Pessoal bom dia!
Essa semana implementei um servidor proxy usando squid + um firewall
iptables. Tudo funciona direito porém o MSN não conecta. Todas as
versões são a live.
Os arquivos do firewall e do squid estão abaixo
Alguma ideia?
[]´s
Victor
Arquivo de Firewall
#!/bin/sh
# Variáveis
# -------------------------------------------------------
iptables=/sbin/iptables
IF_EXTERNA=ppp0
IF_INTERNA=eth1
# Ativa módulos
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
# Ativa roteamento no kernel
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward
# Proteção contra IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Zera regras
# -------------------------------------------------------
$iptables -F
$iptables -X
$iptables -F -t nat
$iptables -X -t nat
$iptables -F -t mangle
$iptables -X -t mangle
# Determina a política padrão
# -------------------------------------------------------
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
#################################################
# Tabela FILTER
#################################################
# Dropa pacotes TCP indesejáveis
# -------------------------------------------------------
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG
--log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
$iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Dropa pacotes mal formados
# -------------------------------------------------------
$iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6
--log-prefix "FIREWALL: pacote mal formado: "
$iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP
# Aceita os pacotes que realmente devem entrar
# -------------------------------------------------------
$iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Proteção contra trinoo
# -------------------------------------------------------
$iptables -N TRINOO
$iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6
--log-prefix "FIREWALL: trinoo: "
$iptables -A TRINOO -j DROP
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO
# Proteção contra tronjans
# -------------------------------------------------------
$iptables -N TROJAN
$iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6
--log-prefix "FIREWALL: trojan: "
$iptables -A TROJAN -j DROP
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 666 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 4000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6000 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 6006 -j TROJAN
$iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 16660 -j TROJAN
# Proteção contra worms
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT
# Proteção contra syn-flood
# -------------------------------------------------------
$iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Proteção contra ping da morte
# -------------------------------------------------------
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit
1/s -j ACCEPT
# Proteção contra port scanners
# -------------------------------------------------------
$iptables -N SCANNER
$iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6
--log-prefix "FIREWALL: port scanner: "
$iptables -A SCANNER -j DROP
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j
SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i
$IF_EXTERNA -j SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j
SCANNER
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j
SCANNER
# Libera acesso externo a determinadas portas
# -------------------------------------------------------
$iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j ACCEPT
#################################################
# Tabela NAT
#################################################
# Ativa mascaramento de saída
# -------------------------------------------------------
$iptables -A POSTROUTING -t nat -o $IF_EXTERNA -j MASQUERADE
# Proxy transparente
# -------------------------------------------------------
#$iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j
REDIRECT --to-port 3128
SQUID.CONF
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 65535 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_access_log /var/log/squid/access.log
visible_hostname proxy.int
acl all src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl sites_proibidos dstdom_regex "/etc/squid/sites_proibidos"
acl ips_liberados src "/etc/squid/ips_liberados"
acl ips_proibidos src "/etc/squid/ips_proibidos"
acl sites_liberados dstdom_regex "/etc/squid/sites_liberados"
acl extensoes urlpath_regex -i "/etc/squid/extensoes"
http_access allow ips_liberados
http_access deny extensoes
http_access deny ips_proibidos !sites_liberados
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny sites_proibidos
cache_mgr [EMAIL PROTECTED]
---------------------------------------------------------------------------
Esta lista é patrocinada pela Conectiva S.A. Visite http://www.conectiva.com.br
Arquivo: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
Regras de utilização da lista: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html
