Alguém pode me explicar por que esse fluxo caiu?
192.168.1.18 - > QUALQUER: QUALQUER
As regras DROP dentro de default_FORWARD_FIREWALL parecem assumir as regras ACCEPT dentro de 55_FORWARD_FIREWALL
Quando eu removo as regras do DROP dentro do default_FORWARD_FIREWALL, ele funciona!
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 88 6086 55_INPUT all -- * * 192.168.1.18 0.0.0.0/0
2 722 386K default_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 89 5072 55_FORWARD_WEBSITES all -- * * 192.168.1.18 0.0.0.0/0
2 89 5072 55_FORWARD_FIREWALL all -- * * 192.168.1.18 0.0.0.0/0
3 150 8532 default_FORWARD_WEBSITES all -- * * 0.0.0.0/0 0.0.0.0/0
4 150 8532 default_FORWARD_FIREWALL all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 736 330K default_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain 55_FORWARD_FIREWALL (1 references)
num pkts bytes target prot opt in out source destination
1 77 4004 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 12 1068 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain 55_FORWARD_WEBSITES (1 references)
num pkts bytes target prot opt in out source destination
Chain 55_INPUT (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,12345,8080,4430,8081,4431
2 30 2052 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,5300,5302,5301,5303
Chain 55_OUTPUT (0 references)
num pkts bytes target prot opt in out source destination
Chain default_FORWARD_FIREWALL (1 references)
num pkts bytes target prot opt in out source destination
1 138 6888 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 12 1644 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain default_FORWARD_WEBSITES (1 references)
num pkts bytes target prot opt in out source destination
Chain default_INPUT (1 references)
num pkts bytes target prot opt in out source destination
1 259 258K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 446 126K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 6 360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 67,22,80,443,8001,8002
4 1 67 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 67,53,5300,5301
5 10 878 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain default_OUTPUT (1 references)
num pkts bytes target prot opt in out source destination
1 259 258K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 477 71370 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
3 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
Script:
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t filter -N default_INPUT
/sbin/iptables -t filter -A default_INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A default_INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A default_INPUT -p tcp -m multiport --dport 67,22,http,https,8001,8002 -j ACCEPT
/sbin/iptables -t filter -A default_INPUT -p udp -m multiport --dport 67,53,5300,5301 -j ACCEPT
/sbin/iptables -t filter -A default_INPUT -j DROP
/sbin/iptables -t filter -I INPUT 1 -j default_INPUT
/sbin/iptables -t filter -N default_FORWARD_FIREWALL
/sbin/iptables -t filter -A default_FORWARD_FIREWALL -i eth0 -p tcp -j DROP
/sbin/iptables -t filter -A default_FORWARD_FIREWALL -i eth0 -p udp -j DROP
/sbin/iptables -t filter -I FORWARD 1 -j default_FORWARD_FIREWALL
/sbin/iptables -t filter -N default_FORWARD_WEBSITES
/sbin/iptables -t filter -I FORWARD 1 -j default_FORWARD_WEBSITES
/sbin/iptables -t filter -N default_OUTPUT
/sbin/iptables -t filter -A default_OUTPUT -o lo -j ACCEPT
/sbin/iptables -t filter -A default_OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A default_OUTPUT -o eth0 -j ACCEPT
/sbin/iptables -t filter -I OUTPUT 1 -j default_OUTPUT
/sbin/iptables -t nat -N default_PREROUTING
/sbin/iptables -t nat -A default_PREROUTING -i eth0 -p tcp -m multiport --dport 80,443 -j DNAT --to 192.168.1.12:8002
/sbin/iptables -t nat -I PREROUTING 1 -j default_PREROUTING
/sbin/iptables -t nat -N default_POSTROUTING
/sbin/iptables -t nat -A default_POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -I POSTROUTING 1 -j default_POSTROUTING
/sbin/iptables -t filter -N 55_INPUT
/sbin/iptables -t filter -N 55_FORWARD_FIREWALL
/sbin/iptables -t filter -N 55_FORWARD_WEBSITES
/sbin/iptables -t filter -N 55_OUTPUT
/sbin/iptables -t nat -N 55_PREROUTING
/sbin/iptables -t nat -N 55_POSTROUTING
/sbin/iptables -t filter -A 55_INPUT -i eth0 -p tcp -m multiport --dport 80,443,12345,8080,4430,8081,4431 -j ACCEPT
/sbin/iptables -t filter -A 55_INPUT -i eth0 -p udp -m multiport --dport 53,5300,5302,5301,5303 -j ACCEPT
/sbin/iptables -t filter -A 55_FORWARD_FIREWALL -i eth0 -p tcp -j ACCEPT
/sbin/iptables -t filter -A 55_FORWARD_FIREWALL -i eth0 -p udp -j ACCEPT
/sbin/iptables -t filter -A 55_FORWARD_FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 192.168.1.12:5300
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to 192.168.1.12:5300
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -d 192.168.1.12 -p tcp --dport 80 -j DNAT --to 192.168.1.12:8080
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -d 192.168.1.12 -p tcp --dport 443 -j DNAT --to 192.168.1.12:4430
/sbin/iptables -t nat -A 55_PREROUTING -i eth0 -p tcp -m multiport --dport 80,443 -j ACCEPT
/sbin/iptables -t nat -I 55_PREROUTING 1 -i eth0 -p tcp -d 193.0.6.139 -m multiport --dport 80,443 -j DNAT --to 192.168.1.12:12345
/sbin/iptables -t filter -I INPUT 1 -s 192.168.1.18 -j 55_INPUT
/sbin/iptables -t filter -I FORWARD 1 -s 192.168.1.18 -j 55_FORWARD_FIREWALL
/sbin/iptables -t filter -I FORWARD 1 -s 192.168.1.18 -j 55_FORWARD_WEBSITES
/sbin/iptables -t nat -I PREROUTING 1 -s 192.168.1.18 -j 55_PREROUTING
Tags iptables