slackware+nocat+squid server

13. Re: slackware+nocat+squid server

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 12/09/2012 - 18:00h

Unfortunately I don't know how this application works. That makes it hard to help.


14. Re: slackware+nocat+squid server

Marcos Vinícius Silva
marvinoliveiras

(uses Slackware)

Sent on 14/09/2012 - 12:33h

there is another configuration file with more information about iptables, access.fw:


#!/bin/sh

##
# VERY simple access control script for leeenux
##

# Note: your PATH is inherited from the gateway process
#

action=$1
mac=$2
ip=$3
class=$4

if [ -z "$action" -o -z "$mac" -o -z "$ip" -o -z "$class" ]; then
echo Usage: $0 [permit\|deny] [MAC] [IP] [Class]
echo Example: $0 permit 00:02:2d:aa:bb:cc 10.0.0.105 member
exit 1
fi

if [ "$action" = "permit" ]; then
cmd=-A
elif [ "$action" = "deny" ]; then
cmd=-D
else
echo "FATAL: Bad action: $action!"
exit 1
fi

if [ "$class" = "Owner" ]; then
mark=1
elif [ "$class" = "Member" ]; then
mark=2
elif [ "$class" = "Public" ]; then
mark=3
else
echo "FATAL: Bad class: $class!"
exit 1
fi

if [ "$IgnoreMAC" ]; then
match_mac=""
else
match_mac="-m mac --mac-source $mac"
fi

# Mark outbound traffic from this node.
iptables -t mangle $cmd NoCat $match_mac -s $ip -j MARK --set-mark $mark
iptables -t nat $cmd PREROUTING $match_mac -s $ip -p tcp --dport 80 -j DNAT --to 192.168.1.254:3128
# Mark inbound traffic to this node.
iptables -t filter $cmd NoCat_Inbound -d $ip -j ACCEPT

#
# Ende
#



15. Re: slackware+nocat+squid server

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 14/09/2012 - 14:04h

Apparently this script is correct. I didn't see any error in it, since I checked each parameter. It may be another file, because the error message says "Bad argument", as if the command syntax were incorrect.


16. Re: slackware+nocat+squid server

Marcos Vinícius Silva
marvinoliveiras

(uses Slackware)

Sent on 19/09/2012 - 17:38h

the striking thing is that despite this error I noticed the application does start, because I tested it on a computer I set up as a client; on it, when I try to access the internet, the server tries to redirect to the login page, and the address ends up like this:

https://192.168.1.254/cgi-bin/login?redirect=http%3a%2f%2fwww%2eguiadohardware%2enet%2f&timeout=...

but the page doesn't load



17. Re: slackware+nocat+squid server

Marcos Vinícius Silva
marvinoliveiras

(uses Slackware)

Sent on 03/10/2012 - 14:42h

after a lot of testing and research, I commented out some lines in the file /usr/local/nocat/gw/initialize.fw, namely:


$ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
$ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
--to-port $GatewayPort


the full file:

#!/bin/sh
##
#
# initialize.fw: setup the default firewall rules
#
# *** NOTE ***
#
# If you want to have local firewall rules in addition to what NoCat
# provides, add them at the bottom of this file. They will be recreated
# each time gateway is restarted.
#
##

# The current service classes by fwmark are:
#
# 1: Owner
# 2: Co-op
# 3: Public
# 4: Free

# Note: your PATH is inherited from the gateway process
#

if [ $(id -u) = 0 ]; then
# Enable IP forwarding and rp_filter (to kill IP spoof attempts).
#
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Load alllll the kernel modules we need.
#
rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users.

for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
ip_nat_irc ipt_mac ipt_state ipt_mark; do

modprobe $module
done
fi

# Flush all user-defined chains
#
iptables -t filter -N NoCat 2>/dev/null
iptables -t filter -F NoCat
iptables -t filter -D FORWARD -j NoCat 2>/dev/null
iptables -t filter -A FORWARD -j NoCat

iptables -t filter -N NoCat_Ports 2>/dev/null
iptables -t filter -F NoCat_Ports
iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null
iptables -t filter -A NoCat -j NoCat_Ports

iptables -t filter -N NoCat_Inbound 2>/dev/null
iptables -t filter -F NoCat_Inbound
iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null
iptables -t filter -A NoCat -j NoCat_Inbound

iptables -t nat -N NoCat_Capture 2>/dev/null
iptables -t nat -F NoCat_Capture
iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null
iptables -t nat -A PREROUTING -j NoCat_Capture

iptables -t nat -N NoCat_NAT 2>/dev/null
iptables -t nat -F NoCat_NAT

#
# Only nat if we're not routing
#
iptables -t nat -D POSTROUTING -j NoCat_NAT 2>/dev/null
[ "$RouteOnly" ] ||iptables -t nat -A POSTROUTING -j NoCat_NAT

iptables -t mangle -N NoCat 2>/dev/null
iptables -t mangle -F NoCat
iptables -t mangle -D PREROUTING -j NoCat 2>/dev/null
iptables -t mangle -A PREROUTING -j NoCat

fwd="iptables -t filter -A NoCat"
ports="iptables -t filter -A NoCat_Ports"
nat="iptables -t nat -A NoCat_NAT"
redirect="iptables -t nat -A NoCat_Capture"
mangle="iptables -t mangle -A NoCat"

if [ "$MembersOnly" ]; then
classes="1 2"
else
classes="1 2 3"
fi

# Handle tagged traffic.
#
for iface in $InternalDevice; do
for net in $LocalNetwork; do
for fwmark in $classes; do
# Only forward tagged traffic per class
$fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
# $fwd -o $iface -d $net -m mark --mark $fwmark -j ACCEPT

# Masquerade permitted connections.
$nat -o $ExternalDevice -s $net -m mark --mark $fwmark -j MASQUERADE
done

# Allow web traffic to the specified hosts, and don't capture
# connections intended for them.
#
if [ "$AuthServiceAddr" -o "$AllowedWebHosts" ]; then
for host in $AuthServiceAddr $AllowedWebHosts; do
for port in 80 443; do
$nat -s $net -d $host -p tcp --dport $port -j MASQUERADE
$redirect -s $net -d $host -p tcp --dport $port -j RETURN
$fwd -s $net -d $host -p tcp --dport $port -j ACCEPT
$fwd -d $net -s $host -p tcp --sport $port -j ACCEPT
done
done
fi

# Accept forward and back traffic to/from DNSAddr
if [ "$DNSAddr" ]; then
for dns in $DNSAddr; do
$fwd -o $iface -d $net -s $dns -j ACCEPT

for prot in tcp udp; do
$fwd -i $iface -s $net -d $dns -p $prot --dport 53 -j ACCEPT
$nat -p $prot -s $net -d $dns --dport 53 -j MASQUERADE

# Force unauthenticated DNS traffic through this server.
# Of course, only the first rule of this type will match.
# But it's easier to leave them all in ATM.
#
# Commented out for now, it's got a syntax issue I can't
# quite fathom: "iptables: Invalid argument"
# --Rob
#
#$nat -i $InternalDevice -m mark --mark 4 -p $prot \
# --dport 53 -j DNAT --to $dns:53
done
done
fi
done

# Set packets from internal devices to fw mark 4, or 'denied', by default.
$mangle -i $iface -j MARK --set-mark 4
done

# Redirect outbound non-auth web traffic to the local gateway process
# except to windowsupdate.microsoft.com, which is broken.
#
# If MembersOnly is active, then redirect public class as well
#
if [ "$MembersOnly" ]; then
nonauth="3 4"
else
nonauth="4"
fi
for port in 80 443; do
for mark in $nonauth; do
$redirect -m mark --mark $mark -d windowsupdate.microsoft.com -j DROP
$redirect -m mark --mark $mark -p tcp --dport $port -j REDIRECT \
--to-port $GatewayPort
done
done

# Lock down more ports for public users, if specified. Port restrictions
# are not applied to co-op and owner class users.
#
# There are two philosophies in restricting access: That Which Is Not
# Specifically Permitted Is Denied, and That Which Is Not Specifically
# Denied Is Permitted.
#
# If "IncludePorts" is defined, the default policy will be to deny all
# traffic, and only allow the ports mentioned.
#
# If "ExcludePorts" is defined, the default policy will be to allow all
# traffic, except to the ports mentioned.
#
# If both are defined, ExcludePorts will be ignored, and the default policy
# will be to deny all traffic, allowing everything in IncludePorts, and
# issue a warning.
#
if [ "$IncludePorts" ]; then
if [ "$ExcludePorts" ]; then
echo "Warning: ExcludePorts and IncludePorts are both defined."
echo "Ignoring 'ExcludePorts'. Please check your nocat.conf."
fi

# Enable all ports in IncludePorts
for iface in $InternalDevice; do
for port in $IncludePorts; do
$ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
$ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
done

# Always permit access to the GatewayPort (or we can't logout)
$ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT
$ports -p udp -i $iface --dport $GatewayPort -j ACCEPT

# ...and disable access to the rest.
$ports -p tcp -i $iface -m mark --mark 3 -j DROP
$ports -p udp -i $iface -m mark --mark 3 -j DROP
done

elif [ "$ExcludePorts" ]; then
# If ExcludePorts has entries, simply deny access to them.
for iface in $InternalDevice; do
for port in $ExcludePorts; do
$ports -p tcp -i $iface --dport $port -m mark --mark 3 -j DROP
$ports -p udp -i $iface --dport $port -m mark --mark 3 -j DROP
done
done
fi

#
# Disable access on the external to GatewayPort from anything but the AuthServiceAddr
#
if [ "$AuthServiceAddr" ]; then
$fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
fi

# Filter policy.
$fwd -j DROP

#
# Call the bandwidth throttle rules.
#
# Note: This feature is *highly* experimental.
#
# This functionality requires the 'tc' advanced router tool,
# part of the iproute2 package, available at:
# ftp://ftp.inr.ac.ru/ip-routing/
#
# To use bandwidth throttling, edit the upload and download
# bandwidth thresholds at the top of the throttle.fw file,
# and make throttle.fw executable. Try something like this:
#
# chmod +x throttle.fw
#
[ -x throttle.fw ] && throttle.fw

##
# Add any other local firewall rules below.
##

##
# Uncomment the following to permit all 10/8 traffic *before* auth
##

#AllowedNetworks="10.0.0.0/8"
#
#for net in $AllowedNetworks; do
# iptables -t mangle -A PREROUTING -d $net -j MARK --set-mark 2
# iptables -t filter -A FORWARD -s $net -j ACCEPT
#done

#
# Ende
#


error shown:

iptables v1.4.12.2:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.


Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.12.2:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.


Try `iptables -h' or 'iptables --help' for more information.
Bad argument `192.168.1.254'
Try `iptables -h' or 'iptables --help' for more information.
[2012-10-03 14:41:59] Binding listener socket to 0.0.0.0

what should I do to fix this error?
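As an added example (mine, not from the thread or from NoCat), a small POSIX sh lint that reads a NoCat-style firewall script and flags the two constructs newer iptables rejects and that the error output above points at: a DROP target in the nat table, and the old `-s ! ADDR` inversion, which newer iptables only accepts as `! -s ADDR`. It assumes GNU sed and grep; the two sample files are constructed excerpts, not the poster's full initialize.fw.

```shell
#!/bin/sh
# Lint a NoCat-style firewall script for the two constructs that newer iptables
# (the thread shows 1.4.12.2) rejects and that the error output above points at:
#   1. "-j DROP" on a rule in the nat table -> 'The "nat" table is not intended
#      for filtering, the use of DROP is therefore inhibited'
#   2. the old inverted syntax "-s ! ADDR": "!" is taken as the address and the
#      real address is left over as a stray token -> 'Bad argument ...'; the
#      accepted form is "! -s ADDR".

lint_fw_script() {
    file=$1
    # Pass 1: turn each  name="iptables ..."  assignment into a sed command that
    # expands "$name ..." at the start of a line into the full iptables command,
    # so the table a rule lands in is visible on the rule line itself.
    expand=$(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)="\(iptables [^"]*\)"$/s|^[[:space:]]*\\$\1 |\2 |/p' "$file")
    # Pass 2: expand, flag, and report with the original line numbers.
    # Requiring no "#" before the match skips commented-out rules.
    sed -e "$expand" "$file" | grep -nE \
        -e '^[^#]*iptables[[:space:]]+-t[[:space:]]+nat[[:space:]].*-j[[:space:]]+DROP' \
        -e '^[^#]*[[:space:]]-[sdio][[:space:]]+![[:space:]]' |
    sed -e 's/^\([0-9]*\):.*-t nat.*-j DROP.*/line \1: DROP in the nat table; filter in the filter table instead/' \
        -e 's/^\([0-9]*\):.*[[:space:]]\(-[sdio]\)[[:space:]]*! .*/line \1: inverted match written "\2 !"; newer iptables needs "! \2"/'
}

# Constructed excerpt of the initialize.fw posted above (not the whole file).
BROKEN=$(mktemp)
cat >"$BROKEN" <<'EOF'
fwd="iptables -t filter -A NoCat"
redirect="iptables -t nat -A NoCat_Capture"
# $fwd -o $iface -d $net -m mark --mark $fwmark -j ACCEPT
$redirect -m mark --mark $mark -d windowsupdate.microsoft.com -j DROP
$redirect -m mark --mark $mark -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
$fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
$fwd -j DROP
EOF

# Same excerpt rewritten (constructed, not from the thread): the windowsupdate DROP
# moved to the filter-table chain, and the inversion written as "! -s".
FIXED=$(mktemp)
cat >"$FIXED" <<'EOF'
fwd="iptables -t filter -A NoCat"
redirect="iptables -t nat -A NoCat_Capture"
$fwd -m mark --mark $mark -d windowsupdate.microsoft.com -j DROP
$redirect -m mark --mark $mark -p tcp --dport $port -j REDIRECT --to-port $GatewayPort
$fwd -i $ExternalDevice ! -s $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
$fwd -j DROP
EOF

lint_fw_script "$BROKEN"   # reports lines 4 and 6
lint_fw_script "$FIXED"    # reports nothing
```

Run it against the real initialize.fw and access.fw before restarting the gateway; anything it reports is a rule iptables will refuse to load, which is what leaves the capture rules incomplete here.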


