Unblock MSN

1. Unblock MSN

anonimous_
anonimous_

(uses Ubuntu)

Sent on 01/12/2009 - 15:19h

Hi everyone!
I'm new to Linux and would like your help to unblock MSN for everyone, based on this already existing firewall. I made some changes but they didn't work, so I removed them. If you can help, I'd appreciate it. There is also an authenticated proxy.
Here it is:
# Generated by iptables-save v1.2.8 on Thu May 27 17:35:48 2004
*mangle
:PREROUTING ACCEPT [182818:49915445]
:INPUT ACCEPT [171765:41326777]
:FORWARD ACCEPT [11005:8581050]
:OUTPUT ACCEPT [186327:69197841]
:POSTROUTING ACCEPT [197405:77793407]
-A PREROUTING -d 10.0.0.139 -j TOS --set-tos 0x10
COMMIT
# Completed on Thu May 27 17:35:48 2004
# Generated by iptables-save v1.2.8 on Thu May 27 17:35:48 2004
*nat
:PREROUTING ACCEPT [6355:500468]
:POSTROUTING ACCEPT [2632:166040]
:OUTPUT ACCEPT [2802:179184]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.1
-A PREROUTING -s 66.117.38.101 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -s 200.211.177.13 -p tcp -m tcp --dport 9987 -j RETURN
-A PREROUTING -s 200.211.177.13 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -s 193.86.103.21 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -s 193.86.103.11 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -s 193.86.103.10 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.254:3128
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Thu May 27 17:35:48 2004
# Generated by iptables-save v1.2.8 on Thu May 27 17:35:48 2004
*filter
:INPUT DROP [442:87710]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [184955:69041928]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1023 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6734 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 10.0.0.138 -i eth1 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN
-A INPUT -p tcp -m tcp --dport 5000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 5000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 6699,8875,8888 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A FORWARD -i lo -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6734 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 53 -j ACCEPT
-A FORWARD -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 66.78.36.53 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -d 216.35.208.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 6346 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 209.61.186.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.49.201.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 209.25.178.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 208.142.53.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 1214 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 213.248.112.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.245.58.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp -j LOG --log-prefix "Iptables TCP denied " --log-level info
-A FORWARD -p udp -m udp -j LOG --log-prefix "Iptables UDP denied " --log-level info
-A FORWARD -p tcp -m multiport --dports 6699,8875,8888 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 200.211.177.13 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 200.211.177.13 -p tcp -m tcp --dport 9987 -j ACCEPT
-A FORWARD -s 192.168.1.1 -p tcp -m tcp -j ACCEPT
-A FORWARD -s 192.168.1.5 -p tcp -m tcp -j ACCEPT
-A FORWARD -s 193.86.103.21 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 193.86.103.10 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 193.86.103.11 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5190 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.12.161.185 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.12.200.89 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 205.188.179.233 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.12.161.153 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.4.13.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 216.136.233.128 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 216.136.233.137 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 216.136.233.138 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 216.136.226.208 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -d 64.124.41.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 216.35.208.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 6346 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 6346 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 209.61.186.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.49.201.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 209.25.178.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 206.142.53.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 1214 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 213.248.112.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 6346 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 64.245.58.0/255.255.254.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m multiport --dports 6699,8875,8888 -j REJECT --reject-with icmp-port-unreachable
-A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
COMMIT
# Completed on Thu May 27 17:35:49 2004

-----
Thanks guys


2. Unblock MSN

Bruno Eleutero Silva
brunosilva.ti

(uses Debian)

Sent on 01/12/2009 - 15:33h

Hello

MSN port = 1863
Try removing the line:
-A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable



3. Re: Unblock MSN

anonimous_
anonimous_

(uses Ubuntu)

Sent on 01/12/2009 - 15:43h

I commented out this line and had no success.
In MSN I tried connecting both with and without the authenticated proxy user. Neither worked.
Waiting, guys!



4. Unblock MSN

Bruno Eleutero Silva
brunosilva.ti

(uses Debian)

Sent on 01/12/2009 - 16:57h

First, try inserting the following line in the firewall:
-A FORWARD -p tcp -m tcp --dport 1863 -j ACCEPT

and then check whether there is any ACL in the squid configuration file:
# vi /etc/squid/squid.conf
For example:
acl HOST_MSN src 192.168.1.40/255.255.255.255
acl Negar_MSN dstdomain "/etc/squid/msn.txt"
acl Negar_MSN2 url_regex "/etc/squid/msn2.txt"
acl msn url_regex -i /gateway/gateway.dll

http_access allow HOST_MSN
http_access deny Negar_MSN
http_access deny Negar_MSN2
http_access deny msn

If there is, comment it out and reload squid:
# squid -k reconfigure
or
# /etc/init.d/squid reload


5. Re: Unblock MSN

anonimous_
anonimous_

(uses Ubuntu)

Sent on 02/12/2009 - 12:56h

I added this rule, but it still gives an error. I checked the MSN logs; it tries to connect to this URL -> messenger.hotmail.com:443
Do I need to open 443 and the URL?
Anyone?


6. Re: Unblock MSN

anonimous_
anonimous_

(uses Ubuntu)

Sent on 03/12/2009 - 10:15h

From what I saw, Squid has no rule blocking it.
The strange thing is the 443.
The SQUID config follows below.

http_port 3128

icp_port 0

htcp_port 0

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_dir ufs /var/cache/squid 100 16 16

cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_store_log /var/log/squid/store.log

dns_nameservers 127.0.0.1 192.168.0.254

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 # ftp
acl Safe_ports port 25 #
acl Safe_ports port 80 # http
acl Safe_ports port 110 #
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 4100 # gopher
acl Safe_ports port 8080 # proxy
acl Safe_ports port 9141 # test
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 835 # multiling http
acl CONNECT method CONNECT
acl passwd proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow passwd
http_access deny all

icp_access allow all

cache_effective_user proxy
cache_effective_group proxy

visible_hostname linux.proxy

#httpd_accel_port 80
#httpd_accel_host virtual

#httpd_accel_with_proxy on

#httpd_accel_uses_host_header on

coredump_dir /var/spool/squid/


In the firewall I tried adding some ports there, but it didn't solve it.
Waiting, folks!
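To see why the appended rule suggested in post 4 and the 443 question in post 5 play out the way they do, here is an added first-match simulator over a constructed subset of the thread's FORWARD chain (example code written for this page, not from the thread or from iptables). The three rules and the DROP policy come from the posted config; the client and destination hosts are constructed, and -m state and other matches are deliberately ignored.

```python
import ipaddress
import re

# Constructed subset of the FORWARD chain posted in the thread, in the order the
# rules appear there (iptables-save syntax). The thread's FORWARD policy is DROP.
FORWARD = [
    "-A FORWARD -s 192.168.0.0/255.255.255.0 -j ACCEPT",
    "-A FORWARD -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable",
    "-A FORWARD -d 64.4.13.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable",
]
POLICY = "DROP"

# Only these match fields are evaluated; -m state, --sport, -i/-o etc. are ignored.
FIELDS = {
    "src": re.compile(r"(?:^|\s)-s (\S+)"),
    "dst": re.compile(r"(?:^|\s)-d (\S+)"),
    "proto": re.compile(r"(?:^|\s)-p (\S+)"),
    "dport": re.compile(r"--dport (\d+)"),
    "target": re.compile(r"(?:^|\s)-j (\S+)"),
}

def parse_rule(line):
    """Extract the supported match fields from one iptables-save rule line."""
    return {k: m.group(1) if (m := rx.search(line)) else None for k, rx in FIELDS.items()}

def in_net(addr, spec):
    """True when spec is absent or addr falls inside it (dotted netmasks accepted)."""
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, src, dst, proto="tcp", dport=None, policy=POLICY):
    """Walk a chain first-match-wins; return (rule index, target) or (None, policy)."""
    for i, line in enumerate(rules):
        r = parse_rule(line)
        if not (in_net(src, r["src"]) and in_net(dst, r["dst"])):
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dport"] and int(r["dport"]) != dport:
            continue
        return i, r["target"]
    return None, policy

def with_accept(rules, dport, insert=False):
    """Chain after 'iptables -A' (append: rule lands at the END) or '-I' (insert: lands at the TOP)."""
    rule = f"-A FORWARD -p tcp -m tcp --dport {dport} -j ACCEPT"
    return [rule] + rules if insert else rules + [rule]
```

For a client outside 192.168.0.0/24, `first_match(with_accept(FORWARD, 1863), "192.168.1.5", "64.4.13.20", dport=1863)` still returns the REJECT at index 1, because an appended ACCEPT sits behind it and is never reached, while `insert=True` returns `(0, "ACCEPT")`; a new connection to port 443 from the same client hits no rule and falls to the DROP policy.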
