cesarpazebao
(uses CentOS)
Posted on 08/06/2010 - 17:43h
Friends, good afternoon! After racking my brain for so long, I decided to post the problem I am having with a server before it goes into production. It will control 2 networks, one local network (authenticated) and one transparent network. Obviously using IPTables and Squid. The problem: I configured all the network interfaces, including internet access, with a DSL 500B - Generation II modem, for which I am using a pppoe interface. Both networks work perfectly, without any problem at all; they open e-mail, browse normally, and so on, but I cannot manage to open up MSN access for either network. I have already tried every possible way I could find, including following tutorials and tips right here on VOL. Attached are my firewall settings. A big hug to the whole community and, in advance, my many thanks for any help, which will certainly be welcome.
#!/bin/bash
# iptables binary used by every rule below
IPT="/sbin/iptables"
#############################################################
############## Networks and Interfaces... ##############
#############################################################
###################### Internet Gateway #####################
# Internet access...
## Naming interface ppp0
IF_EXT="ppp0"
##################### Local Network #########################
# Local access...
## Naming interface eth2
IF_INT="eth2"
## Assigning IP to interface eth2
IP_IF_INT="192.168.5.254"
## Assigning network range for eth2
RANGE_IF_INT="192.168.5.0/24"
###################### Wireless Network ###########################
# Wireless access...
## Naming interface eth1
IF_WRL="eth1"
## Assigning IP to interface eth1
IP_IF_WRL="192.168.7.254"
## Assigning network range for eth1
RANGE_IF_WRL="192.168.7.0/24"
# Loading modules for ftp...
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe iptable_nat
# Flushing the rules
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -Z
$IPT -Z -t nat
# Setting the default policy
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
#############################################################
############## Output rules... ##############
#############################################################
# Generating logs for output...
$IPT -N OUTPT_LOG
$IPT -A OUTPT_LOG -j LOG --log-prefix "OUTPUT DROP"
$IPT -A OUTPT_LOG -j DROP
# Blocking ping for local testing
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j DROP
# Protection against stealth port scanners
$IPT -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Allowing loopback
$IPT -A OUTPUT -o lo -j ACCEPT
# Allowing DNS queries
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Allowing DNS access - local network
$IPT -A OUTPUT -p tcp -d $RANGE_IF_INT -s $IP_IF_INT --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp -d $RANGE_IF_INT -s $IP_IF_INT --dport 53 -j ACCEPT
# Allowing DNS access - wireless network
$IPT -A OUTPUT -p tcp -d $RANGE_IF_WRL -s $IP_IF_WRL --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp -d $RANGE_IF_WRL -s $IP_IF_WRL --dport 53 -j ACCEPT
# Allowing port 80
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
# Allowing port 20
$IPT -A OUTPUT -p tcp --dport 20 -j ACCEPT
# Allowing port 21
$IPT -A OUTPUT -p tcp --dport 21 -j ACCEPT
# Allowing a.ntp.br - clock synchronization
$IPT -A OUTPUT -p udp -d 200.160.0.8 --dport 123 -j ACCEPT
# Allowing b.ntp.br - clock synchronization
$IPT -A OUTPUT -p udp -d 200.189.40.8 --dport 123 -j ACCEPT
# Allowing c.ntp.br - clock synchronization
$IPT -A OUTPUT -p udp -d 200.192.232.8 --dport 123 -j ACCEPT
# Allowing port 443 - HTTPS
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allowing port 563 - SSL
$IPT -A OUTPUT -p tcp --dport 563 -j ACCEPT
# Allowing MSN - Wireless Network
$IPT -A OUTPUT -p tcp -s $RANGE_IF_WRL -o $IF_EXT --dport 1863 -j ACCEPT
$IPT -A OUTPUT -p tcp -s $RANGE_IF_WRL -o $IF_EXT --dport 5190 -j ACCEPT
#############################################################
############## Forward rules... ##############
#############################################################
# Blocking invalid packets...
$IPT -A FORWARD -m state --state INVALID -j DROP
# Protection against stealth port scanners
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Blocking ping
$IPT -A FORWARD -p icmp --icmp-type echo-request -j DROP
# Allowing Webmail access - Wireless Network (does not go through squid)
$IPT -A FORWARD -p tcp -s $RANGE_IF_WRL -i $IF_WRL -o $IF_EXT --dport 443 -j ACCEPT
$IPT -A FORWARD -p tcp -s $RANGE_IF_WRL -i $IF_WRL -o $IF_EXT --dport 563 -j ACCEPT
# Allowing Webmail access - Local Network (goes through squid)
$IPT -A FORWARD -p tcp -s $RANGE_IF_INT -i $IF_INT -o $IF_EXT --dport 443 -j ACCEPT
$IPT -A FORWARD -p tcp -s $RANGE_IF_INT -i $IF_INT -o $IF_EXT --dport 563 -j ACCEPT
# Allowing the networks for MSN
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d 61.63.80.81 --dport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d 207.46.0.0/16 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d 64.4.9.0/24 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d 64.4.13.0/24 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d 64.4.50.0/24 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d 64.4.50.62 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d 64.4.9.253 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 --dport 5190 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 --dport 1863 -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d loginnet.passport.com -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d messenger.msn.com -j ACCEPT
$IPT -A FORWARD -p tcp -s 192.168.7.30 -d login.passport.com -j ACCEPT
#############################################################
############## NAT rules... ##############
#############################################################
# Enabling packet forwarding in the kernel
sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
# Redirecting port 80 to squid on port 3128 - Wireless Network
$IPT -t nat -A PREROUTING -i eth1 -s 192.168.7.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Redirecting port 80 to squid on port 3128 - Local Network
$IPT -t nat -A PREROUTING -i eth2 -s 192.168.5.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Port masquerading
$IPT -t nat -A POSTROUTING -p tcp -s $RANGE_IF_WRL -o $IF_EXT --dport 443 -j MASQUERADE
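Two things stand out when reading the posted ruleset as a troubleshooter: its only POSTROUTING rule masquerades TCP/443 from the wireless range, so every other forwarded flow (the MSN rules on 1863 included) leaves ppp0 with a private source address, and all three chains have a DROP policy with no ESTABLISHED,RELATED rule to let replies back. The block below is an added example, not the poster's script, that generates the missing stateful and NAT rules per LAN in dry-run form (IPT defaults to echo); it assumes the same interface names and ranges as the post.

```shell
#!/bin/sh
# Added example (not the poster's script): dry-run generator for the
# stateful and NAT rules a DROP-policy gateway needs for forwarded MSN
# traffic. IPT defaults to "echo iptables" so rules are printed, not
# applied; run with IPT=/sbin/iptables to load them for real.
IPT="${IPT:-echo iptables}"
IF_EXT="ppp0"                 # same external interface as the posted script

# Emitted once: in every chain whose policy is DROP, accept the return
# packets of flows that were already allowed (otherwise nothing completes).
stateful_base() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# Emitted per LAN: $1 = inbound interface, $2 = network range (CIDR).
lan_rules_for() {
    lan_if="$1"; lan_net="$2"
    # Transparent proxy: port 80 goes to Squid on 3128, and INPUT must
    # accept the redirected connection or the DROP policy silently eats it.
    $IPT -t nat -A PREROUTING -i "$lan_if" -s "$lan_net" -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
    $IPT -A INPUT -i "$lan_if" -s "$lan_net" -p tcp --dport 3128 \
        -m state --state NEW -j ACCEPT
    # MSN notification server on 1863: new sessions only; replies come
    # back through the ESTABLISHED,RELATED rule from stateful_base.
    $IPT -A FORWARD -i "$lan_if" -o "$IF_EXT" -s "$lan_net" -p tcp \
        --dport 1863 -m state --state NEW -j ACCEPT
    # NAT every forwarded packet from this LAN on the DSL link, not just
    # one destination port; without this the reply has nowhere to go.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$IF_EXT" -j MASQUERADE
}

stateful_base
lan_rules_for eth1 192.168.7.0/24   # wireless network
lan_rules_for eth2 192.168.5.0/24   # local network
```

Loading these in front of the posted FORWARD rules keeps the poster's per-host MSN allow list intact while fixing the two structural gaps.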