Folks, I opened ports 2095 and 2086 in the firewall rules (iptables) and also in Squid.
But it only works when the service starts. Within a few minutes it stops accessing the webmail.
Anyone have a tip?
Post the firewall rules so we can review them.
mtec :rock:
mtec,
Here is the whole firewall.
Bash code:
# ALLOWING INPUT
echo -n "LIBERANDO ENTRADA.............................."
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept local packets
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.1 -d 192.168.0.0/24 --sport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 2910 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.1 -d 192.168.0.0/24 --sport 2910 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 2910 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 --dport 2910 -j ACCEPT
# open port 2095
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 2095 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --sport 2095 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 2095 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3389 -j ACCEPT
# PASSIVE FTP
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Squid for the internal network
iptables -A INPUT -p tcp -s 0/0 --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 3128 -j ACCEPT
# Allow FTP
iptables -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.1 --dport 21 -j ACCEPT
# Allow HTTP
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 8080 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow traceroute
iptables -A INPUT -p udp -s 0/0 --dport 33434 -j ACCEPT
iptables -A OUTPUT -p udp -d 0/0 --sport 33434 -j ACCEPT
# DNS
iptables -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 0/0 --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -j ACCEPT
# Samba only for the internal network
iptables -A INPUT -p tcp -i eth1 --dport 139 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 138 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 139 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 139 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 138 -j DROP
iptables -A INPUT -p udp -s 0/0 --dport 137 -j DROP
# VNC
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 0/0 --dport 5900 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 -s 192.168.0.0/24 --sport 5900 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 0/0 --dport 5800 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 -s 192.168.0.0/24 --sport 5800 -j ACCEPT
# E-MAIL, SEND AND RECEIVE
iptables -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 110 -j ACCEPT
######### BLOCKING P2P NETWORKS #############################
iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP
iptables -A FORWARD -m layer7 --l7proto fasttrack -j DROP
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
iptables -A FORWARD -m layer7 --l7proto gnutella -j DROP
iptables -A FORWARD -m layer7 --l7proto napster -j DROP
# the option is --l7proto (lowercase L), not --17proto
iptables -A FORWARD -m layer7 --l7proto emule -j DROP
iptables -A FORWARD -m layer7 --l7proto limewire -j DROP
#iptables -A FORWARD -m layer7 --l7proto ares -j DROP
# Kazaa
iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
iptables -A FORWARD -p TCP --dport 1214 -j REJECT
# Yahoo Messenger
iptables -A FORWARD -d cs.yahoo.com -j REJECT
iptables -A FORWARD -d scsa.yahoo.com -j REJECT
# BITTORRENT
# port ranges use ':' and a rule takes a single target; REJECT is not valid in the nat table,
# so the nat rule only DNATs and the FORWARD rule below does the rejecting
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6881:6889 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -p tcp -i eth0 --dport 6881:6889 -d 192.168.0.2 -j REJECT
# MSNP
iptables -A INPUT -p tcp -s 0/0 --dport 1863 -j ACCEPT
iptables -A OUTPUT -p tcp -d 0/0 --sport 1863 -j ACCEPT
# LAN must be a resolvable name or a defined network, otherwise iptables refuses these rules
iptables -A FORWARD -s LAN -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s LAN -d loginnet.passport.com -j REJECT
# BLOCKING WEB MESSENGER
iptables -A FORWARD -s LAN -d webmessenger.msn.com -j REJECT
# Blocking Orkut
iptables -A FORWARD -d www.orkut.com -p tcp --dport 443 -j DROP
iptables -A INPUT -d www.orkut.com -p tcp --dport 443 -j DROP
iptables -A FORWARD -d orkut.com -p tcp --dport 443 -j DROP
iptables -A INPUT -d orkut.com -p tcp --dport 443 -j DROP
echo "[OK]"
# ALLOWING OUTPUT
echo -n "SAIDA DOS SERVIÇOS EXT.........................."
# External packets
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Accept packets to lo
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j ACCEPT
echo "[OK]"
# INTERNAL NETWORK NAT
echo -n "NAT REDE INTERNA..............................."
# VNC OUTBOUND ON 5900
iptables -A FORWARD -p tcp -s 192.168.0.250 -d 0/0 --dport 5900 -j ACCEPT
iptables -A FORWARD -p tcp -d 0/0 -s 192.168.0.250 --sport 5900 -j ACCEPT
iptables -t nat -A PREROUTING -d 192.168.0.250 -p tcp --dport 22 -j DNAT --to-destination 10.1.1.5
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 5900 -j DNAT --to 192.168.0.250:5900
# VNC RETURN ON 5900
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --sport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -p tcp --sport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 0/0 --sport 5900 -j DNAT --to 192.168.0.250:5900
# VNC OUTBOUND ON PORT 5800
iptables -A FORWARD -p tcp -s 192.168.0.250 --dport 5800 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.250 --sport 5800 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --dport 5800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -p tcp --dport 5800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 5800 -j DNAT --to 192.168.0.250:5800
# VNC RETURN
iptables -A FORWARD -i ppp0 -o eth1 -p tcp --sport 5800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -p tcp --sport 5800 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 0/0 --sport 5800 -j DNAT --to 192.168.0.250:5800
iptables -t nat -A PREROUTING -p tcp -s 0/0 --sport 5800 -j DNAT --to 192.168.0.250:5800
# nat via vnc ##############################
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5800 -j DNAT --to-destination 192.168.0.250:5800
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5900 -j DNAT --to-destination 192.168.0.250:5900
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 5900 -j DNAT --to-destination 192.168.0.250:5800
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 5800 -j DNAT --to-destination 192.168.0.250:5900
iptables -A FORWARD -p tcp -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 -j ACCEPT
# nat terminal service #########################################################################
iptables -A FORWARD -p tcp -i eth0 --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 --sport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3389 -j DNAT --to-destination 192.168.0.250:3389
############ nat for ssh #########
iptables -A FORWARD -p tcp -i eth0 --dport 2910 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 --sport 2910 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 2910 -j DNAT --to-destination 192.168.0.1:2209
############### nat web server ##################
iptables -A FORWARD -p tcp -i eth0 --dport 8080 -j ACCEPT
iptables -A FORWARD -p tcp -o eth0 --sport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.0.1:8080
############### SQUID REDIRECTION ####################
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 443 -j REDIRECT --to-port 3128
echo "[OK]"
# ENABLING INTERNET
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Friend, your rules are a bit confused. Explain to us what you want to do: you have a proxy on the machine and run NAT on it too, is that it? And you redirect VNC to an internal machine, bro, that too? And what else do you want to do?
I have proxy and NAT. That's it. As for the other connections and opened ports, everything is working fine. As it should.
The problem is the webmail... the mail server is hosted at another company... the webmail now uses port 2095. What is happening is that it is not possible to access the webmail going through the proxy. Even having opened port 2095 in the firewall. When I restart the server, I can even open the webmail... but it soon drops and I can't access it anymore.
But bro, you only have to redirect port 80 to the proxy; for the others you do a FORWARD ACCEPT.
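As an added example (not the poster's script and not mtec's), here is the split mtec describes, written as a dry-run rule generator plus a small check. It assumes the interface names (eth0 external, eth1 LAN), the 192.168.0.0/24 range and Squid on 3128 from the posted script, and the webmail ports 2095 and 2086 from the thread; the variable `IPT` defaults to `echo iptables` so the rules can be inspected without root, and `IPT=iptables` applies them. `flag_bad_redirects` reads rule lines from stdin and reports any REDIRECT that sends something other than TCP/80 into the proxy port, which is what a plain HTTP proxy cannot serve. The four REDIRECT lines it is run against are a constructed copy of the ones in the posted script.

```shell
#!/bin/sh
# Added example: only plain HTTP goes through Squid, everything else is forwarded statefully.
# IPT defaults to a dry run; set IPT=iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"
EXT=eth0                  # internet-facing interface (assumed, as in the posted script)
INT=eth1                  # LAN-facing interface (assumed, as in the posted script)
LAN=192.168.0.0/24        # LAN range from the posted script
PROXY_PORT=3128           # Squid port from the posted script
WEBMAIL_PORTS="2095 2086" # webmail ports from the thread

gen_rules() {
    # Only TCP/80 from the LAN is redirected into Squid. Nothing else is REDIRECTed:
    # TLS (443) and UDP handed to a plain HTTP proxy port cannot be served and simply break.
    $IPT -t nat -A PREROUTING -i "$INT" -s "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"

    # Replies for any forwarded connection come back through conntrack ...
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ... and the webmail ports are opened only for new connections from the LAN outward,
    # which is the "FORWARD ACCEPT for the others" mtec refers to.
    for port in $WEBMAIL_PORTS; do
        $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Source NAT for the LAN behind the external interface.
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
}

# Reads rule lines from stdin and prints every REDIRECT that is not TCP with --dport 80.
# Returns 1 when at least one such line was found, 0 otherwise.
flag_bad_redirects() {
    grep -E -- '-j REDIRECT' | grep -v -E -- '-p tcp .*--dport 80 ' | grep . && return 1
    return 0
}

# Constructed sample: a copy of the four REDIRECT lines from the posted script.
SAMPLE_REDIRECTS='iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 443 -j REDIRECT --to-port 3128'

gen_rules
echo "# REDIRECT lines in the posted script that do not reach Squid as plain HTTP:"
printf '%s\n' "$SAMPLE_REDIRECTS" | flag_bad_redirects || true
```

Run it as-is to see the rules it would load; the check reports three of the four posted REDIRECT lines (UDP/80, TCP/443 and UDP/443), and the generated set itself passes it because it contains a single TCP/80 redirect.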