[Ubuntu-BR] problem UBUNTU 7.04 + squid+samba+iptables+dns

Marcos Rogério Ferrara mrferrara at gmail.com
Thu Aug 2 11:03:52 UTC 2007


hey folks, I'm not much of an expert when the subject is
linux, but I decided to take on this battle, here at my company we need to
replace the server, so I embraced the cause.. ehehhehe
well, on this server run samba, squid, sarg, bind.... but.. who says
the client machines get email? I've already tried a ton of things.. several
tutorials.. I'm stuck.. I believe the problem is iptables.. but I can't
manage to solve it..
eth0 - fixed IP from Telefonica, no authentication needed
eth1 - 192.168.10.1 - LAN

samba (logging in by access groups) - ok
internal dns - configured via webmin, set on the clients' network cards - OK
squid - blocking urls, words, allowing the management's IP - OK

receiving email in outlook - NOTHING, ZERO, BUSTED ehhehe

I've already tried several tutorials from the friends here at VOL.. complicated, I can't
get out of this.. and so my server can't replace the other one....

not to mention that the server got a bit sluggish opening applications
after I kept messing with iptables....

well, let me explain better what's on this server..
samba is fine, logs in, does the division by groups...
[arquivos]
comment = Servidor de Arquivos
path = /arquivos/%g
browseable = yes
writable = yes
read only = no
guest ok = no
public = yes

squid... also fine.. with all the acls working and such.. blocking
urls, by words.. and such...

I configured dns through webmin.. using bind.. I believe it's
working too.. because with dig -x the route comes out..

dig -x 192.168.10.10
; <<>> DiG 9.3.4 <<>> -x 192.168.10.10
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45988
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;10.10.168.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
168.192.in-addr.arpa. 31302 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 2002040800 1800 900 604800 604800
;; Query time: 30 msec
;; SERVER: 200.111.0.11#53(200.111.0.11)
;; WHEN: Thu Jul 26 13:18:00 2007
;; MSG SIZE rcvd: 121

but I can't get the workstations to receive email through outlook...
incredible... I've already fiddled and re-fiddled with some 500 iptables rules... and nothing
in the nmap -A -T4 192.168.10.1 that my friend rodrigo.capelini passed along.. it came out
this way...
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-26 12:46 BRT
Interesting ports on 192.168.10.1:
Not shown: 1691 closed ports
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: ARCOIRIS)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: ARCOIRIS)
3128/tcp open squid-http?
10000/tcp open http Webmin httpd

I can make any change to iptables.. and nothing... it doesn't work..

one detail: I also can't ping from the workstations' command prompt....

if anyone can help me.. I'd be very grateful..

below I'm putting the confs... they're all together on the same
server..... if anyone can help me.....
but for now nothing...
Marcos

-------------------------------------------------------------------------------------------------------------------------
smb.conf
-------------------------------------------------------------------------------------------------------------------------
[global]
   workgroup = EMPRESA
   netbios name = servidor
   server string = Servidor (Samba, Ubuntu)
   security = user
   name resolve order = wins bcast hosts
   domain logons = yes
   preferred master = yes
   wins support = yes
   load printers = yes
   logon drive = X:
   browseable = yes
   log file = /var/log/samba.%m
   max log size = 50
   socket options = TCP_NODELAY
   interfaces = 192.168.10.1
   domain master = NO
   dns proxy = no
   read only = no

   add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$


#======================= Share Definitions =======================

[printers]
   comment = All Printers
   browseable = yes
   path = /var/spool/samba
   printable = yes
   public = no
   writable = yes
   read only = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[arcoiris]
   comment = Servidor de Arquivos
   path = /arquivos/%g
   browseable = yes
   writable = yes
   read only = no
   guest ok = no
   public = yes

[fotos]
   comment = Fotos
   path = /arquivos/fotos
   browseable = yes
   writable = yes
   read only = no
   guest ok = yes
   public = yes

[programas]
   comment = Servidor de Programas
   path = /arquivos/programas
   browseable = yes
   writable = yes
   read only = no
   guest ok = yes
   public = yes

-------------------------------------------------------------------------------------------------------------------------
iptables
-------------------------------------------------------------------------------------------------------------------------
echo " LIMPANDO AS REGRAS DO IPTABLES ------------------------ OK" &&
iptables -F INPUT &&
iptables -F OUTPUT &&
iptables -F FORWARD &&
echo " DEFININDO POLITICA DE REGRAS DO IPTABLES -------------- OK" &&
iptables -P INPUT DROP &&
iptables -P FORWARD ACCEPT &&
iptables -P OUTPUT ACCEPT &&
echo " LIBERANDO ACESSO AO SERVIDOR -------------------------- OK" &&
iptables -A INPUT -i lo -j ACCEPT &&
iptables -A INPUT -s 0/0 -p udp -m multiport --sport 53 -j ACCEPT &&
iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 22,25,80,110,443 -j ACCEPT &&
iptables -A INPUT -s 0/0 -p tcp -m multiport --dport 22,25,80,110,443 -j ACCEPT &&
iptables -A INPUT -s 0/0 -p tcp -m multiport --sport 53 -j ACCEPT &&
iptables -A INPUT -s 0/0 -p udp -m multiport --sport 22,25,80,110,443 -j ACCEPT &&
iptables -A INPUT -s 0/0 -p udp -m multiport --dport 22,25,80,110,443 -j ACCEPT &&
echo " LIBERANDO ACESSO A REDE LOCAL ------------------------- OK" &&
iptables -A INPUT -i eth1 -p tcp -m multiport --dport 80,22,25,110,137,138,139,443,445,3128 -j ACCEPT &&
iptables -A INPUT -i eth1 -p tcp -m multiport --sport 80,22,25,110,137,138,139,443,445,3128 -j ACCEPT &&
iptables -A INPUT -i eth1 -p udp -m multiport --dport 137,138,139,445,3128 -j ACCEPT &&
iptables -A INPUT -i eth1 -p udp -m multiport --sport 137,138,139,445,3128 -j ACCEPT &&
echo " LIBERAÇÃO DOS SOCKETES -------------------------------- OK" &&
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT  &&
echo " COMPARTILHAMENTO DA INTERNET, MASCARAMENTO ------------ OK" &&
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE &&
echo " PERMITINDO REDIRECIONAMENTO DE PACOTES ---------------- OK" &&
echo 1 >/proc/sys/net/ipv4/ip_forward &&
echo &&
echo &&
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" &&
echo "@@@        TERMINO DA CONFIGURAÇÃO         @@@" &&
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" &&
-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------
squid.conf
-------------------------------------------------------------------------------------------------------------------------
http_port 3128
cache_mem 64 MB
cache_dir ufs /squid/var/spool/squid 5000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
error_directory /squid/Prefeitura
emulate_httpd_log on
visible_hostname servidor.arcoiris
cache_mgr marcos em arcoiris.sp.gov.br

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
#
# Transparent proxy DISABLED
#*******************
#
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on
#
# acl - Recommended
#*******************
#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
#
# acl - Custom
#*********************
#
# *** Defines allowed ports
acl Safe_ports port 3050 # Interbase/Firebird
acl Safe_ports port 23000 # Serpro
acl Safe_ports port 13352 # SIRF
acl Safe_ports port 500 # FAP Digital
acl Safe_ports port 110
acl Safe_ports port 25
#
# *** Defines the internal network (Intranet)
acl intranet src 192.168.10.0/255.255.255.0
#

# LIST OF BLOCKED SITES
acl Site_Bloqueado url_regex "/etc/squid/bloqueio/sites.txt"
http_access deny Site_Bloqueado

# LIST OF BLOCKED WORDS
acl Palavra_Bloqueada url_regex "/etc/squid/bloqueio/palavras.txt"
http_access deny Palavra_Bloqueada

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow all
http_access allow intranet


-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------
named.conf
-------------------------------------------------------------------------------------------------------------------------
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
 type hint;
 file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
 type master;
 file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
 type master;
 file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
 type master;
 file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
 type master;
 file "/etc/bind/db.255";
};

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
//  Because many of our users are uncomfortable receiving undelegated answers
//  from root or top level domains, other than a few for whom that behaviour
//  has been trusted and expected for quite some length of time, we have now
//  introduced the "root-delegations-only" feature which applies delegation-only
//  logic to all top level domains, and to the root domain.  An exception list
//  should be specified, including "MUSEUM" and "DE", and any other top level
//  domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";

-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------
named.conf.options
-------------------------------------------------------------------------------------------------------------------------
options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you might need to uncomment the query-source
 // directive below.  Previous versions of BIND always asked
 // questions using port 53, but BIND 8.1 and later use an unprivileged
 // port by default.

 // query-source address * port 53;

 // If your ISP provided one or more IP addresses for stable
 // nameservers, you probably want to use them as forwarders.
 // Uncomment the following block, and insert the addresses replacing
 // the all-0's placeholder.

 // forwarders {
 //  0.0.0.0;
 // };

 auth-nxdomain no;    # conform to RFC1035
 listen-on-v6 { any; };

 // By default, name servers should only perform recursive domain
 // lookups for their direct clients.  If recursion is left open
 // to the entire Internet, your name server could be used to
 // perform distributed denial of service attacks against other
 // innocent computers.  For more information on DDoS recursion:
 // http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0987

 allow-recursion { localnets; };

 // If you have DNS clients on other subnets outside of your
 // server's "localnets", you can explicitly add their networks
 // without opening up your server to the Internet at large:
 // allow-recursion { localnets; 192.168.0.0/24; };

 // If your name server is only listening on 127.0.0.1, consider:
 // allow-recursion { 127.0.0.1; };
};


-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------
named.conf.local
-------------------------------------------------------------------------------------------------------------------------
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "arcoiris" {
 type master;
 file "/etc/bind/arcoiris.hosts";
};
zone "10.168.192.in-addr.arpa" {
 type master;
 file "/etc/bind/192.168.10.rev";
};

-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------
arcoiris.host
-------------------------------------------------------------------------------------------------------------------------
$ttl 38400
arcoiris. IN SOA servidor.arcoiris. marcos.arcoiris.sp.gov.br. (
   1185288635
   10800
   3600
   604800
   38400 )
arcoiris. IN NS servidor.arcoiris.
arcoiris. IN A 192.168.10.1
administrativo.arcoiris. IN A 192.168.10.10

-------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------
192.168.10.rev
-------------------------------------------------------------------------------------------------------------------------

$ttl 38400
10.168.192.in-addr.arpa. IN SOA servidor.arcoiris. marcos.arcoiris.sp.gov.br. (
   1185288953
   10800
   3600
   604800
   38400 )
10.168.192.in-addr.arpa. IN NS servidor.arcoiris.
10.10.168.192.in-addr.arpa. IN PTR administrativo.arcoiris.
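Added example, not code from Marcos's post nor from iptables or squid themselves: the INPUT chain in the iptables script and the http_access list in squid.conf above are both evaluated first-match, top to bottom, and the model below re-implements that rule in plain Python so the two quoted rule sets can be reasoned about offline. It shows that the final `--state ESTABLISHED,RELATED,NEW` line accepts every packet the earlier rules did not, so the `INPUT DROP` policy is never reached (Webmin on 10000/tcp is accepted from eth0 although no rule names it), that the `--sport` accepts match whatever source port the remote side chooses, and that `http_access allow all` placed before `allow intranet` makes the intranet line dead, so the proxy serves any client that can reach 3128/tcp. A tightened chain and a reordered http_access list are included for comparison. Interface names, ports and rule order come from the post; the packets, client addresses and the blocked-site entry are constructed sample data.

Two things worth checking before changing any rule: as quoted, every line of the script ends in `&&`, including the last one, which bash rejects as a syntax error without running any of the chain (`bash -n` on the file reports it); and the `dig -x` output above shows `SERVER: 200.111.0.11` with `status: NXDOMAIN`, so that query was answered by the upstream resolver rather than the local bind (`dig @192.168.10.1 -x 192.168.10.10` asks the local server directly).

```python
"""First-match evaluation of the posted INPUT chain and squid http_access list.
Added example; packets, requests and the blocked-site list are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    iface: str            # interface the packet arrived on ("eth0" WAN, "eth1" LAN)
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    state: str = "NEW"    # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    sport: int = 40000    # source port; clients normally use an ephemeral port


Rule = Tuple[Callable, str]   # (match predicate, verdict)


def first_match(rules: List[Rule], item, fallback: str) -> str:
    """Walk the rules top to bottom; the first match decides, else the fallback."""
    for matches, verdict in rules:
        if matches(item):
            return verdict
    return fallback


# --- iptables INPUT chain, condensed from the posted script (policy DROP) -----
ANY_IFACE_TCP = {22, 25, 80, 110, 443}
LAN_TCP = {80, 22, 25, 110, 137, 138, 139, 443, 445, 3128}
LAN_UDP = {137, 138, 139, 445, 3128}

POSTED_INPUT: List[Rule] = [
    (lambda p: p.iface == "lo", "ACCEPT"),
    # "--sport" accepts: the sender picks its own source port, so these
    # match whatever the sender wants them to match.
    (lambda p: p.sport in ANY_IFACE_TCP | {53}, "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.dport in ANY_IFACE_TCP, "ACCEPT"),
    (lambda p: p.iface == "eth1" and p.proto == "tcp" and p.dport in LAN_TCP, "ACCEPT"),
    (lambda p: p.iface == "eth1" and p.proto == "udp" and p.dport in LAN_UDP, "ACCEPT"),
    # The catch-all lists NEW too, so every packet reaching it is accepted
    # and the DROP policy is never consulted.
    (lambda p: p.state in {"NEW", "ESTABLISHED", "RELATED"}, "ACCEPT"),
]

# Tightened chain: replies pass via conntrack; every new inbound connection
# must match an explicit LAN-side rule. The any-interface 22,25,80,110,443
# rule is dropped (nmap showed none of those listening); 53 is added for the
# local bind and icmp so the workstations can ping the server.
TIGHTENED_INPUT: List[Rule] = [
    (lambda p: p.iface == "lo", "ACCEPT"),
    (lambda p: p.state in {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    (lambda p: p.iface == "eth1" and p.proto == "icmp", "ACCEPT"),
    (lambda p: p.iface == "eth1" and p.proto in {"tcp", "udp"} and p.dport == 53, "ACCEPT"),
    (lambda p: p.iface == "eth1" and p.proto == "tcp" and p.dport in LAN_TCP, "ACCEPT"),
    (lambda p: p.iface == "eth1" and p.proto == "udp" and p.dport in LAN_UDP, "ACCEPT"),
]


def input_verdict(chain: List[Rule], iface: str, proto: str, dport: Optional[int],
                  state: str = "NEW", sport: int = 40000) -> str:
    """iptables semantics: first matching rule wins, otherwise the chain policy."""
    return first_match(chain, Packet(iface, proto, dport, state, sport), "DROP")


# --- squid http_access list -----------------------------------------------------
@dataclass
class Request:
    src: str   # client IP as seen by squid
    url: str


BLOCKED_SITES = ["badsite.example"]  # constructed stand-in for bloqueio/sites.txt


def intranet(r: Request) -> bool:
    return r.src.startswith("192.168.10.")


def site_blocked(r: Request) -> bool:
    return any(s in r.url for s in BLOCKED_SITES)


# Posted order: "allow all" precedes "allow intranet", so the intranet line
# is dead and any client that can reach 3128/tcp is served.
POSTED_HTTP_ACCESS: List[Rule] = [
    (site_blocked, "deny"),         # http_access deny Site_Bloqueado
    (lambda r: True, "allow"),      # http_access allow all
    (intranet, "allow"),            # http_access allow intranet (never reached)
]

# Conventional order: allow the internal network, then explicitly deny the rest.
FIXED_HTTP_ACCESS: List[Rule] = [
    (site_blocked, "deny"),
    (intranet, "allow"),            # http_access allow intranet
    (lambda r: True, "deny"),       # http_access deny all
]


def squid_verdict(rules: List[Rule], src: str, url: str = "http://www.ubuntu.com/") -> str:
    """squid semantics: first match wins; with no match at all, the verdict is
    the opposite of the last http_access line's action."""
    fallback = "deny" if rules[-1][1] == "allow" else "allow"
    return first_match(rules, Request(src, url), fallback)


if __name__ == "__main__":
    print("posted  eth0->10000/tcp:", input_verdict(POSTED_INPUT, "eth0", "tcp", 10000))
    print("tight   eth0->10000/tcp:", input_verdict(TIGHTENED_INPUT, "eth0", "tcp", 10000))
    print("tight   eth1->3128/tcp :", input_verdict(TIGHTENED_INPUT, "eth1", "tcp", 3128))
    print("posted squid, WAN client:", squid_verdict(POSTED_HTTP_ACCESS, "203.0.113.7"))
    print("fixed  squid, WAN client:", squid_verdict(FIXED_HTTP_ACCESS, "203.0.113.7"))
    print("fixed  squid, LAN client:", squid_verdict(FIXED_HTTP_ACCESS, "192.168.10.10"))
```

Run it directly for the printed comparison; both verdict functions take the chain or list as an argument, so other rule orders can be tried the same way before they are typed into the real configuration.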
