IPTABLES error
Alberto García Gómez
alberto en ipimtzcm.rimed.cu
Sun Aug 30 15:29:16 CLT 2009
Friends/Colleagues:
Here I have this small problem. I configured my firewall to prevent unwanted
access through the ports that should only be visible from inside my
Intranet and/or from a few machines with administrative permissions. Now everything
works perfectly except Squid, which gives me nothing but errors. Here is
the iptables config.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
# COMMON
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# PUBLIC (All)
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 53 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 443 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 953 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 7070 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 8443 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# PUBLIC (Intranet Only)
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 172.16.16.0/24 -i eth1 --dport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -i eth0 --dport 3128 -j ACCEPT
# PRIVATE (Administration Only)
-A RH-Firewall-1-INPUT -p tcp -m tcp -m mac -m state -s 172.16.16.12 -i eth1 --dport 21 --mac-source 00:1F:C6:5D:5E:64 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m mac -m state -s 172.16.16.14 -i eth1 --dport 21 --mac-source 00:15:F2:00:2E:59 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m mac -m state -s 172.16.16.12 -i eth1 --dport 22 --mac-source 00:1F:C6:5D:5E:64 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m mac -m state -s 172.16.16.14 -i eth1 --dport 22 --mac-source 00:15:F2:00:2E:59 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# PRIVATE (Internal Only)
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 127.0.0.1 -i eth1 --dport 143 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 127.0.0.1 -i eth1 --dport 3306 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 127.0.0.1 -i eth1 --dport 8010 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 127.0.0.1 -i eth1 --dport 8100 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 127.0.0.1 -i eth1 --dport 9090 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 127.0.0.1 -i eth1 --dport 10000 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# REJECT ALL
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
Now, if I comment out the lines:
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
then everything stops working, but with them in place it makes no difference
whether the rest of the rules are there or not. From the moment I allow everything
from each of the interfaces, that alone is enough for anyone to reach any
port.
Fraternal greetings
_____________________________
Regards,
Alberto García Gómez M:.M:.
Network Administrator/Webmaster
IPI "Carlos Marx", Matanzas. Cuba.
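Added example, not part of the original post and not the poster's own code: a small Python evaluator that walks a packet through INPUT -> RH-Firewall-1-INPUT the way netfilter does (first matching rule wins; falling off a user chain returns to the caller; falling off a built-in chain uses its policy). It compares three variants of the ruleset above: as posted (with the two blanket `-i ethX -j ACCEPT` rules), with those two rules removed, and with a single `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule in their place. The rules are a subset of the posted ones; the packets (a reply to an outbound Squid fetch arriving on eth0, a LAN client connecting to Squid, and a LAN host connecting to MySQL) are constructed. Only the matches the post uses are modelled: `-i`, `-s`, `-p`, `--dport`, `--state`, and the ACCEPT/REJECT targets.

```python
"""Offline iptables-save rule evaluator (added example, not from the original post)."""
import ipaddress
import shlex

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of match criteria plus target."""
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "iface": None, "src": None,
            "proto": None, "dport": None, "states": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t == "-i":
            rule["iface"] = toks[i + 1]; i += 2
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1]); i += 2
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(",")); i += 2
        elif t in ("-m", "--mac-source", "--reject-with"):
            i += 2  # match-module loaders and options this model ignores
        else:
            i += 1
    return rule

def matches(rule, pkt):
    """True when every criterion present in the rule fits the packet."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True

def verdict(ruleset, pkt, chain="INPUT", policy="ACCEPT"):
    """Return the terminating target; None means 'fell off a user-defined chain'."""
    for rule in ruleset:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "REJECT", "DROP"):
            return target
        sub = verdict(ruleset, pkt, chain=target, policy=None)  # jump to user chain
        if sub is not None:
            return sub
    return policy

# Rules taken from the post (a representative subset, lines rejoined).
HEAD = ("-A INPUT -j RH-Firewall-1-INPUT\n"
        "-A RH-Firewall-1-INPUT -i lo -j ACCEPT\n")
BLANKET = ("-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT\n"
           "-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT\n")
CONNTRACK = "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
PORT_RULES = (
    "-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT\n"
    "-A RH-Firewall-1-INPUT -p tcp -m tcp -i eth1 --dport 3128 -j ACCEPT\n"
    "-A RH-Firewall-1-INPUT -p tcp -m tcp -m state -s 127.0.0.1 -i eth1 --dport 3306 --state NEW,ESTABLISHED,RELATED -j ACCEPT\n")
REJECT_ALL = "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\n"

def build(variant):
    """Assemble one of three rulesets: as_posted, blanket_removed, fixed."""
    middle = {"as_posted": BLANKET, "blanket_removed": "", "fixed": CONNTRACK}[variant]
    text = HEAD + middle + PORT_RULES + REJECT_ALL
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

# Constructed packets (addresses and ports are illustrative).
SQUID_REPLY = {"iface": "eth0", "src": "198.51.100.10", "proto": "tcp",
               "dport": 43215, "state": "ESTABLISHED"}   # web server answering Squid
CLIENT_TO_SQUID = {"iface": "eth1", "src": "172.16.16.50", "proto": "tcp",
                   "dport": 3128, "state": "NEW"}
LAN_TO_MYSQL = {"iface": "eth1", "src": "172.16.16.50", "proto": "tcp",
                "dport": 3306, "state": "NEW"}

def summarize():
    """Verdict of every packet under every variant, keyed (variant, packet name)."""
    pkts = {"squid_reply": SQUID_REPLY, "client_to_squid": CLIENT_TO_SQUID,
            "lan_to_mysql": LAN_TO_MYSQL}
    return {(v, name): verdict(build(v), p)
            for v in ("as_posted", "blanket_removed", "fixed")
            for name, p in pkts.items()}

if __name__ == "__main__":
    for key, result in summarize().items():
        print(f"{key[0]:16} {key[1]:16} -> {result}")
```

Running it shows the three behaviours the post describes. As posted, every packet on eth0 or eth1 is accepted by the blanket rules before any port rule is reached, so the per-port rules are dead and MySQL on 3306 is reachable from the LAN. With the blanket rules removed, the reply to Squid's own outbound fetch (destination port 43215, state ESTABLISHED) matches no `--dport` rule and hits the final REJECT, which is exactly the "Squid gives only errors" symptom: the per-port rules only accept ESTABLISHED traffic *to* the listed ports, never replies to connections the box itself opened. Adding one generic `-m state --state ESTABLISHED,RELATED -j ACCEPT` near the top lets those replies through while leaving the port rules in charge of NEW connections. One further caveat about the posted rules: `-s 127.0.0.1 -i eth1` can never match, because loopback traffic arrives on `lo` (already accepted), and a 127.0.0.0/8 source on a real interface is treated as a martian by the kernel before netfilter sees it.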