HTTPS Sites

1. HTTPS Sites

Gustavo
guh.muller

(uses Debian)

Posted on 17/02/2011 - 11:27h

Here's the situation:

I have a Debian server running squid + firewall. Everything works fine until I try to access https sites; it just doesn't go. No https site works.
I need this urgently.
Here is my firewall:

#!/bin/bash
iniciar(){

# Enable IP forwarding between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# Variables
EXTERNA=eth2
INTERNA=eth0
terminal=192.168.100.2
vnc1=
vnc2=
cameras=192.168.100.10

##### Flush all rules and chains, default policy DROP
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo "|==============================================================|"
echo "| Firewall script - IPTABLES                                   |"
echo "| Created by: Wns Informatica                                  |"
echo "|                                                              |"
echo "|==============================================================|"
echo "| STARTING FIREWALL CONFIGURATION                              |"
echo "|==============================================================|"
# Anti-spoofing: private and loopback source addresses must never arrive on the external interface
iptables -A INPUT -s 10.0.0.0/8 -i $EXTERNA -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i $EXTERNA -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i $EXTERNA -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i $EXTERNA -j DROP
echo "Anti-spoofing protection enabled"
echo "ON ...................................................... [ OK ]"

##### ACCEPT everything arriving on the LAN side and return traffic from the internet
iptables -A INPUT ! -i $EXTERNA -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Note: 192.168.0.0/24 is not the LAN range (192.168.100.0/24) used elsewhere in this script;
# the general MASQUERADE rule at the end covers this destination anyway
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp --dport 443 -d mail.mailig.ig.com.br -o $EXTERNA -j MASQUERADE

##### Log connection attempts per port
iptables -A INPUT -p tcp --dport 21 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
iptables -A INPUT -p tcp --dport 23 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
iptables -A INPUT -p tcp --dport 25 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
iptables -A INPUT -p tcp --dport 80 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
iptables -A INPUT -p tcp --dport 110 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
iptables -A INPUT -p udp --dport 111 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
iptables -A INPUT -p udp --dport 53 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: dns: "
iptables -A INPUT -p tcp --dport 137:139 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
iptables -A INPUT -p udp --dport 137:139 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
iptables -A INPUT -p tcp --dport 161:162 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
iptables -A INPUT -p tcp --dport 3128 -i $EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "
# Close the Samba ports; this is where the danger lives if they face the internet
iptables -A INPUT -p tcp -i $EXTERNA --syn --dport 139 -j DROP
iptables -A INPUT -p tcp -i $EXTERNA --syn --dport 138 -j DROP
iptables -A INPUT -p tcp -i $EXTERNA --syn --dport 137 -j DROP

# Close NFS (portmap) to the world
iptables -A INPUT -p tcp -i $EXTERNA --syn --dport 111 -j DROP

# Services accepted from outside and from the LAN (web on 85, pop3, smtp, dns, ssh, ftp, 1515)
iptables -A INPUT -p tcp --dport 85 -i $EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 85 -i $INTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -i $EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -i $EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -i $EXTERNA -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i $EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -i $INTERNA -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i $INTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i $EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i $INTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -i $EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -i $INTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 1515 -i $EXTERNA -j ACCEPT
iptables -A INPUT -p tcp --dport 1515 -i $INTERNA -j ACCEPT

# Rate-limit ICMP echo requests ("ping of death")
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
iptables -N PING-MORTE
iptables -A INPUT -p icmp --icmp-type echo-request -j PING-MORTE
iptables -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A PING-MORTE -j DROP
echo "Ping of death protection enabled"
echo "ON ...................................................... [ OK ]"

# SYN-flood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies   # 1 enables SYN cookies; 0 would disable the protection
iptables -N syn-flood
# Note: this limits ALL new inbound TCP connections on the external interface to 1/s (burst 4), legitimate ones included
iptables -A INPUT -i $EXTERNA -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
echo "SYN-flood protection enabled"
echo "ON ...................................................... [ OK ]"

# Log and drop port scanners (invalid TCP flag combinations)
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "DIVERSOS: port scanner: "
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $EXTERNA -j SCANNER
echo "Port scanner protection enabled"
echo "ON ...................................................... [ OK ]"

# Block SSH brute-force attempts: more than 3 new connections within 60 s from one source get a TCP reset
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
echo "SSH brute-force protection enabled"
echo "ON ...................................................... [ OK ]"

#### Allow port 443 through FORWARD
iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 443 -j ACCEPT
iptables -t filter -A FORWARD -p udp --sport 443 -j ACCEPT

# Workstations excluded from the proxy; they go straight out through NAT
iptables -t nat -A PREROUTING -i $INTERNA -s 192.168.100.2/32 -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTERNA -s 192.168.100.202/32 -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTERNA -s 192.168.100.201/32 -p tcp -m multiport --dport 80,443 -j ACCEPT

#iptables -t nat -A PREROUTING -i $INTERNA -s 192.168.1.2/32 -p tcp -m multiport --dport 80,443 -j ACCEPT

##### Squid - proxy

# use only one of the options below and comment out the others

# redirect port 80 traffic to 3128, except for the workstation
# with the IP given in the rule
#iptables -t nat -A PREROUTING -i $INTERNA ! -s 192.168.100.108 -p tcp -m multiport --dport 80,443 -j REDIRECT --to-ports 3128

# redirect port 80 traffic to 3128 (squid)
iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.100.0/24 --dport 80 -j REDIRECT --to-ports 3128

######################
##### VNC
#####################
# Forward ports to the first VNC machine; change the IP to the machine you want to reach.
# Skipped while $vnc1 is empty, because DNAT needs a target address.
if [ -n "$vnc1" ]; then
iptables -A FORWARD -i $EXTERNA -p tcp --dport 5800:5850 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 5800:5850 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $EXTERNA --dport 5800:5850 -j DNAT --to $vnc1:5800-5850
iptables -t nat -A PREROUTING -p udp -i $EXTERNA --dport 5800:5850 -j DNAT --to $vnc1:5800-5850
fi

# Forward to the VNC machine listening on 5801 (skipped while $vnc2 is empty)
if [ -n "$vnc2" ]; then
iptables -A FORWARD -i $EXTERNA -p tcp --dport 5851:5901 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 5851:5901 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $EXTERNA --dport 5851:5901 -j DNAT --to $vnc2:5851-5901
iptables -t nat -A PREROUTING -p udp -i $EXTERNA --dport 5851:5901 -j DNAT --to $vnc2:5851-5901
fi

#####################
##### Terminal Server
#####################
iptables -A FORWARD -i $EXTERNA -p tcp --dport 3389 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 3389 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $EXTERNA --dport 3389 -j DNAT --to $terminal:3389
iptables -t nat -A PREROUTING -p udp -i $EXTERNA --dport 3389 -j DNAT --to $terminal:3389

###################
#### Cameras
###################
iptables -A FORWARD -i $EXTERNA -p tcp --dport 4000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNA -p udp --dport 4000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $EXTERNA --dport 4000 -j DNAT --to $cameras:4000
iptables -t nat -A PREROUTING -p udp -i $EXTERNA --dport 4000 -j DNAT --to $cameras:4000
echo "Port forwarding enabled"
echo "ON....................................................... [ OK ]"

# Enable masquerading (NAT) for everything leaving the external interface
iptables -t nat -A POSTROUTING -o $EXTERNA -j MASQUERADE

echo "Firewall rules active"

}
parar(){
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "Firewall rules disabled"
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar;;
*) echo "usage --> start, stop or restart"
esac

I don't know what else to do.

Thanks
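A ruleset like the one above is worth checking mechanically before guessing. The following is an added example, not part of the original post or of the Wns Informatica script: a POSIX shell audit that reads an `iptables-save` dump and flags the three conditions that stop LAN clients from reaching HTTPS sites through a box like this one: tcp/443 being REDIRECTed into Squid's plain `http_port`, a FORWARD chain that never lets NEW tcp/443 connections through, and a missing MASQUERADE/SNAT rule. The two dumps embedded in it are constructed (the broken one models the commented-out `--dport 80,443 ... -j REDIRECT` rule in the script; the fixed one redirects only tcp/80). It assumes Squid listens on 3128 and that connection tracking is spelled `--state` or `--ctstate`, as `iptables-save` prints it.

```shell
#!/bin/sh
# Added example (not the original poster's script): audit an iptables-save dump for
# the mistakes that break HTTPS for LAN clients behind a Squid transparent proxy.
# Both dumps below are CONSTRUCTED for illustration; on a real box feed it `iptables-save`.

# Constructed dump modelled on the commented-out "--dport 80,443 -j REDIRECT" rule:
BROKEN_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.100.2/32 -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A PREROUTING -s 192.168.100.0/24 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed dump with only tcp/80 intercepted and new tcp/443 forwarded:
FIXED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.100.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT'

# Print the "-A ..." rules of one table ("nat" or "filter") from a dump.
table_rules() {   # $1 = dump, $2 = table
    printf '%s\n' "$1" | awk -v t="*$2" '
        $0 == t { in_t = 1; next }
        in_t && $0 == "COMMIT" { in_t = 0 }
        in_t && /^-A / { print }'
}

# Print the default policy of a chain, e.g. chain_policy "$dump" filter FORWARD -> DROP
chain_policy() {   # $1 = dump, $2 = table, $3 = chain
    printf '%s\n' "$1" | awk -v t="*$2" -v c=":$3" '
        $0 == t { in_t = 1; next }
        in_t && $0 == "COMMIT" { in_t = 0 }
        in_t && $1 == c { print $2 }'
}

# Does a multiport list ("80,443", "440:450") contain the given port?
list_has_port() {   # $1 = port list, $2 = port
    port=$2
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    for item in "$@"; do
        case "$item" in
            *:*) [ "${item%:*}" -le "$port" ] && [ "${item#*:}" -ge "$port" ] && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# Is tcp/443 REDIRECTed to the Squid port? A plain http_port cannot terminate TLS.
https_redirected_to_proxy() {   # $1 = dump, $2 = squid port
    lists=$(table_rules "$1" nat | awk -v sp="$2" '
        $2 == "PREROUTING" && / -j REDIRECT / {
            for (i = 1; i <= NF; i++) if ($i == "--to-ports" && $(i+1) != sp) next
            for (i = 1; i <= NF; i++) if ($i == "--dport" || $i == "--dports") print $(i+1)
        }')
    for l in $lists; do list_has_port "$l" 443 && return 0; done
    return 1
}

# Can a NEW tcp/443 connection from the LAN be forwarded to the internet?
forward_allows_new_https() {   # $1 = dump
    [ "$(chain_policy "$1" filter FORWARD)" = ACCEPT ] && return 0
    table_rules "$1" filter | awk '
        $2 == "FORWARD" && / -j ACCEPT/ {
            if ($0 ~ /--(ct)?state [A-Z,]*NEW/ && $0 !~ /--dports?/) ok = 1   # unrestricted NEW accept
            if ($0 ~ /--dport 443( |$)/) ok = 1                               # explicit 443 accept
            if ($0 ~ /--dports ([0-9:,]*,)?443( |,|$)/) ok = 1                # 443 inside a multiport list
        }
        END { exit ok ? 0 : 1 }'
}

# Is there a MASQUERADE/SNAT rule so LAN traffic leaves with a routable source address?
nat_masquerade_present() {   # $1 = dump
    table_rules "$1" nat | grep -qE -- ' -j (MASQUERADE|SNAT)'
}

# Run all checks; prints findings and returns the number of problems (0 = OK).
https_audit() {   # $1 = dump, $2 = squid port
    problems=0
    if https_redirected_to_proxy "$1" "$2"; then
        echo "PROBLEM: tcp/443 is REDIRECTed to Squid port $2 (a plain http_port cannot terminate TLS)"
        problems=$((problems + 1))
    fi
    if ! forward_allows_new_https "$1"; then
        echo "PROBLEM: FORWARD policy is $(chain_policy "$1" filter FORWARD) and no rule accepts NEW tcp/443"
        problems=$((problems + 1))
    fi
    if ! nat_masquerade_present "$1"; then
        echo "PROBLEM: no MASQUERADE/SNAT in nat POSTROUTING; LAN clients leave with private source addresses"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: nothing here stops LAN clients from reaching HTTPS sites"
    return "$problems"
}

echo "== broken ruleset =="; https_audit "$BROKEN_RULES" 3128 || echo "-> $? problem(s)"
echo "== fixed ruleset ==";  https_audit "$FIXED_RULES" 3128 || echo "-> $? problem(s)"
```

The exit status of `https_audit` is the number of problems found, so the same function can gate a rule push (`iptables-save | ...`) in a deployment script. The checks are deliberately simple string matching over the `iptables-save` format; they do not evaluate rule order, so a DROP placed before an ACCEPT in FORWARD would still pass the second check.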


  


2. Re: HTTPS Sites

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 17/02/2011 - 11:50h

Change the OUTPUT policy to ACCEPT:

iptables -P OUTPUT ACCEPT

I believe it will work...




3. nothing

Gustavo
guh.muller

(uses Debian)

Posted on 17/02/2011 - 12:06h

I did what you said, and nothing.

I need some light here :S


4. Re: HTTPS Sites

Valdinei de Souza Campos
valdinei.campos

(uses CentOS)

Posted on 17/02/2011 - 12:25h

Could you post the squid configuration file (squid.conf)?


5. SQUID

Gustavo
guh.muller

(uses Debian)

Posted on 17/02/2011 - 12:45h

########################
# Squid configuration  #
# By Wns               #
########################
visible_hostname web.wns.com.br
http_port 3128
error_directory /usr/share/squid/errors/Portuguese
cache_mem 64 MB
##################
# Authentication #
##################
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Enter your Internet username and password.
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off
####################
# Cache and logs   #
####################
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
########################
# Bandwidth control    #
########################
#delay_pools 1
#delay_class 1 2
#delay_parameters 1 229376/229376 8192/8192
###################
# Refresh         #
###################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
##################
# Squid defaults #
##################
acl rede_interna proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 110 # pop
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
######################
# Site-specific rules #
######################
acl folha url_regex "/etc/squid/folha.txt"
acl diretoria proxy_auth "/etc/squid/diretoria.txt"
acl msn url_regex "/etc/squid/msn.txt"
acl sites_bloqueados url_regex -i "/etc/squid/sitesbloqueados.txt"
acl palavras_bloqueadas dstdom_regex "/etc/squid/palavrasbloqueadas.txt"
acl funcionarios proxy_auth "/etc/squid/funcionarios.txt"
acl sites_liberados url_regex -i "/etc/squid/sitesliberados.txt"
acl funcionarios_bloqueados proxy_auth "/etc/squid/funcionariosbloqueados.txt"
# Manager and port sanity checks come first, so that no allow rule below lets an
# authenticated user CONNECT to arbitrary ports (the check applies to CONNECT only;
# a bare "deny !SSL_ports" would also reject every plain http request on port 80)
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow folha
http_access allow msn
http_access allow diretoria
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access deny palavras_bloqueadas
http_access deny funcionarios_bloqueados !sites_liberados
http_access allow funcionarios !palavras_bloqueadas
http_access allow rede_interna
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
################
# IE refresh   #
################
ie_refresh on



6. Re: HTTPS Sites

Ivo Becker
ivo.becker

(uses Debian)

Posted on 17/02/2011 - 14:14h

You are sending port 443 to Squid together with port 80, but you are also giving it an ACCEPT. Check this!


7. Re: HTTPS Sites

Rodrigo Hlatki
rodrigoh79

(uses Debian)

Posted on 17/02/2011 - 20:14h

Add this line to your firewall:

iptables -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT

where eth1 is my local network interface. You have to do this because https does not work with transparent squid.
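Reply 7's point (HTTPS does not survive a transparent REDIRECT) and the `SSL_ports` lines in the squid.conf from post 5 both come down to what bytes actually reach port 3128. The following is an added example, written for this page and not taken from the thread or from Squid itself: it classifies the first payload bytes of a connection to the proxy port, hex-encoded as `tcpdump -x` prints them. A TLS record header means a browser's tcp/443 session was intercepted and Squid's plain `http_port` cannot answer it; a `CONNECT host:port` request line means the browser was configured to use the proxy explicitly, which is the only mode in which HTTPS works with the posted config (and is where `http_access deny CONNECT !SSL_ports` is evaluated, reproduced here against the page's `443 563` list); a `GET` line is intercepted plain HTTP, which is fine. All payloads are constructed: the ClientHello prefix is a hand-written header, not a real capture, and the request lines are shown without their trailing CRLF.

```shell
#!/bin/sh
# Added example, not from the original thread: what arrives at Squid's http_port (3128)
# in the three ways a LAN client can reach it, plus the SSL_ports check that
# "http_access deny CONNECT !SSL_ports" performs. Payloads are hex, as from `tcpdump -x`.

# Hex-encode an ASCII string (used to build the constructed payloads and method prefixes).
ascii_to_hex() { printf '%s' "$1" | od -An -tx1 | tr -d ' \n'; }

# Decode hex back to text; printable ASCII only, which is all a request line needs.
hex_to_ascii() {
    for pair in $(printf '%s' "$1" | sed 's/../& /g'); do
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# Drop whitespace and lower-case a hex dump so prefixes compare reliably.
norm_hex() { printf '%s' "$1" | tr -d ' \n' | tr 'A-F' 'a-f'; }

# Classify the first payload bytes: prints tls | connect | http | unknown.
classify_proxy_payload() {   # $1 = hex of the first payload bytes
    hex=$(norm_hex "$1")
    # 0x16 = TLS handshake record, 0x03 0x0X = TLS version: a ClientHello sent to a plain http_port
    case "$hex" in 1603[0-3]*) echo tls; return 0 ;; esac
    p=$(ascii_to_hex 'CONNECT ')
    case "$hex" in "$p"*) echo connect; return 0 ;; esac
    for m in 'GET ' 'POST ' 'HEAD ' 'PUT ' 'OPTIONS '; do
        p=$(ascii_to_hex "$m")
        case "$hex" in "$p"*) echo http; return 0 ;; esac
    done
    echo unknown
}

# For a CONNECT request, print the requested port (what Squid matches against SSL_ports).
connect_port() {   # $1 = hex payload
    line=$(hex_to_ascii "$(norm_hex "$1")" | head -n 1)
    target=${line#CONNECT }    # "host:port HTTP/1.1"
    target=${target%% *}       # "host:port"
    printf '%s\n' "${target##*:}"
}

# Mirror of the page's squid.conf: acl SSL_ports port 443 563 / http_access deny CONNECT !SSL_ports
connect_allowed_by_ssl_ports() {   # $1 = hex payload; 0 = would pass, 1 = denied
    [ "$(classify_proxy_payload "$1")" = connect ] || return 1
    case "$(connect_port "$1")" in 443|563) return 0 ;; esac
    return 1
}

# Explain a payload the way you would when reading a capture on port 3128.
explain_payload() {   # $1 = hex payload
    case "$(classify_proxy_payload "$1")" in
        tls)     echo "TLS ClientHello: tcp/443 was REDIRECTed to a plain http_port; Squid cannot serve it" ;;
        connect) if connect_allowed_by_ssl_ports "$1"; then
                     echo "CONNECT to port $(connect_port "$1"): explicit proxy tunnel, passes SSL_ports"
                 else
                     echo "CONNECT to port $(connect_port "$1"): denied by 'http_access deny CONNECT !SSL_ports'"
                 fi ;;
        http)    echo "plain HTTP request: transparent REDIRECT of tcp/80 works" ;;
        *)       echo "neither HTTP nor TLS: check what is being REDIRECTed to 3128" ;;
    esac
}

# Constructed sample payloads (not real captures):
TLS_HELLO_HEX='16 03 01 00 a5 01 00 00 a1 03 03'                                # hand-written ClientHello prefix
CONNECT_443_HEX=$(ascii_to_hex 'CONNECT mail.mailig.ig.com.br:443 HTTP/1.1')   # explicit proxy, https
CONNECT_22_HEX=$(ascii_to_hex 'CONNECT 203.0.113.10:22 HTTP/1.1')              # explicit proxy, ssh tunnel attempt
GET_HEX=$(ascii_to_hex 'GET / HTTP/1.1')                                        # intercepted tcp/80

for p in "$TLS_HELLO_HEX" "$CONNECT_443_HEX" "$CONNECT_22_HEX" "$GET_HEX"; do
    explain_payload "$p"
done
```

To use it on a live box, take the payload bytes of the first packet a client sends to port 3128 from `tcpdump -i eth0 -x tcp port 3128` and pass them to `explain_payload`. The `tls` outcome is the signature of a `--dport 443 -j REDIRECT --to-ports 3128` rule; the `connect` outcome is what an explicitly configured browser produces, and it is the only one of the three in which Squid's `proxy_auth` ACLs can even prompt for credentials.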






