[Fedora-users-br] Firewall fedora?? não envia e-mail

Bruno Yahoo brunoce10 em yahoo.com.br
Seg Nov 27 10:44:21 UTC 2006


Olá comunidade, eu estou com um problema: implementei um firewall com proxy (squid) no Fedora, a net está ok, o proxy também, só que não consigo receber nem enviar e-mails, e as portas no firewall estão abertas para isso.
esse é o meu firewall, se alguém puder me ajudar, eu agradeço... Vamos criar uma lista de pessoas que queiram conversar via Google Talk para tirar dúvidas? o meu é brunorodeiro em gmail.com
abraços...
#!/bin/bash

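#######################################
# Tear the firewall down: stop forwarding and flush every table that
# start() populates (filter, nat and mangle), deleting the user chains
# start() creates (TROJAN, syn-flood) as well. The original flushed only
# the filter table, so the nat PREROUTING DROP rules survived a "stop".
# Globals:   none
# Arguments: none
# Outputs:   iptables diagnostics on stderr if a table is unavailable
# Returns:   status of the last iptables call
#######################################
stop ()
{
        echo "0" > /proc/sys/net/ipv4/ip_forward
        local table
        for table in filter nat mangle; do
                /usr/sbin/iptables -t "$table" -F
                /usr/sbin/iptables -t "$table" -X
        done
}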

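#######################################
# Load the firewall: flush old rules, load the netfilter modules, enable
# forwarding, then install NAT, logging, the hardening rules and the
# per-port whitelist in the nat PREROUTING chain.
# Globals:   none
# Arguments: none
# Outputs:   iptables/modprobe diagnostics on stderr
# Returns:   status of the last iptables call
#
# Fixes relative to the original: the filter-table user chains are now
# deleted before being re-created (a second "start" used to fail on
# "Chain already exists"); a duplicated TROJAN rule for port 666 was
# removed; the anti-spoofing mask for 172.16.0.0 is the RFC 1918 /12
# (the /16 covered only 172.16.0.0-172.16.255.255); the transparent-proxy
# REDIRECT uses the same /usr/sbin/iptables path as every other rule.
#
# NOTE(review): the interface roles are inconsistent. MASQUERADE is
# applied on -o eth1, which makes eth1 the Internet side, yet the
# REDIRECT for 192.168.0.0/24 matches -i eth1 and the anti-spoofing
# rules drop RFC 1918 sources on -i eth0. If eth0 is the LAN, the
# anti-spoofing rule for 192.168.0.0/24 drops every LAN packet addressed
# to this host (INPUT, including squid on 3128) and the REDIRECT never
# matches. Confirm which interface faces the LAN before relying on this.
#######################################
start ()
{
        ############################# Flush the old rules first
        /usr/sbin/iptables -F
        /usr/sbin/iptables -t nat -F
        /usr/sbin/iptables -F -t mangle
        /usr/sbin/iptables -X -t mangle
        # Drop the (now empty) user chains so -N TROJAN / -N syn-flood below
        # succeed on a repeated start.
        /usr/sbin/iptables -X

        ############################# Load the kernel modules
        /sbin/modprobe iptable_nat
        /sbin/modprobe iptable_mangle
        /sbin/modprobe ipt_conntrack
        /sbin/modprobe ip_conntrack_ftp
        /sbin/modprobe ip_nat_ftp
        /sbin/modprobe ipt_multiport
        /sbin/modprobe ipt_LOG
        /sbin/modprobe ipt_mark
        /sbin/modprobe ipt_MARK

        # Route between interfaces.
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # Disable TCP ECN negotiation.
        echo "0" > /proc/sys/net/ipv4/tcp_ecn

        ############################# Source NAT for everything leaving eth1
        #/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        /usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

        ########### LOGS ######################
        # The nat table is consulted for the first packet of a connection
        # only, so each of these logs one line per new connection.
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j LOG --log-prefix "LOG ICQ: "
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j LOG --log-prefix "LOG MSN: "
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j LOG --log-prefix "Serviço SSH: "
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j LOG --log-prefix "Serviço FTP: "

        #####################################
        # EXTRA PROTECTION
        #####################################

        ############## Brute Force ############
        # Track SSH SYNs per source address; from the third SYN within 60 s
        # the connection is logged and reset. Applied to SSH towards this
        # host (INPUT) and to forwarded SSH (FORWARD).
        /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
        /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
        /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
        /usr/sbin/iptables -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
        /usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
        /usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

        ############# Protection against trojans ################
        # TROJAN chain: rate-limited log, then DROP.
        /usr/sbin/iptables -N TROJAN
        /usr/sbin/iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
        /usr/sbin/iptables -A TROJAN -j DROP
        /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
        /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 4000 -j TROJAN
        /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6000 -j TROJAN
        /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6006 -j TROJAN
        /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 16660 -j TROJAN

        ############## Protection against worms #################
        /usr/sbin/iptables -A FORWARD -p tcp --dport 135 -i eth0 -j REJECT

        ############## SYN-flood ############
        # Accepts at most one forwarded SYN per second. SYNs above the limit
        # are NOT dropped here; they fall through to the rest of FORWARD.
        /usr/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

        ############## ping of death ########
        # Same pattern: excess echo-requests fall through to the chain below.
        /usr/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

        ########### Port Scanners ###########
        # NOTE(review): with -m limit in front of DROP this drops at most one
        # bare-RST packet per second and lets every further one through,
        # which looks inverted — confirm the intent.
        /usr/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j DROP

        ########## IP Spoofing ##############
        # syn-flood is created but never given rules, so the jump is a no-op.
        /usr/sbin/iptables -N syn-flood
        /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
        # Drop RFC 1918 source addresses arriving on eth0.
        /usr/sbin/iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
        /usr/sbin/iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
        /usr/sbin/iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP

        ######## packet anomalies #######
        # NOTE(review): the "unclean" match was a 2.4-era patch-o-matic
        # module; where it is absent this line only prints an error.
        /usr/sbin/iptables -A FORWARD -m unclean -j DROP

        ################### CEF ########################
        # NOTE(review): both /16 masks collapse to 200.201.0.0/16, so the two
        # pairs of rules are identical — confirm the intended prefix length.
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
        /usr/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
        /usr/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT

        ############################# Redirect web ports from the LAN to squid (3128)
        # NOTE(review): sending 443 to squid's HTTP port hands raw TLS to an
        # HTTP listener, which usually breaks HTTPS — confirm squid handles it.
        #/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j DNAT --to-destination 192.168.0.1:3128
        #/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80   -s 192.168.0.0/24 -j DNAT --to-destination 192.168.0.1:3128
        /usr/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport -s 192.168.0.0/24 --dport 80,443,563 -j REDIRECT --to-port 3128

        ############################# Accept the default list of ports
        # Anything not accepted here reaches the DROP rules at the end of
        # this chain. SMTP (25) and POP3 (110) are accepted from the LAN
        # only; 465, 587 and 995 from anywhere.
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21   -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22   -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 23   -j ACCEPT -s 192.168.0.145
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25   -j ACCEPT -s 192.168.0.0/24
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53   -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80   -j ACCEPT -s 192.168.0.0/24
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 110  -j ACCEPT -s 192.168.0.0/24
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 443  -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 465  -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 500  -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 587  -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 995  -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3306 -j ACCEPT -s 192.168.0.0/24
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j ACCEPT -s 192.168.0.0/24
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j ACCEPT -s 192.168.0.0/24
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5017 -j ACCEPT -s 192.168.0.0/24

        ########## ICQ ################
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j ACCEPT -s 192.168.0.50

        ########### MSN #######################
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j ACCEPT -s 192.168.0.128

        ######################################
        # UDP port filters
        ######################################
        /usr/sbin/iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
        /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT

        ########### With the rules in place, drop every other packet
        # No -P is issued anywhere, so INPUT/FORWARD keep their default
        # policy; the filtering effectively relies on these nat-table DROPs.
        /usr/sbin/iptables -t nat -p tcp -A PREROUTING -j DROP
        /usr/sbin/iptables -t nat -p udp -A PREROUTING -j DROP
}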

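#######################################
# Print the usage line to stderr.
# Arguments: none
#######################################
usage ()
{
        echo "Usar: $0 { status | start | stop | restart }" >&2
}

#######################################
# Dispatch the requested action. The original called add_rules and
# flush_rules, which this script never defines, so "start", "stop" and
# "restart" printed "command not found" and left the rules untouched;
# the calls now go to start() and stop().
# Arguments: $1 - status | start | stop | restart
# Outputs:   progress messages on stdout; rule listings for "status"
# Returns:   1 on an unknown action, otherwise the status of the last
#            command run
#######################################
main ()
{
        case "$1" in
         start)
          echo -n "Starting Firewall..."
          start
          echo "Done"
         ;;
         stop)
          echo -n "Stoping Firewall..."
          stop
          echo "Done"
         ;;
         restart)
          echo -n "Restarting Firewall..."
          stop
          start
          echo "Done"
         ;;
         status)
          echo "============================ Firewall rules:"
          iptables -L -n
          echo "============================ Masquerade tables:"
          iptables -t nat -L -n
          echo "============================ Mangle table:"
          iptables -t mangle -L -n
          ;;
         *)
          usage
          return 1
          ;;
        esac
}

main "$@"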