Folks, I urgently need help!
I have just set up a firewall.
The internet works normally, but Outlook cannot contact the POP server, nor the SMTP one.
Help me urgently, please.
My firewall is in iptables.
NoiseMaster
What rules did you set up? Post them here so we can take a look!!!!
It makes it easier to find out what the problem is!!!!
[ ]'s
Apart from NAT.
iptables -I INPUT -p tcp -s minha_rede --dport 80 -j DROP
iptables -I INPUT -p tcp -s minha_rede --dport 443 -j DROP
iptables -I INPUT -p tcp -s minha_rede -j ACCEPT
Just so the users cannot bypass Squid.
NoiseMaster
How are they going to read their email?
If Outlook goes through Squid... you cannot block the port it uses to communicate with the outside.
What is your Squid port? 80? iptables -I INPUT -p tcp -s minha_rede --dport 80 -j DROP
Aren't you a bit confused?
Say what you want to do and we will help you with the rules.
I cleared all the firewall rules
#iptables -t filter -F
Now I only have Squid running.
How do I open the SMTP and POP ports?
Simon got in early today...
Simon guesses: "You have a Linux gateway and the other machines on the network are Windoze...."
Simon simulates:
On the Linux gateway you have at least two network cards:
eth0 = dhcp or ppp (external internet access)
eth1 = 13.1.1.1 - subnet mask 255.255.255.0 (routed LAN access), the machine name being gateway and the network name testnet
----------------------------------------------------------------------------------------------
Insert at the end of rc.firewall:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.2/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.3/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.4/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.5/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.6/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.7/32 -j MASQUERADE
-----------------------------------------------------------------------------------------------
This masquerades 7 machines on the network
A reboot becomes necessary at the end of the procedure.
-----------------------------------------------------------------------------------------------
Check the network properties of each Windows machine on the network:
- All must have a fixed IP, for example:
the company director's machine has IP 13.1.1.7 and subnet mask 255.255.255.0
- Set the TCP/IP protocol (of the connected card) as the default;
- enter the gateway: 13.1.1.1
- enter DNS: 13.1.1.1 (make sure named is running on the gateway with the command:
# ps -edf | grep named
if it is not, run:
# /etc/init.d/named start
Note: If it fails you must install the name server (DNS) packages; reminder: put your internet provider's DNS IP in resolv.conf (in the default config).
- enter the host name -> Diretor_Franginha and also the network name testnet.
- Once that is done, Windoze asks to reboot... because it has to kill itself to re-read the network settings.
-------------------------------------------------------------------------------------
Test Outlook
and good luck!
by ¿X?
Simon, you are confusing!
Man, you neither send nor receive?
When you cleared iptables, did it work?
The rules gave errors,
'-s' bad arguments 'meu_ip'.
What is $EXTIF?
B4D,
I cleared the iptables rules and left Squid without my rules, only with the basic rules.
And even so it does not work.
I ran a command:
nmap 10.0.0.254 and it showed
only two open ports
111/tcp open sunrpc
3128/tcp open squid-http
How do I open the others, 25, 110, 3389 (WTS)?
[ This message was edited by: NoiseMaster on 14-11-2002 11:47 ]
Simon says....
People complain a lot...
But Simon understands and sends a complete firewall.
Cut and Grud by ¿Xa®aDa?
IP masquerading technique using the firewall for a ppp connection
if it is ethx, just replace ppp with ethx
Note... there is Squid in the middle, but that you will have to research yourselves.
-------------------------------------------------------------------------------------
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.63
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
# The location of the 'iptables' program
#
# If your Linux distribution came with a copy of iptables, most
# likely it is located in /sbin. If you manually compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# EXTIF="ppp0"
#
# if you are a modem user.
#
EXTIF="ppp0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
/sbin/insmod ip_tables
#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
# iptable_mangle - this target allows for packets to be manipulated
# for things like the TCPMSS option, etc.
echo ". Done loading modules."
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.2/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.3/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.4/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.5/32 -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.6/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.7/32 -j MASQUERADE
echo -e "\nDone.\n"
-------------------------------------------------------------------------------------------
Now Simon has helped.
Copy and paste this into your firewall... and good luck!!!
But what the hell are those open ports for? Do you have the servers running on your machine???
If you do... they open the ports... if you don't... you don't need to open them!!!!!!
If you are simply a client... the gateway doesn't need to be open for anything, because client ports are random!!!!
So much confusion over a trivial matter
Damn, man, you really sent everything.....
Simon, you are my idol!!!
noise... test the firewall there, if it doesn't work it may be something else I'm thinking of... let me know... I'm here until 15:00, ok?
Quote:
On 2002-11-14 11:25, X wrote:
Simon got in early today...
Simon guesses: "You have a Linux gateway and the other machines on the network are Windoze...."
Simon simulates:
On the Linux gateway you have at least two network cards:
eth0 = dhcp or ppp (external internet access)
eth1 = 13.1.1.1 - subnet mask 255.255.255.0 (routed LAN access), the machine name being gateway and the network name testnet
----------------------------------------------------------------------------------------------
Insert at the end of rc.firewall:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.2/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.3/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.4/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.5/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.6/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.7/32 -j MASQUERADE
-----------------------------------------------------------------------------------------------
This masquerades 7 machines on the network
A reboot becomes necessary at the end of the procedure.
-----------------------------------------------------------------------------------------------
Not true! I don't see the reason for the reboot, just run the script live. Ah... and rc.firewall does not exist on all systems ;| . You can masquerade the whole network right away instead of host by host
Check the network properties of each Windows machine on the network:
- All must have a fixed IP, for example:
the company director's machine has IP 13.1.1.7 and subnet mask 255.255.255.0
- Set the TCP/IP protocol (of the connected card) as the default;
- enter the gateway: 13.1.1.1
- enter DNS: 13.1.1.1 (make sure named is running on the gateway with the command:
# ps -edf | grep named
if it is not, run:
# /etc/init.d/named start
Note: If it fails you must install the name server (DNS) packages; reminder: put your internet provider's DNS IP in resolv.conf (in the default config).
- enter the host name -> Diretor_Franginha and also the network name testnet.
- Once that is done, Windoze asks to reboot... because it has to kill itself to re-read the network settings.
-------------------------------------------------------------------------------------
Test Outlook
and good luck!
by ¿X?
If it is Windows NT based, just disable the connection and enable it again. If it is a DHCP client, the same thing.
Even so, I think there is a lot of confusion around our colleague's question... I think that is not what he wants. I'm waiting for more explanation of the problem!!
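As an added example (not NoiseMaster's rules nor Simon's rc.firewall), here is a gateway ruleset that does what the thread is circling around: one MASQUERADE rule for the whole LAN, as B4D suggests, and the "force Squid" block placed in FORWARD, where routed traffic is actually decided, so SMTP and POP3 from Outlook still pass. It assumes ppp0 as the uplink, eth1 as the LAN interface and 13.1.1.0/24 as the LAN; without arguments it only prints the rules.

```shell
#!/bin/sh
# Added example for the thread above (not NoiseMaster's or Simon's script).
# Assumed layout: uplink on ppp0, LAN 13.1.1.0/24 on eth1, Squid and named
# running on the gateway. Run without arguments to print the rules; --apply applies them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-eth1}"
LAN="${LAN:-13.1.1.0/24}"

# $1 is the command used to emit each rule: the real iptables, or "echo" for a dry run.
build_rules() {
    ipt="$1"
    $ipt -F
    $ipt -t nat -F
    # Gateway services (Squid on 3128, named on 53) stay reachable through INPUT;
    # traffic routed between the LAN and the internet is decided in FORWARD.
    $ipt -P INPUT ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -P FORWARD DROP
    # One rule masquerades the whole LAN instead of one rule per host.
    $ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
    # Replies to connections the LAN opened are allowed back in.
    $ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Direct web access is dropped so browsers have to use Squid. -A appends in the
    # order written; -I would put each new rule on top, so the ACCEPT below would be
    # evaluated first and these DROPs would never match.
    $ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp -m multiport --dports 80,443 -j DROP
    # Everything else from the LAN, SMTP (25) and POP3 (110) included, goes out directly.
    $ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    # Anything left (unsolicited inbound) is logged, then hits the DROP policy.
    $ipt -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Return 0 when the dry-run transcript in $1 has the 80/443 DROP before the LAN ACCEPT.
proxy_block_precedes_accept() {
    drop_line=$(printf '%s\n' "$1" | grep -n -- '--dports 80,443 -j DROP' | cut -d: -f1)
    accept_line=$(printf '%s\n' "$1" | grep -n -- "-o $EXTIF -j ACCEPT" | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

if [ "${1:-}" = "--apply" ]; then
    build_rules "$IPTABLES"
else
    build_rules echo
fi
```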