Squid - Block external access.

1. Squid - Block external access.

rafael
couxita

(uses Debian)

Sent on 17/12/2010 - 10:47h

Hi everyone, good morning....
The other day I noticed some strange IPs showing up in the sarg report. I checked on the net and on my server and saw that my squid has external access open. How do I block this?

I added 2 rules but it didn't help. I use a proxy; it is not transparent.

Here is my script:

#!/bin/bash
IPTABLES=/sbin/iptables

ETHLAN=eth1
ETHWAN=eth5

SERVER=192.168.0.3
LAN=192.168.0.0/24
IPINTERNET=`ifconfig eth5 | grep addr: | awk '{ print $2 }' | cut -d: -f 2`

echo Limpando configuracoes antigas
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

### Start of script ###
echo Iniciando Script de Seguranca

### ICMP ###
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p icmp -j MASQUERADE

#iptables -A FORWARD -s $LAN -d 64.4.16.55 -j DROP
#iptables -A FORWARD -s $LAN -d 72.246.64.168 -j DROP
#iptables -A FORWARD -s $LAN -d 72.246.64.137 -j DROP
#iptables -A FORWARD -s $LAN -d sn130w.snt130.mail.live.com -j DROP
#iptables -A FORWARD -s $LAN -d gateway.dll -j DROP
#iptables -A FORWARD -s $LAN -d 65.54.179.228 -j DROP

### IPs that do not go through the firewall ###
$IPTABLES -t nat -I PREROUTING -s 192.168.0.105 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.105 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.48 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.48 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.24 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.24 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.54 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.54 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.51 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.51 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.12 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.12 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.65 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.65 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.75 -j ACCEPT # Dr. Marcel's notebook
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.75 -o $ETHWAN -p tcp -j MASQUERADE

#$IPTABLES -A FORWARD -s 64.4.16.60 -j REJECT

### IPs that do not go through the firewall ###
$IPTABLES -t nat -I PREROUTING -s 192.168.0.2 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.2 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.62 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.62 -o $ETHWAN -p tcp -j MASQUERADE
$IPTABLES -t nat -I PREROUTING -s 192.168.0.7 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.7 -o $ETHWAN -p tcp -j MASQUERADE
#$IPTABLES -I FORWARD 1 -i $ETHLAN -d 192.168.0.2 -j ACCEPT
#$IPTABLES -I FORWARD 2 -i $ETHWAN -s 192.168.0.2 -j ACCEPT

### Conectividade Social ###
#$IPTABLES -t POSTROUTING -j MASQUERADE -t nat -s $192.168.0.25 -p tcp -d 200.201.174.207 -dport 80 -o $ETHWAN
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d 200.201.174.0/24 -j SNAT --to-source $IPINTERNET
$IPTABLES -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 192.168.0.0/24 -d 0/0 -p tcp --dport 80
$IPTABLES -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -s 192.168.0.0/24 -d 0/0 -p tcp --dport 3128

### FTP ###
$IPTABLES -A INPUT -p tcp --dport 20 -s $LAN -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -s $LAN -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 20 -s $LAN -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 21 -s $LAN -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $LAN -p udp --dport 20 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $LAN -p tcp --dport 21 -j MASQUERADE

### SPARK EXTERNAL ACCESS ###
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 6060 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 6060 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 7070 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 7070 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 5222 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 5222 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 5233 -j DNAT --to-destination 192.168.0.2
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 5233 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5222:5233 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5222:5233 -j ACCEPT


## Voip ###
#VOIP=192.168.0.62

#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 8080 -j DNAT --to-destination $VOIP
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 8080 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 10000:20000 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 5500 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 5060:5061 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 1560:1561 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 1571 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 8000 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A POSTROUTING -s $VOIP -p udp -m udp -j SNAT --to-source $IPINTERNET
#$IPTABLES -t nat -A POSTROUTING -s $VOIP -p tcp -m tcp -j SNAT --to-source $IPINTERNET
#$IPTABLES -A INPUT -p tcp --dport 5060:5061 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5060:5061 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 16384:16482 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 16384:16482 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5500 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5500 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 10000:20000 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 10000:20000 -j ACCEPT

## Voip ###
#VOIP=192.168.0.14

#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 8080 -j DNAT --to-destination $VOIP
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 8080 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 10000:20000 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 5500 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 5060:5061 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 1560:1561 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 1571 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p udp -m udp --dport 8000 -j DNAT --to-destination $VOIP
#$IPTABLES -t nat -A POSTROUTING -s $VOIP -p udp -m udp -j SNAT --to-source $IPINTERNET
#$IPTABLES -t nat -A POSTROUTING -s $VOIP -p tcp -m tcp -j SNAT --to-source $IPINTERNET
#$IPTABLES -A INPUT -p tcp --dport 5060:5061 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5060:5061 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 16384:16482 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 16384:16482 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5500 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 5500 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 10000:20000 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 10000:20000 -j ACCEPT


#### POLI ###
#POLI=192.168.0.105

#iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to 192.168.0.105:20
#iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 192.168.0.105:21
#iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 21 -j DNAT --to-destination 192.168.0.105
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i eth5 -p tcp --dport 21 -j DNAT --to $POLI:21
#$IPTABLES -A FORWARD -i eth5 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i eth5 -p udp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i eth5 --dport 21 -j DNAT --to $POLI:21
#$IPTABLES -t nat -A PREROUTING -p udp -i eth5 --dport 21 -j DNAT --to $POLI:21


### VPN ###

#$IPTABLES -A INPUT -p tcp --dport 47 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 47 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 3382 -s $LAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 3382 -j ACCEPT


### SSH ###
$IPTABLES -A INPUT -p tcp --dport 22 -s $LAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#$IPTABLES -A INPUT -p tcp --dport 21 -s $LAN -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 21 -s $LAN -j ACCEPT

### HTTP Apache ###
#$IPTABLES -A INPUT -p tcp --dport 80 -s $LAN -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 80 -s $LAN -j ACCEPT

### HTTP Apache - External access ###
#$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 80 -j ACCEPT

### DNS ###
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p udp --dport 53 -j MASQUERADE

### SQUID ###
#$IPTABLES -A INPUT -p tcp --dport 8080 -i $ETHLAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 3128 -i $ETHLAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --sport 8080 -i $ETHLAN -j ACCEPT
#$IPTABLES -A INPUT -p tcp --sport 80 -i $ETHWAN -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHLAN -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -A INPUT -p tcp -i $ETHWAN --dport 3128 -j DROP
$IPTABLES -A INPUT -i $ETHWAN -m state --state ! ESTABLISHED,RELATED -j DROP

### SSL ###
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT

### Ports used by some sites ###
$IPTABLES -A INPUT -p tcp --dport 8000:8088 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 8000:8088 -j ACCEPT

### Nat MAIL ###
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 25 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 110 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p udp --dport 110 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 465 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p udp --dport 465 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 995 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p udp --dport 995 -s $LAN -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -p tcp --dport 587 -s $LAN -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -p udp --dport 587 -s $LAN -j MASQUERADE


### Forward TerminalService ###
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 3389 -j DNAT --to-destination $SERVER
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 3389 -m state --state NEW -j ACCEPT

### Forward VNC ###
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 5800 -j DNAT --to-destination $SERVER
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 5800 -m state --state NEW -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $ETHWAN -p tcp --sport 1024:65535 --dport 5900 -j DNAT --to-destination $SERVER
#$IPTABLES -A FORWARD -i $ETHWAN -o $ETHLAN -p tcp --sport 1024:65535 --dport 5900 -m state --state NEW -j ACCEPT

### Block all other ports
$IPTABLES -P INPUT ACCEPT
#$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

2. Re: Squid - Block external access.

Davi Ribeiro
dastyler

(uses Fedora)

Sent on 17/12/2010 - 12:10h

Block the input (INPUT) and the forward in iptables coming from the internet to your firewall on the Squid port (on the $ETHWAN interface). That alone is enough to prevent external access to your proxy, and it is a security rule that must be followed to the letter to keep strangers from using your proxy.

And your script is a bit messy. Where there are comments saying Block, there are ACCEPT rules. The VOIP variable is commented out and its rules are uncommented... it needs a general review so that only what is really needed is active.
[]´s

3. Re: Squid - Block external access.

Davi Ribeiro
dastyler

(uses Fedora)

Sent on 17/12/2010 - 12:15h

My mistake about the VOIP. I got confused; it is commented out. If you are not going to use the rules, delete them from the script, remembering to make a copy of it before removing the lines, because some day you may need them for reference.

[]´s


4. Re: Squid - Block external access.

rafael
couxita

(uses Debian)

Sent on 17/12/2010 - 14:02h

Hello friend. Thank you.

Would this rule I added work?

$IPTABLES -A INPUT -p tcp -i $ETHWAN --dport 3128 -j DROP

And the forward one, how would it look? I am a Linux beginner.

Thank you.

I am going to clean up the script; there is a lot of stuff in it that is not being used.
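As an added example (not the poster's script and not from either reply), the two rules the reply above describes, inserted at the head of INPUT and FORWARD, plus an offline check over iptables-save output that shows why appending the DROP at the end of the script is not enough: the chain policy is ACCEPT and earlier rules that match only on --sport (the script's DNS and HTTPS reply rules) are reached first. Interface eth5, port 3128 and the LAN range are taken from the thread; the rule dumps are constructed.

```shell
#!/bin/bash
# Added example, not the poster's script. Interface, port and addresses
# follow the thread; the iptables-save dumps below are constructed.
IPTABLES=${IPTABLES:-/sbin/iptables}
ETHWAN=${ETHWAN:-eth5}
SQUID_PORT=3128
# Rules that close the proxy to the Internet, printed rather than applied.
# -I puts them at the head of the chain: the policy is ACCEPT and the script
# appends with -A, so a DROP appended last sits behind every earlier ACCEPT.
squid_wan_block_rules() {
    printf '%s -I INPUT 1 -i %s -p tcp --dport %s -j DROP\n' "$IPTABLES" "$ETHWAN" "$SQUID_PORT"
    printf '%s -I FORWARD 1 -i %s -p tcp --dport %s -j DROP\n' "$IPTABLES" "$ETHWAN" "$SQUID_PORT"
}
# Audit: read iptables-save text on stdin and print the verdict of the first
# INPUT rule matching a new TCP connection from $ETHWAN to $SQUID_PORT (the
# chain policy if none matches). -s is treated as "not the Internet"; --sport
# is ignored because the remote side chooses its own source port.
squid_exposure() {
    awk -v wan="$ETHWAN" -v port="$SQUID_PORT" '
    function inrange(spec, p,  a) {
        if (split(spec, a, ":") == 1) return spec == p
        return a[1] + 0 <= p + 0 && p + 0 <= a[2] + 0
    }
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
        iface = src = proto = dport = target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "-s") src = $(i + 1)
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if ((iface != "" && iface != wan) || src != "") next
        if (proto != "" && proto != "tcp") next
        if (dport != "" && !inrange(dport, port)) next
        print target; found = 1; exit
    }
    END { if (!found) print policy }'
}
# Constructed dumps: DROP appended last (as in the thread) vs inserted first.
RULES='-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT'
DROP="-A INPUT -i $ETHWAN -p tcp -m tcp --dport $SQUID_PORT -j DROP"
BEFORE=$(printf ':INPUT ACCEPT [0:0]\n%s\n%s\n' "$RULES" "$DROP")
AFTER=$(printf ':INPUT ACCEPT [0:0]\n%s\n%s\n' "$DROP" "$RULES")
printf 'appended last: %s, inserted first: %s\n' "$(printf '%s\n' "$BEFORE" | squid_exposure)" "$(printf '%s\n' "$AFTER" | squid_exposure)"
```

To audit the live box, run `iptables-save | squid_exposure` as root; `squid_wan_block_rules | sh` applies the two rules.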