Pessoal, boa tarde!
Estou enfrentando um pequeno problema em minha estrutura. Configurei o firewall e o proxy (squid3) na mesma máquina. Porém, quando tento receber e-mail pelo outlook ou mesmo pelo thunderbird, não funciona. Detalhes: - o firewall está todo accept, não está bloqueando nada. - se tirar o proxy funciona. Irei postar meu squid.conf e o meu firewall também, se alguém puder me dar alguma dica. Abraços a todos # cat firewall #!/bin/bash echo "#################################################################" echo "## Iniciando o IPTables... ##" echo "#################################################################" echo ####################################################################### ## Variáveis ## ####################################################################### echo "Criando variaveis ..."; echo vIth_net='eth0'; # interface de rede responsável por receber link Embratel vIth_adm='eth1'; # interface de rede direcionada a rede interna vIth_dmz='eth2'; # interface de rede direcionada a rede DMZ vIptables='/sbin/iptables'; # caminho do executável do comando iptables vModprobe='/sbin/modprobe'; # caminho do execitável do comamdo modprobe vPortWorms=31337,33270,1234,6711,16660,60001,12345,12346,1524,27665,27444,31335,6000,6001,6002 # portas sujeitas ao ataque de trojan vPortasAltas=1024:65535 vIp_net='200.243.63.139'; # IP configurado na interface eth0 - IP embratel vIp_dmz='192.168.217.1'; # IP configurado na interface eth1 - recebe do servidor dhcp - gateway da rede iterna vIp_adm='192.168.217.33'; # IP configurado na interface eth1 - gateway da rede DMZ vLan_lfwl='192.168.217.0/27'; # sub-rede firewall vLan_ldmz='192.168.217.32/27'; # sub-rede DMZ vLan_lsti='192.168.217.64/27'; # sub-rede TI ( Segurança e Tecnologia da Informação ) vLan_ladm='192.168.217.96/27'; # Sub-rede administração vLan_lsup='192.168.217.128/27'; # sub-rede suporte vLan_lpro='192.168.217.160/27'; # sub-rede produção vLan_lcon='192.168.217.192/27'; # sub-rede convidada 
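vLan_lwir='192.168.217.224/27'   # wireless subnet
vIP_SMB='192.168.200.34'         # file server (SMB) — the only server IP used by a visible rule
vIP_WEB='192.168.200.35'         # web server (not referenced by any rule visible in this script)
vIP_APL='192.168.200.36'         # application server (not referenced by any visible rule)
vIP_SDB='192.168.200.37'         # database server (not referenced by any visible rule)

#######################################################################
## Flush all rules                                                   ##
#######################################################################
echo "Limpando as regras ..."; echo
# Flush the filter and nat tables, delete user-defined chains and zero the
# counters so every run starts from an empty ruleset.  Several calls are
# redundant (a bare -F already flushes INPUT/OUTPUT/FORWARD) but harmless.
# Note that flushing does NOT reset chain policies; those are set below.
fClearRules() {
  "$vIptables" -F
  "$vIptables" -X
  "$vIptables" -t nat -F
  "$vIptables" -F INPUT
  "$vIptables" -F OUTPUT
  "$vIptables" -F FORWARD
  "$vIptables" -Z
  "$vIptables" -t nat -F PREROUTING
  "$vIptables" -t nat -F OUTPUT
  "$vIptables" -t nat -F POSTROUTING
  "$vIptables" -Z -t nat
}
fClearRules

#################################################################
## Enable routing between interfaces                           ##
#################################################################
echo "Habilita roteamento entre placas ..."; echo
# Turn on IPv4 forwarding; without it nothing reaches the FORWARD chain.
fIpForward() {
  echo "1" > /proc/sys/net/ipv4/ip_forward
}
fIpForward

#######################################################################
## Load kernel modules                                               ##
#######################################################################
echo "Carregando modulos..."
echo
# Load the netfilter helper modules in the original order.  These are the
# legacy ip_conntrack*/ipt_* names; NOTE(review): on newer kernels the
# equivalents are nf_conntrack*/xt_* and are usually autoloaded — confirm on
# the target kernel.  A failed modprobe is not checked, as in the original.
fModprobe() {
  local mod
  for mod in iptable_nat ip_conntrack_ftp ip_nat_ftp ip_conntrack \
             ip_conntrack_irc ip_nat_irc ipt_state ip_tables ipt_REDIRECT \
             ipt_LOG ipt_REJECT ipt_MASQUERADE ipt_limit; do
    "$vModprobe" "$mod"
  done
}
fModprobe

#######################################################################
## Default policy                                                    ##
#######################################################################
echo "Criando Politica Padrao ..."; echo
# Fix: the original defined this function as fDefaulPolicy (missing "t")
# but called fDefaultPolicy, so the call failed with "command not found",
# the policies kept whatever value they had before the flush, and the
# loopback rule was never installed.  The definition now matches the call.
#
# All three chains are ACCEPT, so anything not matched by an explicit rule
# is permitted; the ACCEPT rules further down only change behaviour if the
# policy is later switched to DROP.
fDefaultPolicy() {
  "$vIptables" -P INPUT ACCEPT
  "$vIptables" -P FORWARD ACCEPT
  "$vIptables" -P OUTPUT ACCEPT
  "$vIptables" -A INPUT -i lo -j ACCEPT
}
fDefaultPolicy

#######################################################################
## SNAT - rewrite source address of outbound traffic                 ##
#######################################################################
echo "Habilitando Internet ..."
echo
# Source-NAT every internal /27 to the public address when leaving through
# the uplink interface.  The original wrapped the vLan_ladm line in '*'
# characters (most likely e-mail emphasis markup; if they were really in the
# file that line never ran because '*' glob-expanded into the command name).
# They are dropped here so all eight subnets are treated identically.
snat_lans=("$vLan_lfwl" "$vLan_ldmz" "$vLan_lsti" "$vLan_ladm"
           "$vLan_lsup" "$vLan_lpro" "$vLan_lcon" "$vLan_lwir")
for lan in "${snat_lans[@]}"; do
  "$vIptables" -v -t nat -A POSTROUTING -s "$lan" -o "$vIth_net" -j SNAT --to "$vIp_net"
done

echo "Estabilizando conexões ..."; echo
# Stateful pass-through: replies to connections opened from the inside are
# accepted here, so no separate rule for return traffic is needed.
"$vIptables" -v -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$vIptables" -v -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#######################################################################
## ACCEPT rules                                                      ##
#######################################################################
# fForwardOut LAN PROTO PORT...
# Allow new PROTO connections from LAN to any destination on each PORT.
# All rules are added with -v (the original used -v only for the ladm
# block); -v only makes iptables echo the rule it installed.
fForwardOut() {
  local lan=$1 proto=$2 port
  shift 2
  for port in "$@"; do
    "$vIptables" -v -A FORWARD -p "$proto" -s "$lan" -d 0/0 --dport "$port" -j ACCEPT
  done
}

echo "Politicas ACCEPT - lfwl - Firewall ..."
# Web 80/8080/8081 and DNS 53
fForwardOut "$vLan_lfwl" tcp 80 8080 8081 53
fForwardOut "$vLan_lfwl" udp 53
# The TI subnet may reach the firewall subnet on any port and protocol.
"$vIptables" -A INPUT -s "$vLan_lsti" -d "$vLan_lfwl" -j ACCEPT

echo "Politicas ACCEPT - ldmz - DMZ ..."
# Web 80/8080/8081 and DNS 53
fForwardOut "$vLan_ldmz" tcp 80 8080 8081 53
fForwardOut "$vLan_ldmz" udp 53

echo "Politicas ACCEPT - ladm - Administração ..."
# Web 80/8080/8081, HTTPS 443, DNS 53, mail 25/110/587/993/995
fForwardOut "$vLan_ladm" tcp 80 8080 8081 443 53 25 110 587 993 995
fForwardOut "$vLan_ladm" udp 53
# Reply traffic is already covered by the ESTABLISHED,RELATED rule above.
# These source-port-only rules carry no -s/-d restriction: they add nothing
# under the current ACCEPT policy and, under a DROP policy, would admit any
# TCP packet whose source port happens to be 25/110/587 regardless of host.
# Kept for fidelity with the original; consider removing them.
"$vIptables" -v -A FORWARD -p tcp --sport 25 -j ACCEPT
"$vIptables" -v -A FORWARD -p tcp --sport 110 -j ACCEPT
"$vIptables" -v -A FORWARD -p tcp --sport 587 -j ACCEPT
# The original text is cut here: the arguments of this command
# (-A FORWARD -p tcp --sport 993 -j ACCEPT) continue on the next line of
# the file, outside this block.
"$vIptables" -v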
-A FORWARD -p tcp --sport 993 -j ACCEPT $vIptables -v -A FORWARD -p tcp --sport 995 -j ACCEPT* # Servidor de arquivos SAMBA 137 138 139 445 $vIptables -v -A FORWARD -p tcp -s $vLan_ladm -d $vIP_SMB -m multiport --dport 137,138,139,445 -j ACCEPT ********************************************************************************************************************************************************************************************** # cat /etc/squid3/squid.conf # Configuracao Squid3 # identificacao host_ip e porta http_port 192.168.217.1:3128 # Nome atribuido ao proxy visible_hostname firewall icp_port 3130 hierarchy_stoplist cgi-bin ? # Definindo o cache que será armazenado em memoria cache_mem 1024 MB # Define o tamanho max de um arquivo em memoria maximum_object_size_in_memory 128 KB # Define tamanho max do arquivo armazenado maximum_object_size 512 MB # Define tamanho min do arquivo em cache minimum_object_size 0 KB # Define o percentual em que o squid iniciara o descarte de arquivos # mais antigos. cache_swap_low 90 cache_swap_high 95 # Ajustando o cache em disco : Iremos especificar 512Mb de cache, com 128 #diretorios e 256 subdiretorios. cache_dir ufs /var/spool/squid3 1024 128 256 # Atualizacao do cache refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 
0 20% 4320
# The cache can be configured to keep downloading requests the client aborted.
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
# Start of the filtering policy
acl all_network src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
# NOTE(review): declared as "SSl_ports" (lower-case L) but referenced below as
# "SSL_ports".  Confirm that this Squid version resolves ACL names
# case-insensitively, or rename the declaration to SSL_ports to remove the doubt.
acl SSl_ports port 443
# Safe_ports is consumed by the FIRST http_access rule below ("allow Safe_ports"),
# which admits any request to one of these ports from ANY source before the
# per-network ACLs and the CONNECT restriction are evaluated.  Because the list
# includes 1025-65535, that also allows CONNECT tunnels to any high port; the
# "deny CONNECT !SSL_ports" line further down can never match such requests.
# The stock squid.conf order is: deny !Safe_ports, deny CONNECT !SSL_ports,
# then allow per source network.
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 3389 # Microsoft Terminal Services (RDP)
# Mail ports.  These only affect requests that actually pass through Squid
# (e.g. CONNECT tunnels); a mail client speaking POP3/IMAP/SMTP directly to
# the server never consults this list.
acl Safe_ports port 993 # imaps (gmail)
acl Safe_ports port 995 # pop3s (gmail)
acl Safe_ports port 587 # smtp submission (gmail)
acl Safe_ports port 110 # pop3 (original comment said smtp)
acl Safe_ports port 25 # smtp (original comment said pop)
# 137/138 are NetBIOS name/datagram services (normally UDP); an HTTP proxy
# cannot relay them, so these entries only widen Safe_ports.
acl Safe_ports port 137 # netbios-ns
acl Safe_ports port 138 # netbios-dgm
acl purge method PURGE
acl CONNECT method CONNECT
# ---- Windows Update cache (disabled) ----
#refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern download.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern msgruser.dlservice.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern www.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
# First rule wins: this allow matches every request to a Safe_port from any
# client that can reach the listening address, so none of the network ACLs
# below restrict who may use the proxy (the "deny all_network" near the end
# of the file is also commented out).
http_access allow Safe_ports
http_access allow manager to_localhost
http_access deny manager
http_access allow purge to_localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Networks allowed to use the proxy (one src list file per subnet)
acl acl_ldmz src "/etc/squid3/acl/lan_dmz.acl"
acl acl_lsti src "/etc/squid3/acl/lan_sti.acl"
acl acl_ladm src "/etc/squid3/acl/lan_adm.acl"
acl acl_lsup src "/etc/squid3/acl/lan_sup.acl"
acl acl_lpro src "/etc/squid3/acl/lan_pro.acl"
acl
acl_lcon src "/etc/squid3/acl/lan_con.acl" acl acl_lwir src "/etc/squid3/acl/lan_wir.acl" # Definindo acl de filtragem para urls acl url_bloqueadas dstdomain "/etc/squid3/acl/url_bloqueadas.acl" acl url_liberadas dstdomain "/etc/squid3/acl/url_liberadas.acl" acl url_trabalho dstdomain "/etc/squid3/acl/url_trabalho.acl" # Definindo bloqueio de palavras acl palavras_bloqueadas dstdom_regex -i "/etc/squid3/acl/palavras_bloqueadas.acl" acl extensoes_bloqueadas url_regex -i "/etc/squid3/acl/extensoes_bloqueadas.acl" # Definindo horario de acesso acl almoco time 12:05-13:25 acl url_libera_almoco dstdomain "/etc/squid3/acl/url_horario.acl" http_access allow almoco url_libera_almoco http_access allow url_trabalho !url_bloqueadas http_access allow url_liberadas !url_bloqueadas http_access deny palavras_bloqueadas http_access deny url_bloqueadas http_access deny extensoes_bloqueadas http_access allow !palavras_bloqueadas !url_bloqueadas http_access allow acl_ldmz http_access allow acl_lsti http_access allow acl_ladm http_access allow acl_lsup http_access allow acl_lpro http_access allow acl_lcon http_access allow acl_lwir # Parâmetros para controle de banda # IPs cadastrados para download 70k acl ip_download_70 src "/etc/squid3/acl/ip_download_70.acl" delay_pools 2 delay_class 1 2 delay_access 1 allow ip_download_70 delay_class 2 2 delay_access 2 allow acl_lsti delay_parameters 1 -1/-1 70000/70000 delay_parameters 2 -1/-1 32000/32000 #bloqueia acesso para demais redes #http_access deny all_network coredump_dir /var/spool/squid3 # Direcionando para página de saida # E-mail do administrador cache_mgr dlinux.ar...@gmail.com # Definindo localizacao de armazenamento dos LOGs de acesso cache_access_log /var/log/squid3/access.log error_directory /usr/share/squid3/errors/Portuguese -- -------------------------------------------------- °v° Flávio Alexandre dos Reis /( )\ dlinux.ar...@gmail.com ^ ^ LPIC-1 Linux user #481115 Ubuntu user #24388 Juiz de Fora - MG -- Mais sobre o Ubuntu 