davidgralha
(usa CentOS)
Enviado em 03/02/2011 - 15:28h
Boa tarde, pessoal, é a primeira vez que posto uma pergunta aqui. Estou com dificuldades para conseguir liberar o HOD no firewall para a rede aqui da secretaria depois que troquei o servidor.
Seguem o .conf do Squid e as regras de firewall:
####### START #######
# Proxy listener: LAN address only, port 8080. There is no transparent/
# intercept option on this http_port, so connections REDIRECTed here by
# iptables would not be treated as intercepted traffic. Note that the
# firewall script further down redirects port 80 to 3130 (the ICP port
# declared on the next line), not to 8080.
http_port 10.0.0.1:8080
icp_port 3130
####### ACLs #######
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# Destination ports CONNECT may tunnel to (enforced by 'deny CONNECT
# !SSL_ports' below). 8999 and 23000 are the HOD / secure TN3270 ports that
# the Safe_ports list also names.
acl SSL_ports port 21 443 563 10000 23000 465 995 1194 8999
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8999 # hod (serpro)
acl Safe_ports port 3460
acl Safe_ports port 23000
acl Safe_ports port 663
acl CONNECT method CONNECT
########## CACHE DEFAULTS ###########
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 5
cache_effective_user squid
cache_effective_group squid
########### AUTHENTICATION #############
auth_param basic children 5
# 'realm' is set twice in this block; presumably the later value
# ("SEMUS-> ...") is the one Squid keeps, which makes this line dead.
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# Basic scheme: the browser sends user:password base64-encoded (not
# encrypted) to the proxy on every request, readable by anyone on the LAN path.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm SEMUS-> Digite sua senha da Internet.
####### CACHE #######
cache_swap_low 93
cache_swap_high 98
cache_mem 750 MB
minimum_object_size 0
maximum_object_size 100 MB
maximum_object_size_in_memory 2 MB
# ufs store: 4444 MB on disk, 16 first-level / 256 second-level directories.
cache_dir ufs /var/spool/squid 4444 16 256
## Blocks - part one ##
# NOTE(review): with this deny commented out, plain (non-CONNECT) requests are
# proxied to ANY destination port, not just the Safe_ports listed above, which
# lets the proxy be used to reach arbitrary services. Re-enable it and add any
# missing port to Safe_ports instead (8999 and 23000 are already there).
#http_access deny !Safe_ports
http_access deny manager
http_access deny CONNECT !SSL_ports
#### ACLs ####
acl sites_bloqueados url_regex "/etc/squid/bloqueados.lista"
acl sites_liberados url_regex "/etc/squid/liberados.lista"
##### FILE DOWNLOADS ######
acl download urlpath_regex \.exe$ \.arj$ \.tar.gz$ \.tgz$ \.rpm$ \.mp3$ \.scr$ \.pif$ \.mid$ \.bat$ \.com$ \.drv$ \.bin$ \.ovl$ \.sys$ \.cpl$ \.wav$ \.avi$ \.wmv$ \.mpeg$ \.asf$ \.asx$ \.wax$ \.m3u$ \.wpl$ \.wvx$ \.wmx$ \.dvr-ms$ \.rmi$ \.midi$ \.m1v$ \.np2$ \.mpax$ \.mpax$ \.snd$ \.au$ \.aif$ \.wm$ \.wmv$ \.cab$ \.mp4$ \.flv$ \.ppt$ \.msi$ \.mpg$
### SENIOR GROUP - UNRESTRICTED ###
acl senior proxy_auth "/etc/squid/senior"
### MASTER GROUP - EVERYTHING EXCEPT ORKUT AND YOUTUBE ###
acl master proxy_auth "/etc/squid/master"
### DEFAULT GROUP - DOWNLOADS BLOCKED, BLACKLIST APPLIED ###
acl grupo_padrao proxy_auth "/etc/squid/padrao"
### Whitelisted computers ###
# Source IPs in this file are allowed without authentication. This rule is
# evaluated right after 'deny manager' / 'deny CONNECT !SSL_ports'.
acl comp_liberados src "/etc/squid/comp_liberados"
http_access allow comp_liberados
# NOTE(review): 'all' is redefined here as the LAN only, so the final
# 'http_access deny all' and the http_reply_access / icp_access lines only
# cover 10.0.0.0/24. Newer Squid releases predefine 'all' as every address and
# warn about or reject a redefinition; a distinct name (e.g. rede_local) avoids
# both problems.
acl all src 10.0.0.0/255.255.255.0
# Matches any successfully authenticated user, whatever group file lists them.
acl padrao proxy_auth REQUIRED
### User access rules
### HTTP_ACCESS (first matching rule wins)
http_access allow localhost
http_access allow sites_liberados
# Any authenticated user, unless the URL is blacklisted or a download; senior
# and master users that fail this rule fall through to their own rules below.
http_access allow padrao !sites_bloqueados !download
http_access allow senior
# Redirect to the Mesquita site
acl redir url_regex -i "/etc/squid/redir"
http_access deny redir
# NOTE(review): in this paste 'deny_info' and its URL are on two separate
# lines; Squid expects a single line:
#   deny_info http://www.mesquita.rj.gov.br redir
deny_info
http://www.mesquita.rj.gov.br redir
http_access allow master
http_access deny all
http_reply_access allow all
icp_access allow all
# TAG: udp_incoming_address
# udp_incoming_address 0.0.0.0
# TAG: udp_outgoing_address
# udp_outgoing_address 255.255.255.255
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /home/squid/core
visible_hostname www.mesquita.rj.gov.br
authenticate_ip_ttl 1 day
######## END ########
Firewall, depois de umas 800 alterações tentando liberar:
# Firewall / NAT rules for the LAN gateway: 10.0.0.0/24 behind eth0, eth1
# towards the Internet, with HTTP redirected to the local Squid.
# NOTE(review): this paste has no shebang and no 'set -e'; run it with bash
# explicitly or make '#!/bin/bash' its first line.
echo " Firewall sendo iniciado"
######## Start #############
# Network interfaces
#================
# NOTE(review): INT and EXT are never referenced below - the rules hard-code
# 10.0.0.0/24, eth0 and eth1 - so editing these two lines changes nothing.
INT="10.0.0.0/24"
EXT="eth1"
# Variables
#=======================
fw="/sbin/iptables"
md="/sbin/modprobe"
# VELOX (ISP nameservers) - not used by any rule below, kept for reference
#===========
NAMESERVER_1="200.149.55.140"
NAMESERVER_2="200.149.55.142"
# Embratel
#==============
#NAMESERVER_1="200.255.255.65"
#NAMESERVER_2="200.255.255.70"
# Load netfilter modules and flush the rules
#==================
# These are the legacy ip_conntrack/ipt_* module names; on newer kernels the
# conntrack/NAT helpers are nf_conntrack*/nf_nat* and these modprobe calls
# presumably just fail without aborting the script.
$md ip_conntrack
$md ip_conntrack_ftp
$md ip_tables
$md iptable_nat
$md ipt_state
$md ipt_limit
$md ipt_LOG
$md ipt_REJECT
$md ip_nat_ftp
$md ip_nat_pptp
# NOTE(review): all three policies are ACCEPT and the DROP policies further
# down are commented out, so every '-j ACCEPT' rule in the filter table is
# redundant: nothing in INPUT or FORWARD blocks anything at the moment. If HOD
# still fails in this state, filtering is not the cause - see the nat
# PREROUTING REDIRECT below and the Squid configuration.
$fw -P INPUT ACCEPT
$fw -P FORWARD ACCEPT
$fw -P OUTPUT ACCEPT
$fw -F
$fw -X
$fw -Z
$fw -t nat -F
$fw -t mangle -F
# Enable IP forwarding
#===========================
echo "1" > /proc/sys/net/ipv4/ip_forward
# Default policies (currently disabled - see the note above)
#$fw -P INPUT DROP
#$fw -P FORWARD DROP
#$fw -P OUTPUT ACCEPT
# Allow loopback
#====================
$fw -A INPUT -i lo -j ACCEPT
# Stateful firewall
#=====================
$fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rate-limit PING (type 0 = echo reply, type 8 = echo request)
#===============
# NOTE(review): a limit-matched ACCEPT only limits anything if packets above
# the limit are dropped afterwards (a following DROP rule or a DROP policy);
# with policy ACCEPT the excess is accepted anyway.
$fw -A INPUT -p icmp --icmp-type 0 -m limit --limit 5/s -j ACCEPT
$fw -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT
# Government networks that bypass the proxy REDIRECT (nat ACCEPT) and are
# forwarded directly. Leaving $PROGRAMAS unquoted is intentional: the loop
# relies on word-splitting at the spaces.
# NOTE(review): 161.148.0.0/24 here versus 161.148.0.0/16 in the HOD section
# below - presumably the same network is meant; check which prefix is intended.
PROGRAMAS="200.214.44.0/24 189.28.143.0/24 161.148.0.0/24"
for ip in $PROGRAMAS
do
$fw -t nat -A PREROUTING -p tcp -d $ip -j ACCEPT
$fw -t nat -A PREROUTING -p udp -d $ip -j ACCEPT
$fw -A FORWARD -p tcp -d $ip -j ACCEPT
$fw -A FORWARD -p udp -d $ip -j ACCEPT
done
# Transparent redirect of LAN HTTP traffic to the local Squid.
# NOTE(review): 3130 is Squid's icp_port (UDP, see the squid.conf above); the
# http_port there is 10.0.0.1:8080, so redirected connections land on a port
# Squid is not serving HTTP on. This rule is also appended BEFORE the
# 161.148.0.0/16 nat ACCEPT in the HOD section, so port-80 traffic to HOD
# hosts outside 161.148.40.0/24 (and outside the PROGRAMAS nets) is redirected
# here first and never reaches that ACCEPT. '-d ! net' is the old negation
# form; newer iptables releases require '! -d net'.
$fw -t nat -A PREROUTING -i eth0 -p tcp -d ! 161.148.40.0/24 --dport 80 -j REDIRECT --to-port 3130
#$fw -t nat -A PREROUTING -i eth0 ! -s 10.0.0.69 -p tcp --dport 80 -j REDIRECT --to-port 3130
# NOTE(review): for port 80 this exemption is dead - the REDIRECT above has
# already matched 10.0.0.69's packets. Move it above the REDIRECT (or use the
# commented '! -s 10.0.0.69' variant) if that host must bypass the proxy.
$fw -t nat -A PREROUTING -i eth0 -s 10.0.0.69 -p tcp -m multiport --dport 80,443 -j ACCEPT
# Public services on this host
#===================
$fw -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$fw -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$fw -A INPUT -p tcp -m tcp --dport 1443 -j ACCEPT
$fw -A INPUT -p tcp -m tcp --dport 43962 -j ACCEPT
$fw -A INPUT -p udp -m udp --dport 43962 -j ACCEPT
$fw -A INPUT -p tcp -m tcp --dport 23000 -j ACCEPT
$fw -A INPUT -p udp -m udp --dport 23000 -j ACCEPT
$fw -A INPUT -p tcp -m tcp --dport 8999 -j ACCEPT
$fw -A INPUT -p udp -m udp --dport 8999 -j ACCEPT
# FORWARD
#==========
# Stateful firewall
#====================
# With this rule in place, replies are matched by connection state, so the
# '--sport' ACCEPT rules below are unnecessary - and once the FORWARD policy
# becomes DROP they would let any remote host through simply by using that
# source port. Prefer keeping only the '--dport' rules.
$fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS
#=====
$fw -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
$fw -A FORWARD -p udp -m udp --sport 53 -j ACCEPT
# Allow SMTP and POP (Outlook)
#================================
$fw -A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 25 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 110 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 465 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 465 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 995 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 995 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 993 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 993 -j ACCEPT
# Allow SQL to the whole network
#===========================
# NOTE(review): 1433 (MS SQL) and 1954 are forwarded to any destination;
# consider adding '-d <server>' to these once the DROP policy is enabled.
$fw -A FORWARD -p tcp -m tcp --dport 1433 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 1433 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 1954 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 1954 -j ACCEPT
# Allow Hiperdia and CADSUS
#=============================
# (The commented variants use a hostname; iptables resolves it once, when the
# rule is loaded, so they only work if DNS answers at that moment.)
#$fw -t nat -A PREROUTING -p tcp -d datasus.gov.br -j ACCEPT
#$fw -t nat -A PREROUTING -p tcp -s datasus.gov.br -j ACCEPT
#$fw -A FORWARD -d datasus.gov.br -p tcp --dport 43962 -j ACCEPT
#$fw -A FORWARD -s datasus.gov.br -p tcp --sport 43962 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 43962 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 43962 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 40000 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 40000 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 65000 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 65000 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --dport 3050 -j ACCEPT
$fw -A FORWARD -p tcp -m tcp --sport 3050 -j ACCEPT
#$fw -A FORWARD -d 200.222.91.198 -p tcp --dport 8080 -j ACCEPT
#$fw -A FORWARD -s 200.222.91.198 -p tcp --sport 8080 -j ACCEPT
# Allow access to the Datasus port
#===============================
$fw -A FORWARD -d 189.28.143.168 -p tcp -m tcp --dport 3050 -j ACCEPT
$fw -A FORWARD -s 189.28.143.168 -p tcp -m tcp --sport 3050 -j ACCEPT
$fw -A FORWARD -d 64.4.20.196 -p tcp -m tcp --dport 443 -j ACCEPT
# Allow access to HOD (SERPRO)
#================================
# NOTE(review): see the REDIRECT note above - this nat ACCEPT is appended after
# the REDIRECT, so it only affects traffic the REDIRECT did not already match
# (i.e. anything but port 80). With FORWARD policy ACCEPT the FORWARD rule is
# currently a no-op.
$fw -t nat -A PREROUTING -p tcp -d 161.148.0.0/16 -j ACCEPT
$fw -A FORWARD -p tcp -d 161.148.0.0/16 -j ACCEPT
#$fw -A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT #
#$fw -A FORWARD -p tcp -m tcp --sport 443 -j ACCEPT #
#$fw -A FORWARD -p tcp -m tcp --dport 8999 -j ACCEPT # HOD port
#$fw -A FORWARD -p tcp -m tcp --dport 23000 -j ACCEPT # Secure telnet 3270
#$fw -A FORWARD -p tcp -m tcp --sport 8999 -j ACCEPT # HOD port
#$fw -A FORWARD -p tcp -m tcp --sport 23000 -j ACCEPT # Secure telnet 3270
#$fw -A FORWARD -d 161.148.40.200 -p tcp --dport 23000 -j ACCEPT
#$fw -A FORWARD -s 161.148.40.200 -p tcp --sport 23000 -j ACCEPT
#$fw -A FORWARD -d 161.148.40.200 -p tcp --dport 443 -j ACCEPT
#$fw -A FORWARD -s 161.148.40.200 -p tcp --sport 443 -j ACCEPT
#$fw -A FORWARD -d 161.148.40.200 -p tcp --dport 8999 -j ACCEPT
#$fw -A FORWARD -s 161.148.40.200 -p tcp --sport 8999 -j ACCEPT
#$fw -A FORWARD -d 161.148.40.200 -p tcp --dport 80 -j ACCEPT
#$fw -A FORWARD -s 161.148.40.200 -p tcp --sport 80 -j ACCEPT
#$fw -A OUTPUT -p tcp -m tcp --dport 23000 -j ACCEPT
#$fw -A OUTPUT -p tcp -m tcp --sport 23000 -j ACCEPT
#$fw -A OUTPUT -p tcp -m tcp --dport 8999 -j ACCEPT
#$fw -A OUTPUT -p tcp -m tcp --sport 8999 -j ACCEPT
# Allow general access to the Cetil server - city hall headquarters
#============================================================
# These destination-specific MASQUERADEs are presumably already covered by the
# generic '-o eth1' MASQUERADE below, assuming those hosts are reached via eth1.
$fw -t nat -A POSTROUTING -s 10.0.0.0/24 -d 200.222.91.196 -j MASQUERADE
$fw -t nat -A POSTROUTING -s 10.0.0.0/24 -d 200.222.91.198 -j MASQUERADE
$fw -t nat -A POSTROUTING -s 10.0.0.0/24 -d 161.148.40.0/24 -j MASQUERADE
#$fw -t nat -A POSTROUTING -s 161.148.40.0/24 -d 10.0.0.0/24 -j MASQUERADE
# Masquerading of everything leaving via eth1
#================
$fw -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo " Firewall Inciado! "
##### END #####
Por favor, alguém pode me dar uma luz? Tem algo mais bloqueando além do Squid e do iptables?
Agradeço desde já.