Pessoal
Boa tarde !
Estou enfrentando um pequeno problema em minha estrutura.
Configurei o firewall e o proxy (squid3) na mesma máquina. Porém, quando
tento receber e-mail pelo Outlook ou mesmo pelo Thunderbird, não funciona.
Detalhes:
- o firewall está todo accept, não está bloqueando nada.
- se tirar o proxy funciona
Irei postar meu squid.conf e o meu firewall também, se alguém puder me dar
alguma dica.
Abraços a todos
# cat firewall
#!/bin/bash
# Firewall bring-up script. Prints a banner; the sections that follow define
# the variables, flush the existing rules, enable forwarding, load the
# netfilter modules and then install the NAT and ACCEPT rules.
printf '%s\n' "#################################################################"
printf '%s\n' "## Iniciando o IPTables... ##"
printf '%s\n' "#################################################################"
printf '\n'
#######################################################################
## Variáveis ##
#######################################################################
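echo "Criando variaveis ...";
echo
# --- Network interfaces ---------------------------------------------------
vIth_net='eth0'  # interface that receives the Embratel (upstream) link
vIth_adm='eth1'  # interface facing the internal network
vIth_dmz='eth2'  # interface facing the DMZ
# --- Binaries the script drives ------------------------------------------
vIptables='/sbin/iptables'  # path of the iptables executable
vModprobe='/sbin/modprobe'  # path of the modprobe executable
# --- Port lists ----------------------------------------------------------
# Ports associated with known trojans/worms (not referenced in the visible
# part of the script).
vPortWorms=31337,33270,1234,6711,16660,60001,12345,12346,1524,27665,27444,31335,6000,6001,6002
vPortasAltas=1024:65535  # unprivileged port range (not referenced in the visible part)
# --- Addresses on this host ----------------------------------------------
vIp_net='200.243.63.139'  # address on eth0 - the Embratel (public) IP
vIp_dmz='192.168.217.1'   # original comment: on eth1, from the DHCP server, gateway of the internal network
vIp_adm='192.168.217.33'  # original comment: on eth1, gateway of the DMZ network
# NOTE(review): both comments above name eth1 and their roles read as swapped
# against the variable names (vIp_dmz described as the internal gateway,
# vIp_adm as the DMZ gateway); confirm which address sits on which interface.
# In the original these comments were wrapped onto a second, uncommented line,
# so the continuation text ("servidor dhcp ...", "rede DMZ") was executed as a
# command when the script ran.
# --- Subnets (/27 slices of 192.168.217.0/24) ----------------------------
vLan_lfwl='192.168.217.0/27'    # firewall subnet
vLan_ldmz='192.168.217.32/27'   # DMZ subnet
vLan_lsti='192.168.217.64/27'   # IT subnet (Security and Information Technology)
vLan_ladm='192.168.217.96/27'   # administration subnet
vLan_lsup='192.168.217.128/27'  # support subnet
vLan_lpro='192.168.217.160/27'  # production subnet
vLan_lcon='192.168.217.192/27'  # guest subnet
vLan_lwir='192.168.217.224/27'  # wireless subnet
# --- Servers -------------------------------------------------------------
# NOTE(review): these addresses are in 192.168.200.0/24, outside every
# vLan_* subnet above — confirm they are reachable with the routing in place.
vIP_SMB='192.168.200.34'  # file server
vIP_WEB='192.168.200.35'  # web server
vIP_APL='192.168.200.36'  # application server
vIP_SDB='192.168.200.37'  # database server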
#######################################################################
## Limpa todas as regras ##
#######################################################################
# Announce the rule flush that follows.
printf '%s\n' "Limpando as regras ..."
printf '\n'
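#######################################
# Flush every rule, delete the user-defined chains and zero the counters in
# the filter and nat tables, so the rules installed below start from a
# clean slate.
# Globals:  vIptables (read)
# Returns:  status of the last iptables call
#######################################
fClearRules()
{
  # "-F" with no chain name flushes every chain of the table, so the
  # per-chain flushes the original repeated afterwards added nothing.
  "$vIptables" -F
  "$vIptables" -X
  "$vIptables" -Z
  "$vIptables" -t nat -F
  # Added so the nat table is cleared the same way as filter (only empty
  # user-defined chains are removed).
  "$vIptables" -t nat -X
  "$vIptables" -t nat -Z
  # NOTE(review): the mangle and raw tables are left untouched, as in the
  # original.
}
fClearRules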
#################################################################
## Habilita roteamento entre placas ##
#################################################################
# Announce that forwarding between the interfaces is about to be enabled.
printf '%s\n' "Habilita roteamento entre placas ..."
printf '\n'
#######################################
# Turn on IPv4 packet forwarding between the interfaces via procfs.
# Outputs:  none; the shell reports an error if the file is not writable
#######################################
fIpForward()
{
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}
fIpForward
#######################################################################
## Carrega os módulos ##
#######################################################################
# Announce the module loading that follows.
printf '%s\n' "Carregando modulos..."
printf '\n'
#######################################
# Load the netfilter modules the rule set relies on: NAT, connection
# tracking with its FTP/IRC helpers, the state and limit matches, and the
# REDIRECT/LOG/REJECT/MASQUERADE targets.
# Globals:  vModprobe (read)
# NOTE(review): these are the legacy ip_*/ipt_* module names; a newer kernel
# ships nf_conntrack/xt_* equivalents and modprobe will only report the old
# names as missing. The script does not stop on such a failure.
#######################################
fModprobe()
{
  local mod
  for mod in iptable_nat ip_conntrack_ftp ip_nat_ftp ip_conntrack \
             ip_conntrack_irc ip_nat_irc ipt_state ip_tables ipt_REDIRECT \
             ipt_LOG ipt_REJECT ipt_MASQUERADE ipt_limit; do
    $vModprobe "$mod"
  done
}
fModprobe
#######################################################################
## Cria Politica Padrão ##
#######################################################################
# Announce the default-policy setup that follows.
printf '%s\n' "Criando Politica Padrao ..."
printf '\n'
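#######################################
# Set the default policy of the three filter chains to ACCEPT and always
# accept loopback traffic.
# Globals:  vIptables (read)
# NOTE(review): with ACCEPT as the default policy, every "-j ACCEPT" rule
# appended later in the script has no filtering effect; the rule set only
# starts restricting traffic once INPUT/FORWARD default to DROP.
#######################################
fDefaultPolicy()
{
  local chain
  for chain in INPUT FORWARD OUTPUT; do
    "$vIptables" -P "$chain" ACCEPT
  done
  "$vIptables" -A INPUT -i lo -j ACCEPT
}
# The original defined the function as "fDefaulPolicy" but invoked
# "fDefaultPolicy", so the call failed with "command not found" and no
# policy was set; the misspelt name is kept as an alias for other callers.
fDefaulPolicy()
{
  fDefaultPolicy
}
fDefaultPolicy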
#######################################################################
## SNAT - Altera endereço e porta de origem ##
#######################################################################
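echo "Habilitando Internet ..."
echo
#######################################
# Source-NAT every internal subnet leaving through the upstream interface,
# rewriting the source address to the public IP.
# Globals:  vIptables, vIth_net, vIp_net, vLan_* (read)
# Outputs:  iptables -v echoes each rule as it is appended
#######################################
fSnat()
{
  local lan
  # Same order as the original rule list: firewall, DMZ, IT, adm, sup, pro,
  # guest, wireless.
  for lan in "$vLan_lfwl" "$vLan_ldmz" "$vLan_lsti" "$vLan_ladm" \
             "$vLan_lsup" "$vLan_lpro" "$vLan_lcon" "$vLan_lwir"; do
    # The option and its argument must stay on one line: in the original the
    # "--to" was followed by a line break, so iptables saw "--to" without a
    # value and the shell then tried to run the IP address as a command.
    "$vIptables" -v -t nat -A POSTROUTING -s "$lan" -o "$vIth_net" -j SNAT --to-source "$vIp_net"
  done
}
fSnat
echo "Estabilizando conexões ..."
echo
#######################################
# Accept packets that belong to, or are related to, a tracked connection, so
# replies to permitted outbound traffic are let through without per-port rules.
# Globals:  vIptables (read)
#######################################
fStatefulAccept()
{
  "$vIptables" -v -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$vIptables" -v -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
fStatefulAccept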
#######################################################################
## Politicas ACCEPT ##
#######################################################################
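#######################################
# Append one "FORWARD ACCEPT" rule per destination port for a source subnet.
# Globals:   vIptables (read)
# Arguments: $1 - source subnet, $2 - protocol (tcp or udp),
#            $3.. - destination ports (none is allowed: no rule is added)
# Outputs:   none (the "-v" the original passed on the adm rules only echoed
#            each rule and is omitted for uniformity with the other sections)
#######################################
fForwardAccept()
{
  local lan=$1 proto=$2 port
  shift 2
  for port in "$@"; do
    "$vIptables" -A FORWARD -p "$proto" -s "$lan" -d 0/0 --dport "$port" -j ACCEPT
  done
}
echo "Politicas ACCEPT - lfwl - Firewall ..."
# Web 80/8080/8081, DNS 53 (tcp and udp)
fForwardAccept "$vLan_lfwl" tcp 80 8080 8081 53
fForwardAccept "$vLan_lfwl" udp 53
# Traffic from the IT subnet addressed to the firewall subnet itself
"$vIptables" -A INPUT -s "$vLan_lsti" -d "$vLan_lfwl" -j ACCEPT
echo "Politicas ACCEPT - ldmz - DMZ ..."
# Web 80/8080/8081, DNS 53 (tcp and udp)
fForwardAccept "$vLan_ldmz" tcp 80 8080 8081 53
fForwardAccept "$vLan_ldmz" udp 53
# (The original had a line holding only "*" here. As a command, the shell
# expands it to the first entry of the current directory and executes that
# file with the script's privileges; it is dropped.)
echo "Politicas ACCEPT - ladm - Administração ..."
# Web 80/8080/8081, HTTPS 443, DNS 53 (tcp and udp), mail 25/110/587/993/995
fForwardAccept "$vLan_ladm" tcp 80 8080 8081 443 53
fForwardAccept "$vLan_ladm" udp 53
fForwardAccept "$vLan_ladm" tcp 25 110 587 993 995
# Mail-server replies matched on source port only, from any host.
# NOTE(review): the ESTABLISHED,RELATED rule appended earlier already accepts
# these replies, and a rule keyed solely on a source port accepts any traffic
# that merely uses that port; consider removing these five once the default
# policies are tightened. (The original's last line ended in a stray "*",
# which turned the target name into "ACCEPT*".)
for sport in 25 110 587 993 995; do
  "$vIptables" -A FORWARD -p tcp --sport "$sport" -j ACCEPT
done
# SAMBA file server 137 138 139 445. The multiport match's option is
# "--dports"; in the original the rule was wrapped onto two lines, leaving
# "--dport 137,..." on a line of its own. 137/138 are normally UDP NetBIOS
# ports — confirm the intended protocol.
"$vIptables" -A FORWARD -p tcp -s "$vLan_ladm" -d "$vIP_SMB" -m multiport --dports 137,138,139,445 -j ACCEPT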
**********************************************************************************************************************************************************************************************
# cat /etc/squid3/squid.conf
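# Squid3 configuration
# Listening address and port (bound to the internal-side address only)
http_port 192.168.217.1:3128
# Name the proxy reports about itself
visible_hostname firewall
icp_port 3130
hierarchy_stoplist cgi-bin ?
# Memory reserved for the in-memory cache
cache_mem 1024 MB
# Largest object kept in memory
maximum_object_size_in_memory 128 KB
# Largest object stored on disk
maximum_object_size 512 MB
# Smallest object worth caching
minimum_object_size 0 KB
# Disk-usage percentages at which Squid starts, then accelerates, evicting
# the oldest objects
cache_swap_low 90
cache_swap_high 95
# Disk cache under /var/spool/squid3 with 128 first-level and 256
# second-level directories. NOTE(review): the original comment said 512 MB
# while the directive sets 1024 MB — confirm which size is intended.
cache_dir ufs /var/spool/squid3 1024 128 256
# Cache refresh rules
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Let the cache finish downloading requests the client has aborted. (In the
# original this comment was wrapped, leaving the bare word "abortadas" on a
# line of its own, which Squid does not accept as a directive.)
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
# Start of the access policy
acl all_network src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
# Renamed from "SSl_ports": the http_access rule below refers to "SSL_ports",
# and Squid rejects a reference to an undefined ACL at startup.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 3389 # TsMicrosoft
acl Safe_ports port 993 # gmail
acl Safe_ports port 995 # gmail
acl Safe_ports port 587 # gmail
acl Safe_ports port 110 # smtp
acl Safe_ports port 25 # pop
acl Safe_ports port 137 # pop
acl Safe_ports port 138 # pop
# NOTE(review): the labels on 110/25 read as swapped (110 is POP3, 25 is
# SMTP) and 137/138 are NetBIOS ports, not POP. Labels only; no effect on
# behaviour.
acl purge method PURGE
acl CONNECT method CONNECT
# ---- Windows Update caching (disabled) ----
# One pattern per line. In the original each was wrapped so that the
# uncommented tail (e.g. "43200 reload-into-ims") was parsed as a directive.
#refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern download.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern msgruser.dlservice.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
#refresh_pattern www.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
# NOTE(review): http_access rules are evaluated top to bottom, first match
# wins. With "allow Safe_ports" as the first rule, any client able to reach
# 192.168.217.1:3128 is admitted for every safe port (1025-65535 included)
# before the per-subnet acl_l* rules further down are consulted, so those
# rules are effectively unreachable. The usual order is the deny rules
# (manager, purge, !Safe_ports, CONNECT !SSL_ports) first, then the
# source-network allows, then a final deny. Left as written so that the
# policy change is made deliberately.
http_access allow Safe_ports
http_access allow manager to_localhost
http_access deny manager
http_access allow purge to_localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Networks allowed to use the proxy (addresses/ranges listed in each file)
acl acl_ldmz src "/etc/squid3/acl/lan_dmz.acl"
acl acl_lsti src "/etc/squid3/acl/lan_sti.acl"
acl acl_ladm src "/etc/squid3/acl/lan_adm.acl"
acl acl_lsup src "/etc/squid3/acl/lan_sup.acl"
acl acl_lpro src "/etc/squid3/acl/lan_pro.acl"
acl acl_lcon src "/etc/squid3/acl/lan_con.acl"
acl acl_lwir src "/etc/squid3/acl/lan_wir.acl"
# URL filtering ACLs
acl url_bloqueadas dstdomain "/etc/squid3/acl/url_bloqueadas.acl"
acl url_liberadas dstdomain "/etc/squid3/acl/url_liberadas.acl"
acl url_trabalho dstdomain "/etc/squid3/acl/url_trabalho.acl"
# Keyword and file-extension blocking (each acl kept on a single line; the
# original wrapped the file path onto the next line)
acl palavras_bloqueadas dstdom_regex -i "/etc/squid3/acl/palavras_bloqueadas.acl"
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acl/extensoes_bloqueadas.acl"
# Time-based access (lunch break)
acl almoco time 12:05-13:25
acl url_libera_almoco dstdomain "/etc/squid3/acl/url_horario.acl"
http_access allow almoco url_libera_almoco
http_access allow url_trabalho !url_bloqueadas
http_access allow url_liberadas !url_bloqueadas
http_access deny palavras_bloqueadas
http_access deny url_bloqueadas
http_access deny extensoes_bloqueadas
# NOTE(review): this rule allows every request not on the two block lists
# regardless of its source, so the per-subnet allows below never match.
http_access allow !palavras_bloqueadas !url_bloqueadas
http_access allow acl_ldmz
http_access allow acl_lsti
http_access allow acl_ladm
http_access allow acl_lsup
http_access allow acl_lpro
http_access allow acl_lcon
http_access allow acl_lwir
# Bandwidth control
# Hosts limited to 70 kB/s downloads
acl ip_download_70 src "/etc/squid3/acl/ip_download_70.acl"
delay_pools 2
delay_class 1 2
delay_access 1 allow ip_download_70
delay_class 2 2
delay_access 2 allow acl_lsti
delay_parameters 1 -1/-1 70000/70000
delay_parameters 2 -1/-1 32000/32000
# Deny everything else (disabled). With this commented out, requests that
# match no rule get the opposite of the last http_access rule's action.
#http_access deny all_network
coredump_dir /var/spool/squid3
# Error page redirection
# Administrator e-mail
cache_mgr [email protected]
# Access log location
cache_access_log /var/log/squid3/access.log
error_directory /usr/share/squid3/errors/Portuguese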
--
--------------------------------------------------
°v° Flávio Alexandre dos Reis
/( )\ [email protected]
^ ^ LPIC-1
Linux user #481115
Ubuntu user #24388
Juiz de Fora - MG