amigos alguem me ajude conectividade social por favor [RESOLVIDO]

jhonboy
(usa Conectiva)

Enviado em 21/08/2008 - 16:16h

caro esta conectividade esta me deixando louco por favor alguem me da uma luz ai q nao to conseguindo, nao consigo fazer esta conectividade social de jeito nenhum funcionar, antes meu firewall tinha todas portas aberta sem regra agora q fechei tudo e abrir somente as necessaria ele nao deixa. entao as maquinas ja usava conectividade de boa, quer dizer que e minha regra no firewall ou no squid! teria como vc dar uma olhada e me dizer se tem algo errado no meu squid ou firewall
segue abaixo os firewall e o squid

squid

acl localhost src 127.0.0.1/255.255.255.255
acl to-localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl safe_ports port 80
acl safe_ports port 21
acl safe_ports port 443 563
acl safe_ports port 70
acl safe_ports port 210
acl safe_ports port 1024-65535
acl safe_ports port 280
acl safe_ports port 488
acl safe_ports port 591
acl safe_ports port 777
acl CONNECT method CONNECT

#Limitar o tamanho de downloads
acl html rep_mime_type text/html
reply_body_max_size 0 allow html
reply_body_max_size 10485760 allow all

# liberar msn/orkut
acl iplib src "/etc/squid/rl/iplib.txt"
http_access allow iplib

# bloquear msn/orkut
acl trava_msn_orkut url_regex -i "/etc/squid/rl/trava_msn_orkut.txt"
http_access deny trava_msn_orkut

acl dominio_msn_orkut dstdomain "/etc/squid/rl/trava_msn_orkut.txt
header_access Accept-Encoding deny dominio_msn_orkut

# bloquear sites
acl site_bloq url_regex -i "/etc/squid/rl/sitebloq.txt"
#acl termobloq dstdom_regex "/etc/squid/rl/bloq.txt"

# liberar sites
acl site_lib url_regex "/etc/squid/rl/lib.txt"

#bloquear internet por ip
acl usuariobloq src 192.168.0.45
http_access deny usuariobloq

http_access allow SSL_ports
http_access allow manager localhost
http_access deny !safe_ports
http_access deny CONNECT !SSL_ports
http_access deny site_bloq !site_lib
#http_access deny site_bloq
#http_access deny termobloq
http_reply_access allow all

#deixando proxy transparente
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

firewall

#!/bin/sh
### Carrega módulos de connection tracking
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp

### Define políticas de acesso padrão
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

### Limpa regras e cadeias de usuário prévias
iptables -X
iptables -F
iptables -t nat -F

### Habilita repasse de pacotes
echo 1 > /proc/sys/net/ipv4/ip_forward

### Interface externa
EXT_IF=eth0

### Interface Interna
INT_IF=eth1

### Rede interna
INT_NET=192.168.0.0/24

### Habilita comunicação interna entre processos locais
iptables -A INPUT -i lo -j ACCEPT

### Habilita acesso pela rede interna a esse host
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A FORWARD -i $INT_IF -j ACCEPT

### Habilita SSH externo - use isso se for acessar o servidor externamente
iptables -A INPUT -i $EXT_IF -m tcp -p tcp --dport 22 -j ACCEPT

### Habilita todas a conexões previamente aceitas (estados Estabelicida e Relacionada)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### Liberar acesso externo às portas de Mail(25), Pop-3(110), Dns(53(tcp e udp)), Https(443), Gmail(465,955)
iptables -t nat -A POSTROUTING -o $EXT_IF -m multiport -p tcp --dports 20,21,22,25,53,110,443,465,995 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXT_IF -m multiport -p udp --dports 20,21,53,443 -j MASQUERADE

### Proxy transparente
iptables -t nat -A PREROUTING -p tcp --dport 80 -i $INT_IF -s $INT_NET -j REDIRECT --to-port 3128

leandro_silvas
(usa Debian)

Enviado em 22/08/2008 - 19:39h

eu tenho um proxy tranasparente, e com essas regras no firewall e funcionando tranquilamente,

#Libera Porta CONECTIVIDADE
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i eth1 --sport 2631
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i eth1 --dport 2631
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i eth1 -s 200.201.174.0/24
/sbin/iptables -A INPUT -j ACCEPT -p tcp -i eth1 -d 200.201.174.0/24

/sbin/iptables -A FORWARD -j ACCEPT -p tcp --sport 2631
/sbin/iptables -A FORWARD -j ACCEPT -p tcp --dport 2631

# habilita Squid - PROXY TRANSPARENTE
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 200.201.174.0/24 --dport 80 -j REDIRECT --to-port 3128


espero ter ajudado

Leandro

leandro_silvas
(usa Debian)

Enviado em 22/08/2008 - 19:40h

cara vc precisa ter o mjvm rodando no ie, o java sun não funfa.

falowe

leandro_silvas
(usa Debian)

Enviado em 28/08/2008 - 17:59h

e æ cara? funcionou??
posta aí pra gente!!!

falows

neonx
(usa Slackware)

Enviado em 28/08/2008 - 18:12h

eu tenho o seguinte no meu squid libero acesso direto do squid sem cache:

acl cscaixa url_regex -i "/etc/squid/blacklist/cscaixa.txt"
no_cache deny cscaixa
always_direct allow cscaixa

dentro do arquivo cscaixa.txt
.caixa.gov.br

no meu firewall:

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT

e está funcionando tranquilo...

jhonboy
(usa Conectiva)

Enviado em 29/08/2008 - 11:20h

nao funcionou ainda nao monitoro no iptraf ele da scanneando porta e status reset to tentando ainda com nenhum q peguei da internet deu certo ainda to tentando montar uma regra aki mas ta dificil

hibiki
(usa Debian)

Enviado em 30/08/2008 - 10:59h

Olha eu utlizei essa regra e deu certo comigo

iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT

tenta elas depos que rolar vc coloca no fire para iniciar
Outra coisa é se no cliente esta com algum antivirus ou fire ativo pode estar bloqueando algo, o avg ja me aprontou isso, se esta instalado a mvm vai rolar

jhonboy
(usa Conectiva)

Enviado em 01/09/2008 - 11:47h

Estas regra tb nao deu certo! estou monitorando pelo iptraf ele conecta fica alguns tempo ai as conexão no status aparece RESET em todas pq sera?

guaidtna
(usa Outra)

Enviado em 30/09/2008 - 16:27h

Boa tarde pessoal, estou ficando louco aqui na empresa pois tenho tentado de tudo e nao estou conseguindo fazer o conectividade social funcionar. Uso o smoothwall express 2.0 ex proxy transparente. Vou postar como que esta a configuraçao no squid e no firewall. Peço ajuda em carater de urgencia,obrigado.

Squid
#Libera Conectividade social Caixa
acl cscaixa url_regex -i "/var/smoothwall/proxy/cscaixa.txt"
no_cache deny cscaixa
always_direct allow cscaixa

rc.firewall.up
#!/bin/sh

# Disable ICMP Redirect Acceptance
for FILE in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $FILE
done

# Disable Source Routed Packets
for FILE in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $FILE
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for FILE in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $FILE
done

# Enable rp_filter, will be disabled if VPNs are used
for FILE in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $FILE
done

# Set timeouts. 2.5 hours for TCP.
#/sbin/ipchains -M -S 9000 0 0

/sbin/iptables -F
/sbin/iptables -X

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT

/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 10.0.0.0/0 --dport 1863 -j DROP
/sbin/iptables -A FORWARD -p TCP -i $GREEN_DEV -s 10.0.0.0/0 --dport 5190 -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 135 -s 0/0 -j DROP

# IP blocker
/sbin/iptables -N ipblock
/sbin/iptables -A INPUT -i ppp0 -j ipblock
/sbin/iptables -A INPUT -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A INPUT -i $RED_DEV -j ipblock
fi
/sbin/iptables -A FORWARD -i ppp0 -j ipblock
/sbin/iptables -A FORWARD -i ippp0 -j ipblock
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A FORWARD -i $RED_DEV -j ipblock
fi


# For IGMP and multicast
/sbin/iptables -N advnet
/sbin/iptables -A INPUT -i ppp0 -j advnet
/sbin/iptables -A INPUT -i ippp0 -j advnet
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A INPUT -i $RED_DEV -j advnet
fi

# Spoof protection for RED (rp_filter does not work with FreeS/WAN)
/sbin/iptables -N spoof
/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROP
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROP
fi

/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i ippp0 -j spoof
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A INPUT -i $RED_DEV -j spoof
fi


# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

# IPSEC
/sbin/iptables -N secin
/sbin/iptables -A secin -i ipsec0 -j ACCEPT
/sbin/iptables -A INPUT -j secin

/sbin/iptables -N secout
/sbin/iptables -A secout -i ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -j secout

/sbin/iptables -N block

# Let em through.
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -i $GREEN_DEV -j ACCEPT

# External access. Rule set with setxtaccess setuid
/sbin/iptables -N xtaccess
/sbin/iptables -A block -j xtaccess

# IPSEC
/sbin/iptables -N ipsec
/sbin/iptables -A ipsec -p udp --destination-port 500 -j ACCEPT
/sbin/iptables -A ipsec -p 47 -j ACCEPT
/sbin/iptables -A ipsec -p 50 -j ACCEPT
/sbin/iptables -A block -i ppp0 -j ipsec
/sbin/iptables -A block -i ippp0 -j ipsec
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A block -i $RED_DEV -j ipsec
fi

# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
/sbin/iptables -A block -p tcp --source-port 67 --destination-port 68 \
-i $RED_DEV -j ACCEPT
/sbin/iptables -A block -p tcp --source-port 68 --destination-port 67 \
-i $RED_DEV -j ACCEPT
/sbin/iptables -A block -p udp --source-port 67 --destination-port 68 \
-i $RED_DEV -j ACCEPT
/sbin/iptables -A block -p udp --source-port 68 --destination-port 67 \
-i $RED_DEV -j ACCEPT
fi

# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A block -p icmp -i $RED_DEV -d $RED_NETADDRESS/$RED_NETMASK -j ACCEPT
fi

/sbin/iptables -A INPUT -j block

# last rule in INPUT chain is for logging.
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT

# Allow packets that we know about through.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $GREEN_DEV -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -o $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $GREEN_DEV -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $GREEN_DEV -o ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -o $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $GREEN_DEV -o ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $GREEN_DEV -o $RED_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $RED_DEV -o $GREEN_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $GREEN_DEV -o $RED_DEV -j ACCEPT
fi
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $ORANGE_DEV -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -o $ORANGE_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $ORANGE_DEV -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $ORANGE_DEV -o ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -o $ORANGE_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $ORANGE_DEV -o ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $ORANGE_DEV -o $RED_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $RED_DEV -o $ORANGE_DEV -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -i $ORANGE_DEV -o $RED_DEV -j ACCEPT
fi
fi

# Port forwarding
/sbin/iptables -N portfwf
/sbin/iptables -A FORWARD -j portfwf

/sbin/iptables -N dmzholes

# Allow GREEN to talk to ORANGE.
if [ "$ORANGE_DEV" != "" ]; then
/sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \
--state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# dmz pinhole chain. setdmzholes setuid prog adds rules here to allow
# ORANGE to talk to GREEN.
/sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholes
fi

# VPN
/sbin/iptables -A FORWARD -i $GREEN_DEV -o ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec0 -o $GREEN_DEV -j ACCEPT

/sbin/iptables -A FORWARD -j LOG
/sbin/iptables -A FORWARD -j REJECT

# NAT table
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X

# squid
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid

# Masqurade
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
/sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADE
fi

# Port forwarding
/sbin/iptables -t nat -N portfw
/sbin/iptables -t nat -A PREROUTING -j portfw