Opening ports: Squid or iptables?

1. Opening ports: Squid or iptables?

Célio Roberto Pereira
CelioCtba

(uses Debian)

Posted on 23/06/2012 - 15:10h

I've seen several similar cases here, but I couldn't understand them.
I installed a Squeeze box with squid3 managing the internet access, set up a Windows machine and configured an e-mail account in Outlook. At first it neither sends nor receives e-mail, but if I create a firewall rule to open ports 110 and 25, the e-mail starts working.
I haven't enabled anything in the firewall yet, the tables are empty, so why do I have to create a rule to open those ports in iptables? Shouldn't that be an ACL in Squid?



  


2. Firewall

André Canhadas
andrecanhadas

(uses Debian)

Posted on 23/06/2012 - 15:23h

Squid only controls HTTP/HTTPS traffic, that is, ports 80 and 443.
The firewall, or iptables, is what controls the other TCP protocols such as SMTP and POP/IMAP, as you described above.



3. Re: Opening ports: Squid or iptables?

Célio Roberto Pereira
CelioCtba

(uses Debian)

Posted on 23/06/2012 - 15:33h

Right, but if it's a fresh install, iptables shouldn't be blocking anything yet, should it?
Or does it come blocking everything and I have to open things up as needed?


4. Blocking

André Canhadas
andrecanhadas

(uses Debian)

Posted on 23/06/2012 - 15:38h

By default OUTPUT and FORWARD are open; post the output of the command:

iptables -L


If you haven't touched anything, the output would be this:

target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination





5. Re: Opening ports: Squid or iptables?

Célio Roberto Pereira
CelioCtba

(uses Debian)

Posted on 23/06/2012 - 15:46h

It's like this, empty. The thing is, after installing Squid, Outlook stopped working and only came back when I added a firewall rule opening the e-mail ports.


root@estrovenga:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



6. Firewall

André Canhadas
andrecanhadas

(uses Debian)

Posted on 23/06/2012 - 16:18h

Well, if opening access on those ports makes it work, how did you share the internet connection?

Here's a basic firewall:

#!/bin/bash

################################################################################
#################### Firewall start ############################################
################################################################################
# Load the netfilter modules the rules below rely on (NAT, connection tracking,
# the FTP helpers and the match extensions). Recent kernels load most of these
# on demand, so failures here are harmless.
/sbin/modprobe ip_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_state
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_string
## Flushing the existing rules #######
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -t filter -F
/sbin/iptables -t raw -F
/sbin/iptables -X
/sbin/iptables -Z

# Variables (change these to match your network)
rede_local=eth0   # LAN interface
internet=eth1     # internet-facing interface

## Default policy (deny input, allow output)
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

################################################################################
######################## Protection against various attacks ####################
################################################################################

###### Protection against SYN flood
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###### Protection against ICMP broadcasts (commented out; see "Allow ping" below)
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
###### Protection against IP spoofing (reverse-path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

###### Assorted protection against port scanners, ping of death, DoS attacks, malformed packets, etc.
#/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -i $internet -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # repeats the rule above; harmless
# Chain that drops TCP packets with flag combinations no normal client sends
# (the patterns used by scanners). It is only useful if traffic is sent through
# it, so INPUT and FORWARD jump into it right after it is filled.
/sbin/iptables -N VALID_CHECK
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -p tcp -j VALID_CHECK
/sbin/iptables -A FORWARD -p tcp -j VALID_CHECK

################################################################################
######################### End of the anti-attack rules #########################
################################################################################

## Force web browsing through Squid even with no proxy set in the browser ##########

/sbin/iptables -t nat -A PREROUTING -i $rede_local -p tcp --dport 80 -j REDIRECT --to-port 3128

## Trust relationship between the machines on the local network $rede_local (LAN)

/sbin/iptables -A INPUT -i $rede_local -s 192.168.0.0/255.255.255.0 -j ACCEPT
/sbin/iptables -A INPUT -i $rede_local -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

######### Allow SSH from outside ######
/sbin/iptables -A INPUT -i $internet -p tcp --dport 22 -j ACCEPT

################################################################################
################################# Inbound blocking #############################
################################################################################
/sbin/iptables -A INPUT -i $rede_local -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -i $internet -j REJECT
## Allow ping ## 0=on 1=off
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

################################################################################
############################ Internet sharing ##################################
################################################################################

/sbin/iptables -t nat -A POSTROUTING -o $internet -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Firewall Ativado"
################################################################################
######################################## End ###################################
################################################################################


Save it as # /usr/local/bin/firewall.sh

Give it execute permission:

chmod +x /usr/local/bin/firewall.sh

Now just run it with # firewall.sh

To start it at boot, put this line in /etc/rc.local:

/usr/local/bin/firewall.sh

Change the network interfaces in the variables section at the start of the script to match your network.
If everything is OK, it should work.
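The script above accepts every forwarded packet by policy, so ports 25 and 110 pass through it while Squid only ever sees the port 80 traffic that PREROUTING redirects to it. The following is an added example, not the poster's script: the forwarding part rewritten with a default-deny FORWARD policy, where only the listed ports (the mail ports from this thread) are NATed for the LAN and everything else is logged and dropped. It assumes eth0 is the LAN (192.168.0.0/24), eth1 faces the internet and Squid listens on 3128; DRY_RUN=1 prints the rules instead of applying them, so the ruleset can be reviewed without root.

```shell
#!/bin/bash
# Added example, not the original poster's script. Assumed layout: eth0 is the
# LAN (192.168.0.0/24), eth1 faces the internet, Squid listens on 3128.
# DRY_RUN=1 prints the rules instead of applying them (no root needed).
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
# TCP ports the LAN may reach directly. 25 and 110 are the mail ports from the
# thread; anything not listed here is dropped by the FORWARD policy.
ALLOWED_TCP="25 110"

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

apply_forward_policy() {
    # Default deny: a new service needs an explicit rule, not a policy change.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP
    # Port 80 from the LAN never reaches FORWARD: it is redirected to Squid
    # first, which is why Squid ACLs can only ever govern web traffic.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    for port in $ALLOWED_TCP; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log what falls through to the DROP policy, so the next "port X does not
    # work" shows up in the kernel log instead of being guessed at.
    ipt -A FORWARD -i "$LAN_IF" -m limit --limit 5/min -j LOG \
        --log-prefix "FWD-DROP: "
    # Without NAT and ip_forward no allowed port works, whatever the filter says.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    [ "${DRY_RUN:-0}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Number of FORWARD rules that admit NEW connections in a dry run (one per
# port in ALLOWED_TCP); a sanity check before applying the rules for real.
count_allowed_ports() {
    ( DRY_RUN=1; apply_forward_policy ) | grep -c -- '--state NEW -j ACCEPT'
}

# ./forward-policy.sh --apply   applies the rules (as root); without the flag
# the file only defines the functions, e.g. for DRY_RUN=1 review.
if [ "${1:-}" = "--apply" ]; then apply_forward_policy; fi
```

Run it with DRY_RUN=1 first and compare the printed rules with the output of iptables -L -v -n after applying them.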