Friends, someone please help me with Conectividade Social [RESOLVED]

1. Friends, someone please help me with Conectividade Social [RESOLVED]

Fabiano Marçal
jhonboy

(uses Conectiva)

Sent on 21/08/2008 - 16:16h

Guys, this Conectividade Social is driving me crazy. Please, someone give me a hint, because I can't get it to work; I can't get Conectividade Social to work at all. Before, my firewall had every port open with no rules; now that I've closed everything and opened only the necessary ports, it won't let it through. The machines were already using Conectividade fine before, so it must be my rules in the firewall or in Squid! Could you take a look and tell me whether there's something wrong in my Squid or firewall?
Below are the firewall and the Squid config.

squid

acl localhost src 127.0.0.1/255.255.255.255
acl to-localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl safe_ports port 80
acl safe_ports port 21
acl safe_ports port 443 563
acl safe_ports port 70
acl safe_ports port 210
acl safe_ports port 1024-65535
acl safe_ports port 280
acl safe_ports port 488
acl safe_ports port 591
acl safe_ports port 777
acl CONNECT method CONNECT

# Limit download size (HTML replies unlimited, everything else 10 MB)
acl html rep_mime_type text/html
reply_body_max_size 0 allow html
reply_body_max_size 10485760 allow all

# allow msn/orkut for the source IPs listed in iplib.txt
acl iplib src "/etc/squid/rl/iplib.txt"
http_access allow iplib

# block msn/orkut for everyone else
acl trava_msn_orkut url_regex -i "/etc/squid/rl/trava_msn_orkut.txt"
http_access deny trava_msn_orkut

# (the closing quote was missing on this line as posted)
acl dominio_msn_orkut dstdomain "/etc/squid/rl/trava_msn_orkut.txt"
header_access Accept-Encoding deny dominio_msn_orkut

# block sites
acl site_bloq url_regex -i "/etc/squid/rl/sitebloq.txt"
#acl termobloq dstdom_regex "/etc/squid/rl/bloq.txt"

# allow sites (exceptions to the block list)
acl site_lib url_regex "/etc/squid/rl/lib.txt"

# block internet access by IP
acl usuariobloq src 192.168.0.45
http_access deny usuariobloq

# any request whose URL port is 443/563 is allowed here, before the checks below
http_access allow SSL_ports
http_access allow manager localhost
http_access deny !safe_ports
http_access deny CONNECT !SSL_ports
http_access deny site_bloq !site_lib
#http_access deny site_bloq
#http_access deny termobloq
# no final http_access rule: Squid then applies the opposite of the last rule, i.e. allow
http_reply_access allow all

# transparent proxy (Squid 2.5 httpd_accel syntax)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

firewall

#!/bin/sh
### Load connection tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp

### Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

### Flush previous rules and user chains
iptables -X
iptables -F
iptables -t nat -F

### Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

### External interface
EXT_IF=eth0

### Internal interface
INT_IF=eth1

### Internal network
INT_NET=192.168.0.0/24

### Allow local inter-process communication (loopback)
iptables -A INPUT -i lo -j ACCEPT

### Allow the internal network to reach this host, and to be forwarded anywhere
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A FORWARD -i $INT_IF -j ACCEPT

### Allow external SSH - use this if you will access the server from outside
iptables -A INPUT -i $EXT_IF -m tcp -p tcp --dport 22 -j ACCEPT

### Allow previously accepted connections (ESTABLISHED and RELATED states)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### Masquerade outbound access to Mail (25), POP3 (110), DNS (53 TCP and UDP), HTTPS (443), Gmail (465, 995)
### Only these destination ports are masqueraded: any other outbound connection from
### $INT_NET is forwarded by the rule above but leaves with its private source address.
iptables -t nat -A POSTROUTING -o $EXT_IF -m multiport -p tcp --dports 20,21,22,25,53,110,443,465,995 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXT_IF -m multiport -p udp --dports 20,21,53,443 -j MASQUERADE

### Transparent proxy: every port-80 request from the LAN goes to Squid, no destination is excluded
iptables -t nat -A PREROUTING -p tcp --dport 80 -i $INT_IF -s $INT_NET -j REDIRECT --to-port 3128




2. Conectividade

Leandro Silva
leandro_silvas

(uses Debian)

Sent on 22/08/2008 - 19:39h

I have a transparent proxy, and with these rules in the firewall it works fine:

# Open the CONECTIVIDADE port
# (INPUT rules only matter for traffic addressed to the firewall itself)
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i eth1 --sport 2631
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i eth1 --dport 2631
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i eth1 -s 200.201.174.0/24
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i eth1 -d 200.201.174.0/24

# forwarded traffic to and from the Conectividade port
/sbin/iptables -A FORWARD -j ACCEPT -p tcp --sport 2631
/sbin/iptables -A FORWARD -j ACCEPT -p tcp --dport 2631

# enable Squid - TRANSPARENT PROXY
# port 80 goes to Squid except when the destination is the Caixa netblock
# ("! -d" is the current spelling of the negation; the post used the older "-d !")
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 200.201.174.0/24 --dport 80 -j REDIRECT --to-port 3128


Hope this helps.

Leandro



3. MJVM

Leandro Silva
leandro_silvas

(uses Debian)

Sent on 22/08/2008 - 19:40h

Man, you need to have the MJVM running in IE; Sun's Java doesn't work.

Later


4. Did it work?

Leandro Silva
leandro_silvas

(uses Debian)

Sent on 28/08/2008 - 17:59h

So, man? Did it work??
Post it here for us!!!

Later


5. Re: Friends, someone please help me with Conectividade Social [RESOLVED]

Ânderson P. R. Rodrigues
neonx

(uses Slackware)

Sent on 28/08/2008 - 18:12h

I have the following in my Squid; I let it go straight out from Squid without caching:

# Caixa: never cache, and fetch directly rather than through a cache peer
acl cscaixa url_regex -i "/etc/squid/blacklist/cscaixa.txt"
no_cache deny cscaixa
always_direct allow cscaixa

inside the file cscaixa.txt:
.caixa.gov.br

in my firewall:

# iptables masks the host bits, so 200.201.174.0/16 and 200.201.166.0/16 are both 200.201.0.0/16.
# ACCEPT in nat PREROUTING ends nat processing for that packet, so when these come
# before the REDIRECT to Squid the Caixa traffic never reaches it.
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT

and it's working fine...


6. Still not

Fabiano Marçal
jhonboy

(uses Conectiva)

Sent on 29/08/2008 - 11:20h

It still hasn't worked. I'm monitoring in iptraf and it shows it scanning ports, with status reset. I'm still trying; none of the rules I got from the internet has worked yet. I'm still trying to put a rule together here, but it's hard.


7. Re: Friends, someone please help me with Conectividade Social [RESOLVED]

Alan Aristides
hibiki

(uses Debian)

Sent on 30/08/2008 - 10:59h

Look, I used this rule and it worked for me:

# ACCEPT in nat PREROUTING keeps the whole 200.201.0.0/16 block away from the REDIRECT to Squid
# (it has to be added before the REDIRECT rule); FORWARD lets it through the filter
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT

Try them; once it works, put them in your firewall script so they load at startup.
Another thing: if the client has an antivirus or firewall active it may be blocking something; AVG has done that to me. If the MVM is installed it will work.



8. FRIENDS, HERE'S THE THING

Fabiano Marçal
jhonboy

(uses Conectiva)

Sent on 01/09/2008 - 11:47h

These rules didn't work either! I'm monitoring with iptraf: it connects, stays up for a while, then the status of all the connections shows RESET. Why would that be?


9. Problems with Conectividade

marcio veloso
guaidtna

(uses Other)

Sent on 30/09/2008 - 16:27h

Good afternoon everyone. I'm going crazy here at the company: I've tried everything and I can't get Conectividade Social to work. I use Smoothwall Express 2.0 as a transparent proxy. I'll post how the Squid and firewall configuration looks. I'm asking for help urgently, thanks.

Squid
# Allow Conectividade Social Caixa: never cache, fetch directly rather than through a cache peer
acl cscaixa url_regex -i "/var/smoothwall/proxy/cscaixa.txt"
no_cache deny cscaixa
always_direct allow cscaixa

rc.firewall.up
#!/bin/sh
# Smoothwall Express 2.0 rc.firewall.up with the Conectividade Social rules added.
# GREEN_DEV, RED_DEV, ORANGE_DEV, RED_TYPE and the *_NETADDRESS/*_NETMASK variables
# are expected to be set before this point (Smoothwall loads them from its ethernet
# settings; that part is not in the excerpt).

# Disable ICMP Redirect Acceptance
for FILE in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $FILE
done

# Disable Source Routed Packets
for FILE in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $FILE
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for FILE in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $FILE
done

# Enable rp_filter, will be disabled if VPNs are used
for FILE in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $FILE
done

# Set timeouts. 2.5 hours for TCP.
#/sbin/ipchains -M -S 9000 0 0

/sbin/iptables -F
/sbin/iptables -X

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Conectividade Social (Caixa), filter side. iptables masks the host bits, so
# 200.201.174.0/16 and 200.201.166.0/16 are both 200.201.0.0/16.
# The matching nat PREROUTING rules are added further down, after the nat table is
# flushed: as posted they sat here and the later "iptables -t nat -F" wiped them.
/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT

# -s 10.0.0.0/0 matches any source address
/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 10.0.0.0/0 --dport 1863 -j DROP
/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 10.0.0.0/0 --dport 5190 -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 135 -s 0/0 -j DROP

# IP blocker
/sbin/iptables -N ipblock
/sbin/iptables -A INPUT -i ppp0 -j ipblock
/sbin/iptables -A INPUT -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A INPUT -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i ppp0 -j ipblock
/sbin/iptables -A FORWARD -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A FORWARD -i $RED_DEV -j ipblock
fi


# For IGMP and multicast
/sbin/iptables -N advnet
/sbin/iptables -A INPUT -i ppp0 -j advnet
/sbin/iptables -A INPUT -i ippp0 -j advnet
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A INPUT -i $RED_DEV -j advnet
fi

# Spoof protection for RED (rp_filter does not work with FreeS/WAN)
/sbin/iptables -N spoof
/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROP
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROP
fi

/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i ippp0 -j spoof
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A INPUT -i $RED_DEV -j spoof
fi


# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

# IPSEC
/sbin/iptables -N secin
/sbin/iptables -A secin -i ipsec0 -j ACCEPT
/sbin/iptables -A INPUT -j secin

/sbin/iptables -N secout
/sbin/iptables -A secout -i ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -j secout

/sbin/iptables -N block

# Let em through.
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -i $GREEN_DEV -j ACCEPT

# External access. Rule set with setxtaccess setuid
/sbin/iptables -N xtaccess
/sbin/iptables -A block -j xtaccess

# IPSEC
/sbin/iptables -N ipsec
/sbin/iptables -A ipsec -p udp --destination-port 500 -j ACCEPT
/sbin/iptables -A ipsec -p 47 -j ACCEPT
/sbin/iptables -A ipsec -p 50 -j ACCEPT
/sbin/iptables -A block -i ppp0 -j ipsec
/sbin/iptables -A block -i ippp0 -j ipsec
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A block -i $RED_DEV -j ipsec
fi

# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
/sbin/iptables -A block -p tcp --source-port 67 --destination-port 68 \
-i $RED_DEV -j ACCEPT
/sbin/iptables -A block -p tcp --source-port 68 --destination-port 67 \
-i $RED_DEV -j ACCEPT
/sbin/iptables -A block -p udp --source-port 67 --destination-port 68 \
-i $RED_DEV -j ACCEPT
/sbin/iptables -A block -p udp --source-port 68 --destination-port 67 \
-i $RED_DEV -j ACCEPT
fi

# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A block -p icmp -i $RED_DEV -d $RED_NETADDRESS/$RED_NETMASK -j ACCEPT
fi

/sbin/iptables -A INPUT -j block

# last rule in INPUT chain is for logging.
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT

# Allow packets that we know about through.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $GREEN_DEV -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -o $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $GREEN_DEV -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $GREEN_DEV -o ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -o $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $GREEN_DEV -o ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $GREEN_DEV -o $RED_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $RED_DEV -o $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $GREEN_DEV -o $RED_DEV -j ACCEPT
fi
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $ORANGE_DEV -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -o $ORANGE_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $ORANGE_DEV -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $ORANGE_DEV -o ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -o $ORANGE_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $ORANGE_DEV -o ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $ORANGE_DEV -o $RED_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $RED_DEV -o $ORANGE_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $ORANGE_DEV -o $RED_DEV -j ACCEPT
fi
fi

# Port forwarding
/sbin/iptables -N portfwf
/sbin/iptables -A FORWARD -j portfwf

/sbin/iptables -N dmzholes

# Allow GREEN to talk to ORANGE.
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \
--state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# dmz pinhole chain. setdmzholes setuid prog adds rules here to allow
# ORANGE to talk to GREEN.
/sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholes
fi

# VPN
/sbin/iptables -A FORWARD -i $GREEN_DEV -o ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec0 -o $GREEN_DEV -j ACCEPT

/sbin/iptables -A FORWARD -j LOG
/sbin/iptables -A FORWARD -j REJECT

# NAT table
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X

# Conectividade Social (Caixa): bypass the transparent proxy. These must come after
# the flush above and before the jump to jmpsquid below; ACCEPT in nat PREROUTING
# ends nat processing for the packet, so it is never redirected to Squid.
/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT

# squid
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid

# Masquerade
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADE
fi

# Port forwarding
/sbin/iptables -t nat -N portfw
/sbin/iptables -t nat -A PREROUTING -j portfw
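A worked check, added here as an example and not part of any post in this thread: a small Python first-match simulator for the nat rules posted above. Run over the rules from post 1, post 2 and post 9 it shows what a Conectividade Social connection actually hits in each: post 1 masquerades only its listed ports, so a connection to any other port is forwarded with a private source address; post 2's negated `-d` keeps the Caixa /24 out of the REDIRECT to Squid; and in post 9 the ACCEPT rules are appended before the script's own `iptables -t nat -F`, so they are gone by the time Squid's jump is installed, while the same ACCEPT placed after the flush survives. The interface names, the 192.168.0.10 client and the sample packets are assumptions for the example, as are the trimmed excerpts with the posts' shell variables filled in; nothing here touches a live firewall.

```python
"""Added example (not code from the thread): first-match simulator for the nat rules
posted above, to trace one Conectividade Social connection through each ruleset.
Models only what those rules use: -t/-A/-F/-N, -i/-o/-s/-d/-p, --dport(s)/--sport,
-j, user-chain jumps, '! -d' and the old '-d !' negation; match modules such as
state are ignored. Rule lines are copied from the posts (trimmed, shell variables
filled in); the packets are constructed."""
import re
import shlex
from ipaddress import ip_address, ip_network

IPT_RE = re.compile(r"^(?:/usr)?(?:/sbin/)?iptables\b")
KEY = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto",
       "--dport": "dport", "--dports": "dport", "--sport": "sport"}
VALUE_OPTS = set(KEY) | {"-t", "-A", "-N", "-j"}

def net(spec):  # as the kernel stores it, host bits masked: 200.201.174.0/16 -> 200.201.0.0/16
    return ip_network(spec if "/" in spec else spec + "/32", strict=False)

def ports(spec):  # '80', '20,21,443' or '1024:65535' -> [(lo, hi), ...]
    return [(int(lo), int(hi or lo)) for lo, _, hi in (p.partition(":") for p in spec.split(","))]

def parse_rule(argv):
    rule, i, neg = {"table": "filter", "neg": set()}, 0, False
    while i < len(argv):
        tok, val = argv[i], (argv[i + 1] if i + 1 < len(argv) else None)
        if tok == "!":
            neg, i = True, i + 1
        elif tok == "-F":                            # flush the whole table
            rule["cmd"], i = "F", i + 1
        elif tok not in VALUE_OPTS:                  # -P, -X, -m/--state/--to-port values: nothing to model
            i += 1
        else:
            if val == "!":                           # old spelling: '-d ! 200.201.174.0/24'
                neg, val, i = True, argv[i + 2], i + 1
            i += 2
            if tok == "-t":
                rule["table"] = val
            elif tok in ("-A", "-N"):
                rule["cmd"], rule["chain"] = tok[1], val
            elif tok == "-j":
                rule["target"] = val
            elif tok in KEY:
                rule[KEY[tok]] = ports(val) if KEY[tok].endswith("port") else val.lower()
                rule["neg"] |= {KEY[tok]} if neg else set()
            neg = False
    return rule

def load(script):  # replay top to bottom: -F discards whatever was appended before it
    tables = {}
    for line in script.splitlines():
        if IPT_RE.match(line.strip()):               # skip comments, modprobe, echo, if/fi
            r = parse_rule(shlex.split(line)[1:])
            chains = tables.setdefault(r["table"], {})
            if r.get("cmd") == "F":
                chains.clear()
            elif r.get("cmd") in ("N", "A"):
                chains.setdefault(r["chain"], []).extend([r] if r["cmd"] == "A" else [])
    return tables

def matches(rule, pkt):
    for key in set(KEY.values()):
        if key in rule:
            hit = (ip_address(pkt[key]) in net(rule[key]) if key in ("src", "dst") else
                   any(lo <= pkt[key] <= hi for lo, hi in rule[key]) if key.endswith("port") else
                   pkt[key] == rule[key])
            if hit == (key in rule["neg"]):          # negated hit, or plain miss
                return False
    return True

def first_match(chains, chain, pkt):  # terminating target, or None (policy applies / chain returns)
    for rule in chains.get(chain, []):
        tgt = rule.get("target")
        if tgt is None or not matches(rule, pkt):
            continue
        if tgt == "RETURN":
            return None
        if tgt not in chains:                        # ACCEPT, REDIRECT, MASQUERADE, ...
            return tgt
        hit = first_match(chains, tgt, pkt)          # follow the jump into a user chain
        if hit is not None:
            return hit
    return None

def trace(script, pkt):  # what nat PREROUTING and nat POSTROUTING do with one packet
    chains = load(script).get("nat", {})
    return {c: first_match(chains, c, pkt) for c in ("PREROUTING", "POSTROUTING")}

def tcp(dst, dport, iface_in="eth1"):  # constructed: LAN host 192.168.0.10 opens a TCP connection
    return {"in": iface_in, "out": "eth0", "proto": "tcp", "src": "192.168.0.10",
            "sport": 40000, "dst": dst, "dport": dport}

POST1 = """
iptables -t nat -A POSTROUTING -o eth0 -m multiport -p tcp --dports 20,21,22,25,53,110,443,465,995 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -s 192.168.0.0/24 -j REDIRECT --to-port 3128
"""
POST2 = "/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 200.201.174.0/24 --dport 80 -j REDIRECT --to-port 3128"
POST9 = """
/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i eth0 -j jmpsquid
"""
# Post 9 again, with one ACCEPT re-added after the flush, where it survives.
POST9_FIXED = POST9.replace("-t nat -F\n", "-t nat -F\n/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT\n")
```

`trace(POST1, tcp("200.201.174.10", 2631))` returns `None` for both chains: the connection is neither redirected nor masqueraded, while the same call with port 443 returns `MASQUERADE`. `trace(POST9, ...)` returns `None` in PREROUTING because the flush removed the ACCEPTs, and `trace(POST9_FIXED, ...)` returns `ACCEPT`. The simulator deliberately ignores `-m state`, so it says nothing about the filter table; it is only meant to settle ordering questions in the nat table before touching a production box.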






