangle -X
>>>>>
>>>>> #
>>>>> # zero the counters of all chains.
>>>>> #
>>>>> iptables -Z
>>>>> iptables -t nat -Z
>>>>> iptables -t mangle -Z
>>>>>
>>>>> hope it helps
>>>>>
>>>>>
>>>>>
>>>>> --- PaTricK <patrick_rsl at yahoo.com.br> wrote:
>>>>>
>>>>>  
>>>>>> I decided to block everything with iptables... but when
>>>>>> the computer is booting it freezes at the
>>>>>> "daemon HAL..." part.
>>>>>> It freezes only when I put in these rules:
>>>>>>
>>>>>> iptables -F
>>>>>> iptables -t nat -F
>>>>>>
>>>>>> iptables -P FORWARD DROP
>>>>>> iptables -P INPUT DROP
>>>>>> iptables -P OUTPUT ACCEPT
>>>>>>
>>>>>> I'd like to know what I have to open so that it doesn't
>>>>>> freeze? Or, if that isn't the problem, what is?
>>>>>>
>>>>>> Here is my iptables:
>>>>>>
>>>>>> iptables -F
>>>>>> iptables -t nat -F
>>>>>>
>>>>>> iptables -P FORWARD DROP
>>>>>> iptables -P INPUT DROP
>>>>>> iptables -P OUTPUT ACCEPT
>>>>>>
>>>>>> iptables -A POSTROUTING -t nat -p all -s 10.1.1.0/29 -o eth0 -j MASQUERADE
>>>>>>
>>>>>> #Allow loopback
>>>>>> iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
>>>>>> iptables -t nat -A POSTROUTING -o lo -j ACCEPT
>>>>>>
>>>>>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 8 -j ACCEPT
>>>>>> iptables -A INPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 8 -j ACCEPT
>>>>>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 0 -j ACCEPT
>>>>>> iptables -A INPUT -p icmp -s 10.1.1.2 -d 10.1.1.0/255.255.255.248 --icmp-type 0 -j ACCEPT
>>>>>>
>>>>>> iptables -A OUTPUT -p udp -s 10.1.1.2 -d 0/0 --dport 53 -j ACCEPT
>>>>>> iptables -A INPUT -p udp -s 0/0 -d 10.1.1.2 --sport 53 -j ACCEPT
>>>>>> iptables -A INPUT -p icmp -s 0/0 -d 10.1.1.2 --icmp-type 0 -j ACCEPT
>>>>>> iptables -A OUTPUT -p tcp -s 10.1.1.2 -d 0/0 --dport 80 -j ACCEPT
>>>>>> iptables -A INPUT -p tcp -s 0/0 -d 10.1.1.2 --sport 80 -j ACCEPT
>>>>>>
>>>>>> iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 0/0 --dport 53 -j ACCEPT
>>>>>> iptables -A FORWARD -p udp -s 0/0 -d 192.168.1.0/24 --sport 53 -j ACCEPT
>>>>>> iptables -A FORWARD -p icmp -s 192.168.1.0/24 -d 0/0 --icmp-type 8 -j ACCEPT
>>>>>> iptables -A FORWARD -p icmp -s 0/0 -d 192.168.1.0/24 --icmp-type 0 -j ACCEPT
>>>>>> iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 0/0 --dport 80 -j ACCEPT
>>>>>> iptables -A FORWARD -p tcp -s 0/0 -d 192.168.1.0/24 --sport 80 -j ACCEPT
>>>>>>
>>>>>> #Allow e-mail and SSH
>>>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 2222,25,110,4617 -j ACCEPT
>>>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 2222,25,110,4617 -j ACCEPT
>>>>>>
>>>>>> #Allow MSN
>>>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 1863,1864,6891,6900,6901,1863,5190,6901 -j ACCEPT
>>>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 1863,1864,6891,6900,6901,1863,5190,6901 -j ACCEPT
>>>>>>
>>>>>> iptables -A POSTROUTING -t nat -p all -s 10.1.1.0/29 -o eth0 -j MASQUERADE
>>>>>>
>>>>>> #SQUID
>>>>>> #/sbin/modprobe iptables_nat
>>>>>>
>>>>>> #iptables -t nat -A PREROUTING -i eth0 -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>>>>
>>>>>> #iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>>>>>
>>>>>> #iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 80 -j REDIRECT --to-port 3128
>>>>>> iptables -A OUTPUT -p icmp -s 10.1.1.2 -d 0/0 --icmp-type 8 -j ACCEPT
>>>>>>
>>>>>> #VNCserver
>>>>>> iptables -A INPUT -p tcp --dport 5801 -j ACCEPT
>>>>>> iptables -A INPUT -p tcp --dport 5901 -j ACCEPT
>>>>>>
>>>>>> #Nessus
>>>>>> iptables -A INPUT -p tcp --dport 1241 -j ACCEPT
>>>>>>
>>>>>> #Azureus
>>>>>> #iptables -A INPUT  -p tcp --dport 18637 -j ACCEPT
>>>>>> iptables -A INPUT  -p tcp --dport 35558 -j ACCEPT
>>>>>> iptables -A INPUT  -p udp --dport 35558 -j ACCEPT
>>>>>>
>>>>>> #eMule ports
>>>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 4662,443,4661,4462,4242,3306 -j ACCEPT
>>>>>> iptables -A INPUT -s 0/0 -p udp -m multiport --sport 4662,443,4661,4462,4242,3306 -j ACCEPT
>>>>>> iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 4662,443,4661,4462,4242,3306 -j ACCEPT
>>>>>> iptables -A INPUT -s 0/0 -p udp -m multiport --dport 4662,443,4661,4462,4242,3306 -j ACCEPT
>>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4662 -j DNAT --to-destination 10.1.1.2
>>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,4661,4462,4242,3306 -j DNAT --to-destination 10.1.1.2
>>>>>> iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 4672,4465,4468,4246,3310 -j DNAT --to-destination 10.1.1.2
>>>>>> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1024: -j DNAT --to-destination 10.1.1.2
>>>>>>
>>>>>> Could anyone give me a hint?
>>>>>> Thanks!
>>>>>>
>>>>>> PaTricK
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Fedora-users-br mailing list
>>>>>> Fedora-users-br at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-users-br
>
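Added example, not from the thread: a small Python model of INPUT-chain evaluation (first matching rule wins, otherwise the chain policy applies) that puts PaTricK's `--syn -s 127.0.0.1/255.0.0.0` rule and Otto's `-i lo -j ACCEPT` rule side by side against constructed loopback packets, under the `INPUT DROP` policy from the script above. It assumes, as in that script, that no connection-tracking (ESTABLISHED) rule is present; the packets are constructed sample traffic, not captures.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class Packet:
    iface: str                           # input interface: "lo" or "eth0"
    proto: str                           # "tcp", "udp" or "icmp"
    src: str                             # source IPv4 address
    flags: FrozenSet[str] = frozenset()  # TCP flags that are set

@dataclass
class Rule:
    target: str                          # ACCEPT or DROP
    iface: Optional[str] = None          # -i
    proto: Optional[str] = None          # -p
    src: Optional[str] = None            # -s, CIDR or addr/netmask
    syn: bool = False                    # --syn: SYN set, ACK/RST/FIN clear

    def matches(self, p: Packet) -> bool:
        if (self.iface and p.iface != self.iface) or (self.proto and p.proto != self.proto):
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        # --syn only matches the connection-opening segment, never replies or data.
        return not self.syn or (p.proto == "tcp" and p.flags == {"SYN"})

def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule wins; with no match the chain policy decides."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

# PaTricK's rule: iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT
SYN_ONLY = [Rule("ACCEPT", proto="tcp", src="127.0.0.1/255.0.0.0", syn=True)]
# Otto's rule, placed first: iptables -A INPUT -i lo -j ACCEPT
ALL_LO = [Rule("ACCEPT", iface="lo")]
# Constructed sample packets a desktop exchanges with itself over loopback.
LOOPBACK = {
    "tcp_syn": Packet("lo", "tcp", "127.0.0.1", frozenset({"SYN"})),
    "tcp_synack": Packet("lo", "tcp", "127.0.0.1", frozenset({"SYN", "ACK"})),
    "tcp_data": Packet("lo", "tcp", "127.0.0.1", frozenset({"ACK"})),
    "udp_dns": Packet("lo", "udp", "127.0.0.1"),
}

def compare(policy: str = "DROP") -> Dict[str, Tuple[str, str]]:
    """Per packet: (verdict under the --syn rule, verdict under the -i lo rule)."""
    return {n: (verdict(SYN_ONLY, policy, p), verdict(ALL_LO, policy, p))
            for n, p in LOOPBACK.items()}
```

Only the opening SYN survives the `--syn` rule; the SYN/ACK, data segments and any UDP on loopback fall through to the DROP policy, which is why local services stalled, while matching on the `lo` interface accepts all of them and, unlike a source-address match, accepts nothing arriving on eth0.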




More information about the br-users mailing list