- FTP blocked
-
FTP blocked
Folks,
my problem is this: I can reach several FTP addresses, but there is one in particular that I cannot get to: IP 200.199.14.8.
I can't ping it, and route doesn't recognise the address. But when I take out the firewall/proxy I access it normally.
What must be going on in my iptables for it to block just this one FTP address and not the others?
Could it be my provider having a problem, or my iptables missing some configuration?
-
FTP blocked
Post your firewall rules here so we can take a look.
-
take a look at the script
File iptables.sh
###################################################
# Script implementing a firewall with iptables
# Author:
# Maintenance:
# Date: April/2003
# Last maintained: 10/04/03
###################################################
##########################################
# Reset iptables rules
##########################################
/usr/sbin/iptables --flush
/usr/sbin/iptables --table nat --flush
/usr/sbin/iptables --delete-chain
/usr/sbin/iptables --table nat --delete-chain
##########################################
# Variable definitions
##########################################
IT=/usr/sbin/iptables
# Ports
P_PPTP=1723 # VPN
P_TERMSERV=3389 # Windows Terminal Services
P_ORACLE=1521 # Oracle database server
P_SQL=1433 # SQL Server database server
P_PCANYD=5631 # pcAnywhere data
P_PCANYS=5632 # pcAnywhere status
P_VNCA1=5900 # VNC application
P_VNCA2=5901 # VNC application
P_VNCA3=5902 # VNC application
P_VNCA4=5903 # VNC application
P_VNCW1=5800 # VNC web applet
P_VNCW2=5801 # VNC web applet
P_VNCW3=5802 # VNC web applet
P_VNCW4=5803 # VNC web applet
P_TREND=80 # Antivirus - update service
P_CAGEDNET=2500 # CAGEDnet for ACI
P_CONXSOC=2631 # Conectividade Social
#P_DSNET=21 # DSNet - server 200.249.133.132
P_SEFAZNET=50000 # Sefaz Net
P_GIMNET=1023 # GIM Net - server 200.249.15.56
P_CONEX=81 # SIMASA foreign trade system
P_MESSENGER=1863 # MSN Messenger
P_MESSENGEV=6901 # MSN voice - UDP, TCP
P_SAGC99=1049 # Gian - Secretaria da Fazenda de Pernambuco
P_RAISNET=3007 # Ministry of Labour - server 161.148.185.30
P_RALNET1=1500 # Mines and Energy
P_RALNET2=1600 # Mines and Energy
P_RECEITANET=3456 # Receita Federal
P_SINTEGRA=8017 # Secretaria da Fazenda
# External servers
S_SEFAZNET=200.253.176.68 # Sefaz Net
S_CONSOC=200.201.173.68 # Caixa Economica
S_GIMNET=200.249.15.56 # Secretaria da Tributacao RN
S_PALMTOP=207.66.2.50 # Palm website
S_SAGSERVER=200.238.112.123 # Secretaria da Fazenda de Pernambuco - Gian
S_RAISSERVER=161.148.185.30 # Ministry of Labour and Employment
S_DSSERVER=200.249.133.132 # Recife city hall
# Physical interfaces
IF_INTERNET=eth1
IF_INTERNA=eth0
# Networks
REDE_INTERNET=192.xxx.xxx.xxx/255.255.255.0
REDE_INTERNA=10.0.0.1/255.255.255.0
# Interface IPs
IP_IF_INTERNET=192.xxx.xxx.xxx
IP_IF_INTERNA=10.0.0.101
##########################################
# Spoofing protection
##########################################
touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# Only the NAT table module is loaded; no FTP connection-tracking helper
# (ip_conntrack_ftp / ip_nat_ftp) is loaded anywhere in this script, so FTP data
# connections are not recognised as RELATED by the state rules below.
modprobe iptable_nat
##########################################
# Start of firewall rules
##########################################
# Default policies
$IT -P INPUT DROP
$IT -P FORWARD DROP
$IT -P OUTPUT ACCEPT
# Loopback interface
$IT -A INPUT -i lo -j ACCEPT
# Logging drop chain (defined here but never referenced by any rule below)
$IT -N LOGDROP
$IT -A LOGDROP -m limit --limit 50/hour -j LOG
$IT -A LOGDROP -j DROP
##########################################
# NAT (MASQUERADING)
##########################################
# SourceNAT INTERNAL-NETWORK --> INTERNET
$IT --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
# Masquerading on the internal interface as well rewrites the source address of
# anything forwarded towards the LAN to the firewall's own internal IP; normally
# only the Internet-facing interface masquerades.
$IT --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
#$IT -t nat -A POSTROUTING -s $REDE_INTERNA -o $IF_INTERNET -j SNAT --to-source $IP_IF_INTERNET
#$IT --table nat --append POSTROUTING -s $REDE_INTERNA --out-interface eth1 -j MASQUERADE
#$IT --append FORWARD --in-interface eth1 -j ACCEPT
##########################################
# NAT (PORT FORWARD)
##########################################
# DestinationNAT INTERNET --> Win2000 box on the INTERNAL NETWORK
# for VPN
# port 1723 - PPTP
# protocol 47 - GRE
#$IT -t nat -A PREROUTING -p tcp -d $S_VPN_ALIAS --dport 3389 -j DNAT --to $S_VPN_INTERNO
#$IT -t nat -A PREROUTING -p tcp -d $S_VPN_ALIAS --dport 1723 -j DNAT --to $S_VPN_INTERNO
#$IT -t nat -A PREROUTING -p 80,21 -d $S_VPN_ALIAS -j DNAT --to $S_VPN_INTERNO
#$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp -d 200.68.173.243 --dport 80 -j ACCEPT
# Transparent proxy: LAN web traffic is redirected to Squid on port 3128
$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
# Redirecting 443 to a plain-HTTP Squid port does not work for HTTPS: the client
# expects a TLS handshake on that connection.
$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 443 -j REDIRECT --to-port 3128
#$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 21 -j REDIRECT --to-port 3128
##########################################
# Chain definitions
##########################################
# Forwards
$IT -N interna-internet
$IT -N interna-interna
$IT -N internet-interna
# Inputs
$IT -N interna-if
$IT -N internet-if
$IT -N icmp-accept
# Forward dispatch
$IT -A FORWARD -i $IF_INTERNA -o $IF_INTERNET -j interna-internet
$IT -A FORWARD -i $IF_INTERNA -o $IF_INTERNA -j interna-interna
$IT -A FORWARD -i $IF_INTERNET -o $IF_INTERNA -j internet-interna
# Input dispatch
$IT -A INPUT -i $IF_INTERNA -j interna-if
$IT -A INPUT -i $IF_INTERNET -j internet-if
##########################################
# Filters
##########################################
# Permitted ICMP packets
$IT -A icmp-accept -p icmp --icmp-type destination-unreachable -j ACCEPT
$IT -A icmp-accept -p icmp --icmp-type source-quench -j ACCEPT
$IT -A icmp-accept -p icmp --icmp-type time-exceeded -j ACCEPT
$IT -A icmp-accept -p icmp --icmp-type parameter-problem -j ACCEPT
$IT -A icmp-accept -p icmp --icmp-type echo-reply -j ACCEPT
# The four rules below are appended to FORWARD after the dispatch jumps above, so they
# see every packet the per-direction chains did not accept (those chains have no
# final DROP and simply return).
# "Against Ping of Death": lets one echo-request per second (burst 5) through in any direction
$IT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# "Against SYN flood": this ACCEPTs, rather than limits, any leftover TCP packet at
# 1/s (burst 5), including new connections to ports the chains below never allow
# (port 21 from the 10.0.0.0/24 LAN among them), so such connections get through
# intermittently depending on the rate
$IT -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
# "Against advanced port scanners (nmap)": same pattern, for bare SYN packets
$IT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
# Against damaged or suspicious packets (the experimental 'unclean' match of 2.4 kernels)
$IT -A FORWARD -m unclean -j DROP
##########################################
# internal to internal
##########################################
# Allow everything from internal to internal
$IT -A interna-interna -j ACCEPT
##########################################
# internal to Internet
##########################################
# Allow http and ftp for fully unrestricted PCs
# (13.0.5.0/16 does not overlap the 10.0.0.0/24 LAN, so this rule matches no
# internal host; 43 is whois, not 443)
$IT -A interna-internet -m multiport -p tcp -s 13.0.5.0/16 --dport 80,43,21 -j ACCEPT
#$IT -A interna-internet -p udp -s $S_SERVIDOR --dport 20 -j ACCEPT
# Protocol 47 GRE for VPN
$IT -A interna-internet -p 47 -j ACCEPT
# Basic services allowed
$IT -A interna-internet -m multiport -p tcp --dport domain,pop-3,smtp,imap,telnet,ssh,$P_PPTP,$P_TERMSERV,snmp,nntp,nntps,113 -j ACCEPT
$IT -A interna-internet -m multiport -p tcp --dport $P_VNCA1,$P_VNCA2,$P_VNCW1,$P_VNCW2,$P_MESSENGER,$P_MESSENGEV,$P_PCANYD,$P_PCANYS,$P_SQL -j ACCEPT
$IT -A interna-internet -m multiport -p udp --dport domain,snmp,$P_MESSENGER,$P_MESSENGEV,nntp,nntps -j ACCEPT
# Access to Receita Federal, Mines and Energy, Ministry of Labour, Secretaria da Fazenda
$IT -A interna-internet -m multiport -p tcp --dport $P_RECEITANET,$P_RALNET1,$P_RALNET2,$P_RAISNET,$P_SAGC99,$P_SINTEGRA -j ACCEPT
# Connection to Conectividade Social
$IT -A interna-internet -p tcp --dport $P_CONXSOC -j ACCEPT
# Connection to CAGEDnet - Ministry of Labour
$IT -A interna-internet -p tcp --dport $P_CAGEDNET -j ACCEPT
# Connection to the SEFAZNET network
$IT -A interna-internet -p tcp --dport $P_SEFAZNET -d $S_SEFAZNET -j ACCEPT
# Connection to the GIMNET network
$IT -A interna-internet -p tcp --dport $P_GIMNET -d $S_GIMNET -j ACCEPT
# Connection to Caixa Economica
$IT -A interna-internet -p tcp --dport http -d $S_CONSOC -j ACCEPT
# Established and related connections
$IT -A interna-internet -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ping and ICMP
$IT -A interna-internet -j icmp-accept
$IT -A interna-internet -p icmp --icmp-type ping -j ACCEPT
##########################################
# Internet to internal
##########################################
# Established and related connections
$IT -A internet-interna -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP
$IT -A internet-interna -p icmp -j icmp-accept
# Ident and pop3 (this also accepts new connections from the Internet to
# ports 80, smtp, ftp-data and ftp on LAN hosts)
$IT -A internet-interna -m multiport -p tcp --dport 80,113,pop-3,smtp,ftp-data,ftp -j ACCEPT
# MSN
#$IT -A internet-interna -p tcp --dport 1024:65000 -j ACCEPT
############################################
# Input rules for the firewall itself: caution!
############################################
# ---- INTERNAL INTERFACE ------
# Established and related connections
$IT -A interna-if -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ping and ICMP
$IT -A interna-if -j icmp-accept
$IT -A interna-if -p icmp --icmp-type ping -j ACCEPT
# ident
#$IT -A interna-if -p tcp --dport 113 -j REJECT
# ftp, ssh and shell
$IT -A interna-if -p tcp --dport ftp -j ACCEPT
$IT -A interna-if -p tcp --dport ssh -j ACCEPT
# access to squid
$IT -A interna-if -p tcp -s $REDE_INTERNA --dport 3128 -j ACCEPT
# this firewall is also the DNS server for the internal network
$IT -A interna-if -p tcp --dport domain -j ACCEPT
$IT -A interna-if -p udp --dport domain -j ACCEPT
$IT -A interna-if -p tcp --dport smtp -j ACCEPT
$IT -A interna-if -p tcp --dport pop-3 -j ACCEPT
$IT -A interna-if -p tcp --dport 113 -j ACCEPT
# ---- INTERNET INTERFACE ------
# this firewall is also the DNS server for the internal network
$IT -A internet-if -p udp --dport domain -j ACCEPT
$IT -A internet-if -p tcp --dport domain -j ACCEPT
$IT -A internet-if -p tcp --dport smtp -j ACCEPT
$IT -A internet-if -p udp --dport smtp -j ACCEPT
$IT -A internet-if -p tcp --dport pop-3 -j ACCEPT
$IT -A internet-if -p tcp --dport 113 -j ACCEPT
$IT -A internet-if -p tcp --dport ftp -j ACCEPT
# FTP data connections are TCP, so this UDP rule matches nothing useful
$IT -A internet-if -p udp --dport ftp-data -j ACCEPT
# Established and related connections
$IT -A internet-if -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP
$IT -A internet-if -j icmp-accept
# ident (unreachable: port 113 was already accepted a few rules above)
$IT -A internet-if -p tcp --dport 113 -j REJECT
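The FTP-specific part of a NAT gateway ruleset, written as an added example for this thread rather than taken from the script above. It assumes the same layout as the posted script (eth0 on the LAN side, eth1 on the Internet side, 10.0.0.0/24 behind MASQUERADE), a kernel that ships the nf_conntrack_ftp/nf_nat_ftp helpers (named ip_conntrack_ftp/ip_nat_ftp on 2.4 kernels), and an iptables with the conntrack match and the CT target. The function names, the IPT variable and the dry-run mode are my own.

```shell
#!/bin/sh
# Added example, not part of the posted iptables.sh: minimal FTP-aware rules for a
# Linux NAT gateway. Assumed layout: eth0 = LAN, eth1 = Internet, LAN = 10.0.0.0/24.
# Set IPT=echo to print the commands instead of applying them (dry run, no root needed).

IPT="${IPT:-/usr/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# Load the FTP connection-tracking and NAT helpers; try the old 2.4-era names too.
load_ftp_helpers() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
}

ftp_rules() {
    # Since Linux 4.7 helpers are no longer attached to connections automatically:
    # bind the ftp helper explicitly to control connections leaving the LAN.
    # On kernels older than that (and on 2.4, which has no raw table) this rule can be omitted.
    $IPT -t raw -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 21 -j CT --helper ftp

    # Hide the LAN behind the Internet interface only (not behind the LAN interface as well).
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Replies and helper-expected data connections (active: server->client on port 20,
    # passive: client->server on a high port) must be accepted BEFORE any port list.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New FTP control connections from the LAN to any server.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 21 \
         -m conntrack --ctstate NEW -j ACCEPT

    # Everything else: log a trickle for diagnosis, then drop. Never ACCEPT leftovers
    # behind a rate limit; that turns a "flood protection" into an intermittent allow.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
}

# Usage: IPT=echo sh ftp_nat.sh        (dry run, prints the rules)
#        sh ftp_nat.sh apply            (as root, loads helpers and installs rules)
if [ "${1:-}" = apply ]; then
    load_ftp_helpers
    ftp_rules
fi
```

On a 2.4 kernel replace `-m conntrack --ctstate` with `-m state --state`; the matching semantics are the same. The ordering is the point: RELATED has to be accepted before any destination-port list, otherwise the data connection, whose ports the helper only learns from the PORT/PASV exchange, never matches a static rule.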
-
FTP blocked
I didn't look at your script closely, but I know that iptables, when doing NAT, has some problems with FTP. I had some problems similar to yours: some sites accepted and others didn't. When passive FTP was set in the browser it accepted most of the time...
I solved my problem by adding these two lines, which load two modules that fix this FTP problem, to rc.local (actually I put them in a script that rc.local calls, but they can go in directly...
Try it, then post back.
insmod /lib/modules/2.4.18-14/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
insmod /lib/modules/2.4.18-14/kernel/net/ipv4/netfilter/ip_nat_ftp.o
Regards,
Guidolin
-
FTP blocked
The NAT rules have to come last, and run the lsmod command and paste it here for us.
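A check for the two modules Guidolin mentions and for the lsmod output the last reply asks for, written as an added example that is not part of the thread. It reads lsmod-style text from stdin so it works on pasted output as well as on a live box; the sample lines below are constructed (the module sizes are illustrative), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: tell from lsmod output whether the FTP
# conntrack and NAT helpers are loaded. Module names differ by kernel generation:
# ip_conntrack_ftp / ip_nat_ftp on 2.4 and early 2.6, nf_conntrack_ftp / nf_nat_ftp today.

# Reads lsmod text on stdin, prints "conntrack=yes|no nat=yes|no",
# and returns success only when both helpers are present.
ftp_helper_status() {
    ct=no
    nat=no
    while read -r name size used by; do
        case "$name" in
            nf_conntrack_ftp|ip_conntrack_ftp) ct=yes ;;
            nf_nat_ftp|ip_nat_ftp)             nat=yes ;;
        esac
    done
    echo "conntrack=$ct nat=$nat"
    [ "$ct" = yes ] && [ "$nat" = yes ]
}

# Since Linux 4.7 the kernel no longer attaches helpers automatically unless this
# sysctl is 1 (or a CT --helper rule assigns them). Prints "n/a" where the file is absent.
auto_helper_state() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# Constructed sample shaped like lsmod output on a current kernel with both helpers loaded.
SAMPLE_OK='Module                  Size  Used by
nf_nat_ftp             16384  0
nf_conntrack_ftp       28672  1 nf_nat_ftp
nf_conntrack          163840  4 nf_nat_ftp,nf_conntrack_ftp,nf_nat,xt_conntrack'

# Constructed sample with only the tracking helper: data connections are recognised
# as RELATED but their addresses are not rewritten, so active mode fails behind MASQUERADE.
SAMPLE_NO_NAT='Module                  Size  Used by
nf_conntrack_ftp       28672  0
nf_conntrack          163840  3 nf_conntrack_ftp,nf_nat,xt_conntrack'

# Live use on the gateway:
#   lsmod | ftp_helper_status && echo "auto-assign: $(auto_helper_state)"
```

If the status line shows either helper as "no", load it with modprobe and re-run the check; if both are "yes" on a kernel from 4.7 onwards but auto_helper_state prints 0, the helper exists yet is never attached, and a CT --helper ftp rule in the raw table (or setting the sysctl to 1) is still needed.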