Pessoal boa tarde,
É o seguinte não consigo acessar ftp e nem emails pelo navegador não sei se o problema e no firewall ou no squid. vou postar o meu firewall pra ver se o problema está lá, desde agradeço. Meu servidor de proxy e um redhat 9.0.
# Script de firewall
CLASS_A="10.0.0.0/8" # redes privadas classe A
CLASS_B="172.16.0.0/16" # redes privadas classe B
CLASS_C="192.168.0.0/24" # redes privadas classe C
CLASS_D_MULTICAST="224.0.0.0/4" # endereços muticast classe D
CLASS_E_RESERVED_NET="240.0.0.0/5" # endereços reservados classe E
#Carregando modulos para ftp
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
# Limpando as chains
echo "Firewall iniciando..."
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
# Mudando as politicas de acesso
#Tabela Filter
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
#Tabela NAT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
#Tabela Mangle
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Habilitando o Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#CAT
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5025 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 1500 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5017 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 1001 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5018 -o eth1 -j MASQUERADE
#Pcanywhere
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5631 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 5632 -o eth1 -j MASQUERADE
#ReceitaNET
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 3456 -o eth1 -j MASQUERADE
#Positrack - para funcionar o rastreamento dos veiculos
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 10010 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 10020 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 10030 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 10050 -o eth1 -j MASQUERADE
# FTP
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 21 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 20 -o eth1 -j MASQUERADE
# Domino Evoluti
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 1352 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 25 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p icmp -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 53 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 110 -o eth1 -j MASQUERADE
# Regras de forward
echo "Atribuindo regras de FORWARD"
# Pacotes com origem na eth0 podem trafegar entre as demais interfaces
iptables -A FORWARD -s 192.168.0.0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0 -d 200.242.133.128 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0 -d 200.241.236.1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.250 -j DROP
# Permitindo a volta dos pacote
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Qualquer outra tentativa de conexao é registrada e derrubada
#iptables -A FORWARD -j LOG --log-prefix "Firewall: Forward"
#iptables -A FORWARD -j DROP
# Regras retiradas do Livro Linux Firewalls
#POSITRACK
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 10010 -j DNAT --to 192.168.0.250:10010
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 10020 -j DNAT --to 192.168.0.250:10020
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 10030 -j DNAT --to 192.168.0.250:10030
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 10050 -j DNAT --to 192.168.0.250:10050
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 200.200.107.35 --dport 25 -j DNAT --to-destination 200.241.236.1
iptables -A FORWARD -i eth0 -o eth0 -p tcp -d 200.241.236.1 --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Porta 110
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 200.200.107.35 --dport 110 -j DNAT --to-destination 200.241.236.1
iptables -A FORWARD -i eth0 -o eth0 -p tcp -d 200.241.236.1 --dport 110 -m state --state NEW -j ACCEPT
# Regras de INPUT
# Aceitando 1 ping a cada minuto
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "Atribuindo regras de INPU:T"
# Proteção contra ip spoofing
echo "IP spoofing"
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo "2" > $file
done
# Proteção a cookie TCP SYN
echo "TCP SYN"
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Proteção a mensagem de bad error ICMP
echo "Bad error ICMP"
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Recusar pacotes de classe A,B,C,D,E vindos de fora
echo "Recusar pacotes de classe A,B,C,D,E vindos de fora"
iptables -A INPUT -i eth1 -s $CLASS_A -j DROP
iptables -A INPUT -i eth1 -s $CLASS_B -j DROP
iptables -A INPUT -i eth1 -s $CLASS_C -j DROP
iptables -A INPUT -i eth1 -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i eth1 -s $CLASS_E_RESERVED_NET -j DROP
# Negar pacotes multicast com protocolo nao-UDP
echo "Negar pacotes multicast nao-UDP"
iptables -A INPUT -i eth1 -p ! udp -d $CLASS_D_MULTICAST -j DROP
# Recusar pacotes vindos de fora com endereço de loopback
echo "Recusar pacotes vindos de fora com endereco de loopback"
iptables -A INPUT -i eth1 -s 127.0.0.1 -j DROP
# Aceita todo o tráfego vindo do loopback
echo "Aceitar tráfego vindo do loopback"
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Aceita todo o tráfego entrando pelas interfaces internas
echo "Aceitar tráfego entrante pelas interfaces internas"
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 5631 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 5632 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3456 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 10010 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 10020 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 10030 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 10050 -j ACCEPT
# Qualquer outra tentativa de conexão é registrada e derrubada
#iptables -A INPUT -j LOG --log-prefix "Firewall:Input"
iptables -A INPUT -j DROP
echo "Finalizando..."