Employees bypassing authentication

1. Employees bypassing authentication

renan rosolem chinelatto
pok182

(uses Ubuntu)

Posted on 13/07/2010 - 10:52h

Guys, I need your help, because people are bypassing the internet authentication by configuring a different proxy on a different port...
The proxy used at the company is 192.168.0.1 port 3128
but people are using the proxy 127.0.0.1 port 8118 and port 9050, so Squid doesn't ask for any authentication
can anyone help me???


  


2. Re: Employees bypassing authentication

Johnny Ferreira dos Santos
johnnyfsan

(uses CentOS)

Posted on 13/07/2010 - 10:59h

Friend,
block the ports in the firewall with iptables.
If you need help with iptables, give me a shout!

Cheers


3. Re: Employees bypassing authentication

renan rosolem chinelatto
pok182

(uses Ubuntu)

Posted on 13/07/2010 - 11:06h

if you could help me....
I need to block these ports...
anyway...
here's my firewall:

modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clearing the firewall (flush)
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#iptables -A INPUT -p tcp --syn -i eth0 -s 192.168.0.50/32 -o eth1 --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --syn -i eth0 -s 192.168.0.50/32 -o eth1 --destination-port 443 -j ACCEPT

#EMAIL
#iptables -A FORWARD -p TCP --dport 25 -i eth0 -j ACCEPT
#iptables -A FORWARD -p UDP --dport 53 -i eth0 -j ACCEPT
#iptables -A FORWARD -p TCP --dport 110 -i eth0 -j ACCEPT
#iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 192.168.0.1 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.1 --sport 53 -d 192.168.0.0/24 -j ACCEPT

iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 200.246.46.173 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.246.46.173 --sport 53 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 200.246.46.132 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.246.46.132 --sport 53 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p TCP -s 192.168.0.0/24 --dport 25 -j ACCEPT
iptables -A FORWARD -p TCP -s 192.168.0.0/24 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE

#Allow MSN
iptables -A FORWARD -s 192.168.0.50 -p tcp --dport 1863 -j ACCEPT # Renan
#iptables -A FORWARD -s 192.168.0.50 -d loginnet.passport.com -j ACCEPT #Renan

iptables -A FORWARD -s 192.168.0.71 -p tcp --dport 1863 -j ACCEPT # Graziela
#iptables -A FORWARD -s 192.168.0.50 -d loginnet.passport.com -j ACCEPT #Renan


iptables -A FORWARD -s 192.168.0.178 -p tcp --dport 1863 -j ACCEPT # Matheus
#iptables -A FORWARD -s 192.168.0.178 -d loginnet.passport.com -j ACCEPT #Matheus

iptables -A FORWARD -s 192.168.0.15 -p tcp --dport 1863 -j ACCEPT # Gustavo
#iptables -A FORWARD -s 192.168.0.15 -d loginnet.passport.com -j ACCEPT #Gustavo

iptables -A FORWARD -s 192.168.0.147 -p tcp --dport 1863 -j ACCEPT # Leandro
#iptables -A FORWARD -s 192.168.0.15 -d loginnet.passport.com -j ACCEPT


iptables -A FORWARD -s 192.168.0.146 -p tcp --dport 1863 -j ACCEPT # Elide
#iptables -A FORWARD -s 192.168.0.146 -d loginnet.passport.com -j ACCEPT #Elide

iptables -A FORWARD -s 192.168.0.174 -p tcp --dport 1863 -j ACCEPT # lilian

iptables -A FORWARD -s 192.168.0.28 -p tcp --dport 1863 -j ACCEPT # Bruno
#iptables -A FORWARD -s 192.168.0.28 -d loginnet.passport.com -j ACCEPT # Bruno
iptables -A FORWARD -s 192.168.0.28 -p tcp --dport 1863 -j ACCEPT # Bruno
#iptables -A FORWARD -s 192.168.0.28 -d loginnet.passport.com -j ACCEPT # Bruno

iptables -A FORWARD -s 192.168.0.25 -p tcp --dport 1863 -j ACCEPT # Daniela
#iptables -A FORWARD -s 192.168.0.25 -d loginnet.passport.com -j ACCEPT #Daniela

iptables -A FORWARD -s 192.168.0.78 -p tcp --dport 1863 -j ACCEPT # Evelise
#iptables -A FORWARD -s 192.168.0.78 -d loginnet.passport.com -j ACCEPT # Evelise

iptables -A FORWARD -s 192.168.0.53 -p tcp --dport 1863 -j ACCEPT # Cirulli
#iptables -A FORWARD -s 192.168.0.53 -d loginnet.passport.com -j ACCEPT # Cirulli

iptables -A FORWARD -s 192.168.0.26 -p tcp --dport 1863 -j ACCEPT # Lilian
#iptables -A FORWARD -s 192.168.0.26 -d loginnet.passport.com -j ACCEPT #Lilian

iptables -A FORWARD -s 192.168.0.120 -p tcp --dport 1863 -j ACCEPT # Prisciliana
#iptables -A FORWARD -s 192.168.0.120 -d loginnet.passport.com -j ACCEPT # Prisciliana

iptables -A FORWARD -s 192.168.0.69 -p tcp --dport 1863 -j ACCEPT # Rodrigo
#iptables -A FORWARD -s 192.168.0.69 -d loginnet.passport.com -j ACCEPT #Rodrigo

iptables -A FORWARD -s 192.168.0.67 -p tcp --dport 1863 -j ACCEPT # Juliana
#iptables -A FORWARD -s 192.168.0.67 -d loginnet.passport.com -j ACCEPT # Juliana

iptables -A FORWARD -s 192.168.0.68 -p tcp --dport 1863 -j ACCEPT # Andressa
#iptables -A FORWARD -s 192.168.0.68 -d loginnet.passport.com -j ACCEPT # Andressa

iptables -A FORWARD -s 192.168.0.63 -p tcp --dport 1863 -j ACCEPT # Flavia
#iptables -A FORWARD -s 192.168.0.64 -d loginnet.passport.com -j ACCEPT # Flavia

#Block MSN
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT



# Enabling masquerade and forwarding
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE
#iptables -A FORWARD -s 192.168.0.0/16 -j ACCEPT


iptables -A FORWARD -s 192.168.0.71 -j ACCEPT
iptables -A FORWARD -s 192.168.126.129 -j ACCEPT
iptables -A FORWARD -s 192.168.0.128 -j ACCEPT
iptables -A FORWARD -s 192.168.0.49 -j ACCEPT
iptables -A FORWARD -s 192.168.0.179 -j ACCEPT
iptables -A FORWARD -s 192.168.0.95 -j ACCEPT
iptables -A FORWARD -s 192.168.0.109 -j ACCEPT
iptables -A FORWARD -s 192.168.0.88 -j ACCEPT
iptables -A FORWARD -s 192.168.0.186 -j ACCEPT
iptables -A FORWARD -s 192.168.0.50 -j ACCEPT
iptables -A FORWARD -s 192.168.0.80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.254 -j ACCEPT
iptables -A FORWARD -s 192.168.0.11 -j ACCEPT
iptables -A FORWARD -s 192.168.0.63 -j ACCEPT
iptables -A FORWARD -s 192.168.0.147 -j ACCEPT
iptables -A FORWARD -s 192.168.0.93 -j ACCEPT
iptables -A FORWARD -s 192.168.0.65 -j ACCEPT
iptables -A FORWARD -s 192.168.0.71 -j ACCEPT
iptables -A FORWARD -s 192.168.0.65 -j ACCEPT
iptables -A FORWARD -s 192.168.0.71 -j ACCEPT
iptables -A FORWARD -s 192.168.0.138 -j ACCEPT
iptables -A FORWARD -s 192.168.0.28 -j ACCEPT
iptables -A FORWARD -s 192.168.0.146 -j ACCEPT
iptables -A FORWARD -s 192.168.0.26 -j ACCEPT
iptables -A FORWARD -s 192.168.0.25 -j ACCEPT
iptables -A FORWARD -s 192.168.0.68 -j ACCEPT
iptables -A FORWARD -s 192.168.0.69 -j ACCEPT
iptables -A FORWARD -s 192.168.0.101 -j ACCEPT
iptables -A FORWARD -s 192.168.0.59 -j ACCEPT
iptables -A FORWARD -s 192.168.0.49 -j ACCEPT
iptables -A FORWARD -s 192.168.0.56 -j ACCEPT
iptables -A FORWARD -s 192.168.0.144 -j ACCEPT
iptables -A FORWARD -s 192.168.0.48 -j ACCEPT
iptables -A FORWARD -s 192.168.0.47 -j ACCEPT
iptables -A FORWARD -s 192.168.0.51 -j ACCEPT
iptables -A FORWARD -s 192.168.0.58 -j ACCEPT
iptables -A FORWARD -s 192.168.0.46 -j ACCEPT
iptables -A FORWARD -s 192.168.0.156 -j ACCEPT
iptables -A FORWARD -s 192.168.0.12 -j ACCEPT
iptables -A FORWARD -s 192.168.0.14 -j ACCEPT
iptables -A FORWARD -s 192.168.0.53 -j ACCEPT
iptables -A FORWARD -s 192.168.0.30 -j ACCEPT
iptables -A FORWARD -s 192.168.0.186 -j ACCEPT
iptables -A FORWARD -s 192.168.0.35 -j ACCEPT
iptables -A FORWARD -s 192.168.0.78 -j ACCEPT
iptables -A FORWARD -s 192.168.0.174 -j ACCEPT





iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# STATE RELATED for the router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Internal network is allowed access
iptables -A INPUT -p tcp -s 127.0.0.1/255.255.255.255 -j ACCEPT
iptables -A INPUT -p udp -s 127.0.0.1/255.255.255.255 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p tcp -s 10.0.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p udp -s 10.0.0.0/255.255.0.0 -j ACCEPT
iptables -A INPUT -p udp -s 0.0.0.0/0.0.0.0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 0.0.0.0/0.0.0.0 -j DROP

#Allow computers
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 0.0.0.0/0.0.0.0 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/16 -s 0.0.0.0/0.0.0.0 --dport 443 -j ACCEPT

#Allow Receita
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 0.0.0.0/0.0.0.0 --dport 3456 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/16 -s 0.0.0.0/0.0.0.0 --dport 3456 -j ACCEPT

#Connectivity - CAD Unico
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.201.174.204 --dport 2631 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/16 -s 200.201.174.204 --dport 2631 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/16 -s 200.201.174.204 --dport 2631 -j ACCEPT

#Passe card recharge
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 174.133.30.170 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 174.133.30.194 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 --dport 3306 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/16 --dport 3306 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.171.74.227 --dport 1433 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.171.74.227 --dport 1433 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.171.74.227 --dport 1434 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.171.74.227 --dport 1434 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.171.74.227 --dport 1446 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.171.74.227 --dport 1446 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.144.5.48 --dport 1498 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 200.144.5.48 --dport 1446 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.144.5.48 --dport 1498 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 200.144.5.48 --dport 1446 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/16 --dport 1446 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.0.0/16 -s 189.5.194.64 --dport 7486 -j ACCEPT

#iptables -A FORWARD -p tcp -s 192.168.0.52 -d www.claro.com.br -j ACCEPT
#iptables -A FORWARD -p udp -d 192.168.0.52 -s www.claro.com.br -j ACCEPT


iptables -A FORWARD -p tcp -s 192.168.0.0/16 --dport 3356 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/16 --dport 3356 -j ACCEPT

iptables -A FORWARD -p tcp -s 192.168.0.95 --dport 5900 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.95 --dport 5900 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.95 --dport 1863 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.95 --dport 1863 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.95 --dport 44405 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.95 --dport 44405 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.95 --dport 55901 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.95 --dport 55901 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.50 --dport 27442 -j ACCEPT

#internal network
#iptables -A FORWARD -p tcp -d 192.168.0.134 -j ACCEPT
#iptables -A FORWARD -p tcp -s 192.168.0.134 -j ACCEPT


# Ports that are open to the internet
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 221 -j ACCEPT
#Remote Desktop port
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --dport 65432 -j ACCEPT
iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp --dport 44405 -j ACCEPT
iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp --dport 44405 -j ACCEPT
iptables -A INPUT -p tcp --dport 55901 -j ACCEPT
iptables -A INPUT -p tcp --dport 7486 -j ACCEPT
iptables -A INPUT -p tcp --dport 27015 -j ACCEPT
iptables -A INPUT -p tcp --dport 27442 -j ACCEPT

# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT

#iptables -t nat -A PREROUTING -d www.ciee.org.br -j ACCEPT
#iptables -t nat -A PREROUTING -d redir.folha.com.br -j ACCEPT
#iptables -t nat -A PREROUTING -d f.i.uol.com.br -j ACCEPT
#iptables -t nat -A PREROUTING -d www.folha.com.br -j ACCEPT
#iptables -t nat -A PREROUTING -d www.farmaciasdelimeira.com.br -j ACCEPT
#iptables -t nat -A PREROUTING -d 200.234.200.68 -j ACCEPT
#iptables -t nat -A PREROUTING -d www.pmas.sp.gov.br -j ACCEPT
#iptables -t nat -A PREROUTING -d 200.144.6.210 -j ACCEPT
#iptables -t nat -A PREROUTING -d 200.144.6.9 -j ACCEPT
#iptables -t nat -A PREROUTING -d www.mds.gov.br -j ACCEPT
#iptables -t nat -A PREROUTING -d 192.168.0.105 -j ACCEPT
#iptables -t nat -A PREROUTING -d 201.65.178.130 -j ACCEPT
#iptables -t nat -A PREROUTING -d www14.bancodobrasil.com.br -j ACCEPT
#iptables -t nat -A PREROUTING -d 170.66.1.60 -j ACCEPT
#iptables -t nat -A PREROUTING -d office.bancobrasil.com.br -j ACCEPT
#iptables -t nat -A PREROUTING -d 189.47.163.127 --dport 300 -j ACCEPT
#iptables -t nat -A PREROUTING -d 189.5.194.64 --dport 7486 -j ACCEPT
#iptables -t nat -A PREROUTING -d 189.5.194.64 -j ACCEPT
#iptables -t nat -A PREROUTING -d 200.155.160.200 -j ACCEPT


#AUDESP
#iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.50 -d 0/0 -p tcp --dport 80 -j REDIRECT --to-port 80
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.50 -d 0/0 -j ACCEPT #--> whoever is allowed here does not go through the next rule
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.49 -d 0/0 -j ACCEPT #--> whoever is allowed here does not go through the next rule
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.10 -d 0/0 -j ACCEPT #--> whoever is allowed here does not go through the next rule
#iptables -t nat -A PREROUTING -i eth0 -p tcp -d 0/0 --dport http -j REDIRECT --to-port 3128
# Redirects all port 80 traffic to Squid
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.0.0/16 --dport 80 -j REDIRECT --to-port 3128

#Redirects port 3389 to Windows
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 3389 -j DNAT --to 192.168.0.250:3389
iptables -t nat -A POSTROUTING -d 192.168.0.250 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 3389 -j ACCEPT

#Redirects port 3390 to Windows (RDP on 3389)
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 3390 -j DNAT --to 192.168.0.250:3389
iptables -t nat -A POSTROUTING -d 192.168.0.250 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 3389 -j ACCEPT

#Redirects port 5432 to Windows
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 5432 -j DNAT --to 192.168.0.250:5432
iptables -t nat -A POSTROUTING -d 192.168.0.250 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 5432 -j ACCEPT

#Redirects port 65432 to Windows
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 65432 -j DNAT --to 192.168.0.250:65432
iptables -t nat -A POSTROUTING -d 192.168.0.250 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 65432 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.0.250 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 65432 -j ACCEPT

#Redirects port 5900 to Windows (Mario)
iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 5900 -j DNAT --to 192.168.0.49:5900
iptables -t nat -A POSTROUTING -d 192.168.0.49 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.49 --dport 5900 -j ACCEPT

#redirects port 8080 to port 80 on srvconan
iptables -t nat -A PREROUTING -p tcp -d 201.75.229.121 --dport 8080 -j DNAT --to 192.168.0.105:80
iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 80 -j ACCEPT

#iptables -t nat -A PREROUTING -p tcp -d 187.2.29.193 --dport 8080 -j DNAT --to 192.168.0.105:80
#iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
#iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 8080 -j DNAT --to 192.168.0.105:80

#iptables -t nat -A PREROUTING -p tcp -d 201.75.229.121 --dport 8080 -j DNAT --to 192.168.0.105:80
#iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
#iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 80 -j ACCEPT

#Redirects port 300 to port 22 on SRVCONAN
#iptables -t nat -A PREROUTING -p tcp -d 201.75.229.121 --dport 300 -j DNAT --to 192.168.0.105:22
#iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
#iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 22 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -d 187.107.145.14 --dport 300 -j DNAT --to 192.168.0.105:22
iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 22 -j ACCEPT



#iptables -t nat -A PREROUTING -p tcp -d 201.62.122.32 --dport 300 -j DNAT --to 192.168.0.105:22
#iptables -t nat -A POSTROUTING -d 192.168.0.105 -j SNAT --to 192.168.0.1
#iptables -A FORWARD -p tcp -d 192.168.0.105 --dport 22 -j ACCEPT
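
Why the posted script does not force everyone through Squid: only port 80 is redirected to 3128, while every workstation listed with `iptables -A FORWARD -s 192.168.0.x -j ACCEPT` may leave on any port, and the whole LAN may leave on 443. A proxy listening on a workstation's own 127.0.0.1 (8118 and 9050 are the default ports of Privoxy and of Tor's SOCKS listener) just connects onward through those rules, and an INPUT rule on the gateway never sees that loopback traffic. The script below is an added example, not the script from the thread, of a FORWARD chain that pins LAN egress to Squid plus explicitly listed application servers and logs whatever tries to go around it. IPT, LAN_IF, WAN_IF, allow_tcp_dst, forward_rules and host_wide_accepts are names chosen here; the interface names and the server addresses follow the posted script; the port-forwarding (DNAT) rules of the original are out of scope and left out.

```shell
#!/bin/sh
# Added example (not the thread's script): deny-by-default FORWARD chain
# so LAN hosts reach the internet only via Squid or listed servers.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
LAN="192.168.0.0/24"        # LAN range named in the thread
LAN_IF="eth0"               # assumption: internal interface, as in the posted script
WAN_IF="eth1"               # assumption: external interface, as in the posted script
SQUID_PORT="3128"           # Squid port named in the thread
RESOLVERS="200.246.46.173 200.246.46.132"   # external DNS servers from the posted script

# Allow one LAN -> internet service: a single host AND a single TCP port.
allow_tcp_dst() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -d "$1" -p tcp --dport "$2" \
        -m state --state NEW -j ACCEPT
}

forward_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # Port 80 from the LAN is handed to Squid in nat/PREROUTING, before the
    # FORWARD chain is consulted; Squid then applies its own authentication.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"

    # Replies to connections that were already accepted, both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS only to the named resolvers, not to any host on port 53.
    for r in $RESOLVERS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -d "$r" -p udp --dport 53 -j ACCEPT
    done

    # Application servers from the posted script, pinned to host and port.
    # Deliberately absent: host-wide "-s 192.168.0.x -j ACCEPT" (that host may
    # then reach any port directly) and LAN-wide "--dport 443 -j ACCEPT" (every
    # host may then reach any server on 443 directly). Both skip Squid and its
    # authentication. HTTPS is meant to go through Squid's CONNECT method with
    # the browser configured to use 192.168.0.1:3128 explicitly.
    allow_tcp_dst 200.201.174.204 2631   # CAD Unico
    allow_tcp_dst 200.171.74.227 1433    # Passe card recharge (MS SQL)
    allow_tcp_dst 200.144.5.48 1498

    # Any other NEW connection from the LAN: log it (rate limited) so the
    # attempt to go around the proxy is visible in the kernel log, then reject.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -m state --state NEW \
        -m limit --limit 10/min -j LOG --log-prefix "FWD-BYPASS-SQUID: "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -j REJECT --reject-with icmp-port-unreachable
}

# Self-check: count host-wide accepts (the pattern that defeated the proxy in
# the original script) in the generated rule set. Prints 0 for forward_rules.
host_wide_accepts() {
    ( IPT=echo; forward_rules ) | grep -c -- '-s 192\.168\.0\.[0-9]* -j ACCEPT' || true
}

if [ "${1:-}" = "apply" ]; then
    forward_rules
fi
```

Usage: `IPT=echo sh forward.sh apply` prints the rules for review; `sh forward.sh apply` as root loads them. After loading, `grep FWD-BYPASS-SQUID /var/log/kern.log` (or `dmesg`) shows which workstation tried to open a direct connection and to which port.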



4. Re: Employees bypassing authentication

Johnny Ferreira dos Santos
johnnyfsan

(uses CentOS)

Posted on 13/07/2010 - 11:46h

Man,
put these lines in your firewall

# BLOCK THE SPECIFIED EXTERNAL PORTS
/sbin/iptables -A INPUT -m tcp -p tcp -d 192.168.0.0 --dport 8118 -j DROP
/sbin/iptables -A INPUT -m tcp -p tcp -d 192.168.0.0 --dport 9050 -j DROP


I think that solves it.


5. Re: Employees bypassing authentication

renan rosolem chinelatto
pok182

(uses Ubuntu)

Posted on 13/07/2010 - 11:55h

I blocked them and it didn't work
;/
any other way out?


6. Re: Employees bypassing authentication

Profile removed
removed

(uses None)

Posted on 13/07/2010 - 13:26h

@Johnny, adding a new rule with DROP does nothing if the policy is already DROP.

@pok182, try removing these lines:

# Internal network is allowed access
iptables -A INPUT -p tcp -s 127.0.0.1/255.255.255.255 -j ACCEPT
iptables -A INPUT -p udp -s 127.0.0.1/255.255.255.255 -j ACCEPT


7. Re: Employees bypassing authentication

irado furioso com tudo
irado

(uses XUbuntu)

Posted on 13/07/2010 - 14:03h

add this rule:

$IPT -t filter -A OUTPUT -p tcp -m multiport --dport http,https -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset

if EVERYONE must use your proxy, it will be the first OUTPUT rule; if some don't need to use the proxy, this rule goes AFTER those are allowed.


8. irado

Profile removed
removed

(uses None)

Posted on 13/07/2010 - 14:16h

can you explain this part, which I've never seen?
-m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset

and pok182, don't forget to change the $IPT (variable) that our friend irado used to iptables. ;)


9. Re: Employees bypassing authentication

Johnny Ferreira dos Santos
johnnyfsan

(uses CentOS)

Posted on 13/07/2010 - 14:50h

these folks know their stuff!!
helping and learning :D


who said Linux has no support hehehe!


10. Re: Employees bypassing authentication

irado furioso com tudo
irado

(uses XUbuntu)

Posted on 13/07/2010 - 14:59h

clarification:

-m owner <-- load the owner match module
! --uid-owner squid <-- if the UID is NOT squid's
-j REJECT <-- reject the connection
--reject-with tcp-reset <-- answering with a reset (RST).
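
irado's rule set into a complete OUTPUT chain in the order he describes (exceptions first, then the reject), as an added example that is not from the thread. IPT, SQUID_USER, DIRECT_USERS, output_rules and reject_position are names chosen here. Two caveats the thread does not spell out: the owner match only exists for packets the gateway itself generates (it is valid in OUTPUT and POSTROUTING only), so this rule restricts processes running on the gateway and does nothing for traffic forwarded from the LAN; and the account Squid runs as is `proxy` on Debian/Ubuntu but `squid` on CentOS, so the uid name must match the gateway's distribution.

```shell
#!/bin/sh
# Added example (not from the thread): gateway OUTPUT chain that lets only
# the Squid process (and listed exceptions) talk HTTP/HTTPS directly.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
# Debian/Ubuntu run Squid as "proxy", CentOS as "squid"; check with
# `ps -o user= -C squid` on the gateway before loading.
SQUID_USER="${SQUID_USER:-proxy}"
# Assumption: local accounts that may reach the web directly (e.g. root for
# package updates). Leave empty if every process must go through Squid.
DIRECT_USERS="${DIRECT_USERS:-root}"

output_rules() {
    $IPT -F OUTPUT
    # Replies for connections already accepted.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Exceptions first: a rule appended before the reject wins (first match).
    for u in $DIRECT_USERS; do
        $IPT -A OUTPUT -p tcp -m multiport --dports http,https \
            -m owner --uid-owner "$u" -j ACCEPT
    done
    # Everything not owned by Squid's uid: log (rate limited), then answer
    # with a TCP RST so the client fails immediately instead of timing out.
    $IPT -A OUTPUT -p tcp -m multiport --dports http,https -m owner ! --uid-owner "$SQUID_USER" \
        -m limit --limit 5/min -j LOG --log-prefix "OUT-NOT-SQUID: "
    $IPT -A OUTPUT -p tcp -m multiport --dports http,https -m owner ! --uid-owner "$SQUID_USER" \
        -j REJECT --reject-with tcp-reset
}

# Self-check: 1-based position of the tcp-reset rule in the printed set.
# Every exception rule must sit above it, or it would never be reached.
reject_position() {
    ( IPT=echo; output_rules ) | grep -n -- 'tcp-reset' | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    output_rules
fi
```

Usage: `IPT=echo sh output.sh apply` prints the chain for review; `SQUID_USER=squid sh output.sh apply` as root loads it on a CentOS gateway. Because the owner match never sees forwarded packets, LAN workstations still need a FORWARD policy that only admits Squid's port.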


11. Re: Employees bypassing authentication

renan rosolem chinelatto
pok182

(uses Ubuntu)

Posted on 13/07/2010 - 15:09h

Irado, how and where should I add this rule?
$IPT -t filter -A OUTPUT -p tcp -m multiport --dport http,https -m owner ! --uid-owner squid -j REJECT --reject-with tcp-reset

my IP range is 192.168.0.0, so how do I do it? I still don't understand... the other alternatives still haven't worked


12. Re: Employees bypassing authentication

irado furioso com tudo
irado

(uses XUbuntu)

Posted on 13/07/2010 - 15:27h

well, the HOW: with any text editor you feel comfortable with (I, for example, use VIM).

and the WHERE: in the original script you have on that machine.

you'll find more information here:
http://www.google.com.br/custom?domains=www.vivaolinux.com.br&sitesearch=www.vivaolinux.com.br&a...





