  1. #1
    NoiseMaster
    Guest

    HELP!! My internet email

    Folks, I need urgent help!

    I've just set up a firewall.

    The internet works normally, but Outlook can't contact the POP server, nor the SMTP one.

    Please help me urgently.

    My firewall is in iptables.

    NoiseMaster

  2. #2
    B4D_D0G
    Guest

    HELP!! My internet email

    which rules did you put up? post them here so we can take a look!!!!

    it makes it easier to find the problem!!!!

    [ ]'s ;)

  3. #3
    NoiseMaster
    Guest

    HELP!! My internet email

    besides NAT.

    iptables -I INPUT -p tcp -s minha_rede --dport 80 -j DROP
    iptables -I INPUT -p tcp -s minha_rede --dport 443 -j DROP
    iptables -I INPUT -p tcp -s minha_rede -j ACCEPT

    just so users can't bypass Squid.

    NoiseMaster

  4. #4
    Mr_Mind
    Guest

    HELP!! My internet email

    how are they going to see the email?
    if Outlook goes through Squid.. you can't block the port it uses to talk to the outside.
    what is your Squid port? 80? iptables -I INPUT -p tcp -s minha_rede --dport 80 -j DROP

    you're a bit confused, aren't you?
    tell us what you want to do and we'll help with the rules. ;)

  5. #5
    NoiseMaster
    Guest

    HELP!! My internet email

    I cleared all the firewall rules
    #iptables -t filter -F

    now I only have Squid running.

    how do I open the SMTP and POP ports?

  6. #6
    X
    Guest

    HELP!! My internet email

    Simon came in early today...
    Simon guesses: "You have a Linux gateway and the other machines on the network are Windoze...."
    Simon simulates:
    on the Linux gateway you have at least two network cards:
    eth0 = dhcp or ppp (external internet access)
    eth1 = 13.1.1.1 - netmask=255.255.255.0 (routed LAN access), the machine name being gateway and the network name testnet
    ----------------------------------------------------------------------------------------------
    Insert at the end of rc.firewall:
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.2/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.3/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.4/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.5/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.6/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.7/32 -j MASQUERADE
    -----------------------------------------------------------------------------------------------
    This masquerades 7 machines on the network
    A reboot becomes necessary at the end of the procedure.
    -----------------------------------------------------------------------------------------------
    Check the network properties of each Windows machine on the network:
    - All must have a fixed IP, for example:
    the company director's machine has IP 13.1.1.7 and netmask 255.255.255.0
    - Set the TCP/IP protocol (of the connected card) as default;
    - enter the gateway: 13.1.1.1
    - enter DNS: 13.1.1.1 (make sure named is running on the gateway with the command:
    # ps -edf | grep named
    if it isn't, run:
    # /etc/init.d/named start
    Note: If it fails you must install the name server (DNS) packages; reminder, put your ISP's DNS IP in resolv.conf (that's in the default conf).

    - enter the host name -> Diretor_Franginha and also the network name testnet.
    - Once that's done Windoze asks to restart... because it has to kill itself to reread the network settings.
    -------------------------------------------------------------------------------------
    Test Outlook
    and good luck!
    by ¿X?

  7. #7
    B4D_D0G
    Guest

    HELP!! My internet email

    Simon, you're confusing!

    man, you can't send or receive at all?

    when you cleared iptables, did it work?

  8. #8
    NoiseMaster
    Guest

    HELP!! My internet email

    the rules gave problems,

    '-s' bad arguments 'meu_ip'.

    what's $EXTIF?

  9. #9
    NoiseMaster
    Guest

    HELP!! My internet email

    B4D,

    I cleared the iptables rules and left Squid without my rules, just with the basic rules.

    and it still doesn't work


    I ran a command:

    nmap 10.0.0.254 and it gave

    only two open ports

    111/tcp open sunrpc
    3128/tcp open squid-http

    How do I open the others, 25, 110, 3389 (WTS)?

    [ This message was edited by: NoiseMaster on 14-11-2002 11:47 ]

  10. #10
    X
    Guest

    HELP!! My internet email

    Simon says....
    People complain a lot...
    But Simon understands and sends a complete firewall.
    Cut and Grud by ¿Xa®aDa?
    IP masquerading technique using the firewall for a ppp connection
    if it's ethx just replace ppp with ethx
    Note... there's Squid in the middle but you'll have to research that yourselves.
    -------------------------------------------------------------------------------------
    #!/bin/sh
    #
    # rc.firewall-2.4
    FWVER=0.63
    #
    # Initial SIMPLE IP Masquerade test for 2.4.x kernels
    # using IPTABLES.
    #
    # Once IP Masquerading has been tested, with this simple
    # ruleset, it is highly recommended to use a stronger
    # IPTABLES ruleset either given later in this HOWTO or
    # from another reputable resource.
    #
    #
    #
    # Log:
    # 0.63 - Added support for the IRC IPTABLES module
    # 0.62 - Fixed a typo on the MASQ enable line that used eth0
    # instead of $EXTIF
    # 0.61 - Changed the firewall to use variables for the internal
    # and external interfaces.
    # 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
    # all forwarded packets but it didn't have a rule to ACCEPT
    # any packets to be forwarded either
    # - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
    # 0.50 - Initial draft
    #

    echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"


    # The location of the 'iptables' program
    #
    # If your Linux distribution came with a copy of iptables, most
    # likely it is located in /sbin. If you manually compiled
    # iptables, the default location is in /usr/local/sbin
    #
    # ** Please use the "whereis iptables" command to figure out
    # ** where your copy is and change the path below to reflect
    # ** your setup
    #
    IPTABLES=/sbin/iptables
    #Setting the EXTERNAL and INTERNAL interfaces for the network
    #
    # Each IP Masquerade network needs to have at least one
    # external and one internal network. The external network
    # is where the natting will occur and the internal network
    # should preferably be addressed with a RFC1918 private address
    # scheme.
    #
    # For this example, "eth0" is external and "eth1" is internal
    #
    # NOTE: If this doesnt EXACTLY fit your configuration, you must
    # change the EXTIF or INTIF variables above. For example:
    #
    # EXTIF="ppp0"
    #
    # if you are a modem user.
    #
    EXTIF="ppp0"
    INTIF="eth1"
    echo " External Interface: $EXTIF"
    echo " Internal Interface: $INTIF"


    #======================================================================
    #== No editing beyond this line is required for initial MASQ testing ==


    echo -en " loading modules: "

    # Need to verify that all modules have all required dependencies
    #
    echo " - Verifying that all kernel modules are ok"
    /sbin/depmod -a

    # With the new IPTABLES code, the core MASQ functionality is now either
    # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
    # options as MODULES. If your kernel is compiled correctly, there is
    # NO need to load the kernel modules manually.
    #
    # NOTE: The following items are listed ONLY for informational reasons.
    # There is no reason to manual load these modules unless your
    # kernel is either mis-configured or you intentionally disabled
    # the kernel module autoloader.
    #

    # Upon the commands of starting up IP Masq on the server, the
    # following kernel modules will be automatically loaded:
    #
    # NOTE: Only load the IP MASQ modules you need. All current IP MASQ
    # modules are shown below but are commented out from loading.
    # ===============================================================

    #Load the main body of the IPTABLES module - "iptable"
    # - Loaded automatically when the "iptables" command is invoked
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "ip_tables, "
    /sbin/insmod ip_tables


    #Load the IPTABLES filtering module - "iptable_filter"
    # - Loaded automatically when filter policies are activated


    #Load the stateful connection tracking framework - "ip_conntrack"
    #
    # The conntrack module in itself does nothing without other specific
    # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
    # module
    #
    # - This module is loaded automatically when MASQ functionality is
    # enabled
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "ip_conntrack, "
    /sbin/insmod ip_conntrack


    #Load the FTP tracking mechanism for full FTP tracking
    #
    # Enabled by default -- insert a "#" on the next line to deactivate
    #
    echo -en "ip_conntrack_ftp, "
    /sbin/insmod ip_conntrack_ftp


    #Load the IRC tracking mechanism for full IRC tracking
    #
    # Enabled by default -- insert a "#" on the next line to deactivate
    #
    echo -en "ip_conntrack_irc, "
    /sbin/insmod ip_conntrack_irc


    #Load the general IPTABLES NAT code - "iptable_nat"
    # - Loaded automatically when MASQ functionality is turned on
    #
    # - Loaded manually to clean up kernel auto-loading timing issues
    #
    echo -en "iptable_nat, "
    /sbin/insmod iptable_nat


    #Loads the FTP NAT functionality into the core IPTABLES code
    # Required to support non-PASV FTP.
    #
    # Enabled by default -- insert a "#" on the next line to deactivate
    #
    echo -en "ip_nat_ftp, "
    /sbin/insmod ip_nat_ftp
    # Just to be complete, here is a list of the remaining kernel modules
    # and their function. Please note that several modules should be only
    # loaded by the correct master kernel module for proper operation.
    # --------------------------------------------------------------------
    #
    # ipt_mark - this target marks a given packet for future action.
    # This automatically loads the ipt_MARK module
    #
    # ipt_tcpmss - this target allows to manipulate the TCP MSS
    # option for braindead remote firewalls.
    # This automatically loads the ipt_TCPMSS module
    #
    # ipt_limit - this target allows for packets to be limited to
    # to many hits per sec/min/hr
    #
    # ipt_multiport - this match allows for targets within a range
    # of port numbers vs. listing each port individually
    #
    # ipt_state - this match allows to catch packets with various
    # IP and TCP flags set/unset
    #
    # ipt_unclean - this match allows to catch packets that have invalid
    # IP/TCP flags set
    #
    # iptable_filter - this module allows for packets to be DROPped,
    # REJECTed, or LOGged. This module automatically
    # loads the following modules:
    #
    # ipt_LOG - this target allows for packets to be
    # logged
    #
    # ipt_REJECT - this target DROPs the packet and returns
    # a configurable ICMP packet back to the
    # sender.
    #
    # iptable_mangle - this target allows for packets to be manipulated
    # for things like the TCPMSS option, etc.

    echo ". Done loading modules."



    #CRITICAL: Enable IP forwarding since it is disabled by default since
    #
    # Redhat Users: you may try changing the options in
    # /etc/sysconfig/network from:
    #
    # FORWARD_IPV4=false
    # to
    # FORWARD_IPV4=true
    #
    echo " enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Dynamic IP users:
    #
    # If you get your IP address dynamically from SLIP, PPP, or DHCP,
    # enable this following option. This enables dynamic-address hacking
    # which makes the life with Diald and similar programs much easier.
    #
    echo " enabling DynamicAddr.."
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr


    # Enable simple IP forwarding and Masquerading
    #
    # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
    #
    # NOTE #2: The following is an example for an internal LAN address in the
    # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
    # connecting to the Internet on external interface "eth0". This
    # example will MASQ internal traffic out to the Internet but not
    # allow non-initiated traffic into your internal network.
    #
    #
    # ** Please change the above network numbers, subnet mask, and your
    # *** Internet connection interface name to match your setup
    #


    #Clearing any previous configuration
    #
    # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
    # The default for FORWARD is DROP
    #
    echo " clearing any existing rules and setting default policy.."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    echo " FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.2/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.3/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.4/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.5/32 -j MASQUERADE
    #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.6/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.7/32 -j MASQUERADE
    echo -e "\nDone.\n"
    -------------------------------------------------------------------------------------------
    Now Simon has helped.
    Copy and paste this into your firewall... and good luck!!!

  11. #11
    Mr_Mind
    Guest

    HELP!! My internet email

    but what the heck are those open ports for? do you have the servers running on your machine???
    if you do.. they open the ports.. if you don't.. there's no need to open them!!!!!!
    if you're simply a client.. the gateway doesn't need to be open for anything, because client ports are random!!!!

    so much confusion over a trivial matter

  12. #12
    B4D_D0G
    Guest

    HELP!! My internet email

    Damn, man, you really sent everything.....

    Simon, you're my idol!!!

    ;)

    noise... test the firewall there, if it doesn't work it could be something else I'm thinking of... let me know... I'm here until 15:00 ok?

  13. #13
    Mr_Mind
    Guest

    HELP!! My internet email

    Quote:
    On 2002-11-14 11:25, X wrote:
    Simon came in early today...
    Simon guesses: "You have a Linux gateway and the other machines on the network are Windoze...."
    Simon simulates:
    on the Linux gateway you have at least two network cards:
    eth0 = dhcp or ppp (external internet access)
    eth1 = 13.1.1.1 - netmask=255.255.255.0 (routed LAN access), the machine name being gateway and the network name testnet
    ----------------------------------------------------------------------------------------------
    Insert at the end of rc.firewall:
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.2/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.3/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.4/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.5/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.6/32 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 13.1.1.7/32 -j MASQUERADE
    -----------------------------------------------------------------------------------------------
    This masquerades 7 machines on the network
    A reboot becomes necessary at the end of the procedure.
    -----------------------------------------------------------------------------------------------


    that's not true! I don't see why the reboot , just run the script live ah .. and rc.firewall doesn't exist on every system ;| . you can masquerade the whole network at once instead of host by host



    Quote:
    Check the network properties of each Windows machine on the network:
    - All must have a fixed IP, for example:
    the company director's machine has IP 13.1.1.7 and netmask 255.255.255.0
    - Set the TCP/IP protocol (of the connected card) as default;
    - enter the gateway: 13.1.1.1
    - enter DNS: 13.1.1.1 (make sure named is running on the gateway with the command:
    # ps -edf | grep named
    if it isn't, run:
    # /etc/init.d/named start
    Note: If it fails you must install the name server (DNS) packages; reminder, put your ISP's DNS IP in resolv.conf (that's in the default conf).

    - enter the host name -> Diretor_Franginha and also the network name testnet.
    - Once that's done Windoze asks to restart... because it has to kill itself to reread the network settings.
    -------------------------------------------------------------------------------------
    Test Outlook
    and good luck!
    by ¿X?

    if it's Windows NT based just disable the connection and reconnect. same thing if it's a dhcp client.



    Even so I think there's a lot of confusion around our colleague's question ... I don't think that's what he wants. I'll wait for more explanation of the problem!!
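Added example, not posted by anyone in this thread: a gateway script that ties together the points the thread circles around. The port-80/443 block from post #3 is moved from INPUT (which only governs traffic to the gateway itself) into FORWARD, where it actually affects clients going straight out; POP3 and SMTP are allowed in FORWARD rather than "opened" on the gateway, which is why the nmap in post #9 never shows them (post #11); and the per-host MASQUERADE lines of posts #6 and #10 collapse into one subnet rule (post #13). The interfaces, subnet and Squid port are assumptions taken from X's layout; `-m state` and `-m multiport` are standard iptables matches. With `DRYRUN=1` the rules are printed instead of applied, so it can be reviewed before touching a live box.

```shell
#!/bin/sh
# Added example, not from the thread: stateful masquerading gateway for the
# layout X described (LAN 13.1.1.0/24 on eth1, Internet on ppp0, Squid on 3128).
# All of these values are assumptions; override them through the environment.
# Usage:  sh gateway.sh dry-run   (print the rules)
#         sh gateway.sh apply     (as root, apply them)

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-ppp0}"        # external interface (ppp0, or eth0 for a cable/DSL link)
INTIF="${INTIF:-eth1}"        # LAN interface
LAN="${LAN:-13.1.1.0/24}"     # the whole subnet, so one MASQUERADE rule covers every host
SQUID_PORT="${SQUID_PORT:-3128}"

# ipt: apply a rule, or just print it when DRYRUN=1.
ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

gateway_rules() {
    # Clean slate. The ESTABLISHED rule goes in before the policy flips to DROP
    # so an administrator connected remotely is not cut off mid-run.
    ipt -F INPUT; ipt -F FORWARD; ipt -F OUTPUT; ipt -t nat -F
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT covers services running on the gateway itself. This is all an nmap
    # from the LAN can show; 25 and 110 only belong here if the gateway IS the
    # mail server (post #11).
    ipt -A INPUT -i "$INTIF" -s "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$LAN" -p udp --dport 53 -j ACCEPT   # named on the gateway

    # FORWARD covers LAN clients passing through the gateway. Outlook's POP3 and
    # SMTP sessions are forwarded traffic, so this is where they are allowed.
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -p tcp -m multiport --dports 25,110 -j ACCEPT
    # Keeping web traffic on Squid: post #3 put this block in INPUT, where it never
    # sees a client going straight out. The DROP policy would catch it anyway; the
    # explicit rule documents the intent.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -p tcp -m multiport --dports 80,443 -j DROP
    ipt -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # NAT: one rule for the subnet replaces the per-host lines of posts #6/#10 (post #13).
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# count_rules PATTERN: number of generated rules matching PATTERN (self-check helper).
count_rules() {
    ( DRYRUN=1; gateway_rules ) | grep -c -- "$1" || true
}

case "${1:-}" in
    dry-run) DRYRUN=1; gateway_rules ;;
    apply)   enable_forwarding; gateway_rules ;;
esac
```

Run `sh gateway.sh dry-run` first and read the output: there should be exactly one MASQUERADE line, the 25/110 ACCEPT should appear under FORWARD, and nothing under INPUT should mention 25 or 110. Once the rules are applied, a LAN client's Outlook session shows up as an ESTABLISHED entry in conntrack rather than as an open port on the gateway.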