  1. #1
    evandrobolsoni
    Guest

    kazaa+squid+iptables

    Hey folks,

    I have an RH8, squid 2.4 and iptables 1.2.6a, all well configured.
    Unlike a lot of people, I need to allow Kazaa Lite K++ for a few workstations, but I can't get it working. Which ports do I have to open, and where?

  2. #2
    Guest

    Re:

    evandrobolsoni,

    post your iptables rules, because everyone wants to block Kazaa and few people manage to.

    cheers

  3. #3

    kazaa+squid+iptables

    Post your squid.conf too.... but if you haven't blocked it, it's strange that it doesn't work...

  4. #4
    Abutre
    Guest

    kazaa+squid+iptables

    Hey...
    I have two branch offices and one of them has the same problem.
    No workstation can reach Kazaa. I opened up MSN, but Kazaa, no way!
    I'm trying too! I've already opened ports and everything.

    Abutre.

  5. #5
    evandrobolsoni
    Guest

    here's the squid

    #Recommended minimum configuration:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 5017 # Cat Dataprev server
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    acl redelocal src 192.168.200.0/255.255.255.0
    acl bad_expr url_regex "/etc/squid/bad_expr.txt"
    http_access deny bad_expr
    acl bad_urls dstdom_regex "/etc/squid/bad_urls.txt"
    http_access deny bad_urls

    # Blocked by time of day:
    acl nomedosetor src "/etc/squid/ip_depto.txt"
    acl time_nomedosetor time M T W H F 08:00-15:40
    http_access deny nomedosetor !time_nomedosetor

    # Banned IPs:
    acl ip_proi src "/etc/squid/ip_proi.txt"
    http_access deny ip_proi
    #acl ip_lab1 src "/etc/squid/ip_lab1.txt"
    #http_access deny ip_lab1
    #acl ip_lab2 src "/etc/squid/ip_lab2.txt"
    #http_access deny ip_lab2
    #acl ip_lab3 src "/etc/squid/ip_lab3.txt"
    #http_access deny ip_lab3
    #acl ip_lab4 src "/etc/squid/ip_lab4.txt"
    #http_access deny ip_lab4

    # Authorised IPs
    acl ip_auth src "/etc/squid/ip_auth.txt"
    http_access allow ip_auth

  6. #6

    kazaa+squid+iptables

    1) Part of the squid.conf is missing: it has an http_access allow !Safe_ports, i.e. any port that isn't in that Safe_ports list of his will be blocked.

    2) To allow Kazaa you don't need to define a port; there are 2 options:
    2.1) use the proxy port itself, using SOCKS in Kazaa's configuration (I think that's how it is)
    2.2) you can allow it through iptables without going through the proxy; you just set Kazaa to connect directly:
    the rules are:
    iptables -t nat -A POSTROUTING -s rede_interna -j MASQUERADE   # rede_interna: your internal network range
    echo 1 > /proc/sys/net/ipv4/ip_forward
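A check for the Safe_ports point raised in this reply, added here as an example and not code from the thread: it parses the `acl Safe_ports port ...` lines of the squid.conf posted above (embedded below as a constructed excerpt) and reports whether a given destination port is covered, which is what the `http_access deny !Safe_ports` line of a stock squid.conf enforces. The function name `safe_port_covered` and the embedded excerpt are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): tell whether a TCP port is covered by
# the Safe_ports ACL of a squid.conf, i.e. whether "http_access deny
# !Safe_ports" would let a CONNECT/GET to that port through.

# Constructed excerpt: the Safe_ports lines from the squid.conf posted above.
SQUID_CONF='acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 5017 # Cat Dataprev server
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT'

# safe_port_covered PORT [ACLNAME]
# Prints "yes" and returns 0 if PORT matches any "acl ACLNAME port ..." entry
# (single ports or low-high ranges; trailing "# comment" is stripped first);
# otherwise prints "no" and returns 1.
safe_port_covered() {
    port=$1
    acl=${2:-Safe_ports}
    printf '%s\n' "$SQUID_CONF" |
    sed 's/#.*//' |
    awk -v want="$port" -v acl="$acl" '
        BEGIN { w = want + 0; found = 0 }
        $1 == "acl" && $2 == acl && $3 == "port" {
            for (i = 4; i <= NF; i++) {
                n = split($i, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (w >= lo && w <= hi) { found = 1; exit }
            }
        }
        END { print (found ? "yes" : "no"); exit (found ? 0 : 1) }'
}

# Demo: 1214 falls inside the 1025-65535 entry, 1024 is in no entry at all.
for p in 1214 1024 563; do
    printf 'port %s: %s\n' "$p" "$(safe_port_covered "$p")"
done
```

Point the `SQUID_CONF` variable at the real file (`SQUID_CONF=$(cat /etc/squid/squid.conf)`) to run the same check against a live configuration before adding yet another `acl Safe_ports` line for a port that is already covered by a range.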

  7. #7

    kazaa+squid+iptables

    I'd like to know something. I already asked JIm for help (to whom I'm very grateful); it's a problem that persists for me. I have a squid and I can't get this squid, using iptables, to reach my e-mail, which is at www.X..com.br. The strange thing is that I set several rules and nothing. Do you have any idea how I could solve this problem?

  8. #8

    kazaa+squid+iptables

    have you tried this??
    iptables -t nat -A POSTROUTING -s rede_interna -j MASQUERADE   # rede_interna: your internal network range
    echo 1 > /proc/sys/net/ipv4/ip_forward

    if it didn't work, open a new topic with your iptables rules

  9. #9
    evandrobolsoni
    Guest

    doesn't work

    I'm posting my rules file, please take a look, I need to solve this problem.

    #!/bin/sh
    # firewall rules, in /etc/sysconfig/regras_fireall
    #

    #########
    # Set variables for interfaces and IPs
    #

    INET_IP="200.195.XX.XX1"
    INET_IFACE="eth0"

    INET_IP2="200.195.XX.XX2"

    INET_IP3="200.195.XX.XX3"

    LAN_IP="192.168.200.2"

    LAN_IFACE="eth1"

    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    #########
    # Define reserved networks
    #
    RESERVED_NET="
    0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \
    23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 \
    39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8 \
    58.0.0.0/7 60.0.0.0/8 67.0.0.0/8 68.0.0.0/6 72.0.0.0/5 80.0.0.0/4 \
    96.0.0.0/3 169.254.0.0/16 192.0.2.0/24 197.0.0.0/8 201.0.0.0/8 \
    218.0.0.0/7 220.0.0.0/6 224.0.0.0/3"

    #########
    # iptables PATH
    #

    IPTABLES="/sbin/iptables"

    #########
    # Load the required modules
    #

    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ipt_state
    modprobe ipt_unclean
    modprobe ipt_limit
    modprobe ipt_LOG
    modprobe ipt_REJECT
    modprobe ipt_MASQUERADE

    #########
    # Set kernel parameters
    #

    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/all/log_martians

    #########
    # Flush chains, delete chains and set the default policies for the chains
    #

    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    ########
    # Log spoofed packets
    #

    $IPTABLES -N log_spoofed
    $IPTABLES -A log_spoofed -j LOG --log-prefix "FIREWALL - spoofed: "
    $IPTABLES -A log_spoofed -j DROP

    ########
    # Log unclean packets
    #

    $IPTABLES -N log_unclean
    $IPTABLES -A log_unclean -j LOG --log-prefix "FIREWALL - unclean: "
    $IPTABLES -A log_unclean -j DROP

    ########
    # Log fragmented packets
    #

    $IPTABLES -N log_fragmentado
    $IPTABLES -A log_fragmentado -j LOG --log-prefix "FIREWALL - fragmentado: "
    $IPTABLES -A log_fragmentado -j DROP

    ########
    # Log FTP connections
    #

    $IPTABLES -N log_ftp
    $IPTABLES -A log_ftp -j LOG --log-prefix "FIREWALL - --FTP--: "
    $IPTABLES -A log_ftp -j ACCEPT

    #########
    # Enable NAT on incoming packets
    #

    # NATs for the public IP
    # Allows adding a port for NAT access from outside to inside
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 20 -j DNAT --to 192.168.200.3:20
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 21 -j DNAT --to 192.168.200.3:21
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 25 -j DNAT --to 192.168.200.3:25
    $IPTABLES -A PREROUTING -t nat -d $INET_IP -p tcp --dport 80 -j DNAT --to 192.168.200.3:80
    $IPTABLES -A PREROUTING -t nat -d $INET_IP2 -p tcp --dport 80 -j DNAT --to 192.168.200.2:80
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 110 -j DNAT --to 192.168.200.3:110
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 53 -j DNAT --to 192.168.200.3:53
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p udp --dport 53 -j DNAT --to 192.168.200.3:53

    #########
    # Enable NAT on outgoing packets
    #
    $IPTABLES -t nat -A POSTROUTING -s 192.168.200.0/24 -o $INET_IFACE -j MASQUERADE

    #########
    # Allow packets on the loopback interface
    #

    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    #########
    # Block unclean and fragmented packets
    #

    $IPTABLES -A INPUT -i $INET_IFACE -m unclean -j log_unclean
    $IPTABLES -A INPUT -f -i $INET_IFACE -j log_fragmentado

    #########
    # Check for spoofed IPs
    #

    $IPTABLES -A INPUT -i $LAN_IFACE ! -s 192.168.200.0/24 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 10.0.0.0/8 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 172.16.0.0/12 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 192.168.0.0/16 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 127.0.0.0/8 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 255.255.255.255 -j log_spoofed
    for NET in $RESERVED_NET; do
    $IPTABLES -A INPUT -i $INET_IFACE -s $NET -j log_spoofed
    done
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 0.0.0.0 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 10.0.0.0/8 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 172.16.0.0/12 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 192.168.0.0/16 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 224.0.0.0/4 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 240.0.0.0/5 -j log_spoofed

    #########
    # FORWARD chain
    #

    $IPTABLES -N good-bad
    $IPTABLES -N bad-good

    # Allow packets from established and related connections
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A FORWARD -s 192.168.200.0/24 -o $INET_IFACE -j good-bad
    $IPTABLES -A FORWARD -s 0.0.0.0/0 -o $LAN_IFACE -j bad-good

    # Drop all other packets, logging them
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FIREWALL - forward drop: "

    #########
    # Access from the administrative network to the Internet
    #
    $IPTABLES -A good-bad -p tcp --dport 21 -i $LAN_IFACE -j log_ftp
    $IPTABLES -A good-bad -p tcp --dport 22 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 23 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 25 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 53 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 53 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 81 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 113 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 443 -i $LAN_IFACE -j ACCEPT

    #receita federal
    $IPTABLES -A good-bad -p tcp --dport 8017 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 1081 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 2631 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 2631 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 5631 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 5631 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 5632 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 5632 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 33434:33500 -i $LAN_IFACE -j ACCEPT

    # receita.fazenda receitanet
    $IPTABLES -A good-bad -p tcp --dport 3456 -i $LAN_IFACE -j ACCEPT

    #Cnpq
    $IPTABLES -A good-bad -p tcp --dport 2001 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 2002 -i $LAN_IFACE -j ACCEPT

    # banestes
    $IPTABLES -A good-bad -p tcp --dport 4226 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p icmp -i $LAN_IFACE -j ACCEPT

    # CAT
    $IPTABLES -A good-bad -p tcp --dport 5017 -i $LAN_IFACE -j ACCEPT

    #Rational
    $IPTABLES -A good-bad -p tcp --dport 27000 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 1030:1050 -i $LAN_IFACE -j ACCEPT

    #########
    #
    # Access from the Internet to the server
    # Permission for the NAT done above

    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 20 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 21 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 25 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 53 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p udp -d 192.168.200.3 --dport 53 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 80 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.2 --dport 80 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 110 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 6502 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.1 --dport 6501 -i $INET_IFACE -j ACCEPT

    #########
    # INPUT chain
    #

    $IPTABLES -N bad-if
    $IPTABLES -N good-if

    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "FW - input - New not syn:"
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $INET_IFACE -j bad-if
    $IPTABLES -A INPUT -i $LAN_IFACE -j good-if

    # priority definition
    $IPTABLES -t mangle -A INPUT -i $LAN_IFACE -p tcp --dport 80 -j TOS --set-tos 16
    $IPTABLES -t mangle -A OUTPUT -o $LAN_IFACE -p tcp --dport 80 -j TOS --set-tos 16

    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FIREWALL - input drop: "

    $IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 22 -j ACCEPT
    $IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 80 -j ACCEPT
    $IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 443 -j ACCEPT

    $IPTABLES -A good-if -d 192.168.200.255 -j DROP
    $IPTABLES -A good-if -d 255.255.255.255 -j DROP
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 20 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 21 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 22 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 80 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 443 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 3128 -j ACCEPT
    $IPTABLES -A good-if -p icmp -j ACCEPT

    #########
    # OUTPUT chain
    #

    $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "FW - output New not syn:"
    $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -j ACCEPT

    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FIREWALL - output drop: "

  10. #10

    kazaa+squid+iptables

    Try allowing 1024 in squid.conf...

    Add this to iptables too:

    iptables -A FORWARD -i ppp0 --protocol tcp --source-port 1024:65535 -j ACCEPT
    iptables -A FORWARD -i ppp0 --protocol udp --source-port 1024:65535 -j ACCEPT

  11. #11
    evandrobolsoni
    Guest

    1024?

    But is Kazaa's port 1024 or 1214?

  12. #12
    evandrobolsoni
    Guest

    solved!

    Going by the rules I posted above, the answer is this:

    $IPTABLES -A good-bad -p tcp -s 192.168.200.125 --dport 80 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp -s 192.168.200.125 --dport 1214:65535 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp -s 192.168.200.125 --dport 1214:65535 -i $LAN_IFACE -j ACCEPT

    you also have to allow 1214 in squid.conf

    thanks

  13. #13
    Oráculo
    Guest

    Kazaa and ipchains

    I use ipchains and have the same problem: I need to open the port for Kazaa Lite 2.4.3b for just one machine, but I don't get it, I open port 1214 and nothing. I need this urgently! Thanks