+ Responder ao Tópico



  1. #1

    Padrão Squid e Firewall nao estao trabalhando juntos..

    Saudacoes galera, boa tarde.......

    consigo navegar normalmente com essa config do squid, porem mesmo que eu carrege os modulos ip_nat_ftp e ip_conntrack_ftp a parte, nao libera acesso a sites ftp, o pior comeca qdo carrego meu firewall, dae pãra tudo! e apos um stop no firewaal tudo volta, com excecao do ftp.

    Meu sistema e CL 10

    deixo meu scripts pro pessoal apura-los e desde ja agradeco pelas colaboracoes....
    ____________________________________________________________________
    #Squid.conf
    http_port 192.168.1.253:3128
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    cache_mem 16 MB
    cache_dir ufs /var/cache/squid 100 16 256
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    ftp_user [email protected]
    ftp_passive on
    dns_nameservers 201.10.120.2
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hour
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl rede src 192.168.1.0/255.255.255.0
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443 563
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow rede
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    cache_effective_user proxy
    cache_effective_group proxy
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    coredump_dir /var/cache/squid
    httpd_accel_single_host off
    ________________________________________________________________
    #!/bin/bash
    # firewall:
    #
    # description: Ativa/desativa filtragem de pacotes com mascaramento de IP.

    . /etc/rc.d/init.d/functions
    . /etc/sysconfig/network

    if [ ${NETWORKING} = "no" ]; then
    exit 0;
    fi

    IPTABLES="env iptables"
    DEPMOD="env depmod"
    INSMOD="env insmod"
    MODPROBE="env modprobe"
    RMMOD="env rmmod"
    PUBLIC_IFACE="eth0"
    TRUSTED_IFACE="eth1"
    IP_FORWARD="/proc/sys/net/ipv4/ip_forward"
    SAFE_DST_PORTS="ssh"

    #for i in ${IPTABLES} ${DEPMOD} ${INSMOD} ${RMMOD};
    #do
    # if [ ! -x $i ]; then
    # echo "Arquivos $i não encontrado."
    # exit 1
    # fi
    #done

    case "$1" in
    start)
    echo "Ativando firewall"

    # --- Carregando modulos necessarios ao NAT
    ${DEPMOD} -a
    ${MODPROBE} ip_tables
    ${MODPROBE} ip_conntrack
    ${MODPROBE} ip_conntrack_ftp
    ${MODPROBE} ip_conntrack_irc
    ${MODPROBE} iptable_nat
    ${MODPROBE} ip_nat_ftp

    echo "Modulos carregados"
    # --- Ativando "repasse" de pacotes
    if [ ! -f ${IP_FORWARD} ]; then
    echo "Kernel nao suporta mascaramento de IP."
    exit 1
    fi
    echo 1 > ${IP_FORWARD}

    # --- Resetando regras vigentes
    echo "Resetando regras ..."
    ${IPTABLES} -P INPUT ACCEPT
    ${IPTABLES} -F INPUT
    ${IPTABLES} -P OUTPUT ACCEPT
    ${IPTABLES} -F OUTPUT
    ${IPTABLES} -P FORWARD ACCEPT
    ${IPTABLES} -F FORWARD
    ${IPTABLES} -t nat -F


    # --- Especificando as regras de entrada
    ${IPTABLES} -A INPUT -i lo -j ACCEPT
    ${IPTABLES} -A INPUT -i ${TRUSTED_IFACE} -j ACCEPT

    # --- Todas as conexoes TCP ja estabelecidas ---
    ${IPTABLES} -A INPUT -p tcp ! --syn -j ACCEPT

    # --- Portas (abertas) confiaveis ---
    for PORT in ${SAFE_DST_PORTS};
    do
    ${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p tcp --destination-port ${PORT} --syn -j ACCEPT
    done

    # --- Negar acesso ao PostgreSQL (caso esteja aberto) ---
    # ${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p tcp --destination-port 5432 -j DROP
    # ${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p udp --destination-port 5432 -j DROP

    # --- Liberar acesso aas portas dinamicas (exceto X11) ---
    ${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p tcp --source-port 5001:5999 -j ACCEPT
    ${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p tcp --source-port 6011:65535 -j ACCEPT

    # --- Redefinicao de politica (NEGAR TUDO) ---
    ${IPTABLES} -P INPUT DROP

    # -- Mascarar rede local para navegar na internet ---
    ${IPTABLES} -A FORWARD -i ${TRUSTED_IFACE} -o ${PUBLIC_IFACE} -j ACCEPT
    ${IPTABLES} -t nat -A POSTROUTING -o ${PUBLIC_IFACE} -j MASQUERADE
    ${IPTABLES} -P FORWARD ACCEPT
    ;;
    stop)
    echo "Desativando firewall"
    ${IPTABLES} -P INPUT ACCEPT
    ${IPTABLES} -F INPUT
    ${IPTABLES} -P OUTPUT ACCEPT
    ${IPTABLES} -F OUTPUT
    ${IPTABLES} -P FORWARD ACCEPT
    ${IPTABLES} -F FORWARD
    ${IPTABLES} -t nat -F
    echo 0 > ${IP_FORWARD}
    ${RMMOD} ip_nat_ftp
    ${RMMOD} iptable_nat
    ${RMMOD} ip_conntrack_irc
    ${RMMOD} ip_conntrack_ftp
    ${RMMOD} ip_conntrack
    ${RMMOD} ip_tables
    ;;
    list)
    echo "Regras ativas:"
    ${IPTABLES} -L
    ;;
    restart)
    $0 stop
    $0 start
    ;;
    esac

    exit 0

    _________________________________________________________________-

    Grato

  2. #2

    Padrão

    O acesso por FTP provavelente pára porque você descarrega o módulo que é responsável por prover o serviço específico de NAT para FTP.

    Fora isso, eu recomendo que você dê uma revisada nessa firewall seu. Vá testando e sniffando a rede, lapidando os serviços. Você também poderia pegar um script de firewall pronto, lendo-o e utilizando suas opções.


    Abraços!



  3. #3

    Padrão ok

    muito obrigado XstefanoX ... estarei reverificando conforme sua dica, abraço