edson.linux.com
(usa Debian)
Enviado em 25/07/2010 - 11:24h
#====PARAMENTROS DE AUTENTICAÇÃO====#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic credentialsttl 1 hour
auth_param basic casesensitive on
#====REGRAS PADRÃO DO SQUID====#
http_port 3128
error_directory /usr/share/squid/errors/Portuguese/
#====OPÇÕES DE CACHE====#
cache_dir ufs /var/cache/squid 5000 16 256
#====LOG====#
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
#====ACLs====#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 563
acl Safe_ports port 80 21 70 210 888 25 110 53
acl CONNECT method CONNECT
acl porta_liberada port 3899
acl porta_liberada port 4899
acl porta25 myport 25
acl porta110 myport 110
acl autenticados proxy_auth REQUIRED
acl permitidos src 10.130.2.0/24
acl all src 10.130.2.0/24
http_access allow CONNECT porta25
http_access allow CONNECT porta110
http_access allow porta_liberada
http_access allow autenticados permitidos
http_access deny all
#CONFIGURAÇÃO DO FIREWALL#
#!/bin/bash
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#### Port scanners ocultos ####
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#### Protecao contra ping da morte ####
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#### Protecao Contra IP Spoofing[C
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -i eth0 -j DROP
iptables -A INPUT -s 10.130.2.0/24 -i eth0 -j DROP
#### Manter conexao de pacote aceito ####
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#### NAT VOIP ####
#### Contorna problema para NAT full-cone ####
#### Encaminhamento de pacotes para os devices VOIP ####
#### Regra de NAT LIBERAÇÃO ####
iptables -t nat -A POSTROUTING -s 10.130.2.126 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.130.2.191 -j MASQUERADE
E após usar o comando IPTABLES -L me aparece essa regras.
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination