SSH Error [SOLVED]

1. SSH Error [SOLVED]

Wiliam Pegoraro
wiliampegoraro

(uses Other)

Posted on 24/04/2015 - 17:47h

I have a CentOS server running IPTABLES and SQUID, beautiful, perfect!

Ports 443 and 80 are redirected to 3128

Problem: since there are only 3 computers, whenever an https site had to be accessed I removed the port 443 redirect from iptables and the computers accessed https normally, but now when I remove the 443 redirect the machines show an SSH error or sometimes keep loading and never get into the https sites.


  


2. Re: SSH Error [SOLVED]

Fábio Berbert de Paula
fabio

(uses Debian)

Posted on 24/04/2015 - 17:51h

Post the rules you are using and the SSH error message that occurs. From a description alone it is almost impossible for anyone to diagnose the error.


3. Re: SSH Error [SOLVED]

Wiliam Pegoraro
wiliampegoraro

(uses Other)

Posted on 24/04/2015 - 17:56h

fabio wrote:

Post the rules you are using and the SSH error message that occurs. From a description alone it is almost impossible for anyone to diagnose the error.


Good afternoon Fabio, the error shown is "Código de erro: ERR_CONNECTION_TIMED_OUT"; here are my iptables and squid.
IPTABLES

#!/bin/sh
#ip-guardian

echo ""
uname -s -r -m -o
echo ""
echo " FIREWALL RAFITEC -- Firewall Iptables"
echo ""


firewall_start(){

echo ""
echo " Iniciando as Regras do Firewall .............................................."
echo ""

echo " Ativando o IP forward ................................................. [ OK ]"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " Protegendo contra Pings ( ignorando ) ................................. [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo " Protegendo contra IP spoofing ......................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo " Protegendo contra diversos ataques .................................... [ OK ]"
# 0 refuses source-routed packets; writing 1 here would enable source routing instead
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo " Protegendo contra bogus responses ..................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo " Protegendo contra IP synflood ......................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo " Protegendo contra ICMP Broadcasting ................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " Protegendo contra alteracao de rota ................................... [ OK ]"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo " Definindo Politica Padrao ...................................................."
echo ""
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP


echo " Limpando Regras Anteriores ............................................ [ OK ]"
echo ""
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

# Rate-limit forwarded echo requests. Kept after the flush on purpose: a rule
# appended before 'iptables -t filter -F' is deleted by it and never applies.
echo " Protegendo contra Pings da Morte ...................................... [ OK ]"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

echo " Compartilhando a internet via IPTABLES .................................[ OK ]"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


echo " Redirecionamento de portas ............................................ [ OK ]"
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 40100 -j DNAT --to-destination 192.168.100.100:3389 #Apontamento01-xxe
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 40101 -j DNAT --to-destination 192.168.100.101:3389 #Prensa01-xxe
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 40102 -j DNAT --to-destination 192.168.100.102:3389 #Marciano

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.100.49:3000 #REP-01
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1001 -j DNAT --to-destination 192.168.100.50:1001 #REP-02



echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80 -j REDIRECT --to-port 3128


echo " Liberando acesso FTP, HTTP, HTTPS, atraves do SQUID ................... [ OK ]"
iptables -A INPUT -p tcp -i eth1 --dport 3128 -j ACCEPT


echo " Forward porta DNS ..................................................... [ OK ]"
iptables -A FORWARD -p udp --dport 53 -j ACCEPT


########################################################################################
################## TEAM VIEWER ##################
########################################################################################

iptables -A FORWARD -p tcp --dport 5938 -j ACCEPT
iptables -A FORWARD -p udp --dport 5938 -j ACCEPT


########################################################################################
################### WEB SERVICE RAFITEC ###################
########################################################################################

iptables -A FORWARD -p tcp --dport 8189 -j ACCEPT
iptables -A FORWARD -p udp --dport 8189 -j ACCEPT

########################################################################################
################### PORTA DE ACESSO REMOTO WTS RAFITEC ###################
########################################################################################

iptables -A FORWARD -p tcp --dport 40018 -j ACCEPT
iptables -A FORWARD -p udp --dport 40018 -j ACCEPT

########################################################################################


echo " Liberando acesso NTP .................................................. [ OK ]"
iptables -A FORWARD -p udp -i eth1 --dport 123 -j ACCEPT   # NTP runs over UDP/123, not TCP


echo " Liberando acesso a E-MAIL ............................................. [ OK ]"
iptables -A FORWARD -p tcp -i eth1 -m multiport --dports 25,110,143,465,587,993,995 -j ACCEPT


echo " Protegendo contra traceroute .......................................... [ OK ]"
iptables -A INPUT -p udp --dport 33435:33525 -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -p udp --dport 33435:33525 -j DROP


echo " Protegendo contra portscanners, ping of death, ataques DoS, etc. ...... [ OK ]"
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -m state --state INVALID -j DROP


echo " Liberando conexao SSH ..................................................[ OK ]"
iptables -A INPUT -p tcp -m tcp --dport 22500 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22500 -i eth1 -j ACCEPT


echo " Fechando portas UDP 1:1024 ............................................ [ OK ]"
iptables -A INPUT -p udp --dport 1:1024 -j LOG --log-prefix "_BLOCKED_UDP_: "
iptables -A INPUT -p udp --dport 1:1024 -j DROP


echo " Permitindo respostas a conexoes iniciadas pela maquina ................ [ OK ]"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


echo " Permitindo respostas a conexoes iniciadas pela rede ................... [ OK ]"
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


echo " Liberando a interface de loopback ..................................... [ OK ]"
iptables -A INPUT -i lo -j ACCEPT


echo " Liberando portas WTS .................................................. [ OK ]"
iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.100 --dport 3389 -m state --state NEW -j ACCEPT #Apontamento01-xxe
iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.101 --dport 3389 -m state --state NEW -j ACCEPT #Prensa01-xxe
iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.102 --dport 3389 -m state --state NEW -j ACCEPT #Marciano

########################################################################################
################### Henry ###################
########################################################################################

iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.49 --dport 3000 -m state --state NEW -j ACCEPT #REP
iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.50 --dport 1001 -m state --state NEW -j ACCEPT #REP

########################################################################################

echo " Bloqueando qualquer conexao que nao tenha sido permitida acima ........ [ OK ]"
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -p tcp --syn -j DROP


echo " Firewall em operacao .................................................. [ OK ]"
echo " Seja bem-vindo de volta "


sleep 1

}

firewall_stop(){

iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

}

case "$1" in

"start")
firewall_start
;;

"stop")
firewall_stop
echo " Desativando todas as Regras do Firewall ................................ [ OK ]"
echo " firewall disabled "
sleep 1
;;

status)
echo -e " ============================== Table Filter ============================ ";
iptables -t filter -vnL
echo -e " ============================== Table Nat ============================= ";
iptables -t nat -vnL
echo -e " ============================== Table Mangle =========================== ";
iptables -t mangle -vnL
echo -e " ============================== Table Raw ============================ ";
iptables -t raw -vnL
;;

"restart")
echo " Reativando todas as Regras do Firewall ................................ [ OK ]"
sleep 1
firewall_stop; firewall_start
;;

*)
iptables -vnL

esac




SQUID


http_port 3128 transparent
visible_hostname proxy.rafitecxxe
error_directory /usr/share/squid/errors/Portuguese

cache_mem 700 MB
maximum_object_size_in_memory 32 KB
maximum_object_size 1024 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /etc/squid/cache 30000 16 256
cache_access_log /etc/squid/access.log


acl all src 0.0.0.0/0.0.0.0
acl redelocal src 192.168.100.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 873
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 873 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # high ports
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


# Allow full (root) access by IP
acl liberar_root src "/etc/squid/liberar_root"
http_access allow liberar_root


# Allow limited access by IP
acl liberar_acesso_ip_limitado src "/etc/squid/liberar_ips"


# White List
acl sites_liberados dstdom_regex -i "/etc/squid/sites_liberados"


# Block sites by URL
acl sites_proibidos url_regex -i "/etc/squid/sites_proibidos"
http_access deny sites_proibidos


# Block words in the URL
acl proibir_palavras_na_url dstdom_regex "/etc/squid/proibir_palavras_na_url"
http_access deny proibir_palavras_na_url


# Block downloads by extension
acl downloads_proibidos url_regex -i \.exe \.torrent \.avi \.mp3 \.mp4 \.rar \.zip \.3gp \.mpeg
http_access deny downloads_proibidos


# [*****]
acl pornografia_na_url url_regex -i "/etc/squid/pornografia_na_url"
http_access deny pornografia_na_url



http_access allow localhost
http_access deny !sites_liberados
http_access allow liberar_acesso_ip_limitado
http_access deny redelocal
http_access deny all









4. Re: SSH Error [SOLVED]

Wiliam Pegoraro
wiliampegoraro

(uses Other)

Posted on 01/09/2015 - 09:07h


Anyone?


5. Re: SSH Error [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 01/09/2015 - 09:25h

The rule below

echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80 -j REDIRECT --to-port 3128

change it to this

echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80,443 -j REDIRECT --to-port 3128

restart and test.
Post here what happens.


6. Re: SSH Error [SOLVED]

Wiliam Pegoraro
wiliampegoraro

(uses Other)

Posted on 01/09/2015 - 09:51h

Buckminster wrote:

The rule below

echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80 -j REDIRECT --to-port 3128

change it to this

echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80,443 -j REDIRECT --to-port 3128

restart and test.
Post here what happens.


Thanks for the reply

When I redirect port 443 to SQUID -> SSH ERROR
When I remove the port redirect, the browser keeps loading and doesn't open the site.

Can you help me?






7. Re: SSH Error

Buckminster
Buckminster

(uses Debian)

Posted on 01/09/2015 - 10:53h

OK, now keep the rules below

echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80,443 -j REDIRECT --to-port 3128

echo " Liberando acesso FTP, HTTP, HTTPS, atraves do SQUID ................... [ OK ]"
iptables -A INPUT -p tcp -i eth1 --dport 3128 -j ACCEPT

and right below them add

iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

restart and test.


And why the hell are you denying local network access in Squid:
http_access deny redelocal


8. Re: SSH Error [SOLVED]

Wiliam Pegoraro
wiliampegoraro

(uses Other)

Posted on 01/09/2015 - 11:05h

Buckminster wrote:

OK, now keep the rules below

echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80,443 -j REDIRECT --to-port 3128

echo " Liberando acesso FTP, HTTP, HTTPS, atraves do SQUID ................... [ OK ]"
iptables -A INPUT -p tcp -i eth1 --dport 3128 -j ACCEPT

and right below them add

iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

restart and test.


And why the hell are you denying local network access in Squid:
http_access deny redelocal


I did what you asked and the browser still shows an SSH error

Não foi possível estabelecer uma conexão segura com o servidor. Pode ser um problema com o servidor ou pode ser necessário um certificado de autenticação de cliente que você não tem.
Código de erro: ERR_SSL_PROTOCOL_ERROR

should I remove this rule?
http_access deny redelocal




9. Re: SSH Error

Buckminster
Buckminster

(uses Debian)

Posted on 01/09/2015 - 11:12h

Change this rule

http_access deny redelocal

to

http_access allow redelocal

restart Squid and test.

Oh, and don't forget to enable SSL in the browsers being used and clear those browsers' cache.

One more thing: did you compile Squid with SSL support?



10. Re: SSH Error [SOLVED]

Wiliam Pegoraro
wiliampegoraro

(uses Other)

Posted on 01/09/2015 - 11:28h

Buckminster wrote:

Change this rule

http_access deny redelocal

to

http_access allow redelocal

restart Squid and test.

Oh, and don't forget to enable SSL in the browsers being used and clear those browsers' cache.

One more thing: did you compile Squid with SSL support?


Friend, my mistake: since this post was already a while old, the file was out of date. Here is my configured firewall

#!/bin/sh
#ip-guardian

echo ""
uname -s -r -m -o
echo ""
echo " FIREWALL RAFITEC -- Firewall Iptables"
echo ""


firewall_start(){

echo ""
echo " Iniciando as Regras do Firewall .............................................."
echo ""

echo " Ativando o IP forward ................................................. [ OK ]"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo " Protegendo contra Pings ( ignorando ) ................................. [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo " Protegendo contra IP spoofing ......................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo " Protegendo contra diversos ataques .................................... [ OK ]"
# 0 refuses source-routed packets; writing 1 here would enable source routing instead
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo " Protegendo contra bogus responses ..................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo " Protegendo contra IP synflood ......................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo " Protegendo contra ICMP Broadcasting ................................... [ OK ]"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " Protegendo contra alteracao de rota ................................... [ OK ]"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo " Definindo Politica Padrao ...................................................."
echo ""
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP


echo " Limpando Regras Anteriores ............................................ [ OK ]"
echo ""
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

# Rate-limit forwarded echo requests. Kept after the flush on purpose: a rule
# appended before 'iptables -t filter -F' is deleted by it and never applies.
echo " Protegendo contra Pings da Morte ...................................... [ OK ]"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

echo " Compartilhando a internet via IPTABLES .................................[ OK ]"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


echo " Redirecionamento de portas ............................................ [ OK ]"
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 40100 -j DNAT --to-destination 192.168.100.100:3389 #Apontamento01-xxe
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 40101 -j DNAT --to-destination 192.168.100.101:3389 #Prensa01-xxe
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 40102 -j DNAT --to-destination 192.168.100.102:3389 #Marciano
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 40103 -j DNAT --to-destination 192.168.100.103:3389 #Expedicao41

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.100.49:3000 #REP-01
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1001 -j DNAT --to-destination 192.168.100.50:1001 #REP-02


echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80,443 -j REDIRECT --to-port 3128


echo " Liberando acesso FTP, HTTP, HTTPS, atraves do SQUID ................... [ OK ]"
iptables -A INPUT -p tcp -i eth1 --dport 3128 -j ACCEPT


iptables -A FORWARD -p tcp --dport 443 -j ACCEPT


echo " Forward porta DNS ..................................................... [ OK ]"
iptables -A FORWARD -p udp --dport 53 -j ACCEPT


########################################################################################
################## TEAM VIEWER ##################
########################################################################################

#iptables -A FORWARD -p tcp --dport 5938 -j ACCEPT
iptables -A FORWARD -p udp --dport 5938 -j ACCEPT


########################################################################################
################### WEB SERVICE RAFITEC ###################
########################################################################################

iptables -A FORWARD -p tcp --dport 8189 -j ACCEPT
iptables -A FORWARD -p udp --dport 8189 -j ACCEPT

########################################################################################
################### PORTA DE ACESSO REMOTO WTS RAFITEC ###################
########################################################################################

iptables -A FORWARD -p tcp --dport 40018 -j ACCEPT
#iptables -A FORWARD -p udp --dport 40018 -j ACCEPT

########################################################################################


echo " Liberando acesso NTP .................................................. [ OK ]"
iptables -A FORWARD -p udp -i eth1 --dport 123 -j ACCEPT   # NTP runs over UDP/123, not TCP


echo " Liberando acesso a E-MAIL ............................................. [ OK ]"
iptables -A FORWARD -p tcp -i eth1 -m multiport --dports 110,587 -j ACCEPT


echo " Protegendo contra traceroute .......................................... [ OK ]"
iptables -A INPUT -p udp --dport 33435:33525 -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -p udp --dport 33435:33525 -j DROP


echo " Protegendo contra portscanners, ping of death, ataques DoS, etc. ...... [ OK ]"
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -m state --state INVALID -j DROP


echo " Liberando conexao SSH ..................................................[ OK ]"
iptables -A INPUT -p tcp -m tcp --dport 22500 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22500 -i eth1 -j ACCEPT


echo " Fechando portas UDP 1:1024 ............................................ [ OK ]"
iptables -A INPUT -p udp --dport 1:1024 -j LOG --log-prefix "_BLOCKED_UDP_: "
iptables -A INPUT -p udp --dport 1:1024 -j DROP


echo " Permitindo respostas a conexoes iniciadas pela maquina ................ [ OK ]"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


echo " Permitindo respostas a conexoes iniciadas pela rede ................... [ OK ]"
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


echo " Liberando a interface de loopback ..................................... [ OK ]"
iptables -A INPUT -i lo -j ACCEPT


echo " Liberando portas WTS .................................................. [ OK ]"
iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.100 --dport 3389 -m state --state NEW -j ACCEPT #Apontamento01-xxe
iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.101 --dport 3389 -m state --state NEW -j ACCEPT #Prensa01-xxe
iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.102 --dport 3389 -m state --state NEW -j ACCEPT #Marciano

########################################################################################
################### Henry ###################
########################################################################################

iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.49 --dport 3000 -m state --state NEW -j ACCEPT #REP
iptables -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.100.50 --dport 1001 -m state --state NEW -j ACCEPT #REP

########################################################################################

echo " Bloqueando qualquer conexao que nao tenha sido permitida acima ........ [ OK ]"
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "_BLOCKED_: "
iptables -A INPUT -p tcp --syn -j DROP


echo " Firewall em operacao .................................................. [ OK ]"
echo " Seja bem-vindo de volta "


sleep 1

}

firewall_stop(){

iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

}

case "$1" in

"start")
firewall_start
;;

"stop")
firewall_stop
echo " Desativando todas as Regras do Firewall ................................ [ OK ]"
echo " firewall disabled "
sleep 1
;;

status)
echo -e " ============================== Table Filter ============================ ";
iptables -t filter -vnL
echo -e " ============================== Table Nat ============================= ";
iptables -t nat -vnL
echo -e " ============================== Table Mangle =========================== ";
iptables -t mangle -vnL
echo -e " ============================== Table Raw ============================ ";
iptables -t raw -vnL
;;

"restart")
echo " Reativando todas as Regras do Firewall ................................ [ OK ]"
sleep 1
firewall_stop; firewall_start
;;

*)
iptables -vnL

esac






11. Re: SSH Error [SOLVED]

Wiliam Pegoraro
wiliampegoraro

(uses Other)

Posted on 01/09/2015 - 11:29h

Buckminster wrote:

Change this rule

http_access deny redelocal

to

http_access allow redelocal

restart Squid and test.

Oh, and don't forget to enable SSL in the browsers being used and clear those browsers' cache.

One more thing: did you compile Squid with SSL support?

Yes, it has SSL! Is it possible to disable it? Because for now I don't use it







12. Re: SSH Error [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 01/09/2015 - 11:39h

Now put this rule

iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

like this

iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

echo " Redirecionando portas para o SQUID (Proxy Transparente) ............... [ OK ]"
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80,443 -j REDIRECT --to-port 3128

restart, test and post the result here.

Note: just to clear my conscience: are the systems' date and time correct?
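Both symptoms in this thread follow mechanically from the posted files. With the FORWARD policy at DROP and no rule accepting tcp/443, HTTPS that is not intercepted has no path through the gateway, so the browser times out (ERR_CONNECTION_TIMED_OUT). With tcp/443 REDIRECTed to a listener declared only as `http_port 3128 transparent`, the browser's TLS handshake lands on a plain HTTP port and fails (ERR_SSL_PROTOCOL_ERROR); only an `https_port`/`ssl_bump` setup on an SSL-enabled Squid can receive intercepted TLS. A third, quieter problem is the ICMP rule appended before `iptables -t filter -F`, which the flush deletes. The POSIX shell script below is an added example, not code from the thread or from any of its participants: a static pre-flight check that reads a firewall script and a squid.conf as text and reports those three conditions. The function names and the embedded sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): static pre-flight check for an
# iptables + Squid transparent-proxy setup. It reads a firewall script and a
# squid.conf as plain text and reports the three problems discussed above.
# All function names and sample files below are constructed for this example.

# rules_before_flush SCRIPT
# Print every 'iptables ... -A/-I ...' line that appears before the first
# 'iptables [-t table] -F'. The flush deletes those rules, so they never apply.
rules_before_flush() {
    awk '
        /^[[:space:]]*iptables[[:space:]]+(-t[[:space:]]+[a-z]+[[:space:]]+)?-F/ { flushed = 1 }
        !flushed && /^[[:space:]]*iptables.*[[:space:]]-[AI][[:space:]]/ { print }
    ' "$1"
}

# https_intercepted SCRIPT
# True if a nat PREROUTING rule REDIRECTs tcp/443 (alone or inside a --dports list).
https_intercepted() {
    grep -Eq -- '-t nat .*PREROUTING.*--dports?[[:space:]]+([0-9]+,)*443(,|[[:space:]]).*-j REDIRECT' "$1"
}

# squid_terminates_tls CONF
# True if squid.conf declares an https_port or ssl_bump, i.e. Squid is set up
# to receive intercepted TLS rather than only plain HTTP on http_port.
squid_terminates_tls() {
    grep -Eq '^[[:space:]]*(https_port|ssl_bump)[[:space:]]' "$1"
}

# forward_allows_443 SCRIPT
# True if the filter FORWARD chain has an ACCEPT rule for tcp/443.
forward_allows_443() {
    grep -Eq -- '-A FORWARD .*-p tcp .*--dports? 443[[:space:]].*-j ACCEPT' "$1"
}

# fw_lint SCRIPT CONF
# Print one tagged finding per problem; return the number of findings.
fw_lint() {
    n=0
    wiped=$(rules_before_flush "$1")
    if [ -n "$wiped" ]; then
        echo "WIPED: rules appended before the flush never take effect:"
        printf '%s\n' "$wiped" | sed 's/^/    /'
        n=$((n + 1))
    fi
    if https_intercepted "$1"; then
        if ! squid_terminates_tls "$2"; then
            echo "TLS-TO-HTTP: tcp/443 is REDIRECTed to Squid but squid.conf has no https_port/ssl_bump (browsers report ERR_SSL_PROTOCOL_ERROR)"
            n=$((n + 1))
        fi
    elif grep -Eq -- '-P FORWARD DROP' "$1" && ! forward_allows_443 "$1"; then
        echo "NO-HTTPS-PATH: FORWARD policy is DROP and no rule accepts tcp/443 (HTTPS times out: ERR_CONNECTION_TIMED_OUT)"
        n=$((n + 1))
    fi
    return "$n"
}

# lint_count SCRIPT CONF: number of findings, always exit status 0.
lint_count() {
    fw_lint "$1" "$2" | grep -c '^[A-Z-]*:' || true
}

# write_samples: create three constructed firewall scripts plus a squid.conf
# in a temporary directory and print its path.
write_samples() {
    d=$(mktemp -d)
    # 443 intercepted and an ICMP rule before the flush: two findings
    cat > "$d/fw_intercept.sh" <<'EOF'
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -P FORWARD DROP
iptables -t filter -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80,443 -j REDIRECT --to-port 3128
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    # 443 not intercepted and no FORWARD rule for it: one finding
    cat > "$d/fw_passthru.sh" <<'EOF'
iptables -P FORWARD DROP
iptables -t filter -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80 -j REDIRECT --to-port 3128
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    # 443 passed through with an explicit NEW-only accept from the LAN side: clean
    cat > "$d/fw_fixed.sh" <<'EOF'
iptables -P FORWARD DROP
iptables -t filter -F
iptables -t nat -F
iptables -t nat -A PREROUTING -i eth1 -m multiport -p tcp --dports 21,80 -j REDIRECT --to-port 3128
iptables -A FORWARD -i eth1 -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    printf 'http_port 3128 transparent\n' > "$d/squid_plain.conf"
    echo "$d"
}

samples=$(write_samples)
for f in fw_intercept fw_passthru fw_fixed; do
    echo "== $f.sh"
    fw_lint "$samples/$f.sh" "$samples/squid_plain.conf" || true
done
rm -rf "$samples"
```

The check is purely textual, so it needs neither root nor a running iptables and can be run before the script is copied to the gateway. For the situation in this thread the clean configuration is the pass-through one (the `fw_fixed.sh` sample): leave 443 out of the REDIRECT list and accept only NEW tcp/443 arriving on the LAN interface in FORWARD, rather than an unqualified `--dport 443 -j ACCEPT` that also admits new connections from eth0. Intercepting 443 is only an option once Squid is built with SSL support and carries an `https_port`/`ssl_bump` configuration.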


