iptables chain is ignored

Can someone explain to me why this flow gets dropped?

192.168.1.18 -> ANY:ANY

The DROP rules inside default_FORWARD_FIREWALL seem to take precedence over the ACCEPT rules inside 55_FORWARD_FIREWALL.

When I remove the DROP rules inside default_FORWARD_FIREWALL, it works!

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       88  6086 55_INPUT   all  --  *      *       192.168.1.18         0.0.0.0/0
2      722  386K default_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       89  5072 55_FORWARD_WEBSITES  all  --  *      *       192.168.1.18         0.0.0.0/0
2       89  5072 55_FORWARD_FIREWALL  all  --  *      *       192.168.1.18         0.0.0.0/0
3      150  8532 default_FORWARD_WEBSITES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4      150  8532 default_FORWARD_FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      736  330K default_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain 55_FORWARD_FIREWALL (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       77  4004 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
2       12  1068 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain 55_FORWARD_WEBSITES (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain 55_INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,12345,8080,4430,8081,4431
2       30  2052 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,5300,5302,5301,5303

Chain 55_OUTPUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain default_FORWARD_FIREWALL (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      138  6888 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
2       12  1644 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain default_FORWARD_WEBSITES (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain default_INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      259  258K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      446  126K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 67,22,80,443,8001,8002
4        1    67 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 67,53,5300,5301
5       10   878 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain default_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      259  258K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2      477 71370 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
3        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Script:

# Flush all rules, delete all user chains and reset the policies to ACCEPT (filter and nat tables)
/sbin/iptables  -t filter -F
/sbin/iptables  -t filter -X
/sbin/iptables  -t nat -F
/sbin/iptables  -t nat -X
/sbin/iptables  -t filter -P INPUT ACCEPT
/sbin/iptables  -t filter -P FORWARD ACCEPT
/sbin/iptables  -t filter -P OUTPUT ACCEPT
/sbin/iptables  -t nat -P PREROUTING ACCEPT
/sbin/iptables  -t nat -P POSTROUTING ACCEPT
/sbin/iptables  -t nat -P OUTPUT ACCEPT
# Catch-all chains (default_*), hooked into the built-in chains at position 1
/sbin/iptables -t filter -N default_INPUT
/sbin/iptables -t filter -A default_INPUT  -i lo -j ACCEPT
/sbin/iptables -t filter -A default_INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A default_INPUT  -p tcp -m multiport --dport 67,22,http,https,8001,8002 -j ACCEPT
/sbin/iptables -t filter -A default_INPUT  -p udp -m multiport --dport 67,53,5300,5301 -j ACCEPT
/sbin/iptables -t filter -A default_INPUT  -j DROP
/sbin/iptables -t filter -I INPUT 1  -j default_INPUT
/sbin/iptables -t filter -N default_FORWARD_FIREWALL
/sbin/iptables -t filter -A default_FORWARD_FIREWALL  -i eth0 -p tcp -j DROP
/sbin/iptables -t filter -A default_FORWARD_FIREWALL  -i eth0 -p udp -j DROP
/sbin/iptables -t filter -I FORWARD 1  -j default_FORWARD_FIREWALL
/sbin/iptables -t filter -N default_FORWARD_WEBSITES
/sbin/iptables -t filter -I FORWARD 1  -j default_FORWARD_WEBSITES
/sbin/iptables -t filter -N default_OUTPUT
/sbin/iptables -t filter -A default_OUTPUT  -o lo -j ACCEPT
/sbin/iptables -t filter -A default_OUTPUT  -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A default_OUTPUT  -o eth0 -j ACCEPT
/sbin/iptables -t filter -I OUTPUT 1  -j default_OUTPUT
# NAT defaults: forward incoming 80/443 on eth0 to 192.168.1.12:8002, masquerade everything leaving eth0
/sbin/iptables -t nat -N default_PREROUTING
/sbin/iptables -t nat -A default_PREROUTING  -i eth0 -p tcp -m multiport --dport 80,443 -j DNAT --to 192.168.1.12:8002
/sbin/iptables -t nat -I PREROUTING 1  -j default_PREROUTING
/sbin/iptables -t nat -N default_POSTROUTING
/sbin/iptables -t nat -A default_POSTROUTING  -o eth0 -j MASQUERADE
/sbin/iptables -t nat -I POSTROUTING 1  -j default_POSTROUTING
# Per-client chains (prefix 55_) for traffic sourced from 192.168.1.18
/sbin/iptables -t filter -N 55_INPUT
/sbin/iptables -t filter -N 55_FORWARD_FIREWALL
/sbin/iptables -t filter -N 55_FORWARD_WEBSITES
/sbin/iptables -t filter -N 55_OUTPUT
/sbin/iptables -t nat -N 55_PREROUTING
/sbin/iptables -t nat -N 55_POSTROUTING
/sbin/iptables -t filter -A 55_INPUT -i eth0 -p tcp -m multiport --dport 80,443,12345,8080,4430,8081,4431 -j ACCEPT
/sbin/iptables -t filter -A 55_INPUT -i eth0 -p udp -m multiport --dport 53,5300,5302,5301,5303 -j ACCEPT
/sbin/iptables -t filter -A 55_FORWARD_FIREWALL -i eth0 -p tcp -j ACCEPT
/sbin/iptables -t filter -A 55_FORWARD_FIREWALL -i eth0 -p udp -j ACCEPT
/sbin/iptables -t filter -A 55_FORWARD_FIREWALL  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 192.168.1.12:5300
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to 192.168.1.12:5300
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -d 192.168.1.12 -p tcp --dport 80 -j DNAT --to 192.168.1.12:8080
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -d 192.168.1.12 -p tcp --dport 443 -j DNAT --to 192.168.1.12:4430
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -p tcp -m multiport --dport 80,443 -j ACCEPT
/sbin/iptables -t nat -I 55_PREROUTING 1 -i eth0 -p tcp -d 193.0.6.139 -m multiport --dport 80,443 -j DNAT --to 192.168.1.12:12345
# Hook the 55_* chains in at position 1, so they are evaluated before the default_* jumps (each -I ... 1 pushes to the top)
/sbin/iptables -t filter -I INPUT 1 -s 192.168.1.18 -j 55_INPUT
/sbin/iptables -t filter -I FORWARD 1 -s 192.168.1.18 -j 55_FORWARD_FIREWALL
/sbin/iptables -t filter -I FORWARD 1 -s 192.168.1.18 -j 55_FORWARD_WEBSITES
/sbin/iptables -t nat -I PREROUTING 1 -s 192.168.1.18 -j 55_PREROUTING
by benoit974 08.01.2018 / 08:55

0 answers
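The following is an added example, not code from the question or from the poster's setup. It is a small Python model of how the FORWARD chain in the script above is traversed: first match wins, a jump into a user chain returns to the caller when nothing in it matches, and the caller then keeps evaluating its remaining rules. The chains and rule order are taken from the listing; the packets and their conntrack states are constructed. The assumption that matters is labelled in the code: the reply from the DNAT target also enters on eth0, which is not confirmed on the page. Under that assumption the model shows why a per-client chain keyed on -s 192.168.1.18 cannot protect the reverse direction of a flow: the reply has a different source, skips the 55_* jumps entirely, and lands in default_FORWARD_FIREWALL, which has no RELATED,ESTABLISHED accept before its DROP rules. The nat table and the INPUT/OUTPUT chains are not modelled.

```python
# Added example: a toy model of iptables filter-table traversal for the
# FORWARD rules in the script above. Not iptables itself; packets and
# their conntrack state are constructed by hand.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP, or the name of a user chain
    proto: Optional[str] = None        # -p tcp/udp; None means 'all'
    in_if: Optional[str] = None        # -i; None means any interface
    src: Optional[str] = None          # -s; None means any source
    states: Optional[Set[str]] = None  # -m state --state; None means no state match

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.in_if is None or self.in_if == pkt["in"])
                and (self.src is None or self.src == pkt["src"])
                and (self.states is None or pkt["state"] in self.states))


# Chains as the script builds them. Every '-I FORWARD 1' pushes its jump to
# the top, so the final order is the one in the listing: 55_* first, default_* last.
CHAINS: Dict[str, List[Rule]] = {
    "FORWARD": [
        Rule("55_FORWARD_WEBSITES", src="192.168.1.18"),
        Rule("55_FORWARD_FIREWALL", src="192.168.1.18"),
        Rule("default_FORWARD_WEBSITES"),
        Rule("default_FORWARD_FIREWALL"),
    ],
    "55_FORWARD_WEBSITES": [],
    "55_FORWARD_FIREWALL": [
        Rule("ACCEPT", proto="tcp", in_if="eth0"),
        Rule("ACCEPT", proto="udp", in_if="eth0"),
        Rule("ACCEPT", in_if="eth0", states={"RELATED", "ESTABLISHED"}),
    ],
    "default_FORWARD_WEBSITES": [],
    "default_FORWARD_FIREWALL": [
        Rule("DROP", proto="tcp", in_if="eth0"),
        Rule("DROP", proto="udp", in_if="eth0"),
    ],
}


def walk(chains: Dict[str, List[Rule]], chain: str, pkt: dict, trace: List[str]) -> Optional[str]:
    """First matching rule wins. A user chain in which nothing matches returns
    to the caller, which continues with its next rule. None = fell through."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        trace.append(f"{chain} -> {rule.target}")
        if rule.target in chains:              # jump into a user chain
            verdict = walk(chains, rule.target, pkt, trace)
            if verdict is not None:
                return verdict                 # terminating verdict inside it
            trace.append(f"{rule.target} RETURN")
            continue                           # implicit RETURN: keep going here
        return rule.target                     # ACCEPT / DROP
    return None


def forward_verdict(pkt: dict, chains: Dict[str, List[Rule]] = CHAINS,
                    policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Verdict for one forwarded packet plus the path it took through the chains."""
    trace: List[str] = []
    verdict = walk(chains, "FORWARD", pkt, trace)
    if verdict is None:
        trace.append(f"FORWARD policy {policy}")
        verdict = policy
    return verdict, trace


# Constructed packets. The client's own packets enter on eth0, which is what
# the non-zero counters on the '-i eth0' ACCEPT rules in the listing indicate.
CLIENT_REQUEST = {"src": "192.168.1.18", "in": "eth0", "proto": "tcp", "state": "NEW"}
# ASSUMPTION (not confirmed on the page): the DNAT target 192.168.1.12 answers
# through eth0 too, so the reply is a forwarded packet sourced from the server.
SERVER_REPLY = {"src": "192.168.1.12", "in": "eth0", "proto": "tcp", "state": "ESTABLISHED"}
# Constructed: same client, arriving on a hypothetical second interface.
CLIENT_OTHER_IF = {"src": "192.168.1.18", "in": "eth1", "proto": "tcp", "state": "NEW"}

if __name__ == "__main__":
    for name, pkt in [("client request", CLIENT_REQUEST),
                      ("server reply", SERVER_REPLY),
                      ("client via eth1", CLIENT_OTHER_IF)]:
        verdict, trace = forward_verdict(pkt)
        print(f"{name:16} {verdict:7} {' ; '.join(trace)}")
```

The trace for the client's request ends in 55_FORWARD_FIREWALL with ACCEPT, while the reply never touches a 55_* chain and is dropped by the first rule of default_FORWARD_FIREWALL; the third packet shows that anything not matching an interface in either chain falls through to the chain policy. From a defender's point of view the general lesson is that a jump into a user chain is not an isolation boundary: whatever the called chain does not match is handed back to the caller, so the first place to look when a "lower-priority" DROP fires is which packets of the flow (here, the return direction) never matched the "higher-priority" jump at all.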
