Firewall Routing Configuration

1. Firewall Routing Configuration

Bruno Moroz
legalnet

(uses KUbuntu)

Posted on 11/10/2011 - 14:40h

Folks.
I did the firewall configuration, I already made it executable with chmod 750 /etc/init.d/firewall, created the symbolic link with ln -s /etc/init.d/firewall /etc/rc2.d/S99firewall, and even so it is not sharing the internet through squid.
The internal network is already configured and pings the proxy server normally.
See if there is anything wrong in my script.


--------------- Firewall-------------------------

#!/bin/bash
# firewall script
# Version - 0.0.1

# Flushing previous rules
echo "Flushing firewall rules"
iptables -F
iptables -t nat -F
iptables -t mangle -F
#
# General block
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT ACCEPT
#echo "Done."
#
echo "Ativando roteamento no sistema"
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

########################## Generating ping logs ##########################
#iptables -A INPUT -p icmp -j LOG
#iptables -A INPUT -p tcp -j LOG
#iptables -A INPUT -p tcp -j LOG

########################## Enabling NAT routing ##########################
echo "Ativando o roteamento NAT"
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

######################### Teste Center V2 #########################
echo "teste"
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5545:5549 -j DNAT --to 192.168.0.110
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 5545:5549 -j DNAT --to 192.168.0.110
#iptables -A FORWARD -d 192.168.0.1 --dport 5545 -j DNAT --to 192.168.0.110
#iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5546 -j DNAT --to 192.168.0.110:5546
#iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5547 -j DNAT --to 192.168.0.110:5547
#iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5548 -j DNAT --to 192.168.0.110:5548
#iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5549 -j DNAT --to 192.168.0.110:5549
#echo "udp"
#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5545 -j DNAT --to 192.168.0.110:5545
#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5546 -j DNAT --to 192.168.0.110:5546
#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5547 -j DNAT --to 192.168.0.110:5547
#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5548 -j DNAT --to 192.168.0.110:5548
#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5549 -j DNAT --to 192.168.0.110:5549
#iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5546 -j LOG
#iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5547 -j LOG
#iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5547 -j LOG
#iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5548 -j LOG
#iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5548 -j LOG
#iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5549 -j LOG
#iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5549 -j LOG
##############################################################################################
#echo "Bloqueando roteamento p/ ip 192.168.0.110."
#iptables -A FORWARD -p udp -s 192.168.0.110 -j DROP
#echo "Done"
#############################################################################################
echo "regra para proxy transparente"
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "Done"
##############################################################################################
echo "Ativando Mascaramento"
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo "Done"
#######################################




-----------------squid---------------------


http_port 192.168.0.1:3128 transparent
cache_mem 256 MB
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
error_directory /usr/share/squid/errors/Portuguese
emulate_httpd_log on
visible_hostname Proxy
maximum_object_size_in_memory 1024 KB
maximum_object_size 700 MB
minimum_object_size 1 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

acl all src 0.0.0.0/0.0.0.0
acl redelocal src 192.168.0.0/24
acl blockedsites url_regex -i "/etc/squid/block.txt"
acl unblockedsites url_regex "/etc/squid/unblock.txt"
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localhost
#http_access allow redelocal
http_access deny blockedsites !unblockedsites
#http_access allow unblockedsites
http_access allow all




---------------------------ifconfig----------------------


eth0 Link encap:Ethernet Endereço de HW 00:05:00:19:1a:de
inet end.: 192.168.10.101 Bcast:255.255.255.255 Masc:255.255.255.0
endereço inet6: fe80::205:ff:fe19:1ade/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:2561 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:2684 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:1000
RX bytes:2698803 (2.6 MB) TX bytes:468418 (468.4 KB)
IRQ:19 Endereço de E/S:0xdf00

eth1 Link encap:Ethernet Endereço de HW 6c:f0:49:fb:ef:cd
inet end.: 192.168.0.1 Bcast:192.168.0.255 Masc:255.255.255.0
endereço inet6: fe80::6ef0:49ff:fefb:efcd/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:78 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:67 erros:0 descartados:0 excesso:0 portadora:1
colisões:0 txqueuelen:1000
RX bytes:9083 (9.0 KB) TX bytes:10014 (10.0 KB)
IRQ:42

lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACK RUNNING MTU:16436 Métrica:1
pacotes RX:164 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:164 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:0
RX bytes:12934 (12.9 KB) TX bytes:12934 (12.9 KB)



  


2. Re: Firewall Routing Configuration

Natanael Henrique
natanaelhenrique

(uses Arch Linux)

Posted on 11/10/2011 - 17:45h


http_access allow localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localhost
#http_access allow redelocal
http_access deny blockedsites !unblockedsites
#http_access allow unblockedsites
http_access allow all


You forgot to uncomment the redelocal rule in squid. The way it is, the firewall configuration actually works, but squid gives "access denied" because the IPs of your network are not being authorized.

It is also worth pointing out that a block has to refer to someone (machine, user), but you did not specify who you are blocking/unblocking for.

Change it so that it looks like this:


http_access allow localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blockedsites !unblockedsites
http_access allow redelocal unblockedsites
http_access deny all !redelocal
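Squid evaluates http_access lines top to bottom, first match wins, and when no line matches it applies the opposite of the last line's action. The Python model below is an added example, not code from the thread: it replays the src/url_regex lines of the original configuration and of the corrected list above against constructed requests, with inline regex lists standing in for /etc/squid/block.txt and unblock.txt and 10.0.0.5 as a constructed outside client.

```python
import ipaddress
import re

# Constructed ACL table mirroring the thread's squid.conf. The url_regex lists
# are sample values standing in for /etc/squid/block.txt and unblock.txt.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "redelocal": ("src", ["192.168.0.0/24"]),
    "blockedsites": ("url_regex", [r"facebook\.com", r"orkut\.com"]),
    "unblockedsites": ("url_regex", [r"facebook\.com/legal"]),
}

def acl_matches(name, req):
    """True if the named ACL matches the request {'src': ip, 'url': str}."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    return any(re.search(v, req["url"], re.I) for v in values)

def http_access(rules, req):
    """First-match evaluation of squid http_access lines.

    rules: list of (action, [acl, "!acl", ...]); every term must match.
    If no line matches, squid uses the opposite of the last line's action.
    """
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Only the src/url_regex lines of each variant are modelled here.
ORIGINAL = [
    ("deny", ["blockedsites", "!unblockedsites"]),
    ("allow", ["all"]),
]
FIXED = [
    ("deny", ["blockedsites", "!unblockedsites"]),
    ("allow", ["redelocal", "unblockedsites"]),
    ("deny", ["all", "!redelocal"]),
]

if __name__ == "__main__":
    # Constructed requests: a LAN client and an outside client (10.0.0.5).
    for src, url in [("192.168.0.50", "http://example.com/"),
                     ("192.168.0.50", "http://www.facebook.com/"),
                     ("192.168.0.50", "http://www.facebook.com/legal"),
                     ("10.0.0.5", "http://example.com/")]:
        req = {"src": src, "url": url}
        print(f"{src:14} {url:32} original={http_access(ORIGINAL, req):5} "
              f"fixed={http_access(FIXED, req)}")
```

Running it shows that the original list admits the outside client as well (allow all is unconditional), while in the corrected list an ordinary LAN request is admitted only by squid's implicit default, the opposite of the final deny.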



3. Re: Firewall Routing Configuration

Emanuel Gomes do Carmo
emanuel_gomes

(uses Debian)

Posted on 24/10/2011 - 20:39h

legalnet wrote: [quotes the original post above in full]
I think your firewall has a redundancy that may be interfering; I don't know whether it affects anything, correct me if I'm wrong:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Note the different network interfaces. In mine I always use only one!



4. Re: Firewall Routing Configuration

Removed profile
removido

(uses None)

Posted on 25/10/2011 - 15:48h

Good afternoon Emanoel,

There is no problem in doing the redirect from port 80 to squid's 3128 on both interfaces. In that scenario squid would be listening on port 80 on both interfaces without problems; I use it here on the WAN interface to do reverse proxying for web servers in a DMZ, for example. ok !!

Regards,
Tiago Eduardo Zacarias
LPIC-1





