Problema com pop terra e Ipatables

djskolman
(usa Ubuntu)

Enviado em 14/08/2014 - 17:38h

Pessoal, será que alguém pode me ajudar.

Eu tenho um script Firewall, na empresa. Acontece que algumas maquinas, de repente para de receber e-mails. Fica a mensagem no thunderbird: "recebendo 1/10" e não sai disso até dar timeout. Eu desligo o firewall e as mensagens chegam.

O mais engraçado é que são algumas maquinas (semana passada foram 03 e de uma semana pra cá apenas uma), e não acontece sempre. Depois que eu libero, mesmo religando o Firewaal, a maquina continua a receber e vai travar 01 ou 02 dias depois.

Será que alguém pode me ajudar?? Segue meu script de Firewall.

#!/bin/bash

############################################################################
###################### INICIO DO SCRIPT FIREWALL ###########################
############################################################################


############################################################################
# DEFININDO INTERFACES
############################################################################

############################################################################

extif=ppp0
intif=eth0
REDE_INTERNA="192.168.10.0/24"

############################################################################
# Portas Liberadas
############################################################################

ports=(20 21 22 52182 25 80 443 110 587 1040 3128 3306 3389 2000 2221 2222 5000 8000 8080 9969 10000)

############################################################################
# Portas Redirecionadas para o Squid
############################################################################

sports=(80 443 5190 5050 6667 21)

############################################################################
# Ips Liberados - Fora do Squid
############################################################################

ips=('192.168.10.23' '192.168.10.202' '192.168.10.31' '192.168.10.160' '192.168.10.161' '192.168.10.162' '192.168.10.163' '192.168.10.164' '192.168.10.165' '192.168.10.166' '192.168.10.167' '192.168.10.168' '192.168.10.169' '192.168.10.170' '192.168.10.171' '192.168.10.172' '192.168.10.173' '192.168.10.174' '192.168.10.175' '192.168.10.176' '192.168.10.177' '192.168.10.178' '192.168.10.179' '192.168.10.180' '192.168.10.150' '192.168.10.199' '192.168.10.220' '192.168.10.240')

############################################################################
# Ips com acesso ao Skype Liberado
############################################################################

ipskp=('192.168.10.165' '192.168.10.160' '192.168.10.168')


############################################################################
############################################################################


if [ $UID -ne 0 ]; then
echo "Erro: execute o script como root"
exit 1
fi

function firewall_on() {
echo -ne "\nIniciando Serviço Firewall'... \t" && sleep 2


echo "Iniciando Servidor Firewall"

############################################################################
# ESTABELECENDO REGRAS DO FIREWALL
############################################################################

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

############################################################################
# REDIRECIONAMENTO DE PORTAS
############################################################################

iptables -t filter -A INPUT -i $extif -p tcp --dport 52182 -j ACCEPT
iptables -t filter -A INPUT -i $extif -p tcp --dport 8000 -j ACCEPT
iptables -t filter -A INPUT -i $extif -p tcp -s $REDE_INTERNA --dport 110 -j ACCEPT

#iptables -I INPUT -p tcp -m multiport -s 200.182.57.13 --dports 1023:5000 -j ACCEPT

iptables -t nat -A PREROUTING -i $extif -p tcp --dport 2000 -j DNAT --to 192.168.10.230:3389
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 3389 -j DNAT --to 192.168.10.150:3389
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 22 -j DNAT --to 192.168.10.220:52182
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 1040 -j DNAT --to 192.168.10.220:1040
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 873 -j DNAT --to 192.168.10.220:873
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 2221 -j DNAT --to 192.168.10.165:22
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 9969 -j DNAT --to 192.168.10.165:9969

###########################################################################
# REGRAS DE SEGURANCA
############################################################################

# Input in NAT Rules
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Log & Deny the rest of the privileged ports
iptables -t filter -A INPUT -i $extif -p tcp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $extif -p udp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $extif -p tcp --dport 0:1023 -j DROP
iptables -t filter -A INPUT -i $extif -p udp --dport 0:1023 -j DROP

# Log & Deny NFS
iptables -t filter -A INPUT -i $extif -p udp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $extif -p tcp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $extif -p udp --dport 2049 -j DROP
iptables -t filter -A INPUT -i $extif -p tcp --dport 2049 -j DROP

# Log & Deny X11
iptables -t filter -A INPUT -i $extif -p tcp --dport 6000:6063 -j LOG
iptables -t filter -A INPUT -i $extif -p tcp --dport 6000:6063 -j DROP

# Log & Deny XFS
iptables -t filter -A INPUT -i $extif -p tcp --dport 7100 -j LOG
iptables -t filter -A INPUT -i $extif -p tcp --dport 7100 -j DROP

# Deny TCP connection attempts
iptables -t filter -A INPUT -i $extif -p tcp --syn -j LOG
iptables -t filter -A INPUT -i $extif -p tcp --syn -j DROP

# Deny ICMP echo-requests
iptables -t filter -A INPUT -i $extif -p icmp --icmp-type echo-request -j DROP

# no IP spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
fi

# Disable Source Routed Packets
iptables -A INPUT -i $extif -p icmp --icmp-type 8 -j DROP

for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i
done

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

############################################################################
# COMPARTILHANDO A INTERNET
############################################################################

iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

iptables -A INPUT -s $REDE_INTERNA -j ACCEPT

#############################################################################
# LIBERANDO ACESSO TOTAL AO IP
#############################################################################

for ip in ${ips[@]}
do
iptables -A FORWARD -s $ip -j ACCEPT
iptables -A INPUT -s $ip -j ACCEPT
iptables -A OUTPUT -s $ip -j ACCEPT

for port in ${sports[@]}
do
iptables -t nat -A PREROUTING -p tcp --dport $port -s $ip -j RETURN
done

done

#############################################################################
# HABILITANDO PROXY TRANSPARENTE
#############################################################################

for port in ${sports[@]}

do
iptables -t nat -A PREROUTING -i $intif -p tcp --dport $port -j REDIRECT --to-port 3128
done

#############################################################################
# BLOQUEANDO MSN
#############################################################################

iptables -A FORWARD -s $REDE_INTERNA -p tcp --dport 1863 -j REJECT
iptables -I FORWARD 1 -i $extif -s $REDE_INTERNA -p tcp --dport 1863 -j DROP
iptables -I FORWARD 1 -i $intif -s $REDE_INTERNA -p tcp --dport 1863 -j DROP

#############################################################################
# BLOQUEANDO FACEBOOK
#############################################################################

iptables -N FACEBOOK
iptables -I FORWARD -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP
iptables -I FORWARD -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP
iptables -I FORWARD -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j DROP
iptables -I FORWARD -p tcp -m iprange --dst-range 204.74.64.0-204.74.127.255 --dport 443 -j DROP
iptables -I FORWARD -p tcp -m iprange --dst-range 69.171.224.0-69.171.255.255 --dport 443 -j DROP

for face in ${ips[@]}
do
iptables -I FACEBOOK -s $face -j ACCEPT
done
iptables -A FACEBOOK -j REJECT

#############################################################################
# BLOQUEANDO SKYPE
#############################################################################

iptables -N SKYPE

for skp in ${ipskp[@]}
do
iptables -I SKYPE -s $skp -j ACCEPT
done

iptables -I FORWARD -m string --algo bm --string "skype.com" -j DROP
iptables -A FORWARD -p tcp --dport 39856 -j REJECT
iptables -I FORWARD -s $REDE_INTERNA -j SKYPE

for i in `cat /etc/skype`;do

iptables -A SKYPE -d $i -j REJECT
done

#############################################################################
# BLOQUEANDO SITES IMPROPRIOS
#############################################################################

#iptables -N DENY
#
#iptables -I FORWARD -m string --algo bm --string "cameraprive.com.br" -j DROP
#iptables -I FORWARD -m string --algo bm --string "femdom-[*****]-tube.com" -j DROP
#iptables -I FORWARD -m string --algo bm --string "batepapo.uol.com.br" -j DROP
#iptables -I FORWARD -m string --algo bm --string "kryyska.com" -j DROP
#iptables -I FORWARD -m string --algo bm --string "lapiova.com" -j DROP
#iptables -I FORWARD -m string --algo bm --string "pussycats.com.br" -j DROP
#iptables -I FORWARD -m string --algo bm --string "gatagold.com" -j DROP
#iptables -I FORWARD -m string --algo bm --string "festaprive.com" -j DROP
#iptables -I FORWARD -m string --algo bm --string "elitte.com.br" -j DROP
#iptables -I FORWARD -m string --algo bm --string "gpguia.net" -j DROP
#iptables -I FORWARD -m string --algo bm --string "pt-br.facebook.com" -j DROP
#iptables -I FORWARD -m string --algo bm --string "https://www.facebook.com" -j DROP
#iptables -I FORWARD -s $REDE_INTERNA -j DENY

############################################################################
# POLITICA DE SAIDA LIBERADA
############################################################################

iptables -A FORWARD -s $REDE_INTERNA -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

############################################################################
# Aceitando NFe
############################################################################

nfe1=200.233.3.103/32
nfe2=200.233.3.104/32

iptables -t nat -A POSTROUTING -s $REDE_INTERNA -d $nfe1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $REDE_INTERNA -d $nfe2 -j MASQUERADE

#############################################################################
# PERMITINDO CONEXOES POR SAMBA
############################################################################

iptables -A INPUT -i $intif -p tcp -m multiport --dports 445,139 -j ACCEPT
iptables -A INPUT -i $intif -p udp -m multiport --dports 137,138 -j ACCEPT

############################################################################
# LIBERANDO PORTAS
############################################################################

for port in ${ports[@]}
do
iptables -t filter -A INPUT -i $extif -p tcp --dport $port -j ACCEPT
# iptables -t filter -A INPUT -i $intif -p tcp --dport $port -j ACCEPT
done

iptables -A FORWARD -s 200.182.57.13 -j ACCEPT
iptables -A INPUT -s 200.182.57.13 -j ACCEPT
iptables -A OUTPUT -s 200.182.57.13 -j ACCEPT
iptables -I INPUT -p tcp -m multiport -s 200.182.57.13 --dports 1023:5000 -j ACCEPT

#############################################################################
#############################################################################

echo "Servidor Firewall Iniciado"

if [ $? -eq 0 ]; then
echo -e "[ OK ]\n"
else
echo -e "[ Falhou ]"
fi

echo -n "Verificando SQUID..."
if [ -z $(pidof squid3) ]; then
service squid3 start
else
echo -e "\t[ OK ]"
fi

}

function firewall_flush() {
echo -ne "\nDesabilitando Serviço Firewall e Liberando todas as entradas... \t" && sleep 2

############################################################################
# ATRIBUINDO REGRAS
############################################################################

echo "Desligando todas as regras de Firewall..."

service squid3 stop > /dev/null
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -L -n > /dev/null

sleep 3
echo "Regras de Firewall desligada"

echo ""
echo "Ativando Compartilhamento de Trafego"

iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

for port in ${sports[@]}
do
iptables -t nat -A PREROUTING -p tcp --dport $port -s 192.168.0.0/24 -j RETURN
done

echo ""
echo -ne "\nFirewall desligado e Compartilhamento com a internet efetuado com Sucesso!! \t"



if [ $? -eq 0 ]; then
echo -e "[ OK ]\n"
else
echo -e "[ Falhou ]"
fi

}

function firewall_almoco() {

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -L -n > /dev/null

############################################################################
# REDIRECIONAMENTO DE PORTAS
############################################################################

iptables -t nat -A PREROUTING -i $extif -p tcp --dport 2000 -j DNAT --to 192.168.10.230:3389
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 3389 -j DNAT --to 192.168.10.150:3389
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 22 -j DNAT --to 192.168.10.220:52182
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 1040 -j DNAT --to 192.168.10.220:1040
iptables -t nat -A PREROUTING -i $extif -p tcp --dport 873 -j DNAT --to 192.168.10.220:873

############################################################################
# POLITICA DE SAIDA LIBERADA
############################################################################

iptables -A FORWARD -s $REDE_INTERNA -j ACCEPT

############################################################################
# COMPARTILHANDO A INTERNET
############################################################################

iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

iptables -A INPUT -s $REDE_INTERNA -j ACCEPT

#############################################################################
# LIBERANDO ACESSO TOTAL AO IP
#############################################################################

for ip in ${ips[@]}
do
iptables -A FORWARD -s $ip -j ACCEPT
iptables -A INPUT -s $ip -j ACCEPT
iptables -A OUTPUT -s $ip -j ACCEPT

for port in ${sports[@]}
do
iptables -t nat -A PREROUTING -p tcp --dport $port -s $ip -j RETURN
done

done

#############################################################################
# HABILITANDO PROXY TRANSPARENTE
#############################################################################

for port in ${sports[@]}

do
iptables -t nat -A PREROUTING -i $intif -p tcp --dport $port -j REDIRECT --to-port 3128
done

#############################################################################

echo "Firewall -o" | at now + 90 minutes

if [ $? -eq 0 ]; then
echo -e "[ OK ]\n"
else
echo -e "[ Falhou ]"
fi

}


function usage() {
echo "
Uso: $0 [ OPTIONS ] [-t minutos]

OPTIONS:
--on | -o 'Inicia Serviço Firewall'
--flush | -f 'Desabilita Serviço Firewall'
-t 'Desabilita Serviço Firewall por um Determinado Tempo'
"
exit 1

}

[ $# -lt 1 ] && usage

while getopts 'oaft:' option
do
case $option in
o) firewall_on ;;
f) firewall_flush ;;
a) firewall_almoco ;;
t) [ -z $OPTARG ] && usage
$0 -f
echo "$0 -o" | at now + $OPTARG minutes > /dev/null
echo "seu Firewall está temporariamente desabilitado, voltando em $OPTARG minutos." ;;
?) usage ;;
esac
done

px
(usa Debian)

Enviado em 14/08/2014 - 18:24h

Primeiro lugar, parabéns pelo seu script ta bem legal. Tem alguma informação relevante nos logs do squid e iptables?

djskolman
(usa Ubuntu)

Enviado em 15/08/2014 - 08:52h

Eu dei esse comando: tail -f /var/log/syslog na hora que eu estava recendo e-mail dessa maquina e não vi nada que se referisse ao IP dela ou a porta 110.

É o mais engraçado é a inconstância da regra. São só com algumas máquinas. As máquinas que acontece não é sempre. E ontem, por exemplo, na hora que travou uma máquina, eu entrei no terra mail e exclui 03 e-mails do mesmo domínio que estava na caixa de entrada, e recebeu, sem precisar desligar o Firewall.

Quando isso acontece, eu chego a pensar que não tem nada a ver com o meu Firewall, por outro lado, se isso acontece e eu desligo o Firewall, os e-mails chegam normalmente.

px
(usa Debian)

Enviado em 17/08/2014 - 22:00h

BOm, mais você usa squid? já liberou as portas nele? e no iptables?

djskolman
(usa Ubuntu)

Enviado em 18/08/2014 - 08:33h

Eu uso squid sim, mas esses portas não estou redirecionando pro squid. Como eu faço pra libera-las?

px
(usa Debian)

Enviado em 18/08/2014 - 11:26h

Libera pelo iptables...

Ifw-DAST
(usa Debian)

Enviado em 18/08/2014 - 16:06h

Boa tarde!!!

Pelo que foi descrito no problema, "pode-ser", que o seu redirecionamento de porta das maquinas que não recebem os e-mails estão direcionando-os a uma outra porta que você ainda não identificou..., ocasionando o timeout.

Segundo a descrição, "logo após o desligamento do firewall as mensagens chegam":

- Pois bem o Squid está configurado de forma errônea a sua solicitação...,recomendo que confira as configurações das portas e as refaça, mesmo estando aparentemente certo...

- Já pelo fato de isto não ser uma constante "pode-ser" que alguns e-mails recebidos podem estar configurados para a porta que está liberada pelo squid, tente identificar quais e-mails foram recebido e qual sua porta...,Isto pode ajuda.

Pelo fato de travar alguns dias, "pode-ser" que o seu script contem alguma regra ou configuração que permitam que isto aconteça...,Recomendo que neste caso estude o scrip e refaça-o detalhando o que deseja..., embora esteja aparentemente bem elaborado.


====================================================================================================
ENTENDIMENTO: Sua empresa esta mascarada pelo iptables, para controle dos sites que os usuários visitam através do link com a Internet..., precisamos fazer com que todos os pacotes enviados através da porta TCP 80 sejam redirecionados para o Squid.

redirecionamento:
--------------------------------------------------------------------------------------------------------
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
--------------------------------------------------------------------------------------------------------

Onde:
eth1 é a saída para a rede interna
3128 é a porta usada pelo Squid
========================================================================================================

Espero poder ter auxiliado!!!

djskolman
(usa Ubuntu)

Enviado em 25/08/2014 - 09:11h

Pessoal, ainda continuo com o problema, alguém tem alguma sugestão?