IPTABLES+SQUID+SCRIPT=AJUDEM-ME
Olá lista to com o seguinte problema tenho um micro configurado
com apache,bind9,qmail,vpopmail,qmailadmin e iptables. Carregei
o iptables para minha rede navegar na net com a seguinte linha
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Com isso fico sem nenhum controle de paguinas de sexo,icq,
messenger,bate-papo e assim vai.... estah tudo liberdo Ai instalei
o squid criei minhas acl's e configurei meu servidor pra ser um proxy
transparente, ateh ai td bem. Ai removi a linha #iptables -t nat -A
POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
e adicionei
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
e reiniciei o squid, depois disso minha rede naum acessa os sites
bloqueados ou seja o squid tah certinho - acho - porém alguns sites
como de bancos naum abrem mais ai precisei liberar td de novo. Voltei a ler
uns artigos sobre iptables mais naum entendi muito bem, tipo atualmente meu
micro estah como um gateway somente e naum como um firewall - correto ? -
ai peguei este script na net e executei no meu servidor soh q minha rede
naum navega poderiam me ajudar ?
Tipo tenho um micro soh como webserver,proxy,fierewall tah td no mesmo
micro.
Tipo soh quero liberar o acesso a net sendo filtrado pelo squid
e tb liberar o acesso irrestrito a alguns ip's como 192.168.1.86
192.168.1.171 isso eu faço no squid ou iptables ?
#!/bin/bash
clear
echo
"========================================================================"
echo "----------------- CARREGANDO FIREWAL --------------------------------
--"
echo
"========================================================================"
ANY="0.0.0.0/0"
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
NAT_FILE=/sbin/firewall.nat
######################
# Carrega modulos
echo -n "Carregando Módulos... "
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
echo "Módulos Carregados!"
###########################################
echo -n "Iniciando Regras... "
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT
###########################################
# Somente em casos raros mude essas regras
$IPTABLES -A INPUT -p all -s $ANY -d $ANY -i lo0 -j ACCEPT
$IPTABLES -A INPUT -p all -s 127.0.0.0/8 -d 127.0.0.0/8 -j DROP
echo "Regras Iniciadas!"
###########################################
# configure sua interface externa
# oif = interface externa
# onet = endereco da rede externa
# omask = mascara da rede externa
# oip = endereco IP da interface externa
oif="eth1"
onet="200.206.190.0"
omask="255.255.255.192"
oip="200.206.190.252"
###########################################
# configure sua interface interna
# iif = interface interna
# inet = endereco da rede interna
# imask = mascara da rede interna
# iip = endereco IP da interface interna
iif="eth0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"
###############################
# indique suas redes internas
inets="192.168.1.0"
######################################################################
# Indique os enderecos de broadcast das redes internas (contra SMURF)
ibroad="192.168.1.255"
################################
# Enderecos de redes reservadas
netsReservadas="172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 0.0.0.0/32
255.255.255.255/32 169.254.0.0/16 192.0.2.0/24"
###############################
# Servidores de DNS externos
ipdnsext="200.206.190.1 200.204.0.10 200.204.0.138"
########################################
# indique os Servidores de DNS internos
ipdns="192.168.1.1"
##########################################
# indique os Servidores de FTP da Unidade
ipftp="192.168.1.1"
##################################
# indique os Servidores de Telnet
iptelnet=""
###############################
# indique os Servidores de Ssh
ipssh="192.168.1.1"
################################
# indique os Servidores de SMTP
# (sendmail, postfix, etc)
#
ipsmtp="192.168.1.1"
################################
# indique os Servidores de Pop3
ippop="192.168.1.1"
################################
# indique os Servidores de IMAP
ipimap="192.168.1.1"
####################################
# indique os Servidores de IMAP/SSL
ipimaps="192.168.1.1"
################################
# indique os Servidores de HTTP
iphttp="192.168.1.1"
#################################
# indique os Servidores de HTTPS
iphttps="192.168.1.1"
#################################
# indique os Servidores Webmin
ipwebmin="192.168.1.1"
######### Regras ##############
# Barra (RFC1918, nulas, loopback)
for vnet in ${netsReservadas}; do
$IPTABLES -A INPUT -s ${vnet} -i ${oif} -j DROP
done
#################################
# Permite tudo saindo da Unidade
echo -n "Permitindo tudo saindo da unidade..."
for vinet in ${inets}; do
$IPTABLES -A OUTPUT -s ${vinet} -o ${oif} -j ACCEPT
done
echo "Permissão carregada!"
##################################
# NAT
echo -n "Iniciando NAT... "
$NAT_FILE
echo "NAT iniciado!"
##############################
# Permite conexoes Multicast
echo -n "Permitindo conexões multicast... "
$IPTABLES -A INPUT -p ip -d 224.0.0.0/4 -j ACCEPT
$IPTABLES -A INPUT -p ip -s 224.0.0.0/4 -j ACCEPT
$IPTABLES -A INPUT -p igmp -s ${onet}/${omask} -d ${oip} -i ${oif} -j
ACCEPT
echo "conexões multicast permitidas"
##############################
# Permite OSPF para o Gateway
$IPTABLES -A INPUT -p ospf -s ${onet}/${omask} -d ${oip} -j ACCEPT
###################################
# Barra ICMP para broadcast (SMURF)
echo -n "Bloqueando ICMP..."
for vip in ${ibroad}; do
$IPTABLES -A INPUT -p icmp -d ${vip} -i ${oif} -j DROP
$IPTABLES -A INPUT -p icmp -d ${vip} -i ${oif} -j LOG
done
echo "ICMP Bloqueado!"
################
# Permite ICMP
#echo -n "Permitindo ICMP..."
#for vinet in ${inets}; do
# $IPTABLES -A INPUT -p icmp -d ${vinet} -i ${oif} -j ACCEPT
#done
#echo "...Feito!"
####################################################################
# Permite NTP (Network Time Protocol)
#echo -n "Permitindo NTP...
#$IPTABLES -A INPUT -p udp --source-port 123 -d ${oip} -i ${oif} -j ACCEPT
#for vinet in ${inets}; do
# $IPTABLES -A INPUT -p udp --source-port 123 -d ${vinet} -i ${oif} -j
ACCEPT
#done
#echo "...Feito!"
####################################
# Allow udp through if ports > 1023
for vinet in ${inets}; do
$IPTABLES -A INPUT -p udp -d ${vinet} --destination-port 1023: -i ${oif} -j
ACCEPT
done
###############################
# Permite comunicacao para DNS externo
echo -n "Permitindo comunicação com DNS... "
for vip in ${ipdnsext}; do
$IPTABLES -A INPUT -p udp -s ${vip} --source-port 53 --destination-port
1023: -i ${oif} -j ACCEPT
done
echo "Permissão Realizada"
#################################
# Permite comunicação com DNS interno
#for vip in ${ipdns}; do
# $IPTABLES -A INPUT -p udp --source-port 1023: -d ${vip} --destination-
port 53 -i ${oif} -j ACCEPT
# $IPTABLES -A INPUT -p udp --source-port 53 -d ${vip} --destination-port
1023: -i ${oif} -j ACCEPT
# $IPTABLES -A INPUT -p udp --source-port 53 -d ${vip} --destination-port
53 -i ${oif} -j ACCEPT
# for vip2 in ${ipdnsext}; do
# $IPTABLES -A INPUT -p tcp -s ${vip2} --source-port 1023: -d ${vip} --
destination-port 53 -i ${oif} -j ACCEPT
# done
#done
#echo "Feito!"
#####################################
# Permite conexoes TCP "established"
echo "Permite conexões TCP established... "
$IPTABLES -A INPUT -p tcp -d ${oip} -i ${oif} ! --syn -j ACCEPT
for vinet in ${inets}; do
$IPTABLES -A INPUT -p tcp -d ${vinet} -i ${oif} ! --syn -j ACCEPT
done
echo "Permissão Realizada!"
############################
# Permite AUTH
echo -n "PERMITINDO AUTH..."
$IPTABLES -A INPUT -p tcp --destination-port 113 --syn -j ACCEPT
echo "PERMISSÃO REALIZADA!"
###############################################
# Permite acessos a servidores de FTP internos
#
echo "Permitindo FTP Interno... "
for vip in ${ipftp}; do
$IPTABLES -A INPUT -p tcp -d ${vip}21 -i ${oif} --syn -j ACCEPT
done
echo "Permissão Concluída!"
###################################################
# Permite acesso a servidores de FTP (passive mode)
#for vip in ${ipftp}; do
# $IPTABLES -A INPUT -p tcp --source-port 1023: -d ${vip} 1023: -i ${oif} --
syn -j ACCEPT
#done
########################################
# Permite FTP DATA CHANNEL (active mode)
# Nao recomendamos a utilizacao de active mode em seus clientes
# Utilize o PASSIVE MODE
# Mesmo assim se desejar utilizar o active mode, descomente as
# linhas abaixo
#for vinet in ${inets}; do
# $IPTABLES -A INPUT -p tcp --source-port 20 -d ${vinet} 1023: -i ${oif} --
syn -j ACCEPT
#done
##########################################
# Permite TELNET para servidores internos
# Nos NAO recomendamos a utilizacao de telnet
# para a comunicao entre as maquinas.
# Utilize o SSH para fazer isso.
# Mesmo assim que quiser utilizar TELNET,
# libere as linhas abaixo
#for vip in ${iptelnet}; do
# $IPTABLES -A INPUT -l -p tcp -d ${vip} 23 -i ${oif} --syn -j ACCEPT
#done
#############################
# Permite conexoes via SSH
echo -n "Permitindo SSH..."
for vip in ${ipssh}; do
$IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 22 -j LOG
done
echo "SSH Permitido!"
#############################
# Permite conexoes Webmin
echo -n "Permitindo Webmin..."
for vip in ${ipwebmin}; do
$IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 10101 -j ACCEPT
done
echo "Webmin permitido!"
####################################################
# Permite conexoes de SMTP para servidores internos
#for vip in ${ipsmtp}; do
# $IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 25 -i ${oif} --syn
-j ACCEPT
#done
####################################################
# Permite conexoes de POP3 para servidores internos
# NAO recomendamos a utilizacao de POP3 para clientes
# que estejam fora de sua rede.
# No lugar voce pode utilizar IMAP/SSL ou instalar
# um WEBMAIL em seu servidor.
# Mesmo assim se quiser utilizar POP3 libere as regras
# abaixo
#for vip in ${ippop}; do
# $IPTABLES -A INPUT -l -p tcp -d ${vip} 110 -i ${oif} --syn -j ACCEPT
#done
####################################################
# Permite conexoes de IMAP para servidores internos
# De preferencia a utilizar IMAP/SSL (porta 993/TCP)
# ao inves de IMAP (porta 143/TCP)
# Mas, mesmo assim, se quiser utilizar IMAP sem SSL
# libere as linhas abaixo
#for vip in ${ipimap}; do
# $IPTABLES -A INPUT -l -p tcp -d ${vip} 143 -i ${oif} --syn -j ACCEPT
#done
########################################################
# Permite conexoes de IMAP/SSL para servidores internos
#for vip in ${ipimap}; do
# $IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 993 -i ${oif} --
syn -j ACCEPT
# $IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 993 -i ${oif} --
syn -j LOG
#done
###################################################
# Permite conexoes de HTTP para servidores internos
echo -n "Permitindo HTTP..."
for vip in ${iphttp}; do
$IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 80 -i ${oif} --syn -
j ACCEPT
done
echo "Feito!"
#######################################################
# Permite conexoes de HTTP/SSL para servidores internos
for vip in ${iphttps}; do
$IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 443 -i ${oif} --syn -
j ACCEPT
$IPTABLES -A INPUT -p tcp -d ${vip} --destination-port 443 -i ${oif} --syn -
j LOG
done
#############################
# Permite Traceroute
#echo -n "Permitindo Traceroute..."
#for vinet in ${inets}; do
# $IPTABLES -A INPUT -p udp -d ${vinet} --destination-port 32000: -i ${oif}
-j ACCEPT
#done
#echo "Feito!"
#############################
# Permite ICQ
#echo -n "Permitindo ICQ..."
#for vinet in ${inets}; do
# $IPTABLES -A INPUT -p udp --source-port 4000 -d ${vinet} -i ${oif} -j
ACCEPT
# $IPTABLES -A INPUT -p udp -s ${vinet} --destination-port 4000 -j ACCEPT
# $IPTABLES -A INPUT -p udp --source-port 5190 -d ${vinet} -i ${oif} -j
ACCEPT
# $IPTABLES -A INPUT -p udp -s ${vinet} --destination-port 5190 -j ACCEPT
#done
#echo "Feito!"
###################################################################
# Permite todo trafego entrando ou saindo em sua interface externa
$IPTABLES -A INPUT -i ${iif} -j ACCEPT
$IPTABLES -A OUTPUT -o ${iif} -j ACCEPT
#######################################
# TODO O RESTO EH BLOQUEADO POR DEFAULT
####################################### echo
"=============================================================================="
echo "----------------------- FIREWALL CARREGADO --------------------------
--------"
echo
"=============================================================================="
Grato pela atenção Josemar Vieira
icq 33495727
Reply to: