maoflaric
(usa CentOS)
Enviado em 24/09/2024 - 15:37h
Bom dia, tarde, noite,
Estou querendo subir um firewall iptables com serviço de proxy squid e dhcpd-server no SO Alma Linux 9.4. Todos os serviços estão funcionando normalmente, porém não consigo configurar o proxy transparente, o que seria bem melhor.
Alguém poderia me ajudar?
Vou pôr aqui o que já fiz no squid e no iptables.
#SQUID.CONF
#### Header ####
# NOTE(review): both listeners below are plain forward-proxy ports. There is
# no http_port in `intercept` mode (on a port separate from 3128), which Squid
# needs for transparent/intercepted proxying, and the iptables script further
# down has no nat PREROUTING REDIRECT rule diverting LAN port-80 traffic to it.
http_port 172.17.10.1:3128
http_port 127.0.0.1:3128
visible_hostname fw-upa-cidoperaia-01
dns_nameservers 192.166.254.60
dns_nameservers 192.166.254.70
# Cache sizing: 2 GB in memory, objects up to 512 MB, ufs disk cache of
# 2048 MB with 16 first-level and 256 second-level directories.
cache_mem 2048 MB
maximum_object_size_in_memory 512 MB
maximum_object_size 512 MB
minimum_object_size 0 MB
cache_swap_high 95
cache_swap_low 90
httpd_suppress_version_string on
cache_dir ufs /var/spool/squid 2048 16 256
error_directory /usr/share/squid/errors/pt-br
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 20% 2280
refresh_pattern . 15 20% 2280
#### Site blocking ACL rules ####
# allowed sites
# NOTE(review): this allow is evaluated before `http_access deny !Safe_ports`,
# `http_access deny CONNECT !SSL_ports` and the `redelan` source check further
# down, so any request whose URL matches the list skips the port, CONNECT and
# source restrictions. Placing it after those deny lines closes that gap.
acl sites_liberados url_regex -i "/etc/squid/sites_liberados"
http_access allow sites_liberados
acl SitesBloqueados url_regex -i "/etc/squid/SitesBloqueados"
http_access deny SitesBloqueados
acl SitesImproprios url_regex -i "/etc/squid/SitesImproprios"
http_access deny SitesImproprios
#### Port ACLs ####
# Ports that may be reached with CONNECT (see `deny CONNECT !SSL_ports` below).
# NOTE(review): 3001, 3002 and 3003 are listed twice here; harmless.
acl SSL_ports port 5938 # teamviewer
acl SSL_ports port 3389 # teamviewer (3389 is conventionally RDP — confirm label)
acl SSL_ports port 2200 # ssh
acl SSL_ports port 443 # https
acl SSL_ports port 444 # https
acl SSL_ports port 3001 # https
acl SSL_ports port 3002 # https
acl SSL_ports port 3003 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 8059 # (labelled Sistema Ponto in Safe_ports below)
acl SSL_ports port 8050 # (labelled Sistema Ponto in Safe_ports below)
acl SSL_ports port 8058 # (labelled Sistema Ponto in Safe_ports below)
acl SSL_ports port 8061 # Sistema Ponto (time-clock system)
acl SSL_ports port 2021 # Sistema Ponto
acl SSL_ports port 2022 # Sistema Ponto
acl SSL_ports port 3000 # Sistema Ponto
acl SSL_ports port 3001 # node socket sisupa
acl SSL_ports port 3002 # node socket sisupa
acl SSL_ports port 3003 # node socket sisupa
acl SSL_ports port 3005 # node socket sisupa
# Ports any request may target (see `deny !Safe_ports` below).
# NOTE(review): ACL names are case-sensitive — lowercase `safe_ports` on the
# next line defines a separate ACL that nothing references; 5938 is covered
# by Safe_ports only through the 1025-65535 range further down. Probably
# meant `Safe_ports`.
acl safe_ports port 5938 # teamviewer
acl Safe_ports port 3389 # teamviewer (3389 is conventionally RDP — confirm label)
acl Safe_ports port 2200 # ssh
acl Safe_ports port 80 # http
acl Safe_ports port 83 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 444 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports (already covers every high port listed explicitly in this ACL)
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8050 # Sistema Ponto
acl Safe_ports port 8058 # Sistema Ponto
acl Safe_ports port 8059 # Sistema Ponto
acl Safe_ports port 8061 # Sistema Ponto
acl Safe_ports port 2021 # Sistema Ponto
acl Safe_ports port 2022 # Sistema Ponto
acl Safe_ports port 3000 # Sistema Ponto
acl Safe_ports port 3001 # Sistema Ponto
# NOTE(review): `porge` is a typo for `purge`; the commented-out
# `http_access allow purge localhost` / `deny purge` lines below would fail to
# load if re-enabled, because no ACL named `purge` exists.
acl porge method PURGE
# NOTE(review): `manager`, `localhost`, `all` and `CONNECT` are predefined in
# Squid 3.2+, so `manager` needs no explicit acl and redefining CONNECT here
# is redundant — confirm against the installed Squid version.
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
#http_access allow purge localhost
#http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
########## PROXY HIERARCHY ###########
# SEATI (upstream) proxy
# NOTE(review): no never_direct/always_direct is set, so whether requests go
# through this parent or directly depends on Squid's peer-selection defaults
# — confirm this matches the intended routing.
cache_peer 192.166.254.2 parent 3128 3130 no-query no-digest
#### Local access rule ####
# Only the LAN and the proxy host itself may use the proxy; everything else
# is denied by the final rule.
acl redelan src 172.17.10.0/24
http_access allow localhost
http_access allow redelan
http_access deny all
## Agora o script que fiz para o iptables
#!/bin/bash
# chkconfig: 2345 25 98
# Firewall / gateway script for the local network.
# Usage: start | stop | restart (see the dispatcher at the bottom).
# The chkconfig line above declares runlevels 2345, start priority 25,
# stop priority 98.
#
# Host configuration — adjust to the machine:
readonly IF_LOCAL="enp3s0"                # LAN-facing interface
readonly INTERNET="enp2s0"                # external / upstream interface
readonly LOOPBACK="lo"                    # loopback interface
readonly LOCAL_NETWORK="172.17.10.0/24"   # LAN range behind IF_LOCAL
readonly IPTABLES="/sbin/iptables"        # iptables binary used by every rule
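begin(){
  #######################################
  # Bring the firewall up: flush every table, set default-deny policies for
  # INPUT and FORWARD, enable routing + SNAT for the LAN, then open the few
  # allowed paths. IPv4 only — nothing here configures ip6tables, so if IPv6
  # is enabled on these interfaces this policy does not cover it.
  # Globals (read): IF_LOCAL, INTERNET, LOOPBACK, LOCAL_NETWORK, IPTABLES
  # Outputs: status line on stdout
  #######################################

  # Flush rules and user chains in the filter, mangle and nat tables.
  "$IPTABLES" -F
  "$IPTABLES" -F INPUT
  "$IPTABLES" -F OUTPUT
  "$IPTABLES" -F FORWARD
  "$IPTABLES" -F -t mangle
  "$IPTABLES" -t mangle -X
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X

  # Default policies: drop anything not explicitly allowed to or through the box.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD DROP

  # Connection sharing: NAT module and IPv4 forwarding. The sysctl write is
  # not persistent across reboots (a sysctl.d entry would be).
  modprobe iptable_nat
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Traffic addressed to the firewall itself.
  "$IPTABLES" -A INPUT -i "$LOOPBACK" -j ACCEPT
  "$IPTABLES" -A INPUT -i "$INTERNET" -p tcp --dport 2200 -j ACCEPT   # ssh from outside
  "$IPTABLES" -A INPUT -i "$IF_LOCAL" -p tcp --dport 2200 -j ACCEPT   # ssh from the LAN
  "$IPTABLES" -A INPUT -i "$IF_LOCAL" -p tcp --dport 3128 -s "$LOCAL_NETWORK" -d 172.17.10.1 -j ACCEPT   # squid, LAN only
  # NOTE(review): DNS (udp/53), SNMP (udp/161) and ICMP are accepted on the
  # external interface with no source restriction. If only the upstream
  # network needs them, add `-s <upstream-net>` to each rule so they are not
  # reachable from everything the external side can see.
  "$IPTABLES" -A INPUT -i "$INTERNET" -p udp --dport 53 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$INTERNET" -p udp --dport 161 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$INTERNET" -p icmp -j ACCEPT

  # Traffic from the LAN through the firewall.
  "$IPTABLES" -A FORWARD -i "$IF_LOCAL" -p udp --dport 53 -s "$LOCAL_NETWORK" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$IF_LOCAL" -p icmp -j ACCEPT

  # SNAT for LAN traffic leaving on the external interface.
  "$IPTABLES" -t nat -A POSTROUTING -o "$INTERNET" -s "$LOCAL_NETWORK" -j SNAT --to-source 10.70.7.5

  # Fix: these two rules had no -i/-s, so they matched forwarded traffic in
  # either direction. With the FORWARD policy DROP that was presumably not
  # intended: if the upstream routes 172.17.10.0/24 to this box, the external
  # side could reach LAN hosts on 135/139/445, 389/636, mail and DNS ports.
  # They are now bound to LAN-originated traffic, like the udp/53 rule above.
  "$IPTABLES" -A FORWARD -i "$IF_LOCAL" -s "$LOCAL_NETWORK" -p tcp -m tcp -m multiport --dports 53,389,636,135,139,445,110,995,25,465,587 -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$IF_LOCAL" -s "$LOCAL_NETWORK" -p udp -m udp -m multiport --dports 53,389,636 -j ACCEPT

  # NOTE(review): there is no nat PREROUTING rule here, so nothing diverts LAN
  # port-80 traffic to Squid. Transparent mode needs a REDIRECT rule from
  # IF_LOCAL to a dedicated `intercept` http_port on the Squid side, plus an
  # INPUT accept for that port — neither this script nor the squid.conf above
  # has that yet.

  # Replies and related packets of connections already allowed.
  "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "INICIANDO O FIREWALL..."
}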
stop(){
  #######################################
  # Take the firewall down: flush the filter, nat and mangle tables, open
  # every policy and delete user chains. Afterwards the box accepts and
  # forwards everything, hence the warning printed last.
  # Globals (read): IPTABLES
  # Outputs: warning line on stdout
  #######################################
  local table chain
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
  done
  for chain in INPUT FORWARD OUTPUT; do
    "$IPTABLES" -P "$chain" ACCEPT
  done
  "$IPTABLES" -X
  echo "FIREWALL PARADO, REDE DESPROTEGIDA"
}
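# Dispatch on the single argument: start | stop | restart.
# Fix: an unknown or missing argument is reported on stderr with a non-zero
# exit status (the original printed to stdout and exited 0), and the usage
# text now lists restart, which it omitted.
case "$1" in
  start) begin ;;
  stop) stop ;;
  restart) stop; begin ;;
  *)
    echo "Use os parametros start, stop ou restart" >&2
    exit 1
    ;;
esac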
### Alguma dica de regra que eu possa aplicar para o proxy transparente?
Desde já agradeço.