Página 2 de 3 PrimeiroPrimeiro 123 ÚltimoÚltimo
+ Responder ao Tópico



  1. 1)Falto uma parte do squid.conf ele tem um http_access allow !Safe_ports ou seja qq porta que num tiver nakele lista dele de safeports vai ser bloqueado

    2) pra liberar o kazaa num precisa definir porta, tem 2 opcoes
    2.1)usar a porta do proxy mesmo usando socks na configuracao do kazaa(acho que eh assim)
    2.2) vc pode liberar por iptables sem ter q passar pelo proxy, vc soh define no kazaa que se conecta diretamente:
    as regras sao:
    iptables -t nat -A POSTROUTING -s rede_interna -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

  2. Queria sabe de uma coisa ate ja pedi ajuda para JIm ( que sou muito grato) é um problema que persiste comigo eu tenho um squid e nao consiguo fazer este squid usando iptables acessar meu email que estao no www.X..com.br estranho que setei varias regras e nada vc tem alguma idea como eu poderia resolver este problemas



  3. jah tentou essa??
    iptables -t nat -A POSTROUTING -s rede_interna -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

    c num funfou cria um topico novo com tuas regras de iptables

  4. #9
    evandrobolsoni
    tô postando o meu arq. de regras, por favor dá uma olhada, preciso resolver este problema.

    #!/bin/sh
    # regras do firewall em /etc/sysconfig/regras_fireall
    #

    #########
    # Seta variáveis com interfaces e IPs
    #

    INET_IP="200.195.XX.XX1"
    INET_IFACE="eth0"

    INET_IP2="200.195.XX.XX2"

    INET_IP3="200.195.XX.XX3"

    LAN_IP="192.168.200.2"

    LAN_IFACE="eth1"

    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    #########
    # Define redes reservadas
    #
    RESERVED_NET="
    0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 \
    23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 \
    39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8 \
    58.0.0.0/7 60.0.0.0/8 67.0.0.0/8 68.0.0.0/6 72.0.0.0/5 80.0.0.0/4 \
    96.0.0.0/3 169.254.0.0/16 192.0.2.0/24 197.0.0.0/8 201.0.0.0/8 \
    218.0.0.0/7 220.0.0.0/6 224.0.0.0/3"

    #########
    # iptables PATH
    #

    IPTABLES="/sbin/iptables"

    #########
    # Carrega módulos necessários
    #

    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ipt_state
    modprobe ipt_unclean
    modprobe ipt_limit
    modprobe ipt_LOG
    modprobe ipt_REJECT
    modprobe ipt_MASQUERADE

    #########
    # Seta parâmetros de kernel
    #

    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    echo "0" > /proc/sys/net/ipv4/tcp_timestamps
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/all/log_martians

    #########
    # Limpa cadeias, apaga cadeias e seta políticas padrão para as cadeias
    #

    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    ########
    # Loga pacotes spoofed
    #

    $IPTABLES -N log_spoofed
    $IPTABLES -A log_spoofed -j LOG --log-prefix "FIREWALL - spoofed: "
    $IPTABLES -A log_spoofed -j DROP

    ########
    # Loga pacotes unclean
    #

    $IPTABLES -N log_unclean
    $IPTABLES -A log_unclean -j LOG --log-prefix "FIREWALL - unclean: "
    $IPTABLES -A log_unclean -j DROP

    ########
    # Loga pacotes fragmentados
    #

    $IPTABLES -N log_fragmentado
    $IPTABLES -A log_fragmentado -j LOG --log-prefix "FIREWALL - fragmentado: "
    $IPTABLES -A log_fragmentado -j DROP

    ########
    # Loga conexoes FTP
    #

    $IPTABLES -N log_ftp
    $IPTABLES -A log_ftp -j LOG --log-prefix "FIREWALL - --FTP--: "
    $IPTABLES -A log_ftp -j ACCEPT

    #########
    # Habilita NAT nos pacotes que entram
    #

    # Nat's do IP valido
    # Permite inclusao porta p/ acesso nat fora para dentro
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 20 -j DNAT --to 192.168.200.3:20
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 21 -j DNAT --to 192.168.200.3:21
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 25 -j DNAT --to 192.168.200.3:25
    $IPTABLES -A PREROUTING -t nat -d $INET_IP -p tcp --dport 80 -j DNAT --to 192.168.200.3:80
    $IPTABLES -A PREROUTING -t nat -d $INET_IP2 -p tcp --dport 80 -j DNAT --to 192.168.200.2:80
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 110 -j DNAT --to 192.168.200.3:110
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p tcp --dport 53 -j DNAT --to 192.168.200.3:53
    $IPTABLES -A PREROUTING -t nat -i $INET_IFACE -p udp --dport 53 -j DNAT --to 192.168.200.3:53

    #########
    # Habilita NAT nos pacotes que saem
    #
    $IPTABLES -t nat -A POSTROUTING -s 192.168.200.0/24 -o $INET_IFACE -j MASQUERADE

    #########
    # Permite pacotes na interface loopback
    #

    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    #########
    # Bloqueia pacotes unclean e fragmentados
    #

    $IPTABLES -A INPUT -i $INET_IFACE -m unclean -j log_unclean
    $IPTABLES -A INPUT -f -i $INET_IFACE -j log_fragmentado

    #########
    # Verifica IP's spoofed
    #

    $IPTABLES -A INPUT -i $LAN_IFACE ! -s 192.168.200.0/24 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 10.0.0.0/8 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 172.16.0.0/12 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 192.168.0.0/16 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 127.0.0.0/8 -j log_spoofed
    $IPTABLES -A INPUT -i $INET_IFACE -s 255.255.255.255 -j log_spoofed
    for NET in $RESERVED_NET; do
    $IPTABLES -A INPUT -i $INET_IFACE -s $NET -j log_spoofed
    done
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 0.0.0.0 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 10.0.0.0/8 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 172.16.0.0/12 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 192.168.0.0/16 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 224.0.0.0/4 -j log_spoofed
    $IPTABLES -A OUTPUT -o $INET_IFACE -d 240.0.0.0/5 -j log_spoofed

    #########
    # Cadeia FORWARD
    #

    $IPTABLES -N good-bad
    $IPTABLES -N bad-good

    # Permite pacotes de conexões estabelecidas e relacionas
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPTABLES -A FORWARD -s 192.168.200.0/24 -o $INET_IFACE -j good-bad
    $IPTABLES -A FORWARD -s 0.0.0.0/0 -o $LAN_IFACE -j bad-good

    # Dropa todos os outros pacote, logando-os
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FIREWALL - forward drop: "

    #########
    # Acesso da rede Administrativa para a Internet
    #
    $IPTABLES -A good-bad -p tcp --dport 21 -i $LAN_IFACE -j log_ftp
    $IPTABLES -A good-bad -p tcp --dport 22 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 23 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 25 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 53 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 53 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 81 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 113 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 443 -i $LAN_IFACE -j ACCEPT

    #receita federal
    $IPTABLES -A good-bad -p tcp --dport 8017 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 1081 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 2631 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 2631 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 5631 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 5631 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 5632 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 5632 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p udp --dport 33434:33500 -i $LAN_IFACE -j ACCEPT

    # receita.fazenda receitanet
    $IPTABLES -A good-bad -p tcp --dport 3456 -i $LAN_IFACE -j ACCEPT

    #Cnpq
    $IPTABLES -A good-bad -p tcp --dport 2001 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 2002 -i $LAN_IFACE -j ACCEPT

    # banestes
    $IPTABLES -A good-bad -p tcp --dport 4226 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p icmp -i $LAN_IFACE -j ACCEPT

    # CAT
    $IPTABLES -A good-bad -p tcp --dport 5017 -i $LAN_IFACE -j ACCEPT

    #Rational
    $IPTABLES -A good-bad -p tcp --dport 27000 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A good-bad -p tcp --dport 1030:1050 -i $LAN_IFACE -j ACCEPT

    #########
    #
    # Acesso da Internet para o servidor
    # Permissao do Nat feito anteriormente

    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 20 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 21 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 25 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 53 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p udp -d 192.168.200.3 --dport 53 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 80 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.2 --dport 80 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 110 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.3 --dport 6502 -i $INET_IFACE -j ACCEPT
    $IPTABLES -A bad-good -p tcp -d 192.168.200.1 --dport 6501 -i $INET_IFACE -j ACCEPT

    #########a
    # Cadeia INPUT
    #

    $IPTABLES -N bad-if
    $IPTABLES -N good-if

    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "FW - input - New not syn:"
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $INET_IFACE -j bad-if
    $IPTABLES -A INPUT -i $LAN_IFACE -j good-if

    # definicao de prioridade
    $IPTABLES -t mangle -A INPUT -i $LAN_IFACE -p tcp --dport 80 -j TOS --set-tos 16
    $IPTABLES -t mangle -A OUTPUT -o $LAN_IFACE -p tcp --dport 80 -j TOS --set-tos 16

    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FIREWALL - input drop: "

    $IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 22 -j ACCEPT
    $IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 80 -j ACCEPT
    $IPTABLES -A bad-if -p TCP -s 0.0.0.0/0.0.0.0 --dport 443 -j ACCEPT

    $IPTABLES -A good-if -d 192.168.200.255 -j DROP
    $IPTABLES -A good-if -d 255.255.255.255 -j DROP
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 20 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 21 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 22 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 80 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 443 -j ACCEPT
    $IPTABLES -A good-if -p TCP -s 192.168.200.0/24 --dport 3128 -j ACCEPT
    $IPTABLES -A good-if -p icmp -j ACCEPT

    #########
    # Cadeia OUTPUT
    #

    $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "FW - output New not syn:"
    $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -j ACCEPT

    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FIREWALL - output drop: "



  5. Tenta liberar a 1024 no squid.conf...

    Adiciona no Iptables tb:

    iptables -A FORWARD -i ppp0 --protocol tcp --source-port 1024:65535 -j ACCEPT
    iptables -A FORWARD -i ppp0 --protocol udp --source-port 1024:65535 -j ACCEPT






Tópicos Similares

  1. kazaa+proxy squid+iptables
    Por no fórum Servidores de Rede
    Respostas: 4
    Último Post: 19-12-2003, 13:26
  2. Desafio Squid + Iptables
    Por Valhalla no fórum Servidores de Rede
    Respostas: 36
    Último Post: 20-08-2003, 18:40
  3. SQUID - IPTABLES
    Por no fórum Segurança
    Respostas: 7
    Último Post: 08-02-2003, 07:53
  4. Squid - IpTables
    Por no fórum Segurança
    Respostas: 7
    Último Post: 04-02-2003, 17:09
  5. squid+iptable-smtp.pop
    Por APeixoto no fórum Segurança
    Respostas: 3
    Último Post: 27-09-2002, 17:12

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L