Liberar porta Squid+iptables

marspbx
(usa Outra)

Enviado em 15/04/2011 - 22:37h

Olá sou novato em linux e minha empresa tem o squid e o iptables rodando no debian, estou precisando fazer 2 liberações para acesso externo. quem puder me ajudar agradeço

1º vnc para a máquina 192.168.0.30
2º libera um máquina atendimento:8080/chat

segue acls

Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

#######################################################
# CONFIGURACOES ACLs
#######################################################

#######################################################
### ACLs REDE
acl rede_interna2 src 192.168.0.0/24
acl rede_interna src 192.168.0.0/16
acl intranet dstdomain "/etc/squid/acls/sites/sites_intra"

#######################################################
### COMUNICADORES

acl gtalk url_regex -i "/etc/squid/acls/comunicadores/gtalk"
acl msn url_regex -i "/etc/squid/acls/comunicadores/msn"
acl ips-comunic src "/etc/squid/acls/ips/ips-comunicadores"
acl skype url_regex -i ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443


#######################################################
### DOWNLOADS
acl download url_regex -i "/etc/squid/acls/downloads/download"

#######################################################
### BLOQUEAR USUARIO EXPECIFICO
acl congelar src "/etc/squid/acls/usuario/usuario"

#######################################################
### MARKETING
acl ips_marketing src "/etc/squid/acls/pcs/ips/ips_marketing"
acl mac_marketing arp "/etc/squid/acls/pcs/mac/mac_marketing"

#######################################################
### ADMINISTRATIVO
acl ips_administrativo src "/etc/squid/acls/pcs/ips/ips_administrativo"
acl mac_administrativo arp "/etc/squid/acls/pcs/mac/mac_administrativo"

#######################################################
### SUPERVISORES
acl ips_supervisao src "/etc/squid/acls/pcs/ips/ips_supervisao"
acl mac_supervisao arp "/etc/squid/acls/pcs/mac/mac_supervisao"

#######################################################
### DIRETORIA
acl ips_diretoria src "/etc/squid/acls/pcs/ips/ips_diretoria"
acl mac_diretoria arp "/etc/squid/acls/pcs/mac/mac_diretoria"

#######################################################
### EMISSAO
acl ips_emissao src "/etc/squid/acls/pcs/ips/ips_emissao"
acl mac_emissao arp "/etc/squid/acls/pcs/mac/mac_emissao"

#######################################################
### PACOTES
acl ips_pacotes src "/etc/squid/acls/pcs/ips/ips_pacotes"
acl mac_pacotes arp "/etc/squid/acls/pcs/mac/mac_pacotes"

#######################################################
### PASSAGENS
acl ips_passagens src "/etc/squid/acls/pcs/ips/ips_passagens"
acl mac_passagens arp "/etc/squid/acls/pcs/mac/mac_passagens"

#######################################################
### RISCOS
acl ips_riscos src "/etc/squid/acls/pcs/ips/ips_riscos"
acl mac_riscos arp "/etc/squid/acls/pcs/mac/mac_riscos"

#######################################################
### SAC
acl ips_sac src "/etc/squid/acls/pcs/ips/ips_sac"
acl mac_sac arp "/etc/squid/acls/pcs/mac/mac_sac"

#######################################################
### INFRA
acl ips_infra src "/etc/squid/acls/pcs/ips/ips_infra"
acl mac_infra arp "/etc/squid/acls/pcs/mac/mac_infra"

#######################################################
### ACL BADWORDS ( PALAVRAS PROIBIDAS )
acl badwords url_regex -i "/etc/squid/acls/badwords/badwords"
acl ex_badwords url_regex -i "/etc/squid/acls/badwords/exception_badwords"

#######################################################
### SITES
acl sites_sac dstdomain "/etc/squid/acls/sites/sites_sac"
acl sites_pacotes dstdomain "/etc/squid/acls/sites/sites_pacotes"
acl sites_passagens dstdomain "/etc/squid/acls/sites/sites_passagens"
acl sites_livres dstdomain "/etc/squid/acls/sites/sites_livres"
acl sites_livres2 url_regex -i "/etc/squid/acls/sites/sites_livres2"
acl sala_reuniao src 192.168.0.20
acl ips_visitantes src 192.168.1.0/24

#######################################################

acl sites_bruno url_regex -i "/etc/squid/acls/sites/sites_bruno"
acl ip_bruno src 192.168.2.89

#######################################################
### SITES BLOQUEADOS
acl sites_bloqueados dstdomain -i "/etc/squid/acls/sites/sites_bloqueados"
acl sites_no_exception url_regex -i "/etc/squid/acls/sites/sites_no_exception"
acl sites_no_exception2 url_regex -i "/etc/squid/acls/sites/sites_no_exception2"
acl sites_bloqueados2 dstdomain -i "/etc/squid/acls/sites/sites_bloqueados2"
acl ips_block_gmail src "/etc/squid/acls/ips/ips-block-gmail"
acl sites_block_gmail url_regex -i "/etc/squid/acls/ips/sites-block-gmail"
acl sites_risco dstdomain "/etc/squid/acls/sites/sites_risco"



#######################################################
### ATUALIZACAO
acl atualizacao url_regex -i "/etc/squid/acls/sites/sites_atualizacao"

###
# acls temporarias
acl sites2gmail dstdomain "/etc/squid/acls/ips/sites-block-gmail2"

# ADOBE
acl adobe url_regex -i "/etc/squid/acls/sites/sites_adobe"

#acl ips-temp src "/etc/squid/acls/ips/ips-liberados"
#acl sites-temp url_regex -i "/etc/squid/acls/sites/sites-temporarios"

http_access allow ips_visitantes

http_access allow rede_interna2
#http_access allow all
###
#########################################################
####### CONTROLE HTTP_ACCESS
http_access deny ips_block_gmail sites_block_gmail
http_access allow CONNECT !sites2gmail ips_block_gmail
######################
### MINIMO
http_access deny adobe
http_access deny congelar
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports




#######################
### CUSTOM RULES

http_access allow localhost
http_access allow atualizacao
always_direct allow intranet
http_access deny intranet sites_no_exception
http_access allow intranet

##################
# BRUNO
http_access allow sites_bruno ip_bruno
http_access deny ip_bruno

########################################
# LIBERAR SKYPE
http_access deny all CONNECT !SSL_ports skype
http_access allow ips-comunic skype
http_access deny !ips-comunic skype
http_access deny skype

# INFRA
http_access deny mac_infra !ips_infra
http_access allow ips_infra mac_infra


####################################
# DIRETORIA ACESSO TOTAL LIBERADO

http_access deny mac_diretoria !ips_diretoria
http_access allow ips_diretoria mac_diretoria


####################################
# MARKETING ACESSO LIBERADO
# Controle IP - ARP
http_access deny mac_marketing !ips_marketing
http_access allow ips_marketing mac_marketing

http_access deny CONNECT sites_no_exception !ips_diretoria
http_access deny CONNECT sites_no_exception2 !ips_diretoria

################

http_access deny sites_no_exception
http_access deny msn
################
http_access allow ips_riscos sites_risco
http_access allow ips_supervisao sites_risco
http_access deny download

####################################
# BLOQUEIA SITES PROIBIDOS A TODOS

http_access deny sites_no_exception2

# VISITANTES
http_access deny ips_visitantes sites_no_exception
http_access deny ips_visitantes sites_no_exception2
http_access allow ips_visitantes

####################################
# LIBERA ACESSO PARA
# SUPERVISORES / ADMINISTRATIVO / EMISSAO / RISCOS
# Controle IP - ARP

####################################
# SUPERVISAO
http_access deny mac_supervisao !ips_supervisao
http_access allow ips_supervisao mac_supervisao

####################################
# REGRAS DE SEGURANCA
# Proibe download


#################################
#### ESPACO PARA ADICIONAR
#### OUTROS ACESSOS
#
http_access allow sites_livres2

########################################
# CONTROLE COMUNICADORES
http_access deny CONNECT !SSL_ports msn all
http_access deny CONNECT !SSL_ports gtalk all
http_access allow ips-comunic msn all
http_access allow ips-comunic gtalk all
http_access deny !ips-comunic msn all
http_access deny !ips-comunic gtalk all
http_access deny msn
http_access deny gtalk


#####################################
# Proibe acesso a lista de sites
# bloqueados a todos que não são
# supervisores ou diretoria
# http_access deny sites_bloqueados

http_access deny sites_bloqueados2


####################################
# ADMINISTRATIVO
http_access deny ips_administrativo sites_bloqueados
http_access deny mac_administrativo !ips_administrativo
http_access allow ips_administrativo mac_administrativo
####################################

####################################
# EMISSAO
http_access deny ips_emissao sites_bloqueados
http_access deny mac_emissao !ips_emissao
http_access allow ips_emissao mac_emissao
####################################
# RISCOS
http_access deny ips_riscos sites_bloqueados
http_access deny ips_riscos !mac_riscos
http_access allow ips_riscos mac_riscos
####################################





######################################
# DEFINIR BLOQUEIOS PARA CALL CENTERS
# + CONTROLE IP - ARP
####################################
# PACOTES
http_access deny mac_pacotes !ips_pacotes
http_access allow ips_pacotes mac_pacotes



####################################
# CALL CENTERS SE ACESSAM O QUE FOR
# PRE DEFINIDO. NEGA TODO RESTANTE
####################################

####################################

http_access deny badwords !badwords

####################################
# PASSAGENS AEREAS

http_access deny mac_passagens !ips_passagens
http_access allow ips_passagens mac_passagens sites_passagens

####################################
# SAC
http_access deny mac_sac !ips_sac
http_access allow ips_sac mac_sac sites_sac
http_access allow ips_sac mac_sac sites_livres

#####################################
# BLOQUEIA TUDO QUE NAO TENHA CAIDO NAS REGRAS ANTERIORES
http_access deny all


#######################################################
# FIM DOS BLOQUEIOS
#######################################################

pinon.filho
(usa Ubuntu)

Enviado em 16/04/2011 - 09:19h

iptables -t nat -A PREROUTING -i [interface_internet] -p tcp --dport [porta_desejada] -j DNAT --to [ip_desejado]
iptables -A FORWARD -p [tcp ou udp] --dport [porta_desejada] -d [ip_desejado] -j ACCEPT

Espero ter ajudado. Sou novato também, mas já passei por situações semelhantes.

marspbx
(usa Outra)

Enviado em 17/04/2011 - 06:22h

Blz cara vou tentar e depois posto o resultado...valeu1!!