Página 1 de 3 123 ÚltimoÚltimo
+ Responder ao Tópico



  1. Amigos,

    Instalei o debina, coloquei o squid + iptables, navego numa boa, mas não baixo as mensagens no outlook ( porta 25 e 110 ) não conecta pelo telnet.

    Squid.conf

    #http_port 3128
    http_port 3128 transparent
    visible_hostname debian.number.com.br
    # Configuração do cache
    cache_mem 128 MB
    #maximum_object_size_in_memory 1536 KB
    maximum_object_size 4096 KB
    #minimum_object_size 0 KB
    cache_swap_low 95
    cache_swap_high 98
    cache_dir ufs /var/spool/squid 800 32 32
    # Localização do log de acessos do Squid
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log none
    connect_timeout 30 seconds
    refresh_pattern ^ftp: 15 20% 2280
    refresh_pattern ^gopher: 15 0% 2280
    refresh_pattern . 15 20% 2280
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    # Libera acessos na hora que quiser (horaliberada)
    #acl almoco time 12:00-14:00
    #http_access allow horaliberada
    # Regra para bloquear por palavras, arquivo em porn.txt
    acl porn dstdom_regex "/etc/squid/porn.txt"
    http_access deny porn
    # Regra para liberar por palavras, arquivo em noporn.txt
    acl noporn dstdom_regex "/etc/squid/noporn.txt"
    http_access allow noporn
    # Regra para Bloquear por domínio
    #acl bloqueados dstdomain orkut.com www.orkut.com playboy.abril.com.br
    #http_access deny bloqueados
    # Autenticação dos usuários
    #auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
    #acl autenticados proxy_auth REQUIRED
    #http_access allow autenticados
    # Libera para a rede local
    acl redelocal src 192.168.0.0/24
    http_access allow localhost
    http_access allow redelocal
    # Bloqueia acessos externos
    http_access deny all
    # Proxy transparente
    #httpd_accel_host virtual
    #httpd_accel_port 80
    #httpd_accel_with_proxy on
    #httpd_accel_uses_host_header on
    cache_mgr informatica@number.com.br
    cache_effective_user squid
    cache_effective_group squid

    iptables.up.rules

    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *nat
    :PREROUTING ACCEPT [4461:1258346]
    :POSTROUTING ACCEPT [241:22746]
    :OUTPUT ACCEPT [253:23976]
    -A PREROUTING -d 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 200.187.64.134
    -A PREROUTING -d 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 200.187.64.133
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 200.201.158.110
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
    #-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007
    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *mangle
    :PREROUTING ACCEPT [6707:1907215]
    :INPUT ACCEPT [2836:733195]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2490:1178774]
    :POSTROUTING ACCEPT [2600:1192994]
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007
    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 3128 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 137:139 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 137:139 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp --dport 53 -j ACCEPT
    -A INPUT -p udp --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp --dport 563 -j ACCEPT
    -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -p udp -s 192.168.0.0/24 -d 200.170.225.11 --dport 53 -j ACCEPT
    -A FORWARD -p udp -s 200.170.225.11 --sport 53 -d 192.168.0.0/24 -j ACCEPT
    -A FORWARD -p udp -s 192.168.0.0/24 -d 200.195.247.216 --dport 53 -j ACCEPT
    -A FORWARD -p udp -s 200.195.247.216 --sport 53 -d 192.168.0.0/24 -j ACCEPT
    -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.10 -j ACCEPT
    -A FORWARD -p TCP -s 192.168.0.0/24 --dport 25 -j ACCEPT
    -A FORWARD -p TCP -s 192.168.0.0/24 --dport 110 -j ACCEPT
    -A FORWARD -p tcp --sport 25 -j ACCEPT
    -A FORWARD -p tcp --sport 110 -j ACCEPT
    # -A FORWARD -p tcp -d mail.number.com.br -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -d 200.187.64.134 -i eth0 --dport 25 -j ACCEPT
    # -A FORWARD -p tcp -d smtp.ig.com.br -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -d 200.226.132.230 -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -i eth0 --dport 53 -j ACCEPT
    -A FORWARD -p udp -i eth0 --dport 53 -j ACCEPT
    # -A FORWARD -p tcp -d pop.number.com.br -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -d 200.187.64.133 -i eth0 --dport 110 -j ACCEPT
    # -A FORWARD -p tcp -d pop.ig.com.br -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -d 200.226.132.13 -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -i eth0 --dport 3128 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 1080 -j ACCEPT
    -A FORWARD -p tcp -s 192.168.0.0/24 --dport 443 -j ACCEPT
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007


    Me mostrem o que falta ou o que está errado, não consigo mais achar nada.

    obrigado

  2. #2
    wesleybsd
    Meu jovem
    Faco o seguinte, Tira esse lixo de linux e coloca freebsd com algumas regras basicas.

    #!/bin/sh
    #
    # Modelo de firewall para ser colocado no gateway principal da FreeBSD Consult
    # com acesso direto a rede externa.
    # www.freebsdconsult.com.br / wesley@freebsdconsult.com.br
    ################################################################
    ## Declarando minhas variaveis
    ################################################################

    ## zerando o firewall
    ipfw -q pipe flush
    ipfw -q flush

    Ext_Interfaces1="xl0"
    Int_Interfaces1="rl0"
    Int_Interfaces2="rl1"
    Int_Interfaces3="xl3"
    Int_Interfaces4="wi0"

    # Redes Clientes - Todas as redes dos clientes do provedor que passam por esse gateway
    MyClients=" 10.215.0.0/16 "

    # Redes Locais - Redes dos clientes que sao atendidas diretamente por esse gateway
    MyLocalNets=" 10.215.0.0/16 "

    # Gateways locais - Gateways das redes indicadas acima
    MyGateways="10.215.0.253"

    # Captive Portal
    CaptivePortal="10.215.0.20"
    CaptivePort="81"

    # Rede usada pelo Backbone
    MyBackbone="201.57.42.0/24"

    # Rede dos Servidores ( www, mail, dns )
    MyServersNet=" 201.57.42.0/24 "
    MyWWWServers=" 201.57.42.32 "
    MyMAILServers=" 201.57.42.32 "
    MyFTPServers="1.2.3.4"
    MySSHServers="1.2.3.4"
    MySAMBAServers="1.2.3.4"

    # Rede Interna
    MyInternalNets="192.168.100.0/24"

    # Clientes e Dominios sem Proxy
    ClientsSemProxy=""
    DominiosSemProxy=""

    # Redes Invalidas - rfc 1918
    InvalidNets="{ 0.0.0.0/8 or 169.254.0.0/16 or 192.0.2.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 }"

    ################################################################
    ## Verificar regras dinamicas
    ################################################################
    # Verificar regras dinamicas
    ipfw delete 1
    ipfw add 1 check-state

    ###############################################################
    ## Permitir Pacotes DHCP
    ###############################################################
    ipfw delete set 5
    ipfw add 20 set 5 permit udp from any 68 to 255.255.255.255 67 in
    ipfw add 21 set 5 permit udp from any 68 to me 67 in
    ipfw add 22 set 5 permit udp from me 67 to any 68 out

    ###############################################################
    ## Stop RFC1918 nets
    ###############################################################
    ipfw delete set 6
    ipfw add 40 set 6 deny all from ${InvalidNets} to any in via ${Ext_Interfaces1}

    # Bloqueio portas virus conhecidos
    ipfw delete set 10
    ipfw add 50 set 10 drop log logamount 100 tcp from any to any
    135-139,445,593,1080,1433,1434,1900,2283,2535,2745,3410,4444,5249,5554,6777,8866,8998,9996,9898,10000,10080,12345,17300,27374,38293,65506
    ipfw add 210 set 10 drop log logamount 100 udp from any to any
    135-139,445,593,1080,1433,1434,1900,2283,2535,2745,3410,4444,5249,5554,6777,8866,8998,9996,9898,10000,10080,12345,17300,27374,38293,65506

    ################################################################
    ## Adcionando ajustes ao kernel
    ################################################################
    # Ajustes de Kernel
    # apos passar em regras do dummynet o pacote retorna ao firewall na regra seguinte
    sysctl -w net.inet.ip.fw.one_pass=0

    # ativa controle em layer2
    sysctl -w net.link.ether.ipfw=0

    # Loga tentativas de conexoes em portas fechadas ( tcp / udp )
    sysctl -w net.inet.tcp.log_in_vain=1
    sysctl -w net.inet.udp.log_in_vain=1

    # Tempo de espera por um ACK
    sysctl -w net.inet.tcp.msl=7500

    # Enviar RST ou descartar os pacotes para uma porta fechada - 1 - envia RST, 2 - nao envia RST
    sysctl -w net.inet.tcp.blackhole=2
    sysctl -w net.inet.udp.blackhole=2

    # Numero de sockets - o padrao eh 128 - Max - 32767
    sysctl -w kern.ipc.somaxconn=32767

    # Drop ICMP redirect
    sysctl -w net.inet.icmp.drop_redirect=0
    sysctl -w net.inet.icmp.log_redirect=0
    sysctl -w net.inet.ip.redirect=0

    # Drop Sorce Routing
    sysctl -w net.inet.ip.sourceroute=0
    sysctl -w net.inet.ip.accept_sourceroute=0

    # Contra smurf attacks
    sysctl -w net.inet.icmp.bmcastecho=0

    # negar inforcacoes sobre a mascara de rede
    sysctl -w net.inet.icmp.maskrepl=0


    ###############################################################
    ## deny-and-log pacotes mal formados
    ###############################################################
    # XMAS tree
    ipfw add 100 set 10 deny log logamount 100 tcp from any to any in tcpflags fin,psh,urg

    # NULL scan (no flag set at all)
    ipfw add 110 set 10 deny log logamount 100 tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg

    # SYN flood (SYN,FIN)
    ipfw add 120 set 10 deny log logamount 100 tcp from any to any in tcpflags syn,fin

    # Stealth FIN scan (FIN,RST)
    ipfw add 130 set 10 deny log logamount 100 tcp from any to any in tcpflags fin,rst

    # Negar pacotes com informacoes de roteamento
    ipfw add 140 set 10 deny log logamount 100 ip from any to any in ipoptions ssrr,lsrr,rr,ts

    ################################################################
    # Os clientes desta rede devem passar pelo portal
    ################################################################
    ipfw delete set 8
    ipfw add 700 set 8 skipto 3000 ip from ${MyLocalNets} to any
    ipfw add 700 set 8 skipto 3000 ip from any to ${MyLocalNets}

    #####################################################################
    # Pacotes dos clientes de outras redes, mas que passam neste gateway
    # saltar para a regra 30000
    #####################################################################
    ipfw add 800 set 8 skipto 30000 ip from any to any

    ###############################################################
    ## regras do captive portal
    ## da regra 19000 a 19999
    ###############################################################
    ipfw delete set 16
    # Permitir DNS
    ipfw add 19900 set 16 permit ip from any to any 53
    ipfw add 19910 set 16 permit ip from any 53 to any

    # Permitir Pagina do portal
    ipfw add 19920 set 16 permit ip from any to any 81,82
    ipfw add 19930 set 16 permit ip from any 81,82 to any

    # Permitir Pagina do provedor
    ipfw add 19940 set 16 permit ip from any to ${MyWWWServers} 80,443
    ipfw add 19950 set 16 permit ip from any 80,443 to ${MyWWWServers}

    # Permitir retorno do site que seria acessado - Sem isso, nao desvia para o portal
    ipfw add 19980 permit ip from any 80 to any

    ipfw add 19990 set 16 fwd 127.0.0.1,82 ip from ${MyLocalNets} to any 80,443,3128

    ipfw add 19999 set 16 drop log ip from any to any

    ################################################################
    ## Firewall
    ## da regra de 30000 a 39999
    ################################################################
    ipfw delete set 20
    # Regras para acesso aos servidores do provedor
    ipfw add 30000 set 20 permit ip from ${MyMAILServers} to ${MyMAILServers} setup keep-state
    # limita o numero de conexoes para o servidor de emails - impede ataques
    ipfw add 30010 set 20 permit ip from any to ${MyMAILServers} 25 limit src-addr 5
    ipfw add 30020 set 20 permit ip from ${MyMAILServers} to any 25
    # descomente a linha seguinte para so permitir que o seu servidor envie emails
    # ipfw add 30030 set 20 deny log logamount 100 ip from any to any 25

    # Proteger porta 3128 de clientes - Nao permitir
    ipfw add 32500 set 20 deny log logamount 100 ip from any to any 3128

    ################################################################
    ## Liberando acesso a nossas redes
    ################################################################
    # negar trafego entre clientes
    ipfw delete set 21
    ipfw add 39000 set 21 permit ip from ${MyLocalNets} to ${MyGateways} setup keep-state
    ipfw add 39010 set 21 permit ip from ${MyGateways} to ${MyLocalNets} setup keep-state
    #ipfw add 39020 set 21 drop log ip from ${MyLocalNets} to ${MyLocalNets}
    #ipfw add 39030 set 21 drop log ip from ${MyLocalNets} to ${MyClients}

    ################################################################
    ## Fazer Proxy Transparente
    ## da regra 40000 a 44999
    ################################################################
    # Fazer Transparent Proxy
    ipfw delete set 25

    #ipfw add 40000 set 25 skipto 45000 ip from ${ClientsSemProxy} to any 80,443
    #ipfw add 40000 set 25 skipto 45000 ip from any to ${DominiosSemProxy} 80,443

    #ipfw add 44900 set 25 permit ip from me to any 80,443
    #ipfw add 44910 set 25 fwd 127.0.0.1,3128 ip from ${MyClients} to any 80,443
    #ipfw add 44999 set 25 drop ip from ${MyClients} to any 80,443

    ################################################################
    ## Fazer NAT
    ## da regra 45000 a 46000
    ## ** particularmente eu prefiro nat do PF **
    ################################################################
    ipfw delete set 28
    ipfw add 45000 divert natd ip from any to 201.57.42.33 in via xl0
    ipfw add 45010 divert natd ip from any to any out via xl0

    ################################################################
    ## Liberando tudo que chegar aqui
    ## por padrao, provedores sao "abertos"
    ################################################################
    ipfw delete set 30
    ipfw add 65000 set 30 allow ip from any to any


    ################################################################
    ############### Layer2 - Clientes #####################
    ################################################################

    ipfw delete set 12
    #
    # Cliente que nao tem portal
    ipfw add 3000 set 12 skipto 20000 ip from 1.2.3.4 to any
    ipfw add 3000 set 12 skipto 20000 ip from any to 1.2.3.4
    #

    ################################################################
    ############# Controle de Banda - Clientes #####################
    ################################################################
    ipfw delete set 18
    #
    # Clientes sem portal
    #ipfw add 20000 set 18 pipe 20000 ip from 1.2.3.4 to any in via rl0
    #ipfw add 20001 set 18 pipe 20000 ip from any to rl0 out via rl0
    #ipfw pipe delete 20000
    #ipfw pipe 20000 config bw 450Kbit/s


    Seja feliz acabe com seus problemas JOVEM



  3. Você ativou o roteamento de pacotes do kernel? talvez seja isso seu problema
    =)


    Citação Postado originalmente por antelo Ver Post
    Amigos,

    Instalei o debina, coloquei o squid + iptables, navego numa boa, mas não baixo as mensagens no outlook ( porta 25 e 110 ) não conecta pelo telnet.

    Squid.conf

    #http_port 3128
    http_port 3128 transparent
    visible_hostname debian.number.com.br
    # Configuração do cache
    cache_mem 128 MB
    #maximum_object_size_in_memory 1536 KB
    maximum_object_size 4096 KB
    #minimum_object_size 0 KB
    cache_swap_low 95
    cache_swap_high 98
    cache_dir ufs /var/spool/squid 800 32 32
    # Localização do log de acessos do Squid
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log none
    connect_timeout 30 seconds
    refresh_pattern ^ftp: 15 20% 2280
    refresh_pattern ^gopher: 15 0% 2280
    refresh_pattern . 15 20% 2280
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    # Libera acessos na hora que quiser (horaliberada)
    #acl almoco time 12:00-14:00
    #http_access allow horaliberada
    # Regra para bloquear por palavras, arquivo em porn.txt
    acl porn dstdom_regex "/etc/squid/porn.txt"
    http_access deny porn
    # Regra para liberar por palavras, arquivo em noporn.txt
    acl noporn dstdom_regex "/etc/squid/noporn.txt"
    http_access allow noporn
    # Regra para Bloquear por domínio
    #acl bloqueados dstdomain orkut.com www.orkut.com playboy.abril.com.br
    #http_access deny bloqueados
    # Autenticação dos usuários
    #auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
    #acl autenticados proxy_auth REQUIRED
    #http_access allow autenticados
    # Libera para a rede local
    acl redelocal src 192.168.0.0/24
    http_access allow localhost
    http_access allow redelocal
    # Bloqueia acessos externos
    http_access deny all
    # Proxy transparente
    #httpd_accel_host virtual
    #httpd_accel_port 80
    #httpd_accel_with_proxy on
    #httpd_accel_uses_host_header on
    cache_mgr informatica@number.com.br
    cache_effective_user squid
    cache_effective_group squid

    iptables.up.rules

    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *nat
    :PREROUTING ACCEPT [4461:1258346]
    :POSTROUTING ACCEPT [241:22746]
    :OUTPUT ACCEPT [253:23976]
    -A PREROUTING -d 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 200.187.64.134
    -A PREROUTING -d 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 200.187.64.133
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 200.201.158.110
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
    #-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007
    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *mangle
    :PREROUTING ACCEPT [6707:1907215]
    :INPUT ACCEPT [2836:733195]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2490:1178774]
    :POSTROUTING ACCEPT [2600:1192994]
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007
    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 3128 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 137:139 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 137:139 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp --dport 53 -j ACCEPT
    -A INPUT -p udp --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp --dport 563 -j ACCEPT
    -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -p udp -s 192.168.0.0/24 -d 200.170.225.11 --dport 53 -j ACCEPT
    -A FORWARD -p udp -s 200.170.225.11 --sport 53 -d 192.168.0.0/24 -j ACCEPT
    -A FORWARD -p udp -s 192.168.0.0/24 -d 200.195.247.216 --dport 53 -j ACCEPT
    -A FORWARD -p udp -s 200.195.247.216 --sport 53 -d 192.168.0.0/24 -j ACCEPT
    -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.10 -j ACCEPT
    -A FORWARD -p TCP -s 192.168.0.0/24 --dport 25 -j ACCEPT
    -A FORWARD -p TCP -s 192.168.0.0/24 --dport 110 -j ACCEPT
    -A FORWARD -p tcp --sport 25 -j ACCEPT
    -A FORWARD -p tcp --sport 110 -j ACCEPT
    # -A FORWARD -p tcp -d mail.number.com.br -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -d 200.187.64.134 -i eth0 --dport 25 -j ACCEPT
    # -A FORWARD -p tcp -d smtp.ig.com.br -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -d 200.226.132.230 -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -i eth0 --dport 53 -j ACCEPT
    -A FORWARD -p udp -i eth0 --dport 53 -j ACCEPT
    # -A FORWARD -p tcp -d pop.number.com.br -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -d 200.187.64.133 -i eth0 --dport 110 -j ACCEPT
    # -A FORWARD -p tcp -d pop.ig.com.br -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -d 200.226.132.13 -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -i eth0 --dport 3128 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 1080 -j ACCEPT
    -A FORWARD -p tcp -s 192.168.0.0/24 --dport 443 -j ACCEPT
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007


    Me mostrem o que falta ou o que está errado, não consigo mais achar nada.

    obrigado

  4. Pessoal,

    EU não habilitei o roteamento não, porque se eu habilitar, o browser funicona mesmo sem tiver o proxy.

    Gostaria de uma solução que SÓ funciona-se o brower com o proxy e pudesse me conectar com o outlook ( 25 e 110 ).

    Entendeu como estou pensando?

    Tem algúm modo que o meu brower precise do proxy e o roteamento do kernel fique habilitado?

    valeu pela ajuda.



  5. Citação Postado originalmente por antelo
    Tem algúm modo que o meu brower precise do proxy e o roteamento do kernel fique habilitado?
    Você praticamente fez isso no squid.conf:

    Código :
    http_port 3128 transparent

    Se o servidor que contém o Squid-Cache for o Gateway da rede, você não precisa configurar nada de proxy em nenhum navegador. O que tem que fazer é simplesmente redirecionar todas as solicitações encaminhadas para as portas 80 e 8080 direto para a porta 3128 com um softwares firewall (Ex: iptables).

    Aí você poderá ativar o ip_forward que não terá santo que fuja do proxy.

    Citação Postado originalmente por wesleybsd Ver Post
    Meu jovem
    Faco o seguinte, Tira esse lixo de linux e coloca freebsd com algumas regras basicas.
    Putz, que humildade.






Tópicos Similares

  1. Rede sobe mas não conecta na net - Slack 10.2
    Por Spada no fórum Sistemas Operacionais
    Respostas: 3
    Último Post: 16-11-2005, 11:34
  2. trafico gigante na porta 25
    Por PolacoCWB no fórum Servidores de Rede
    Respostas: 6
    Último Post: 14-10-2005, 18:49
  3. Maquina nao conecta na NET
    Por LeoJfa no fórum Servidores de Rede
    Respostas: 4
    Último Post: 20-01-2005, 10:07
  4. Erro na porta 25 com MailScanner
    Por Valois no fórum Servidores de Rede
    Respostas: 1
    Último Post: 22-10-2003, 14:13
  5. Problemas na porta 25
    Por PandaAzul no fórum Servidores de Rede
    Respostas: 4
    Último Post: 27-03-2003, 08:17

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L