SefazNet [SOLVED]

1. SefazNet [SOLVED]

Charlles Anderson Matos Andrade
suportetiv

(uses Ubuntu)

Sent on 15/03/2010 - 23:50h

There is a program here in Pernambuco, SEFAZNET, which uses port 21 (FTP) and port 1049. I have already followed many tutorials and nothing. The program does not transmit; even putting the program outside the firewall, the thing does not work.
Communication server: port 1049. (Inbound/Outbound)
FTP server: port 21. (Outbound)

Can anyone help me?

Charlles Anderson


2. Re: SefazNet [SOLVED]

Diego Oliveira da Silva
dolivervl

(uses Slackware)

Sent on 16/03/2010 - 00:18h

Is there a GNU/Linux version?? I only found Windows...
Post the error log.


3. Re: SefazNet [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 16/03/2010 - 07:59h

Doesn't it use any other kind of port? Try analysing that with a sniffer (wireshark, tcpdump...).


4. Reply

Charlles Anderson Matos Andrade
suportetiv

(uses Ubuntu)

Sent on 16/03/2010 - 22:59h

According to Sefaz technical support it only uses these two ports.
I use Ubuntu Server 9.


5. Re: SefazNet [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 17/03/2010 - 08:25h

Please post here the rules you applied on your firewall.


6. Firewall rules

Charlles Anderson Matos Andrade
suportetiv

(uses Ubuntu)

Sent on 14/04/2010 - 21:53h

#!/bin/bash

firewall_start(){

## >> Open the local network address range << ##################################
iptables -A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
#
## >> Enable internet connection sharing << ####################################
echo 1 > /proc/sys/net/ipv4/ip_forward
#
## >> Masquerade the eth0 network card (external network) << ###################
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#
## >> Enable the transparent proxy << ##########################################
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#
## >> Block access to MSN << ###################################################
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j REJECT
# the hostname is resolved once, when the rule is loaded
iptables -A FORWARD -s 192.168.1.0/24 -d loginnet.passport.com -j REJECT
#
## >> Open the ssh server port (52591) << ######################################
iptables -A INPUT -p tcp --dport 52591 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 52591 -j ACCEPT
#
## >> Forward Windows Terminal Service << ######################################
# iptables -I FORWARD -p tcp -i eth1 --dport 3389 -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.189:3389
#
## >> Forward Prosoft to the Server machine << #################################
iptables -I FORWARD -p tcp -i eth1 --dport 1434 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 1434 -j DNAT --to-destination 192.168.1.189:1434
#
## >> Forward VNC to Note Mary Elze << #########################################
iptables -I FORWARD -p tcp -i eth1 --dport 54001 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54001 -j DNAT --to-destination 192.168.1.1:54001
#
## >> Forward VNC to Diretoria2 << #############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54002 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54002 -j DNAT --to-destination 192.168.1.2:54002
#
## >> Forward VNC to Diretoria3 << #############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54003 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54003 -j DNAT --to-destination 192.168.1.3:54003
#
## >> Forward VNC to Secretaria << #############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54005 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54005 -j DNAT --to-destination 192.168.1.5:54005
#
## >> Forward VNC to Financeiro1 << ############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54006 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54006 -j DNAT --to-destination 192.168.1.6:54006
#
## >> Forward VNC to Financeiro2 << ############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54007 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54007 -j DNAT --to-destination 192.168.1.7:54007
#
## >> Forward VNC to Financeiro3 << ############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54008 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54008 -j DNAT --to-destination 192.168.1.8:54008
#
## >> Forward VNC to Contabilidade1 << #########################################
iptables -I FORWARD -p tcp -i eth1 --dport 54009 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54009 -j DNAT --to-destination 192.168.1.9:54009
#
## >> Forward VNC to Contabilidade2 << #########################################
iptables -I FORWARD -p tcp -i eth1 --dport 54010 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54010 -j DNAT --to-destination 192.168.1.10:54010
#
## >> Forward VNC to Recursos Humanos << #######################################
iptables -I FORWARD -p tcp -i eth1 --dport 54012 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54012 -j DNAT --to-destination 192.168.1.12:54012
#
## >> Forward VNC to Expedicao1 << #############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54016 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54016 -j DNAT --to-destination 192.168.1.16:54016
#
## >> Forward VNC to Expedicao2 << #############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54017 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54017 -j DNAT --to-destination 192.168.1.17:54017
#
## >> Forward VNC to 192.168.1.19 << ###########################################
iptables -I FORWARD -p tcp -i eth1 --dport 54019 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54019 -j DNAT --to-destination 192.168.1.19:54019
#
## >> Forward VNC to Beneficiamento << #########################################
iptables -I FORWARD -p tcp -i eth1 --dport 54020 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54020 -j DNAT --to-destination 192.168.1.20:54020
#
## >> Forward VNC to PCP Confeccao << ##########################################
iptables -I FORWARD -p tcp -i eth1 --dport 54022 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54022 -j DNAT --to-destination 192.168.1.22:54022
#
## >> Forward VNC to Camera1 << ################################################
iptables -I FORWARD -p tcp -i eth1 --dport 54181 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54181 -j DNAT --to-destination 192.168.1.181:54181
#
## >> Forward VNC to Servidor << ###############################################
iptables -I FORWARD -p tcp -i eth1 --dport 54188 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54188 -j DNAT --to-destination 192.168.1.188:54188
#
## >> Forward VNC to Server << #################################################
iptables -I FORWARD -p tcp -i eth1 --dport 54000 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54000 -j DNAT --to-destination 192.168.1.189:54000
#
## >> Forward Terminal to port 54189 on SERVER << ##############################
iptables -I FORWARD -p tcp -i eth1 --dport 54189 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 54189 -j DNAT --to-destination 192.168.1.189:54189
#
## >> Let the Caixa Econômica IPs (cmt.gov.br) bypass the transparent proxy << ##
# note: with a 255.255.0.0 mask these match the whole 200.223.0.0/16 and
# 200.201.0.0/16 ranges, not just the two hosts written here
iptables -t nat -I PREROUTING -d 200.223.17.180/255.255.0.0 -j ACCEPT
iptables -t nat -I PREROUTING -d 200.201.173.168/255.255.0.0 -j ACCEPT
#
## >> Ignore pings << ##########################################################
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
## >> Protection against IP spoofing << ########################################
# "default" only covers interfaces created later; "all" covers the ones already up
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#
## >> Protection against synflood << ###########################################
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#
## >> Protection against ICMP broadcasts << ####################################
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
## >> Block traceroute << ######################################################
iptables -A INPUT -p udp --dport 33435:33525 -j DROP
#
## >> Assorted protection against port scanners, ping of death, DoS attacks, etc << ##
iptables -A INPUT -m state --state INVALID -j DROP
#
## >> Rule so that KDE and other graphical programs work properly << ###########
iptables -A INPUT -i lo -j ACCEPT
#
## >> Close UDP ports 1 to 1024 << #############################################
# DROP, as the heading says; the LAN was already accepted by the first rule,
# so this only affects traffic arriving from outside. UDP ports above 1024
# stay reachable from outside, except 59229 below.
iptables -A INPUT -p udp --dport 1:1024 -j DROP
iptables -A INPUT -p udp --dport 59229 -j DROP
#
## >> Final rule: block any connection not allowed above << ####################
# only new TCP connections (SYN) are dropped here
iptables -A INPUT -p tcp --syn -j DROP
#

echo "* O Firewall esta sendo carregado..."
sleep 1
echo "* Tudo pronto!"
sleep 1

}
firewall_stop(){
iptables -F
iptables -X
# also clear the nat table, otherwise the REDIRECT/DNAT/MASQUERADE rules survive a stop
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}

case "$1" in
"start")
firewall_start
;;
"stop")
firewall_stop
echo "O Firewall esta sendo desativado"
sleep 2
echo "ok."
;;
"restart")
echo "O Firewall esta sendo desativado"
sleep 1
echo "ok."
firewall_stop; firewall_start
;;
*)
iptables -L -n
;;
esac


7. Squid rules

Charlles Anderson Matos Andrade
suportetiv

(uses Ubuntu)

Sent on 14/04/2010 - 21:56h

# /etc/squid.conf

## >> Transparent proxy << #####################################################
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#
## >> Error pages directory in Portuguese << ###################################
error_directory /usr/share/squid/errors/Portuguese
#
## >> Page and file cache configuration << #####################################
cache_mem 64 MB
#
## >> Maximum size of objects kept in RAM (larger than 64 KB go to disk) << ####
maximum_object_size_in_memory 64 KB
#
## >> Maximum = 2 GB and minimum = 0 KB for objects stored on disk << ##########
maximum_object_size 2048 MB
minimum_object_size 0 KB
#
## >> Cache usage percentage (90%) at which squid starts discarding the oldest objects << ##
cache_swap_low 90
cache_swap_high 95
#
## >> Disk cache (cache size = 25 GB in 16 directories and 256 subdirectories) << ##
cache_dir ufs /var/spool/squid 25600 16 256
#
## >> File where squid's access logs are stored << #############################
cache_access_log /var/log/squid/access.log
#
## >> Server name shown on notice pages << #####################################
visible_hostname RIO-MALHAS
#
## >> Cache refresh times << ###################################################
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

#
## >> Access control << ########################################################
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT

acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
#
## >> Allow government sites << ################################################
# dstdomain matches the host suffix; the earlier url_regex ".gov.br" was
# unanchored and let through any URL that merely contained those characters
acl governo dstdomain .gov.br
http_access allow governo
#
## >> Allow MSN << #############################################################
# arp ACLs only see MAC addresses of hosts on the same layer-2 segment
acl Liberar_MSN arp "/etc/squid/MacLiberarMSN"
acl msn url_regex -i /gateway/gateway.dll
http_access deny msn !Liberar_MSN
#
## >> Computers with full access << ############################################
acl Acesso_Total arp "/etc/squid/AcessoTotal"
http_access allow Acesso_Total

#
## >> Blocked sites (allow everything and block only some) << ##################
acl Mac_Bloqueados arp "/etc/squid/MacBloqueados"
acl Sites_Bloqueados url_regex "/etc/squid/SitesBloqueados"
http_access allow Mac_Bloqueados !Sites_Bloqueados
#
## >> Allowed sites (block everything and allow only some) << ##################
acl Mac_Liberados arp "/etc/squid/MacLiberados"
acl Sites_Liberados url_regex "/etc/squid/SitesLiberados"
http_access allow Mac_Liberados Sites_Liberados
#
## >> Allow the local network << ###############################################
acl redelocal src 192.168.1.0/24
http_access allow redelocal
#
## >> Block everything that did not match the rules above << ###################
http_access deny all


8. SEFAZ

Charlles Anderson Matos Andrade
suportetiv

(uses Ubuntu)

Sent on 14/04/2010 - 21:57h

But even when set to bypass the firewall it doesn't work.


9. Re: SefazNet [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 14/04/2010 - 23:38h

Have you already tried clearing all the filter rules and trying again?

# iptables -F


10. Sefaznet

Charlles Anderson Matos Andrade
suportetiv

(uses Ubuntu)

Sent on 15/04/2010 - 21:17h

Yes. I took it completely off the firewall and nothing. I don't know what else to do.


11. Solved

Charlles Anderson Matos Andrade
suportetiv

(uses Ubuntu)

Sent on 15/10/2010 - 14:56h

Guys, thanks to everyone for the help. I solved the problem just by typing, and adding to startup, the following line:

modprobe ip_nat_ftp


12. Tip

Pedro Oliveira
bonner

(uses CentOS)

Sent on 13/03/2012 - 11:44h

Man, here at my company I solved it by adding this rule right at the start of the script:

IPT=/sbin/iptables
IGVT="ppp0" # GVT link
IINT="eth2" # internal network interface
REDE_INT="172.16.4.0/24"

$IPT -A FORWARD -i $IINT -o $IGVT -s $REDE_INT -p tcp -m multiport --dport 21,443,1049 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s $REDE_INT -p udp -m multiport --dport 21,443,1049 -j ACCEPT


Sefaz together with NF-e use ports 21 and 1049. I took the chance and also opened port 443 (SSL) just in case, although it isn't necessary...

This tip is here for the users who need it... In case the previous tips don't work...

Cheers!
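The two things that fixed SefazNet in this thread, the FTP connection-tracking helper from post 11 and the outbound FORWARD rules from post 12, combined into one script, as an added example that is not code from the thread. Interface names, the LAN range and the iptables path are assumptions; the DRY_RUN switch prints the rules instead of loading them so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: the post-11 helper module and the post-12
# FORWARD rules in one place. Interface names, LAN range and binary path are
# assumptions; adjust them for your gateway.
IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"              # internal interface
WAN_IF="${WAN_IF:-eth0}"              # internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SEFAZ_PORTS="21,1049"                 # FTP control + SefazNet communication server

# With DRY_RUN set, print the command instead of executing it, so the rule
# set can be reviewed on a machine without root or iptables.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# ip_nat_ftp (post 11) is the old 2.6-era module name; current kernels ship
# the same helper as nf_conntrack_ftp + nf_nat_ftp.
load_ftp_helper() {
    modprobe nf_conntrack_ftp && modprobe nf_nat_ftp
}

sefaz_rules() {
    # Only the LAN may open the control (21) and communication (1049) sessions.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports "$SEFAZ_PORTS" -j ACCEPT
    # Replies, and the FTP data connections the helper learns from the
    # PORT/PASV exchange, are RELATED/ESTABLISHED and need no extra ports.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Since Linux 4.7 helpers are not attached automatically
    # (net.netfilter.nf_conntrack_helper=0), so bind the ftp helper to port 21.
    ipt -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp
}

# Exit status 0 only if the helper binding is present in the live rule set.
check_helper() {
    "$IPT" -t raw -S PREROUTING | grep -q -- '--helper ftp'
}

# Usage: DRY_RUN=1 ./sefaz-fw.sh (review)  |  ./sefaz-fw.sh apply (as root)
if [ "${1:-}" = "apply" ]; then
    load_ftp_helper && sefaz_rules && check_helper
fi
```

Without the helper the FTP control channel on port 21 passes but the separate data connection is never recognised as RELATED, which is exactly the "does not transmit" symptom described in post 1.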