Re: [Fedora-users-br] firewall naõ deixa enviar e-mails
Felipe Tocchetto
felipe em tocchetto.com
Seg Nov 27 18:25:14 UTC 2006
nao entendi como isto pode estar sendo bloqueado, pelo que vi está
usando gmail e yahoo, que relação tem eles com serviços hospedados em
sua rede?
Explique melhor o problema, para que possamos te ajudar.
Em 27/11/06, Rafael Gomes<rafael em gnufacs.org> escreveu:
> Tem que ver qual porta seu e-mail está usando.
>
> E outra coisa,
>
> /usr/sbin/iptables pode ser usado em uma variavel... dai ajuda muito
> depois...
>
> 2006/11/27, Bruno Contin < brunorodeiro em gmail.com>:
> >
> >
> > Olá comunidade, eu estou com um problema, implementei um firewall com
> proxy ( squid ) no Fedora, a net está ok, o proxy também, só que não consigo
> receber e-mails e nem enviar, e as portas no firewall estão abertas para
> isso.
> > esse é o meu firewall, se alguém puder me ajudar, eu agradeço... Vamos
> criar uma lista de pessoas que queiram conversar via Google Talk para tirar
> dúvidas? o meu é brunorodeiro em gmail.com
> > abraços...
> > obs: troquei de-mail pois no yahoo não estava recebendo. agora estou com
> brunorodeiro em gmail.com
> > obs: se eu colocar também uma regra no firewall para excluir determinado
> ip do proxy, os e-mails funcionam normalmente...
> >
> > #!/bin/bash
> >
> > stop ()
> > {
> > echo "0" > /proc/sys/net/ipv4/ip_forward
> > iptables -F
> > iptables -X
> > }
> >
> > start ()
> > {
> >
> > ############################# Limpar as regras primeiro
> > /usr/sbin/iptables -F
> > /usr/sbin/iptables -t nat -F
> > /usr/sbin/iptables -F -t mangle
> > /usr/sbin/iptables -X -t mangle
> >
> >
> > ############################# Insere os modulos kernel
> > /sbin/modprobe iptable_nat
> > /sbin/modprobe iptable_mangle
> > /sbin/modprobe ipt_conntrack
> > /sbin/modprobe ip_conntrack_ftp
> > /sbin/modprobe ip_nat_ftp
> > /sbin/modprobe ipt_multiport
> > /sbin/modprobe ipt_LOG
> > /sbin/modprobe ipt_mark
> > /sbin/modprobe ipt_MARK
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > echo "0" > /proc/sys/net/ipv4/tcp_ecn
> >
> > ###########################################
> > #/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > /usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> >
> > ########### LOGS ######################
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j LOG
> --log-prefix "LOG ICQ: "
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j LOG
> --log-prefix "LOG MSN: "
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j LOG
> --log-prefix "Serviço SSH: "
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j LOG
> --log-prefix "Serviço FTP: "
> >
> > #####################################
> > # PROTECAO EXTRA
> > #####################################
> >
> > ############## Brute Force ############
> > /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name
> sshattack --set
> > /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name
> sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH
> REJECT: '
> > /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name
> sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with
> tcp-reset
> > /usr/sbin/iptables -A FORWARD -p tcp --syn --dport 22 -m recent --name
> sshattack --set
> > /usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name
> sshattack --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH
> REJECT: '
> > /usr/sbin/iptables -A FORWARD -p tcp --dport 22 --syn -m recent --name
> sshattack --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with
> tcp-reset
> >
> > ############# Proteção contra trojans ################
> > /usr/sbin/iptables -N TROJAN
> > /usr/sbin/iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6
> --log-prefix "FIREWALL: trojan: "
> > /usr/sbin/iptables -A TROJAN -j DROP
> > /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
> > /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 666 -j TROJAN
> > /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 4000 -j TROJAN
> > /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6000 -j TROJAN
> > /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 6006 -j TROJAN
> > /usr/sbin/iptables -A INPUT -p TCP -i eth0 --dport 16660 -j TROJAN
> >
> > ############## Proteção contra worms #################
> > /usr/sbin/iptables -A FORWARD -p tcp --dport 135 -i eth0 -j REJECT
> >
> > ############## SYN-flood ############
> > /usr/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> >
> > ############## ping da morte ########
> > /usr/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit
> --limit 1/s -j ACCEPT
> >
> > ########### Port Scanners ###########
> > /usr/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m
> limit --limit 1/s -j DROP
> >
> > ########## IP Spoofing ##############
> > /usr/sbin/iptables -N syn-flood
> > /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
> > /usr/sbin/iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
> > /usr/sbin/iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j DROP
> > /usr/sbin/iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
> >
> > ######## anomalias de pacotes #######
> > /usr/sbin/iptables -A FORWARD -m unclean -j DROP
> >
> > ################### CEF ########################
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.174.0/16 -j
> ACCEPT
> > /usr/sbin/iptables -A FORWARD -p tcp -d 200.201.174.0/16 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.201.166.0/16 -j
> ACCEPT
> > /usr/sbin/iptables -A FORWARD -p tcp -d 200.201.166.0/16 -j ACCEPT
> >
> > ############################# Redirecionar 80, 3128 -> 3128
> >
> > #/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j DNAT
> --to-destination 192.168.0.1:3128
> > #/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -s
> 192.168.0.0/24 -j DNAT --to-destination 192.168.0.1:3128
> > iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport -s
> 192.168.0.0/24 --dport 80,443,563 -j REDIRECT --to-port 3128
> >
> > ############################# Aceitar lista de portas padrao
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 23 -j ACCEPT -s
> 192.168.0.145
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT -s
> 192.168.0.0/24
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j ACCEPT -s
> 192.168.0.0/24
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 110 -j ACCEPT -s
> 192.168.0.0/24
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 443 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 465 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 500 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 587 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 995 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3306 -j ACCEPT -s
> 192.168.0.0/24
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 2100 -j ACCEPT -s
> 192.168.0.0/24
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j ACCEPT -s
> 192.168.0.0/24
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5017 -j ACCEPT -s
> 192.168.0.0/24
> >
> > ########## ICQ ################
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5190 -j ACCEPT -s
> 192.168.0.50
> >
> > ########### MSN #######################
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1863 -j ACCEPT -s
> 192.168.0.128
> >
> >
> > ######################################
> > # Filtros de portas udp
> > ######################################
> > /usr/sbin/iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
> > /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
> >
> >
> > ########### Apos feitas as regras rejeitar todos os outros pacotes
> > /usr/sbin/iptables -t nat -p tcp -A PREROUTING -j DROP
> > /usr/sbin/iptables -t nat -p udp -A PREROUTING -j DROP
> >
> > }
> >
> > case $1 in
> > start)
> > echo -n Starting Firewall...
> > add_rules
> > echo "Done"
> > ;;
> > stop)
> > echo -n Stoping Firewall...
> > flush_rules
> > echo "Done"
> > ;;
> > restart)
> > echo -n Restarting Firewall...
> > flush_rules
> > add_rules
> > echo "Done"
> > ;;
> > status)
> > echo "============================ Firewall rules:"
> > iptables -L -n
> > echo "============================ Masquerade tables:"
> > iptables -t nat -L -n
> > echo "============================ Mangle table:"
> > iptables -t mangle -L -n
> > ;;
> > *)
> > echo Usar: "$0 { status | start | stop | restart }"
> > ;;
> > esac
> > --
> > Fedora-users-br mailing list
> > Fedora-users-br em redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-users-br
> >
> >
> >
>
>
>
> --
> Rafael Brito Gomes
> Sistema de Informação
> Universidade de Salvador (UNIFACS)
>
> Linux User - 430086
>
> O Tabareu - A Arte em sua forma mais Pura!
> http://tabareu.wordpress.com/
>
> Blog do Sinot
> http://sinot.wordpress.com/
> --
> Fedora-users-br mailing list
> Fedora-users-br em redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-users-br
>
>
>
--
Felipe L. Tocchetto
http://felipe.tocchetto.com
Mais detalhes sobre a lista de discussão Fedora-users-br