Squid3 + proxy

fradeck
(usa Outra)

Enviado em 27/03/2015 - 15:35h

Estou com problemas com meu squid3 e firewall!
O proxy setado no navegador ou com wpad funciona normal com as regras de bloqueio.
Porém quando retiro o proxy o usuário acessa a internet normalmente.
Segue meu squid e firewall.

########################### CIDADE CLIMA #####################

###########################  FIREWALL    #####################

##############################################################

# Carrega os moulos

echo Modulos do firewall

modprobe ipt_string

modprobe ip_tables

modprobe iptable_filter

modprobe ip_conntrack

modprobe ip_conntrack_ftp

modprobe iptable_nat  
 


modprobe ip_nat_ftp

modprobe ipt_LOG

modprobe ipt_state

modprobe ipt_MASQUERADE





echo Regras default

iptables -F INPUT

iptables -F OUTPUT

iptables -F FORWARD

iptables -t nat -F

iptables -t mangle -F



#Definindo a politica default das cadeias, testei com drop e nada acessou

#iptables -P INPUT DROP

#iptables -P OUTPUT DROP

#iptables -P FORWARD DROP





#Nat da rede

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE



#liberando encaminhamento de pacotes;

echo "1" > /proc/sys/net/ipv4/ip_forward



#Bloquenado internet sem proxy



#iptables -I FORWARD -p tcp --dport 80 -j DROP

#iptables -I FORWARD -p tcp --dport 443 -j DROP





#Acesso externo Cameras

iptables -A FORWARD -p tcp --dport 37777 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 37777 -j DNAT --to 192.168.10.219

iptables -I FORWARD -p tcp --dport 37777 -j ACCEPT

iptables -t nat -I PREROUTING -p tcp -i eth1 --dport 37777 -j DNAT --to-destination 192.168.10.219:37777

#liberar outlook

echo liberando outlook

iptables -A FORWARD -p udp -s 192.168.10.0/24 -d 200.175.89.139 --dport 53 -j ACCEPT

iptables -A FORWARD -p udp -s 192.168.10.0/24 -d 200.146.34.58  --dport 53 -j ACCEPT

iptables -A FORWARD -p udp -s 200.175.89.139 --sport 53 -d 192.168.10.0/24 -j ACCEPT

iptables -A FORWARD -p udp -s 200.146.34.58 --sport 53 -d 192.168.10.0/24 -j ACCEPT

iptables -A FORWARD -p TCP -s 192.168.10.0/24 --dport 25 -j ACCEPT

iptables -A FORWARD -p TCP -s 192.168.10.0/24 --dport 110 -j ACCEPT

iptables -A FORWARD -p TCP -s 192.168.10.0/24 --dport 587 -j ACCEPT

iptables -A FORWARD -p tcp --sport 25 -j ACCEPT

iptables -A FORWARD -p tcp --sport 110 -j ACCEPT

iptables -A FORWARD -p tcp --sport 587 -j ACCEPT

iptables -t nat -A POSTROUTING -j MASQUERADE



#Liberando porta 81

echo liberando inovar auto

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -d inovarauto.mdic.gov.br -j RETURN

#liberar acesso externo siga

echo Acesso externo Siga

iptables -A INPUT -i eth0 -p tcp --dport 1257 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 1257 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 1257 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 1257 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 1257 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 1257 -j DNAT --to-destination 192.168.10.90:1257

iptables -A FORWARD -p udp -d 192.168.10.90 --dport 1257 -j ACCEPT

iptables -t nat -A PREROUTING -p udp --dport 1257 -j DNAT --to-destination 192.168.10.90:1257



iptables -A INPUT -i eth0 -p tcp --dport 1299 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 1299 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 1299 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 1299 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 1299 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 1299 -j DNAT --to-destination 192.168.10.90:1299

iptables -A FORWARD -p udp -d 192.168.10.90 --dport 1299 -j ACCEPT

iptables -t nat -A PREROUTING -p udp --dport 1299 -j DNAT --to-destination 192.168.10.90:1299





iptables -t nat -A PREROUTING -p udp --dport 37777 -j DNAT --to-destination 192.168.10.219:37777

iptables -t nat -A PREROUTING -p udp --dport 8001 -j DNAT --to-destination 192.168.10.219:8001



echo Acesso ao Sql Server

iptables -A INPUT -i eth0 -p tcp --dport 9723 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 9723 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 9723 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 9723 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 9723 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 9723 -j DNAT --to-destination 192.168.10.91:1433

iptables -A FORWARD -p udp -d 192.168.10.91 --dport 9723 -j ACCEPT

iptables -t nat -A PREROUTING -p udp --dport 9723 -j DNAT --to-destination 192.168.10.91:1433

echo Fim Sql Server

#acesso aos servidores via TS

echo Liberando acesso via TS

iptables -A INPUT -i eth0 -p tcp --dport 3390 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 3390 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 3390 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 3390 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 3389 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 3390 -j DNAT --to-destination 192.168.10.90:3389

iptables -A FORWARD -p udp -d 192.168.10.90 --dport 3389 -j ACCEPT

iptables -t nat -A PREROUTING -p udp --dport 3390 -j DNAT --to-destination 192.168.10.90:3389



iptables -A INPUT -i eth0 -p tcp --dport 3391 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 3391 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 3391 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 3391 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 3389 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 3391 -j DNAT --to-destination 192.168.10.91:3389

iptables -A FORWARD -p udp -d 192.168.10.91 --dport 3389 -j ACCEPT

iptables -t nat -A PREROUTING -p udp --dport 3391 -j DNAT --to-destination 192.168.10.91:3389



#acesso ao BI

echo Liberando Acesso ao BI

iptables -A INPUT -i eth0 -p tcp --dport 7980 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 7980 -j ACCEPT



iptables -A INPUT -i eth0 -p udp --dport 7980 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 7980 -j ACCEPT



iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 7980 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080



iptables -A FORWARD -p udp -d 192.168.10.91 --dport 7980 -j ACCEPT

iptables -t nat -A PREROUTING -p udp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080



iptables -t nat -A PREROUTING -d 0/0 -p #*************************** BLOQUEIO DO FACEBOOK ***********************************************************

#!/bin/bash

#BLOQUEIOS FACEBOOK:

hora=`/bin/date +%H%M`

if `[ "$hora" -gt "0759" ] && [ "$hora" -lt "1229" ] || [ "$hora" -gt "1329" ] && [ "$hora" -lt "1759" ] `; then

    op=1;

else

    op=2;

fi

# para que desse certo inclui os horários sem o " - " assim compara como se fosse números inteiros



permitidos=$(egrep -v "(^#|^$)" /etc/squid3/regras/ips_fb)  #Aqui ele lê a lista de IPs que possuem acesso ao Facebook, independentemente do horário, como existem linhasomentadas nesta lista com o nome do dono do IP, esse comando ignoressas linhas listando apenas os IPs



##BLOQUEIO DO FACEBOOK

FACEBOOK_IP_RANGE="31.13.64.0-31.13.127.255 31.13.24.0-31.13.31.255 74.119.76.0-74.119.79.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"

iptables -N FACEBOOK



## FACEBOOK DENY

for face in $FACEBOOK_IP_RANGE; do

    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 443 -j FACEBOOK

    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 80 -j FACEBOOK

done



FACEBOOK_ALLOW="$permitidos" #MSR_LIBERADO  #Aqui libera os permitidos.



for MSR_LIBERADO in $FACEBOOK_ALLOW; do

    iptables -I FACEBOOK -s $MSR_LIBERADO -j ACCEPT

done



if [ $op -eq "1" ]; then  #Aqui caso esteja no horário de expediente ele é bloqueado

    echo "Bloqueando"

    iptables -A FACEBOOK -j REJECT

fi



if [ $op -eq "2" ]; then  #E caso esteja fora do horário de serviço é liberado

    echo "Liberando"

    iptables -A FACEBOOK -j ACCEPT

fi 

squid

# Portas padrao

acl SSL_ports port 443

acl Safe_ports port 443

#acl Safe_ports port 8080

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT



#dns_v4_first on



#https_port 3130 transparent cert=/etc/squid3/openssl.crt key=/etc/squid3/openssl.key



http_access allow connect SSL_Ports



http_access deny !Safe_ports



http_access deny CONNECT !SSL_ports



#http_access allow localhost manager

#http_access deny manager

acl redelocal src 192.168.10.0/24

http_access allow redelocal

http_access deny all



#controle de cache do proxy

cache_mem 32 MB

maximum_object_size_in_memory 64 KB

minimum_object_size 0 KB

maximum_object_size 4096 MB



cache_swap_low 85

cache_swap_high 90

cache_dir ufs /var/spool/squid3 2048 16 256

cache_access_log /var/log/squid3/access.log

#Controle do arquivo de Log

logfile_rotate 10

ftp_user Squid@

#protocolos

refresh_pattern ^ftp: 15 20% 2280

refresh_pattern ^gopher: 15 0% 2280

refresh_pattern . 15 20% 2280



######Block Video and Audio Streaming##############



acl media rep_mime_type video/flv video/x-flv

acl media rep_mime_type -i ^video/

acl media rep_mime_type -i ^video\/

acl media rep_mime_type ^application/x-shockwave-flash

acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1

acl media rep_mime_type ^application/x-fcs

acl media rep_mime_type ^application/x-mms-framed

acl media rep_mime_type ^video/x-ms-asf

acl media rep_mime_type ^audio/mpeg

acl media rep_mime_type ^audio/x-scpls

acl media rep_mime_type ^audio/x-scpls

acl media rep_mime_type ^video/x-flv

acl media rep_mime_type ^video/mpeg4

acl media rep_mime_type ms-hdr

acl media rep_mime_type x-fcs

acl mediapr urlpath_regex \.flv(\?.*)?$

acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$

acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$









#********************************* GERAL *****************************************

acl ips_geral src "/etc/squid3/regras/geral/ips_liberados"

acl sites_liberados_geral url_regex -i "/etc/squid3/regras/geral/sites_liberados_geral"

acl palavras_bloqueadas url_regex -i "/etc/squid3/regras/geral/palavras_bloqueadas"

acl sites_bloqueados_geral url_regex -i "/etc/squid3/regras/geral/sites_bloqueados_geral"

#************************************************************************************



#********************************* COMERCIAL *****************************************

acl comercial src "/etc/squid3/regras/comercial/ips_comercial"

acl sites_comercial url_regex -i "/etc/squid3/regras/comercial/sites_liberados"



#********************************* COMPRAS *****************************************

acl compras src "/etc/squid3/regras/compras/ips_compras"

acl sites_compras url_regex -i "/etc/squid3/regras/compras/sites_liberados"



#********************************* CTP *****************************************

acl ctp src "/etc/squid3/regras/ctp/ips_ctp"

acl sites_ctp url_regex -i "/etc/squid3/regras/ctp/sites_liberados"



#********************************* FINANCEIRO *****************************************

acl financeiro src "/etc/squid3/regras/financeiro/ips_financeiro"

acl sites_financeiro url_regex -i "/etc/squid3/regras/financeiro/sites_liberados"



#********************************* INSPECAO *****************************************

acl inspecao src "/etc/squid3/regras/inspecao/ips_inspecao"

acl sites_inspecao url_regex -i "/etc/squid3/regras/inspecao/sites_liberados"



#********************************* PRODUCAO *****************************************

acl producao src "/etc/squid3/regras/producao/ips_producao"

acl sites_producao url_regex -i "/etc/squid3/regras/producao/sites_liberados"



#********************************* PCP *****************************************

acl pcp src "/etc/squid3/regras/pcp/ips_pcp"

acl sites_pcp url_regex -i "/etc/squid3/regras/pcp/sites_liberados"



#********************************* RH *****************************************

acl rh src "/etc/squid3/regras/rh/ips_rh"

acl sites_rh url_regex -i "/etc/squid3/regras/rh/sites_liberados"



#********************************* TI *****************************************

acl TI src "/etc/squid3/regras/TI/ips_TI"



acl ips_gestores  src "/etc/squid3/regras/geral/ips_gestores"





acl almoco time MTWHF 12:30-13:30



#CONFIGURACAO DAS ACLS

http_access allow TI

http_access allow ips_geral

http_access allow almoco

http_access allow rh

http_access deny sites_bloqueados_geral

http_access deny mediapr

http_reply_access deny media !TI

http_access allow compras

http_access allow ctp

http_access allow sites_liberados_geral

http_access allow ips_gestores

http_access allow comercial sites_comercial

http_access allow financeiro sites_financeiro

http_access allow inspecao sites_inspecao

http_access allow producao sites_producao

http_access allow pcp sites_pcp

#http_access allow redelocal

http_access deny all





log_mime_hdrs on

http_port 3128 

anewvision
(usa Debian)

Enviado em 27/03/2015 - 20:13h

Torna seu proxy transparente e criar um redirecionamento no firewall para tudo que chegar na porta 80 vá para porta 3128. Assim não precisa configurar proxy nos clientes.

fradeck
(usa Outra)

Enviado em 28/03/2015 - 17:21h

Preciso que não seja transparente o proxy, pois com ele transparente as requisições https não consigo filtrar.