vpn squid

brunocunha
(usa Fedora)

Enviado em 13/04/2009 - 12:33h

sou novo em linux, instalei um squid no fedora, e botei na rede aqui do trabalho,
mas o pessoal que usa vpn nao consegue conectar mais.
nao tenho ideia de porta ou protocolo que esse programa de vpn usa.
somente sei o servidor safeconn01.telemar.com.br
alguem tem alguma ideia por que o firewall/squid esta bloquando?
como libero essa vpn??
obrigado.

volcom
(usa Debian)

Enviado em 13/04/2009 - 12:46h

Tenta essas regra:

iptables -A FORWARD -s (SEU_IP) -i eth1 -d (IP_DA_VPN) -o eth0 -j ACCEPT
iptables -A FORWARD -s (IP_DA_VPN) -i eth0 -d (SEU_IP) -o eth1 -j ACCEPT

Onde eth0 é a sua placa de rede externa e eth1 placa da rede interna.

Passe as suas regras do Iptables também que nos ajuda ;)

Abraço

brunocunha
(usa Fedora)

Enviado em 13/04/2009 - 14:05h

ja fiz isso e nada
meu squid:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.254.0/255.255.255.0 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1024-65535 # VPN
acl Safe_ports port 1723 # VPN
acl Safe_ports port 65535 # VPN
acl Safe_ports port 51396 # VPN
acl Safe_ports port 5355 # VPN
acl Safe_ports port 1024 # VPN
acl sitios url_regex -i "/etc/squid/sitios"
acl palavras url_regex -i "/etc/squid/palavras"
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow sitios
http_access allow all
http_access deny palavras
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 8888 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
coredump_dir /var/spool/squid


firewall.sh

#***************************************#
# Firewall #
# #
# POR: CRISTYAN G. S. SANTOS #
# #
# DATA: 27/12/2006 #
# #
#***************************************#
#!/bin/bash

echo "CARREGANDO FIREWALL "

echo -n "DEFAULT POLICY ACCEPT..................."

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

echo "[OK]"

echo -n "LIMPANDO REGRAS ANTIGAS................."

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z

iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

echo "[OK]"

echo -n "DEFAULT POLICY DROP....................."

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

echo "[OK]"

echo -n "CARREGANDO REGRAS DE INT-EXT............"
sh /usr/local/bin/firewall/INT-EXT.sh
echo "[OK]"

echo -n "CARREGANDO REGRAS DE EXT-INT............"
sh /usr/local/bin/firewall/EXT-INT.sh
echo "[OK]"

echo -n "CARREGANDO REGRAS DE INPUT.............."
sh /usr/local/bin/firewall/INPUT.sh
echo "[OK]"

echo -n "CARREGANDO REGRAS DE FORWARD............"
sh /usr/local/bin/firewall/FORWARD.sh
echo "[OK]"

echo -n "CARREGANDO REGRAS DE OUTPUT............."
sh /usr/local/bin/firewall/OUTPUT.sh
echo "[OK]"

echo -n "CARREGANDO REGRAS DE NAT-IN............."
sh /usr/local/bin/firewall/NAT-IN.sh
echo "[OK]"

iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done

echo "FIREWALL CARREGADO."

ext-int.sh

#################################################
# Liberar acessos Externos

iptables -N EXT2INT

#ACESSO VNC

iptables -A EXT2INT -p tcp -s 200.xxx.xxx.xxx --dport 5800 -j ACCEPT
iptables -A EXT2INT -p tcp -s 200.xxx.xxx.xxx --dport 5900 -j ACCEPT


#ACESSO VPN
iptables -A EXT2INT -p tcp -s 200.xxx.xxx.xxx --dport 1723 -j ACCEPT
iptables -A EXT2INT -p 47 -s 200.xxx.xxx.xxx -j ACCEPT

forward,sh

#Regras de FORWARD

iptables -A FORWARD -i eth1 -o eth1 -j ACCEPT

iptables -A FORWARD -i eth2 -o eth2 -j ACCEPT

# DROP invalid state
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# accept forward packets with allowed state
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth2 -o eth1 -j INT2EXT
iptables -A FORWARD -i eth1 -o eth2 -j EXT2INT

input.sh

##############################################
#Regras de INPUT

#Libera entrada definida no arquivo EXT-INT.sh
iptables -A INPUT -i eth1 -j EXT2INT

#REJEITA PACOTES INVÁLIDOS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#ACEITA PACOTES SINCRONIZADOS
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#ACEITA PACOTES LOCAL
iptables -A INPUT -i lo -j ACCEPT

#Bloqueia Broadcast
iptables -A INPUT -p tcp -d 192.168.254.255 -j DROP
iptables -A INPUT -p tcp -d 255.255.255.255 -j DROP

# reset auth packets
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Libera Webmin para rede
iptables -A INPUT -p tcp -i eth2 --dport 10000 -j ACCEPT

# Libera SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Libera SQUID para rede
iptables -A INPUT -p tcp -i eth2 --dport 8888 -j ACCEPT

# Libera ftp para rede
#iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT

# Libera HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

#Libera ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Libera Traceroute
iptables -A INPUT -p udp --dport 33434 -j ACCEPT

int-ext.sh

#######################################
#Liberar Saída Interna

iptables -N INT2EXT


#***************************************************#
#LIBERA ACESSO TOTAL PARA MAQUINAS INTERNAS
#***************************************************#

iptables -A INT2EXT -p tcp -s 192.168.254.0 -j ACCEPT
iptables -A INT2EXT -p udp -s 192.168.254.0 -j ACCEPT


#***************************************************#
# LIBERA ENVIO E RECEBIMENTO DE E-MAIL
#***************************************************#

iptables -A INT2EXT -p tcp -m multiport --dports 25,110 -j ACCEPT


#***************************************************#
#LIBERA SAÍDA NAS PORTAS
#***************************************************#

#VNC
iptables -A INT2EXT -p tcp --dport 5900 -j ACCEPT
iptables -A INT2EXT -p tcp --dport 5800 -j ACCEPT

#FTP
iptables -A INT2EXT -p tcp --dport 21 -j ACCEPT
iptables -A INT2EXT -p udp --dport 21 -j ACCEPT

#DNS
iptables -A INT2EXT -p udp --dport 53 -j ACCEPT
iptables -A INT2EXT -p tcp --dport 53 -j ACCEPT

iptables -A INT2EXT -p icmp -j ACCEPT
#############################################

output.sh

###############################################
#Regras de OUTPUT

# DROP invalid state
#iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# accept output packets with allowed state
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept output packets from LO_IFACE
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -j ACCEPT
##############################################

brunocunha
(usa Fedora)

Enviado em 13/04/2009 - 18:01h

quando conecto na vpn pela rede local sem proxy tenho a seguinte tela:
protocolo endereco local endereco externo estado
tcp snap-16777af438:1090 rjprod01.telemar:telnet established
tcp snap-16777af438:1086 localhost:5152 fin_wait_2
tcp snap-16777af438:5152 localhost:1086 close_wait

cristyangiovane
(usa CentOS)

Enviado em 30/04/2009 - 16:48h

Não sei se entendi...
O pessoal da sua rede acessa uma vpn no servidor safeconn01.telemar.com.br
Se for isso coloca essa regra no arquivo INT-EXT.sh

iptables -A INT2EXT -p tcp -d safeconn01.telemar.com.br
-j ACCEPT