Denuncie   Favoritos   Indicar  

Configuração de Roteamento Firewall

1. Configuração de Roteamento Firewall

Bruno Moroz
legalnet
(usa KUbuntu)

Enviado em 11/10/2011 - 14:40h

Pessoal.
Fiz as configurações do firewall, ja tornei ele executavel em chmod 750 /etc/init.d/firewall, criei o link simbolico no ln –s /etc/init.d/firewall /etc/rc2.d/S99firewall e mesmo assim nao esta compartilhando a internet passando pelo squid.
A rede interna ja foi configurada e pinga o servidorproxy normalmente.
Vejam se tem algo errado em meu script.


--------------- Firewall-------------------------


#!/bin/bash

#script de firewall

#Versão - 0.0.1

#Limpando regras anteriores

echo "Flushing firewall rules"

iptables -F

iptables -t nat -F

iptables -t mangle -F

#

#Bloqueio Geral

#iptables -P INPUT DROP

#iptables -P FORWARD DROP

#iptables -P OUTPUT ACCEPT

#echo "Done."

#

echo "Ativando roteamento no sistema"

modprobe iptable_nat

echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

##########################Gerando Log´s do Ping"#########################################################

#iptables -A INPUT -p icmp -j LOG

#iptables -A INPUT -p tcp -j LOG

#iptables -A INPUT -p tcp -j LOG

##########################Ativando o roteamento NAT############################################

echo "Ativando o roteamento NAT"

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

#########################Teste Center V2############################################

echo "teste"

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5545:5549 -j DNAT --to 192.168.0.110

iptables -t nat -A PREROUTING -p udp -i eth0 --dport 5545:5549 -j DNAT --to 192.168.0.110

#iptables -A FORWARD -d 192.168.0.1 --dport 5545 -j DNAT --to 192.168.0.110

#iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5546 -j DNAT --to 192.168.0.110:5546

#iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5547 -j DNAT --to 192.168.0.110:5547

#iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5548 -j DNAT --to 192.168.0.110:5548

#iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5549 -j DNAT --to 192.168.0.110:5549

#echo "udp"

#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5545 -j DNAT --to 192.168.0.110:5545

#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5546 -j DNAT --to 192.168.0.110:5546

#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5547 -j DNAT --to 192.168.0.110:5547

#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5548 -j DNAT --to 192.168.0.110:5548

#iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5549 -j DNAT --to 192.168.0.110:5549

#iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5546 -j LOG

#iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5547 -j LOG

#iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5547 -j LOG

#iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5548 -j LOG

#iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5548 -j LOG

#iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5549 -j LOG

#iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5549 -j LOG

##############################################################################################

#echo "Bloqueando roteamento p/ ip 192.168.0.110."

#iptables -A FORWARD -p udp -s 192.168.0.110 -j DROP

#echo "Done"

#############################################################################################

echo "regra para proxy transparente"

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

echo "Done"

##############################################################################################

echo "Ativando Mascaramento"

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

echo "Done"

#######################################




-----------------squid---------------------


http_port 192.168.0.1:3128 transparent
cache_mem 256 MB
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
error_directory /usr/share/squid/errors/Portuguese
emulate_httpd_log on
visible_hostname Proxy
maximum_object_size_in_memory 1024 KB
maximum_object_size 700 MB
minimum_object_size 1 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

acl all src 0.0.0.0/0.0.0.0
acl redelocal src 192.168.0.0/24
acl blockedsites url_regex -i "/etc/squid/block.txt"
acl unblockedsites url_regex "/etc/squid/unblock.txt"
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localhost
#http_access allow redelocal
http_access deny blockedsites !unblockedsites
#http_access allow unblockedsites
http_access allow all




---------------------------ifconfig----------------------


eth0 Link encap:Ethernet Endereço de HW 00:05:00:19:1a:de
inet end.: 192.168.10.101 Bcast:255.255.255.255 Masc:255.255.255.0
endereço inet6: fe80::205:ff:fe19:1ade/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:2561 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:2684 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:1000
RX bytes:2698803 (2.6 MB) TX bytes:468418 (468.4 KB)
IRQ:19 Endereço de E/S:0xdf00

eth1 Link encap:Ethernet Endereço de HW 6c:f0:49:fb:ef:cd
inet end.: 192.168.0.1 Bcast:192.168.0.255 Masc:255.255.255.0
endereço inet6: fe80::6ef0:49ff:fefb:efcd/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:78 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:67 erros:0 descartados:0 excesso:0 portadora:1
colisões:0 txqueuelen:1000
RX bytes:9083 (9.0 KB) TX bytes:10014 (10.0 KB)
IRQ:42

lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACK RUNNING MTU:16436 Métrica:1
pacotes RX:164 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:164 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:0
RX bytes:12934 (12.9 KB) TX bytes:12934 (12.9 KB)


0 0
  • Quote

    •   


    2. Re: Configuração de Roteamento Firewall

    Natanael Henrique
    n4t4n
    (usa Arch Linux)

    Enviado em 11/10/2011 - 17:45h 


    
http_access allow localhost
    
http_access deny manager
    
http_access allow purge localhost
    
http_access deny purge
    
http_access deny !Safe_ports
    
http_access deny CONNECT !SSL_ports
    
#http_access allow localhost
    
#http_access allow redelocal
    
http_access deny blockedsites !unblockedsites
    
#http_access allow unblockedsites
    
http_access allow all


    Faltou voce descomentar a regra da redelocal no squid. Do jeito que esta a configuracao do firewall ate que funciona, mas o squid da acesso negado porque os ips da sua rede nao estao sendo autorizados.

    Tambem e bom ressaltar que o bloqueio tem que se referir a alguem (maquina, usuario), mas voce nao especificou para quem esta bloqueando/desbloqueando.

    Modifique para que fique assim


    
http_access allow localhost
    
http_access deny manager
    
http_access allow purge localhost
    
http_access deny purge
    
http_access deny !Safe_ports
    
http_access deny CONNECT !SSL_ports
    
http_access deny blockedsites !unblockedsites
    
http_access allow redelocal unblockedsites
    
http_access deny all !redelocal


    0 0
  • Quote

    • 3. Re: Configuração de Roteamento Firewall

    Emanuel Gomes do Carmo
    emanuel_gomes
    (usa Debian)

    Enviado em 24/10/2011 - 20:39h

    legalnet escreveu:

    Pessoal.
    Fiz as configurações do firewall, ja tornei ele executavel em chmod 750 /etc/init.d/firewall, criei o link simbolico no ln –s /etc/init.d/firewall /etc/rc2.d/S99firewall e mesmo assim nao esta compartilhando a internet passando pelo squid.
    A rede interna ja foi configurada e pinga o servidorproxy normalmente.
    Vejam se tem algo errado em meu script.


    --------------- Firewall-------------------------


    #!/bin/bash

    #script de firewall

    #Versão - 0.0.1

    #Limpando regras anteriores

    echo "Flushing firewall rules"

    iptables -F

    iptables -t nat -F

    iptables -t mangle -F

    #

    #Bloqueio Geral

    #iptables -P INPUT DROP

    #iptables -P FORWARD DROP

    #iptables -P OUTPUT ACCEPT

    #echo "Done."

    #

    echo "Ativando roteamento no sistema"

    modprobe iptable_nat

    echo 1 > /proc/sys/net/ipv4/ip_forward

    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    ##########################Gerando Log´s do Ping"#########################################################

    #iptables -A INPUT -p icmp -j LOG

    #iptables -A INPUT -p tcp -j LOG

    #iptables -A INPUT -p tcp -j LOG

    ##########################Ativando o roteamento NAT############################################

    echo "Ativando o roteamento NAT"

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

    #########################Teste Center V2############################################

    echo "teste"

    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5545:5549 -j DNAT --to 192.168.0.110

    iptables -t nat -A PREROUTING -p udp -i eth0 --dport 5545:5549 -j DNAT --to 192.168.0.110

    #iptables -A FORWARD -d 192.168.0.1 --dport 5545 -j DNAT --to 192.168.0.110

    #iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5546 -j DNAT --to 192.168.0.110:5546

    #iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5547 -j DNAT --to 192.168.0.110:5547

    #iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5548 -j DNAT --to 192.168.0.110:5548

    #iptables -A FORWARD -p tcp -d 192.168.0.1 --dport 5549 -j DNAT --to 192.168.0.110:5549

    #echo "udp"

    #iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5545 -j DNAT --to 192.168.0.110:5545

    #iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5546 -j DNAT --to 192.168.0.110:5546

    #iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5547 -j DNAT --to 192.168.0.110:5547

    #iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5548 -j DNAT --to 192.168.0.110:5548

    #iptables -A FORWARD -p udp -d 192.168.0.1 --dport 5549 -j DNAT --to 192.168.0.110:5549

    #iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5546 -j LOG

    #iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5547 -j LOG

    #iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5547 -j LOG

    #iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5548 -j LOG

    #iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5548 -j LOG

    #iptables -A FORWARD -p tcp -d 192.168.0.110 --dport 5549 -j LOG

    #iptables -A FORWARD -p udp -d 192.168.0.110 --dport 5549 -j LOG

    ##############################################################################################

    #echo "Bloqueando roteamento p/ ip 192.168.0.110."

    #iptables -A FORWARD -p udp -s 192.168.0.110 -j DROP

    #echo "Done"

    #############################################################################################

    echo "regra para proxy transparente"

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    echo "Done"

    ##############################################################################################

    echo "Ativando Mascaramento"

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    echo "Done"

    #######################################




    -----------------squid---------------------


    http_port 192.168.0.1:3128 transparent
    cache_mem 256 MB
    cache_dir ufs /var/spool/squid 2048 16 256
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    pid_filename /var/run/squid.pid
    error_directory /usr/share/squid/errors/Portuguese
    emulate_httpd_log on
    visible_hostname Proxy
    maximum_object_size_in_memory 1024 KB
    maximum_object_size 700 MB
    minimum_object_size 1 KB
    cache_swap_low 90
    cache_swap_high 95
    refresh_pattern ^ftp: 15 20% 2280
    refresh_pattern ^gopher: 15 0% 2280
    refresh_pattern . 15 20% 2280

    acl all src 0.0.0.0/0.0.0.0
    acl redelocal src 192.168.0.0/24
    acl blockedsites url_regex -i "/etc/squid/block.txt"
    acl unblockedsites url_regex "/etc/squid/unblock.txt"
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
    acl purge method PURGE
    acl CONNECT method CONNECT

    http_access allow localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    #http_access allow localhost
    #http_access allow redelocal
    http_access deny blockedsites !unblockedsites
    #http_access allow unblockedsites
    http_access allow all




    ---------------------------ifconfig----------------------


    eth0 Link encap:Ethernet Endereço de HW 00:05:00:19:1a:de
    inet end.: 192.168.10.101 Bcast:255.255.255.255 Masc:255.255.255.0
    endereço inet6: fe80::205:ff:fe19:1ade/64 Escopo:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
    pacotes RX:2561 erros:0 descartados:0 excesso:0 quadro:0
    Pacotes TX:2684 erros:0 descartados:0 excesso:0 portadora:0
    colisões:0 txqueuelen:1000
    RX bytes:2698803 (2.6 MB) TX bytes:468418 (468.4 KB)
    IRQ:19 Endereço de E/S:0xdf00

    eth1 Link encap:Ethernet Endereço de HW 6c:f0:49:fb:ef:cd
    inet end.: 192.168.0.1 Bcast:192.168.0.255 Masc:255.255.255.0
    endereço inet6: fe80::6ef0:49ff:fefb:efcd/64 Escopo:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
    pacotes RX:78 erros:0 descartados:0 excesso:0 quadro:0
    Pacotes TX:67 erros:0 descartados:0 excesso:0 portadora:1
    colisões:0 txqueuelen:1000
    RX bytes:9083 (9.0 KB) TX bytes:10014 (10.0 KB)
    IRQ:42

    lo Link encap:Loopback Local
    inet end.: 127.0.0.1 Masc:255.0.0.0
    endereço inet6: ::1/128 Escopo:Máquina
    UP LOOPBACK RUNNING MTU:16436 Métrica:1
    pacotes RX:164 erros:0 descartados:0 excesso:0 quadro:0
    Pacotes TX:164 erros:0 descartados:0 excesso:0 portadora:0
    colisões:0 txqueuelen:0
    RX bytes:12934 (12.9 KB) TX bytes:12934 (12.9 KB)







    Acho que seu firewall tem uma redundância que pode estar interferindo, não sei se isso afeta, me corrijam se eu estiver errado:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    note as interfaces de redes diferentes. Nos meus sempre uso só uma!


    0 0
  • Quote

    • 4. Re: Configuração de Roteamento Firewall

    Perfil removido
    removido
    (usa Nenhuma)

    Enviado em 25/10/2011 - 15:48h

    Boa Tarde Emanoel,

    Não ha problema de realizar o redirect da porta 80 para 3128 do squid em ambas as interfaces. No cenário o squid estaria escutando na porta 80 em ambas as interfaces sem problemas, utilizo o aqui na interface wan para realizar proxy reverso de servidores web em DMZ exemplo. ok !!

    ATT
    Tiago Eduardo Zacarias
    LPIC-1

    0 0
  • Quote





    • Patrocínio

    Site hospedado pelo provedor RedeHost.
    Linux banner

    Destaques

    Artigos

    Instalar certificado digital Safesign, fornecido pela Certisign e utilizado pela OAB-SP, em qualquer distribuição Linux usando distrobox

    Manutenção de sistemas Linux Debian e derivados com apt-get, apt, aptitude e dpkg

    Criatividade para TI parte 1

    Melhorando o tempo de boot do Fedora e outras distribuições

    Como instalar as extensões Dash To Dock e Hide Top Bar no Gnome 45/46

    Dicas

    Como Atualizar Fedora 39 para 40

    Instalar Google Chrome no Debian e derivados

    Consertando o erro do Sushi e Wayland no Opensuse Leap 15

    Instalar a última versão do PostgreSQL no Lunix mantendo atualizado

    Flathub na sua distribuição Linux e comandos básicos de gerenciamento

    Tópicos

    Sistema da Coréia do Norte - Red Star OS (16)

    Problemas com o Lutris e o Wine no Slackware 15.0 (1)

    redirecionando saida de comando touch para o AWK[RESOLVIDO] (18)

    Acesso a internet servidor virtualizado (11)

    Cant ´t attach process a10c: error 0 Wine fecha (3)

    Top 10 do mês

    Scripts

    [Python] Adicione a opção Redimensionar e rotacionar imagens ao Nautilus

    [Shell Script] Script para desinstalar pacotes desnecessários no OpenSuse

    [Shell Script] Script para criar certificados de forma automatizada no OpenVpn

    [Shell Script] Conversor de vídeo com opção de legenda

    [C/C++] BRT - Bulk Renaming Tool

    A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.

    Site hospedado por: