- kazaa+squid+iptables
-
kazaa+squid+iptables
Hey folks,
I have an RH8 box with squid 2.4 and iptables 1.2.6a, well configured.
Unlike most people, I need to allow Kazaa Lite K++ for a few workstations, but I can't manage it. Which ports do I have to open, and where?
-
Re:
evandrobolsoni
Post your iptables rules, because everybody wants to block Kazaa and few people manage to.
Cheers
-
kazaa+squid+iptables
Post your squid.conf too... but if you didn't block it, it's strange that it doesn't work...
-
kazaa+squid+iptables
Hey...
I have two branch offices and one of them has the same problem.
No workstation can get access to Kazaa. I opened MSN, but Kazaa, no way!
I'm trying too! I've already opened ports and everything else.
Abutre.
-
Here's the squid config
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 5017 # CAT (Dataprev server)
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl redelocal src 192.168.200.0/255.255.255.0
acl bad_expr url_regex "/etc/squid/bad_expr.txt"
http_access deny bad_expr
acl bad_urls dstdom_regex "/etc/squid/bad_urls.txt"
http_access deny bad_urls
# Blocked by time of day:
acl nomedosetor src "/etc/squid/ip_depto.txt"
acl time_nomedosetor time M T W H F 08:00-15:40
http_access deny nomedosetor !time_nomedosetor
# Banned IPs:
acl ip_proi src "/etc/squid/ip_proi.txt"
http_access deny ip_proi
#acl ip_lab1 src "/etc/squid/ip_lab1.txt"
#http_access deny ip_lab1
#acl ip_lab2 src "/etc/squid/ip_lab2.txt"
#http_access deny ip_lab2
#acl ip_lab3 src "/etc/squid/ip_lab3.txt"
#http_access deny ip_lab3
#acl ip_lab4 src "/etc/squid/ip_lab4.txt"
#http_access deny ip_lab4
# Authorized IPs
acl ip_auth src "/etc/squid/ip_auth.txt"
http_access allow ip_auth
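As an added example (not part of the posted config and not Squid's own code), here is a Python evaluator for the Squid side of the original question, "which ports, and where": it parses acl and http_access lines for the ACL types used above (src, port, method, dstdom_regex) and applies Squid's first-match rule, where the first http_access line whose terms all match decides and, if none matches, the opposite of the last line applies. The config inside it is a constructed, shortened copy of the one above: the file-based lists are replaced by inline stand-ins, and the closing `deny !Safe_ports`, `deny CONNECT !SSL_ports`, `allow redelocal` and `deny all` lines are assumptions, since the post ends before them.

```python
"""First-match evaluation of a Squid 2.x http_access list, offline.

Added example, not code from the thread. The config below is a constructed,
shortened copy of the posted squid.conf; the file-based acls and the trailing
http_access lines are stand-ins / assumptions (see the comments).
"""
import ipaddress
import re

SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210
acl Safe_ports port 5017          # CAT (Dataprev server)
acl Safe_ports port 1025-65535    # unregistered ports
acl CONNECT method CONNECT
acl redelocal src 192.168.200.0/255.255.255.0
acl bad_urls dstdom_regex kazaa   # constructed stand-in for /etc/squid/bad_urls.txt
acl ip_proi src 192.168.200.77    # constructed stand-in for /etc/squid/ip_proi.txt
http_access deny bad_urls
http_access deny ip_proi
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow redelocal
http_access deny all
"""


def parse_squid(conf):
    """Collect acl definitions (same-name lines accumulate, as in Squid) and
    the ordered http_access list as (allow?, [terms]) pairs."""
    acls, access = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            access.append((parts[1] == "allow", parts[2:]))
    return acls, access


def acl_matches(kind, values, req):
    """True if the request matches any value of one acl (values are OR-ed)."""
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:                      # "80" or "1025-65535"
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    if kind == "dstdom_regex":
        return any(re.search(v, req["host"], re.I) for v in values)
    raise ValueError(f"acl type {kind!r} not handled by this example")


def http_access(conf, req):
    """Return 'allow' or 'deny' for req = {src, host, port, method}."""
    acls, access = parse_squid(conf)
    for allow, terms in access:
        for term in terms:                    # terms on one line are AND-ed
            negate = term.startswith("!")
            kind, values = acls[term.lstrip("!")]
            if acl_matches(kind, values, req) == negate:
                break                         # a term failed: line does not apply
        else:
            return "allow" if allow else "deny"
    return "deny" if access[-1][0] else "allow"   # no match: opposite of last line


def request(src, host, port, method="GET"):
    return {"src": src, "host": host, "port": port, "method": method}


if __name__ == "__main__":
    lan_host = "192.168.200.125"              # the workstation from the thread
    print(http_access(SQUID_CONF, request(lan_host, "peer.example.net", 1214)))
    print(http_access(SQUID_CONF, request(lan_host, "peer.example.net", 1214, "CONNECT")))
    print(http_access(SQUID_CONF, request(lan_host, "peer.example.net", 1024)))
```

With this constructed config a plain GET to port 1214 from a LAN host is allowed, because 1214 falls inside the `1025-65535` Safe_ports line; a CONNECT to 1214 is denied by `deny CONNECT !SSL_ports`; and port 1024 is denied outright, since no Safe_ports entry covers it. Whether the real, complete squid.conf behaves the same depends on the lines cut off from the post.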
-
kazaa+squid+iptables
1) Part of the squid.conf is missing; it has an http_access allow !Safe_ports, i.e. any port not in that Safe_ports list will be blocked.
2) To allow Kazaa you don't need to define a port; there are two options:
2.1) use the proxy's own port, using SOCKS in Kazaa's configuration (I think that's how it works);
2.2) you can allow it through iptables without going through the proxy; you just set Kazaa to connect directly:
the rules are:
iptables -t nat -A POSTROUTING -s rede_interna -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
-
kazaa+squid+iptables
I wanted to ask about something. I've already asked Jim for help (and I'm very grateful to him), but it's a problem that persists for me: I have a Squid box and, using iptables, I can't get it to reach my e-mail, which is at www.X..com.br. The strange thing is that I've set several rules and nothing. Do you have any idea how I could solve this problem?
-
kazaa+squid+iptables
Have you tried this one?
iptables -t nat -A POSTROUTING -s rede_interna -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
If it didn't work, start a new topic with your iptables rules.
-
Didn't work
I'm posting my rules file, please take a look, I need to solve this problem.
#!/bin/sh
# firewall rules, kept in /etc/sysconfig/regras_fireall
#
#########
# Interfaces and IP addresses
#
INET_IP="200.195.XX.XX1"
INET_IFACE="eth0"
INET_IP2="200.195.XX.XX2"
INET_IP3="200.195.XX.XX3"
LAN_IP="192.168.200.2"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
#########
# Reserved / unallocated networks (static bogon list)
# NOTE: this is a snapshot of the unallocated IPv4 space at the time the script
# was written. Most of these blocks have since been allocated (201/8, for
# instance, went to LACNIC in 2003), so a hard-coded list like this has to be
# refreshed regularly or it silently blocks legitimate traffic.
#
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \
23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8 \
58.0.0.0/7 60.0.0.0/8 67.0.0.0/8 68.0.0.0/6 72.0.0.0/5 80.0.0.0/4 \
96.0.0.0/3 169.254.0.0/16 192.0.2.0/24 197.0.0.0/8 201.0.0.0/8 \
218.0.0.0/7 220.0.0.0/6 224.0.0.0/3"
#########
# iptables PATH
#
IPTABLES="/sbin/iptables"
#########
# Load the required modules
#
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_tables
modprobe iptable_nat
modprobe ipt_state
modprobe ipt_unclean
modprobe ipt_limit
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
#########
# Kernel parameters
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# Disabling window scaling, SACK and timestamps costs TCP throughput and is not
# a security measure
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians   # 0 = do not log packets with impossible sources; 1 logs them to syslog
#########
# Flush and delete chains, then set the default policies
#
$IPTABLES -F
$IPTABLES -X
# The nat and mangle tables are populated below as well; flush them too, or
# re-running this script appends duplicate DNAT/MASQUERADE/TOS rules
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
########
# Log and drop spoofed packets
#
$IPTABLES -N log_spoofed
$IPTABLES -A log_spoofed -j LOG --log-prefix "FIREWALL - spoofed: "
$IPTABLES -A log_spoofed -j DROP
########
# Log and drop "unclean" packets
#
$IPTABLES -N log_unclean
$IPTABLES -A log_unclean -j LOG --log-prefix "FIREWALL - unclean: "
$IPTABLES -A log_unclean -j DROP
########
# Log and drop fragmented packets
#
$IPTABLES -N log_fragmentado
$IPTABLES -A log_fragmentado -j LOG --log-prefix "FIREWALL - fragmentado: "
$IPTABLES -A log_fragmentado -j DROP
########
# Log FTP connections, then accept them
#
$IPTABLES -N log_ftp
$IPTABLES -A log_ftp -j LOG --log-prefix "FIREWALL - --FTP--: "
$IPTABLES -A log_ftp -j ACCEPT
#########
# NAT for incoming packets
#
# DNAT on the public IPs
# Forwards the listed ports from the outside to the internal servers
$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 20 -j DNAT --to 192.168.200.3:20
$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 21 -j DNAT --to 192.168.200.3:21
$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 25 -j DNAT --to 192.168.200.3:25
$IPTABLES -A PREROUTING -t nat -d $INET_IP -p tcp --dport 80 -j DNAT --to 192.168.200.3:80
$IPTABLES -A PREROUTING -t nat -d $INET_IP2 -p tcp --dport 80 -j DNAT --to 192.168.200.2:80
$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 110 -j DNAT --to 192.168.200.3:110
$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 53 -j DNAT --to 192.168.200.3:53
$IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p udp --dport 53 -j DNAT --to 192.168.200.3:53
#########
# NAT (masquerading) for outgoing packets
#
$IPTABLES -t nat -A POSTROUTING -s 192.168.200.0/24 -o $INET_IFACE -j MASQUERADE
#########
# Allow loopback traffic
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#########
# Block unclean and fragmented packets
#
$IPTABLES -A INPUT -i $INET_IFACE -m unclean -j log_unclean
$IPTABLES -A INPUT -f -i $INET_IFACE -j log_fragmentado
#########
# Check for spoofed source addresses
#
$IPTABLES -A INPUT -i $LAN_IFACE ! -s 192.168.200.0/24 -j log_spoofed
$IPTABLES -A INPUT -i $INET_IFACE -s 10.0.0.0/8 -j log_spoofed
$IPTABLES -A INPUT -i $INET_IFACE -s 172.16.0.0/12 -j log_spoofed
$IPTABLES -A INPUT -i $INET_IFACE -s 192.168.0.0/16 -j log_spoofed
$IPTABLES -A INPUT -i $INET_IFACE -s 127.0.0.0/8 -j log_spoofed
$IPTABLES -A INPUT -i $INET_IFACE -s 255.255.255.255 -j log_spoofed
for NET in $RESERVED_NET; do
$IPTABLES -A INPUT -i $INET_IFACE -s $NET -j log_spoofed
done
$IPTABLES -A OUTPUT -o $INET_IFACE -d 0.0.0.0 -j log_spoofed
$IPTABLES -A OUTPUT -o $INET_IFACE -d 10.0.0.0/8 -j log_spoofed
$IPTABLES -A OUTPUT -o $INET_IFACE -d 172.16.0.0/12 -j log_spoofed
$IPTABLES -A OUTPUT -o $INET_IFACE -d 192.168.0.0/16 -j log_spoofed
$IPTABLES -A OUTPUT -o $INET_IFACE -d 224.0.0.0/4 -j log_spoofed
$IPTABLES -A OUTPUT -o $INET_IFACE -d 240.0.0.0/5 -j log_spoofed
#########
# FORWARD chain
#
$IPTABLES -N good-bad
$IPTABLES -N bad-good
# Allow packets belonging to established and related connections
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.200.0/24 -o $INET_IFACE -j good-bad
$IPTABLES -A FORWARD -s 0.0.0.0/0 -o $LAN_IFACE -j bad-good
# Log everything else (rate-limited); the FORWARD DROP policy then discards it
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FIREWALL - forward drop: "
#########
# Administrative network to the Internet
#
$IPTABLES -A good-bad -p tcp --dport 21 -i $LAN_IFACE -j log_ftp
$IPTABLES -A good-bad -p tcp --dport 22 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 23 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 25 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p udp --dport 53 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 53 -i $LAN_IFACE -j ACCEPT
# Every LAN host may reach TCP/80 directly, so Squid is only used by clients
# configured to point at it (there is no REDIRECT to 3128 in this script)
$IPTABLES -A good-bad -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 81 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 113 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 443 -i $LAN_IFACE -j ACCEPT
#receita federal
$IPTABLES -A good-bad -p tcp --dport 8017 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 1081 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 2631 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p udp --dport 2631 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 5631 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p udp --dport 5631 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 5632 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p udp --dport 5632 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p udp --dport 33434:33500 -i $LAN_IFACE -j ACCEPT
# receita.fazenda receitanet
$IPTABLES -A good-bad -p tcp --dport 3456 -i $LAN_IFACE -j ACCEPT
#Cnpq
$IPTABLES -A good-bad -p tcp --dport 2001 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 2002 -i $LAN_IFACE -j ACCEPT
# banestes
$IPTABLES -A good-bad -p tcp --dport 4226 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p icmp -i $LAN_IFACE -j ACCEPT
# CAT
$IPTABLES -A good-bad -p tcp --dport 5017 -i $LAN_IFACE -j ACCEPT
#Rational
$IPTABLES -A good-bad -p tcp --dport 27000 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp --dport 1030:1050 -i $LAN_IFACE -j ACCEPT
#########
#
# Internet to the internal servers
# Allows the connections DNATed above
$IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 20 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 21 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 25 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 53 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p udp -d 192.168.200.3 --dport 53 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 80 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.200.2 --dport 80 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 110 -i $INET_IFACE -j ACCEPT
# No DNAT rule above maps 6501/6502, so these two only matter if those hosts
# are reachable from outside by some other route
$IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 6502 -i $INET_IFACE -j ACCEPT
$IPTABLES -A bad-good -p tcp -d 192.168.200.1 --dport 6501 -i $INET_IFACE -j ACCEPT
#########
# INPUT chain
#
$IPTABLES -N bad-if
$IPTABLES -N good-if
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "FW - input - New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -j bad-if
$IPTABLES -A INPUT -i $LAN_IFACE -j good-if
# TOS marking (minimize delay) for HTTP traffic to and from the LAN
$IPTABLES -t mangle -A INPUT -i $LAN_IFACE -p tcp --dport 80 -j TOS --set-tos 16
$IPTABLES -t mangle -A OUTPUT -o $LAN_IFACE -p tcp --dport 80 -j TOS --set-tos 16
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FIREWALL - input drop: "
# SSH is accepted from any Internet address; restrict -s to known admin hosts where possible
$IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 22 -j ACCEPT
$IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 80 -j ACCEPT
$IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 443 -j ACCEPT
$IPTABLES -A good-if -d 192.168.200.255 -j DROP
$IPTABLES -A good-if -d 255.255.255.255 -j DROP
$IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 20 -j ACCEPT
$IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 21 -j ACCEPT
$IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 22 -j ACCEPT
$IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 80 -j ACCEPT
$IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 443 -j ACCEPT
$IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 3128 -j ACCEPT
$IPTABLES -A good-if -p icmp -j ACCEPT
#########
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "FW - output New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# Everything the firewall itself sends is accepted; the first rule is a subset
# of the second, and the LOG rule after them can never be reached
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FIREWALL - output drop: "
-
kazaa+squid+iptables
Try opening 1024 in squid.conf...
Add this to iptables too:
# Caveat: in FORWARD with no -s/-d/--dport restriction, these two rules accept
# any connection arriving on ppp0 whose source port is >= 1024, i.e. nearly all
# inbound traffic from the Internet, not just Kazaa
iptables -A FORWARD -i ppp0 --protocol tcp --source-port 1024:65535 -j ACCEPT
iptables -A FORWARD -i ppp0 --protocol udp --source-port 1024:65535 -j ACCEPT
-
1024?
But is Kazaa's port 1024 or 1214?
-
Solved!
Following the rules I posted above, the answer is this:
# (TCP/80 from the whole LAN is already accepted earlier in good-bad)
$IPTABLES -A good-bad -p tcp -s 192.168.200.125 --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p tcp -s 192.168.200.125 --dport 1214:65535 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A good-bad -p udp -s 192.168.200.125 --dport 1214:65535 -i $LAN_IFACE -j ACCEPT
You also have to open 1214 in squid.conf.
Thanks
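The two rule styles the thread weighs, the per-host `1214:65535` rules in the post above and the earlier `ppp0 --source-port 1024:65535` suggestion, can be compared without loading them into a kernel. The following is an added example, not code from the thread or from any poster: a small Python simulator that parses a constructed subset of the FORWARD, good-bad and bad-good chains posted earlier plus the per-host rules from this post, and walks them the way iptables does (first terminating target wins, a user chain with no match returns to its caller, the built-in chain ends in its policy). The peer address 203.0.113.9, the 192.168.200.50 host and the packet fields are assumptions for the demonstration.

```python
"""Offline walk of an iptables FORWARD policy (added example, not thread code).

Parses `-A chain ...` lines for the matches the posted script uses (-s, -d, -i,
-o, -p, --dport, --sport, -m state --state, `!`) and walks a chain like the
kernel does. RULESET is a constructed subset of the posted chains.
"""
import ipaddress
import shlex

LAN, INET = "eth1", "eth0"
POLICY = {"FORWARD": "DROP"}
# Constructed subset of the posted FORWARD/good-bad/bad-good chains plus the
# two per-host Kazaa rules from the "Solved!" post.
RULESET = f"""
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.200.0/24 -o {INET} -j good-bad
-A FORWARD -s 0.0.0.0/0 -o {LAN} -j bad-good
-A good-bad -p tcp --dport 80 -i {LAN} -j ACCEPT
-A good-bad -p tcp -s 192.168.200.125 --dport 1214:65535 -i {LAN} -j ACCEPT
-A good-bad -p udp -s 192.168.200.125 --dport 1214:65535 -i {LAN} -j ACCEPT
-A bad-good -p tcp -d 192.168.200.3 --dport 25 -i {INET} -j ACCEPT
"""
# The ppp0 rule suggested earlier in the thread (ppp0 = that poster's uplink).
BROAD_RULE = "-A FORWARD -i ppp0 --protocol tcp --source-port 1024:65535 -j ACCEPT"

ALIASES = {"--source": "-s", "--destination": "-d", "--in-interface": "-i",
           "--out-interface": "-o", "--protocol": "-p", "--jump": "-j",
           "--destination-port": "--dport", "--source-port": "--sport"}
FIELD = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out", "-p": "proto",
         "--dport": "dport", "--sport": "sport", "--state": "state"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def port_range(spec):
    """'80' -> (80, 80); '1214:65535' -> (1214, 65535); '1024:' -> (1024, 65535)."""
    lo, sep, hi = spec.partition(":")
    return int(lo or 0), int(hi) if hi else (65535 if sep else int(lo))


def parse_rule(line):
    """One `-A chain ...` line -> dict with chain, target and {opt: (negated, value)}."""
    toks, rule, i, negate = shlex.split(line), {"chain": None, "target": None, "matches": {}}, 0, False
    while i < len(toks):
        opt = ALIASES.get(toks[i], toks[i])
        if opt == "!":                         # negates the next match only
            negate, i = True, i + 1
            continue
        arg = toks[i + 1]
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-j":
            rule["target"] = arg
        elif opt in ("-s", "-d"):
            rule["matches"][opt] = (negate, ipaddress.ip_network(arg, strict=False))
        elif opt in ("-i", "-o", "-p"):
            rule["matches"][opt] = (negate, arg.lower())
        elif opt in ("--dport", "--sport"):
            rule["matches"][opt] = (negate, port_range(arg))
        elif opt == "--state":
            rule["matches"][opt] = (negate, set(arg.split(",")))
        elif opt != "-m":                      # "-m state" only names the extension
            raise ValueError(f"option {toks[i]!r} not handled by this example")
        negate, i = False, i + 2
    return rule


def rule_matches(rule, pkt):
    """All matches of a rule are AND-ed; `!` inverts the single match it precedes."""
    for opt, (negate, want) in rule["matches"].items():
        have = pkt[FIELD[opt]]
        if opt in ("-s", "-d"):
            hit = ipaddress.ip_address(have) in want
        elif opt in ("--dport", "--sport"):
            hit = want[0] <= have <= want[1]
        elif opt == "--state":
            hit = have in want
        else:
            hit = have == want
        if hit == negate:
            return False
    return True


def verdict(rules, policy, chain, pkt, depth=0):
    """First terminating target wins; a user chain without a match falls back
    to its caller; the built-in chain falls back to its policy."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "LOG":
            continue                           # non-terminating, keep walking
        sub = verdict(rules, policy, target, pkt, depth + 1)   # user chain
        if sub is not None:
            return sub
    return policy.get(chain) if depth == 0 else None


def packet(src, dst, proto, dport, inif, outif, sport=40000, state="NEW"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "sport": sport, "in": inif, "out": outif, "state": state}


def forward(pkt, extra_rules=()):
    """Verdict of the FORWARD chain, with extra_rules prepended (as -I would)."""
    rules = [parse_rule(l) for l in (*extra_rules, *RULESET.strip().splitlines())]
    return verdict(rules, POLICY, "FORWARD", pkt)


if __name__ == "__main__":
    inbound = packet("203.0.113.9", "192.168.200.50", "tcp", 139, "ppp0", LAN)
    print(forward(packet("192.168.200.125", "203.0.113.9", "tcp", 1214, LAN, INET)))
    print(forward(inbound), forward(inbound, [BROAD_RULE]))
```

Running it shows the .125 host's TCP/1214 connection accepted and the same connection from another LAN host dropped, while the broad ppp0 rule turns an unsolicited inbound connection to TCP/139 on a LAN host from DROP into ACCEPT: it matches on the source port alone, which any client on the Internet chooses freely, so it is not a Kazaa rule at all.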
-
Kazaa and ipchains
I use ipchains and have the same problem: I need to open the port for Kazaa Lite 2.4.3b for a single machine, but I don't get it, I open port 1214 and nothing. I need this urgently! Thanks