cara...
como tá sua regra de redirecionamento para a porta do proxy?
com o comando "lsmod" você consegue identificar algum módulo do iptables???
Versão Imprimível
cara...
como tá sua regra de redirecionamento para a porta do proxy?
com o comando "lsmod" você consegue identificar algum módulo do iptables???
O comando que vc indicou retornou isso:
[root@Informatica2 ~]# lsmod
Module Size Used by
ipt_layer7 16772 1
ipt_REDIRECT 6784 1
xt_state 6400 2
xt_limit 7040 1
xt_mac 6144 3
xt_tcpudp 7296 94
i915 23552 2
drm 80276 3 i915
ip_nat_ftp 7808 0
iptable_nat 12164 1
ipt_MASQUERADE 8448 2
ip_nat 22956 4 ipt_REDIRECT,ip_nat_ftp,iptable_nat,ipt_MASQUERADE
ip_conntrack_ftp 12176 1 ip_nat_ftp
ip_conntrack 58436 7 ipt_layer7,xt_state,ip_nat_ftp,iptable_nat,ipt_MASQUERADE,ip_nat,ip_conntrack_ftp
nfnetlink 11288 2 ip_nat,ip_conntrack
ipt_LOG 10752 18
ipt_TOS 6528 70
iptable_mangle 7168 1
iptable_filter 7296 1
ip_tables 18116 3 iptable_nat,iptable_mangle,iptable_filter
x_tables 19972 11 ipt_layer7,ipt_REDIRECT,xt_state,xt_limit,xt_mac,xt_tcpudp,iptable_nat,ipt_MASQUERADE,ipt_LOG,ipt_TOS,ip_tables
autofs4 25604 2
hidp 24448 2
l2cap 31872 5 hidp
bluetooth 61796 2 hidp,l2cap
sunrpc 164284 1
fuse 49940 4
dm_mirror 26832 0
dm_multipath 23176 0
dm_mod 62872 2 dm_mirror,dm_multipath
video 21124 0
sbs 20160 0
i2c_ec 9344 1 sbs
button 11152 0
battery 14596 0
ac 9604 0
ipv6 272576 22
lp 16968 0
sg 38940 0
snd_intel8x0 37148 1
snd_ac97_codec 99748 1 snd_intel8x0
snd_ac97_bus 6656 1 snd_ac97_codec
i2c_i801 11916 0
snd_seq_dummy 8196 0
floppy 61540 0
iTCO_wdt 15044 0
i2c_core 26112 2 i2c_ec,i2c_i801
ide_cd 42528 0
snd_seq_oss 37120 0
snd_seq_midi_event 11904 1 snd_seq_oss
snd_seq 57072 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
serio_raw 11396 0
snd_seq_device 12428 3 snd_seq_dummy,snd_seq_oss,snd_seq
8139too 31232 0
8139cp 28288 0
cdrom 38816 1 ide_cd
pcspkr 7424 0
snd_pcm_oss 46336 0
snd_mixer_oss 20608 1 snd_pcm_oss
tg3 108036 0
mii 9728 2 8139too,8139cp
snd_pcm 81156 3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss
parport_pc 31396 1
parport 40776 2 lp,parport_pc
cdc_acm 20000 0
snd_timer 26628 2 snd_seq,snd_pcm
snd 58244 11 snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
soundcore 12384 1 snd
snd_page_alloc 14472 2 snd_intel8x0,snd_pcm
ata_piix 19848 3
libata 107028 1 ata_piix
sd_mod 24960 4
scsi_mod 140588 3 sg,libata,sd_mod
ext3 135816 1
jbd 63144 1 ext3
ehci_hcd 34952 0
ohci_hcd 24324 0
uhci_hcd 27788 0
[root@Informatica2 ~]#
meu arquivop de firewall
#!/bin/sh
#
#=================================================================
# MODULOS A SEREM CARREGADOS
# ================================================================
echo "Carregando mdulos...."
modprobe \*
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_TOS
modprobe ipt_LOG
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe iptable_nat
modprobe ip_nat_ftp
# ================================================================
# LIMPAR REGRAS
# ================================================================
echo "Limpando regras..."
iptables -Z
iptables -t nat -F
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter
########### TABELA FILTER ############
echo "Iniciando tabela : FILTER...."
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
########### TABELA NAT ############
echo "Iniciando tabela : NAT.... "
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING DROP
########### TABELA MANGLE ############
echo "Iniciando tabela : MANGLE...."
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.3
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.3
################################################
# Determina a política padrão
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
########################################
#----------
# Regras para funcionamento do Conectividade Social da CEF
#----------
iptables -t nat -A PREROUTING -d 200.201.174.202 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.202:80
iptables -t nat -A PREROUTING -d 200.201.174.203 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.203:80
iptables -t nat -A PREROUTING -d 200.201.174.204 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.204:80
iptables -t nat -A PREROUTING -d 200.201.174.205 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.205:80
iptables -t nat -A PREROUTING -d 200.201.174.206 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.206:80
iptables -t nat -A PREROUTING -d 200.201.174.207 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.207:80
iptables -t nat -A PREROUTING -d 200.201.174.208 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.208:80
iptables -t nat -A PREROUTING -d 200.201.174.209 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.209:80
###### PROTECAO CONTRA IP SPOOFING ############
echo "Proteï¿o contra : IP SPOOFING..."
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
########### PROTECAO CONTRA PING ############
echo "Proteï¿o contra : PING"
iptables -A INPUT -s 200.139.12.0/24 -p icmp --icmp-type echo-request -i eth0 -j ACCEPT
########### PROTECAO CONTRA PING OF DEATH ############
echo "Proteï¿o contra : PING DA MORTE"
############iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
########### PROTECAO CONTRA SYS-FLOODS ############
echo "Proteï¿o contra : SYS-FLOODS"
#iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
########### PROTECAO CONTRA PORT SCANNERS ############
echo "Proteï¿o contra : PORT SCANNERS"
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
###### PROTECAO CONTRA PACOTES DANIFICADOS OU SUSPEITOS
echo "Proteï¿o contra : PACOTES DANIFICADOS"
#iptables -A FORWARD -m unclean -j DROP
# ================================================================
# ATIVANDO O REDIRECIONAMENTO DE PACOTES (NAT)
# ================================================================
echo "Ativando o ip_forward"
echo 1 > /proc/sys/net/ipv4/ip_forward
# ================================================================
# TABELA FILTER
# ================================================================
# Criamos uma chain que sera usada para tratar o trafego vindo da internet
echo "Criando chain de entrada..."
iptables -N eth0-input
# ########## ACEITA AS CONEXOES VINDO DA LOOPBACK E INDO PARA A LOOPBACK
echo "Criando regra de loopback...."
iptables -A INPUT -i lo -j ACCEPT
# ########## TODO O TRAFEGO VINDO DA REDE INTERNA SERA ACEITO #########
echo "Criando regra para Intranet...."
iptables -A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
iptables -A INPUT -s 200.139.12.0/24 -i eth1 -j ACCEPT
# ### CONEXOES VINDAS DA ETH0 SERAO TRATADAS PELA CHAIN ETH0-INPUT ########
echo "Regra de tratamento de entrada..."
iptables -A INPUT -i eth0 -j eth0-input
### QUALQUER OUTRA CONEXï¿ DESCONHECIDA E IMEDIATAMENTE REGISTRADA E
### DERRUBADA
echo "Regra geral..."
iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT "
iptables -A INPUT -j ACCEPT
############# CHAIN FORWARD ##########################
echo "Chain Forward..."
iptables -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -d 200.139.12.0/24 -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -s 200.139.12.0/24 -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FIREWALL: FORWARD "
iptables -A FORWARD -j ACCEPT
### CHAIN ETH0-INPUT ######
echo "Chain etho-input..."
###### Aceitamos todas as mensagens icmp vindas de eth0 com certa limitaï¿o #########
iptables -A eth0-input -p icmp -m limit --limit 2/s -j ACCEPT
iptables -A eth0-input -p tcp --dport 21 -j LOG --log-prefix "FIREWALL: ftp "
iptables -A eth0-input -p tcp --dport 22 -j LOG --log-prefix "Porta SSH"
iptables -A eth0-input -p tcp --dport 23 -j LOG --log-prefix "Porta TELNET"
iptables -A eth0-input -p tcp --dport 25 -j LOG --log-prefix "FIREWALL: smtp "
iptables -A eth0-input -p udp --dport 53 -j LOG --log-prefix "FIREWALL: dns "
iptables -A eth0-input -p tcp --dport 113 -j LOG --log-prefix "FIREWALL: identd "
iptables -A eth0-input -p udp --dport 111 -j LOG --log-prefix "FIREWALL: rpc"
iptables -A eth0-input -p tcp --dport 111 -j LOG --log-prefix "FIREWALL: rpc"
iptables -A eth0-input -p tcp --dport 3000 -j LOG --log-prefix " FIREWALL: squid "
iptables -A eth0-input -p tcp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
# iptables -A eth0-input -p udp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
iptables -A eth0-input -p tcp --dport 5042 -j LOG --log-prefix "Servico: Wincrash"
iptables -A eth0-input -p tcp --dport 12345 -j LOG --log-prefix "Servico: BackOrifice"
# Bloqueia qualquer tentativa de nova conexï¿ de fora para esta mï¿uina
iptables -A eth0-input -m state --state ! ESTABLISHED,RELATED -j LOG --log-prefix "FIREWALL: eth0-in "
iptables -A eth0-input -m state --state ! ESTABLISHED,RELATED -j DROP
# Qualquer outro tipo de trï¿ego ï¿aceito
iptables -A eth0-input -j ACCEPT
# ================================================================
# TABELA NAT
# ================================================================
##### Chain POSTROUTING #####
# Permite qualquer conexï¿ vinda com destino a lo e rede local para eth1
iptables -t nat -A POSTROUTING -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 200.139.12.0/24 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 200.139.12.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.0/24 -j LOG --log-prefix "FIREWALL: SNAT unknown"
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.1.0/24 -j DROP
iptables -t nat -A POSTROUTING -o eth1 -d 200.139.12.0/24 -j LOG --log-prefix "FIREWALL: SNAT unknown"
iptables -t nat -A POSTROUTING -o eth1 -d 200.139.12.0/24 -j DROP
# ================================================================
# TABELA MANGLE
# ================================================================
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 21 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 23 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 6665:6668 -j TOS --set-tos 0x10
iptables -t mangle -A OUTPUT -o eth0 -p udp --dport 53 -j TOS --set-tos 0x10
# TAMBEM PARA HTTP
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j TOS --set-tos 0x10
##############################################################
#
# ATIVANDO O PROXY TRANSPARENTE
#
#############################################################
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# O trï¿ego que entrar pela eth1 (rede local) e que solicitar conexï¿
# na porta 80 (www) serï¿redirecionado para a porta 3000 (proxy)
# Obs : ver configuraï¿es adicionais no squid.conf (httpd_accel)
#######################################################################
echo "================================================================"
echo " FIM DO FIREWALL"
echo "================================================================"
ok amigão foi mal ta dessa forma:
# ATIVANDO O REDIRECIONAMENTO DE PACOTES (NAT)
echo "Ativando o ip_forward"
echo 1 > /proc/sys/net/ipv4/ip_forward
# ATIVANDO O PROXY TRANSPARENTE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Com relação ao lsmod tassim :
[root@Informatica2 ~]# lsmod
Module Size Used by
ipt_layer7 16772 1
ipt_REDIRECT 6784 1
xt_state 6400 2
xt_limit 7040 1
xt_mac 6144 3
xt_tcpudp 7296 94
i915 23552 2
drm 80276 3 i915
ip_nat_ftp 7808 0
iptable_nat 12164 1
ipt_MASQUERADE 8448 2
ip_nat 22956 4 ipt_REDIRECT,ip_nat_ftp,iptable_nat,ipt_MASQUERADE
ip_conntrack_ftp 12176 1 ip_nat_ftp
ip_conntrack 58436 7 ipt_layer7,xt_state,ip_nat_ftp,iptable_nat,ipt_MAS QUERADE,ip_nat,ip_conntrack_ftp
nfnetlink 11288 2 ip_nat,ip_conntrack
ipt_LOG 10752 18
ipt_TOS 6528 70
iptable_mangle 7168 1
iptable_filter 7296 1