Servidor Linux Bloqueando Outlook, incredmail...
1. Servidor Linux Bloqueando Outlook, incredmail...
marcelohbr
(usa CentOS)
Enviado em 22/06/2012 - 17:55h
Boa tarde galera!Estou com um problema aki na empresa onde trabalho que eh o seguinte:
O meu servidor linux esta bloqueando o envio e recebimento de emails por smtp e pop3, uso normalmente o outlook, porem, testei tambem com o incredmail e nada resolveu.
Uso proxy squid nao autenticado e firewall iptables.
Soh quando acrescento essa regra:
# IP Assistencia
#iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.116 -d 0/0 -p tcp -j ACCEPT
#iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 0/0 -d 192.168.0.116 -p tcp -j ACCEPT
no meu firewall que consigo enviar e receber emails, porem, fico sem os logs e o controle desse micro se eu tirar o proxy do navegador.
Alguem pode me dar uma ajuda aki?
Segue o meu firewall:
echo "1" > /proc/sys/net/ipv4/ip_forward
#Limpando Regras
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
#Definindo politica padrao
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#Comunicacao entre processos Loopback
iptables -A INPUT -i lo -j ACCEPT
#libera acesso a porta do sintegra
iptables -A OUTPUT -p tcp --dport 8017 -j ACCEPT
iptables -A OUTPUT -p udp --dport 8017 -j ACCEPT
# ICMP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
# Regra criada para o DHCP
iptables -A OUTPUT -o eth1 -p UDP --sport 67 --dport 68 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p UDP --sport 68 --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p UDP --sport 67 --dport 68 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p UDP --sport 68 --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
# DNS
iptables -A INPUT -i eth1 -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT
# SSH e FTP rede interna
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --dport 21 --syn -j ACCEPT
# SSH rede exterma
iptables -A INPUT -i ppp0 -s 0/0 -p tcp --dport 22 --syn -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 22 --syn -j ACCEPT
#Webmin rede interna
iptables -A INPUT -p tcp -s 192.168.0.0/24 -d 0/0 --dport 10000 --syn -j ACCEPT
#Webmin rede externa
iptables -A INPUT -i ppp0 -s 0/0 -p tcp --dport 10000 --syn -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 10000 --syn -j ACCEPT
iptables -A INPUT -i ppp0 -s 0/0 -p tcp --dport 10000 --syn -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 10000 -j ACCEPT
# NetBIOS rede interna
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --dport 137:139 --syn -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -p udp --dport 137:139 -j ACCEPT
# Acesso interno ao PROXY
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.0.1 -p tcp --dport 3128 --tcp-flags ACK,SYN SYN -j ACCEPT
#Pacotes TCP e UDP de retorno sempre abertos (ACK)
iptables -A INPUT -s 0/0 -d 0/0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p udp -m state --state ESTABLISHED -j ACCEPT
#Nat Reverso E-Mail
#iptables -t nat -A PREROUTING -s 0/0 -d 0/0 -p tcp --dport 5900 -j DNAT --to 10.0.1.50:5900
#iptables -A FORWARD -s 0/0 -d 192.168.2.2 -p tcp --dport 25 -j ACCEPT
#iptables -A FORWARD -s 192.168.2.2 -d 0/0 -p tcp --sport 25 -j ACCEPT
# Regra de masquerading
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
# Regras de roteamento
# Acesso interno ao SMTP e POP Outlook
iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.0.0/24 -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.0.0/24 -p tcp --sport 110 -j ACCEPT
#NTP
iptables -A FORWARD -p udp --dport 123 -j ACCEPT
#Libera forward - Acesso sem proxy
# IP Assistencia
#iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.116 -d 0/0 -p tcp -j ACCEPT
#iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 0/0 -d 192.168.0.116 -p tcp -j ACCEPT
# IP Assistencia
#iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.1.108 -d 0/0 -p tcp -j ACCEPT
#iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 0/0 -d 192.168.1.108 -p tcp -j ACCEPT
###################################### REGRA MARCELO ############################################
# Linux
#iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.1.115 -d 0/0 -p tcp -j ACCEPT
#iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 0/0 -d 192.168.1.115 -p tcp -j ACCEPT
# Micro Marcelo
#iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.1.122 -d 0/0 -p tcp -j ACCEPT
#iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 0/0 -d 192.168.1.122 -p tcp -j ACCEPT
#Libera MSN Marcelo
#iptables -A FORWARD -o ppp0 -p tcp -s 192.168.1.195/24 -m multiport --dports 1863,7001 -j ACCEPT
#iptables -A FORWARD -o ppp0 -p udp -s 192.168.1.195/24 --dport 7001 -j ACCEPT
#iptables -A FORWARD -i ppp0 -p tcp -d 192.168.1.195/24 -m multiport --sports 1863,7001 -j ACCEPT
#iptables -A FORWARD -i ppp0 -p udp -d 192.168.1.195/24 --sport 7001 -j ACCEPT
#################################################################################################
# Bloqueia MSN Geral
#iptables -A FORWARD -o ppp0 -p tcp -m multiport --dports 1863,7001 -j DROP
#iptables -A FORWARD -o ppp0 -p udp --dport 7001 -j DROP
#############################################################################################
# Sicoob CEDENTE
iptables -A OUTPUT -p tcp --dport 5006 -j ACCEPT # Conexao com a base da cooperativa
iptables -A OUTPUT -p udp --dport 5006 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8080 -j ACCEPT # Envio de arquivo de movimento
iptables -A OUTPUT -p udp --dport 8080 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 189.75.117.230/24 -p tcp -j ACCEPT # Conexao com a base d
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 189.75.117.230/24 -p tcp -j ACCEPT # Envio de arquivo de
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 189.75.117.230/24 -p udp -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 189.75.117.230/24 -p udp -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 189.75.117.230/24 -d 192.168.0.0/24 -p tcp -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 189.75.117.230/24 -d 192.168.0.0/24 -p udp -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 189.75.117.230/24 -d 192.168.0.0/24 -p tcp -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 189.75.117.230/24 -d 192.168.0.0/24 -p udp -j ACCEPT
# LIBERANDO VIVO VPN W VIVO 360
#iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
#iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 200.142.128.120/24 -p tcp -j ACCEPT
#iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 200.142.128.18/24 -p tcp -j ACCEPT
# Liberando o OUTLOOK
iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 200.165.132.155 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.165.132.155 --sport 53 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 -d 200.165.132.147 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.165.132.147 --sport 53 -d 192.168.0.0/24 -j ACCEPT
#iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
# Regra especifica NF-e
iptables -t nat -A PREROUTING -p tcp -d 201.55.62.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d 201.55.62.0/24 --dport 80 -j ACCEPT
# Liberando acesso a NFE (Nota fiscal Eletronica)
iptables -t nat -I PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -d 200.189.133.249 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -s 192.168.0.0/24 -d 200.189.133.247 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.189.133.249 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.189.133.249 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.189.133.247 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.189.133.247 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 4199 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.0.0/24 -p tcp --dport 5656 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
# Liberar Conexao TED
iptables -A OUTPUT -p tcp --dport 8017 -j ACCEPT
iptables -A OUTPUT -p udp --dport 8017 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 201.16.234.27/24 -p tcp -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 200.166.92.27/24 -p tcp -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 201.16.234.27/24 -p udp -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s 192.168.0.0/24 -d 200.166.92.27/24 -p udp -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 201.16.234.27/24 -d 192.168.0.0/24 -p tcp -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 201.16.234.27/24 -d 192.168.0.0/24 -p udp -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 200.166.92.27/24 -d 192.168.0.0/24 -p tcp -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o eth1 -s 200.166.92.27/24 -d 192.168.0.0/24 -p udp -j ACCEPT
# Fecha o roteamento com destino a porta 80 e 443
iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -p tcp --sport 1:65535 --dport www -j DROP
iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -p tcp --sport 1:65535 --dport 443 -j DROP
iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -p tcp -j DROP
# Libera o roteamento DNS
iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 0/0 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.0.0/24 -p tcp --sport 53 -j ACCEPT
#Log do Firewall
iptables -A INPUT -p tcp -j LOG
# Fecha todo o resto do roteamento
iptables -A INPUT -s 0/0 -d 0/0 -j LOG
iptables -A INPUT -s 0/0 -d 0/0 -j DROP
iptables -A FORWARD -s 0/0 -d 0/0 -j LOG
iptables -A FORWARD -s 0/0 -d 0/0 -j DROP
O meu squid esta apenas monitorando por enquento, ou seja, eu ainda nao o coloquei que bloquear nada.
As unicas coisas que acrescentei foram:
acl rede src 192.168.0.0/255.255.255.0
http_access allow rede.
Desde já agradeço a todos que se disponibilizaram a me ajudar!
Marcelo Rodrigues
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
