Hi everyone! I have a basic question.
I have a problem on my gateway: I need to open some ports to specific Caixa IP addresses so that I can use Conectividade Social.
The site is this one: http://www1.caixa.gov.br/pj/asp/cone...empregador.asp
There is a manual on the site, but I could not get anything useful done with it, through inexperience on my part:
http://downloads.caixa.gov.br/pj/_ar...es_CNS-E11.pdf
Code:
ipfwadm -F -i accept -m -P tcp -S 10.0.0.0/8 1024:65535 -D 200.201.174.0/24 80
My firewall file is this:
Code:
#!/bin/bash
# chkconfig: 345 98 110
# description: Firewall initialization

IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"

function status() {
    ${IPTABLES} -L
}

function carrega_modulos() {
    $MODPROBE ip_tables
    $MODPROBE iptable_filter
    $MODPROBE iptable_nat
    $MODPROBE ip_nat_ftp
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp
}

function stop() {
    ${IPTABLES} --flush
    ${IPTABLES} -t mangle --flush
    ${IPTABLES} -t nat --flush
    ${IPTABLES} -F
    ${IPTABLES} -F INPUT
    ${IPTABLES} -F OUTPUT
    ${IPTABLES} -F FORWARD
    ${IPTABLES} -F -t mangle
    ${IPTABLES} -t mangle -X
    ${IPTABLES} -t nat -X
    ${IPTABLES} -X
    ${IPTABLES} -t nat -F PREROUTING
    ${IPTABLES} -t nat -F OUTPUT
    ${IPTABLES} -t nat -F POSTROUTING
    ${IPTABLES} -t mangle -F PREROUTING
    ${IPTABLES} -t mangle -F OUTPUT
}

function start() {
    stop
    carrega_modulos

    ETHInternet=eth0
    IPInternet="<the IP of my Speedy link>"   # placeholder, left as posted
    echo "IP Internet: " $IPInternet
    ETHLocal=eth1
    IPLocal=192.168.0.0/24
    echo "IP Local: " $IPLocal

    LOG_FLOOD="2/s"
    SYN_FLOOD="4/s"
    PING_FLOOD="2/s"
    LOG_LEVEL="debug"

    echo 1 > /proc/sys/net/ipv4/ip_forward
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $i
    done

    ######################### Accept ##########################
    ${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ##### Loopback traffic, in and out
    ${IPTABLES} -A INPUT -i lo -j ACCEPT

    ##### Internal network traffic ******
    # -i takes an interface name; matching a host address needs -s
    ${IPTABLES} -A INPUT -s 192.168.0.3 -j REJECT
    ${IPTABLES} -A INPUT -i $ETHLocal -j ACCEPT
    ${IPTABLES} -A INPUT -p tcp -s 200.0.0.0/8 --dport ssh -j ACCEPT

    ##### Accept HTTP
    #${IPTABLES} -A INPUT -p tcp -s 0/0 -m multiport --dport http,https -j ACCEPT
    ##### Accept SMTP
    #${IPTABLES} -A INPUT -p tcp -m multiport --dport smtp -j ACCEPT
    #${IPTABLES} -A INPUT -p tcp -m multiport --dport pop3 -j ACCEPT

    #### Caixa
    ${IPTABLES} -A FORWARD -p tcp -s 192.168.0.0/24 -d 200.201.174.0/24 -j ACCEPT

    #### Block MSN ####
    ${IPTABLES} -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
    ${IPTABLES} -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
    ${IPTABLES} -A FORWARD -s 192.168.0.0/24 -d webmessenger.msn.com -j REJECT

    ###################################### CREATE LOG
    ##### PING
    #${IPTABLES} -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level "warning" --log-prefix "Firewall - Ping "
    ##### SSH,TELNET,FTP
    #${IPTABLES} -A INPUT -p tcp --dport ssh -j LOG --log-level "warning" --log-prefix "Firewall - sshDENIED "
    #${IPTABLES} -A INPUT -p tcp --dport telnet -j LOG --log-level "warning" --log-prefix "Firewall - telnetDENIED "
    #${IPTABLES} -A INPUT -p tcp --dport ftp -j LOG --log-level "warning" --log-prefix "Firewall - ftpDENIED"

    ######################################## DROP
    ##### Deny all remaining access
    ${IPTABLES} -A INPUT -j DROP

    ####################################### FORWARD
    # Drop ping passing through
    #${IPTABLES} -A FORWARD -s 192.168.0.100 -j REJECT
    ${IPTABLES} -A FORWARD -j ACCEPT

    ################################### Auxiliary rules
    ##### Improve ssh
    # the TOS target lives in the mangle table; the original passed both -t nat and -t mangle
    ${IPTABLES} -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
    ##### Don't let smtp leave with priority, so it doesn't kill the link
    ${IPTABLES} -t mangle -A PREROUTING -p tcp --dport smtp -j TOS --set-tos Normal-Service

    ################################### REDIRECTION
    ##### Proxy
    ${IPTABLES} -t nat -A PREROUTING -p tcp -i $ETHLocal --dport 80 -j REDIRECT --to-port 3128

    ########################################## NAT
    ##### NAT for the internal network
    ${IPTABLES} -t nat -N INTERNET
    ${IPTABLES} -t nat -A INTERNET -s $IPLocal -j SNAT --to $IPInternet
    ${IPTABLES} -t nat -A POSTROUTING -j INTERNET

    ########################################## END
    echo "Firewall iniciado .............."
} # End

function reload() {
    echo "Parando Firewall."
    stop
    echo "Iniciando Firewall."
    start
}

case "$1" in
    status)  status ;;
    start)   start ;;
    stop)    stop ;;
    restart) reload ;;
    reload)  reload ;;
    *)
        echo "Utilize firewall {start|stop|status|restart|reload}"
        exit 1
esac
The squid.conf file is this:
Code:
# WELCOME TO SQUID 2
# ------------------
hierarchy_stoplist cgi-bin ?
acl SITE_COOPEC url_regex -i ^http://www.coopec.com.br/
no_cache deny SITE_COOPEC
minimum_object_size 10 KB
maximum_object_size_in_memory 100 KB
cache_access_log /var/log/squid/access.log

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl ricardo src 192.168.0.100/255.255.255.255
acl adriano src 192.168.0.3/255.255.255.255
acl labserver src 192.168.0.30/255.255.255.255
acl jane src 192.168.0.99/255.255.255.255

acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl Safe_ports port 4662        # emule tcp
acl Safe_ports port 4672        # emule udp
acl purge method PURGE
acl CONNECT method CONNECT
acl proibidos dstdom_regex "/etc/squid/proibidos"

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ricardo
http_access allow labserver
http_access deny proibidos
http_access deny adriano
icp_access allow all

error_directory /usr/lib/squid/errors/Portuguese
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Thanks in advance for the help of some kind-hearted fellow!
Big hug!!!!
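The post asks for FORWARD rules that let LAN hosts reach one bank address range on specific ports. Two things in the posted script are worth noticing first: its FORWARD chain ends in `-j ACCEPT`, so the dedicated Caixa rule never decides anything, and the nat PREROUTING rule redirects every port-80 connection from eth1 into squid on 3128, so a browser request to the bank reaches the proxy rather than the FORWARD chain. The script below is an added example, not code from the original post or from the Caixa manual. It takes the addresses the post already uses (192.168.0.0/24 behind eth1, destination 200.201.174.0/24) and port 80 from the manual's ipfwadm line, and generates a FORWARD policy that allows only those destination ports, logs and drops the rest, and optionally exempts the bank range from the transparent-proxy redirect. `run`, `allow_forward`, `bypass_proxy`, `build_policy` and `rule_count` are helper names invented here; by default it prints the iptables commands (DRY_RUN=1) instead of applying them, so the rule set can be reviewed without root.

```bash
#!/bin/sh
# Added example (not from the original post): a scoped FORWARD policy for
# a gateway that must let LAN hosts reach one bank's address range on
# specific TCP ports, with everything else in FORWARD dropped by default.
# Assumed values, taken from the post and the manual line it quotes:
#   LAN 192.168.0.0/24 behind eth1, destination 200.201.174.0/24, TCP 80.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# run: print or execute one iptables invocation, depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# allow_forward LAN_IF LAN_NET DST_NET PORT...
# One stateful allow rule per destination port. Only the first packet of a
# connection has to match; replies are covered by the ESTABLISHED,RELATED
# rule that build_policy installs first.
allow_forward() {
    lan_if=$1; lan_net=$2; dst_net=$3
    shift 3
    for port in "$@"; do
        run -A FORWARD -i "$lan_if" -p tcp -s "$lan_net" -d "$dst_net" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# bypass_proxy LAN_IF DST_NET
# ACCEPT in the nat PREROUTING chain ends NAT processing for that packet,
# so the connection is routed to the bank instead of being REDIRECTed to
# the transparent proxy on 3128 (as the posted rule does for all of port 80).
bypass_proxy() {
    lan_if=$1; dst_net=$2
    run -t nat -I PREROUTING -i "$lan_if" -p tcp -d "$dst_net" --dport 80 -j ACCEPT
}

# build_policy LAN_IF LAN_NET DST_NET PORT...
# Emits the complete FORWARD policy: replies first, explicit allows next,
# then a rate-limited LOG and a final DROP instead of a blanket ACCEPT.
build_policy() {
    lan_if=$1; lan_net=$2; dst_net=$3
    shift 3
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_forward "$lan_if" "$lan_net" "$dst_net" "$@"
    # The log line names the destination/port that still lacks a rule,
    # which is how to find out what else the bank application needs.
    run -A FORWARD -m limit --limit 2/s -j LOG --log-prefix "FW-FORWARD-DROP "
    run -A FORWARD -j DROP
}

# rule_count PORT...: number of ACCEPT rules the policy creates for these
# ports (the ESTABLISHED,RELATED rule plus one per port), for review.
rule_count() {
    build_policy eth1 192.168.0.0/24 200.201.174.0/24 "$@" | grep -c -- '-j ACCEPT'
}

# Stand-alone usage with the post's addresses: review the output, then
# rerun with DRY_RUN=0 as root to apply it.
build_policy eth1 192.168.0.0/24 200.201.174.0/24 80
bypass_proxy eth1 200.201.174.0/24
```

If the bank application needs further ports, add them to the `build_policy` call rather than widening the destination to `0/0`: the LOG rule reports the port of any dropped attempt, so each addition can be justified by an observed entry.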