+ Responder ao Tópico



  1. 18-11-2003, 13:39 #1
    Visitante

    Padrão Liberando o ping e o telnet

    Oi galera,
    Tenho um conectiva 8 como servidor de internet. Uso o Squid como proxy e o Iptables como filtro de pacotes.

    A Caixa Econimica Federal instalou um programa de cobranca que precisa pingar os seguintes enderecos e portas:

    200.244.109.67:2007
    200.244.109.94:2008
    200.231.155.65:3006

    Preciso liberar estes enderecos para ping e tambem para o telnet.

    Segue abaixo meus arquivos Squid.conf e iptables.txt

    #Recommended minimum configuration:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 25 110 # POP3 SMTP
    acl Safe_ports port 2007 2008 3006
    acl CONNECT method CONNECT
    acl rede_interna src 192.168.2.0/24
    acl noblock_ports port 25 110
    acl noblock_ports port 2007 2008 3006 # Portas para conexao CEF
    #INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    # And finally deny all other access to this proxy
    #http_access deny all

    http_access allow rede_interna
    # http_port 3128

    httpd_accel_with_proxy off
    cache_dir ufs /cache/ 1000 16 256
    httpd_accel_port 80
    # httpd_accel_host virtual
    cache_mem 16 MB


    *****Iptables.txt*****

    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_filter
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_MASQUERADE


    /usr/sbin/iptables -F
    /usr/sbin/iptables -Z
    /usr/sbin/iptables -X
    /usr/sbin/iptables -t nat -F
    /usr/sbin/iptables -P INPUT DROP
    /usr/sbin/iptables -P FORWARD DROP
    /usr/sbin/iptables -P OUTPUT ACCEPT


    echo "1" > /proc/sys/net/ipv4/ip_forward

    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts



    /usr/sbin/iptables -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
    /usr/sbin/iptables -A INPUT -p ALL -s 192.168.2.0 -i lo -j ACCEPT
    /usr/sbin/iptables -A INPUT -p ALL -s 200.149.0.0 -i lo -j ACCEPT


    /usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    /usr/sbin/iptables -A INPUT -p icmp --icmp-type 8 -i eth0 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p icmp -s 192.168.2.0 -d 200.244.109.67 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p icmp -s 192.168.2.0 -d 200.244.109.94 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p icmp -s 192.168.2.0 -d 200.231.155.65 -j ACCEPT


    /usr/sbin/iptables -A INPUT -p udp -s 200.202.193.71 --sport 53 -d 200.149.0.0 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p udp -s 200.149.55.140 --sport 53 -d 200.149.0.0 -j ACCEPT


    /usr/sbin/iptables -A INPUT -i eth1 -f -j LOG --log-prefix "Pacote INPUT fragmentado: "
    /usr/sbin/iptables -A INPUT -i eth1 -f -j DROP


    /usr/sbin/iptables -A INPUT -p TCP -i eth0 -s 192.168.2.0/24 --dport 3128 -j ACCEPT

    /usr/sbin/iptables -A INPUT -p TCP --dport 22 -j ACCEPT

    /usr/sbin/iptables -A INPUT -p TCP -i eth1 --sport 80 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p TCP -i eth1 --sport 443 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p TCP -i eth1 --sport 20 -j ACCEPT
    /usr/sbin/iptables -A INPUT -p UDP -i eth1 --sport 21 -j ACCEPT

    /usr/sbin/iptables -A FORWARD -m state --state INVALID -j DROP

    /usr/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    /usr/sbin/iptables -A FORWARD -p udp -s 192.168.2.0/24 -d 200.202.193.71 --dport 53 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p udp -s 192.168.2.0/24 -d 200.149.55.140 --dport 53 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p udp -s 200.202.193.71 --sport 53 -d 192.168.2.0/24 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p udp -s 200.149.55.140 --sport 53 -d 192.168.2.0/24 -j ACCEPT

    /usr/sbin/iptables -A FORWARD -p TCP -s 192.168.2.0/24 --dport 25 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p TCP -s 192.168.2.0/24 --dport 110 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p tcp --sport 110 -j ACCEPT

    /usr/sbin/iptables -A FORWARD -j LOG --log-prefix "Pacote forward descartado: "
    /usr/sbin/iptables -A FORWARD -j DROP

    /usr/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE


    Se algume puder me ajudar.


    Agradeco desde ja


    Alexandre de Souza
    [email protected]
    Citação Citação
  2. 18-11-2003, 15:18 #2
    Visitante

    Padrão Liberando o ping e o telnet

    Alexandre tente usar isso e ve se vai funcionar
    para vc liberar o telnet use
    iptables -A Forward -p tcp -s ip_sua_rede -d 200.244.109.67 --dport 23 -J ACCEPT
    iptables -A Forward -p udp -s ip_sua_rede -d 200.244.109.67 --dport 23 -J ACCEPT
    Use tbm para as regras de Input e Output e mudando os outros endereços de ips que vc precisa liberar.
    Espero que isso te ajude

    [ Esta mensagem foi editada por: em 18-11-2003 15:19 ]
    Citação Citação



« Tópico Anterior | Próximo Tópico »