


#1

    Problems with squid port redirection

    Good morning, I urgently need some help.

    Here is the situation:

    I am trying to redirect the squid port via NAT.

    My internal network is 192.168.0.X, and my squid is configured to listen on port 3128.

    I configure the workstations to use the proxy at address 192.168.0.1, port 3128.

    My local interface on the firewall is eth1, 192.168.0.1.

    I have the following firewall rules:

    #!/bin/sh
    # Firewall script
    #
    #
    ###################################################
    # Basic definitions
    ###################################################
    IPTABLES="/sbin/iptables"

    # ENABLE ROUTING
    #
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

    ###################################################
    # Flush everything
    ###################################################

    $IPTABLES -F
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X

    ###################################################
    # Policy setup
    ###################################################
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    ############################################################
    # NAT - NETWORK ADDRESS TRANSLATION
    ############################################################

    # Transparent proxy: LAN traffic to port 80 is redirected to squid on 3128.
    # A REDIRECTed packet is delivered locally, so it still traverses INPUT.
    $IPTABLES -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
    # squid only listens on TCP, so this UDP rule has no effect
    $IPTABLES -t nat -A PREROUTING -p udp -i eth1 --dport 80 -j REDIRECT --to-port 3128

    ####
    # Internal (private) network
    ####

    $IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
    $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

    ####
    # Loopback interface
    ####
    $IPTABLES -A INPUT -i lo -j ACCEPT

    ############################################################
    # Final rules (DROP with LOG)
    ############################################################
    # The dropwall chain itself was left out of the post; reconstructed here
    # from the "Dropwall:" prefix in the kernel log below so the script runs as pasted
    $IPTABLES -N dropwall
    $IPTABLES -A dropwall -j LOG --log-prefix "Dropwall:"
    $IPTABLES -A dropwall -j DROP
    $IPTABLES -A INPUT -j dropwall
    $IPTABLES -A FORWARD -j dropwall
    $IPTABLES -A OUTPUT -j dropwall

    **** Set up this way there is no way to get the workstations browsing; the squid log records nothing.

    The firewall returns this log:

    Dec 19 09:44:41 fw kernel: Dropwall:IN=eth1 OUT= MAC=00:06:29:26:00:94:00:11:5b:d4:c6:75:08:00 SRC=192.168.0.11 DST=192.168.0.1 LEN=378 TOS=0x00 PREC=0x00 TTL=128 ID=31212 DF PROTO=TCP SPT=1257 DPT=3128 WINDOW=15753 RES=0x00 ACK PSH URGP=0

    If the firewall rules are set up like this (removing the DROPs):


    #!/bin/sh
    # Firewall script
    #
    #
    ###################################################
    # Basic definitions
    ###################################################
    IPTABLES="/sbin/iptables"

    # ENABLE ROUTING
    #
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

    ###################################################
    # Flush everything
    ###################################################

    $IPTABLES -F
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X

    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    ############################################################
    # NAT - NETWORK ADDRESS TRANSLATION
    ############################################################

    # Transparent proxy: LAN traffic to port 80 is redirected to squid on 3128
    $IPTABLES -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
    # squid only listens on TCP, so this UDP rule has no effect
    $IPTABLES -t nat -A PREROUTING -p udp -i eth1 --dport 80 -j REDIRECT --to-port 3128

    ####
    # Internal (private) network
    ####

    $IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
    $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

    ####
    # Loopback interface
    ####
    $IPTABLES -A INPUT -i lo -j ACCEPT

    Then it works. What is missing? Do I have to create another rule for port 3128? How do I do that, and at what point in the script should it be included...

    Thanks in advance.
    WASLEY

#2
    felco
    Guest

    Problems with squid port redirection

    To find out where it is dropping, you have to put LOG rules in your CHAINS, then you try to open connections and keep checking the log... it is quite laborious...

    There is a very nice firewall project... it is called tuxfrw, take a look at it; it tries to be quite restrictive.
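Added example (not code from either post): a POSIX sh helper for the log-driven diagnosis felco describes, which parses a netfilter LOG line in the "Dropwall:" format WASLEY posted, works out from the IN=/OUT= interfaces which chain dropped the packet, and prints the narrowest ACCEPT rule that would match it. The function names and the sample line are my own (the sample is modelled on the log line in post #1).

```sh
#!/bin/sh
# Parse a netfilter LOG line and suggest the minimal ACCEPT rule for it.

# Sample line, constructed from the one in post #1 (MAC field shortened).
SAMPLE_LINE='Dec 19 09:44:41 fw kernel: Dropwall:IN=eth1 OUT= MAC=00:06:29:26:00:94:00:11:5b:d4:c6:75:08:00 SRC=192.168.0.11 DST=192.168.0.1 LEN=378 TOS=0x00 PREC=0x00 TTL=128 ID=31212 DF PROTO=TCP SPT=1257 DPT=3128 WINDOW=15753 RES=0x00 ACK PSH URGP=0'

# field LINE KEY: print the value of KEY= in LINE (empty if absent or blank,
# as OUT= is for locally delivered packets).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ :]$2=\([^ ]*\).*/\1/p"
}

# chain_for LINE: which filter chain logged the packet.
# IN only -> INPUT, OUT only -> OUTPUT, both -> FORWARD.
chain_for() {
    in_if=$(field "$1" IN)
    out_if=$(field "$1" OUT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo FORWARD
    elif [ -n "$in_if" ]; then
        echo INPUT
    else
        echo OUTPUT
    fi
}

# suggest_rule LINE: the narrowest ACCEPT rule matching the dropped packet
# (interface, protocol, destination address and, when present, port).
suggest_rule() {
    chain=$(chain_for "$1")
    proto=$(field "$1" PROTO | tr '[:upper:]' '[:lower:]')
    dst=$(field "$1" DST)
    dport=$(field "$1" DPT)
    case $chain in
        INPUT)   iface="-i $(field "$1" IN)" ;;
        OUTPUT)  iface="-o $(field "$1" OUT)" ;;
        FORWARD) iface="-i $(field "$1" IN) -o $(field "$1" OUT)" ;;
    esac
    rule="iptables -A $chain $iface -p $proto -d $dst"
    if [ -n "$dport" ]; then
        rule="$rule --dport $dport"
    fi
    printf '%s -j ACCEPT\n' "$rule"
}

suggest_rule "$SAMPLE_LINE"
```

For the thread's line this prints an INPUT rule for eth1, TCP, 192.168.0.1:3128, which is the traffic the first script's INPUT DROP policy was catching.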