Filezilla and Iptables [SOLVED]

1. Filezilla and Iptables [SOLVED]

Israel Borges
israelborgess

(uses Debian)

Posted on 06/01/2011 - 00:55h

Good evening everyone,
I'm having trouble configuring an FTP client (FileZilla) to authenticate against my proxy. Below are my configuration files, squid.conf and firewall.sh, and a jpg of my network environment.

Network environment
Internal network
http://img508.imageshack.us/img508/79/redeinterna.jpg
Proxy user configuration
http://img191.imageshack.us/i/usuarioproxy.jpg/
FTP user configuration
http://img638.imageshack.us/i/usuarioshostfto.jpg


### Squid.conf ######
http_port 80


hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 128 MB
maximum_object_size 128096 KB
maximum_object_size_in_memory 64 KB
cache_dir ufs /var/spool/squid 2048 16 256
cache_mgr root@192.168.200.200
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite seu usuario e senha.
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

ftp_user root@192.168.200.200

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320



acl all src 0.0.0.0/0.0.0.0
acl portas port 20
acl portas port 21
http_access allow portas
acl CONNECT method CONNECT
http_access deny CONNECT !portas

acl password proxy_auth "/etc/squid/usuarios.txt"
acl manager proto cache_object
acl localhost src 192.168.0.0/24
acl to_localhost dst 192.168.0.0/24
acl SSL_ports port 80 8017 # http for sefip
acl SSL_ports port 443 # https
acl SSL_ports port 444 # sefip
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 11011 # webmin
acl Safe_ports port 80 # http
acl Safe_ports port 444 8017 # sefip
acl Safe_ports port 2678 # sefip
acl Safe_ports port 21 # ftp
acl Safe_ports port 20 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow password
http_access deny all

#######Firewall.sh#########

IPTABLES=/sbin/iptables

modprobe ip_conntrack
modprobe ip_tables
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ip_nat_ftp


#disable forwarding while the rules are rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward

#flush the NAT table
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING

#flush the filter chains
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

#Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

#ignore ICMP redirects (prevents route changes)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#protection against bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#protection against syn-flood
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#reject source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#reverse-path filter against ip spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter


#--------INPUT--------
$IPTABLES -A INPUT -i lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP

#--------OUTPUT-------
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

#------FORWARD--------
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -i eth1 -s 0.0.0.0/22 -o eth0 -j ACCEPT

#--------NAT----------
$IPTABLES -t nat -A POSTROUTING -s 0.0.0.0/22 -o eth+ -j MASQUERADE


#habilitando forward
echo 1 > /proc/sys/net/ipv4/ip_forward

#allow SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#allow port 80 (SQUID)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

#allow the FTP ports
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
# (the original had "- j", with a space, which iptables rejects)
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT

echo "Firewall started successfully"
NOTE:
- The FileZilla client shows me that I get through the proxy, I just can't reach the host.
- I've already tried another FTP client and the problem persists.
- When I access the FTP directly from the Ubuntu server, I can reach it normally, with no problems.
- I've already tried creating an ACL in Squid granting full access to the IP of the workstation running the FileZilla client.
- I've already tried creating the rule acl SSL_ports port 1024-65535 to allow the CONNECT method requests during the handshake.

With these tests I couldn't even get the username/password dialog when accessing the FTP through the browser. The only way I can get access is with user:password@domain. Can anyone help me please??
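What the post describes (FTP works with user:password@host but the proxy never asks for credentials) follows from Squid's first-match evaluation of http_access: in the posted order `http_access allow portas` sits above `http_access allow password`, so any request to port 20 or 21 is allowed before the proxy_auth ACL is ever consulted. The evaluator below is an added example, not code from the thread or from Squid; it replays the ACL names and rule order of the first post against constructed requests (a LAN client 192.168.0.10 and an FTP server 198.51.100.7 are assumptions) and compares them with an order in which port 21 is only reachable after authentication.

```python
"""Evaluator for Squid's first-match http_access semantics. Added example, not
code from the thread. It models only the ACL types in the posted squid.conf
(src, dst, port, method, proto, proxy_auth): ACLs on one http_access line are
ANDed, lines run top to bottom, the first match decides. Simplification: a
proxy_auth ACL just fails when the request has no credentials, where real
Squid would send a 407 challenge instead."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str             # client address
    dst: str             # origin-server address
    port: int            # destination port taken from the URL
    proto: str           # URL scheme: http, ftp, cache_object, ...
    method: str          # GET, CONNECT, ...
    authenticated: bool  # True when valid proxy credentials are present


def _port_matches(port, spec):
    lo, _, hi = spec.partition("-")          # "21" or "1025-65535"
    return int(lo) <= port <= int(hi or lo)


class SquidAccess:
    def __init__(self, config_text):
        self.acls = {}   # name -> [(type, value), ...]; repeated acl lines extend
        self.rules = []  # [(action, [(negated, aclname), ...]), ...] in file order
        for raw in config_text.splitlines():
            words = raw.split("#", 1)[0].split()
            if words and words[0] == "acl":
                self.acls.setdefault(words[1], []).extend((words[2], v) for v in words[3:])
            elif words and words[0] == "http_access":
                self.rules.append((words[1], [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]))

    def _match(self, name, req):
        if name not in self.acls:
            if name == "all":                # built-in since Squid 3
                return True
            raise KeyError(f"undefined ACL {name!r}")
        for typ, value in self.acls[name]:   # the values of one ACL are ORed
            if typ in ("src", "dst"):
                addr = ipaddress.ip_address(req.src if typ == "src" else req.dst)
                if addr in ipaddress.ip_network(value, strict=False):
                    return True
            elif typ == "port" and _port_matches(req.port, value):
                return True
            elif typ == "method" and req.method.upper() == value.upper():
                return True
            elif typ == "proto" and req.proto.lower() == value.lower():
                return True
            elif typ == "proxy_auth" and req.authenticated:
                return True
        return False

    def decide(self, req):
        """(action, rule) for the first http_access line whose ACLs all match."""
        for action, terms in self.rules:
            if all(self._match(name, req) != neg for neg, name in terms):
                return action, " ".join(("!" if neg else "") + name for neg, name in terms)
        # Nothing matched: Squid applies the opposite of the last line's action.
        return ("deny" if self.rules[-1][0] == "allow" else "allow"), "<default>"


# ACL names and http_access order as in the first post (purge rules left out).
ACLS = """
acl all src 0.0.0.0/0
acl portas port 20 21
acl CONNECT method CONNECT
acl manager proto cache_object
acl localhost src 192.168.0.0/24
acl to_localhost dst 192.168.0.0/24
acl SSL_ports port 80 8017 443 444 563 873 11011
acl Safe_ports port 20 21 70 80 210 280 443 444 488 591 631 777 873 901 2678 8017 1025-65535
acl password proxy_auth "/etc/squid/usuarios.txt"
"""
POSTED_ORDER = ACLS + """
http_access allow portas
http_access deny CONNECT !portas
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow password
http_access deny all
"""
# Same ACLs without the unauthenticated port-21 shortcut: 21 is already in
# Safe_ports, so "allow password" covers FTP URLs once the user has logged in.
FIXED_ORDER = ACLS + """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow password
http_access deny all
"""
LAN_CLIENT, FTP_SERVER = "192.168.0.10", "198.51.100.7"   # constructed addresses


def decision(config_text, port, proto, method="GET", authenticated=False):
    """Decide one request from the LAN client to the FTP server under a policy."""
    req = Request(LAN_CLIENT, FTP_SERVER, port, proto, method, authenticated)
    return SquidAccess(config_text).decide(req)
```

`decision(POSTED_ORDER, 21, "ftp")` returns `("allow", "portas")` with no credentials at all, while an unauthenticated HTTP request to port 80 falls through to `deny all`; that asymmetry is exactly why the browser never showed a login prompt for FTP. Under `FIXED_ORDER` the same anonymous FTP request ends at `deny all` and only succeeds with `authenticated=True`. Two caveats the model also makes visible: the ACL named `localhost` is really the whole 192.168.0.0/24, so `allow manager localhost` opens the cache manager to every LAN host, and after any reordering `squid -k parse` is the cheap way to catch a typo before reloading.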




  


2. Re: Filezilla and Iptables [SOLVED]

Israel Borges
israelborgess

(uses Debian)

Posted on 29/01/2011 - 18:24h

Thanks to the community members for their help; below is the resolution of my problem.

Solution: The order of the rules was not correct. The rules and their positions were adjusted. The result follows:

### Squid.conf ####

http_port 80

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
cache_mem 128 MB
maximum_object_size 128096 KB
maximum_object_size_in_memory 64 KB
cache_dir ufs /var/spool/squid3 2048 16 256
cache_mgr root@192.168.200.200
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts

ftp_passive off

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm Digite seu usuario e senha.
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

ftp_user usuario@dominio

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl rede_local src 0.0.0.0/22

acl liberados url_regex "/etc/squid3/liberados"

http_access deny liberados

acl CONNECT method CONNECT

acl password proxy_auth "/etc/squid3/usuarios.txt"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl SSL_ports port 80 8017 # http for sefip
acl SSL_ports port 443 # https
acl SSL_ports port 444 # sefip
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 11011 # webmin
acl Safe_ports port 80 # http
acl Safe_ports port 444 8017 # sefip
acl Safe_ports port 2678 # sefip
acl Safe_ports port 21 # ftp
acl Safe_ports port 20 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl portas port 21
acl ftp proto FTP
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow CONNECT portas
http_access allow portas
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow password
http_access allow rede_local
http_reply_access allow all
always_direct allow FTP
http_access allow ftp
http_access deny all

debug_options ALL,1 33,2 28,9


--------------------------------------------------------------------------------

### iptables.sh

IPTABLES=/sbin/iptables

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_tables
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_REJECT

#disable forwarding while the rules are rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward

#flush the NAT table
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING

#flush the filter chains
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

#Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

## Stateful rules: accept packets of connections already tracked (RELATED covers FTP data connections via ip_conntrack_ftp)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#--------NAT----------
$IPTABLES -t nat -A POSTROUTING -s 0.0.0.0/22 -o eth+ -j MASQUERADE

#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#allow SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#allow port 80 (SQUID)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

#allow the FTP ports
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth+ -s 0/0 -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth+ -s 0/0 -p tcp --sport 20:21 -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A FORWARD -p tcp -s 0.0.0.0/0.0.0.0 -d 189.48.110.10 --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 0.0.0.0/0.0.0.0 -d 189.48.110.10 --dport 21 -j ACCEPT


echo "Firewall started successfully"

As for the FileZilla client configuration, it remains as in the image linked below:

http://img191.imageshack.us/i/usuarioproxy.jpg/

Thanks again for everyone's help, and I'm available for any questions.
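The two things the solution adds on the firewall side, `modprobe ip_conntrack_ftp` / `ip_nat_ftp` and `ftp_passive off` in Squid, only make sense together with the `RELATED,ESTABLISHED` rules: the FTP data connection is a second TCP connection whose address and port are negotiated inside the control channel, and under a DROP policy it is only accepted if conntrack has been told to expect it. The model below is an added example, not code from the thread or from the kernel; it reproduces what the helpers do with PORT and 227 messages on constructed addresses (a LAN client 192.168.0.10, a MASQUERADE gateway 203.0.113.5 and a server 198.51.100.7 are all assumptions) and classifies the resulting data SYN the way `-m state` would.

```python
"""Model of what the kernel's FTP conntrack/NAT helpers (ip_conntrack_ftp,
ip_nat_ftp) do for the gateway in the solution above: read the control
channel, turn PORT / 227 messages into an expected data connection, rewrite
the private address in PORT for a masqueraded client, and classify the data
SYN as RELATED so the ESTABLISHED,RELATED rules accept it. Added example,
not code from the thread; all addresses and FTP lines are constructed."""
import re
from dataclasses import dataclass

CLIENT, GATEWAY, SERVER = "192.168.0.10", "203.0.113.5", "198.51.100.7"

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Expectation:
    mode: str    # "active": server opens the data connection; "passive": client does
    src: str     # address that will send the data-connection SYN
    dst: str
    dport: int


def decode_hostport(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def expect_from_control(line, client_ip, server_ip):
    """Expectation implied by one control-channel line, or None.

    An address that differs from the peer that sent the command is ignored,
    mirroring the kernel helper's default (its 'loose' parameter off); that
    refuses the classic FTP bounce, where a client asks the server to open a
    data connection to some third host.
    """
    m = PORT_RE.match(line)             # client -> server, active mode
    if m:
        ip, port = decode_hostport(m.groups())
        return Expectation("active", server_ip, ip, port) if ip == client_ip else None
    m = PASV_RE.match(line)             # server -> client, passive mode
    if m:
        ip, port = decode_hostport(m.groups())
        return Expectation("passive", client_ip, ip, port) if ip == server_ip else None
    return None


def nat_rewrite_port(line, private_ip, public_ip):
    """What ip_nat_ftp does to a PORT command leaving a MASQUERADE gateway:
    the client's private address is replaced by the gateway's address, so the
    server can actually reach it. (The real helper may also pick a new port;
    the port is kept here for clarity.)"""
    m = PORT_RE.match(line)
    if not m:
        return line
    ip, port = decode_hostport(m.groups())
    return "PORT " + encode_hostport(public_ip, port) if ip == private_ip else line


def classify(expectations, src, dst, dport):
    """Conntrack state of a fresh TCP SYN: RELATED if an expectation covers it,
    else NEW. With policy DROP and only ESTABLISHED,RELATED accepted, NEW is
    what gets dropped, which is the silent failure the thread started with."""
    for e in expectations:
        if (e.src, e.dst, e.dport) == (src, dst, dport):
            return "RELATED"
    return "NEW"


def demo():
    """Walk an active-mode and a passive-mode exchange through the helper."""
    port_cmd = "PORT " + encode_hostport(CLIENT, 5000)            # client announces 192.168.0.10:5000
    lan_side = expect_from_control(port_cmd, CLIENT, SERVER)      # what is seen on the LAN side
    on_wire = nat_rewrite_port(port_cmd, CLIENT, GATEWAY)         # what leaves the gateway
    wan_side = expect_from_control(on_wire, GATEWAY, SERVER)      # what the gateway must expect back
    pasv = "227 Entering Passive Mode (" + encode_hostport(SERVER, 40001) + ")"
    passive = expect_from_control(pasv, CLIENT, SERVER)
    bounce = expect_from_control("PORT 10,0,0,1,0,22", CLIENT, SERVER)   # third-party address
    return lan_side, on_wire, wan_side, passive, bounce


if __name__ == "__main__":
    lan_side, on_wire, wan_side, passive, bounce = demo()
    print(on_wire, wan_side, passive, bounce, sep="\n")
    print("with helper:", classify([wan_side], SERVER, GATEWAY, 5000))
    print("without helper:", classify([], SERVER, GATEWAY, 5000))
```

In active mode (what `ftp_passive off` makes Squid use) the server is the one that connects back, from its port 20 to the port the client announced; without the NAT rewrite the announced address is the private 192.168.0.10, and without the conntrack expectation the incoming SYN is NEW and hits the DROP policy even though port 20 "is open". In passive mode the roles flip and it is the client's outbound SYN to the server's high port that needs the expectation on the FORWARD path. On a modern kernel the same helpers are called nf_conntrack_ftp and nf_nat_ftp, and since the automatic helper assignment was turned off by default they also need a `-j CT --helper ftp` rule in the raw table to be attached to port-21 traffic.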





