Problems with MSN in RC.LOCAL

1. Problems with MSN in RC.LOCAL

Edimar Leandro Turini
digisman

(uses Ubuntu)

Sent on 03/05/2012 - 18:16h

Good evening, colleagues. I have the script below, which works on several clients on Ubuntu 11.04 Server; I have now deployed it on Ubuntu 11.10 and it is not blocking MSN as described below in the bash script. Can you help me organise it and tell me where I am going wrong, please? I use Squid on port 3128.

#!/bin/bash
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# share the internet connection
echo "1" > /proc/sys/net/ipv4/ip_forward

## flushing the tables
iptables -F
iptables -t nat -F
iptables -t mangle -F

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Protection against MSN
# -------------------------------------------------------
# Variables
# -------------------------------------------------------
echo -n "Carregando Variaveis... "
#iptables="/sbin/iptables"
IP_SERVER="192.168.0.1"
LISTA_BRANCA="192.168.0.96 192.168.0.97 192.168.0.98 192.168.0.99 192.168.0.195" # the allowed IPs go here
LAN="192.168.0.0/24"
echo "[OK]"
echo -n "Protecao contra MSN... "
echo -n "Lista Branca"
for IP in $LISTA_BRANCA; do
iptables -t nat -A PREROUTING -s $IP -p tcp --dport 1863 -j ACCEPT
echo -n "."
iptables -t nat -A PREROUTING -s $IP -p tcp --dport 5190 -j ACCEPT
echo -n "."
iptables -t nat -A PREROUTING -s $IP -p tcp --dport 6901 -j ACCEPT
echo -n "."
iptables -t nat -A PREROUTING -s $IP -d loginnet.passport.com -j ACCEPT
echo -n "."
iptables -t nat -A PREROUTING -s $IP -d webmessenger.msn.com -j ACCEPT
echo -n "."
echo -n ".[$IP OK]"
done
iptables -A FORWARD -p tcp --dport 1863 -j LOG #--log-level 6 --log-prefix "FIREWALL: MSNPort "

#iptables -t nat -A PREROUTING -s $LAN -p tcp --dport 1863 -j DROP
#iptables -t nat -A PREROUTING -s $LAN -d loginnet.passport.com -j DROP

iptables -t nat -A PREROUTING -p udp -j LOG --log-prefix "skype_udp "
iptables -t nat -A PREROUTING -p tcp -j LOG --log-prefix "skype_tcp "

# FORWARDING OF TERMINAL SERVICES PORT 3389 TO THE USERS' MACHINES
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.0.1
# RE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3388 -j DNAT --to 192.168.0.164
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3388 -j DNAT --to 192.168.0.164
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2034 -j DNAT --to 192.168.0.193
# CPNF
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3390 -j DNAT --to 192.168.0.197
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3390 -j DNAT --to 192.168.0.197
# CT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.0.185
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3389 -j DNAT --to 192.168.0.185
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4679 -j DNAT --to 192.168.0.200
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4679 -j DNAT --to 192.168.0.200
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5191 -j DNAT --to 192.168.0.200
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3387 -j DNAT --to 192.168.0.193
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3387 -j DNAT --to 192.168.0.193
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 34567 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 34567 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9090 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 34599 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 34599 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1100 -j DNAT --to 192.168.0.134
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8046 -j DNAT --to 192.168.0.117
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 8046 -j DNAT --to 192.168.0.117
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8245 -j DNAT --to 192.168.0.134
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3024 -j DNAT --to 192.168.0.193
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.0.160
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 81 -j DNAT --to 192.168.0.160
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.0.200

# ROUTING WITHOUT GOING THROUGH SQUID/SARG, PORT 80
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# INTERNET ROUTING THROUGH SQUID/SARG, PORT 80 REDIRECTED TO 3128
iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.0.0/24 --dport 80,8080 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.1.0/24 --dport 80,8080 -j REDIRECT --to-ports 3128

#iptables -t nat -A POSTROUTING eth0 -j MASQUERADE
iptables -P FORWARD ACCEPT

## masquerading the local network
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# PORT 3128 - ACCEPTED FOR THE LOCAL NETWORK
iptables -A FORWARD -i eth0 -p tcp --dport 3128 -j ACCEPT

# Redirect port 80 to 3128 (squid)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.0.0/24 --dport 80,8080 -j REDIRECT --to-ports 3128
echo "redirecionamento do Squid ...........................[ OK ]"

##iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.0.1
# RE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3388 -j DNAT --to 192.168.0.164
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3388 -j DNAT --to 192.168.0.164
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2034 -j DNAT --to 192.168.0.193
# CPNF
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3390 -j DNAT --to 192.168.0.197
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3390 -j DNAT --to 192.168.0.197
# CT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.0.185
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3389 -j DNAT --to 192.168.0.185
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4679 -j DNAT --to 192.168.0.200
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5191 -j DNAT --to 192.168.0.200
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3387 -j DNAT --to 192.168.0.193
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3387 -j DNAT --to 192.168.0.193
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 34567 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 34567 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9090 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 34599 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 34599 -j DNAT --to 192.168.0.25
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1100 -j DNAT --to 192.168.0.134
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8046 -j DNAT --to 192.168.0.117
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 8046 -j DNAT --to 192.168.0.117
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8245 -j DNAT --to 192.168.0.134
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3024 -j DNAT --to 192.168.0.193
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3024 -j DNAT --to 192.168.0.193
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.0.160
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 81 -j DNAT --to 192.168.0.160
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.0.200

# PING OF DEATH
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# SYN-FLOODS
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# BackOrifice port
iptables -A INPUT -p tcp --dport 12345 -j LOG --log-prefix "Serviço BackOrifice"

# Wincrash port
iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Serviço Wincrash"

# FTP port 21
iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Serviço FTP"

# Stealth port scanners
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# ALLOW ?
iptables -A INPUT -p icmp -j DROP

#echo 1 > /proc/sys/net/ipv4/ip_forward

exit 0


2. Re: Problems with MSN in RC.LOCAL

Marcelo
hrapytor

(uses Debian)

Sent on 04/05/2012 - 22:33h

I checked your script and you are masquerading packets from your network at two points.

# ROUTING WITHOUT GOING THROUGH SQUID/SARG, PORT 80
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

and

## masquerading the local network
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Isn't that redundant? Is it necessary?

And in this rule you are changing the FORWARD chain policy to ACCEPT: iptables -P FORWARD ACCEPT

With that rule, won't all the machines on the network pass straight through the firewall?

That may be where MSN is not being blocked.

See you.
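The rules below are an added example written for this thread; they are neither the script from the first post nor anything the second post proposed. They show the structure both posts circle around: whitelist ACCEPT rules evaluated before a LAN-wide DROP, placed in the filter table's FORWARD chain (which every routed packet traverses) rather than in nat PREROUTING (which only sees the first packet of a connection), and inserted before the general LAN allow so that the block holds whatever the FORWARD policy is set to. The LAN range, interface name and the ports 1863/5190/6901 are taken from the posted script; the whitelist addresses are constructed sample values, and the run/DRY_RUN wrapper, load_all and line_of are conveniences of this example.

```shell
#!/bin/sh
# Added example, not the script posted in the thread. Assumptions: LAN 192.168.0.0/24,
# upstream interface eth0 and the MSN ports 1863/5190/6901 come from the posted
# script; the whitelist addresses are constructed sample values.
# Invoke with "dry-run" to print the rules, or "apply" (as root) to load them.

LAN="192.168.0.0/24"
WAN_IF="eth0"
WHITELIST="192.168.0.96 192.168.0.97"   # constructed sample; adjust per site
MSN_PORTS="1863 5190 6901"              # ports the posted script associates with MSN
IPT="${IPT:-iptables}"

# run: execute one iptables command, or print it when DRY_RUN=1 (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# msn_rules: per MSN port, ACCEPT the whitelisted hosts first, then log (rate
# limited) and DROP the rest of the LAN. Filter/FORWARD, not nat/PREROUTING:
# a DROP here applies to every forwarded packet, and a matching rule wins
# regardless of the chain policy (ACCEPT in the posted script).
msn_rules() {
    for port in $MSN_PORTS; do
        for ip in $WHITELIST; do
            run -A FORWARD -s "$ip" -p tcp --dport "$port" -j ACCEPT
        done
        run -A FORWARD -s "$LAN" -p tcp --dport "$port" -m limit --limit 6/min \
            -j LOG --log-prefix "MSN blocked: "
        run -A FORWARD -s "$LAN" -p tcp --dport "$port" -j DROP
    done
}

# load_all: flush, default-deny forwarding, allow replies, then the MSN block,
# and only after it the general "LAN may go out" rule plus masquerading. If the
# general allow were appended first, the MSN rules would never be reached.
load_all() {
    run -F FORWARD
    run -t nat -F POSTROUTING
    run -P FORWARD DROP
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    msn_rules                       # must precede the general LAN allow below
    run -A FORWARD -s "$LAN" -o "$WAN_IF" -j ACCEPT
    run -t nat -A POSTROUTING -s "$LAN" -o "$WAN_IF" -j MASQUERADE
}

# line_of: 1-based position of the first dry-run rule matching PATTERN; lets a
# reviewer confirm the per-port DROP really sits before the general LAN allow.
line_of() {
    DRY_RUN=1 load_all | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    dry-run) DRY_RUN=1 load_all ;;
    apply)   load_all ;;
esac
```

Running `sh msn.sh dry-run` prints the rule list in load order without touching the kernel, which is the safest way to review ordering before `apply`. The example deliberately matches on ports and addresses only: a rule such as `-d loginnet.passport.com` is resolved to whatever address DNS returns at load time and never re-evaluated, so it is a weak match for a service that moves between addresses. Note also that under `#!/bin/sh -e` any single failing iptables command (an unresolvable hostname, an unloaded module) aborts the rest of the script silently, which is one reason to review the rule set as a list first.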