Squid problema com SMTP e VNC e login NTLM

gabrielpxavier
(usa Mageia)

Enviado em 15/10/2014 - 16:09h

Sistema Mageia 4 usando kernel server em um I5 4º geração 8 GB hardware tem de sobra para squid, preciso de ajuda para:

- Logar em rede NT usando NTLM, lendo grupo de usuários existentes.
- Liberar acessos seja pelo squid ou pelo iptables ou o que seja ao VNC 5900 e emails via SMTP 465/587/110/35.




Squid.conf

# Squid normally listens to port 3128
http_port 3128
visible_hostname proxy

# gerar arquivo.log
access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
cache_mem 2400 MB
cache_swap_low 70
cache_swap_high 90
maximum_object_size 512 KB
maximum_object_size_in_memory 1024 KB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 8192 16 64

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

#cache deny localnet

acl SSL_ports port 443 563 5900
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Bloqueia acesso a portas nao listadas
http_access deny CONNECT !SSL_ports
#http_access allow CONNECT SSL_ports

# Bloqueia portas nao listadas como seguras
#http_access allow CONNECT Safe_ports
http_access deny CONNECT !Safe_ports


# Libera gerenciamento cache para localhost
http_access allow localhost manager
# Bloqueia acesso remoto do gerencimento da cache
http_access deny manager


acl semcache dstdomain "/etc/squid/rule/semcache"
acl semautenticacao dstdomain "/etc/squid/rule/semautenticacao"

#Vai negar dominios
acl [*****] dstdomain "/etc/squid/rule/[*****]"
acl sociais dstdomain "/etc/squid/rule/sociais"
acl branca dstdomain "/etc/squid/rule/branca"
acl spyreware dstdomain "/etc/squid/rule/spyreware"

# Negando Downloads de mp3
acl downloads urlpath_regex \.exe$

# Vai negar palavras
acl pornowords url_regex -i "/etc/squid/rule/pornowords"
acl proxy dstdomain "/etc/squid/rule/proxy"

# Liberar antes da autenticação.
http_access allow semautenticacao

# Negar cache para sites com problemas
cache deny semcache
cache deny SSL_ports
always_direct allow semcache
http_access allow semcache

# Liberar acesso lista branca

http_access allow branca

# Bloqueios
#http_access deny downloads
http_access deny proxy
http_access deny [*****]
http_access deny pornowords
http_access deny sociais
http_access deny spyreware

#acl GTALK_ports port 5222 5050
#acl GTALK_domains dstdomain .google.com
#acl GTALK_hosts dstdomain talk.google.com
#acl GTALK_methods method CONNECT
#http_access allow GTALK_methods GTALK_ports GTALK_hosts
#http_access allow GTALK_methods GTALK_ports GTALK_domains
##################################################


ssl_unclean_shutdown on queria saber o que isto faz
check_hostnames off isto tambem.


Estou editando direto no arquivo e, configurei o arquivo /etc/sysconfig/iptables tentei usar o firewall magico do mageia que se utiliza do shorewall, mas acabei desistindo e estou fazendo todo firewall pelo webmin.


O Firewall nao está liberando conexao ao VNC e está tendo problemas com as portas 465 / 587 do SMTP ou as 993 do POP.

Resumindo preciso liberar 25 110 993 995 567 465 80 443 5222 5050 5800 5900:5940 no firewall no caso tentei autorizar portas 587 dentro do squid e estou com problemas, nao passa nem por firewall nem por squid, queria fazer o firewall pelo webmin achei bem mais facil.


########################################################
# Generated by iptables-save v1.4.21 on Tue Oct 14 21:13:50 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i enp3s0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to our SSH server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
# Allow DNS zone transfers
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# Allow DNS queries
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow connections to mail server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 25,587,465,115,35,110
# Allow connections to FTP server
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
# Allow connections to POP3 server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 110,995
# Allow connections to IMAP server
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 143,220,993
# Allow connections to Webmin
-A INPUT -p tcp -m tcp --dport 10000:10010 -j ACCEPT
# Allow connections to Usermin
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT
# Completed on Tue Oct 14 21:13:50 2014
# Generated by iptables-save v1.4.21 on Tue Oct 14 21:13:50 2014
*mangle
:PREROUTING ACCEPT [1:229]
:INPUT ACCEPT [1:229]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Oct 14 21:13:50 2014
# Generated by iptables-save v1.4.21 on Tue Oct 14 21:13:50 2014
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A POSTROUTING -p icmp -j MASQUERADE
-A POSTROUTING -p tcp -m tcp --dport 5800:5950 -j MASQUERADE
-A POSTROUTING -p udp -m udp --dport 5800:5950 -j MASQUERADE
COMMIT
# Completed on Tue Oct 14 21:13:50 2014
# Generated by iptables-save v1.4.21 on Tue Oct 14 21:13:50 2014
*raw
:PREROUTING ACCEPT [1600:108203]
:OUTPUT ACCEPT [2743:4011487]
COMMIT
# Completed on Tue Oct 14 21:13:50 2014


#####################################################################