iptables + squid não libera acesso ao servidor VsFTPD

1. iptables + squid não libera acesso ao servidor VsFTPD

ricardos1000
(usa Debian)

Enviado em 01/12/2014 - 21:18h

Boa noite pessoal abaixo esta o meu scritp do firewall, estou tentando liberar acesso externo para as pessoas acessarem meu servidor ftp(vsftpd), para baixar ou enviar arquivos para facilitar o trabalho de gráfica e outros, porem as portas e redirecionamento esta liberado mais o nmap acusa que as portas estão fechadas, o servidor ftp esta respondendo na porta 2121, no meu firewall tem um proxy Squid trabalhando junto, abaixo do script do firewall esta as configurações do squid, desde já agradeço quem puder ajudar.

--------------Firewall em 26/11/2014-----------------#

#!/bin/bash
#chkconfig: 345 99 10
#description: Firewall

#DECLARACAO DE VARIAVEIS
IPWan=192.168.zzz.zzz
IPLan=192.168.xxx.xxx
portas_tcp="3128,2121,20,21,22,25,110,80,8080,211,8245,443,587"
portas_udp="53"
echo "Ok -> Variaveis criadas com sucesso"

#CARREGA MODULOS
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe iptable_nat
modprobe ipt_LOG
#modprobe ipt_REJECT
echo "ok -> Modulos carregados"
echo ""

#desligando forward
#echo 0 > /proc/sys/net/ipv4/ip_forward
#echo "Ok -> Chain Forward desligada"

# LIMPANDO REGRAS ANTERIORES
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
iptables -X
iptables -Z
#iptables -L
echo "OK -> Todas as regras anteriores limpas"
echo ""

#DEFINE POLITICA PADRAO
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "Ok -> Politicas definidas com sucesso"
echo ""

# liberando loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

# Desabilitar IPV6
echo 1 /proc/sys/net/ipv6/conf/all/disable_ipv6
echo "Ok -> IPV6 desablilitado "
echo ""

#Abrindo Rede Local
#iptables -A INPUT -p tcp --syn -s 192.168.xxx.xxx/24 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.xxx.xxx/24 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s 192.168.xxx.xxx/24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -s 192.168.xxx.xxx/24 -j ACCEPT
echo "OK -> REDE LOCAL LIBERADA"
echo ""

#------------- Estabilizando Conexoes---------------#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "OK -> Conexoes estabelecidas"
echo ""

#ESTABELECENDO CONEXÃO COM SERVIDOR DNS
iptables -A INPUT -i eth0 -p udp -s 200.204.0.10 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 200.176.2.10 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 200.176.2.12 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 200.204.0.138 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 187.12x.xxx.xxx -j ACCEPT
#iptables -A INPUT -i eth0 -p udp -j REJECT
echo "Ok -> Servidor DNS Liberados"
echo ""

# HABILITANDO PORTA SMTP
#iptables -A INPUT -p tcp -s 192.168.xxx.xxx/24 --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp -s 192.168.xxx.xxx/24 --dport 587 -j ACCEPT
#echo "OK -> PORTA SMTP HABILITADA"
#echo ""

# HABILITANDO PORTA POP3
#iptables -A INPUT -p tcp -s 192.168.xxx.xxx/24 --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#echo "OK -> PORTA POP HABILITADA"
#echo ""

# liberando consulta DNS
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
echo "OK -> LIBERADA CONSULTA DNS"
echo ""

#LIBERANDO POP E SMTP
#iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
#echo "OK -> LIBERANDO TRAFEGO DE E-MAIL NA REDE"
#echo ""

##Liberando trafego no servidor FTP
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 2121 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "OK -> Portas do Servidor ftp liberado"
echo ""

#COMPARTILHAMENTO DA INTERNET
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Ok -> internet compartilhada com sucesso"
echo ""

## Configurando Multi Portas
iptables -A INPUT -p tcp -m multiport --dports $portas_tcp -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports $portas_tcp -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --dports $portas_tcp -j ACCEPT

iptables -A INPUT -p udp -m multiport --dports $portas_udp -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports $portas_udp -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dports $portas_udp -j ACCEPT
echo "OK -> Multiplas Portas Liberadas"
echo ""

##Liberando acesso na porta :
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 2121 -j ACCEPT
echo "OK -> portas ftp liberadas"
echo ""

#Bloqueando acesso na porta 80
iptables -A FORWARD -p tcp -m tcp -s 192.168.xxx.xxx/24 --dport 80 -j DROP
echo "Ok -> Rejeitando conexao na porta 80 para rede interna"
echo ""

#PERMITINDO TRAFEGO NO PROXY TRANSPARENTE
iptables -A INPUT -i $IPWan -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.xxx.xxx/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "Ok -> Redirecionando trafego da internet para porta 3128"
echo ""

#Redirecionando as cameras de para Maquina da Guarita
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5545 -j DNAT --to 192.168.xxx.19:5545
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5547 -j DNAT --to 192.168.xxx.19:5547
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5548 -j DNAT --to 192.168.xxx.19:5548
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5549 -j DNAT --to 192.168.xxx.19:5549
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 7000 -j DNAT --to 192.168.xxx.65:7000
echo -> "Ok -> Cameras redirecionadas com sucesso"
echo ""

##Redirecionando o Windows terminal server
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.xxx.230
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 1723 -j DNAT --to 192.168.xxx.230
echo "Ok -> Redirecionamento para WTS bem sucedido"
echo ""

##REDIRECIONANDO O TRAFEGO FTP PARA SERVIDOR FTP
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 20 -j DNAT --to 192.168.xxx.100:20
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.xxx.100:21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2121 -j DNAT --to 192.168.xxx.100:2121
echo "OK -> REDIRECIONAMENTO PARA SERVIDOR FTP BEM SUCEDIDO"
echo ""

# PROTECAO CONTRA SYN-FLOODS
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo "OK -> PROTECAO CONTRA SYN-FLOODS BEM SUCEDIDA"
echo ""

# PROTECAO CONTRA PORT SCANNERS
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#echo "OK -> PROTECAO CONTRA PORT SCANER BEM SUCEDIDA"
#echo ""

# PROTECAO CONTRA DDOS
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "OK -> PROTECAO CONTRA DDOS BEM SUCEDIDA"
echo ""

#BLOQUEANDO PACOTES FRAGMENTADOS
#iptables -A INPUT -i eth0 -m unclean -j log_unclean
#iptables -A INPUT -f -i eth0 -j log_fragment
#echo "OK -> Bloqueando pacotes fragmentados

#Pre roteamento quando o pacote sai da nossa rede interna
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.zzz.zzz
iptables -t nat -A POSTROUTING -s 192.168.xxx.xxx/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.zzz.zzz -o eth1 -j MASQUERADE
echo "OK -> OFUSCANDO A REDE COM SUCESSO"
echo ""

echo ""
echo "FIREWALL CARREGADO!"
echo "############################################"

### Squid - 26-11-2014 ###########################
#anonymaize_headers deny
#From Server Via User-Agent
#forwarded_for off
#strip_query_terms on
visible_hostname s2.wellness.com.br

http_port 3128
cache_mem 256 MB
#minimum_object_size 0 KB
#cache_swap_low 90
#cache_swap_high 95
cache_dir ufs /var/spool/squid 4096 16 256
#cache_access_log /usr/local/squid/var/logs/cache.log
cache_swap_low 80
cache_swap_high 85
minimum_object_size 2 KB
maximum_object_size_in_memory 256 KB
#http_port 3128

##Opcao padrao do Squid para configurar como sera tratado
##o tempo de vida dos objetos no cache
refresh_pattern ^ftp: 15 30% 2280
refresh_pattern ^gopher: 15 20% 2280
refresh_pattern . 15 20% 2280

#Especificando lista de servidores dns
dns_nameservers 200.204.0.10
dns_nameservers 200.176.2.10
dns_nameservers 187.12x.xxx.xxx

##ACLs para Rede
acl all src 0.0.0.0/0.0.0.0
acl rede_interna src 192.168.xxx.xxx/24
acl range src 192.168.xxx.33-192.168.xxx.52
acl range1 src 192.168.xxx.54-192.168.xxx.99
acl range2 src 192.168.xxx.123-192.168.xxx.229
acl range3 src 192.168.xxx.231-192.168.xxx.253

##ACLS
#Criando ACLs para IPs da rede livre e restrito
acl ipblock src "/etc/squid/ipblock"
acl iplivre src "/etc/squid/iplivre"
acl restrito src "/etc/squid/restrito"
acl intervalo time MTWHF 19:00-22:59
acl entretenimento src "/etc/squid/entretenimento"

#Criando ACLs para Palavras e Sites livres e restritos
acl redesocial url_regex -i "/etc/squid/redesocial"
acl blacklist url_regex -i "/etc/squid/blacklist"
acl downloads url_regex -i "/etc/squid/downloads"
acl sites_liberados url_regex -i "/etc/squid/sites_liberados"
acl sites_bloqueados url_regex -i "/etc/squid/sites_bloqueados"

##ACLs controladas
http_access deny blacklist
http_access allow iplivre
http_access deny downloads
http_access allow restrito
http_access allow sites_liberados
http_access deny redesocial !restrito
http_access deny sites_bloqueados
http_access allow entretenimento intervalo
http_access deny range range1 range2 range3 !iplivre
#http_access allow entretenimento intervalo
http_access deny ipblock

##ACLs da portas permitidas e restringindas
acl BADPORTS port 7 9 11 19 23 25 53 119 513 514 3128 8080
acl Safe_ports port 2121 #FTP
acl SSL_ports port 443 563 #https snews
acl Safe_ports port 20 21 2121 #ftp conexao
acl SSL_ports port 443 444 563 #https snews
acl Safe_ports port 80 #http
acl Safe_ports port 110 #POP
acl Safe_ports port 210 #wais
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 587 #SMTP
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 901 #swat
#acl Safe_ports port 49000-50000 #portas altas
#acl Safe_ports port 1025-65535 #wais
acl Safe_ports port 5545 5547 5548 5549 5550 6550 #GV800
acl CONNECT method CONNECT

##ACLs controle as portas
http_access allow SSL_ports
http_access allow Safe_ports !BADPORTS
#http_access deny port !Safe_ports SSL_ports

http_access allow rede_interna
http_access deny all

################## resultado do Nmap ##################

Starting Nmap 5.51 ( http://nmap.org ) at 2014-12-01 21:11 BRST
Nmap scan report for 20x-xxx-xxx-xxx.dsl.telesp.net.br (20x.xxx.xxx.xxx)
Host is up (0.054s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 7.75 seconds
[root@S6 ~]# nmap -sT 20x.xxx.xxx.xxx

0 0

Quote