Servidor distribui IPs mas ninguém navega!

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# Placa de rede do modem
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp

# Placa da rede local
auto eth1
iface eth1 inet static
address 10.0.2.1
netmask 255.0.0.0
broadcast 10.0.2.255
network 10.0.2.0

auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
provider dsl-provider

#!/bin/sh
#

### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall at boot time
# Description: Enable service provided by firewall.
### END INIT INFO
# Firewall criado sem fins lucrativos, por favor, mantenha os créditos.
# (c) 2010, www.SilasMatos.com.br under GNU/GPL v2.0+

iniciar(){
# IP do servidor SQUID
SQUID_SERVER="10.0.2.1"
# Interface que se conecta com a internet
INTERNET="ppp0"
# Interface da rede local
LAN_IN="eth1"
# Porta do SQUID
SQUID_PORT="3128"

# NÃO MODIFIQUE AS LINHAS ABAIXO:
# LIMPAR FIREWALL
iptables -F
iptables -X
iptables -X -t filter
iptables -F -t filter
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# CARREGAR MÓDULOS PARA NAT E SUPORTE PARA IP CONTRACK
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe tun
# COMPARTILHAMENTO DE INTERNET.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# DEFINIR POLITICAS DE ACESSO
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# ACESSO ILIMITADO AO LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# LIBERAÇÃO DE PORTAS
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
iptables -A INPUT -p tcp --dport 5931 -j ACCEPT
iptables -A INPUT -p tcp --dport 1863 -j ACCEPT
iptables -A INPUT -p udp --dport 1863 -j ACCEPT
iptables -A INPUT -p udp --dport 27015 -j ACCEPT

#bloqueando Ping
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

#Ultra Surf, Ares, uTorrent, p2p
#iptables -A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf="
#iptables -A FORWARD -d 199.59.162.71 -j LOG --log-prefix "=Ares_Galaxy="
#iptables -A FORWARD -d 98.143.146.7 -j LOG --log-prefix "=uTorrent= "
#iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j LOG --log-prefix "=uTorrent= "
#iptables -A FORWARD -m string --algo bm --string "peer_id=" -j LOG --log-prefix "=uTorrent="
#iptables -A FORWARD -m string --algo bm --string "torrent" -j LOG --log-prefix "=uTorrent="
#iptables -A FORWARD -m string --algo bm --string "announce" -j LOG --log-prefix "=uTorrent="
#iptables -A FORWARD -m string --algo bm --string "tracker" -j LOG --log-prefix "=uTorrent="
#iptables -A FORWARD -m string --algo bm --string "find_node" -j LOG --log-prefix "=uTorrent="
#iptables -A FORWARD -m string --algo bm --string "info_hash" -j LOG --log-prefix "=uTorrent="
#iptables -A FORWARD -m string --algo bm --string "get_peers" -j LOG --log-prefix "=uTorrent="

#BLOQUEAR ENDERECOS DO FACEBOOK
iptables -A INPUT -m string --algo bm --string "facebook.com" -m iprange --src-range 10.0.2.5-10.0.2.10 -j DROP

# PERMITIR UDP, DNS E FTP PASSIVO
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# DEFINIR ESTE SISTEMA COMO O ROTEADOR PADRÃO PARA O RESTO DA LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# ACESSO ILIMITADO PELA LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# NAT PARA A PORTA 80 SOLICITADA PELA LAN PARA A PORTA DO SQUID 3128 ($SQUID_PORT) PROXY TRANSPARENTE
iptables -t nat -I PREROUTING -p tcp -i $LAN_IN --dport 80 -j REDIRECT --to-port 3128

# REJEITAR O RESTO E CRIAR LOG
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
echo "Firewall Habilitado"
}
parar(){
iptables -F
iptables -X
iptables -X -t filter
iptables -F -t filter
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
echo "Firewall desabilidatado"
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use os parâmetros start, stop ou restart"
esac

ddns-update-style none;

option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

log-facility local7;


# Saude

subnet 10.0.0.0 netmask 255.0.0.0 {
option domain-name-servers 10.0.2.1 , 201.10.128.2 , 201.10.120.3;
allow client-updates;
allow unknown-clients;
authoritative;
option routers 10.0.2.1;
range 10.0.2.240 10.0.2.240;
}

#DESKTOPS

host SMS-CPD {
hardware ethernet 44:1E:A1:77:77:0E;
fixed-address 10.0.2.2;
}
host SMS-Compras2 {
hardware ethernet 6c:f0:49:fe:20:57;
fixed-address 10.0.2.3;
}
host SMS-Projetos {
hardware ethernet 44:1e:a1:77:67:92;
fixed-address 10.0.2.4;
}
host SMS-Contabilidade {
hardware ethernet 44:1E:A1:77:57:8C;
fixed-address 10.0.2.5;
}
host SMS-CPD-W {
hardware ethernet AC:81:12:6B:88:05;
fixed-address 10.0.2.9;
}
host SMS-Assessoria1 {
hardware ethernet bc:5f:f4:98:87:06;
fixed-address 10.0.2.10;

#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

#Recommended minimum configuration:
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost


# IPs da rede
acl ip_liberados src "/etc/squid/ips/ip_liberados"
acl nonet src "/etc/squid/ips/nonet"

#
# INSIRA NESTE LOCAL SUAS PRÓPRIAS REGRAS.
# RECOMENDA-SE PRIMEIRO FAZER AS LIBERAÇÕES E DEPOIS OS BLOQUEIOS.
#
acl perm_pal url_regex "/etc/squid/sites/perm_pal"
acl perm_url dstdom_regex "/etc/squid/sites/perm_url"
acl perm_dom dstdomain "/etc/squid/sites/perm_dom"
http_access allow perm_pal
http_access allow perm_url
http_access allow perm_dom

#
# LIBERAR RECEPCAO
#
acl sites_nonet url_regex "/etc/squid/sites/sites_nonet"
http_access allow nonet sites_nonet
#
#bloqear sites
#
acl bloq_pal url_regex "/etc/squid/sites/bloq_pal"
acl bloq_url dstdom_regex "/etc/squid/sites/bloq_url"
acl bloq_dom dstdomain "/etc/squid/sites/bloq_dom"
http_access deny bloq_pal !ip_liberados
http_access deny bloq_url !ip_liberados
http_access deny bloq_dom !ip_liberados
#
#bloquear radios e downloads
#
reply_body_max_size 3145728 allow all
acl mimes rep_mime_type -i "/etc/squid/sites/mimes"
acl bloq_dow urlpath_regex -i "/etc/squid/sites/bloq_dow"
acl perm_eml dstdomain "/etc/squid/sites/perm_eml"
http_access deny bloq_dow !perm_eml !ip_liberados !perm_url !perm_dom
http_reply_access deny mimes !perm_eml !ip_liberados !perm_url !perm_dom

# And finally deny all other access to this proxy
http_access deny all

icp_access allow localnet
icp_access deny all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

# Don't upgrade ShoutCast responses to HTTP
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast

# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

hosts_file /etc/hosts

httpd_suppress_version_string off # suprime a versão do Squid
visible_hostname Proxy Sec. da Saude

[global]
log file = /var/log/samba/log.%m
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
null passwords = yes
encrypt passwords = yes
public = yes
passwd program = /usr/bin/passwd %u
passdb backend = tdbsam
dns proxy = no
server string = %h server
writeable = yes
unix password sync = yes
workgroup = SMS
os level = 20
security = share
syslog = 0
panic action = /usr/share/samba/panic-action %d
max log size = 1000
pam password change = yes

; wins server = w.x.y.z
; name resolve order = lmhosts host wins bcast
; interfaces = 127.0.0.0/8 eth0
; bind interfaces only = yes
; domain logons = yes
; logon path = \\%N\profiles\%U
; logon drive = H:
; logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
; printing = bsd
; printcap name = /etc/printcap
; printing = cups
; printcap name = cups
; include = /home/samba/etc/smb.conf.%m
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
; winbind enum groups = yes
; winbind enum users = yes
; usershare max shares = 100

#======================= Share Definitions =======================

[apps]
path = /home/apps

[bkp]
path = /home/bkp
only user = yes
allow hosts = 10.0.2.2, 10.0.2.240

[carros]
path = /home/carros
only user = yes
allow hosts = 10.0.2.2, 10.0.2.51

[compras]
path = /home/compras
only user = yes
allow hosts = 10.0.2.2, 10.0.2.3, 10.0.2.5, 10.0.2.6, 10.0.2.4, 10.0.2.170, 10.0.2.171, 10.0.2.166, 10.0.2.167, 10.0.2.161, 10.0.2.160

silas matos escreveu:

Ele estava originalmente 10.0.2.240-10.0.2.245, eu mudei pra 240 pq tinha outros pcs pegando ips, então deixei apenas 1 ip na range, que é o 240.
Depois que eu concluir toda a configuração eu volto pro 245.

silas matos escreveu:

Liguei o servidor hoje e funcionou tudo, inclusive o samba.

Eu estava em um Debiam 5 Lenny, e parti para o Debian 7.7 Wheezy, e apenas copiei a maioria das configurações, adaptando o firewall, mas o squid e dhcp deixei os mesmos, está tudo aparentemente funcionando, menos os sites https, minha conexão faço pelo pppoeconf, então não sei como faço no dhcp para deixar o dns automático, talvez seja problema de dns isso.

Update1: dei um poff e um pon e voltou a funcionar todos os sites https. Tudo voltou ao normal ;)