squid ou iptables bloqueando emails e ftp externo

1. squid ou iptables bloqueando emails e ftp externo

thiago
thiagomcinfo

(usa CentOS)

Enviado em 21/04/2014 - 16:15h

Pessoal, desde já agradeço:

Seguinte: troquei o servidor AD da empresa e, depois, reconectei o squid, o kerberos etc.
Agora a navegação autenticada pelo AD funciona, mas não consigo acessar e-mails externos via Outlook nem FTP!

Seguem os confs:

IPTABLES:

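# Generated by iptables-save v1.3.5 on Thu Dec 16 09:06:55 2010
# filter table. Policies: INPUT DROP, FORWARD DROP, OUTPUT ACCEPT.
# Forwarding is an allow-list keyed on LAN source address AND destination port;
# a LAN host that is not listed (or whose address changed, e.g. after the AD
# migration) cannot reach mail/FTP ports at all. Lines starting with '#' are
# ignored by iptables-restore.
# Review fixes applied to this dump:
#   - four FORWARD rules had no -j target, which makes them pure packet
#     counters; "-j ACCEPT" was added (192.168.0.33/.12/.24/.34 rules for
#     2180, 7003-7005, 21 and 1433).
#   - 192.168.0.12 destination port 8433 corrected to 8443 (its nat rule and
#     the sibling hosts all use 8443).
#   - two exact duplicate rules removed (192.168.0.30 icmp, OUTPUT sport 8577).
# NOTE(review): 993 (IMAP over TLS) appears in no allow-list, so a mail client
#   using it is dropped by the FORWARD policy. Passive-FTP data connections
#   only match RELATED below when the kernel FTP conntrack helper
#   (ip_conntrack_ftp / nf_conntrack_ftp) is loaded - confirm on this host.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [5814:473969]
:OUTPUT ACCEPT [2207030:928570205]
:sshguard - [0:0]
# Static drop list of individual external addresses.
-A INPUT -s 187.45.213.196 -p tcp -m tcp --dport 8090 -j DROP
-A INPUT -s 221.195.4.92 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 201.47.246.170 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 201.148.157.151 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 125.39.82.251 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 124.247.193.78 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 60.217.229.226 -p tcp -m tcp --dport 22 -j DROP
# The sshguard chain is empty in this dump; the sshguard daemon fills it at runtime.
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH on the firewall itself is open to any source on any interface;
# only the sshguard chain above limits it.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# NTP: accepted only from the five listed time servers, on the external interface.
-A INPUT -s 146.164.48.1 -d 200.205.36.252 -i eth1 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 143.107.255.15 -d 200.205.36.252 -i eth1 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 200.20.186.75 -d 200.205.36.252 -i eth1 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 200.144.121.33 -d 200.205.36.252 -i eth1 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 200.192.112.8 -d 200.205.36.252 -i eth1 -p udp -m udp --dport 123 -j ACCEPT
# DNS to the firewall: no -i or -s restriction, so it is also reachable from
# eth1. If a recursive resolver listens here it is an open resolver - confirm.
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# The LAN (eth0) may reach every TCP/UDP/ICMP service on the firewall,
# including squid on 192.168.0.1:3128.
-A INPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -i eth0 -p tcp -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -i eth0 -p udp -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -i eth0 -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Replies and helper-tracked connections (e.g. FTP data) of already accepted flows.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Three workstations may reach one external web server directly (not via squid).
-A FORWARD -s 192.168.0.37 -d 189.126.109.250 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.0.41 -d 189.126.109.250 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.0.25 -d 189.126.109.250 -p tcp -m tcp --dport 80 -j ACCEPT
# Inbound RDP to 192.168.0.2 from any source address.
-A FORWARD -d 192.168.0.2 -p tcp -m tcp --dport 3389 -j ACCEPT
# SSH towards 192.168.0.1 from three external sources (paired with the 443->22 DNATs).
-A FORWARD -s 200.169.222.131 -d 192.168.0.1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 200.169.222.130 -d 192.168.0.1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 200.230.21.0/255.255.255.0 -d 192.168.0.1 -p tcp -m tcp --dport 22 -j ACCEPT
# Outbound DNS for the whole LAN.
-A FORWARD -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT
# Outbound ICMP per host.
-A FORWARD -s 192.168.0.231 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.40 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.39 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.30 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.33 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.12 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.24 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.34 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.232 -p icmp -j ACCEPT
-A FORWARD -s 192.168.0.38 -p icmp -j ACCEPT
# Outbound TCP per host and port. 20/21 = FTP, 25/465/587 = SMTP,
# 110/995 = POP3, 143 = IMAP, 3389 = RDP, 5800/5900 = VNC; the remaining
# ports are site-specific. A "1024:65534" rule opens the whole unprivileged
# range for that host, which makes the port allow-list moot for it.
-A FORWARD -s 192.168.0.31 -p tcp -m multiport --dports 1433 -j ACCEPT
-A FORWARD -s 192.168.0.2 -p tcp -m multiport --dports 7177 -j ACCEPT
-A FORWARD -s 192.168.0.2 -p tcp -m multiport --dports 5500:5600 -j ACCEPT
-A FORWARD -s 192.168.0.29 -p tcp -m multiport --dports 20,21,1433,5432,3389 -j ACCEPT
-A FORWARD -s 192.168.0.16 -p tcp -m multiport --dports 20,21,1433,5432,3389,587 -j ACCEPT
-A FORWARD -s 192.168.0.103 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,3456,587 -j ACCEPT
-A FORWARD -s 192.168.0.20 -p tcp -m multiport --dports 1433 -j ACCEPT
-A FORWARD -s 192.168.0.231 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j ACCEPT
-A FORWARD -s 192.168.0.231 -p tcp -m multiport --dports 3306,5222,8443,8888 -j ACCEPT
-A FORWARD -s 192.168.0.40 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j ACCEPT
-A FORWARD -s 192.168.0.40 -p tcp -m multiport --dports 3306,5222,8443 -j ACCEPT
-A FORWARD -s 192.168.0.12 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j ACCEPT
-A FORWARD -s 192.168.0.12 -p tcp -m multiport --dports 3306,5222,8443,8888 -j ACCEPT
-A FORWARD -s 192.168.0.32 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j ACCEPT
-A FORWARD -s 192.168.0.32 -p tcp -m multiport --dports 3306,5222,8443,8888 -j ACCEPT
-A FORWARD -s 192.168.0.30 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j ACCEPT
-A FORWARD -s 192.168.0.30 -p tcp -m multiport --dports 3306,8443 -j ACCEPT
-A FORWARD -s 192.168.0.38 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j ACCEPT
-A FORWARD -s 192.168.0.38 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
-A FORWARD -s 192.168.0.38 -p tcp -m multiport --dports 2180,39365,6514,1972,6515,1973,80,443 -j ACCEPT
-A FORWARD -s 192.168.0.11 -p tcp -m multiport --dports 25,110,143,465,995,587,1863,3389 -j ACCEPT
-A FORWARD -s 192.168.0.36 -p tcp -m multiport --dports 25,110,143,465,995,587,1863,3389 -j ACCEPT
-A FORWARD -s 192.168.0.31 -p tcp -m multiport --dports 20,21,25,110,143,465,995,587,1863,2121,3389 -j ACCEPT
-A FORWARD -s 192.168.0.33 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,5800,5900,2121,1863,8090 -j ACCEPT
-A FORWARD -s 192.168.0.33 -p tcp -m multiport --dports 2180,7004,7003,7005 -j ACCEPT
-A FORWARD -s 192.168.0.12 -p tcp -m multiport --dports 2180,21,1433 -j ACCEPT
-A FORWARD -s 192.168.0.24 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,5800,5900,2121,1863,8090 -j ACCEPT
-A FORWARD -s 192.168.0.24 -p tcp -m multiport --dports 2180,7004,7003,7005 -j ACCEPT
-A FORWARD -s 192.168.0.37 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j ACCEPT
-A FORWARD -s 192.168.0.35 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j ACCEPT
-A FORWARD -s 192.168.0.41 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j ACCEPT
-A FORWARD -s 192.168.0.25 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j ACCEPT
-A FORWARD -s 192.168.0.94 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j ACCEPT
-A FORWARD -s 192.168.0.34 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,5800,5900,2121,1863,8090 -j ACCEPT
-A FORWARD -s 192.168.0.34 -p tcp -m multiport --dports 2180,7004,7003,7005,587 -j ACCEPT
-A FORWARD -s 192.168.0.37 -p tcp -m multiport --dports 5800,5900,2121,8090,3050,5432,587,5222 -j ACCEPT
-A FORWARD -s 192.168.0.35 -p tcp -m multiport --dports 5800,5900,2121,8090,3050,5432,587,5222 -j ACCEPT
-A FORWARD -s 192.168.0.41 -p tcp -m multiport --dports 5800,5900,2121,8090,3050,5432,587,5222 -j ACCEPT
-A FORWARD -s 192.168.0.37 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
-A FORWARD -s 192.168.0.35 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
-A FORWARD -s 192.168.0.41 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
-A FORWARD -s 192.168.0.25 -p tcp -m multiport --dports 5800,5900,2121,8090,3050,5432,587 -j ACCEPT
-A FORWARD -s 192.168.0.25 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
-A FORWARD -s 192.168.0.33 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
#-A FORWARD -s 192.168.0.12 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
-A FORWARD -s 192.168.0.24 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
-A FORWARD -s 192.168.0.34 -p tcp -m multiport --dports 1024:65534 -j ACCEPT
-A FORWARD -s 192.168.0.24 -p tcp -m multiport --dports 3389 -j ACCEPT
-A FORWARD -s 192.168.0.81 -p tcp -m multiport --dports 3389 -j ACCEPT
#-A FORWARD -s 192.168.0.25 -p tcp -m multiport --dports 3389 -j ACCEPT
-A FORWARD -s 192.168.0.52 -p tcp -m multiport --dports 3389 -j ACCEPT
# OUTPUT only sees packets generated by the firewall itself (forwarded LAN
# traffic never traverses it). A fixed set of source ports is dropped on the
# external interface (looks like a file-sharing block list - confirm);
# everything else leaves, per the OUTPUT ACCEPT policy.
-A OUTPUT -s 200.205.36.252 -o eth1 -p tcp -m tcp --sport 4661:4662 -j DROP
-A OUTPUT -s 200.205.36.252 -o eth1 -p udp -m udp --sport 4465 -j DROP
-A OUTPUT -s 200.205.36.252 -o eth1 -p tcp -m tcp --sport 8577 -j DROP
-A OUTPUT -s 200.205.36.252 -o eth1 -p tcp -m tcp --sport 1214 -j DROP
-A OUTPUT -s 200.205.36.252 -o eth1 -p udp -m udp --sport 1214 -j DROP
-A OUTPUT -s 200.205.36.252 -o eth1 -p tcp -m tcp --sport 3551 -j DROP
-A OUTPUT -s 200.205.36.252 -o eth1 -p tcp -m tcp --sport 3531 -j DROP
-A OUTPUT -s 200.205.36.252 -o eth1 -p tcp -m multiport --sports 6881,6889,8090,7004,7003,7005 -j DROP
COMMIT
# Completed on Thu Dec 16 09:06:55 2010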
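# Generated by iptables-save v1.3.5 on Thu Dec 16 09:06:55 2010
# nat table. PREROUTING publishes a few internal services (DNAT); POSTROUTING
# masquerades LAN hosts per destination port. A LAN host therefore needs BOTH a
# FORWARD accept and a POSTROUTING MASQUERADE entry for a port before that
# port works for it.
# Review fixes applied to this dump:
#   - five POSTROUTING rules had no -j target (pure packet counters);
#     "-j MASQUERADE" added to the 192.168.0.33/.35/.12/.24 rules for
#     2180, 7003-7005, 21 and 1433.
#   - 192.168.0.35 "21,21" corrected to "20,21" (matches its FORWARD rule).
# NOTE(review): FORWARD and POSTROUTING port lists disagree for some hosts.
#   Traffic that is forwarded but not masqueraded leaves with a private source
#   address and never gets an answer. From this dump: 192.168.0.24 has no
#   MASQUERADE at all for 21/25/110/143/465/995 although FORWARD accepts them;
#   192.168.0.34 lacks 20,21; 192.168.0.16 lacks 587. Confirm against the
#   intended policy before adding rules.
# NOTE(review): apart from 192.168.0.2:3389 and 192.168.0.1:22, the DNAT
#   targets below have no FORWARD rule matching on "-d" (the FORWARD rules for
#   .31, .33, .24 and .2 match "-s"), so how those inbound connections are
#   accepted is not visible in this dump - confirm.
*nat
:PREROUTING ACCEPT [30598:2428602]
:POSTROUTING ACCEPT [144062:8738746]
:OUTPUT ACCEPT [144400:8767646]
# Published services, each limited to fixed external sources: MSSQL on
# 192.168.0.31, and SSH on 192.168.0.1 reached through external port 443.
-A PREROUTING -s 200.160.108.5 -d 200.205.36.252 -p tcp -m tcp --dport 1433 -j DNAT --to-destination 192.168.0.31:1433
-A PREROUTING -s 189.11.243.254 -d 200.205.36.252 -p tcp -m tcp --dport 1433 -j DNAT --to-destination 192.168.0.31:1433
-A PREROUTING -s 200.169.222.131 -d 200.205.36.252 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:22
-A PREROUTING -s 200.169.222.130 -d 200.205.36.252 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:22
-A PREROUTING -s 200.230.21.0/255.255.255.0 -d 200.205.36.252 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:22
# Outbound ICMP per host and DNS for the whole LAN.
-A POSTROUTING -s 192.168.0.231 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.40 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.30 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.33 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.12 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.24 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.34 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.232 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.38 -p icmp -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 53 -j MASQUERADE
# 7177 and 5500-5600 are redirected to 192.168.0.2 from ANY source and on ANY
# interface (no -s/-i restriction), unlike every other DNAT in this table.
-A PREROUTING -p tcp --dport 7177 -j DNAT --to 192.168.0.2:7177
-A PREROUTING -p tcp --dport 5500:5600 -j DNAT --to 192.168.0.2
-A PREROUTING -s 201.246.47.5 -d 200.205.36.252 -p tcp -m tcp --dport 1433 -j DNAT --to-destination 192.168.0.31:1433
# Per-host outbound masquerading; should mirror the FORWARD allow-list.
-A POSTROUTING -s 192.168.0.36 -p tcp -m multiport --dports 20,21,25,110,5432,3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.29 -p tcp -m multiport --dports 20,21,1433,5432,3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.16 -p tcp -m multiport --dports 20,21,1433,5432,3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.103 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,3456,587 -j MASQUERADE
-A POSTROUTING -s 192.168.0.20 -p tcp -m multiport --dports 1433 -j MASQUERADE
-A POSTROUTING -s 192.168.0.231 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j MASQUERADE
-A POSTROUTING -s 192.168.0.231 -p tcp -m multiport --dports 3306,5222,8443,8888 -j MASQUERADE
-A POSTROUTING -s 192.168.0.40 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j MASQUERADE
-A POSTROUTING -s 192.168.0.40 -p tcp -m multiport --dports 3306,5222,8443 -j MASQUERADE
-A POSTROUTING -s 192.168.0.12 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j MASQUERADE
-A POSTROUTING -s 192.168.0.12 -p tcp -m multiport --dports 3306,5222,8443,8888 -j MASQUERADE
-A POSTROUTING -s 192.168.0.32 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j MASQUERADE
-A POSTROUTING -s 192.168.0.32 -p tcp -m multiport --dports 3306,5222,8443,8888 -j MASQUERADE
-A POSTROUTING -s 192.168.0.30 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j MASQUERADE
-A POSTROUTING -s 192.168.0.30 -p tcp -m multiport --dports 3306,8443 -j MASQUERADE
-A POSTROUTING -s 192.168.0.38 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1433,3050,5432,1863,2121,3389,5900,5800 -j MASQUERADE
-A POSTROUTING -s 192.168.0.38 -p tcp -m multiport --dports 39365,6514,1972,6515,1973,80,443 -j MASQUERADE
-A POSTROUTING -s 192.168.0.38 -d 189.47.139.217 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.11 -p tcp -m multiport --dports 25,110,143,465,995,587,1863,3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.36 -p tcp -m multiport --dports 25,110,143,465,995,587,1863,3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.34 -p tcp -m multiport --dports 25,110,143,465,995,587,1863,3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.31 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.33 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,5800,5900,2121,1863,8090 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,5800,5900,2121,1863,8090 -j MASQUERADE
-A POSTROUTING -s 192.168.0.12 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,5800,5900,2121,1863,8090 -j MASQUERADE
-A POSTROUTING -s 192.168.0.33 -p tcp -m multiport --dports 2180,7004,7005,7003 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -p tcp -m multiport --dports 2180,7004,7005,7003 -j MASQUERADE
-A POSTROUTING -s 192.168.0.12 -p tcp -m multiport --dports 2180,7004,7005,7003 -j MASQUERADE
-A POSTROUTING -s 192.168.0.12 -p tcp -m multiport --dports 21,2180,2180,1433 -j MASQUERADE
-A POSTROUTING -s 192.168.0.24 -p tcp -m multiport --dports 21,2180,2180 -j MASQUERADE
# Unprivileged-range masquerading restricted to specific external peers.
-A POSTROUTING -s 192.168.0.33 -d 187.45.233.45 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -d 187.45.233.45 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
#-A POSTROUTING -s 192.168.0.12 -d 187.45.233.45 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.24 -d 187.45.233.45 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.33 -d 187.45.206.186 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -d 187.202.3.21 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
#-A POSTROUTING -s 192.168.0.12 -d 187.202.3.21 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.12 -d 187.202.3.21 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -d 187.202.136.25 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -d 187.45.206.186 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.12 -d 187.202.136.25 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.24 -d 187.45.244.127 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
# Inbound 7003-7005 from fixed peers. NOTE(review): the three 192.168.0.24
# rules repeat the exact match of the 192.168.0.33 rules above them
# (same -s and --dport); the first match wins, so the .24 copies never fire.
-A PREROUTING -s 187.45.244.127 -p tcp -i eth1 --dport 7005 -j DNAT --to 192.168.0.33
-A PREROUTING -s 187.45.244.45 -p tcp -i eth1 --dport 7003 -j DNAT --to 192.168.0.33
-A PREROUTING -s 187.45.244.186 -p tcp -i eth1 --dport 7004 -j DNAT --to 192.168.0.33
-A PREROUTING -s 187.45.244.45 -p tcp -i eth1 --dport 7004 -j DNAT --to 192.168.0.33
#-A PREROUTING -s 187.45.244.127 -p tcp -i eth1 --dport 7005 -j DNAT --to 192.168.0.24
-A PREROUTING -s 187.45.244.45 -p tcp -i eth1 --dport 7003 -j DNAT --to 192.168.0.24
-A PREROUTING -s 187.45.244.186 -p tcp -i eth1 --dport 7004 -j DNAT --to 192.168.0.24
-A PREROUTING -s 187.45.244.45 -p tcp -i eth1 --dport 7004 -j DNAT --to 192.168.0.24
-A POSTROUTING -s 192.168.0.37 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j MASQUERADE
-A POSTROUTING -s 192.168.0.41 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j MASQUERADE
-A POSTROUTING -s 192.168.0.25 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j MASQUERADE
-A POSTROUTING -s 192.168.0.94 -p tcp -m multiport --dports 20,21,25,110,143,465,995,1863,2121,3389,587 -j MASQUERADE
-A POSTROUTING -s 192.168.0.37 -p tcp -m multiport --dports 5800,5900,2121,1433,3050,5432,5222 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -p tcp -m multiport --dports 5800,5900,2121,1433,3050,5432,5222 -j MASQUERADE
-A POSTROUTING -s 192.168.0.41 -p tcp -m multiport --dports 5800,5900,2121,1433,3050,5432,5222 -j MASQUERADE
-A POSTROUTING -s 192.168.0.37 -d 189.47.139.217 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -d 189.47.139.217 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.41 -d 189.47.139.217 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.25 -p tcp -m multiport --dports 5800,5900,2121,1433,3050,5432 -j MASQUERADE
-A POSTROUTING -s 192.168.0.25 -d 189.47.139.217 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.25 -d 189.126.109.250 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.0.38 -d 187.45.233.45 -p tcp -m multiport --dports 1024:65534 -j MASQUERADE
-A POSTROUTING -s 192.168.0.37 -d 189.126.109.250 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.0.35 -d 189.126.109.250 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.0.41 -d 189.126.109.250 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 192.168.0.24 -p tcp -m multiport --dports 3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.40 -p tcp -m multiport --dports 3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.81 -p tcp -m multiport --dports 3389 -j MASQUERADE
#-A POSTROUTING -s 192.168.0.25 -p tcp -m multiport --dports 3389 -j MASQUERADE
-A POSTROUTING -s 192.168.0.52 -p tcp -m multiport --dports 3389 -j MASQUERADE
COMMIT
# Completed on Thu Dec 16 09:06:55 2010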




  


2. Re: squid ou iptables bloqueando emails e ftp externo

thiago
thiagomcinfo

(usa CentOS)

Enviado em 21/04/2014 - 16:17h

Segue o Squid.conf:

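# squid.conf (Squid 2.x-era directives: no_cache, header_access,
# broken_vary_encoding). Text after '#' is a comment.
# Review fix: the first directive read "ttp_port", which squid does not know;
# restored to http_port. The proxy listens on the LAN address only.
# Mail clients (Outlook) and FTP clients normally do not use an HTTP proxy at
# all; their traffic is governed by the iptables FORWARD/POSTROUTING rules,
# not by this file. If such a client IS pointed at the proxy, CONNECT is only
# allowed to SSL_ports (443, 7003-7006), so 465/587/993/995 are denied here.
http_port 192.168.0.1:3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# Cache sizing.
cache_mem 800 MB
cache_replacement_policy lru
memory_replacement_policy lru
maximum_object_size 200 MB
maximum_object_size_in_memory 20 KB
cache_dir ufs /var/spool/squid 5120 16 256
cache_effective_user squid
dns_timeout 3 minutes
#cache_effective_group squid
access_log /var/log/squid/access.log squid
cache_store_log none
error_directory /usr/share/squid/errors/Portuguese
# Squid resolves names through the firewall itself.
dns_nameservers 192.168.0.1

emulate_httpd_log on

# URL filtering is delegated to squidGuard.
redirect_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
redirect_children 30

visible_hostname firewall.redesindata.com.br

# URLs listed in /etc/squid/mcafee are allowed before anything else,
# for any client, without authentication.
acl mcafee url_regex "/etc/squid/mcafee"
http_access allow mcafee

# AD authentication: NTLM via winbind; group membership via wbinfo_group.pl.
# No "proxy_auth REQUIRED" acl is active (see the commented line further
# down), so a login is only requested when evaluation reaches an AD_GROUP acl.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
external_acl_type AD_GROUP %LOGIN /usr/lib/squid/wbinfo_group.pl

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#cache windows update
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims

# Basic acls.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# SSL_ports: the only destinations CONNECT may tunnel to (443 and 7003-7006).
acl SSL_ports port 443
# Safe_ports: the 1025-65535 entry below makes every unprivileged port "safe",
# so "deny !Safe_ports" only stops privileged ports that are not listed here.
# Duplicate entries for 80 and 443 were removed (the acl is a set; no change
# in behaviour). Original comments kept where the port's use is site-specific.
acl Safe_ports port 995 # pop3s
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 110 # pop3 (orig. "tera")
acl Safe_ports port 587 # smtp submission (orig. "tera")
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 2121 # site-specific (orig. "wais")
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 7177 # ftp (orig. comment)
acl Safe_ports port 5500-5600 # ftp (orig. comment)
acl Safe_ports port 1973 #vnc
acl Safe_ports port 6515 #vnc
acl Safe_ports port 1972 #vnc
acl Safe_ports port 6514 #vnc
acl Safe_ports port 7003-7006 #soap
acl SSL_ports port 7003-7006 #soap
acl Safe_ports port 5800 #vnc
acl Safe_ports port 5900 #vnc
acl Safe_ports port 3389 # rdp
acl Safe_ports port 8090 #radar
acl Safe_ports port 10060 #radar
acl Safe_ports port 1433 # mssql
#acl Safe_ports port 6100-6200 #consladel
#acl Safe_ports port 43934-65534 #consladel
#acl Safe_ports port 3456 #irpf
#acl Safe_ports port 20 # ftp
#acl Safe_ports port 200 207 80 61 6 211 #ftp
acl CONNECT method CONNECT

#acl aitusers src 192.168.0.94 192.168.0.37 192.168.0.25
#acl ait dstdomain 187.45.206.186/* 187.45.206.186. 187.45.206.186/aitnet
#http_access allow ait
#http_access deny ait !aitusers

#acl acidentesusers src 192.168.0.12
#acl acidentes dstdomain 187.45.206.186/* 187.45.206.186. 187.45.206.186/acidentes
#http_access allow acidentes
#http_access deny acidentes !acidentesusers

# Source-address exceptions used by the webmail rule below.
acl excessao src 192.168.0.231 192.168.0.232 192.168.0.103 192.168.0.16 192.168.0.36 192.168.0.37 192.168.0.41 192.168.0.33
acl excessaomail src 192.168.0.11 192.168.0.38 192.168.0.33
#acl pda src 192.168.0.24 192.168.0.33
acl guisardi src 192.168.0.103

# Fix support.microsoft.com by removing Accept-Encoding header
acl support.microsoft.com dstdomain -i "/etc/squid/header.txt"
header_access Accept-Encoding deny support.microsoft.com

# URL lists (one regex per line, matched case-insensitively).
acl org url_regex -i "/etc/squid/org"
acl allowedurls url_regex -i "/var/lib/squidguard/allowedurls"
acl blockedurls url_regex -i "/etc/squid/blockedurls"
acl webmail url_regex -i "/etc/squid/webmailurls"
acl chaturls url_regex -i "/etc/squid/chatwords"
acl aits url_regex -i "/etc/squid/aits"
acl allowedradar url_regex -i "/var/lib/squidguard/allowedradar"
acl marcelo url_regex -i "/var/lib/squidguard/marcelo"
# AD groups (the backslash is part of the DOMAIN\group name).
acl unrestrictedusers external AD_GROUP REDESINDATA\supervisores
#acl restrito external AD_GROUP REDESINDATA\restrito
acl func external AD_GROUP REDESINDATA\func
#acl Authenticated proxy_auth REQUIRED

# Access rules; first match wins.
# NOTE(review): "allow org / allowedurls / aits" sit ABOVE the Safe_ports and
# CONNECT checks and above any AD acl, so a URL matching those lists is served
# to any client with no login and no port check. Squid's stock configuration
# places "deny !Safe_ports" and "deny CONNECT !SSL_ports" first.
# NOTE(review): only REDESINDATA\supervisores (and localhost) get general
# browsing; "func" is defined but used only in commented-out lines, so other
# authenticated users fall through to "deny all" - confirm that is intended.
#http_access allow unrestrictedusers
#http_access allow marcelo !func
http_access deny marcelo !guisardi
http_access allow org
http_access allow allowedurls
http_access allow aits
http_access deny chaturls !unrestrictedusers
http_access deny blockedurls !unrestrictedusers
http_access deny webmail !excessao !excessaomail !unrestrictedusers
http_access allow unrestrictedusers
#http_access allow allowedradar
#http_access allow allowedradar !restrito
#http_access deny allowedradar !pda !excessao !excessaomail !unrestrictedusers
#http_access allow unrestrictedusers
#http_access allow restrictedusers
#http_access deny !Authenticated

# Cache manager interface: local access only.
http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all

#tcp_outgoing_address 200.168.62.245
#udp_outgoing_address 200.168.62.245

coredump_dir /var/spool/squid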






