felipepetitto
(usa Outra)
Enviado em 04/08/2012 - 17:00h
Boa tarde,
Estou tendo problemas ao configurar meu firewall para bloquear todos de entrarem no MSN com exceção dos usuários e/ou IP's que eu colocar.
No caso não estou conseguindo nem bloquear a entrada do MSN por isso não criei a regra de IP's liberados.
Por favor, me ajudem! Preciso desse firewall rodando na segunda-feira e é só o que resta pra ser feito.
Segue abaixo os confs do Squid e Firewall:
FIREWALL:
#!/bin/sh
#Configuracao de Variaveis.
IPT=/sbin/iptables
NET=eth0
REDE=eth1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
fi
#Ativando syn cookies protecao no kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#Setando o kernel para dinamico IP masquerado
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi
#Flushing all e criando chains.
$IPT -F
$IPT -F -t nat
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -t mangle -F
$IPT -t nat -F
$IPT -X
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_tables
modprobe sch_htb
$IPT --flush
$IPT --table nat --flush
$IPT --table mangle --flush
$IPT --table filter --flush
$IPT --delete-chain
$IPT --table nat --delete-chain
$IPT --table mangle --delete-chain
$IPT --table filter --delete-chain
#Bloqueaia tudo
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPT -N TRINOO
$IPT -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
$IPT -A TRINOO -j DROP
$IPT -A INPUT -p TCP -i $NET --dport 27444 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 27665 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 31335 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 34555 -j TRINOO
$IPT -A INPUT -p TCP -i $NET --dport 35555 -j TRINOO
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPT -N TROJAN
$IPT -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
$IPT -A TROJAN -j DROP
$IPT -A INPUT -p TCP -i $NET --dport 666 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 666 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 4000 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 6000 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 6006 -j TROJAN
$IPT -A INPUT -p TCP -i $NET --dport 16660 -j TROJAN
$IPT -A FORWARD -p tcp --dport 1214 -j REJECT
$IPT -A FORWARD -p udp --dport 1214 -j REJECT
$IPT -A FORWARD -d 213.248.112.0/24 -j REJECT
$IPT -A FORWARD -d 206.142.53.0/24 -j REJECT
$IPT -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -N SCANNER
# Capturando o IP da Internet
ipnet=$1
ipnet=`ifconfig $NET| grep addr:| cut -f2 -d:| cut -f1 -d " "`
echo $ipnet
# Liberando as PORTAS
INTERNAS="5222,5223,22,3128,9090,10000,80,139,445"
EXTERNAS="22,10000"
$IPT -A INPUT -p tcp -m multiport --dport $INTERNAS -i $REDE -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dport $INTERNAS -i $REDE -j ACCEPT
#Para IP especifico: $IPT -A INPUT -p tcp --dport 22 -i $REDE -j ACCEPT -s 10.10.0.1
$IPT -A INPUT -p tcp -m multiport --dport $EXTERNAS -i $NET -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dport $EXTERNAS -i $NET -j ACCEPT
#Liberar um IP - LIBERAR UM IP NO FIREWALL (AD, SERVIDORES, DIRETORIA)
$IPT -t nat -A PREROUTING -i $REDE -p tcp -s 192.168.0.16 -j RETURN
# Desvios do SISTEMA
$IPT -t nat -A PREROUTING -i $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128
# Desvios Externos
$IPT -t nat -A PREROUTING -d $ipnet -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.16
$IPT -t nat -A PREROUTING -d $ipnet -p udp --dport 3389 -j DNAT --to-destination 192.168.0.16
$IPT -t nat -A PREROUTING -d $ipnet -p tcp --dport 10000 -j DNAT --to-destination 192.168.0.50
$IPT -t nat -A PREROUTING -d $ipnet -p udp --dport 10000 -j DNAT --to-destination 192.168.0.50
# Compartilha a Internet
$IPT -t nat -A POSTROUTING -o $NET -j MASQUERADE
$IPT -A FORWARD -i $NET -j ACCEPT
SQUID:
acl all src all
acl manager proto cache_object
acl localhost src 192.168.0.0/24
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
############################### Autenticacao via passwd ##########################
access_log /var/log/squid/access.log squid
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
#auth_param basic realm Digite seu Login
#acl autenticacao proxy_auth REQUERID
###################################################################################
############################## Autenticacao via AD ###############################
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=************,dc=com,dc=br" -D "cn=Linux,cn=Users,dc=**********,dc=com,dc=br" -w "******" -f sAMAccountName=%s -h 192.168.0.16
auth_param basic realm Acesso Controlado
auth_param basic children 5
auth_param basic credentialsttl 400 minutes
acl password proxy_auth REQUIRED
##################################################################################
#################################### ACLS #########################################
acl dld urlpath_regex -i "/ikd/squid/dld"
acl padrao url_regex -i "/ikd/squid/padrao"
acl blnivel1 url_regex -i "/ikd/squid/blnivel1"
acl blnivel2 url_regex -i "/ikd/squid/blnivel2"
acl liberados url_regex -i "/ikd/squid/liberados"
acl ipliberado src "/ikd/squid/ipliberado"
external_acl_type checa_diretoria %LOGIN /ikd/squid/diretoria.sh
acl diretoria external checa_diretoria "/ikd/squid/diretoria"
external_acl_type checa_n1 %LOGIN /ikd/squid/n1.sh
acl nivel1 external checa_n1 "/ikd/squid/nivel1"
external_acl_type checa_n2 %LOGIN /ikd/squid/n2.sh
acl nivel2 external checa_n2 "/ikd/squid/nivel2"
###################################################################################
##################################### teste apagar ############################
external_acl_type passa_url %URI /ikd/squid/videos.sh
acl videos external passa_url "/ikd/squid/videos"
##############################################################################
#portas confiáveis de sites
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#####################################
http_access deny padrao
http_access allow diretoria
http_access allow ipliberado
http_access allow videos
http_access deny dld
http_access deny blnivel1 !liberados
http_access allow nivel1
http_access deny blnivel2 !liberados
http_access allow nivel2
#####################################
http_access allow localhost
http_port 3128 transparent
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
error_directory /usr/share/squid/errors/Portuguese
Obrigado!
Felipe