israelborgess
(usa Debian)
Enviado em 06/01/2011 - 00:55h
Boa noite Pessoal,
Estou com dificuldade em configurar um client Ftp filezilla, autenticando em meu proxy. Segue abaixo meus arquivos de configuração Squid.conf e Firewall.sh, e jpg do meu ambiente de rede.
Ambiente de Rede
Rede Interna
http://img508.imageshack.us/img508/79/redeinterna.jpg
Configuração usuário Proxy
http://img191.imageshack.us/i/usuarioproxy.jpg/
Configuração usuário Ftp
http://img638.imageshack.us/i/usuarioshostfto.jpg
### Squid.conf ######
http_port 80
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 128 MB
maximum_object_size 128096 KB
maximum_object_size_in_memory 64 KB
cache_dir ufs /var/spool/squid 2048 16 256
cache_mgr root@192.168.200.200
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite seu usuario e senha.
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
ftp_user root@192.168.200.200
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl portas port 20
acl portas port 21
http_access allow portas
acl CONNECT method CONNECT
http_access deny CONNECT !portas
acl password proxy_auth "/etc/squid/usuarios.txt"
acl manager proto cache_object
acl localhost src 192.168.0.0/24
acl to_localhost dst 192.168.0.0/24
acl SSL_ports port 80 8017 # http pra sefip
acl SSL_ports port 443 # https
acl SSL_ports port 444 # sefip
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 11011 # webmin
acl Safe_ports port 80 # http
acl Safe_ports port 444 8017 # sefip
acl Safe_ports port 2678 # sefip
acl Safe_ports port 21 # ftp
acl Safe_ports port 20 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow password
http_access deny all
#######Firewall.sh#########
IPTABLES=/sbin/iptables
modprobe ip_conntrack
modprobe ip_tables
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ip_nat_ftp
#desligando forward
echo 0 > /proc/sys/net/ipv4/ip_forward
#limpando tabela NAT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING
#limpando regras
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
#Politicas
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#impedindo alteracao de rotas
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#prot contra responses bogus
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#prot contra syn-flood
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#contra traceroute
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#contra ip spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#--------INPUT--------
$IPTABLES -A INPUT -i lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
#--------OUTPUT-------
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
#------FORWARD--------
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -i eth1 -s 0.0.0.0/22 -o eth0 -j ACCEPT
#--------NAT----------
$IPTABLES -t nat -A POSTROUTING -s 0.0.0.0/22 -o eth+ -j MASQUERADE
#habilitando forward
echo 1 > /proc/sys/net/ipv4/ip_forward
#liberando SSh
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#liberando porta 80 SQUID
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
#liberando range para FTP
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 - j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 - j ACCEPT
echo "Firewall Startado com Sucesso"
OBS:
- O cliente Filezilla me mostra que consigo passar pelo proxy, so não consigo acessar o host.
- Já tentei outro cliente FTP e o problema persiste.
- Quando acesso o FTP direto do servidor ubuntu, consigo ter acesso normalmente ao mesmo, sem problemas.
- Já tentei criar ACL no squid liberando acesso total ao ip do terminal que acessa o Cliente Filezilla.
- Já tentei criar a regra acl SSL_ports port 1024-65535 para liberar as requisições do método CONNECT durante o handshake
Com estes testes se quer consegui chamar a janela de usuario e senha ao acessar o FTP pelo browser. A única forma que consigo acesso é com usuario:senha@dominio. Alguem pode me ajudar por favor??