Hello everyone,
I put the rules in my firewall just as you told me, but when I redirect to port 3128 the page does not open, and in Squid's access.log it looks like this:
986490810.828 3 192.168.1.10 NONE/400 1104 GET /[MATRIX]/ - NONE/- -
986490931.130 3 192.168.1.10 NONE/400 1104 GET /[MATRIX]/ - NONE/- -
986491173.054 3 192.168.1.10 NONE/400 1104 GET /[MATRIX]/ - NONE/- -
986491196.831 3 192.168.1.10 NONE/400 1086 GET / - NONE/- -
Error returned in the browser:
The following error was encountered:
Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:
Missing or incorrect access protocol (should be `http://'' or similar)
Missing hostname
Illegal double-escape in the URL-Path
Illegal character in hostname; underscores are not allowed
Unlike what should appear when I specify the port in the browser:
986384983.712 18998 192.168.1.10 TCP_MISS/200 925 GET http://www.antunes.eti.br/ - DIRECT/200.197.180.16 text/html
986384984.906 1192 192.168.1.10 TCP_MISS/200 768 GET http://www.antunes.eti.br/header.html - DIRECT/200.197.180.16 text/html
My firewall script looks like this:
*******************
#!/bin/sh
# Masqueraing Firewall
# Script for IPChains on Linux 2.2.14 kernel
# Change IPCHAINS to the correct path for your system
IPCHAINS=/sbin/ipchains
# Change INETDEV to the network device connected to the Internet (ppp0/eth0)
# This is ppp0 by default for dial-up connections. Most cable modem users
# will probably want eth0 or possibly eth1. When in doubt look at the command
# 'ifconfig'.
#INETDEV="ppp0"
INETDEV="eth1"
# Change LAN to the correct network address and network mask for your LAN
# this can be found by using ifconfig from one of the clients
LAN="192.168.1.0/24"
INETLAN="172.18.1.100/30"
# Change LANDEV to the network device connected to your LAN
LANDEV="eth0"
# There should be no need to change this
LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d \ -f 1`
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
if [ "${NETWORKING}" = "no" ]
then
exit 0
fi
case "$1" in
start)
gprintf "Iniciando o serviço de %s: " "IPChains"
echo
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo ""
echo "FireMasq version 0.7 by Dr. Teeth (2001)"
echo "---------------------------------------------------------"
echo "Local Network Device: $LANDEV"
echo "Local IP: $LOCALIP"
echo "Local Network Address: $LAN"
echo "External Network Device: $INETDEV"
echo "---------------------------------------------------------"
echo ""
#Set default chain policy
echo -n "Setting default chain policies..."
$IPCHAINS -P input DENY
$IPCHAINS -P forward DENY
$IPCHAINS -P output ACCEPT
echo " Done!"
#Flush all chains
echo -n "Flushing chains..."
$IPCHAINS -F
$IPCHAINS -X
echo " Done!"
#Add custom chains - CREATES THE CHAINS
echo -n "Adding custom chains..."
$IPCHAINS -N inet-in
$IPCHAINS -N inet-out
echo " Done!"
#Set input rules - EVERYTHING THAT ARRIVES AT THE MACHINE
echo -n "Setting rules for input chain..."
$IPCHAINS -A input -s $LAN -d $LAN -j ACCEPT
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
$IPCHAINS -A input -p tcp -s $LAN -d 0.0.0.0/0 www -j REDIRECT 3128 -l
$IPCHAINS -A input -s $LAN -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-in
echo " Done!"
#Set forward rules - EVERYTHING THAT IS FORWARDED
echo -n "Setting rules for forward chain..."
$IPCHAINS -A forward -s $LAN -d $LAN -j ACCEPT
$IPCHAINS -A forward -s $LOCALIP -d 0.0.0.0/0 -j ACCEPT
echo " Done!"
#Activate masquerade - ENABLES MASQUERADING
echo -n "Activating masquerade..."
$IPCHAINS -A forward -s $LAN -d 0.0.0.0/0 -j MASQ
$IPCHAINS -M -S 7200 10 60
echo "Done!"
#Set output rules - EVERYTHING THAT LEAVES
echo -n "Setting rules for output chain..."
$IPCHAINS -A output -s $LAN -d $LAN -j ACCEPT
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo -j ACCEPT
$IPCHAINS -A output -s $LAN -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -i $INETDEV -j inet-out
echo " Done!"
#Set inet-in rules
echo "Setting rules for internet device incoming chain:"
# Everything that is www is redirected to port 3128 (Squid); the rest is
# routed onward.
#echo -n " Redirecionando acesso a www para o Squid(3128)..."
#$IPCHAINS -A inet-in -p TCP -s 0.0.0.0/0 -d 0.0.0.0/0 www -j REDIRECT 3128
#echo " Done!"
echo -n " Setup port blocking on vulnerable ports..."
#Block NetBios
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 netbios-ns:netbios-ssn -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 netbios-ns:netbios-ssn -j DENY -l
#Block NFS
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 2049 -j DENY -l
#Block postgres
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 postgres -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 postgres -j DENY -l
#Block X
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 5999:6003 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 5999:6003 -j DENY -l
#Block XFS
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 7100 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 7100 -j DENY -l
#Block Back Orifice
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 31337 -j DENY -l
#Block netbus
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 12345:12346 -j DENY -l
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 12345:12346 -j DENY -l
echo " Done!"
echo -n " Allowing ssh, dns, and icmp (ping/traceroute) traffic..."
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 3128 -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 ssh -d 0.0.0.0/0 -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ssh -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 auth -j ACCEPT
$IPCHAINS -A inet-in -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 1023:65535 -j ACCEPT
$IPCHAINS -A inet-in -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 1023:65535 -j ACCEPT
$IPCHAINS -A inet-in -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
echo " Done!"
echo -n " Setting default input to DENY..."
$IPCHAINS -A inet-in -s 0.0.0.0/0 -d 0.0.0.0/0 -j DENY -l
echo " Done!"
#Set inet-out rules
echo "Setting rules for internet device outgoing chain:"
echo -n " Setting TOS flags for www, telnet, ssh, and ftp..."
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 www -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 telnet -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ssh -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ftp -t 0x01 0x10
$IPCHAINS -A inet-out -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 ftp-data -t 0x01 0x08
echo " Done!"
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_raudio
;;
stop)
gprintf "Parando o serviço de %s: " "IPChains"
echo
/sbin/ipchains --flush
;;
*)
gprintf "Uso: firewall.sh (start|stop)"
echo
;;
esac
exit 0
*******************
What am I doing wrong?
Thank you.
Cristiano Sepe
Systems Analyst
DATAPAR S.R.L. Informática
Ciudad del Este - PY
--------------------------
@ home: [EMAIL PROTECTED]
Subscribers on 05/04/2001: 2181
Messages received since 07/01/1999: 107894
History and [un]subscription: http://linux-br.conectiva.com.br
Administrative matters and problems with the list:
mailto:[EMAIL PROTECTED]
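The two kinds of access.log entries in the post above differ in one field: the working requests (TCP_MISS/200) carry an absolute URL with scheme and host, while the redirected ones (NONE/400, "Invalid URL", "Missing hostname") carry only a path such as /[MATRIX]/ or /. That is exactly what a browser sends when it does not know a proxy is in the way, so the ipchains REDIRECT rule is delivering traffic, but Squid is not treating it as intercepted traffic and rejects the origin-form request line. The following is an added example, not code from the post or from Squid: a small parser for Squid's native access.log format that flags such proxy-unaware requests, run over sample lines constructed from the log excerpts above.

```python
"""Flag Squid access.log entries whose URL lacks scheme and host.

Squid's native log format (space separated):
  timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer content_type
A proxy-aware client sends absolute URLs; an intercepted (redirected) client
sends only the path, which a non-transparent Squid answers with 400.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample built from the log lines quoted in the post.
SAMPLE_LOG = """\
986490810.828 3 192.168.1.10 NONE/400 1104 GET /[MATRIX]/ - NONE/- -
986490931.130 3 192.168.1.10 NONE/400 1104 GET /[MATRIX]/ - NONE/- -
986491196.831 3 192.168.1.10 NONE/400 1086 GET / - NONE/- -
986384983.712 18998 192.168.1.10 TCP_MISS/200 925 GET http://www.antunes.eti.br/ - DIRECT/200.197.180.16 text/html
986384984.906 1192 192.168.1.10 TCP_MISS/200 768 GET http://www.antunes.eti.br/header.html - DIRECT/200.197.180.16 text/html
"""

# RFC 3986 scheme followed by "://"; anything else is an origin-form path.
ABSOLUTE_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str        # Squid result code, e.g. TCP_MISS or NONE
    status: int        # HTTP status; 0 when Squid logged "-"
    size: int
    method: str
    url: str
    hierarchy: str     # e.g. DIRECT/200.197.180.16 or NONE/-
    content_type: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for short or blank lines."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    return Entry(
        timestamp=float(parts[0]),
        elapsed_ms=int(parts[1]),
        client=parts[2],
        result=result,
        status=int(status) if status.isdigit() else 0,
        size=int(parts[4]),
        method=parts[5],
        url=parts[6],
        hierarchy=parts[8],
        content_type=parts[9],
    )


def is_proxy_unaware(entry: Entry) -> bool:
    """True when the logged URL has no scheme/host, i.e. the client spoke
    origin-form HTTP as if talking to the web server directly."""
    if entry.method == "CONNECT":
        return False  # CONNECT legitimately carries host:port, not a URL
    return ABSOLUTE_URL.match(entry.url) is None


def audit(log_text: str) -> Dict[str, object]:
    """Summarise how many requests arrived proxy-unaware and from which clients."""
    entries: List[Entry] = [e for e in map(parse_line, log_text.splitlines()) if e]
    unaware = [e for e in entries if is_proxy_unaware(e)]
    return {
        "total": len(entries),
        "proxy_unaware": len(unaware),
        "status_400_among_unaware": sum(1 for e in unaware if e.status == 400),
        "clients": sorted({e.client for e in unaware}),
    }


if __name__ == "__main__":
    summary = audit(SAMPLE_LOG)
    print(summary)
    if summary["proxy_unaware"]:
        print("Intercepted traffic is reaching Squid but is not handled as "
              "transparent/intercepted; check the Squid side, not the REDIRECT rule.")
```

Run against a real access.log (`audit(open("/var/log/squid/access.log").read())`, path assumed) a non-zero proxy_unaware count paired with NONE/400 results points at the Squid configuration rather than at ipchains: the packets are being redirected, and Squid needs to be told that port 3128 receives intercepted origin-form requests (in Squid 2.x-era configs the httpd_accel_* directives; in later releases the transparent/intercept option on http_port).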