


  1. cara...

    como tá sua regra de redirecionamento para a porta do proxy?

    com o comando "lsmod" você consegue identificar algum módulo do iptables???

  2. O comando que vc indicou retornou isso:

    [root@Informatica2 ~]# lsmod
    Module Size Used by
    ipt_layer7 16772 1
    ipt_REDIRECT 6784 1
    xt_state 6400 2
    xt_limit 7040 1
    xt_mac 6144 3
    xt_tcpudp 7296 94
    i915 23552 2
    drm 80276 3 i915
    ip_nat_ftp 7808 0
    iptable_nat 12164 1
    ipt_MASQUERADE 8448 2
    ip_nat 22956 4 ipt_REDIRECT,ip_nat_ftp,iptable_nat,ipt_MASQUERADE
    ip_conntrack_ftp 12176 1 ip_nat_ftp
    ip_conntrack 58436 7 ipt_layer7,xt_state,ip_nat_ftp,iptable_nat,ipt_MASQUERADE,ip_nat,ip_conntrack_ftp
    nfnetlink 11288 2 ip_nat,ip_conntrack
    ipt_LOG 10752 18
    ipt_TOS 6528 70
    iptable_mangle 7168 1
    iptable_filter 7296 1
    ip_tables 18116 3 iptable_nat,iptable_mangle,iptable_filter
    x_tables 19972 11 ipt_layer7,ipt_REDIRECT,xt_state,xt_limit,xt_mac,xt_tcpudp,iptable_nat,ipt_MASQUERADE,ipt_LOG,ipt_TOS,ip_tables
    autofs4 25604 2
    hidp 24448 2
    l2cap 31872 5 hidp
    bluetooth 61796 2 hidp,l2cap
    sunrpc 164284 1
    fuse 49940 4
    dm_mirror 26832 0
    dm_multipath 23176 0
    dm_mod 62872 2 dm_mirror,dm_multipath
    video 21124 0
    sbs 20160 0
    i2c_ec 9344 1 sbs
    button 11152 0
    battery 14596 0
    ac 9604 0
    ipv6 272576 22
    lp 16968 0
    sg 38940 0
    snd_intel8x0 37148 1
    snd_ac97_codec 99748 1 snd_intel8x0
    snd_ac97_bus 6656 1 snd_ac97_codec
    i2c_i801 11916 0
    snd_seq_dummy 8196 0
    floppy 61540 0
    iTCO_wdt 15044 0
    i2c_core 26112 2 i2c_ec,i2c_i801
    ide_cd 42528 0
    snd_seq_oss 37120 0
    snd_seq_midi_event 11904 1 snd_seq_oss
    snd_seq 57072 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
    serio_raw 11396 0
    snd_seq_device 12428 3 snd_seq_dummy,snd_seq_oss,snd_seq
    8139too 31232 0
    8139cp 28288 0
    cdrom 38816 1 ide_cd
    pcspkr 7424 0
    snd_pcm_oss 46336 0
    snd_mixer_oss 20608 1 snd_pcm_oss
    tg3 108036 0
    mii 9728 2 8139too,8139cp
    snd_pcm 81156 3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss
    parport_pc 31396 1
    parport 40776 2 lp,parport_pc
    cdc_acm 20000 0
    snd_timer 26628 2 snd_seq,snd_pcm
    snd 58244 11 snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
    soundcore 12384 1 snd
    snd_page_alloc 14472 2 snd_intel8x0,snd_pcm
    ata_piix 19848 3
    libata 107028 1 ata_piix
    sd_mod 24960 4
    scsi_mod 140588 3 sg,libata,sd_mod
    ext3 135816 1
    jbd 63144 1 ext3
    ehci_hcd 34952 0
    ohci_hcd 24324 0
    uhci_hcd 27788 0
    [root@Informatica2 ~]#



  3. meu arquivo de firewall
    #!/bin/sh
    #
    # Firewall / NAT / transparent-proxy rule set for a two-interface gateway.
    # From the rules below: eth0 is the side the comments call "internet",
    # eth1 is the side carrying 192.168.1.0/24 and 200.139.12.0/24.
    # Must run as root. Rules are evaluated by iptables in the order they are
    # appended here, so the order of the -A lines is significant.
    #
    # NOTE(review): there is no "set -e" and no exit status is checked, so a
    # failing modprobe or iptables call only prints an error and the script
    # keeps going; the resulting rule set may then be incomplete.

    #=================================================================
    # MODULES TO LOAD
    # ================================================================

    echo "Carregando mdulos...."

    # NOTE(review): "\*" reaches modprobe as the literal module name "*", which
    # is not a module, so this line only prints an error. It looks like a
    # garbled line; the modprobe calls below resolve their own dependencies
    # (ip_tables etc.), so it can simply be removed.
    modprobe \*
    modprobe iptable_filter
    modprobe iptable_mangle
    modprobe ipt_TOS
    modprobe ipt_LOG
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_MASQUERADE
    modprobe iptable_nat
    modprobe ip_nat_ftp

    # ================================================================
    # FLUSH EXISTING RULES
    # ================================================================

    echo "Limpando regras..."

    # -Z zeroes packet counters, -F flushes rules, -X deletes user-defined
    # chains. The nat and filter tables are flushed/cleared twice (same
    # command, option order swapped) — harmless but redundant.
    # NOTE(review): the mangle table is never flushed, so every re-run of this
    # script appends a second copy of the TOS rules at the end.
    iptables -Z
    iptables -t nat -F
    iptables -F
    iptables -X
    iptables -F -t nat
    iptables -X -t nat
    iptables -F -t filter
    iptables -X -t filter


    ########### FILTER TABLE ############

    echo "Iniciando tabela : FILTER...."

    # Default policies: everything not matched by an explicit rule is allowed.
    # The "-P INPUT DROP" / "-P FORWARD DROP" lines further down are commented
    # out, so this stays ACCEPT.
    iptables -t filter -P INPUT ACCEPT
    iptables -t filter -P OUTPUT ACCEPT
    iptables -t filter -P FORWARD ACCEPT

    ########### NAT TABLE ############

    echo "Iniciando tabela : NAT.... "

    # NOTE(review): a DROP policy on nat POSTROUTING means any new connection
    # leaving an interface that is not explicitly accepted/masqueraded in the
    # POSTROUTING rules below falls to this policy. Traffic the gateway itself
    # originates on eth0 (source address is neither 192.168.1.0/24 nor
    # 200.139.12.0/24) appears to be in that situation — which would include a
    # local proxy's outbound connections. Confirm this is intended.
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -t nat -P POSTROUTING DROP

    ########### MANGLE TABLE ############

    echo "Iniciando tabela : MANGLE...."

    iptables -t mangle -P PREROUTING ACCEPT
    iptables -t mangle -P OUTPUT ACCEPT

    # Disabled port-forwards of TCP/80 to 192.168.1.3 (kept for reference).
    #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.3
    #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.3

    ################################################
    # Default policy (disabled — see the ACCEPT policies above)
    #iptables -P INPUT DROP
    #iptables -P FORWARD DROP
    ########################################


    #----------
    # Rules for the CEF "Conectividade Social" service
    #----------
    # NOTE(review): each rule DNATs the packet to the very address and port it
    # already carries (-d X --dport 80 --to-destination X:80), so as written
    # they change nothing. Presumably copied from a template where the
    # destination differed — confirm whether they are still needed.
    iptables -t nat -A PREROUTING -d 200.201.174.202 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.202:80
    iptables -t nat -A PREROUTING -d 200.201.174.203 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.203:80
    iptables -t nat -A PREROUTING -d 200.201.174.204 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.204:80
    iptables -t nat -A PREROUTING -d 200.201.174.205 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.205:80
    iptables -t nat -A PREROUTING -d 200.201.174.206 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.206:80
    iptables -t nat -A PREROUTING -d 200.201.174.207 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.207:80
    iptables -t nat -A PREROUTING -d 200.201.174.208 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.208:80
    iptables -t nat -A PREROUTING -d 200.201.174.209 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.209:80

    ###### IP SPOOFING PROTECTION ############

    echo "Proteᅵo contra : IP SPOOFING..."

    # NOTE(review): despite the heading, these rules ACCEPT packets arriving on
    # eth0 with a private source address. Because they sit in INPUT ahead of
    # the "-i eth0 -j eth0-input" dispatch below, such packets also bypass the
    # connection-state check in eth0-input. An anti-spoofing rule would
    # normally DROP them, and the full RFC 1918 ranges are 172.16.0.0/12 and
    # 192.168.0.0/16, not /16 and /24. Before changing, confirm eth0 does not
    # itself sit on one of these ranges (e.g. behind a modem/router).
    iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j ACCEPT
    iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j ACCEPT
    iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT

    ########### PING PROTECTION ############

    echo "Proteᅵo contra : PING"

    # Accepts echo-request from 200.139.12.0/24 on eth0, again ahead of the
    # eth0-input dispatch. NOTE(review): 200.139.12.0/24 is also treated as an
    # eth1-side network further down; verify it is expected on eth0 at all.
    iptables -A INPUT -s 200.139.12.0/24 -p icmp --icmp-type echo-request -i eth0 -j ACCEPT


    ########### PING OF DEATH PROTECTION ############

    echo "Proteᅵo contra : PING DA MORTE"

    # Only the message is printed; the rule itself is commented out, so no
    # protection is applied here.
    ############iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


    ########### SYN-FLOOD PROTECTION ############

    echo "Proteᅵo contra : SYS-FLOODS"

    # Message only; rule disabled.
    #iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT



    ########### PORT SCANNER PROTECTION ############

    echo "Proteᅵo contra : PORT SCANNERS"

    # Message only; rule disabled.
    #iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    ###### PROTECTION AGAINST MALFORMED OR SUSPICIOUS PACKETS

    echo "Proteᅵo contra : PACOTES DANIFICADOS"

    # Message only; rule disabled.
    #iptables -A FORWARD -m unclean -j DROP

    # ================================================================
    # ENABLING PACKET FORWARDING (NAT)
    # ================================================================

    echo "Ativando o ip_forward"

    # Kernel IPv4 forwarding (sysctl net.ipv4.ip_forward); the FORWARD rules
    # only matter once this is 1.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # ================================================================
    # FILTER TABLE
    # ================================================================

    # Create a chain that will handle traffic coming from the internet (eth0)

    echo "Criando chain de entrada..."

    iptables -N eth0-input

    # ########## ACCEPT CONNECTIONS FROM AND TO THE LOOPBACK INTERFACE

    echo "Criando regra de loopback...."

    iptables -A INPUT -i lo -j ACCEPT


    # ########## ALL TRAFFIC FROM THE INTERNAL NETWORK IS ACCEPTED #########

    echo "Criando regra para Intranet...."

    iptables -A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
    iptables -A INPUT -s 200.139.12.0/24 -i eth1 -j ACCEPT


    # ### CONNECTIONS ARRIVING ON ETH0 ARE HANDLED BY THE ETH0-INPUT CHAIN ########

    echo "Regra de tratamento de entrada..."

    iptables -A INPUT -i eth0 -j eth0-input

    ### The original comment says any other unknown connection is immediately
    ### logged and dropped — but the second rule below ACCEPTs.
    # NOTE(review): this LOG has no state or rate limit, so every packet that
    # reaches this point is written to the kernel log, and then accepted. If
    # the intent really is to drop (the commented-out "-P INPUT DROP" above
    # suggests so), the last rule would have to be "-j DROP".

    echo "Regra geral..."

    iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT "
    iptables -A INPUT -j ACCEPT

    ############# FORWARD CHAIN ##########################

    echo "Chain Forward..."

    # Explicit accepts in both directions between eth0 and the two eth1
    # networks, with no connection-state match.
    iptables -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -j ACCEPT

    iptables -A FORWARD -d 200.139.12.0/24 -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -s 200.139.12.0/24 -i eth1 -o eth0 -j ACCEPT

    # NOTE(review): as with INPUT, everything else is logged (unlimited) and
    # then accepted; with the FORWARD policy also ACCEPT, the filter table
    # never drops forwarded traffic. Inbound connections toward the eth1
    # networks are therefore only stopped, if at all, by the nat POSTROUTING
    # rules below — confirm that is the intended design.
    iptables -A FORWARD -j LOG --log-prefix "FIREWALL: FORWARD "
    iptables -A FORWARD -j ACCEPT

    ### ETH0-INPUT CHAIN ######

    echo "Chain etho-input..."

    ###### Accept all ICMP arriving on eth0, rate-limited #########
    # Packets above the 2/s limit do not match here and continue to the
    # state rules at the end of the chain.
    iptables -A eth0-input -p icmp -m limit --limit 2/s -j ACCEPT

    # LOG is a non-terminating target: these rules only record hits on the
    # listed ports; the accept/drop decision is made by the state rules below.
    iptables -A eth0-input -p tcp --dport 21 -j LOG --log-prefix "FIREWALL: ftp "
    iptables -A eth0-input -p tcp --dport 22 -j LOG --log-prefix "Porta SSH"
    iptables -A eth0-input -p tcp --dport 23 -j LOG --log-prefix "Porta TELNET"
    iptables -A eth0-input -p tcp --dport 25 -j LOG --log-prefix "FIREWALL: smtp "
    iptables -A eth0-input -p udp --dport 53 -j LOG --log-prefix "FIREWALL: dns "
    iptables -A eth0-input -p tcp --dport 113 -j LOG --log-prefix "FIREWALL: identd "

    iptables -A eth0-input -p udp --dport 111 -j LOG --log-prefix "FIREWALL: rpc"
    iptables -A eth0-input -p tcp --dport 111 -j LOG --log-prefix "FIREWALL: rpc"

    # NOTE(review): this labels port 3000 as squid, while the transparent-proxy
    # REDIRECT at the end of the script sends web traffic to 3128. Check which
    # port squid actually listens on; one of the two is out of date.
    iptables -A eth0-input -p tcp --dport 3000 -j LOG --log-prefix " FIREWALL: squid "

    iptables -A eth0-input -p tcp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
    # iptables -A eth0-input -p udp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "

    iptables -A eth0-input -p tcp --dport 5042 -j LOG --log-prefix "Servico: Wincrash"

    iptables -A eth0-input -p tcp --dport 12345 -j LOG --log-prefix "Servico: BackOrifice"

    # Block any attempt at a NEW connection from outside to this machine:
    # anything on eth0 that is not part of an established/related connection
    # is logged and dropped.
    # NOTE(review): "--state ! X" is the old intrapositioned negation; newer
    # iptables releases expect "! --state X" and at least warn on this form —
    # verify against the installed version.

    iptables -A eth0-input -m state --state ! ESTABLISHED,RELATED -j LOG --log-prefix "FIREWALL: eth0-in "
    iptables -A eth0-input -m state --state ! ESTABLISHED,RELATED -j DROP

    # Any other traffic (i.e. established/related) is accepted
    iptables -A eth0-input -j ACCEPT

    # ================================================================
    # NAT TABLE
    # ================================================================

    ##### POSTROUTING chain #####
    # Allow anything going to lo, and traffic from the two local networks
    # going out eth1
    iptables -t nat -A POSTROUTING -o lo -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j ACCEPT


    iptables -t nat -A POSTROUTING -s 200.139.12.0/24 -o eth1 -j ACCEPT



    # Source-NAT the two local networks behind eth0's address.
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

    iptables -t nat -A POSTROUTING -s 200.139.12.0/24 -o eth0 -j MASQUERADE


    # Anything else leaving eth1 toward the local networks (source not one of
    # the local ranges) is logged and dropped. Being in the nat table, this
    # only sees the first packet of each connection; it is also what would
    # block the commented-out DNAT port-forwards above if they were enabled.
    # Everything not listed here — including the gateway's own new connections
    # out eth0 — falls to the POSTROUTING DROP policy set earlier.
    iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.0/24 -j LOG --log-prefix "FIREWALL: SNAT unknown"
    iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.0/24 -j DROP

    iptables -t nat -A POSTROUTING -o eth1 -d 200.139.12.0/24 -j LOG --log-prefix "FIREWALL: SNAT unknown"
    iptables -t nat -A POSTROUTING -o eth1 -d 200.139.12.0/24 -j DROP

    # ================================================================
    # MANGLE TABLE
    # ================================================================


    # Mark interactive/latency-sensitive outbound traffic with TOS 0x10
    # ("Minimize-Delay") on eth0: ftp control, telnet, irc, dns.
    iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 21 -j TOS --set-tos 0x10
    iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 23 -j TOS --set-tos 0x10
    iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 6665:6668 -j TOS --set-tos 0x10
    iptables -t mangle -A OUTPUT -o eth0 -p udp --dport 53 -j TOS --set-tos 0x10

    # ALSO FOR HTTP
    iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j TOS --set-tos 0x10

    ##############################################################
    #
    # ENABLING THE TRANSPARENT PROXY
    #
    #############################################################

    # Traffic entering on eth1 (local network) for TCP port 80 (www) is
    # redirected to local port 3128 (proxy).
    # NOTE(review): the original comment below says port 3000, and the LOG
    # rule in eth0-input also calls 3000 "squid"; the rule says 3128. The
    # proxy must be listening on whichever port is given here — confirm.
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    # Traffic that enters through eth1 (local network) requesting a connection
    # on port 80 (www) will be redirected to port 3000 (proxy)

    # Note: see additional settings in squid.conf (httpd_accel)

    #######################################################################
    echo "================================================================"
    echo " FIM DO FIREWALL"
    echo "================================================================"

  4. Citação: Postado originalmente por lucianogf
    cara...

    como tá sua regra de redirecionamento para a porta do proxy?

    com o comando "lsmod" você consegue identificar algum módulo do iptables???
    cara...

    se você mandar tudo pra mim não vai adiantar nada...

    tente responder as duas perguntas acima...



  5. ok amigão, foi mal, tá dessa forma:
    # ENABLING PACKET FORWARDING (NAT)

    echo "Ativando o ip_forward"

    # Kernel IPv4 forwarding (sysctl net.ipv4.ip_forward)
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # ENABLING THE TRANSPARENT PROXY
    # Redirect TCP/80 arriving on eth1 to local port 3128. NOTE(review): the
    # proxy must actually be listening on 3128 — elsewhere in the full script
    # port 3000 is labelled as squid, so one of the two numbers is stale.
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    Com relação ao lsmod tá assim:
    [root@Informatica2 ~]# lsmod
    Module Size Used by
    ipt_layer7 16772 1
    ipt_REDIRECT 6784 1
    xt_state 6400 2
    xt_limit 7040 1
    xt_mac 6144 3
    xt_tcpudp 7296 94
    i915 23552 2
    drm 80276 3 i915
    ip_nat_ftp 7808 0
    iptable_nat 12164 1
    ipt_MASQUERADE 8448 2
    ip_nat 22956 4 ipt_REDIRECT,ip_nat_ftp,iptable_nat,ipt_MASQUERADE
    ip_conntrack_ftp 12176 1 ip_nat_ftp
    ip_conntrack 58436 7 ipt_layer7,xt_state,ip_nat_ftp,iptable_nat,ipt_MASQUERADE,ip_nat,ip_conntrack_ftp
    nfnetlink 11288 2 ip_nat,ip_conntrack
    ipt_LOG 10752 18
    ipt_TOS 6528 70
    iptable_mangle 7168 1
    iptable_filter 7296 1





