OUTLOOK

1. OUTLOOK

Marcelo
maraleman

(uses Debian)

Posted on 17/09/2012 - 20:01h

Please, friends, I'm almost giving up because I no longer know what to do to make my OUTLOOK work when I turn on my proxy server and firewall. If you can help me by pointing out the errors so that my OUTLOOK goes back to receiving and sending e-mail, I'll be eternally grateful:

SQUID
***************************************
http_port 3128 transparent
icp_port 0
visible_hostname SERVER_PROXY
#######################################
######### MAXIMUM CACHE SIZE
cache_mem 2048 MB

######## MAXIMUM SIZE OF A FILE IN MEMORY
maximum_object_size_in_memory 15 KB

######## MAXIMUM SIZE OF A FILE IN CACHE
maximum_object_size 20 MB

######## LOG FILE CONFIGURATION
cache_dir ufs /var/cache/squid3 30000 16 256
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none

########## Write error messages in Portuguese
error_directory /usr/share/squid3/errors/Portuguese

################# Refresh the cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

############### Networks
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl rede src 192.168.1.0/24

############### Port filter
acl SSL_ports port 443 563 995 873
acl Safe_ports port 25 # smtp
acl Safe_ports port 465 # smtp
acl Safe_ports port 110 # pop
acl Safe_ports port 995 # pop
acl Safe_ports port 901 # SWAT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 3128
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1863 # MSN
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

############### here we "enable" squid authentication

auth_param basic realm Entre com seu usuario e senha!
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
acl autenticados proxy_auth REQUIRED
auth_param basic children 10
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


# *** User control

### Users with unrestricted access
acl acesso_livre proxy_auth "/etc/squid3/listas/usr_livre"
### Users with access controlled by the blocked sites

### Users with access only to the allowed sites
acl acesso_limitado proxy_auth "/etc/squid3/listas/usr_bloqueado"

# *** List of sites allowed for users in the acesso_limitado group
acl url_liberado url_regex -i "/etc/squid3/listas/url_liberado"

# *** Block by keyword
acl url_bloqueado url_regex -i "/etc/squid3/listas/url_bloqueado"

# *** Allowing and denying the ACLs
http_access allow acesso_livre
http_access deny acesso_limitado !url_liberado
http_access deny url_bloqueado
http_access deny !rede
http_access allow autenticados
http_access deny all
icp_access allow all
#
cache_mgr webmaster
coredump_dir /var/spool/squid3

## END OF SCRIPT squid.conf ##

FIREWALL
*************************************
#!/bin/sh
# Firewall script

DNSSERVER1=8.8.8.8
DNSSERVER2=8.8.4.4
IPINTERNO=192.168.1.175
IPEXTERNO=189.108.235.250
INTRANET=192.168.1.0/24
ANY=0/0


/sbin/iptables -F
/sbin/iptables -X
########################

echo Bloqueia Netmeeting
########################
#/sbin/iptables -A FORWARD -p tcp --dport 389 -j DROP
#/sbin/iptables -A FORWARD -p tcp --dport 522 -j DROP
#/sbin/iptables -A FORWARD -p tcp --dport 1503 -j DROP
#/sbin/iptables -A FORWARD -p tcp --dport 1720 -j DROP
#/sbin/iptables -A FORWARD -p tcp --dport 1731 -j DROP

#######################
echo BLOQUEIA P2P
#######################
#echo Bloqueando AIM:

#/sbin/iptables -A FORWARD -d login.oscar.aol.com -j REJECT

#echo echo Bloqueando ICQ:

#/sbin/iptables -A FORWARD -p TCP --dport 5190 -j REJECT

#/sbin/iptables -A FORWARD -d login.icq.com -j REJECT

#echo Bloqueando MSN:

#/sbin/iptables -A FORWARD -p TCP --dport 1863 -j REJECT

#/sbin/iptables -A FORWARD -d 64.4.13.0/24 -j REJECT

#echo Bloqueando Yahoo Messenger:

#/sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT

#/sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT

echo Bittorrent:

/sbin/iptables -A FORWARD -p tcp -i eth0 --dport 6881:6889 -d 192.168.0.2 -j REJECT

echo iMesh:

/sbin/iptables -A FORWARD -d 216.35.208.0/24 -j REJECT

echo BearShare:

/sbin/iptables -A FORWARD -p TCP --dport 6346 -j REJECT

echo ToadNode:

/sbin/iptables -A FORWARD -p TCP --dport 6346 -j REJECT

echo WinMX:

/sbin/iptables -A FORWARD -d 209.61.186.0/24 -j REJECT

/sbin/iptables -A FORWARD -d 64.49.201.0/24 -j REJECT

echo Napigator:

/sbin/iptables -A FORWARD -d 209.25.178.0/24 -j REJECT

echo Morpheus:

/sbin/iptables -A FORWARD -d 206.142.53.0/24 -j REJECT

/sbin/iptables -A FORWARD -p TCP --dport 1214 -j REJECT

echo KaZaA:

/sbin/iptables -A FORWARD -d 213.248.112.0/24 -j REJECT

/sbin/iptables -A FORWARD -p TCP --dport 1214 -j REJECT

echo Limewire:

/sbin/iptables -A FORWARD -p TCP --dport 6346 -j REJECT

echo Audiogalaxy:

/sbin/iptables -A FORWARD -d 64.245.58.0/23 -j REJECT


##########################
echo Libera NAT C/ Proxy
##########################

/sbin/iptables -A FORWARD -s $INTRANET -p tcp --dport 80 -j DROP
/sbin/iptables -t nat -A POSTROUTING -s $INTRANET -o eth1 -j SNAT --to $IPEXTERNO
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

###############################
echo Libera acesso Loopback
###############################
/sbin/iptables -A INPUT -i lo -j ACCEPT

########################################
#echo Bloqueando Windows Live Messenger
########################################
#/sbin/iptables -A FORWARD -s 192.167.123.0/24 -p tcp -j DROP
#/sbin/iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j DROP
#/sbin/iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5190 -j DROP

#############################
echo Tratando Pacotes de Ping
#############################

/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

###############################
echo Tratando Pacotes Quebrados
###############################

/sbin/iptables -A FORWARD -m unclean -j DROP

##############################
echo Liberando SSH ao Firewall
##############################

/sbin/iptables -A INPUT -p tcp -s $INTRANET --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

##########################################
echo Liberando Consulta ao Servidor de DNS
##########################################
/sbin/iptables -A FORWARD -p udp -s $INTRANET --sport 1023:65535 -d $DNSSERVER1 --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s $INTRANET --sport 1023:65535 -d $DNSSERVER2 --dport 53 -j ACCEPT

################################
echo Liberando Acesso Http,Https
################################

/sbin/iptables -A FORWARD -p tcp -s $INTRANET --sport 1023:65535 -d $ANY --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s $INTRANET --sport 1023:65535 -d $ANY --dport 443 -j ACCEPT
###############################
echo libera e-mails
###############################
/sbin/iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT


#########################
echo Estalizando Firewall
#########################

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


echo xxxxxxxxxxxxxxxxxxxxxxxx F i r e w a l l U P xxxxxxxxxxxxxxxxxxxxxxxxxxx




  


2. Re: OUTLOOK

André Canhadas
andrecanhadas

(uses Debian)

Posted on 17/09/2012 - 21:47h

First, remove the e-mail ports from your squid; it only serves HTTP traffic:
they are 25,465,587,110,143,993,995

Then you can allow the e-mail; swap these in for your e-mail allow rules.

/sbin/iptables -A FORWARD -i eth1 -p tcp -m multiport --dports 25,110,143,465,587,993,995 -j ACCEPT
# the OUTPUT chain has no input interface, so the interface is matched with -o
/sbin/iptables -A OUTPUT -o eth1 -p tcp -m multiport --dports 25,110,143,465,587,993,995 -j ACCEPT
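
One way to find which mail ports a squid.conf still lists in its port ACLs, as an added example that is not part of the original reply. The function names are this example's own, the sample input is an excerpt of the config posted above, and the check goes one step further than the reply by also catching mail ports that fall inside a port range.

```shell
#!/bin/sh
# Added example: list mail ports that appear in Squid "acl ... port" lines.
MAIL_PORTS="25 110 143 465 587 993 995"   # the ports named in the reply above

# Reads a squid.conf on stdin; prints "<line> <acl> <port>" per mail port found.
squid_mail_ports() {
    awk -v mail="$MAIL_PORTS" '
        BEGIN { n = split(mail, m, " ") }
        { sub(/#.*/, "") }                  # drop comments before matching
        $1 == "acl" && $3 == "port" {
            for (i = 4; i <= NF; i++) {
                lo = hi = $i
                if (split($i, r, "-") == 2) { lo = r[1]; hi = r[2] }  # lo-hi range
                for (j = 1; j <= n; j++)
                    if (m[j] + 0 >= lo + 0 && m[j] + 0 <= hi + 0)
                        print NR, $2, m[j]
            }
        }'
}

# Excerpt of the squid.conf posted in this thread, used as sample input.
sample_conf() {
    cat <<'EOF'
acl SSL_ports port 443 563 995 873
acl Safe_ports port 25 # smtp
acl Safe_ports port 465 # smtp
acl Safe_ports port 110 # pop
acl Safe_ports port 995 # pop
acl Safe_ports port 80 # http
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
EOF
}

sample_conf | squid_mail_ports
```

On a real host, feed it the live file instead of the excerpt: `squid_mail_ports < /etc/squid3/squid.conf`.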



3. Re: OUTLOOK

Phillip Vieira
phrich

(uses Slackware)

Posted on 18/09/2012 - 22:57h

Man, from what I saw of your firewall it is all messed up; try to organize it as follows:

- Variable declarations

- Settings (modules, routing, etc.)

- NAT rules

- INPUT rules

- OUTPUT rules

- FORWARD rules

Another tip: use DROP as the default policy; that way your firewall is more secure and you only allow what is needed.

Another thing: the proxy does not affect "outlook".

If you need an example to base it on, here you go:

http://www.vivaolinux.com.br/artigo/Iptables-Seguranca-total-para-sua-rede/

http://www.vivaolinux.com.br/artigo/Squid-+-Iptables-Combinacao-Infalivel/
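
The layout suggested above, with the mail ports from the earlier reply allowed in FORWARD, as an added example that is not part of the original posts. The interface roles (eth0 as LAN, eth1 as Internet), MASQUERADE in place of a fixed SNAT address, and the helper names `run`, `ipt` and `build_firewall` are assumptions of this example.

```shell
#!/bin/sh
# Added example: gateway rules in the suggested order, default policy DROP.
# Dry run by default: commands are printed. DRY_RUN=0 (as root) applies them.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run /sbin/iptables "$@"; }

# 1. Variable declarations (interface roles are assumptions, adjust to the host)
LAN_IF="${LAN_IF:-eth0}"          # assumed: side facing 192.168.1.0/24
WAN_IF="${WAN_IF:-eth1}"          # assumed: side facing the Internet
INTRANET=192.168.1.0/24
MAIL_PORTS=25,110,143,465,587,993,995

build_firewall() {
    # 2. Settings: routing on, old rules flushed, default policy DROP
    run sysctl -w net.ipv4.ip_forward=1
    ipt -F; ipt -X; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP

    # 3. NAT: only LAN port-80 traffic goes to Squid; everything else is routed
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$INTRANET" -p tcp --dport 80 -j REDIRECT --to-ports 3128
    ipt -t nat -A POSTROUTING -s "$INTRANET" -o "$WAN_IF" -j MASQUERADE

    # 4. INPUT: traffic addressed to the gateway itself (SSH and Squid from the LAN)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$INTRANET" -p tcp -m multiport --dports 22,3128 -j ACCEPT

    # 5. OUTPUT: what the gateway and Squid may open towards the Internet
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 53,80,443 -j ACCEPT

    # 6. FORWARD: what LAN clients reach directly (mail never passes through Squid)
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INTRANET" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INTRANET" -p tcp -m multiport --dports "$MAIL_PORTS" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INTRANET" -p tcp --dport 443 -j ACCEPT
}

build_firewall
```

Review the printed commands first, and apply them from the console rather than over SSH, since the flush followed by a DROP policy cuts existing sessions until the ESTABLISHED rule is loaded.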


4. OUTLOOK

Marcelo
maraleman

(uses Debian)

Posted on 18/09/2012 - 23:38h

Friends, thanks for the tips, I will certainly follow them, but I have one more question, please.

On the server's interface I only configure the IP, mask and gateway; do I need to configure the DNS...? If so, which one: my network's, via resolv.conf, or the Internet's? And on the workstations I set the IP, mask, gateway and my network's DNS (192.168.0.1).

Thanks for the help.


5. Re: OUTLOOK

Phillip Vieira
phrich

(uses Slackware)

Posted on 18/09/2012 - 23:58h

Then you have to see who resolves DNS for your internal network; it could be your own server, or some other one...


6. help

Marcelo
maraleman

(uses Debian)

Posted on 20/09/2012 - 10:30h

I no longer know what to do to get Outlook working; please take a look at the firewall and the result:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED, ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:3128
ACCEPT icmp -- 192.168.1.0/24 anywhere icmp echo-request

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED, ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports smtp,pop3,imap2,imaps,s
ACCEPT tcp -- anywhere 192.168.1.175 tcp dpt:3389
ACCEPT tcp -- anywhere 201.201.0.0/16

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED, ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp-data,ftp,domain,www,https
ACCEPT icmp -- anywhere anywhere icmp echo-request



7. Re: OUTLOOK

André Canhadas
andrecanhadas

(uses Debian)

Posted on 20/09/2012 - 20:44h

I think it's easier to start from scratch following a good tutorial:

http://www.vivaolinux.com.br/artigo/Squid-+-Iptables-Combinacao-Infalivel/

Post here if any questions come up.


8. Re: OUTLOOK

johnny borges
johnnyb

(uses Fedora)

Posted on 21/09/2012 - 08:19h

Try opening these ports in the FORWARD rules: 995, 465, 3269, 993, both TCP protocol, ok?





