


  1. #1
    josedec
    Guest

    FTP blocked

    Folks,

    my problem is the following. I am able to access several FTP addresses, but there is one in particular that I cannot reach: IP 200.199.14.8.
    I cannot ping it, and the route cannot resolve the address. But when I remove the firewall/proxy, I access it normally.


    What could be happening in my iptables to block only this FTP address and not the others?
    Could it be my provider having a problem, or is my iptables missing some configuration?

  2. #2
    maverick_cba
    Guest

    FTP blocked

    Post your firewall rules so we can take a look.

  3. #3
    josedec
    Guest

    Take a look at the script

    File iptables.sh

    ###################################################
    # Script to implement a firewall with iptables
    # Author:
    # Maintenance:
    # Date: April/2003
    # Last maintenance: 10/04/03
    ###################################################


    ##########################################
    # Reset iptables rules
    ##########################################

    /usr/sbin/iptables --flush
    /usr/sbin/iptables --table nat --flush
    /usr/sbin/iptables --delete-chain
    /usr/sbin/iptables --table nat --delete-chain

    ##########################################
    # Variable definitions
    ##########################################

    IT=/usr/sbin/iptables

    # Ports

    P_PPTP=1723 # VPN
    P_TERMSERV=3389 # Windows Terminal Services
    P_ORACLE=1521 # Oracle database server
    P_SQL=1433 # SQL Server database server
    P_PCANYD=5631 # pcAnywhere data
    P_PCANYS=5632 # pcAnywhere status
    P_VNCA1=5900 # VNC application
    P_VNCA2=5901 # VNC application
    P_VNCA3=5902 # VNC application
    P_VNCA4=5903 # VNC application
    P_VNCW1=5800 # VNC web applet
    P_VNCW2=5801 # VNC web applet
    P_VNCW3=5802 # VNC web applet
    P_VNCW4=5803 # VNC web applet
    P_TREND=80 # Antivirus - update service
    P_CAGEDNET=2500 # CAGEDnet for ACI
    P_CONXSOC=2631 # Conectividade Social
    #P_DSNET=21 # DSNet - server 200.249.133.132
    P_SEFAZNET=50000 # Sefaz Net
    P_GIMNET=1023 # GIM Net - server 200.249.15.56
    P_CONEX=81 # SIMASA foreign trade system
    P_MESSENGER=1863 # MSN Messenger
    P_MESSENGEV=6901 # MSN voice - UDP, TCP
    P_SAGC99=1049 # Gian - Pernambuco State Treasury
    P_RAISNET=3007 # Ministry of Labour - server 161.148.185.30
    P_RALNET1=1500 # Mines and Energy
    P_RALNET2=1600 # Mines and Energy
    P_RECEITANET=3456 # Receita Federal
    P_SINTEGRA=8017 # State Treasury Department

    # External servers

    S_SEFAZNET=200.253.176.68 # Sefaz Net
    S_CONSOC=200.201.173.68 # Caixa Economica
    S_GIMNET=200.249.15.56 # RN State Taxation Department
    S_PALMTOP=207.66.2.50 # Palm website
    S_SAGSERVER=200.238.112.123 # Pernambuco State Treasury - Gian
    S_RAISSERVER=161.148.185.30 # Ministry of Labour and Employment
    S_DSSERVER=200.249.133.132 # Recife City Hall

    # Physical interfaces

    IF_INTERNET=eth1
    IF_INTERNA=eth0

    # Networks

    REDE_INTERNET=192.xxx.xxx.xxx/255.255.255.0
    REDE_INTERNA=10.0.0.1/255.255.255.0

    # Interface IPs

    IP_IF_INTERNET=192.xxx.xxx.xxx
    IP_IF_INTERNA=10.0.0.101

    ##########################################
    # Anti-spoofing protection
    ##########################################

    touch /var/lock/subsys/local
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
    modprobe iptable_nat


    ##########################################
    # Start of firewall rules
    ##########################################

    # Default policies

    $IT -P INPUT DROP
    $IT -P FORWARD DROP
    $IT -P OUTPUT ACCEPT

    # Policy for the loopback interface

    $IT -A INPUT -i lo -j ACCEPT


    $IT -N LOGDROP
    $IT -A LOGDROP -m limit --limit 50/hour -j LOG
    $IT -A LOGDROP -j DROP


    ##########################################
    # NAT (MASQUERADING)
    ##########################################

    # SourceNAT INTERNAL-NETWORK --> INTERNET

    $IT --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
    $IT --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

    #$IT -t nat -A POSTROUTING -s $REDE_INTERNA -o $IF_INTERNET -j SNAT --to-source $IP_IF_INTERNET
    #$IT --table nat --append POSTROUTING -s $REDE_INTERNA --out-interface eth1 -j MASQUERADE
    #$IT --append FORWARD --in-interface eth1 -j ACCEPT

    ##########################################
    # NAT (PORT FORWARD)
    ##########################################

    # DestinationNAT INTERNET --> Win2000 host on the INTERNAL NETWORK
    # for VPN
    # port 1723 - PPTP
    # protocol 47 - GRE

    #$IT -t nat -A PREROUTING -p tcp -d $S_VPN_ALIAS --dport 3389 -j DNAT --to $S_VPN_INTERNO

    #$IT -t nat -A PREROUTING -p tcp -d $S_VPN_ALIAS --dport 1723 -j DNAT --to $S_VPN_INTERNO

    #$IT -t nat -A PREROUTING -p 80,21 -d $S_VPN_ALIAS -j DNAT --to $S_VPN_INTERNO

    #$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp -d 200.68.173.243 --dport 80 -j ACCEPT
    $IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
    $IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 443 -j REDIRECT --to-port 3128
    #$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 21 -j REDIRECT --to-port 3128

    ##########################################
    # Chain definitions
    ##########################################

    # Forwards

    $IT -N interna-internet
    $IT -N interna-interna
    $IT -N internet-interna

    # Inputs

    $IT -N interna-if
    $IT -N internet-if
    $IT -N icmp-accept

    # Forward definitions

    $IT -A FORWARD -i $IF_INTERNA -o $IF_INTERNET -j interna-internet
    $IT -A FORWARD -i $IF_INTERNA -o $IF_INTERNA -j interna-interna
    $IT -A FORWARD -i $IF_INTERNET -o $IF_INTERNA -j internet-interna

    # Input definitions

    $IT -A INPUT -i $IF_INTERNA -j interna-if
    $IT -A INPUT -i $IF_INTERNET -j internet-if


    ##########################################
    # Filters
    ##########################################

    # Permissions for ICMP packets

    $IT -A icmp-accept -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IT -A icmp-accept -p icmp --icmp-type source-quench -j ACCEPT
    $IT -A icmp-accept -p icmp --icmp-type time-exceeded -j ACCEPT
    $IT -A icmp-accept -p icmp --icmp-type parameter-problem -j ACCEPT
    $IT -A icmp-accept -p icmp --icmp-type echo-reply -j ACCEPT

    # Against Ping of Death
    $IT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Against SYN-flood attacks
    $IT -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
    # Against advanced port scanners (nmap)
    $IT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
    # Against damaged or suspicious packets
    $IT -A FORWARD -m unclean -j DROP

    ##########################################
    # internal to internal
    ##########################################

    # Allow everything from internal to internal
    $IT -A interna-interna -j ACCEPT

    ##########################################
    # internal to internet
    ##########################################

    # Allow http and ftp for fully unrestricted workstations
    $IT -A interna-internet -m multiport -p tcp -s 13.0.5.0/16 --dport 80,43,21 -j ACCEPT
    #$IT -A interna-internet -p udp -s $S_SERVIDOR --dport 20 -j ACCEPT

    # Protocol 47 GRE for VPN
    $IT -A interna-internet -p 47 -j ACCEPT

    # Basic permitted services
    $IT -A interna-internet -m multiport -p tcp --dport domain,pop-3,smtp,imap,telnet,ssh,$P_PPTP,$P_TERMSERV,snmp,nntp,nntps,113 -j ACCEPT

    $IT -A interna-internet -m multiport -p tcp --dport $P_VNCA1,$P_VNCA2,$P_VNCW1,$P_VNCW2,$P_MESSENGER,$P_MESSENGEV,$P_PCANYD,$P_PCANYS,$P_SQL -j ACCEPT

    $IT -A interna-internet -m multiport -p udp --dport domain,snmp,$P_MESSENGER,$P_MESSENGEV,nntp,nntps -j ACCEPT

    # Access to Receita Federal, Mines and Energy, Ministry of Labour, State Treasury
    $IT -A interna-internet -m multiport -p tcp --dport $P_RECEITANET,$P_RALNET1,$P_RALNET2,$P_RAISNET,$P_SAGC99,$P_SINTEGRA -j ACCEPT

    # Connection to Conectividade Social
    $IT -A interna-internet -p tcp --dport $P_CONXSOC -j ACCEPT

    # Connection to CAGEDnet - Ministry of Labour
    $IT -A interna-internet -p tcp --dport $P_CAGEDNET -j ACCEPT

    # Connection to the SEFAZNET network
    $IT -A interna-internet -p tcp --dport $P_SEFAZNET -d $S_SEFAZNET -j ACCEPT

    # Connection to the GIMNET network
    $IT -A interna-internet -p tcp --dport $P_GIMNET -d $S_GIMNET -j ACCEPT

    # Connection to Caixa Economica
    $IT -A interna-internet -p tcp --dport http -d $S_CONSOC -j ACCEPT

    # Established and related connections
    $IT -A interna-internet -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Ping and ICMP
    $IT -A interna-internet -j icmp-accept
    $IT -A interna-internet -p icmp --icmp-type ping -j ACCEPT

    ##########################################
    # internet to internal
    ##########################################

    # Established and related connections
    $IT -A internet-interna -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP
    $IT -A internet-interna -p icmp -j icmp-accept

    # Ident and pop3
    $IT -A internet-interna -m multiport -p tcp --dport 80,113,pop-3,smtp,ftp-data,ftp -j ACCEPT

    # MSN
    #$IT -A internet-interna -p tcp --dport 1024:65000 -j ACCEPT

    ############################################
    # Input rules for the firewall itself: caution!
    ############################################

    # ---- INTERNAL INTERFACE ------
    # Established and related connections
    $IT -A interna-if -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Ping and ICMP
    $IT -A interna-if -j icmp-accept
    $IT -A interna-if -p icmp --icmp-type ping -j ACCEPT

    # ident
    #IT -A interna-if -p tcp --dport 113 -j REJECT

    # ftp, ssh and shell
    $IT -A interna-if -p tcp --dport ftp -j ACCEPT
    $IT -A interna-if -p tcp --dport ssh -j ACCEPT

    # access permission to squid
    $IT -A interna-if -p tcp -s $REDE_INTERNA --dport 3128 -j ACCEPT

    # this firewall is also the DNS server for the internal network
    $IT -A interna-if -p tcp --dport domain -j ACCEPT
    $IT -A interna-if -p udp --dport domain -j ACCEPT
    $IT -A interna-if -p tcp --dport smtp -j ACCEPT
    $IT -A interna-if -p tcp --dport pop-3 -j ACCEPT
    $IT -A interna-if -p tcp --dport 113 -j ACCEPT

    # ---- INTERNET INTERFACE ------
    # this firewall is also the DNS server for the internal network
    $IT -A internet-if -p udp --dport domain -j ACCEPT
    $IT -A internet-if -p tcp --dport domain -j ACCEPT
    $IT -A internet-if -p tcp --dport smtp -j ACCEPT
    $IT -A internet-if -p udp --dport smtp -j ACCEPT
    $IT -A internet-if -p tcp --dport pop-3 -j ACCEPT
    $IT -A internet-if -p tcp --dport 113 -j ACCEPT
    $IT -A internet-if -p tcp --dport ftp -j ACCEPT
    $IT -A internet-if -p udp --dport ftp-data -j ACCEPT

    # Established and related connections
    $IT -A internet-if -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP
    $IT -A internet-if -j icmp-accept

    # ident
    $IT -A internet-if -p tcp --dport 113 -j REJECT

  4. #4
    Guest

    FTP blocked

    I didn't look at your script closely, but I know that when iptables does NAT it has some problems with FTP. I had some problems similar to yours: some sites accepted the connection and others didn't. When passive FTP was set in the browser, it accepted most of the time...
    I solved my problem by adding these two lines, which load two modules that fix this FTP problem, to rc.local (actually I put them in a script that rc.local calls, but they can be placed there directly)...
    Try it, then post back with the result.

    insmod /lib/modules/2.4.18-14/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o
    insmod /lib/modules/2.4.18-14/kernel/net/ipv4/netfilter/ip_nat_ftp.o


    Regards,
    Guidolin

  5. #5
    Guest

    FTP blocked

    The NAT rules have to come last. Also run the lsmod command and paste the output here for us.
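Posts #4 and #5 both come down to one check: are the FTP connection-tracking helper modules loaded, so that the data connection is matched as RELATED? The script below is an added example, not code from anyone in this thread; it reads `lsmod` output (two constructed samples are embedded) and reports which helper is missing, accepting either the 2.4-era names used in post #4 (ip_conntrack_ftp, ip_nat_ftp) or the newer nf_conntrack_ftp/nf_nat_ftp names.

```shell
#!/bin/sh
# Added example: check whether the FTP conntrack/NAT helpers are loaded,
# using lsmod output as input. Module names assumed: ip_conntrack_ftp and
# ip_nat_ftp (2.4 kernels) or nf_conntrack_ftp and nf_nat_ftp (2.6+).

# Constructed lsmod sample from a NAT box WITHOUT the FTP helpers.
LSMOD_WITHOUT='Module                  Size  Used by
iptable_nat             7112  1
ip_conntrack           27272  1 iptable_nat
ip_tables              15200  2 iptable_nat,iptable_filter'

# Constructed lsmod sample WITH both helpers loaded.
LSMOD_WITH='Module                  Size  Used by
ip_nat_ftp              3744  0
ip_conntrack_ftp        5232  1 ip_nat_ftp
iptable_nat             7112  1
ip_conntrack           27272  3 ip_nat_ftp,ip_conntrack_ftp,iptable_nat'

# module_loaded LSMOD_TEXT NAME -> exit 0 when NAME appears in column 1.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# ftp_helpers_missing LSMOD_TEXT -> prints the missing helper roles
# ("conntrack", "nat"), one per line; prints nothing when both are present.
ftp_helpers_missing() {
    lsmod_text=$1
    if ! module_loaded "$lsmod_text" ip_conntrack_ftp &&
       ! module_loaded "$lsmod_text" nf_conntrack_ftp; then
        echo conntrack
    fi
    if ! module_loaded "$lsmod_text" ip_nat_ftp &&
       ! module_loaded "$lsmod_text" nf_nat_ftp; then
        echo nat
    fi
}

# suggest_fix LSMOD_TEXT -> prints the modprobe command for each missing role.
suggest_fix() {
    for role in $(ftp_helpers_missing "$1"); do
        case $role in
            conntrack) echo "modprobe ip_conntrack_ftp   # nf_conntrack_ftp on 2.6+ kernels" ;;
            nat)       echo "modprobe ip_nat_ftp         # nf_nat_ftp on 2.6+ kernels" ;;
        esac
    done
}

# On a live system run: suggest_fix "$(lsmod)"
suggest_fix "$LSMOD_WITHOUT"
```

Without the helpers, only passive FTP whose data port is explicitly allowed gets through, which matches the "some servers work, others don't" symptom; with them, the ESTABLISHED,RELATED rules already in the script cover the data connection.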