SefazNet [RESOLVIDO]

Existe um programa aqui em Pernambuco o SEFAZNET que usa as Portas 21 ftp e a porta 1049. Já seguir muitos tutoriais e nada. O programa não transmite, mesmo colocando o programa por fora do firewall o dito não funfa.
Servidor de Comunicação: porta 1049. (Entrada/Saída)
Servidor de FTP : porta 21. (Saída)

Alguém pode me ajudar?

Charlles Anderson

Tem versão GNU/Linux ?? So achei Windows...
Posta ai log de erro

Ele não usa nenhum outro tipo d porta não? Tente analisar isso ae com algum sniffer (wireshark, tcpdump...).

Segundo o suporte Técnico Sefaz ele só usa estas duas portas.
Uso o Ubunto
u Server 9

Coloque aki quais foram as regras q vc aplicou do seu firewall, por favor.

#!/bin/bash

firewall_start(){

## >> Abre a faixa de endereco da rede local << ################################
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
#
## >> Ativando o compartilhamento da internet << ###############################
echo 1 > /proc/sys/net/ipv4/ip_forward
#
## >> Mascarando a placa de rede eth0 Rede externa << ##########################
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#
## >> Ativando o proxy transparente << #########################################
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#
## >> Bloqueando acesso ao MSN << ##############################################
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.1.0/24 -d loginnet.passport.com -j REJECT
#
## >> Abrindo a porta do servidor ssh (52591) << ###############################
iptables -A INPUT -p tcp --dport 52591 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 52591 -j ACCEPT
#
## >> Redirecionando Windows Terminal Service << ###############################
# iptables -I FORWARD -p tcp -i eth1 --dport 3389 -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.189:3389
#
## >> Redirecionando Prosoft pra micro Server << ###############################
iptables -I FORWARD -p tcp -i eth1 --dport 1434 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 1434 -j DNAT --to-destination 192.168.1.189:1434
#
## >> Redirecionando VNC para Note Mary Elze << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54001 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54001 -j DNAT --to-destination 192.168.1.1:54001
#
## >> Redirecionando VNC para Diretoria2 << #####################################
iptables -I FORWARD -p tcp -i eth1 --dport 54002 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54002 -j DNAT --to-destination 192.168.1.2:54002
#

## >> Redirecionando VNC para Diretoria3 << #####################################
iptables -I FORWARD -p tcp -i eth1 --dport 54003 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54003 -j DNAT --to-destination 192.168.1.3:54003
#
## >> Redirecionando VNC para Secretaria << #####################################
iptables -I FORWARD -p tcp -i eth1 --dport 54005 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54005 -j DNAT --to-destination 192.168.1.5:54005
#
## >> Redirecionando VNC para Financeiro1 << ####################################
iptables -I FORWARD -p tcp -i eth1 --dport 54006 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54006 -j DNAT --to-destination 192.168.1.6:54006
#
## >> Redirecionando VNC para Financeiro2 << ######################################
iptables -I FORWARD -p tcp -i eth1 --dport 54007 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54007 -j DNAT --to-destination 192.168.1.7:54007
#
## >> Redirecionando VNC para Financeiro3 << ####################################
iptables -I FORWARD -p tcp -i eth1 --dport 54008 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54008 -j DNAT --to-destination 192.168.1.8:54008
#
## >> Redirecionando VNC para Contabilidade1 << ##################################
iptables -I FORWARD -p tcp -i eth1 --dport 54009 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54009 -j DNAT --to-destination 192.168.1.9:54009
#
## >> Redirecionando VNC para Contabilidade2 << #################################
iptables -I FORWARD -p tcp -i eth1 --dport 54010 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54010 -j DNAT --to-destination 192.168.1.10:54010
#
## >> Redirecionando VNC para Recursos Humanos << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54012 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54012 -j DNAT --to-destination 192.168.1.12:54012
#
## >> Redirecionando VNC para Expedicao1 << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54016 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54016 -j DNAT --to-destination 192.168.1.16:54016
#
## >> Redirecionando VNC para Expedicao2 << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54017 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54017 -j DNAT --to-destination 192.168.1.17:54017

iptables -I FORWARD -p tcp -i eth1 --dport 54019 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54019 -j DNAT --to-destination 192.168.1.19:54019
#
## >> Redirecionando VNC para Beneficiamento << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54020 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54020 -j DNAT --to-destination 192.168.1.20:54020
#
## >> Redirecionando VNC para PCP Confeccao << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54022 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54022 -j DNAT --to-destination 192.168.1.22:54022
#
## >> Redirecionando VNC para Camera1 << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54181 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54181 -j DNAT --to-destination 192.168.1.181:54181
#
## >> Redirecionando VNC para Servidor << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54188 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54188 -j DNAT --to-destination 192.168.1.188:54188
#
## >> Redirecionando VNC para Server << ################################
iptables -I FORWARD -p tcp -i eth1 --dport 54000 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54000 -j DNAT --to-destination 192.168.1.189:54000
#
## REdirecionando Terminal para porta 54189 do SERVER
iptables -I FORWARD -p tcp -i eth1 --dport 54189 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54189 -j DNAT --to-destination 192.168.1.189:54189


## >> Liberando ip's da caixa economica (cmt.gov.br) << ########################
iptables -t nat -I PREROUTING -d 200.223.17.180/255.255.0.0 -j ACCEPT
iptables -t nat -I PREROUTING -d 200.201.173.168/255.255.0.0 -j ACCEPT

#
## >> Ignora pings << ###########################################################
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
## >> Proteç contra IP spoofing << #############################################
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
#

## >> Proteç contra IP spoofing << #############################################
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
#
## >> Protege contra synflood << ###############################################
echo "1"> /proc/sys/net/ipv4/tcp_syncookies
#
## >> Protecao contra ICMP Broadcasting << #####################################
echo "1"> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
## >> Bloqueia traceroute << ###################################################
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
#
## >> Proteçs diversas contra portscanners,ping of death,ataques DoS, etc << ###
iptables -A INPUT -m state --state INVALID -j DROP
#
## >> Regra para o KDE e outros programas grácos funcionarem adequadamente << ##
iptables -A INPUT -i lo -j ACCEPT
#
## >> Fecha as portas udp de 1 a 1024 << #######################################
iptables -A INPUT -p udp --dport 1:1024 -j ACCEPT
iptables -A INPUT -p udp --dport 59229 -j DROP

#
## >> Regra final,bloqueia qualquer conexao q n tenha sido permitida acima << ##
iptables -A INPUT -p tcp --syn -j DROP
#

echo "* O Firewall esta sendo carregado..."
sleep 1
echo "* Tudo pronto!"
sleep 1

}
firewall_stop(){
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}

case "$1" in
"start")
firewall_start
;;
"stop")
firewall_stop
echo "O Firewall esta sendo desativado"
sleep 2
echo "ok."
;;
"restart")
echo "O Firewall esta sendo desativado"
sleep 1
echo "ok."
firewall_stop; firewall_start
;;
*)
iptables -L -n
esac

# /etc/squid.conf

## >> Proxy transparente << ####################################################
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#
## >> Diretorio de erros em portugues << #######################################
error_directory /usr/share/squid/errors/Portuguese
#
## >> Configuracao do cache de paginas e arquivos << ###########################
cache_mem 64 MB
#
## >> Tamanho maximo dos arquivos armazenados na memoria ram(os maiores q 64kb irao para o HD << ##
maximum_object_size_in_memory 64 KB
#
## >> Tamano maximo = 1GB, e minimo = 0KB, dos arquivos armazenaos no HD << ####
maximum_object_size 2048 MB
minimum_object_size 0 KB
#
## >> Percentagem de uso do cache = 90%, que fara o squid a descartar os arquivos mais antigos << ##
cache_swap_low 90
cache_swap_high 95
#
## >> Cache em disco(Tamanho do Cache= 25 GB em 16 pastas e 256 subpastas) << ##
cache_dir ufs /var/spool/squid 25600 16 256
#
## >> Arquivo onde serao guardado os logs de acesso do squid << ################
cache_access_log /var/log/squid/access.log
#
## >> Nome do servidor nas paginas de aviso << #################################
visible_hostname RIO-MALHAS
#
## >> Tempo de atualizacao do cache << #########################################
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

#
## >> Controle de acesso << ####################################################
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT

acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
#
## >> Libera os sites do governo << ###########################################
acl governo url_regex .gov.br
http_access allow governo
#
## >> Libera Msn << ###########################################################
acl Liberar_MSN arp "/etc/squid/MacLiberarMSN"
acl msn url_regex -i /gateway/gateway.dll
http_access deny msn !Liberar_MSN
#
## >> Computadores com acesso total << #########################################
acl Acesso_Total arp "/etc/squid/AcessoTotal"
http_access allow Acesso_Total

#
## >> Sites bloqueados(liberatodos e bloqueia so alguns) << ####################
acl Mac_Bloqueados arp "/etc/squid/MacBloqueados"
acl Sites_Bloqueados url_regex "/etc/squid/SitesBloqueados"
http_access allow Mac_Bloqueados !Sites_Bloqueados
#
## >> Sites liberados(bloqueia todos e libera so alguns) << ###################
acl Mac_Liberados arp "/etc/squid/MacLiberados"
acl Sites_Liberados url_regex "/etc/squid/SitesLiberados"
http_access allow Mac_Liberados Sites_Liberados
#
## >> Libera a rede local << ###################################################
acl redelocal src 192.168.1.0/24
http_access allow redelocal
#
## >> Bloqueia tudo que não passou nas regras acima << #########################
http_access deny all

Mais mesmo colocando para passar por fora do firewall não funciona.

Vc já tentou limpar toda a regra d filter e tentar novo?

# iptables -F

Já. Tirei totalmente do Firewall e nada. Já não sei mais o que fazer.

Galera agradeço a todos pela ajuda. Resolvi o problema apenas digitando e colocando na inicialização a seguinte linha:

modprobe ip_nat_ftp

Cara, aqui na minha empresa resolvi adicionando esta regra logo no inicio do Script:

IPT=/sbin/iptables
IGVT="ppp0" # link GVT
IINT="eth2" # Interface da rede interna
REDE_INT="172.16.4.0/24"

$IPT -A FORWARD -i $IINT -o $IGVT -s $REDE_INT -p tcp -m multiport --dport 21,443,1049 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s $REDE_INT -p udp -m multiport --dport 21,443,1049 -j ACCEPT


O Sefaz junto com o NFE utilizam as portas 21 e 1049. Aproveitei e liberei também a porta 443(ssl)por desencargo, embora não seja necessárias...

Fica esta dica para os users que precisarem... Caso as dicas anteriores não funcionarem...

Abraços!