+ Responder ao Tópico



  1. #1

    Padrão

    Galera, sempre visito o fórum/blog para ficar a par das notícias sobre Linux, mas hoje precisei criar uma conta devido ao problema do MSN Live.

    Já tentei de tudo, mas creio que algo está errado nas ordens das ACLs:

    Iptables
    Código :
    #!/bin/bash
     
    # Limpa tabela atual
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
     
    # Habilita Forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
     
    # Desabilita resposta para ping
    # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
     
    # Desabilita Port Scan
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     
    # Protecao contra IP Spoofing
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 >$i
    done
     
    # Protege contra Synflood
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
     
    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
    done
     
    # Log packets with impossible addresses
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
    done
     
    echo "ATIVANDO FIREWALL ... [ OK ]"
     
    modprobe ip_conntrack
    modprobe ipt_MASQUERADE
    modprobe ipt_LOG
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ip_conntrack_ftp
     
    # Barra todo o forward que nao estiver listado abaixo
    iptables -t filter -P FORWARD DROP
     
    # Libera trafego livre para loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
     
    # Definicoes iniciais - Rede privada pode fazer novas conexoes
    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    # Liberacoes para a rede privada 192.168.1.0
    iptables -t filter -A FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -o eth1 -j ACCEPT
    iptables -t filter -A FORWARD -d [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -s 0/0 -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -o eth0 -j ACCEPT
    iptables -t filter -A FORWARD -d [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -s 0/0 -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    # Permitindo NAT para a rede local
    iptables -t nat -A POSTROUTING -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -o eth0 -j SNAT --to 200.217.189.xxx
     
    # ======== REGRAS PARA MSN MESSENGER =========
    # Bloqueando MSN (esta regra deve ficar antes da linha que direciona a conexao da porta 80 para a 3128 do Squid)
    iptables -I FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -p tcp --dport 1863 -j DROP
    iptables -I FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -p tcp --dport 5190 -j DROP
    # =========================================
     
    # == Tornando o proxy transparente, permitindo acesso direto ao Conectividade Social e Sites da Caixa
    iptables -t nat -A PREROUTING -p tcp -d [URL="http://200.201.174.0/24"]200.201.174.0/24[/URL] -j ACCEPT
    iptables -t nat -I PREROUTING -p tcp -d [URL="http://200.201.0.0/16"]200.201.0.0/16[/URL] -j ACCEPT
    iptables -I FORWARD -p tcp -d [URL="http://200.201.0.0/16"]200.201.0.0/16[/URL] -j ACCEPT
     
    iptables -t nat -A PREROUTING -i eth1 -p tcp -d ! [URL="http://200.201.174.0/24"]200.201.174.0/24[/URL] --dport 80 -j REDIRECT --to-port 3128
     
    iptables -I FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -d obsupgdp.caixa.gov.br -j ACCEPT
    iptables -I FORWARD -s obsupgdp.caixa.gov.br -d [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -j ACCEPT
    iptables -I FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -d cmt.caixa.gov.br -j ACCEPT
    iptables -I FORWARD -s cmt.caixa.gov.br -d [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -j ACCEPT
    # =============================================================================================================
     
    # Regras Finais
    iptables -I INPUT -j ACCEPT
    iptables -I FORWARD -j ACCEPT
    iptables -I OUTPUT -j ACCEPT
     
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP
     
    # === FIM DO FIREWALL

    Squid.conf

    Código :
    http_port 3128 transparent
    icp_port 0
    htcp_port 0
    hierarchy_stoplist cgi-bin ?
    visible_hostname squidserver
     
    dns_nameservers 192.168.1.5 200.217.189.xxx 200.217.189.xxx
     
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    cache_mem 128 MB
     
    cache_dir ufs /var/spool/squid 1024 16 256
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    cache_swap_low 90
    cache_swap_high 95
     
    maximum_object_size 76800 KB
    minimum_object_size 0 KB
    maximum_object_size_in_memory 4096 KB
     
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern .               0       20%     4320
     
    acl all src [URL="http://0.0.0.0/0.0.0.0"]0.0.0.0/0.0.0.0[/URL]
     
    # =====================
    # ACLs DA EMPRESA
    # =====================
     
    # ACL para bloquear/liberar MSN
    acl messenger req_mime_type -i ^application/x-msn-messenger
    http_access deny messenger
    acl msn_gateway url_regex -i "/etc/squid/acl/msn_gateway"
    http_access deny msn_gateway
     
    acl ip_daniel src "/etc/squid/acl/ip_daniel"
    acl ip_liberados src "/etc/squid/acl/ip_liberados"
    acl ip_bloqueadototal src "/etc/squid/acl/ip_bloqueadototal"
    acl sites_free url_regex -i "/etc/squid/acl/sites_free"
    acl sites_orkut url_regex -i "/etc/squid/acl/sites_orkut"
    acl sites_youtube url_regex -i "/etc/squid/acl/sites_youtube"
    acl sites_proxy url_regex -i "/etc/squid/acl/sites_proxy"
    acl sites_radio url_regex -i "/etc/squid/acl/sites_radio"
    acl sites_bloqueados url_regex -i "/etc/squid/acl/sites_bloqueados"
    acl sites_webmessenger url_regex -i "/etc/squid/acl/sites_webmessenger"
    acl sites_hacking url_regex -i "/etc/squid/acl/sites_hacking"
    acl download url_regex -i "/etc/squid/acl/download"
     
    # ACL: Estacao enjaulada apenas para acessar o Sintegra
    acl ip_sintegra src "/etc/squid/acl/ip_sintegra"
    acl sites_sintegra url_regex -i "/etc/squid/acl/sites_sintegra"
     
    # ====== HTTP ACCESS RULES
    http_access deny sites_bloqueados !ip_daniel
    http_access deny sites_hacking !ip_daniel
    http_access deny sites_webmessenger
    http_access deny download !ip_daniel
    http_access deny sites_proxy !ip_daniel
    http_access deny sites_orkut !ip_daniel
    http_access deny sites_youtube !ip_daniel
    http_access deny sites_radio !ip_daniel
    http_access deny ip_bloqueadototal
     
    # ====== ACLs da Rede
     
    acl mariza src [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL]
    acl manager proto cache_object
    acl localhost src [URL="http://127.0.0.1/255.255.255.255"]127.0.0.1/255.255.255.255[/URL]
    acl to_localhost dst [URL="http://127.0.0.0/8"]127.0.0.0/8[/URL]
    acl SSL_ports port 443 563
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 563     # https, snews
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 631         # cups
    acl Safe_ports port 873         # rsync
    acl Safe_ports port 901         # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
     
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
     
    # =====
    http_access allow ip_liberados
    http_access allow ip_sintegra
    http_access allow sites_sintegra
    http_access allow sites_free
     
    # =====
    http_access deny mariza
    http_access deny all
    http_reply_access allow all
    icp_access allow all
     
    # =====
    cache_effective_user proxy
    cache_effective_group proxy
    cache_mgr [EMAIL="[email protected]"][email protected][/EMAIL]
     
    # ====== Diretorio de Erros
    error_directory /usr/share/squid/errors/Portuguese/
    http://img509.imageshack.us/img509/2...clsquidlw6.png

    Quaisquer dúvidas sobre as ACLs eu responderei prontamente.

    Preciso bloquear o bendito MSN Live somente. Sites do Hotmail.com e Live.com poderão ser acessados normalmente (ordens do Gerente de TI).

    Grato.
    Última edição por danielrcom; 16-04-2008 às 09:00.

  2. #2

    Padrão

    cara, acho que seja somente a ordem dessas regras:

    # Liberacoes para a rede privada 192.168.1.0
    iptables -t filter -A FORWARD -s 192.168.1.0/24 -o eth1 -j ACCEPT
    iptables -t filter -A FORWARD -s 192.168.1.0/24 -o eth0 -j ACCEPT

    # ======== REGRAS PARA MSN MESSENGER =========
    # Bloqueando MSN (esta regra deve ficar antes da linha que direciona a conexao da porta 80 para a 3128 do Squid)
    iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j DROP
    iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 5190 -j DROP


    Sobe as regras de MSN. Põe elas acima da liberação da rede privada.
    Acho que só isso funciona!
    Qualquer problema posta ai...