marciochg
(usa Debian)
Enviado em 25/11/2009 - 17:35h
Oi pessoal,
Tenho um servidor linux e estou com dificuldade para liberar acesso ao squid que está instalado no servidor firewall + VPN. O cenário é o seguinte: Tenho um firewall que roda uma vpn e agora desejo liberar acesso a minha rede lan via proxy transparente. Fiz a configuração do proxy (Squid), no entanto ao configurar o proxy no browser da estações aparece "Conexão recusada pelo servidor proxy". Acho que o firewall está negando o acesso. Seguem as regras aplicadas no firewall para análise.
#!/bin/bash
#
# iptables.regras
# 25.11.2009
#
# Configuracao INTERNET
INET_IP="2xx.2xx.xx.xxx"
INET_IFACE="eth0"
TUN="tun0"
CDIR1="xxx.xxx.xxx.xxx./18"
CDIR2="xxx.xxx.xxx.xxx/19"
## Configuracao INTRANET
LAN_IP="192.168.4.1"
LAN_IP_RANGE="192.168.4.0/24"
LAN_BCAST_ADRESS="192.168.4.255"
LAN_IFACE="eth1"
## CONFIGURACAO REDES INVALIDAS
#CLASSE_A_NET="10.0.0.0/8"
#CLASSE_B_NET="172.16.0.0/12"
#CLASSE_C_NET="192.168.0.0/16"
# CONFIGURACAO LOCALHOST
LO_IFACE="lo"
LO_IP="127.0.0.1"
# ALL
ALL_RANGE="0/0"
# CONFIGURACAO IPTABLES
IPT="/sbin/iptables"
# CARGA DE MODULOS
/sbin/depmod -a
# Required modules
/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_irc
# SETANDO /proc
echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# POLITICA PADRAO - NEGAR TUDO
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# CRIANDO CADEIAS
$IPT -N allowed
$IPT -N icmp_packets
$IPT -N tcp_packets
$IPT -N udpincoming_packets
$IPT -N bad_tcp_packets
# REGRAS DA CADEIA bad_tcp_packets
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-level=info --log-prefix "New-not-syn:"
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# REGRAS DA CADEIA allowed
$IPT -A allowed -p TCP --syn -j ACCEPT
$IPT -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A allowed -p TCP -j DROP
# REGRAS ICMP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
########################
#
# REGRAS INPUT / OUTPUT
#
#######################
# LOOPBACK
$IPT -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
$IPT -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
#
# ACESSO ADMINISTRATIVO, VIA SSH
#
#
$IPT -A INPUT -p TCP -i $INET_IFACE -s $CDIR1 -d $INET_IP --dport 7654 -j ACCEPT
$IPT -A OUTPUT -p TCP -d $CDIR1 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -s $CDIR2 -d $INET_IP --dport 7654 -j ACCEPT
$IPT -A OUTPUT -p TCP -d $CDIR2 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE -d $LAN_IP --dport 7654 -j ACCEPT
$IPT -A OUTPUT -p TCP -s $LAN_IP -m state --state ESTABLISHED -j ACCEPT
# Acesso ao NTOP
# Onorato
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE --dport 3000 -j ACCEPT
$IPT -A OUTPUT -p TCP -d $LAN_IP_RANGE -m state --state ESTABLISHED -j ACCEPT
# palacio
$IPT -A INPUT -p UDP -s xxx.xxx.xx.xxx/32 --sport 500 --dport 500 -j ACCEPT
$IPT -A INPUT -p 50 -s xxx.xxx.xx.xxx/32 -j ACCEPT
$IPT -A INPUT -p 51 -s xxx.xxx.xx.xxx/32 -j ACCEPT
# IKE
$IPT -A OUTPUT -p ICMP -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p UDP --sport 500 --dport 500 -j ACCEPT
$IPT -A OUTPUT -p 50 -j ACCEPT
$IPT -A OUTPUT -p 51 -j ACCEPT
# BLOQUEANDO ENTRADA DE COMPARTILHAMENTO WINDOWS
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 137:139 -j DROP
#############################
#
# REGRAS DA CADEIA FORWARD
#
############################
#
#
#
## Acesso ao Tunel
# Acesso ao Tunnel
$IPT -A FORWARD -o $TUN -i $LAN_IFACE -j ACCEPT
$IPT -A FORWARD -o $LAN_IFACE -i $TUN -j ACCEPT
$IPT -A INPUT -s xxx.xxx.81.178 -j ACCEPT
$IPT -A OUTPUT -d xxx.xxx.238.81.178 -j ACCEPT
$IPT -A INPUT -s 10.0.0.2 -d 10.0.0.1 -j ACCEPT
$IPT -A OUTPUT -d 10.0.0.2 -s 10.0.0.1 -j ACCEPT
$IPT -A OUTPUT -s 10.0.0.2 -d 10.0.0.1 -j ACCEPT
$IPT -A INPUT -d 10.0.0.2 -s 10.0.0.1 -j ACCEPT
$IPT -A FORWARD -s 192.168.1.0/24 -d 192.168.4.0/24 -j ACCEPT
$IPT -A FORWARD -d 192.168.1.0/24 -s 192.168.4.0/24 -j ACCEPT
##
# MSN
$IPT -A FORWARD -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE -o $INET_IFACE --dport 1863 -j DROP
#-----------------------------------------------------------------------------------------
#Em teste - Marcio Souza
#Libera o proxy
#$IPT -A FORWARD -s $LAN_IP_RANGE -p tcp --dport 3128 -j ACCEPT
$IPT -A INPUT -i $LAN_IFACE -p tcp --dport 3128 --syn -j ACCEPT # Permitir acesso ao squid
#Habilita o proxy transparente - SQUID
#$IPT -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE --dport 3128 -j ACCEPT #Libera o squid
$IPT -A OUTPUT -p TCP -d $LAN_IP_RANGE -m state --state ESTABLISHED -j ACCEPT #Libera o squid
#$IPT -A INPUT -p tcp --dport 3128 -j ACCEPT
#$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
#$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
#$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
#-----------------------------------------------------------------------------------------
# INTRANET -> INTERNET
# Fechada, so sai porta 80 e atraves do proxy
$IPT -A FORWARD -i $LAN_IFACE -s $LAN_IP_RANGE -o $INET_IFACE -d $ALL_RANGE -j ACCEPT
$IPT -A FORWARD -o $LAN_IFACE -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
######################################
### DROP COMPARTILHAMENTO (135:139 - TCP/UDP) - DROP
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE --dport 135:139 -j DROP
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $INET_IFACE --dport 135:139 -j DROP
#
# REGRAS DA CADEIA POSTROUTING
#
############################
#
#
# Faz NAT para Internet - Exceto se o alvo for a VPN 75.5 saindo como invalido nesse caso
$IPT -t nat -A POSTROUTING -o $TUN -s $LAN_IP_RANGE -d 192.168.1.0/24 -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -d 0/0 -j SNAT --to-source $INET_IP
############################
#
# LOGA ALL DROP
#
############################
$IPT -A INPUT -j LOG --log-level=info --log-prefix " DROP_INPUT:"
$IPT -A FORWARD -j LOG --log-level=info --log-prefix " DROP_FORWARD:"
$IPT -A OUTPUT -j LOG --log-level=info --log-prefix " DROP_OUTPUT:"
$IPT -t nat -A POSTROUTING -p ALL -j LOG --log-prefix "*** POS NAT ***"
exit 0
Agradeço antecipadamente,