Masters,
We put a firewall server (iptables + squid) into production. All machines browse fine, but after about 20 minutes browsing starts to get slow, to the point where nothing can be accessed any more. When we take the server out and put a router in its place, the internet works perfectly.
The machines are connected to a switch, to which the Linux box or the router is also connected.
Modem: D-Link 500B Generation 2
Router: D-Link DI-524
Linux: AMD Duron 1100 MHz with 256 MB of RAM and Realtek network cards.
Connection: ADSL Velox (it was CABLE before).
It used to work perfectly; I'm considering the possibility that the ISP change or the modem firmware is to blame.
The iptables script follows:
Code:
#!/bin/bash
# Master Firewall
#
################ Load Modules ##################
#
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_state
/sbin/modprobe ipt_tos
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_ttl
/sbin/modprobe ip_gre
#
################# Variables #########################
#
IPT='/sbin/iptables'     # iptables packet filter
IFEXT='eth2'             # Internet interface
IFLAN1='eth1'            # LAN1 interface
IPIFLAN1='192.168.0.1'   # LAN1 interface IP address
LAN1='192.168.0.0/24'    # LAN1 IP network address
#
################# Flush Chains #####################
#
$IPT -t filter -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -Z
#
############# Default Chain Policies ##########
#
# filter table
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# nat table
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
# mangle table
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
#---------------------------------#
# Enable TCP/IP filters in the kernel #
#---------------------------------#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
for i in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $i/accept_redirects
    echo 0 > $i/accept_source_route
    echo 1 > $i/log_martians
    echo 0 > $i/rp_filter
done
# Enable routing
echo "1" > /proc/sys/net/ipv4/ip_forward
#
##################### Filters for all chains ###################
#
# Against IP spoofing
$IPT -A INPUT -s $LAN1 -i $IFEXT -j DROP
$IPT -A FORWARD -s $LAN1 -i $IFEXT -j DROP
$IPT -A INPUT -s 127.0.0.0/8 -i $IFEXT -j DROP
$IPT -A FORWARD -s 127.0.0.0/8 -i $IFEXT -j DROP
$IPT -A INPUT -s 172.16.0.0/12 -i $IFEXT -j DROP
#$IPT -A INPUT -s 224.0.0.0/4 -i $IFEXT -j DROP
#$IPT -A INPUT -s 240.0.0.0/5 -i $IFEXT -j DROP
$IPT -t mangle -A PREROUTING -s $LAN1 -i $IFEXT -j DROP
# Against Ping of Death
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Block tracert
$IPT -A INPUT -p udp -i $IFEXT --dport 33435:33525 -j DROP
# Stateful Inspection
# Velox
# Note: this MSS clamp is bound to ppp0, while the external interface defined
# above is $IFEXT (eth2); it only matches if the PPPoE session terminates on this host.
iptables -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
$IPT -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#
##################### VPN Rules ##########################
#
# CHAIN INPUT
#
# OPENVPN
#UDP
$IPT -A INPUT -p udp --dport 5000 -j ACCEPT
# TCP
$IPT -A INPUT -p tcp --dport 5000 -j ACCEPT
$IPT -A INPUT -i tun+ -j ACCEPT
#
# OpenSSH
$IPT -A INPUT -p tcp --dport 4022 -j ACCEPT
# CHAIN FORWARD
#
# Allow LAN
$IPT -A FORWARD -i tun+ -j ACCEPT
$IPT -A FORWARD -o tun+ -j ACCEPT
#
#-----------------------------------------------------------------------------------------
#
##################### Filter Table Rules ##########################
#
# CHAIN INPUT
#
# External interface (Internet)
#-----------------------------
#
## TCP ports SSH/FTP/HTTP/MYSQL/POSTGRES
$IPT -A INPUT -i $IFEXT -p tcp -m multiport --dport 20,21,4022 -j ACCEPT
#$IPT -A INPUT -i $IFEXT -s 200.10.10.10 -p tcp -m multiport --dport 8000,3306,5432 -j ACCEPT
#
# Log INPUT and block
$IPT -A INPUT -i $IFEXT -p ! icmp -m state --state NEW,INVALID -j LOG --log-level 6 --log-prefix "INPUT: NEGADO-IFEXT"
$IPT -A INPUT -i $IFEXT -p ! icmp -m state --state NEW,INVALID -j DROP
#
# Internal interface (LAN)
#-----------------------------
#
# Allow services on loopback
$IPT -A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
# Allow the AD server
$IPT -A INPUT -s 192.168.0.100 -i $IFLAN1 -d $IPIFLAN1 -j ACCEPT
# TCP/UDP ports (DNS)
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p udp --dport 53 -d $IPIFLAN1 -j ACCEPT
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p udp --sport 53 -d $IPIFLAN1 -j ACCEPT
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp --dport 53 -d $IPIFLAN1 -j ACCEPT
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp --sport 53 -d $IPIFLAN1 -j ACCEPT
# TCP ports (SQUID,SSH,FTP,SAMBA,HTTP,POSTGRESQL)
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p tcp -m multiport --dport 3128,2022,20,21,8080,443,80 -d $IPIFLAN1 -j ACCEPT
#$IPT -A INPUT -s 192.168.10.0/24 -i $IFLAN1 -p tcp -m multiport --dport 3128,2124,8080 -d $IPIFLAN1 -j ACCEPT
# UDP ports (SAMBA,POSTGRESQL)
$IPT -A INPUT -s $LAN1 -i $IFLAN1 -p udp -m multiport --dport 5432 -d $IPIFLAN1 -j ACCEPT
#
# Log INPUT and block
$IPT -A INPUT -i $IFLAN1 -p ! icmp -d $IPIFLAN1 -m state --state NEW,INVALID -j LOG --log-level 6 --log-prefix "[NEGADO-INPUT-IFLAN1]:"
$IPT -A INPUT -i $IFLAN1 -p ! icmp -d $IPIFLAN1 -m state --state NEW,INVALID -j DROP
# Protection against SynFlood & port scanners
#-----------------------------------------
#
# SynFlood
$IPT -A INPUT -p tcp --syn -m limit --limit 2/s -j ACCEPT
$IPT -A INPUT -p udp -m limit --limit 2/s -j ACCEPT
# Port scanners
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,SYN -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 15/m -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 15/m -j ACCEPT
#--------------------------------------------------------------------------------------------------
#
# CHAIN FORWARD
#
# AD server - allowed
$IPT -A FORWARD -s 192.168.0.100 -i $IFLAN1 -o $IFEXT -j ACCEPT
# Blocking P2P services
# Blocking NAPSTER
$IPT -A FORWARD -d 64.124.41.0/24 -j DROP
# Blocking IMESH
$IPT -A FORWARD -d 216.35.208.0/24 -j DROP
# Blocking Bearshare
$IPT -A FORWARD -p tcp --dport 6346 -j DROP
# Blocking WinMX
$IPT -A FORWARD -d 209.61.186.0/24 -j DROP
$IPT -A FORWARD -d 64.49.201.0/24 -j DROP
# Blocking Napigator
$IPT -A FORWARD -d 209.25.178.0/24 -j DROP
# Blocking Morpheus
$IPT -A FORWARD -d 206.142.53.0/24 -j DROP
$IPT -A FORWARD -p tcp --dport 1214 -j DROP
# Blocking KaZaa
$IPT -A FORWARD -d 213.248.112.0/24 -j DROP
$IPT -A FORWARD -p tcp --dport 1214 -j DROP
# Blocking Limewire
$IPT -A FORWARD -p tcp --dport 6346 -j DROP
# Blocking Audiogalaxy
$IPT -A FORWARD -d 64.245.58.0/23 -j DROP
# Blocking ICQ
$IPT -A FORWARD -p tcp --dport 5190 -j DROP
$IPT -A FORWARD -d login.icq.com -j DROP
# Blocking Yahoo Messenger
$IPT -A FORWARD -d scsa.yahoo.com -j DROP
# Blocking AIM
$IPT -A FORWARD -p tcp --dport 5190 -j DROP
$IPT -A FORWARD -d login.oscar.aol.com -j DROP
$IPT -A FORWARD -p tcp --dport 6667 -j DROP
$IPT -A FORWARD -p tcp --dport 6668 -j DROP
# MSN Messenger
$IPT -A FORWARD -d gateway.messenger.hotmail.com -j ACCEPT
$IPT -A FORWARD -d 64.4.13.0/24 -j ACCEPT
$IPT -A FORWARD -p tcp --dport 1863 -j ACCEPT
# Orkut
$IPT -A FORWARD -d www.orkut.com -j DROP
$IPT -A FORWARD -d orkut.com -j DROP
# Protect NAT
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
#
# Allow LAN FORWARD (ADMINISTRATIVE)
#-------------------------------------
#
# Allow machine - AD server
$IPT -A FORWARD -s 192.168.0.100 -i $IFLAN1 -o $IFEXT -j ACCEPT
# UDP ports (DNS)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -p udp -m multiport --dport 53 -j ACCEPT
#
# TCP ports (FTP,SMTP,AUTH,POP3,HTTP,HTTPS, DansGuardian)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -o $IFEXT -p tcp -m multiport --dport 20,21,25,110,993,25,113,995,587,80,443,8080 -j ACCEPT
#
# GOVERNMENT SOFTWARE
#---------------------
#
# CONECTIVIDADE SOCIAL
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 2631 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 8301 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -d 200.201.174.0/24 -j ACCEPT
# RECEITANET
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 3456 -j ACCEPT
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 8800 -j ACCEPT
# CEF
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 2004 -j ACCEPT
# Rais (PROGRAM)
#$IPT -A FORWARD -s 192.168.0.59 -i $IFLAN1 -p tcp --dport 3007 -j ACCEPT
# High ports
#$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p tcp --dport 1024: -j ACCEPT
# Log FORWARD and block (LAN)
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p ! icmp -m state --state NEW,INVALID -j LOG --log-level 6 --log-prefix "FORWARD: NEGADO-IFLAN1"
$IPT -A FORWARD -s $LAN1 -i $IFLAN1 -p ! icmp -m state --state NEW,INVALID -j DROP
#
# Protection against Synflood & port scanners
#-----------------------------------------
#
# Synflood
$IPT -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
$IPT -A FORWARD -p udp -m limit --limit 2/s -j ACCEPT
# Port scanners
$IPT -A FORWARD -p tcp -m limit --limit 15/m -j ACCEPT
$IPT -A FORWARD -p udp -m limit --limit 1/s -j ACCEPT
#--------------------------------------------------------------------------------------------------
#
######################## NAT Table Rules ###########################
#
# CHAIN POSTROUTING
#
# Allow the AD server
$IPT -t nat -A POSTROUTING -s 192.168.0.100 -o $IFEXT -j MASQUERADE
# ALLOW ADDRESSES FOR GOVERNMENT SOFTWARE (Conectividade Social)
$IPT -t nat -A POSTROUTING -s $LAN1 -d cmt.caixa.gov.br -o $IFEXT -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN1 -d 200.201.174.0/24 -o $IFEXT -j MASQUERADE
# Log POSTROUTING port 80 and block (LAN)
#$IPT -t nat -A POSTROUTING -s $LAN1 -o $IFEXT -p tcp --dport 80 -j LOG --log-prefix "POSTROUTING: HTTP-NEGADO"
#$IPT -t nat -A POSTROUTING -s $LAN1 -o $IFEXT -p tcp --dport 80 -j DROP
# Enable SNAT
# SNAT LAN1
$IPT -t nat -A POSTROUTING -s $LAN1 -o $IFEXT -j MASQUERADE
# Allow everyone access through the VPN
#iptables -t nat -s 172.16.10.0/24 -A POSTROUTING -o eth1 -j MASQUERADE
#
# CHAIN PREROUTING
#
# Allow Conectividade Social
$IPT -t nat -A PREROUTING -s $LAN1 -i $IFLAN1 -d 200.201.174.0/24 -p tcp --dport 80 -j RETURN
# Transparent proxy with Squid
$IPT -t nat -A PREROUTING -s $LAN1 -i $IFLAN1 -p tcp --dport 80 -j REDIRECT --to-port 8080
#
# REDIRECTS
# VNC
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 5900 -j DNAT --to 192.168.0.100:5900
# REMOTE DESKTOP - AD server
$IPT -t nat -A PREROUTING -s 0/0 -i $IFEXT -p tcp --dport 3389 -j DNAT --to 192.168.0.100
#
######################## Mangle Table Rules #########################
#
# CHAIN OUTPUT
#
# Minimum delay for Internet services (Minimize-Delay)
$IPT -t mangle -A OUTPUT -o $IFEXT -p tcp --dport 21 -j TOS --set-tos 0x10
$IPT -t mangle -A OUTPUT -o $IFEXT -p tcp --dport 80 -j TOS --set-tos 0x10
$IPT -t mangle -A OUTPUT -o $IFEXT -p udp --dport 53 -j TOS --set-tos 0x10
# Maximum throughput
$IPT -t mangle -A OUTPUT -o $IFEXT -p tcp --dport 20:21 -j TOS --set-tos 0x8
#------------------------------------------------------------------------
# END
squid.conf:
Code:
http_port 3128 transparent
visible_hostname natalcor
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 80
cache_swap_high 95
cache_dir ufs /var/spool/squid 8192 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.0.0/24
http_access allow localhost
http_access allow redelocal
http_access deny all
"If I have seen further, it is by standing on the shoulders of giants"
Folks... giving some feedback. We applied the MTU size rule and it seems to be working fine. It looks like that was the problem.
[ ]'s
"If I have seen further, it is by standing on the shoulders of giants"
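The "MTU size rule" the feedback refers to is the TCPMSS clamp in the script above. The following shell functions are an added example (not the poster's code): they compute the MSS for a given link MTU, emit the clamp rule for a named interface, and check that a rule actually names the interface the traffic leaves on. They assume a PPPoE link (MTU 1492) and use the IFEXT name from the script, where the posted clamp is bound to ppp0 while everything else uses eth2.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a PPPoE link (MTU 1492)
# and an external interface named as in the poster's script (IFEXT='eth2').

# TCP MSS for a link MTU: subtract the 20-byte IPv4 header and the 20-byte
# TCP header. PPPoE: 1492 - 40 = 1452; plain Ethernet: 1500 - 40 = 1460.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Build the clamp rule for outbound SYNs on the given interface. A fixed
# --set-mss is predictable when the link MTU is known; --clamp-mss-to-pmtu
# (as in the poster's rule) derives the value from the route MTU instead.
clamp_rule() {
    printf '%s -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss %s\n' \
        "${IPT:-/sbin/iptables}" "$1" "$(mss_for_mtu "$2")"
}

# Sanity check: does the rule name the interface the traffic really leaves on?
# The posted script clamps on ppp0 although its external interface is eth2,
# so that rule never matches unless the PPPoE session terminates on the box.
rule_matches_iface() {
    case " $1 " in
        *" -o $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dry run: print the rule instead of applying it.
IFEXT='eth2'
clamp_rule "$IFEXT" 1492
```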