Squid e Firewall nao estao trabalhando juntos..

[fabianosms]

Saudacoes galera, boa tarde.......

consigo navegar normalmente com essa config do squid, porem mesmo que eu carrege os modulos ip_nat_ftp e ip_conntrack_ftp a parte, nao libera acesso a sites ftp, o pior comeca qdo carrego meu firewall, dae pãra tudo! e apos um stop no firewaal tudo volta, com excecao do ftp.

Meu sistema e CL 10

deixo meu scripts pro pessoal apura-los e desde ja agradeco pelas colaboracoes....
____________________________________________________________________
#Squid.conf
http_port 192.168.1.253:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /var/cache/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
ftp_user Squid@
ftp_passive on
dns_nameservers 201.10.120.2
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl rede src 192.168.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow rede
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user proxy
cache_effective_group proxy
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/cache/squid
httpd_accel_single_host off
________________________________________________________________
#!/bin/bash
# firewall:
#
# description: Ativa/desativa filtragem de pacotes com mascaramento de IP.

. /etc/rc.d/init.d/functions
. /etc/sysconfig/network

if [ ${NETWORKING} = "no" ]; then
exit 0;
fi

IPTABLES="env iptables"
DEPMOD="env depmod"
INSMOD="env insmod"
MODPROBE="env modprobe"
RMMOD="env rmmod"
PUBLIC_IFACE="eth0"
TRUSTED_IFACE="eth1"
IP_FORWARD="/proc/sys/net/ipv4/ip_forward"
SAFE_DST_PORTS="ssh"

#for i in ${IPTABLES} ${DEPMOD} ${INSMOD} ${RMMOD};
#do
# if [ ! -x $i ]; then
# echo "Arquivos $i não encontrado."
# exit 1
# fi
#done

case "$1" in
start)
echo "Ativando firewall"

# --- Carregando modulos necessarios ao NAT
${DEPMOD} -a
${MODPROBE} ip_tables
${MODPROBE} ip_conntrack
${MODPROBE} ip_conntrack_ftp
${MODPROBE} ip_conntrack_irc
${MODPROBE} iptable_nat
${MODPROBE} ip_nat_ftp

echo "Modulos carregados"
# --- Ativando "repasse" de pacotes
if [ ! -f ${IP_FORWARD} ]; then
echo "Kernel nao suporta mascaramento de IP."
exit 1
fi
echo 1 > ${IP_FORWARD}

# --- Resetando regras vigentes
echo "Resetando regras ..."
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -F INPUT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -F OUTPUT
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -F FORWARD
${IPTABLES} -t nat -F


# --- Especificando as regras de entrada
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A INPUT -i ${TRUSTED_IFACE} -j ACCEPT

# --- Todas as conexoes TCP ja estabelecidas ---
${IPTABLES} -A INPUT -p tcp ! --syn -j ACCEPT

# --- Portas (abertas) confiaveis ---
for PORT in ${SAFE_DST_PORTS};
do
${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p tcp --destination-port ${PORT} --syn -j ACCEPT
done

# --- Negar acesso ao PostgreSQL (caso esteja aberto) ---
# ${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p tcp --destination-port 5432 -j DROP
# ${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p udp --destination-port 5432 -j DROP

# --- Liberar acesso aas portas dinamicas (exceto X11) ---
${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p tcp --source-port 5001:5999 -j ACCEPT
${IPTABLES} -A INPUT -i ${PUBLIC_IFACE} -p tcp --source-port 6011:65535 -j ACCEPT

# --- Redefinicao de politica (NEGAR TUDO) ---
${IPTABLES} -P INPUT DROP

# -- Mascarar rede local para navegar na internet ---
${IPTABLES} -A FORWARD -i ${TRUSTED_IFACE} -o ${PUBLIC_IFACE} -j ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o ${PUBLIC_IFACE} -j MASQUERADE
${IPTABLES} -P FORWARD ACCEPT
;;
stop)
echo "Desativando firewall"
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -F INPUT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -F OUTPUT
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -F FORWARD
${IPTABLES} -t nat -F
echo 0 > ${IP_FORWARD}
${RMMOD} ip_nat_ftp
${RMMOD} iptable_nat
${RMMOD} ip_conntrack_irc
${RMMOD} ip_conntrack_ftp
${RMMOD} ip_conntrack
${RMMOD} ip_tables
;;
list)
echo "Regras ativas:"
${IPTABLES} -L
;;
restart)
$0 stop
$0 start
;;
esac

exit 0

_________________________________________________________________-

Grato

[xstefanox]

O acesso por FTP provavelente pára porque você descarrega o módulo que é responsável por prover o serviço específico de NAT para FTP.

Fora isso, eu recomendo que você dê uma revisada nessa firewall seu. Vá testando e sniffando a rede, lapidando os serviços. Você também poderia pegar um script de firewall pronto, lendo-o e utilizando suas opções.


Abraços!

[fabianosms]

muito obrigado XstefanoX ... estarei reverificando conforme sua dica, abraço