Squid - Block external access.

1. Squid - Block external access.

rafael
couxita

(uses Debian)

Sent on 17/12/2010 - 10:47h

Good morning everyone....
A few days ago I noticed some strange IPs showing up in the sarg report. I checked on the net and on my server, and my squid is open to external access. How do I block that?

I added 2 rules but it did not help. I use a proxy; it is not transparent.

Here is my script:

#!/bin/bash
IPTABLES=/sbin/iptables

ETHLAN=eth1
ETHWAN=eth5

SERVER=192.168.0.3
LAN=192.168.0.0/24
IPINTERNET=$(ifconfig $ETHWAN | grep 'inet addr:' | awk '{ print $2 }' | cut -d: -f 2)

echo Clearing old configuration
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

### Inicio do Script ###
echo Starting security script

### ICMP ###
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p icmp -j MASQUERADE

#iptables -A FORWARD -s $LAN -d 64.4.16.55 -j DROP
#iptables -A FORWARD -s $LAN -d 72.246.64.168 -j DROP
#iptables -A FORWARD -s $LAN -d 72.246.64.137 -j DROP
#iptables -A FORWARD -s $LAN -d sn130w.snt130.mail.live.com -j DROP
#iptables -A FORWARD -s $LAN -d gateway.dll -j DROP
#iptables -A FORWARD -s $LAN -d 65.54.179.228 -j DROP

### IPs that do not go through the firewall ###
$IPTABLES -t nat -I PREROUTING -s 192.168.0.105 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.105 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.48 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.48 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.24 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.24 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.54 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.54 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.51 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.51 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.12 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.12 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.65 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.65 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.75 -j ACCEPT # Notebook Dr. Marcel
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.75 -o $ETHWAN -p tcp -j MASQUERADE

#$IPTABLES -A FORWARD -s 64.4.16.60 -j REJECT

### IPs that do not go through the firewall ###
$IPTABLES -t nat -I PREROUTING -s 192.168.0.2 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.2 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.62 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.62 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.7 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.7 -o $ETHWAN -p tcp -j MASQUERADE
#$IPTABLES -I FORWARD 1 -i $ETHLAN -d 192.168.0.2 -j ACCEPT
#$IPTABLES -I FORWARD 2 -i $ETHWAN -s 192.168.0.2 -j ACCEPT

### Conectividade Social ###
#$IPTABLES -t POSTROUTING -j MASQUERADE -t nat -s $192.168.0.25 -p tcp -d 200.201.174.207 -dport 80 -o $ETHWAN
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d 200.201.174.0/24 -j SNAT --to-source $IPINTERNET
$IPTABLES -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 192.168.0.0/24 -d 0/0 -p tcp --dport 80
$IPTABLES -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 192.168.0.0/24 -d 0/0 -p tcp --dport 3128

### FTP ###
$IPTABLES -A INPUT -p tcp --dport 20 -s $LAN -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -s $LAN -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 20 -s $LAN -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 21 -s $LAN -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 20 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 21 -j MASQUERADE

### EXTERNAL ACCESS SPARK ###
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 6060 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 6060 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 7070 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 7070 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 5222 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 5222 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 5233 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 5233 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5222:5233 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5222:5233 -j ACCEPT


### VoIP ###
#VOIP=192.168.0.62

#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 8080 -j DNAT --to-destination $VOIP
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 8080 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 10000:20000 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 5500 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 5060:5061 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 1560:1561 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 1571 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 8000 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A POSTROUTING -s $VOIP -p udp -m udp -j SNAT --to-source $IPINTERNET
#$IPTABLES -t nat -A POSTROUTING -s $VOIP -p tcp -m tcp -j SNAT --to-source $IPINTERNET
#$IPTABLES -A INPUT -p tcp --dport 5060:5061 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5060:5061 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 16384:16482 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 16384:16482 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5500 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5500 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 10000:20000 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 10000:20000 -j ACCEPT

### VoIP ###
#VOIP=192.168.0.14

#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 8080 -j DNAT --to-destination $VOIP
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 8080 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 10000:20000 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 5500 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 5060:5061 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 1560:1561 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 1571 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 8000 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A POSTROUTING -s $VOIP -p udp -m udp -j SNAT --to-source $IPINTERNET
#$IPTABLES -t nat -A POSTROUTING -s $VOIP -p tcp -m tcp -j SNAT --to-source $IPINTERNET
#$IPTABLES -A INPUT -p tcp --dport 5060:5061 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5060:5061 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 16384:16482 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 16384:16482 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5500 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5500 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 10000:20000 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 10000:20000 -j ACCEPT


### POLI ###
#POLI=192.168.0.105

#iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to 192.168.0.105:20
#iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 192.168.0.105:21
#iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 21 -j DNAT --to-destination 192.168.0.105
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i eth5 -p tcp --dport 21 -j DNAT --to $POLI:21
#$IPTABLES -A FORWARD -i eth5 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i eth5 -p udp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i eth5 --dport 21 -j DNAT --to $POLI:21
#$IPTABLES -t nat -A PREROUTING -p udp -i eth5 --dport 21 -j DNAT --to $POLI:21


### VPN ###

#$IPTABLES -A INPUT -p tcp --dport 47 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 47 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 3382 -s $LAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 3382 -j ACCEPT


### SSH ###
$IPTABLES -A INPUT -p tcp --dport 22 -s $LAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#$IPTABLES -A INPUT -p tcp --dport 21 -s $LAN -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 21 -s $LAN -j ACCEPT

### HTTP Apache ###
#$IPTABLES -A INPUT -p tcp --dport 80 -s $LAN -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 80 -s $LAN -j ACCEPT

### HTTP Apache - External access ###
#$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 80 -j ACCEPT

### DNS ###
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p udp --dport 53 -j MASQUERADE

### SQUID ###
#$IPTABLES -A INPUT -p tcp --dport 8080 -i $ETHLAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 3128 -i $ETHLAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --sport 8080 -i $ETHLAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --sport 80 -i $ETHWAN -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHLAN -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A INPUT -p tcp -i $ETHWAN --dport 3128 -j DROP
$IPTABLES -A INPUT -i $ETHWAN -m state ! --state ESTABLISHED,RELATED -j DROP

### SSL ###
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT

### Ports used by some sites ###
$IPTABLES -A INPUT -p tcp --dport 8000:8088 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 8000:8088 -j ACCEPT

### Nat MAIL ###
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 25 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 110 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p udp --dport 110 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 465 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p udp --dport 465 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 995 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p udp --dport 995 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 587 -s $LAN -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -p udp --dport 587 -s $LAN -j MASQUERADE


### Forward TerminalService ###
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 3389 -j DNAT --to-destination $SERVER
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 3389 -m state --state NEW -j ACCEPT

### Forward VNC ###
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 5800 -j DNAT --to-destination $SERVER
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 5800 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 5900 -j DNAT --to-destination $SERVER
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 5900 -m state --state NEW -j ACCEPT

### Block all other ports
$IPTABLES -P INPUT ACCEPT
#$IPTABLES -t nat -A POSTROUTING -j MASQUERADE


2. Re: Squid - Block external access.

Davi Ribeiro
dastyler

(uses Fedora)

Sent on 17/12/2010 - 12:10h

Block the input (INPUT) and the forward in iptables coming from the internet to your firewall on the Squid port (on the $ETHWAN interface). That alone is enough to prevent external access to your proxy, and it is a security rule that must be followed to the letter so that strangers do not use your proxy.

And your script is a bit messy. Where there are comments saying Block, there are ACCEPT rules. The VOIP variable is commented out and its rules are uncommented... it needs a general review so that only what you really need is active.
[]´s
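Added example, not code from either poster: the INPUT and FORWARD rules described above, written so that nothing earlier in the chain can shadow them, plus a small audit that reads `iptables -S INPUT` output and reports where the WAN-side DROP for the proxy port sits relative to the first catch-all `--sport` ACCEPT. Interface names, LAN range and port 3128 are taken from the script in the first post; the `-S` sample it audits is constructed to mirror that script's INPUT chain, not captured from the machine. With DRY_RUN=1 (the default) it only prints the rules, so it runs without root.

```shell
#!/bin/sh
# Added example (not the poster's script): keep the Squid port reachable from
# the LAN only, and audit an existing INPUT chain for ACCEPT rules that would
# shadow the DROP. Interface names, LAN range and port come from the thread;
# everything else is an assumption for illustration.
# DRY_RUN=1 (default) prints the rules instead of applying them.

ETHLAN=${ETHLAN:-eth1}
ETHWAN=${ETHWAN:-eth5}
LAN=${LAN:-192.168.0.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Insert (-I) at the head of the chain instead of appending (-A): with
# "-P INPUT ACCEPT" and an earlier "-p tcp --sport 53 -j ACCEPT", an appended
# DROP is never reached by an outside client that connects from source port 53.
squid_lan_only_rules() {
    ipt -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections to the proxy port arriving on the WAN side
    ipt -I INPUT 2 -i "$ETHWAN" -p tcp --dport "$SQUID_PORT" -j DROP
    # the only way in: LAN addresses, arriving on the LAN interface
    ipt -I INPUT 3 -i "$ETHLAN" -s "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # anything else aimed at the proxy port (other interfaces, spoofed sources)
    ipt -I INPUT 4 -p tcp --dport "$SQUID_PORT" -j DROP
    # FORWARD: the proxy port is never routed from the WAN into the LAN either
    ipt -I FORWARD 1 -i "$ETHWAN" -o "$ETHLAN" -p tcp --dport "$SQUID_PORT" -j DROP
}

# Audit: feed it "iptables -S INPUT". Reports the position of the WAN-side DROP
# for the proxy port and of the first TCP "--sport" ACCEPT that has no -i, -s
# or --dport (the kind that shadows it). Exit 0 = DROP wins, 1 = shadowed.
check_chain_order() {
    awk -v port="$SQUID_PORT" -v wan="$ETHWAN" '
        /^-A INPUT/ { n++ }
        !drop && /^-A INPUT/ && index($0, "-i " wan) && index($0, "--dport " port) && /-j DROP/ { drop = n }
        !broad && /^-A INPUT/ && /-p tcp/ && /--sport/ && !/--dport/ && !index($0, "-s ") && !index($0, "-i ") && /-j ACCEPT/ { broad = n }
        END {
            printf "first broad ACCEPT at %d, WAN DROP for port %s at %d\n", broad, port, drop
            exit !(drop && (!broad || drop < broad))
        }'
}

# Constructed sample of "iptables -S INPUT", modelled on the script in the
# thread (not captured from a real box): the "--sport 53" ACCEPT at position 7
# sits ahead of the "--dport 3128" DROP at position 8.
sample_input_chain() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -i eth5 -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -i eth5 -m state ! --state RELATED,ESTABLISHED -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
EOF
}

# The same chain once squid_lan_only_rules has been inserted at the head
# (dry-run output rewritten into "-S" form), for comparison.
preview_fixed_chain() {
    ( DRY_RUN=1; squid_lan_only_rules ) | sed 's/^iptables -I \([A-Z]*\) [0-9]* /-A \1 /'
    sample_input_chain
}

if [ "$DRY_RUN" = 1 ]; then
    echo "== rules that would be applied =="
    squid_lan_only_rules
    echo "== audit of the chain from the thread =="
    sample_input_chain | check_chain_order || echo "shadowed: a client connecting from source port 53 never reaches the DROP"
    echo "== audit after the fix =="
    preview_fixed_chain | check_chain_order
else
    squid_lan_only_rules
fi
```

Run it as root with DRY_RUN=0 to apply the rules; the same audit against the live box is `iptables -S INPUT | check_chain_order`. The point the audit makes about the script in the first post is that `-A INPUT -p tcp --sport 53 -j ACCEPT` is appended before the `--dport 3128` DROP and the policy is ACCEPT, so anyone on the internet who connects from source port 53 still reaches the proxy; the DROP has to go to the head of the chain (or the `--sport` ACCEPTs have to go and the policy become DROP). As a second layer, Squid's own `http_access` ACLs should allow only the LAN, so the proxy stays closed even if the firewall script is flushed.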




3. Re: Squid - Block external access.

Davi Ribeiro
dastyler

(uses Fedora)

Sent on 17/12/2010 - 12:15h

My mistake regarding the VOIP: I got confused, it is commented out. If you are not going to use those rules, delete them from the script, remembering to make a copy of it before removing the lines, because some day you may need them for reference.

[]´s


4. Re: Squid - Block external access.

rafael
couxita

(uses Debian)

Sent on 17/12/2010 - 14:02h

Hello friend. Thank you.

Would this rule I added work?

$IPTABLES -A INPUT -p tcp -i $ETHWAN --dport 3128 -j DROP

And the forward one, how would it look? I am a Linux beginner.

Thank you.

I am going to clean up the script; there is a lot of stuff not being used.