Oi galera,
Tenho um conectiva 8 como servidor de internet. Uso o Squid como proxy e o Iptables como filtro de pacotes.
A Caixa Econimica Federal instalou um programa de cobranca que precisa pingar os seguintes enderecos e portas:
200.244.109.67:2007
200.244.109.94:2008
200.231.155.65:3006
Preciso liberar estes enderecos para ping e tambem para o telnet.
Segue abaixo meus arquivos Squid.conf e iptables.txt
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 25 110 # POP3 SMTP
acl Safe_ports port 2007 2008 3006
acl CONNECT method CONNECT
acl rede_interna src 192.168.2.0/24
acl noblock_ports port 25 110
acl noblock_ports port 2007 2008 3006 # Portas para conexao CEF
#INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# And finally deny all other access to this proxy
#http_access deny all
http_access allow rede_interna
# http_port 3128
httpd_accel_with_proxy off
cache_dir ufs /cache/ 1000 16 256
httpd_accel_port 80
# httpd_accel_host virtual
cache_mem 16 MB
*****Iptables.txt*****
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
/usr/sbin/iptables -F
/usr/sbin/iptables -Z
/usr/sbin/iptables -X
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -P OUTPUT ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/usr/sbin/iptables -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -p ALL -s 192.168.2.0 -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -p ALL -s 200.149.0.0 -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp -s 192.168.2.0 -d 200.244.109.67 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp -s 192.168.2.0 -d 200.244.109.94 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp -s 192.168.2.0 -d 200.231.155.65 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -s 200.202.193.71 --sport 53 -d 200.149.0.0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -s 200.149.55.140 --sport 53 -d 200.149.0.0 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -f -j LOG --log-prefix "Pacote INPUT fragmentado: "
/usr/sbin/iptables -A INPUT -i eth1 -f -j DROP
/usr/sbin/iptables -A INPUT -p TCP -i eth0 -s 192.168.2.0/24 --dport 3128 -j ACCEPT
/usr/sbin/iptables -A INPUT -p TCP --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -p TCP -i eth1 --sport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -p TCP -i eth1 --sport 443 -j ACCEPT
/usr/sbin/iptables -A INPUT -p TCP -i eth1 --sport 20 -j ACCEPT
/usr/sbin/iptables -A INPUT -p UDP -i eth1 --sport 21 -j ACCEPT
/usr/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
/usr/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A FORWARD -p udp -s 192.168.2.0/24 -d 200.202.193.71 --dport 53 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p udp -s 192.168.2.0/24 -d 200.149.55.140 --dport 53 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p udp -s 200.202.193.71 --sport 53 -d 192.168.2.0/24 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p udp -s 200.149.55.140 --sport 53 -d 192.168.2.0/24 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p TCP -s 192.168.2.0/24 --dport 25 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p TCP -s 192.168.2.0/24 --dport 110 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
/usr/sbin/iptables -A FORWARD -j LOG --log-prefix "Pacote forward descartado: "
/usr/sbin/iptables -A FORWARD -j DROP
/usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
Se algume puder me ajudar.
Agradeco desde ja
Alexandre de Souza
[email protected]