Firewall bloqueia Navegação [RESOLVIDO]

1. Firewall bloqueia Navegação [RESOLVIDO]

topz
(usa Ubuntu)

Enviado em 29/10/2010 - 11:15h

Caros Colegas,

Estou tendo que implementar segurança em minha empresa e estou com algumas dificuldades, copiei este script na internet, adequei a configuração de meu servidor e implementei, antes apenas fazia o compartilhamento da conexão do iptables para o squid transparente e funcionava, com este novo script os clientes pingam para fora da rede para IP´s e resolvem nomes também, porém não navegam de jeito nenhum:
Segue o dito abaixo, desde ja agradeço pela ajuda.

#!bin/bash
#firewall

### VARIAVEIS GLOBAIS
ipt="/sbin/iptables"
mod="/sbin/modprobe"

#start_fw()
#{

### VARIAVEIS DO SISTEMA
LO_IP="127.0.0.1"
LAN_IF="eth1"
LAN_IP="172.16.16.1"
LAN_NET="172.16.16.0/24"
WAN_IF="eth0"

### PORTAS DE SAIDA
FW_TCPOUT="443,1049,1364,2500,3007,3456,5017,5024,7080,8017"

### HABILITA ROTEAMENTO DE PACOTES
echo 1 > /proc/sys/net/ipv4/ip_forward

### DESABILITA RESPOSTA DE PING DE BROADCAST
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

### DESABILITA TCP SYNCOOKIES
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## PROTECAO CONTRA IP SPOOFING
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

## IMPEDIR QUE ATAQUES REDIRECIONEM ROTAS
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

## IMPEDIRE QUE ATAQUES DETERMINEM O CAMINHO DA ROTA
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

## PROTECAO CONTRA RESPONSES BOGUS
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### CARREGANDO MODULOS
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE
$mod ip_nat_ftp
$mod ip_conntrack_ftp

### APAGANDO AS REGRAS
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X

### SETANDO AS POLITICAS
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

### TABELAS ADICIONAIS
# $ipt -N SYN_FLOOD
# $ipt -N UNCLEAN
# $ipt -N PING_DEATH
$ipt -N PORT_SCANNER
$ipt -N INVALID_SOURCE
$ipt -N INVALID_CONNECTION
$ipt -N TRANS_PROXY -t nat
$ipt -N SSH

### CONFIGURA AS TABELAS
$ipt -A PORT_SCANNER -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
$ipt -A PORT_SCANNER -j LOG --log-prefix "[IPTables PortScan] : " --log-level info
$ipt -A PORT_SCANNER -j DROP

$ipt -A INVALID_SOURCE -j LOG --log-prefix "[IPTables Drop_Source] : " --log-level info
$ipt -A INVALID_SOURCE -j DROP

$ipt -A INVALID_CONNECTION -j LOG --log-prefix "[IPTables Drop_Port] : " --log-level info
$ipt -A INVALID_CONNECTION -j DROP

$ipt -A SSH -j LOG --log-prefix "[IPTables SSH] : " --log-level info
$ipt -A SSH -j DROP

$ipt -A TRANS_PROXY -t nat -d $LAN_IP -j RETURN
$ipt -A TRANS_PROXY -t nat -p tcp -j REDIRECT --to-port 3128 # REDIRECIONA PARA O SQUID

#########################################################################################
#################### TABELA NAT
#########################################################################################

## SQUID3 / PROXY TRANSPARENTE
$ipt -t nat -A PREROUTING -s $LAN_NET -p tcp --dport 80 -j TRANS_PROXY
#$ipt -t nat -A PREROUTING -s $LAN_NET -p tcp --dport 8080 -j TRANS_PROXY

## ROTEAMENTO PARA TS
$ipt -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 3389 -j DNAT --to-destination 172.16.16.220:3389

## MASCARANDO CONEXAO DO COMPARTILHAMENTO DE INTERNET
$ipt -A POSTROUTING -t nat -s $LAN_NET -o $WAN_IF -j MASQUERADE

#########################################################################################
##################### TABELA OUTPUT
#########################################################################################

## DESTINOS CONFIAVEIS
$ipt -A OUTPUT -d $LAN_NET -j ACCEPT
$ipt -A OUTPUT -d $LO_IP -j ACCEPT

## ORIGENS / DESTINOS NAO CONFIAVEIS
$ipt -A OUTPUT -s 10.0.0.0/8 -j DROP
$ipt -A OUTPUT -s 192.168.0.0/16 -j DROP
$ipt -A OUTPUT -s 224.0.0.0/4 -j DROP
$ipt -A OUTPUT -s 240.0.0.0/5 -j DROP
$ipt -A OUTPUT -s 127.0.0.0/8 -j DROP
$ipt -A OUTPUT -s 0.0.0.0/8 -j DROP
$ipt -A OUTPUT -d 255.255.255.255 -j DROP
$ipt -A OUTPUT -d 224.0.0.0/4 -j DROP

#########################################################################################
###################### TABELA INPUT
#########################################################################################

## SSH - LIBERA CONEXOES DA REDE INTERNA
$ipt -A INPUT -s $LAN_NET -p tcp --dport 22 -j ACCEPT
$ipt -A FORWARD -d $LAN_NET -p tcp --dport 22 -j ACCEPT
$ipt -A OUTPUT -d $LAN_NET -p tcp --dport 22 -j ACCEPT

## SSH - LOGA QUANQUER OUTRA TENTATIVA
$ipt -A INPUT -p tcp --dport 22 -j SSH
$ipt -A FORWARD -p tcp --dport 22 -j SSH
$ipt -A OUTPUT -p tcp --dport 22 -j SSH

## ORIGENS CONFIAVEIS
$ipt -A INPUT -i $LO_IP -j ACCEPT
$ipt -A INPUT -i $LAN_NET -j ACCEPT

## ORIGENS NAO CONFIAVEIS
$ipt -A INPUT -s 10.0.0.0/8 -j DROP
$ipt -A INPUT -s 192.168.0.0/16 -j INVALID_SOURCE
$ipt -A INPUT -s 224.0.0.0/4 -j INVALID_SOURCE
$ipt -A INPUT -s 240.0.0.0/4 -j INVALID_SOURCE
$ipt -A INPUT -s 127.0.0.0/8 -j INVALID_SOURCE
$ipt -A INPUT -s 0.0.0.0/8 -j INVALID_SOURCE
$ipt -A INPUT -d 255.255.255.255 -j INVALID_SOURCE
$ipt -A INPUT -d 224.0.0.0/4 -j INVALID_SOURCE

## PERMITE TRAFEGOS JA ESTABELECIDOS
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

## LIBERANDO MENSAGENS ICMP
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

## TERMINAL SERVICE
$ipt -A INPUT -i $WAN_IF -p tcp --dport 3389 -j ACCEPT

## COMPUTADORES LIBERADOS E SEM PROXY
for i in $(cat /etc/fw_net_free)
do
$ipt -A INPUT -i $WAN_IF -s $i -p tcp --sport 0:65535 --dport 0:65535 -j ACCEPT
$ipt -A INPUT -i $WAN_IF -s $i -p udp --sport 0:65535 --dport 0:65535 -j ACCEPT
done

## SERVIDOR WEB
$ipt -A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -i $LAN_IF -p tcp --dport 80 -j ACCEPT

## DNS
$ipt -A INPUT -p tcp --dport 53 -j ACCEPT
$ipt -A INPUT -p udp --dport 53 -j ACCEPT
$ipt -A INPUT -p tcp --dport 953 -j ACCEPT
$ipt -A INPUT -p udp --dport 953 -j ACCEPT

#######################################################$ipt -A INPUT -p tcp --destination-port 80 -j ACCEPT

$ipt -A INPUT -m multiport -p tcp --dport 22,80 -j ACCEPT

#############################################################################################
######################### TABELA FORWARD
#############################################################################################

## PORTA 3128 ACEITA PELA REDE INTERNA
$ipt -A FORWARD -i $LAN_NET -p tcp --dport 3128 -j ACCEPT

## PERMITE TRAFEGO JA ESTABELECIDO
$ipt -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

## BLOQUEIA ORKUT
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 64.233.171.0/24 -p tcp --dport 443 -j DROP
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 72.14.209.0/24 -p tcp --dport 443 -j DROP
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 216.239.51.0/24 -p tcp --dport 443 -j DROP
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d orkut.com.br -j DROP

## LIBERA CONEXOES HTTPS
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT

## LIBERA MSN
for i in $(cat /etc/fw_msn_free)
do
$ipt -A FORWARD -i $LAN_IF -s $i -p tcp --dport 1863 -j ACCEPT
done

## BLOQUEIA MSN
$ipt -A FORWARD -s $LAN_NET -p tcp --dport 1863 -j REJECT
$ipt -A FORWARD -s $LAN_NET -p tcp --dport 1864 -j REJECT
$ipt -A FORWARD -s $LAN_NET -d loginnet.passport.com -j REJECT
$ipt -A FORWARD -s $LAN_NET -d login.live.com -j REJECT

## PERMITE TRAFEGO DEFINIDO
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 0/0 -p tcp -m multiport --dport $FW_TCPOUT -j ACCEPT

## PERMITIR PING PARTINDO DA REDE LOCAL
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d 0/0 -p icmp -j ACCEPT

## PERMITIR FTP
$ipt -A FORWARD -i $LAN_IF -p tcp --dport 21 -j ACCEPT
$ipt -A FORWARD -i $LAN_IF -p tcp --dport 20 -j ACCEPT

## PERMITIR CLIENTES POP
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d smtp.terra.com.br -p tcp --dport 25 -j ACCEPT
$ipt -A FORWARD -i $LAN_IF -s $LAN_NET -d pop.terra.com.br -p tcp --dport 110 -j ACCEPT

## LIBERA COMPLETO
for i in $(cat /etc/fw_net_free)
do
$ipt -A FORWARD -i $WAN_IF -d $i -j ACCEPT
$ipt -A FORWARD -i $LAN_IF -s $i -j ACCEPT
done

## LOG DO TRAFEGO NAO PERMITIDO
$ipt -A FORWARD -p tcp -j INVALID_CONNECTION

## RECONFIGURA SQUID3
#squid3 -k reconfigure

#}

0 0

Quote

2. Re: Firewall bloqueia Navegação [RESOLVIDO]

renato_pacheco
(usa Debian)

Enviado em 29/10/2010 - 12:47h

Nessa regra:

$ipt -A TRANS_PROXY -t nat -p tcp -j REDIRECT --to-port 3128 # REDIRECIONA PARA O SQUID

Kd a porta 80?? Vc tem q redirecionar a porta 80 ae.

0 0

Quote

3. Esta aqui

topz
(usa Ubuntu)

Enviado em 29/10/2010 - 14:50h

ipt -t nat -A PREROUTING -s $LAN_NET -p tcp --dport 80 -j TRANS_PROXY

0 0

Quote

4. Re: Firewall bloqueia Navegação [RESOLVIDO]

renato_pacheco
(usa Debian)

Enviado em 29/10/2010 - 16:08h

Talvez o problema seja no seu squid. Como ele se encontra?

0 0

Quote

5. Redirecionamento de interfaces

gustavohsr
(usa Debian)

Enviado em 29/10/2010 - 16:15h

Verifique o redirecionamento de conexões entre as interfaces locais.

Por exemplo:

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

0 0

Quote

6. Segue o squid

topz
(usa Ubuntu)

Enviado em 01/11/2010 - 11:26h

http_port 3128 transparent
cache_mem 1000 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid3 45000 16 256

maximum_object_size 30000 KB
maximum_object_size_in_memory 40 KB

access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
pid_filename /var/log/squid3/squid3.pid
mime_table /usr/share/squid3/mime.conf

#cache_mgr ac.miranda@terra.com.br
memory_pools off

diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl caop src 172.16.16.0/24

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 1863 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow caop
http_access deny all

icp_access allow all
cache_mgr proxy
#mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname BURNS

error_directory /usr/share/squid3/errors/Portuguese/

0 0

Quote

7. Resolvido

topz
(usa Ubuntu)

Enviado em 29/10/2011 - 13:12h

Aew Galera, depois de muito tempo resolvi a parada

$ipt -A OUTPUT -s 127.0.0.0/8 -j DROP

esta regra impedia o encaminhamento do redir, na qual o cliente executava o TS em 127.0.0.1:33899 e o redir encaminhava para o meu servidor x.x.x.x:3389 onde o serviço era executado,

Grato pela ajudas e espero que este tópico possa ajudar alguém no futuro.

0 0

Quote