Autor Tópico: [Resolvido] Squid + iptable (Lida 5226 vezes)

Eduardof · « **Online:** 08 de Abril de 2011, 10:46 »

Pessoal, minha duvida é assim.

Tenho uma rede aqui na empresa com dois servidores. Um deles é o Windows 2003 Server rodando como servidor de dominio, já o outro esta rolando linux com squid + iptable.

Estou tentando ligar outra estação da trabalho, porem ela tem acesso total a rede, mas não a internet. Na configuração do squid já coloquei entre as maquinas com acesso a internet. Acho que já tentei bastante coisas, mas não consegui. Imagino que deve ser uma besteira que acabei não percebendo, por isso vou deixar aqui as configurações e ver se alguém olhando de fora possa ver.

iptables

Código: [Selecionar]

#!/bin/bash

###################### Escrevendo um firewall feito para o servidor ######################

######################  Apagando qualquer regra existente ######################
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F

###################### Apagando regras de terceiros ######################
iptables -t nat -X
iptables -t filter -X
iptables -t mangle -X
iptables -F

###################### Compartilhar uma conexÃ£o da internet utilizando duas placas de rede ######################
# eth1 => placa ligada no Speedy / Virtua
# eth0 => placa ligada a rede com ip 192.168.0.1
# ppp0 => tipo de conexao PPOE


#-- Carrega Modulos do Iptables
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ipt_REJECT
modprobe ipt_MASQUERADE

# -- Habilitando o repasse entre as placas de rede --
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20 -s 192.168.0.111 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -s 192.168.0.111 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


#### Variaveis para facilitar ######
IF_EXTERNA=eth1
IF_INTERNA=eth0
PORTAS_VNC=5900

#Protege contra os "Ping of Death"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#Protege contra os ataques do tipo "Syn-flood, DoS, etc
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT

#Permitir repassamento (NAT,DNAT,SNAT) de pacotes estabilizados e os relatados ...
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Logar os pacotes mortos por inatividade ...

#iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG

#Protege contra port scanners avancados (Ex.: nmap)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#Protege contra pacotes que podem procurar e obter informaÃ§Ãµes da rede interna ...
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

#ICMP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT


###################### LIBERACAO DE PORTAS GERAIS MAIS COMUNS ##########################

## OUTLOOK
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 25 -o $IF_EXTERNA
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 110 -o $IF_EXTERNA

iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 587 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 587 -j ACCEPT

## E-MAILS IMAP
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 143 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 143 -j ACCEPT

iptables -A INPUT -s 63.13.161.0/24 -p tcp --dport 443 -j DROP
iptables -A INPUT -d o.imo.im -p tcp --dport 443 -j DROP
iptables -A INPUT -d imo.im -p tcp --dport 443 -j REJECT

#####Liberar portas Gmail/Outlook####
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 995 -o $IF_EXTERNA
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 465 -o $IF_EXTERNA

iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 465 -j ACCEPT

iptables -A FORWARD -s 192.168.1.0 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.1.0 -d loginnet.passport.com -j REJECT
iptables -A FORWARD -s 198.168.1.0/24 -d messenger.hotmail.com -j REJECT
iptables -A FORWARD -s 198.168.1.0/24 -d webmessenger.msn.com -j REJECT
iptables -A FORWARD -p tcp --dport 1080 -j DROP
iptables -A FORWARD -s 198.168.1.0/24 -p tcp --dport 1080 -j REJECT
iptables -A FORWARD -s 198.168.1.0/24 -d imo.im -j REJECT


## VNC E ULTRAVNC  -  liberar porta
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp -m multiport --dport $PORTAS_VNC -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m multiport --dport $PORTAS_VNC -j ACCEPT

## REMOTE DESKTOP E ACESSO REMOTO  -  liberar porta 3389 ######
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 3389 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 3389 -j ACCEPT

## SSH liberar porta #####
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 22 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

## VPN liberar porta  #####
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 1701 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 1701 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 1723 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 1723 -j ACCEPT

##  "Liberar porta para apache"
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT

## HTTPS - Liberar Porta ##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 443 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT


## SERVIDOR DNS  - Liberar Porta##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p udp --dport 53 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT

## FTP  - Liberar Porta ##
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 20 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 20 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 21 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT

iptables -I INPUT 1 -j ACCEPT -p 20
iptables -I OUTPUT 1 -j ACCEPT -p 20

iptables -I INPUT 1 -j ACCEPT -p 21
iptables -I OUTPUT 1 -j ACCEPT -p 21

iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 20 -j ACCEPT

iptables -A INPUT -p udp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 20 -j ACCEPT
iptables -A OUTPUT -p udp --dport 21 -j ACCEPT
iptables -A OUTPUT -p udp --dport 20 -j ACCEPT
iptables -A FORWARD -p udp --dport 21 -j ACCEPT
iptables -A FORWARD -p udp --dport 20 -j ACCEPT


# Liberar rede virtual privada - VPN
iptables -A INPUT -j ACCEPT -p tcp --dport 1701
iptables -A INPUT -j ACCEPT -p tcp --dport 1723
iptables -A INPUT -i $IF_EXTERNA -s 0/0 -d 0/0 -p 43 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -p 43 -j ACCEPT
iptables --append INPUT --protocol 47 --jump ACCEPT
iptables --append INPUT --protocol tcp --match tcp --destination-port 1723 --jump ACCEPT
iptables -A FORWARD -i $IF_EXTERNA -j ACCEPT
iptables -A FORWARD -o $IF_EXTERNA -j ACCEPT


### Liberar Bit Torrent ####
iptables -A FORWARD -o $IF_EXTERNA -p tcp --dport 6881:6889 -j ACCEPT
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 6881:6889 -j DNAT --to-dest 192.168.0.240
iptables -A FORWARD -p tcp -i $IF_EXTERNA --dport 6881:6889 -d 192.168.0.240 -j ACCEPT
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p udp --dport 6881:6889 -j DNAT --to-dest 192.168.0.240
iptables -A FORWARD -p udp -i $IF_EXTERNA --dport 6881:6889 -d 192.168.0.240 -j ACCEPT

iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6881 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6882 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6883 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6884 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6885 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6886 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6887 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6888 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 6889 -j ACCEPT

########## LIBERAR LOGMEIN #################
#iptables -A FORWARD -d www.logmein.com -j ACCEPT
#iptables -A FORWARD -d secure.logmein.com -j ACCEPT
#iptables -A FORWARD -p tcp --dport 2002 -j ACCEPT
#iptables -A FORWARD -d 69.209.251.0/24 -j ACCEPT
#iptables -A FORWARD -s 69.209.251.0/24 -j ACCEPT
#iptables -A FORWARD -d asterisk.app01.logmein.com -j ACCEPT
#iptables -A FORWARD -d asterisk.app02.logmein.com -j ACCEPT
#iptables -A FORWARD -d asterisk.app03.logmein.com -j ACCEPT
#iptables -A FORWARD -d asterisk.app04.logmein.com -j ACCEPT
#iptables -A FORWARD -d asterisk.app05.logmein.com -j ACCEPT
#iptables -A FORWARD -d asterisk.app06.logmein.com -j ACCEPT


########## LIBERAR KITMAR #################
iptables -A FORWARD -d www.maritima.com.br -j ACCEPT
iptables -A FORWARD -d kitmar.maritima.com.br -j ACCEPT
iptables -A FORWARD -s kitmar.maritima.com.br -j ACCEPT
iptables -A FORWARD -d 200.185.135.0/24 -j ACCEPT
iptables -A FORWARD -s 200.185.135.0/24 -j ACCEPT
iptables -A FORWARD -d kitmar3.maritima.com.br -j ACCEPT
iptables -A FORWARD -d kitmar2.maritima.com.br -j ACCEPT


#############  LIBERACAO DE PORTAS ESPECIFICAS ###############

### BANCO REAL - Liberar Portas
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 4675 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 4675 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 4976 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 4976 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 443 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 1992 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1992 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 4977 -o $IF_EXTERNA

iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 4977 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 4074 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 4074 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 5004 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5004 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p udp --dport 5060 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 5060 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p udp --dport 5062 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 5062 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p udp --dport 5004 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 5004 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 3306 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3306 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 4137 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 4137 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p udp --dport 4137 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 4137 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p udp --dport 8443 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 8443 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 8443 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 8443 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p udp --dport 34000:65000 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 34000:65000 -j ACCEPT


iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 5060 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 5062 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 5004 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --dport 5060 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --dport 5062 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --dport 5004 -j ACCEPT

iptables -A INPUT -d 192.168.0.0/24 -p tcp --dport 8008 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --dport 8008 -j ACCEPT

iptables -A INPUT -d 192.168.0.0/24 -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p udp --dport 5062 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p udp --dport 5004 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p udp --dport 5060 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p udp --dport 5062 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p udp --dport 5004 -j ACCEPT
iptables -A INPUT -d 192.168.0.0/24 -p udp --dport 30000:65000 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p udp --dport 30000:65000 -j ACCEPT

## liberacao da porta 211 ##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 211 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 211 -j ACCEPT

## liberacao da porta 220 ##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 220 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 220 -j ACCEPT


## liberacao da porta 6000 ##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 6000 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 6000 -j ACCEPT


## liberacao da porta 5900 ##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 5900 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5900 -j ACCEPT


## liberacao da porta 5060 ##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 5060 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5060 -j ACCEPT


## liberacao da porta 5062 ##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 5062 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5062 -j ACCEPT


## liberacao da porta 5500 ##
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 5500 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5500 -j ACCEPT


### SPTRANS - Liberar Porta 809
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 809 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 200.189.189.94 -p tcp --dport 809 -j ACCEPT


### Portas Especificas
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 2020 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 2020 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 2023 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 2023 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 2010 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 2010 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 2021 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 2021 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 3110 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3110 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 3210 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3210 -j ACCEPT


iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 3310 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3310 -j ACCEPT

iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 8080 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 8080 -j ACCEPT


## LIBERAR PORTA VIVO GESTAO ####
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 7003 -o $IF_EXTERNA
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 7003 -j ACCEPT


## CAMERAS GEOVISION 3550 ###
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 3550 -o $IF_EXTERNA
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 4550 -o $IF_EXTERNA
iptables -I POSTROUTING -j MASQUERADE -t nat -s 192.168.0.0/24 -p tcp --dport 5550 -o $IF_EXTERNA


## BANCO CENTRAL
#iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 5024 -o $EXTERNAL
#iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 1024 -o $EXTERNAL


## Porta 3007 associacao comercial
#iptables -I POSTROUTING -j MASQUERADE -t nat -p tcp --dport 3007 -o $IF_EXTERNA


## SUFRAMA
#iptables -I POSTROUTING -j MASQUERADE -t nat -p tcp --dport 7778 -o $IF_EXTERNA
#iptables -I POSTROUTING -j MASQUERADE -t nat -p udp --dport 7778 -o $IF_EXTERNA


#Intranets porta 8080
#iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 8080 -o $EXTERNAL


#CONECTIVIDADE CAIXA ECONOMICA
#iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp -d 200.201.174.207 --dport 80 -o $EXTERNAL
#
#CPANEL
#iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 2082 -o $EXTERNAL


## LIBERACAO DA PORTA 5617
iptables -I POSTROUTING -j MASQUERADE -t nat -p tcp --dport 5617 -o $IF_EXTERNA



###################### REDIRECIONAMENTO DE PORTAS ##################

#### SSH redirecionar porta #####
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 22 -j DNAT --to 192.168.0.1

## VPN redirecionar porta
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 1701 -j DNAT --to 192.168.0.10
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 1723 -j DNAT --to 192.168.0.10
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p 47 -j DNAT --to 192.168.0.10


## VNC redirecionar porta
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 5900 -j DNAT --to 192.168.0.10


## Remote Desktop #######
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.1:3389

iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 8008 -j DNAT --to-destination 192.168.0.1:8008
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 443 -j DNAT --to-destination 192.168.0.1:8008
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 5000 -j DNAT --to-destination 192.168.0.112:3389
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 4444 -j DNAT --to-destination 192.168.0.112:5900
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 4445 -j DNAT --to-destination 192.168.0.112:5800

Eduardof · « **Resposta #1 Online:** 08 de Abril de 2011, 10:47 »

Desculpe, colocar em dois tópicos, mas veio uma mensagem dizendo que estava passando e em muito o numero de caracteres

Configuração do squid

Código: [Selecionar]

######################## Configuracoes basicas ############################

# Porta padrão do Proxy 3128
####Versao do squid abaixo de 2.6  
### Alterar de acordo com a REDE
####Versao 2.6 ou superior
#http_port 192.168.0.10:3128

	http_port 3128 transparent


# Nome que será visivel
	visible_hostname Antunes Pinto

# Memória chache de paginas e arquivos
	cache_mem 128 MB

# Tamanho máximo dos arquivos que serao guardados no chache
	maximum_object_size_in_memory 64 KB

# Valores máximo e minimo de arquivos de downloads
	maximum_object_size 512 MB
	minimum_object_size 0 KB

# Porcentagem de uso do cache que fara o Squid começar a descartar os arquivos mais antigos
	cache_swap_low 90
	cache_swap_high 95


# Pasta onde sera armazenado os arquivos do cache - 2048 MB / até 16 pastas e 256 subpastas podem ser criadas
	cache_dir ufs /var/spool/squid 2048 16 256

# Local dos arquivos de log
	cache_access_log /var/log/squid/access.log
	cache_log /var/log/squid/cache.log


# Outras configuracoes padroes
	hierarchy_stoplist cgi-bin ?
	acl QUERY urlpath_regex cgi-bin \?
	no_cache deny QUERY
	cache_mgr root
	cache_effective_user squid
	cache_effective_group squid 
	coredump_dir /var/spool/squid

#Configuracoes para outros servicos
	refresh_pattern ^ftp:		1440	20%	10080
	refresh_pattern ^gopher:	1440	0%	1440
	refresh_pattern .		0	20%	4320

#Acls padroes
	acl all src 0.0.0.0/0.0.0.0
	acl manager proto cache_object
	acl localhost src 127.0.0.1/255.255.255.255
	acl to_localhost dst 127.0.0.0/8
	acl SSL_ports port 443 563
	acl Safe_ports port 80		# http
	acl Safe_ports port 21		# ftp
	acl Safe_ports port 20          # ftp2
	acl Safe_ports port 443 563	# https, snews
	acl Safe_ports port 70		# gopher
	acl Safe_ports port 210		# wais
	acl Safe_ports port 1025-65535	# unregistered ports
	acl Safe_ports port 280		# http-mgmt
	acl Safe_ports port 488		# gss-http
	acl Safe_ports port 591		# filemaker
	acl Safe_ports port 777		# multiling http.
	acl Safe_ports port 901 	# SWAT
	acl Safe_ports port 25 		# pop
	acl Safe_ports port 5060        # voip3
	acl Safe_ports port 5062        # voip2
	acl Safe_ports port 5004        # voip1
	acl Safe_ports port 110 	# smtp
	acl Safe_ports port 7778	# suframa
	acl Safe_ports port 809		# SPTrans
	acl purge method PURGE
	acl CONNECT method CONNECT


###### ACLS PERSONALIZADAS #########

acl ACESSOTOTAL src 192.168.0.1 192.168.0.13 192.168.0.20 192.168.0.110 192.168.0.111 192.168.0.117
acl LIBERAEMAILS src 192.168.0.201 192.168.0.213 192.168.0.214 192.168.0.215 192.168.0.202 192.168.0.220
acl ACESSOPARCIAL src 192.168.0.201 192.168.0.202
acl TESTE_SERVIDOR src 192.168.0.10
acl SITESLIB dstdom_regex -i "/etc/squid/sites_liberados"
acl ACESSO_MSN src 192.168.0.1 
acl HOST_MSN src 192.168.1.40/255.255.255.255
acl Negar_MSN dstdomain "/etc/squid/msn_sites"
acl Negar_MSN2 url_regex "/etc/squid/msn.txt"
acl msn url_regex -i /gateway/gateway.dll 

http_access allow HOST_MSN
http_access deny Negar_MSN !ACESSOTOTAL
http_access deny Negar_MSN2 !ACESSOTOTAL
http_access deny msn !ACESSOTOTAL


## Bloqueia as palavras proibidas
	acl PALAVRASPROIBIDAS url_regex -i "/etc/squid/palavras_proibidas"
	http_access deny PALAVRASPROIBIDAS !ACESSOTOTAL

## Bloqueia as palavras pornografia
	acl PORNOGRAFIA url_regex -i "/etc/squid/palavras_pornografia"
	http_access deny PORNOGRAFIA !ACESSOTOTAL

## Bloqueia as palavras ORKUT
	acl PALAVRASORKUT url_regex -i "/etc/squid/palavras_orkut"
	http_access deny PALAVRASORKUT !ACESSOTOTAL

## Bloqueia sites proibidos
	acl SITESPROIBIDOS dstdomain "/etc/squid/sites_proibidos" 
	http_access deny SITESPROIBIDOS !ACESSOTOTAL !SITESLIB

## Bloqueia sites de e-mails
	acl SITESMAILS dstdomain "/etc/squid/sites_emails" 
	http_access deny SITESMAILS !ACESSOTOTAL !LIBERAEMAILS

## Bloqueia sites YOUTUBE
	acl PALAVRASYOUTUBE url_regex "/etc/squid/palavras_youtube" 
	http_access deny PALAVRASYOUTUBE !ACESSOTOTAL

## Bloqueio por extensão do arquivo
	acl ARQUIVOSPROIBIDOS url_regex -i "/etc/squid/tipoarquivos"
	http_access deny ARQUIVOSPROIBIDOS !ACESSOTOTAL 


## Bloqueia as palavras MSN
	acl PALAVRASMSN url_regex -i "/etc/squid/msn_palavras"
	http_access deny PALAVRASMSN !ACESSOTOTAL !ACESSO_MSN

## Bloqueia sites MSN
	acl SITESMSN dstdomain "/etc/squid/msn_sites" 
	http_access deny SITESMSN !ACESSOTOTAL !ACESSO_MSN

## Sites permitidos - Atraves de palavras
	acl SITESLIB dstdom_regex -i "/etc/squid/sites_liberados"
	acl SITESLIB dstdomain "/etc/squid/sites_liberados"
	http_access allow SITESLIB


##Configuracoes de autenticacao

##Configurar autenticacao
#	auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/senhas
#	acl USUARIOS proxy_auth REQUIRED
#	acl SITES url_regex "/etc/squid/sitesproibidos.txt"
#	http_access allow USUARIOS SITES

#	auth_param basic children 5
#	auth_param basic realm Controle de Seguranca Antunes Pinto
#	auth_param basic credentialsttl 2 hours
#	auth_param basic casesensitive off


## Regras padroes (devem ficar neste local)
	http_access allow manager localhost
	http_access deny manager
	http_access allow purge localhost
	http_access deny purge
	http_access deny !Safe_ports
	http_access deny CONNECT !SSL_ports

	acl redelocal src 192.168.0.0/24
	http_access allow localhost
	http_access allow redelocal


############ MSN ###########################

#acl MSN url_regex -i gateway.dll
#http_access deny MSN !ACESSOTOTAL

#acl BLOQPORTA port 1863
#http_access deny BLOQPORTA !ACESSOTOTAL

#acl BLOQEND dst 65.54.239.210
#http_access deny BLOQEND !ACESSOTOTAL

#acl app_msn rep_mime_type -i ^application/x-msn-messenger$
#http_access deny app_msn !ACESSOTOTAL

############### Fim do bloqueio MSN ###############################


#Regra perdida time
httpd_accel_no_pmtu_disc on
#acl LOGINNET dstdomain loginnet.passport.com
#http_access deny LOGINNET

# Regra para proxy transparente para versao abaixo do squid 2.6
#http_accel_host virtual
#http_accel_port 80
#http_accel_with proxy on
#http_accel_uses_host_header on

Só para constar, o ip da maquina que estou ligando agora é 192.168.0.117.
As configurações para conectar no ad já estão ok.

Vlw

zekkerj · « **Resposta #2 Online:** 08 de Abril de 2011, 15:40 »

Eduardo, essa estação recebe alguma mensagem de erro ao conectar ao squid?

Outra coisa, eu comecei a ver seu firewall, e percebi que vc mistura "-I" com "-A". Fica muito difícil compreender o funcionamento do firewall assim, visto que um adiciona as regras ao final, o outro adiciona ao início. Sugiro que você reveja suas regras com cuidado, e no script, use sempre e apenas "-A".

Cuide para que as regras de bloqueio (que, aliás, não encontrei nenhuma --- seu firewall realmente bloqueia alguma coisa???) fiquem sempre ao final, pra não matar o pacote antes de analisá-lo com calma.

Eduardof · « **Resposta #3 Online:** 11 de Abril de 2011, 08:34 »

Ola zekkerj

Optei por não dar continuidade ao que o outro tecnico vinha fazendo.
Realmente estava uma bagunça a configuração do iptables.
Peguei o fim de semana recomecei as configurações.

Vlw as dicas

Notícias:

Autor Tópico: [Resolvido] Squid + iptable (Lida 5226 vezes)

Eduardof

[Resolvido] Squid + iptable

Eduardof

Re: Squid + iptable

zekkerj

Re: Squid + iptable

Eduardof

Re: Squid + iptable