Firewall corrompe downloads e uploads

1. Firewall corrompe downloads e uploads

Bruno D F
brunodifr

(usa Ubuntu)

Enviado em 05/09/2012 - 14:13h

Boa Tarde galera...
sou novo por aqui.

tenho um firewall com squid aqui na empresa mas estou tendo problemas...
ele corrompe arquivos tanto no UP quanto no DOWN

também não está bloqueando MSN, ARES, ULTRASURF, REEGATE etc.

queria saber se alguém poderia me dar uma luz quanto ao meu arquivo de iptables.

Sou meio leigo com firewalls. Queria saber o que poderia melhorar.
Obrigado

segue o arquivo do firewall e do squid.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>



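#!/bin/sh
#
# Gateway firewall: one WAN interface, two LAN interfaces, NAT for the LANs
# and transparent redirection of LAN HTTP traffic to a local Squid on 3128.
#
# Usage: run as root once the interfaces are up. Every table is flushed at
# the start, so re-running the script replaces the rule set in full.
#
# iptables evaluates rules top-down and the first match wins, so the order
# of the sections below is part of the policy. Comments marked NOTE(review)
# point at rules whose position or scope deserves a second look.

# An unset interface variable would expand to "" and silently turn an
# interface-bound rule into one that matches every interface; fail instead.
set -u

echo "Variaveis"
# -------------------------------------------------------

IF_EXTERNA=eth0      # Internet-facing interface
IF_INTERNA01=eth1    # first LAN segment
IF_INTERNA02=eth2    # second LAN segment
#IF_LINUX=eth2

# LAN hosts that bypass the transparent proxy (see the NAT section).
PROXY_BYPASS="172.16.4.2 172.16.4.11 172.16.4.12 172.16.4.13 172.16.4.14 172.16.4.15"

# LAN host that receives the camera ports forwarded from the WAN.
CAMERAS_HOST=172.16.4.20
CAMERAS_PORTS="9000 8010 34567"

# LAN host that receives RDP (3389) forwarded from the WAN.
TS_HOST=172.16.4.2

echo "Ativa modulos "
# -------------------------------------------------------
# NOTE(review): ip_conntrack / ip_nat_ftp are the legacy module names; newer
# kernels ship them as nf_conntrack / nf_nat_ftp, usually with aliases.
# modprobe failures are not fatal here, so check the output on a new kernel.
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE


echo "Ativa roteamento no kernel"
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward


echo "Protecao contra IP spoofing"
# -------------------------------------------------------
# NOTE(review): the kernel combines conf/all/rp_filter with the per-interface
# value; confirm conf/<iface>/rp_filter is not forced to 0 elsewhere.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter


echo "Zera regras"
# -------------------------------------------------------
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle


echo "Determina a politica padrao"
# -------------------------------------------------------
# Default deny on every chain; everything below is an explicit allow.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


############################## ###########################
echo "Tabela FILTER"
############################## ###########################


echo "Dropa pacotes TCP indesejaveis"
# -------------------------------------------------------
# A NEW TCP connection must start with SYN; anything else is bogus.
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP


echo "Dropa pacotes mal formados"
# -------------------------------------------------------
# NOTE(review): the "unclean" match was removed from mainline kernels long
# ago. When it is missing, iptables prints an error and this rule is simply
# not installed; the script keeps going.
iptables -A INPUT -i "$IF_EXTERNA" -m unclean -j DROP


echo "Aceita os pacotes que realmente devem entrar"
# -------------------------------------------------------
# Everything arriving on a non-WAN interface is trusted. This makes the
# per-port LAN rules further down redundant (they are never reached).
iptables -A INPUT ! -i "$IF_EXTERNA" -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT accepts NEW as well, so the DROP policy on OUTPUT never applies.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


echo "Protecao contra trinoo"
# -------------------------------------------------------
# With the INPUT policy already DROP, this chain only adds a named place
# to hook logging for these ports; it does not change what is dropped.
iptables -N TRINOO
iptables -A TRINOO -j DROP
for port in 27444 27665 31335 34555 35555; do
  iptables -A INPUT -p TCP -i "$IF_EXTERNA" --dport "$port" -j TRINOO
done


echo "Protecao contra tronjans"
# -------------------------------------------------------
# Same remark as TRINOO. (666 is listed once; a second copy adds nothing.)
iptables -N TROJAN
iptables -A TROJAN -j DROP
for port in 666 4000 6000 6006 16660; do
  iptables -A INPUT -p TCP -i "$IF_EXTERNA" --dport "$port" -j TROJAN
done


echo "Protecao contra worms"
# -------------------------------------------------------
# Keep these BEFORE the FORWARD accept-all below; placed after it they
# can never match, because the accept-all takes every NEW connection.
iptables -A FORWARD -p tcp --dport 135 -i "$IF_INTERNA01" -j REJECT
iptables -A FORWARD -p tcp --dport 135 -i "$IF_INTERNA02" -j REJECT


echo "Protecao contra syn-flood"
# -------------------------------------------------------
# Rate-limited ACCEPT for SYNs. On its own this is a no-op: SYNs above the
# limit just fall through to the accept-all below. Making it a real limiter
# needs a DROP right after it, which would cap NEW connections for the whole
# LAN at 2/s and break ordinary browsing, so it is left as-is on purpose.
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT

# Forward everything else (LAN <-> WAN and the DNAT targets from the NAT
# table). Must stay after the REJECT rules above.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


echo "Protecao contra ping da morte"
# -------------------------------------------------------


echo "Aceita a requisicao do PING"
# Echo requests above 1/s fall through to the INPUT DROP policy.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


echo "Protecao contra port scanners"
# -------------------------------------------------------
# Flag combinations that never occur in a legitimate TCP exchange.
iptables -N SCANNER
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i "$IF_EXTERNA" -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i "$IF_EXTERNA" -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i "$IF_EXTERNA" -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i "$IF_EXTERNA" -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i "$IF_EXTERNA" -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i "$IF_EXTERNA" -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i "$IF_EXTERNA" -j SCANNER

echo "Libera acesso externo a determinadas portas"
# -------------------------------------------------------
# NOTE(review): each rule with -i "$IF_EXTERNA" opens that port on the
# firewall host to the whole Internet. 3306 (MySQL), 21 (FTP), 22 (SSH) and
# 5800/5900 (VNC) are password-protected services; restrict them with
# -s <trusted-source-network> (placeholder) or reach them over a VPN.
iptables -A INPUT -p tcp --dport 443 -i "$IF_EXTERNA" -j ACCEPT
# NOTE(review): nothing in this script serves UDP/443; confirm it is needed.
iptables -A INPUT -p udp --dport 443 -i "$IF_EXTERNA" -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i "$IF_EXTERNA" -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -i "$IF_EXTERNA" -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -i "$IF_EXTERNA" -j ACCEPT
iptables -A INPUT -p tcp --dport 5800 -i "$IF_EXTERNA" -j ACCEPT
iptables -A INPUT -p tcp --dport 5900 -i "$IF_EXTERNA" -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i "$IF_EXTERNA" -j ACCEPT

# The camera ports and 3389 are DNATed in nat/PREROUTING, so packets for
# them traverse FORWARD rather than INPUT; these rules only matter if the
# firewall host itself ever listens on those ports.
for port in $CAMERAS_PORTS 3389; do
  iptables -A INPUT -p tcp --dport "$port" -i "$IF_EXTERNA" -j ACCEPT
done

# LAN-side rules. Redundant while '! -i "$IF_EXTERNA" -j ACCEPT' is in
# place, but kept so the intended LAN services stay documented and survive
# a later tightening of that rule.
iptables -A INPUT -p tcp --dport 3306 -i "$IF_INTERNA02" -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -i "$IF_INTERNA01" -j ACCEPT
# NOTE(review): this uses 172.16.1.0/24 on $IF_INTERNA01, while the proxy
# bypass list in the NAT section uses 172.16.4.x on the same interface;
# confirm which network is actually behind eth1.
iptables -A INPUT -p tcp -i "$IF_INTERNA01" -s 172.16.1.0/24 --dport 139 -j ACCEPT
iptables -A OUTPUT -p tcp -o "$IF_INTERNA01" -d 172.16.1.0/24 --sport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -i "$IF_INTERNA01" -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i "$IF_INTERNA01" -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i "$IF_INTERNA01" -j ACCEPT

############################## ###########################
echo "Tabela NAT"
############################## ###########################


echo "Ativa mascaramento de saida"
# -------------------------------------------------------
iptables -t nat -A POSTROUTING -o "$IF_EXTERNA" -j MASQUERADE


echo "Libera o acesso para sair do Proxy Transparente"
# -------------------------------------------------------
# ACCEPT in nat/PREROUTING ends NAT processing for these sources, so they
# skip the REDIRECT below and reach the Internet directly via MASQUERADE.
# No destination restriction (any destination).
for host in $PROXY_BYPASS; do
  iptables -t nat -A PREROUTING -i "$IF_INTERNA01" -s "$host" -j ACCEPT
done



echo "Redireciona 80 para 3128"
# -------------------------------------------------------
# NOTE(review): intercepted traffic is only handled correctly when Squid's
# http_port carries the interception flag ("transparent" on Squid 3.0,
# "intercept" on later releases); confirm against squid.conf. Also note
# that proxy_auth cannot authenticate intercepted clients, because the
# browser does not know a proxy is involved and never sends credentials.
for iface in "$IF_INTERNA01" "$IF_INTERNA02"; do
  iptables -t nat -A PREROUTING -i "$iface" -p tcp --dport 80 -j REDIRECT --to-port 3128
done

echo "REDIRECIONAMENTO CAMERAS"
# NOTE(review): these publish the camera host to the whole Internet;
# consider restricting with -s <trusted-source-network> (placeholder).
for port in $CAMERAS_PORTS; do
  iptables -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport "$port" -j DNAT --to-destination "$CAMERAS_HOST"
done

echo "REDIRECIONAMENTO TERMINAL SERVER"
# NOTE(review): same remark as the cameras applies to RDP.
iptables -t nat -A PREROUTING -i "$IF_EXTERNA" -p tcp --dport 3389 -j DNAT --to-destination "$TS_HOST"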







>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>




# Squid 3 configuration for the gateway above. LAN browsers are expected to
# authenticate (proxy_auth); the firewall script also REDIRECTs LAN port-80
# traffic to this port.
#
# NOTE(review): this http_port has no "transparent"/"intercept" flag, yet
# the firewall script redirects intercepted port-80 traffic to it. Plain
# ports do not treat such connections as intercepted, and proxy_auth cannot
# be applied to intercepted clients at all -- confirm which mode is intended.
http_port 3128

# Basic authentication against a passwd file. Basic credentials are only
# base64-encoded on the wire, so this is acceptable on a trusted LAN only.
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd

auth_param basic children 5

# Prompt text shown by the browser; the rest of the line is the realm.
auth_param basic realm Digite seu usuario e senha

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

# NOTE(review): visible_hostname expects a single hostname token; this value
# contains a space -- verify Squid accepts it as intended.
visible_hostname PINESI HARDWARE

cache_mgr info.saude@cajamar.sp.gov.br

error_directory /usr/share/squid3/errors/Portuguese



hierarchy_stoplist cgi-bin ?

# Memory cache and object size limits.
cache_mem 256 MB

maximum_object_size_in_memory 64 KB

maximum_object_size 100 MB

# On-disk cache: 2040 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid3 2040 16 256



refresh_pattern ^ftp: 360 20% 10080

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320



access_log /var/log/squid3/access.log



# NOTE(review): neither "localhost" nor "localnet" is referenced by any
# http_access rule below; access is decided purely by proxy_auth.
acl localhost src 127.0.0.1/32

acl localnet src 172.16.4.0/24


# ADMINISTRATORS

acl user_adm proxy_auth "/etc/squid3/user_adm"
# NOTE(review): this allow is evaluated before "deny manager",
# "deny !Safe_ports" and "deny CONNECT !SSL_ports" further down, so an
# authenticated admin bypasses those protections. It is also repeated
# below. The usual layout puts the three structural denies first.
http_access allow user_adm


# USERS

acl user_user proxy_auth "/etc/squid3/user_user"


# bandwidth control (currently disabled: all delay_* lines are commented out)

#delay_pools 2



# no bandwidth restriction

#delay_class 1 2

#delay_parameters 1 -1/-1 -1/-1

#delay_access 1 allow user_adm



# general bandwidth restriction

#delay_class 2 2

#delay_parameters 2 20000/20000 20000/20000

#delay_access 2 allow all



# ACLS

# Standard Squid port/method ACLs.
acl manager proto cache_object
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 2631 # connectivity
acl CONNECT method CONNECT

# block sites

# Case-insensitive URL regex list of blocked sites.
acl sites_negados url_regex -i "/etc/squid3/bloqueados/block.txt"

# allow sites

# Case-insensitive URL regex list of always-allowed sites.
acl sites_liberados url_regex -i "/etc/squid3/bloqueados/unblock.txt"


# block file downloads

# Extension-based: the anchor "$" means only URLs that END in the
# extension match, so a URL with a trailing query string is not caught.
acl downloads url_regex -i \.mp3$
acl downloads url_regex -i \.mpg$
acl downloads url_regex -i \.avi$
acl downloads url_regex -i \.exe$
acl downloads url_regex -i \.pps$


# Access policy; first matching line wins.
# Duplicate of the earlier "allow user_adm" (never reached).
http_access allow user_adm
# Non-admins may not fetch the listed extensions or the blocked sites.
http_access deny downloads !user_adm
http_access deny sites_negados !user_adm
# NOTE(review): unauthenticated and evaluated before the Safe_ports and
# CONNECT checks, so any client can reach a whitelisted URL on any port.
http_access allow sites_liberados
# Standard safety denies; normally the first http_access lines.
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# "!sites_negados" is already enforced for non-admins above, so it is
# redundant here.
http_access allow user_user !sites_negados
http_access deny all
# NOTE(review): no cache peers are defined in this file, so ICP is unused;
# "allow all" is only safe while the ICP port is unreachable from untrusted
# networks.
icp_access allow all



  


2. Re: Firewall corrompe downloads e uploads

Perfil removido
removido

(usa Nenhuma)

Enviado em 05/09/2012 - 14:42h

Tá bem fácil de matar a charada.

http://www.guiafoca.org/cgs/guia/avancado/ch-fw-iptables.html





