NAT does not ask for username and password
30/03/2011, 10:26
Reply: #1
Hi folks, I decided to install NatACL on my network.

Following some pointers, I have already installed it and answered the encryption questions, but it does not ask for a username and password on the clients.

Could something in my iptables rules be conflicting???

These are my rules:

########################## iptables rules
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -s 192.168.3.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 192.168.4.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Per-host exceptions go BEFORE the subnet-wide REJECT rules, otherwise they are
# never reached. A single host is /32; "192.168.4.9/24" would match the whole
# 192.168.4.0/24 subnet.
iptables -A FORWARD -s 192.168.4.9/32 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.4.9/32 -d loginnet.passport.com -j ACCEPT

iptables -A FORWARD -s 192.168.4.10/32 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.4.10/32 -d loginnet.passport.com -j ACCEPT

iptables -A FORWARD -s 192.168.4.12/32 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.4.12/32 -d loginnet.passport.com -j ACCEPT

# Block the messenger port and the passport login for everyone else
iptables -A FORWARD -s 192.168.3.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.3.0/24 -d loginnet.passport.com -j REJECT

iptables -A FORWARD -s 192.168.4.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 192.168.4.0/24 -d loginnet.passport.com -j REJECT

iptables -A FORWARD -s 192.168.3.0/24 -p tcp --dport 7171 -j REJECT

##############################

My NatACL.conf is this one:
# NETWORK CONFIGURATION
#************************************************************************

# LAN_INTERFACE
# Set the network who will have access to this program
# LAN_INTERFACE [interface] [network/class]
# If you have only one lan interface, you may remove one line.
LAN_INTERFACE eth2 192.168.3.0/24

# WAN_INTERFACE
# Set the output internet address
# WAN_INTERFACE [interface] [local address]
WAN_INTERFACE eth2 192.168.3.1

# NAT_TYPE
# Configure the type of your network nat/firewall
# You can create your own type, just add the respective configuration to the RULE section.
# Default existing configuration:
#IPTABLES_NAT
#IPTABLES_PROXY
#IPFW_NAT
#IPFW_PROXY

NAT_TYPE: IPTABLES_PROXY

# Define whether you will allow simultaneous users at the same time
SIMULTANEOUS_LOGON: NO

#If you use Freebsd and IPFW/NATD You must set the NATD port
NATD_PORT: 31000

#If you use Proxy instead NAT, you must define the PROXY PORT
PROXY_PORT: 3128

# MODULE CONFIGURATION
#************************************************************************

# AUTH_UNIX
# Set the expire time and expire method for users using the unix password

# Args: EXPIRE_TIME <Time to live in seconds>
# EXPIRE_PING
# EXPIRE_PINGTIME <Time to live in seconds>
# EXPIRE_POPUP
#
# Ex:
# AUTH_UNIX TYPE EXPIRE_TIME 3600
# or
# AUTH_UNIX TYPE EXPIRE_POPUP
# or
# AUTH_UNIX TYPE EXPIRE_PING
# or both ( ping + time )
# AUTH_UNIX TYPE EXPIRE_PINGTIME 3600

# WARNING: If you use EXPIRE_POPUP, make sure the browser's pop-up blocker is disabled.

AUTH_UNIX TYPE EXPIRE_TIME 3600

#
# AUTH_MYSQL
# Set the configuration to the mysql database
# Args: Mysql_Host Mysql_db Mysql_user Mysql_password
# Ex. AUTH_MYSQL 127.0.0.1 NatACL User "password"
#AUTH_MYSQL 127.0.0.1 NatACL root <senha> (yes, I did type my real password here) :D


# RULE SECTION
#************************************************************************
# You don't have to alter this part, unless you know what you are doing.
# You can have multiple configurations, even if you don't have a specific firewall. It will not matter.
# Set the NAT_TYPE to your specific rule.

# START RULE - Is executed only once, when NatACL is run.
# INIT RULE - Is executed one time for each LAN_INTERFACE, when NatACL is run.
# GRANT RULE - Is executed when a user logon.
# REVOKE RULE - Is executed when a user expires.


# Rules for Linux IPTABLES_NAT
IPTABLES_NAT START "/sbin/iptables -t nat -F"
#IPTABLES_NAT INIT "/sbin/iptables -t nat -I PREROUTING -i [INTERFACE] -p tcp -s [LAN_INTERFACE] -d 0/0 --dport 80 -j DNAT --to-destination [WAN_ADDRESS]:5121"
IPTABLES_NAT INIT "/sbin/iptables -t nat -I POSTROUTING -p udp --dport 53 -j SNAT --to-source [WAN_ADDRESS]"
IPTABLES_NAT GRANT "/sbin/iptables -t nat -I PREROUTING -i [INTERFACE] -p tcp -s [CLIENT_ADDRESS] -d 0/0 --dport 80 -j ACCEPT"
IPTABLES_NAT GRANT "/sbin/iptables -t nat -I POSTROUTING -p tcp -s [CLIENT_ADDRESS] -j SNAT --to-source [WAN_ADDRESS]"
IPTABLES_NAT REVOKE "/sbin/iptables -t nat -D PREROUTING -i [INTERFACE] -p tcp -s [CLIENT_ADDRESS] -d 0/0 --dport 80 -j ACCEPT"
IPTABLES_NAT REVOKE "/sbin/iptables -t nat -D POSTROUTING -p tcp -s [CLIENT_ADDRESS] -j SNAT --to-source [WAN_ADDRESS]"

# Rules for Linux IPTABLES_PROXY
IPTABLES_PROXY START "/sbin/iptables -t nat -F"
IPTABLES_PROXY INIT "/sbin/iptables -t nat -I PREROUTING -i [INTERFACE] -p tcp -s [LAN_INTERFACE] -d 0/0 --dport 80 -j DNAT --to-destination [WAN_ADDRESS]:5121"
#IPTABLES_PROXY INIT "/sbin/iptables -t nat -I POSTROUTING -p udp --dport 53 -j SNAT --to-source [WAN_ADDRESS]"
IPTABLES_PROXY GRANT "/sbin/iptables -t nat -I PREROUTING -i [INTERFACE] -p tcp -s [CLIENT_ADDRESS] --dport 80 -j DNAT --to-destination [WAN_ADDRESS]:[PROXY_PORT]"
IPTABLES_PROXY REVOKE "/sbin/iptables -t nat -D PREROUTING -i [INTERFACE] -p tcp -s [CLIENT_ADDRESS] -j DNAT --to-destination [WAN_ADDRESS]:[PROXY_PORT]"



# Rules for Freebsd IPFW_NAT
IPFW_NAT START "ipfw del 8"
IPFW_NAT START "ipfw del 9"
IPFW_NAT START "ipfw del 10"
IPFW_NAT INIT "ipfw add 10 fwd 127.0.0.1,5121 tcp from [LAN_INTERFACE] to any 80"
IPFW_NAT INIT "ipfw add 10 fwd 127.0.0.1,5122 tcp from [LAN_INTERFACE] to any 5122"
IPFW_NAT GRANT "ipfw add 8 divert [NATD_PORT] ip from [CLIENT_ADDRESS] to any out xmit [WAN_INTERFACE] "
IPFW_NAT GRANT "ipfw add 9 skipto 11 all from [CLIENT_ADDRESS] to any"
IPFW_NAT REVOKE "ipfw del 8 divert [NATD_PORT] ip from [CLIENT_ADDRESS] to any out xmit [WAN_INTERFACE] "
IPFW_NAT REVOKE "ipfw del 9 skipto 11 all from [CLIENT_ADDRESS] to any"

# Rules for Freebsd IPFW_PROXY - PROXY PORT
IPFW_PROXY START "ipfw del 8"
IPFW_PROXY START "ipfw del 9"
IPFW_PROXY START "ipfw del 10"
IPFW_PROXY INIT "ipfw add 10 fwd 127.0.0.1,5121 tcp from [LAN_INTERFACE] to any 80"
IPFW_PROXY INIT "ipfw add 10 fwd 127.0.0.1,5122 tcp from [LAN_INTERFACE] to any 5122"
IPFW_PROXY GRANT "ipfw add 8 fwd 127.0.0.1:[PROXY_PORT] tcp from [CLIENT_ADDRESS] to any 80"
IPFW_PROXY GRANT "ipfw add 9 skipto 11 all from [CLIENT_ADDRESS] to any"
IPFW_PROXY REVOKE "ipfw del 8 fwd 127.0.0.1:[PROXY_PORT] tcp from [CLIENT_ADDRESS] to any 80"
IPFW_PROXY REVOKE "ipfw del 9 skipto 11 all from [CLIENT_ADDRESS] to any"
##################################################

I have a domain server on eth1 on my network.

eth0: Internet connection

eth1: Administrative network

eth2: School student network.


My squid is working fine.

Does anyone know where I'm going wrong???

Thanks
30/03/2011, 14:52
Reply: #2
Re: NAT does not ask for username and password
Do you want the computers to authenticate before connecting to the internet? If so, you can do that with squid

Jvianez
Every Christian is free: use Linux and don't be a pirate.
30/03/2011, 15:59
Reply: #3
Re: NAT does not ask for username and password
Yes, I do. But my proxy is transparent.

I have already managed to get NatACL working.

When the user logs in it says the certificate is not trusted, and also when I type the preconfigured username and password it says the following in Firefox:

Access DENIED
- IP address/Login/Password not allowed

And in IE:

The website declined to show this webpage
HTTP 403
Most likely causes:
•This website requires you to log on.

You can try:


Does anyone know why?
31/03/2011, 07:55
Reply: #4
Re: NAT does not ask for username and password
I have been poking around and went back over the NatACL LOGs; I followed a tutorial from VOL itself.

Here is what the LOG says:

[Wed Mar 30 13:32:11] [INFO] WAN ADDRESS [eth2:192.168.3.1]

[Wed Mar 30 13:32:11] [IPTABLES_PROXY] Init
[Wed Mar 30 13:32:11] [IPTABLES_PROXY] Added interface [eth2]
[Wed Mar 30 13:32:11] [IPTABLES_PROXY] /sbin/iptables -t nat -F
[Wed Mar 30 13:32:11] [IPTABLES_PROXY] Added interface [eth2]
[Wed Mar 30 13:32:11] [IPTABLES_PROXY] /sbin/iptables -t nat -I PREROUTING -i eth2 -p tcp -s 192.168.3.0/24 -d 0/0 --dport 80 -j DNAT --to-destination 192.168.3.1:5121
[Wed Mar 30 13:33:18] [AUTH] [ 192.168.3.11] [ fabio] Invalid Password
[Wed Mar 30 13:34:42] [AUTH] [ 192.168.3.11] [ 6325] Invalid Password
[Wed Mar 30 13:42:48] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 13:43:16] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 13:43:54] [AUTH] [ 192.168.3.12] [ admin] Invalid Password
[Wed Mar 30 13:47:20] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 13:48:20] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 14:22:37] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 14:25:23] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 16:10:21] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 16:10:45] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 16:32:50] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password

########################

In MySQL it looks like this:

mysql> use NatACL;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_NatACL |
+------------------+
| users            |
+------------------+
1 row in set (0.00 sec)

mysql> select * from users;
+----+-------+----------+-------------+--------------+---------+
| id | user  | password | expire_type | expire_value | address |
+----+-------+----------+-------------+--------------+---------+
|  1 | fabio | teste    |           1 |            0 | NULL    |
+----+-------+----------+-------------+--------------+---------+
1 row in set (0.00 sec)

##########

I would like to see NatACL's SELECT. Could it be the way the password is stored in the database? Could it be that some encryption has to be applied to the password field on insertion (md5 and the like)?

Thanks
Cheers!!
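As an added example (not part of this thread or of the NatACL project), here is a small Python parser for the [AUTH] log format quoted above that tallies "Invalid Password" events per client and username and flags any address producing a burst of failures, the kind of check a gateway admin would want to run over this log while chasing a credential problem. The log carries no year, so the `year` argument is an assumption; the sample lines are constructed after the posted excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One NatACL [AUTH] line, as quoted in the thread, looks like:
# "[Wed Mar 30 13:33:18] [AUTH] [ 192.168.3.11] [ fabio] Invalid Password"
AUTH_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] "
    r"\[AUTH\] \[ ?(?P<addr>[\d.]+)\] \[ ?(?P<user>[^\]]+)\] (?P<msg>.+)$"
)

def parse_auth_line(line, year=2011):
    """Return (timestamp, address, user, message), or None for non-AUTH lines."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    # The log timestamp has no year, so the caller supplies one (assumed).
    ts = datetime.strptime(f"{m['ts']} {year}", "%a %b %d %H:%M:%S %Y")
    return ts, m["addr"], m["user"].strip(), m["msg"]

def analyze(lines, threshold=3, window=timedelta(minutes=15), year=2011):
    """Return (failures per (address, user), addresses with a failure burst).

    A burst is `threshold` or more 'Invalid Password' events from the same
    address inside one `window`, found with a sliding window over timestamps."""
    counts = defaultdict(int)
    times = defaultdict(list)
    for line in lines:
        rec = parse_auth_line(line, year)
        if rec and rec[3] == "Invalid Password":
            counts[(rec[1], rec[2])] += 1
            times[rec[1]].append(rec[0])
    bursts = set()
    for addr, stamps in times.items():
        stamps.sort()
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            bursts.add(addr)
    return dict(counts), bursts

# Constructed sample, modelled on the excerpt posted in the thread.
SAMPLE_LOG = """\
[Wed Mar 30 13:32:11] [IPTABLES_PROXY] Init
[Wed Mar 30 13:33:18] [AUTH] [ 192.168.3.11] [ fabio] Invalid Password
[Wed Mar 30 13:42:48] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 13:43:16] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
[Wed Mar 30 13:43:54] [AUTH] [ 192.168.3.12] [ fabio] Invalid Password
""".splitlines()
```

Running `analyze(SAMPLE_LOG)` on the sample yields one failure for 192.168.3.11 and three for 192.168.3.12, with only the latter flagged as a burst.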