Liberando Cliente de Email [RESOLVIDO]

1. Liberando Cliente de Email [RESOLVIDO]

Marcos Vinicius
marcosvinicius12

(usa Ubuntu)

Enviado em 01/08/2013 - 14:38h

Olá galera, seguinte

Preciso liberar o acesso dos clientes de e-mail e não estou conseguindo. Seguem as configurações do firewall e do Squid.
Meu Firewall

#!/bin/bash
#
# Gateway firewall: filters traffic between one WAN interface and one LAN
# interface and redirects LAN web traffic into a local Squid proxy.
#
# Paths to the tools this script shells out to.
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
# NOTE(review): LOGS is not referenced by any function shown on this page.
LOGS=/var/log/firewall.log

# Interfaces.

# WAN side (towards the Internet).
# NOTE(review): IP_WAN holds the literal placeholder text "IP_WAN"; the
# functions shown here never read it, but fill it in before relying on it.
WAN=eth0
IP_WAN=IP_WAN

# LAN side (internal network).
LOCAL=eth1
IP_LOCAL=192.168.254.1

# Loopback.
IF_LO=lo
IP_LO=127.0.0.1

################################################################################
#Inicio das funcoes

#Regra padrao para o firewall
politica_padrao()
{
  # Default policy for the built-in filter chains.
  # NOTE(review): ACCEPT on INPUT means every ACCEPT rule that regras_input
  # later adds is redundant, and the host accepts any packet those rules do
  # not match — including anything arriving on the WAN side. FORWARD is
  # never given a policy here, so it keeps the kernel default (ACCEPT). A
  # default-deny gateway sets `-P INPUT DROP` and `-P FORWARD DROP` and
  # relies on the explicit ACCEPT rules.
  local chain
  for chain in INPUT OUTPUT; do
    "${IPTABLES}" -P "${chain}" ACCEPT
  done
}

#Funcao para regras de INPUT
###############################################################################
# REGRAS PARA INPUT
###############################################################################
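regras_input()
{
  # Rules for traffic addressed to the gateway itself (INPUT chain).
  # NOTE(review): politica_padrao sets INPUT to ACCEPT, so the ACCEPT rules
  # below only take effect once that policy is changed to DROP; as written,
  # the host accepts whatever these rules do not match.

  # Stateful: replies to connections the gateway itself opened.
  "${IPTABLES}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Loopback traffic. Matching the destination address is kept from the
  # original; matching the interface (`-i "${IF_LO}"`) is the usual form.
  "${IPTABLES}" -A INPUT -d "${IP_LO}" -j ACCEPT

  # LAN clients reaching the Squid proxy on 3128 — LAN interface only.
  "${IPTABLES}" -A INPUT -p tcp -i "${LOCAL}" --dport 3128 -j ACCEPT

  # SSH from both sides. The LOG rules are inserted at the head of the chain
  # (-I), i.e. ahead of the ESTABLISHED,RELATED rule, so without a state
  # match every packet of every SSH session would be written to the log.
  # Log only the connection-opening packet (state NEW).
  # NOTE(review): SSH stays reachable from the WAN with no rate limit; a
  # `-m limit` on the LOG rule, or a recent/hashlimit rule on the ACCEPT,
  # would keep brute-force traffic from flooding the log.
  "${IPTABLES}" -I INPUT -i "${WAN}" -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "Acesso via SSH EXT"
  "${IPTABLES}" -A INPUT -i "${WAN}" -p tcp --dport 22 -j ACCEPT
  "${IPTABLES}" -I INPUT -i "${LOCAL}" -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "Acesso via SSH LOCAL"
  "${IPTABLES}" -A INPUT -i "${LOCAL}" -p tcp --dport 22 -j ACCEPT
}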

##############################################################################
# Regras para FORWARD
##############################################################################
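regras_forward()
{
  # Rules for traffic routed between LAN and WAN (FORWARD chain): the mail
  # client ports the LAN must be able to reach, LAN -> WAN only.
  # NOTE(review): this script never sets `-P FORWARD`, so the chain keeps
  # the kernel default (ACCEPT) and these rules are currently no-ops. They
  # become the real allow-list once `-P FORWARD DROP` is added together
  # with an ESTABLISHED,RELATED rule for the return traffic.
  #
  # Every mail protocol here runs over TCP. The original matched 587
  # (submission) and 465 (SMTPS) with `-p udp`, which can never match a
  # mail client's connection. 25 (SMTP) is added as the classic relay port.
  local port
  for port in 25 110 143 465 587 993; do
    "${IPTABLES}" -A FORWARD -i "${LOCAL}" -o "${WAN}" -p tcp --dport "${port}" -j ACCEPT
  done
}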
#regras_output()
#{
#
#}

###############################################################################
# Regras para PREROUTING
###############################################################################
regras_prerouting()
{
  # nat/PREROUTING: transparently redirect LAN web traffic into Squid.
  # NOTE(review): Squid only accepts redirected traffic on a port declared
  # with the `intercept` option (older releases: `transparent`); the
  # squid.conf shown on this page declares a plain `http_port 3128`. The
  # 443 redirect in particular cannot work on a plain http_port: Squid
  # receives a raw TLS handshake there, which needs an intercept https_port
  # with ssl-bump, so LAN HTTPS is effectively broken while this rule is
  # active. Mail traffic (POP/IMAP/SMTP) never passes through Squid.
  local port
  for port in 80 443; do
    "${IPTABLES}" -t nat -A PREROUTING -i "${LOCAL}" -p tcp -m multiport --dport "${port}" -j REDIRECT --to-port 3128
  done
}




Meu Squid:

http_port 3128
# NOTE(review): the firewall script on this page REDIRECTs LAN ports 80 and
# 443 to 3128, but a plain http_port is not an interception port. Squid needs
# `http_port 3128 intercept` (older releases: `transparent`) to accept
# redirected HTTP, and redirected HTTPS cannot be served on a plain http_port
# at all — it arrives as a raw TLS handshake, which needs an intercept
# https_port with ssl-bump. Mail clients (POP/IMAP/SMTP) never pass through
# Squid; they depend only on the FORWARD rules and MASQUERADE.
visible_hostname servidor
# NOTE(review): "wemaster" is probably meant to be "webmaster"; runtime
# value, left unchanged here.
cache_mgr wemaster@localhost

# Directory holding the (pt-br) error pages
error_directory /usr/share/squid/errors/pt-br

# Cache sizing
# NOTE(review): hierarchy_stoplist has been removed from newer Squid
# releases; confirm the installed version still accepts it.
hierarchy_stoplist cgi-bin ?
cache_mem 700 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 100 MB

# On-disk cache: ufs store, 2048 MB, 16 first-level / 256 second-level dirs
cache_dir ufs /var/spool/squid 2048 16 256

# Refresh rules (min age, percent of object age, max age; minutes)
refresh_pattern ^ftp: 360 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# Proxy logs
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

# ACLs
# http_access is evaluated top to bottom, first match wins; the closing
# `deny all` rejects anything not explicitly allowed above it.

acl localhost src 127.0.0.1/32
# NOTE(review): the firewall's LAN address is 192.168.254.1, which suggests
# the LAN is 192.168.254.0/24. If so, no LAN client matches this ACL,
# `http_access allow localnet` below never fires and every client ends at
# `deny all`. Confirm the LAN prefix before looking elsewhere.
acl localnet src 192.168.0.0/24

# Cache manager interface: local host only
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager

# PURGE requests: local host only
acl purge method PURGE
http_access allow purge localhost
http_access deny purge

# Destination ports clients may be proxied to (the stock Squid list)
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # nntps
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # unregistered ports

http_access deny !Safe_ports

# CONNECT (tunnelling) is only allowed to the SSL_ports below, so the proxy
# cannot be used to tunnel arbitrary TCP (e.g. SMTP) to the outside.
acl connect method CONNECT

acl SSL_ports port 443 # https
acl SSL_ports port 563 # nntps
acl SSL_ports port 873 # rsync

http_access deny connect !SSL_ports

# Blocklists, placed before the allow rules so they win for LAN clients.
acl dominios_bloq dstdomain "/etc/squid/dominios_bloq"
# Blocks dominios_bloq
http_access deny dominios_bloq

acl expressao_bloq url_regex -i "/etc/squid/expressao_bloq"
# Blocks expressao_bloq
http_access deny expressao_bloq

# NOTE(review): the ACL is named "extenssao_bloq" but the file path says
# "extessao_bloq"; Squid refuses to start if the file does not exist under
# exactly that name.
acl extenssao_bloq urlpath_regex -i "/etc/squid/extessao_bloq"
# Blocks extenssao_bloq
http_access deny extenssao_bloq


http_access allow localnet
http_access allow localhost
http_access deny all


  


2. Habilitar SMTP

Carlos Alberto de Souza Barbosa
souzacarlos

(usa Outra)

Enviado em 05/08/2013 - 17:21h

Cara, seguinte: tinha um problema semelhante, principalmente com clientes de correio tipo Outlook — sempre que eu tentava estabelecer uma conexão, ela era dropada. Acredito que o problema seja o modo como o Squid trata o protocolo SMTP, ou melhor, como ele não trata: o Squid é um proxy HTTP e não intermedeia SMTP/POP/IMAP. No meu caso, habilitei o NAT (MASQUERADE) no servidor que hospedava o Squid e configurei, nas máquinas, o próprio servidor como gateway.

segue ex de meu script pra isso

http://www.vivaolinux.com.br/script/Limpar-regras-e-compartilhar-conexao


3. Re: Liberando Cliente de Email [RESOLVIDO]

Marcos Vinicius
marcosvinicius12

(usa Ubuntu)

Enviado em 05/08/2013 - 19:19h

Sim, eu possuo essas regras no meu firewall,

porém não consigo liberar essa conexão.

#!/bin/bash
#
# Gateway firewall: masquerades a LAN behind one WAN interface and
# redirects LAN web traffic into a local Squid proxy.
#
# Paths to the tools this script shells out to.
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
# NOTE(review): LOGS is not referenced by any function in this script.
LOGS=/var/log/firewall.log

# Interfaces.

# WAN side (towards the Internet).
# NOTE(review): IP_WAN holds the literal placeholder text "IP_WAN"; the
# functions below never read it, but fill it in before relying on it.
WAN=eth0
IP_WAN=IP_WAN

# LAN side (internal network).
LOCAL=eth1
IP_LOCAL=192.168.254.1

# Loopback.
IF_LO=lo
IP_LO=127.0.0.1

################################################################################
#Inicio das funcoes

#Regra padrao para o firewall
politica_padrao()
{
  # Default policy for the built-in filter chains.
  # NOTE(review): ACCEPT on INPUT means every ACCEPT rule that regras_input
  # later adds is redundant, and the host accepts any packet those rules do
  # not match — including anything arriving on the WAN side. FORWARD is
  # never given a policy here, so it keeps the kernel default (ACCEPT). A
  # default-deny gateway sets `-P INPUT DROP` and `-P FORWARD DROP` and
  # relies on the explicit ACCEPT rules.
  local chain
  for chain in INPUT OUTPUT; do
    "${IPTABLES}" -P "${chain}" ACCEPT
  done
}

#Funcao para regras de INPUT
###############################################################################
# REGRAS PARA INPUT
###############################################################################
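regras_input()
{
  # Rules for traffic addressed to the gateway itself (INPUT chain).
  # NOTE(review): politica_padrao sets INPUT to ACCEPT, so the ACCEPT rules
  # below only take effect once that policy is changed to DROP; as written,
  # the host accepts whatever these rules do not match.

  # Stateful: replies to connections the gateway itself opened.
  "${IPTABLES}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Loopback traffic. Matching the destination address is kept from the
  # original; matching the interface (`-i "${IF_LO}"`) is the usual form.
  "${IPTABLES}" -A INPUT -d "${IP_LO}" -j ACCEPT

  # LAN clients reaching the Squid proxy on 3128 — LAN interface only.
  "${IPTABLES}" -A INPUT -p tcp -i "${LOCAL}" --dport 3128 -j ACCEPT

  # SSH from both sides. The LOG rules are inserted at the head of the chain
  # (-I), i.e. ahead of the ESTABLISHED,RELATED rule, so without a state
  # match every packet of every SSH session would be written to the log.
  # Log only the connection-opening packet (state NEW).
  # NOTE(review): SSH stays reachable from the WAN with no rate limit; a
  # `-m limit` on the LOG rule, or a recent/hashlimit rule on the ACCEPT,
  # would keep brute-force traffic from flooding the log.
  "${IPTABLES}" -I INPUT -i "${WAN}" -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "Acesso via SSH EXT"
  "${IPTABLES}" -A INPUT -i "${WAN}" -p tcp --dport 22 -j ACCEPT
  "${IPTABLES}" -I INPUT -i "${LOCAL}" -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "Acesso via SSH LOCAL"
  "${IPTABLES}" -A INPUT -i "${LOCAL}" -p tcp --dport 22 -j ACCEPT
}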

##############################################################################
# Regras para FORWARD
##############################################################################
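regras_forward()
{
  # Rules for traffic routed between LAN and WAN (FORWARD chain): the mail
  # client ports the LAN must be able to reach, LAN -> WAN only.
  # NOTE(review): this script never sets `-P FORWARD`, so the chain keeps
  # the kernel default (ACCEPT) and these rules are currently no-ops. They
  # become the real allow-list once `-P FORWARD DROP` is added together
  # with an ESTABLISHED,RELATED rule for the return traffic.
  #
  # Every mail protocol here runs over TCP. The original matched 587
  # (submission) and 465 (SMTPS) with `-p udp`, which can never match a
  # mail client's connection. 25 (SMTP) is added as the classic relay port.
  local port
  for port in 25 110 143 465 587 993; do
    "${IPTABLES}" -A FORWARD -i "${LOCAL}" -o "${WAN}" -p tcp --dport "${port}" -j ACCEPT
  done
}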
#regras_output()
#{
#
#}

###############################################################################
# Regras para PREROUTING
###############################################################################
regras_prerouting()
{
  # nat/PREROUTING: transparently redirect LAN web traffic into Squid.
  # NOTE(review): Squid only accepts redirected traffic on a port declared
  # with the `intercept` option (older releases: `transparent`); the
  # squid.conf shown on this page declares a plain `http_port 3128`. The
  # 443 redirect in particular cannot work on a plain http_port: Squid
  # receives a raw TLS handshake there, which needs an intercept https_port
  # with ssl-bump, so LAN HTTPS is effectively broken while this rule is
  # active. Mail traffic (POP/IMAP/SMTP) never passes through Squid.
  local port
  for port in 80 443; do
    "${IPTABLES}" -t nat -A PREROUTING -i "${LOCAL}" -p tcp -m multiport --dport "${port}" -j REDIRECT --to-port 3128
  done
}

###############################################################################
# Regras para POSTROUTING
###############################################################################
#regras_postrouting()
#{
#${IPTABLES} -t nat -A POSTROUTING -o ${IF_EXT} -j MASQUERADE
#}
# NOTE(review): IF_EXT is never defined in this script (the WAN interface
# variable is WAN), so this disabled version would fail with an empty
# interface name; iniciar() applies the same rule with ${WAN} directly.

#Funcao limpar regras do firewall
limpar()
{
  # Flush every rule in filter and nat, delete user chains, zero counters.
  # NOTE(review): chain policies are not reset and mangle is not flushed;
  # since the policies are ACCEPT, "stop" leaves the gateway with no
  # filtering at all while ip_forward stays enabled.
  local args
  for args in "-F" "-t nat -F" "-X" "-Z"; do
    # shellcheck disable=SC2086 -- each entry is a deliberate list of flags
    "${IPTABLES}" ${args}
  done
}

#Funcao Iniciar
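iniciar()
{
  # Reset the tables, enable IPv4 forwarding and masquerade LAN traffic
  # leaving through the WAN interface. Exits the script with a non-zero
  # status if the nat module cannot be loaded or the MASQUERADE rule is
  # rejected (the original `exit` without an argument returned the status
  # of the preceding test/echo, i.e. 0, on both failure paths).
  # NOTE(review): ip_forward is switched on before any filter rule exists
  # and FORWARD never gets a DROP policy, so this host routes everything.
  local rc
  clear

  printf '\n\tLimpado regras do firewall...\n'
  "${IPTABLES}" -F
  "${IPTABLES}" -t nat -F
  "${IPTABLES}" -X
  "${IPTABLES}" -Z
  printf '\n\tFirewall zerado...\n'

  printf '\n\tAtivando o Roteamento...\n'
  if ! "${MODPROBE}" iptable_nat; then
    exit 1
  fi
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Masquerade (SNAT) everything leaving via the WAN interface.
  "${IPTABLES}" -t nat -A POSTROUTING -o "${WAN}" -j MASQUERADE
  rc=$?
  if [ "${rc}" -eq 0 ]; then
    printf '\n\tRoteamento ativado com sucesso\n'
  else
    # The original printed the "$?" of the `[` test, never the iptables status.
    printf '\n\tErro %s\n' "${rc}"
    exit "${rc}"
  fi
  printf '\n\tCriando regras para o Firewall...\n'
  printf '\n\n'
  printf '\n\tRegras Cridas com sucesso...!!\n'
}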

#Funcao para listar as regras do firewall
listar()
{
  # Dump the filter, nat and mangle tables (verbose, numeric), then the
  # filter table with line numbers and nat again in numeric form.
  local sep tabela titulo
  sep='***********************************************************************************************************************************************'
  for tabela in filter nat mangle; do
    case "${tabela}" in
      filter) titulo="Listando Tabela Filter..." ;;
      nat)    titulo="Listando Tabela Nat..." ;;
      mangle) titulo="Listando tabela Mangle..." ;;
    esac
    echo ""
    echo "${titulo}"
    echo "${sep}"
    "${IPTABLES}" -t "${tabela}" -L -v -n
    echo ""
    echo ""
  done
  echo "${sep}"
  "${IPTABLES}" -L --line-numbers
  "${IPTABLES}" -L -t nat -n
}
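# Apply the whole rule set in the order the script depends on: iniciar
# flushes everything and sets up NAT, then the policies, then the chains.
# NOTE(review): the thread's own conclusion was that rule order was the
# problem — regras_input mixes -I (insert at top) and -A (append), so check
# the resulting chain with `status` after any change.
aplicar_regras()
{
  iniciar
  politica_padrao
  regras_input
  regras_prerouting
  regras_forward
}

case "$1" in
  start)
    aplicar_regras
    ;;
  status)
    listar
    ;;
  stop)
    # NOTE(review): leaves the box with ACCEPT policies and ip_forward on.
    limpar
    ;;
  restart)
    clear
    printf '\n\tParando o Firewall...\n'
    limpar
    printf '\n\n'
    echo "***************************************************************************************************************************************************"
    printf '\n\tIniciando o Forewall...\n'
    aplicar_regras
    ;;
  *)
    # The original usage text listed only start|status and set RETVAL=1
    # without ever using it, so a bad argument still exited 0.
    echo "Use: $0 {start | status | stop | restart}" >&2
    exit 1
    ;;
esac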


4. Entendi

Carlos Alberto de Souza Barbosa
souzacarlos

(usa Outra)

Enviado em 05/08/2013 - 19:39h

Boa noite, meu problema era igual ao seu como resolvi:

Montei outra topologia igual à minha e levantei o básico: primeiro fiz o simples, para ver se funcionaria. Beleza, o simples funcionou; então comecei a acrescentar o resto do conteúdo aos poucos, tratando os problemas. No meu caso, quando subi um servidor novo, como falei, liberando o encaminhamento, fazendo o MASQUERADE e tudo mais, funcionou perfeitamente.


5. Re: Liberando Cliente de Email [RESOLVIDO]

Marcos Vinicius
marcosvinicius12

(usa Ubuntu)

Enviado em 05/08/2013 - 19:54h

O problema é que está tudo simples; a única coisa é que o Squid não é transparente na rede.


6. Re: Liberando Cliente de Email [RESOLVIDO]

Carlos Alberto de Souza Barbosa
souzacarlos

(usa Outra)

Enviado em 05/08/2013 - 19:58h

Não lembro se tive problemas por o Squid ser transparente, porém não uso assim por conta da autenticação de que preciso.

Às vezes uma regra pode estar influenciando outra e isso passar despercebido para a gente.

marcosvinicius12 escreveu:

O problema de tudo é que ta tudo simples, unica coisa é que o squid nao é transparente na rede




7. Re: Liberando Cliente de Email [RESOLVIDO]

Carlos Alberto de Souza Barbosa
souzacarlos

(usa Outra)

Enviado em 07/03/2014 - 01:58h

E aí, cara, resolveu teu problema?

aguardo.


8. Re: Liberando Cliente de Email [RESOLVIDO]

Marcos Vinicius
marcosvinicius12

(usa Ubuntu)

Enviado em 22/05/2014 - 19:30h

Consegui resolver: era a ordem das regras.





