SOFTNEX
ssh root@200.175.61.62 --> firewall
Geferson and Volvei 9919-1542
Luiz and Andrei
http://labsoftnex.com.br:8989/teste/ http://labsoftnex.com.br:8989/homologacao/plenocard/
ssh root@200.175.61.62
Before:
[lan]/# nmap 192.168.100.11 -p80
Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-15 14:49 Universal
Nmap scan report for homologacao.dmz.softnex (192.168.100.11)
Host is up (0.00049s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:16:36:0A:F4:6D (Quanta Computer)
After:
[lan]/# nmap 192.168.100.11 -p80
Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-15 14:26 Universal
Nmap scan report for homologacao.dmz.softnex (192.168.100.11)
Host is up (0.00043s latency).
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 00:16:36:0A:F4:6D (Quanta Computer)
Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds
BrazilFW and port forwarding
Problem: the LAN network cannot reach the DMZ on port 80.
Cause: the external port forward in /etc/brazilfw/ports/forward.cfg = yes all all 8989 192.168.100.11 80
* BrazilFW creates new chains to filter port 80 and blocks the internal forward.
Solution: remove the forwarding rule from BrazilFW and create the forward in iptables.
Complete /etc/brazilfw/ports/forward.cfg file:
#<active> <alias> <protocol> <port> <ip-destination> [port]
#active: yes/no
#protocol: tcp/udp/all
#alias: all/name of logical connection
# Rules for external access to Jabber
no internet all 5222 192.168.2.6 5222
no internet all 5223 192.168.2.6 5223
no internet all 5269 192.168.2.6 5269
#cameras
yes internet all 8885 192.168.2.188 85
yes internet all 8886 192.168.2.189 85
yes internet all 8887 192.168.2.190 85
# LUPA ACCESS TO XEN DMZ
yes internet all 22100 192.168.100.2 22
#port Y 192.168.2.8 tcp 9000 9000 dns #Getnet capture
#port Y 192.168.2.8 tcp 8989 80 dns #Access to the Development server
### LYRA TMP
yes internet all 9001 192.168.2.91 9001 #
yes internet all 9002 192.168.2.91 9002 #
yes internet all 10001 192.168.2.91 10001
### LYRA IPSEC CONF
#auto Y tcp 500 192.168.2.8 dns
#yes internet all 500 192.168.2.8 500
yes internet all 4500 192.168.2.8 4500
yes internet all 50 192.168.2.8 50
yes internet all 8080 192.168.100.11 8080
### DNS
yes all all 53 192.168.100.13 53 # labsoftnex
### Andrey
yes all all 9000 192.168.2.8 9000 #andrey - server
### Staging (homologacao) DMZ access
#yes all all 8989 192.168.100.11 80
Complete IPTABLES file:
### INTERNAL / EXTERNAL FORWARDING
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.100.10:80
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80   # the line below does the same thing
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8989 -j DNAT --to 192.168.100.11:80
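Added check, not from the original page or from BrazilFW: a POSIX shell script that reads iptables-save output and verifies the two conditions behind the problem above, that the 8989 -> 192.168.100.11:80 DNAT is present in nat/PREROUTING and that no filter/FORWARD rule drops or rejects tcp/80 towards the DMZ host. The rule dump embedded in the script is a constructed sample, not a dump taken from the SOFTNEX firewall.

```shell
#!/bin/sh
# Added check, not from the original page: read iptables-save output and verify
# that the 8989 -> 192.168.100.11:80 DNAT exists and that no FORWARD rule drops
# tcp/80 to the DMZ host (the LAN-cannot-reach-DMZ symptom described above).
# SAMPLE_RULES is a constructed sample; on the firewall pass "$(iptables-save)".
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.100.10:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.100.11/32 -p tcp -m tcp --dport 80 -j DROP
COMMIT'
# dnat_present RULES EXTPORT DMZ_IP DMZ_PORT: 0 if nat/PREROUTING DNATs EXTPORT to DMZ_IP:DMZ_PORT
dnat_present() {
    printf '%s\n' "$1" | awk -v p="$2" -v dst="$3:$4" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
            port_ok = 0; dst_ok = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" && $(i+1) == p) port_ok = 1
                if ($i == "--to-destination" && $(i+1) == dst) dst_ok = 1
            }
            if (port_ok && dst_ok) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}
# forward_blocks RULES DMZ_IP PORT: 0 if a filter/FORWARD rule DROPs or REJECTs tcp PORT to DMZ_IP
forward_blocks() {
    printf '%s\n' "$1" | awk -v ip="$2" -v p="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" && /-j (DROP|REJECT)/ {
            d_ok = 0; p_ok = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-d" && ($(i+1) == ip || $(i+1) == (ip "/32"))) d_ok = 1
                if ($i == "--dport" && $(i+1) == p) p_ok = 1
            }
            if (d_ok && p_ok) blocked = 1
        }
        END { if (blocked) exit 0; exit 1 }'
}
# check_dmz_forward RULES: print findings; returns 1 when either condition fails
check_dmz_forward() {
    status=0
    dnat_present "$1" 8989 192.168.100.11 80 || { echo "MISSING: DNAT 8989 -> 192.168.100.11:80"; status=1; }
    forward_blocks "$1" 192.168.100.11 80 && { echo "PROBLEM: FORWARD drops tcp/80 to 192.168.100.11"; status=1; }
    return $status
}
check_dmz_forward "$SAMPLE_RULES" || echo "check failed (expected for this constructed sample)"
```

Run it after reloading the rules: a clean result means the DNAT is in place and nothing in FORWARD filters the DMZ web port the way the BrazilFW-generated chains did.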
COMPLETE SOFTNEX IPTABLES
### INTERNAL / EXTERNAL FORWARDING
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.100.10:80
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8989 -j DNAT --to 192.168.100.11:80
#iptables -t nat -A PREROUTING -i eth0 -d 200.175.61.62 -p tcp -m tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80
#iptables -t nat -A PREROUTING -i eth2 -d 200.175.61.62 -p tcp -m tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80
#iptables -t nat -A OUTPUT -d 200.175.61.62 -p tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80
#iptables -t nat -A PREROUTING -i eth0 -d 200.175.61.62 -p tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80
#iptables -t nat -A PREROUTING -i eth1 -d 200.175.61.62 -p tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80
#iptables -t nat -A PREROUTING -i eth2 -d 200.175.61.62 -p tcp --dport 8989 -j DNAT --to-destination 192.168.100.11:80
# ALLOW MSN
#iptables -t mangle -A POSTROUTING -s 192.168.2.249 -d 0/0 -m layer7 --l7proto msnmessenger -j ACCEPT
#iptables -t mangle -A POSTROUTING -s 0/0 -d 192.168.2.249 -m layer7 --l7proto msnmessenger -j ACCEPT
iptables -t mangle -A POSTROUTING -s 192.168.2.59 -d 0/0 -m layer7 --l7proto msnmessenger -j ACCEPT
iptables -t mangle -A POSTROUTING -s 0/0 -d 192.168.2.59 -m layer7 --l7proto msnmessenger -j ACCEPT
iptables -t mangle -A POSTROUTING -s 192.168.2.32 -d 0/0 -m layer7 --l7proto msnmessenger -j ACCEPT
iptables -t mangle -A POSTROUTING -s 0/0 -d 192.168.2.32 -m layer7 --l7proto msnmessenger -j ACCEPT
# BLOCK MSN FOR THE REST OF THE NETWORK
iptables -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
# Speed UP DNS
#iptables -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos 0x08
#iptables -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos 0x10
# Speed UP HTTP
iptables -t mangle -A OUTPUT -p tcp --sport 80 -j TOS --set-tos 0x08
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos 0x08
## https blocked (port 443)
## (hostname destinations are resolved to addresses once, when the rule is loaded)
iptables -A FORWARD -d iy-in-f85.google.com -p tcp --dport 443 -j DROP #orkut
iptables -A INPUT -d vw-in-f85.google.com -p tcp --dport 443 -j DROP #orkut
iptables -A FORWARD -d imo.im -p tcp --dport 443 -j DROP
iptables -A INPUT -d imo.im -p tcp --dport 443 -j DROP
iptables -A FORWARD -d 207.44.237.165 -p tcp --dport 443 -j DROP #proxify
iptables -A INPUT -d 207.44.237.165 -p tcp --dport 443 -j DROP #proxify
iptables -A FORWARD -d meebo.com -p tcp --dport 443 -j DROP
iptables -A INPUT -d meebo.com -p tcp --dport 443 -j DROP
## google talk
iptables -A FORWARD -d talk.google.com -p tcp --dport 443 -j DROP
iptables -A FORWARD -d talkx.l.google.com -p tcp --dport 443 -j DROP
iptables -A FORWARD -d talk.l.google.com -p tcp --dport 443 -j DROP
iptables -A FORWARD -d chatenabled.mail.google.com -p tcp --dport 443 -j DROP
## https blocked (port 563)
iptables -A FORWARD -d iy-in-f85.google.com -p tcp --dport 563 -j DROP #orkut
iptables -A INPUT -d vw-in-f85.google.com -p tcp --dport 563 -j DROP #orkut
iptables -A FORWARD -d imo.im -p tcp --dport 563 -j DROP
iptables -A INPUT -d imo.im -p tcp --dport 563 -j DROP
iptables -A FORWARD -d 207.44.237.165 -p tcp --dport 563 -j DROP #proxify
iptables -A INPUT -d 207.44.237.165 -p tcp --dport 563 -j DROP #proxify
iptables -A FORWARD -d meebo.com -p tcp --dport 563 -j DROP
iptables -A INPUT -d meebo.com -p tcp --dport 563 -j DROP
## BLOCK GTALK
iptables -A INPUT -m layer7 --l7proto gtalk -j DROP
iptables -A INPUT -m layer7 --l7proto gtalk -j DROP
### Internal forward to the STAGING (homologacao) server, port 80
#iptables -t nat -I PREROUTING -d labsoftnex.com.br -p tcp --dport 80 -j DNAT --to 192.168.100.11:80
### OpenVPN
openvpn /etc/brazilfw/openvpn/server-01.config
openvpn /etc/brazilfw/openvpn/server-02.config
openvpn /etc/brazilfw/openvpn/server-03.config
openvpn /etc/brazilfw/openvpn/server-04.config
openvpn /etc/brazilfw/openvpn/server-05.config
openvpn /etc/brazilfw/openvpn/server-06.config
### Staging (homologacao)
openvpn /etc/brazilfw/openvpn/server-100.0.config
openvpn /etc/brazilfw/openvpn/server-100.1.config
### ADM
cp /partition/meu_profile /root/.profile
[lan]/# ifconfig
eth0 Link encap:Ethernet HWaddr 00:E0:52:BD:C6:C1
inet addr:192.168.3.2 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1908204 errors:0 dropped:0 overruns:0 frame:0
TX packets:1336533 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2443218100 (2.2 GiB) TX bytes:205162257 (195.6 MiB)
Interrupt:16
eth1 Link encap:Ethernet HWaddr 00:E0:4C:4D:C6:4E
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1346919 errors:0 dropped:0 overruns:0 frame:0
TX packets:2143376 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:134285112 (128.0 MiB) TX bytes:2553736747 (2.3 GiB)
Interrupt:17 Base address:0x4000
eth2 Link encap:Ethernet HWaddr 00:E0:7D:AC:A4:EA
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:114756 errors:0 dropped:0 overruns:0 frame:0
TX packets:79037 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:25622144 (24.4 MiB) TX bytes:21018681 (20.0 MiB)
Interrupt:18 Base address:0x8000
ifb0 Link encap:Ethernet HWaddr 9E:34:43:91:05:F5
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2576238 errors:0 dropped:0 overruns:0 frame:0
TX packets:2576238 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2463245498 (2.2 GiB) TX bytes:2463245498 (2.2 GiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.9.0.1 P-t-P:10.9.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.0.1 P-t-P:10.10.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.11.0.1 P-t-P:10.11.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun4 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.12.0.1 P-t-P:10.12.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun5 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.13.0.1 P-t-P:10.13.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun6 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.14.0.1 P-t-P:10.14.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun7 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.15.0.1 P-t-P:10.15.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@xen-server2:~# ifconfig
eth1 Link encap:Ethernet Endereço de HW 48:5b:39:f9:1b:7f
inet end.: 192.168.2.30 Bcast:192.168.2.255 Masc:255.255.255.0
endereço inet6: fe80::4a5b:39ff:fef9:1b7f/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:6089196 errors:0 dropped:0 overruns:0 frame:0
TX packets:5165652 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:2728866222 (2.5 GiB) TX bytes:2901362820 (2.7 GiB)
IRQ:21 Endereço de E/S:0x8000
lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACKRUNNING MTU:16436 Métrica:1
RX packets:12377 errors:0 dropped:0 overruns:0 frame:0
TX packets:12377 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:0
RX bytes:665498 (649.9 KiB) TX bytes:665498 (649.9 KiB)
tap0 Link encap:Ethernet Endereço de HW 00:ff:73:e3:92:0e
endereço inet6: fe80::2ff:73ff:fee3:920e/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:2815123 errors:0 dropped:0 overruns:0 frame:0
TX packets:3627857 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:500
RX bytes:2143328577 (1.9 GiB) TX bytes:2565246917 (2.3 GiB)
tap1 Link encap:Ethernet Endereço de HW 00:ff:3d:0b:94:40
endereço inet6: fe80::2ff:3dff:fe0b:9440/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:1118370 errors:0 dropped:0 overruns:0 frame:0
TX packets:1877967 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:500
RX bytes:432071850 (412.0 MiB) TX bytes:262055895 (249.9 MiB)
tap2 Link encap:Ethernet Endereço de HW 00:ff:65:d3:cc:58
endereço inet6: fe80::2ff:65ff:fed3:cc58/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:1312725 errors:0 dropped:0 overruns:0 frame:0
TX packets:2327607 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:500
RX bytes:647216579 (617.2 MiB) TX bytes:434813669 (414.6 MiB)
tap3 Link encap:Ethernet Endereço de HW 00:ff:ee:39:40:f8
endereço inet6: fe80::2ff:eeff:fe39:40f8/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:595771 errors:0 dropped:0 overruns:0 frame:0
TX packets:1586546 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:500
RX bytes:164778305 (157.1 MiB) TX bytes:337489011 (321.8 MiB)
vif1.0 Link encap:Ethernet Endereço de HW fe:ff:ff:ff:ff:ff
endereço inet6: fe80::fcff:ffff:feff:ffff/64 Escopo:Link
UP BROADCASTRUNNING PROMISC MULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:818931 overruns:0 carrier:0
colisões:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vif2.0 Link encap:Ethernet Endereço de HW fe:ff:ff:ff:ff:ff
endereço inet6: fe80::fcff:ffff:feff:ffff/64 Escopo:Link
UP BROADCASTRUNNING PROMISC MULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:818912 overruns:0 carrier:0
colisões:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vif3.0 Link encap:Ethernet Endereço de HW fe:ff:ff:ff:ff:ff
endereço inet6: fe80::fcff:ffff:feff:ffff/64 Escopo:Link
UP BROADCASTRUNNING PROMISC MULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:818903 overruns:0 carrier:0
colisões:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vif4.0 Link encap:Ethernet Endereço de HW fe:ff:ff:ff:ff:ff
endereço inet6: fe80::fcff:ffff:feff:ffff/64 Escopo:Link
UP BROADCASTRUNNING PROMISC MULTICAST MTU:1500 Métrica:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:818853 overruns:0 carrier:0
colisões:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
xenbr0 Link encap:Ethernet Endereço de HW 00:ff:3d:0b:94:40
inet end.: 192.168.2.29 Bcast:192.168.2.255 Masc:255.255.255.0
endereço inet6: fe80::4a5b:39ff:fef9:1b7f/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:798003 errors:0 dropped:0 overruns:0 frame:0
TX packets:175583 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:0
RX bytes:94003629 (89.6 MiB) TX bytes:29433982 (28.0 MiB)