DondaJr
(usa Debian)
Enviado em 01/11/2006 - 17:37h
Olá pessoal o/
Há muito tempo atrás deixei um script meu aqui que servia para adicionar/remover e gerenciar o squid.conf sem precisar ficar abrindo o arquivo.
O que mais uso nele é que sempre preciso bloquear o acesso à internet de alguma maquina da minha rede (trabalho em uma escola de informatica, e vcs sabem que os alunos às vezes abusam). Para naum ficar toda hora abrindo o arquivo squid.conf, fiz esse script.
O que eu tinha deixado aqui tava com uns erros, corrigi-os e agora deixo a vcs pra utilizarem e fazerem proveito
Qualquer coisa se precisarem de ajuda para entenderem me contatem pelo e-mail : andersondonda@gmail.com
Script:
#!/bin/bash
# Uma observacao: as variaveis de parametros ($1, $2) dentro das funcoes
# sao diferentes das variaveis de parametros da linha de comando;
# portanto, a variavel $1 dentro das funcoes corresponde ao $2 da
# linha de comando.
# Configuration paths used by every function below.
# The script expects three marker comments inside $SQUIDFILE
# (#Sessao_Acl, #Sessao_Http, #Sessao_Erro); new rules are inserted
# right after them.
SQUIDFILE="/etc/squid/squid.conf"
SQUIDFILEMOD="/etc/squid/squid.mod"
SQUIDFILEORIGINAL="/etc/commands/microway/squid.conf"
# Scratch and redirect files.  NOTE(review): these are fixed names under
# /tmp written by a root-run script; a pre-existing file or symlink there
# would be followed/overwritten by the redirections that use them.
TEMPFILE="/tmp/tempsquid"
REDIRECTOUT="/tmp/bloquearsquidout.log"
REDIRECTERROROUT="/tmp/bloquearsquiderrorout.log"
# Counters and lists kept between runs.
ACLCOUNTS="/etc/commands/microway/aclcounts"
NUMBLOCKS="/etc/commands/microway/numblocks"
LISTIPSBLOCKS="/etc/commands/microway/listips"
LISTIPSBLOCKSTEMP="/tmp/listips"
FILEWORDSBLOCKS="/etc/commands/lockedswords"
FILEWORDSBLOCKSTEMP="/tmp/lockedswords.tmp"
LOGLIST="/etc/commands/microway/loglist"
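function log
{
  # Append one audit line "<date> <option> <argument>" to $LOGLIST.
  # $1 - the option that was invoked (e.g. -ip); $2 - its argument (may be empty).
  # The timestamp is kept in a local so no global leaks out of the function.
  local stamp
  stamp=$(date)
  printf '%s %s %s\n' "$stamp" "$1" "$2" >> "$LOGLIST"
}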
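function logview
{
  # Print the audit log ($LOGLIST) to stdout.
  # '--' keeps a path starting with '-' from being parsed as an option.
  cat -- "$LOGLIST"
}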
function clearcache
{
  # Delegate cache clearing to the external helper script; its exit
  # status is the function's exit status.
  local -r helper=/etc/commands/squidclear
  "$helper"
}
function reboot ()
{
printf "\33[1;34mProcessando informa�es...\33[0;0m"
service squid restart 1> $REDIRECTOUT 2> $REDIRECTERROROUT
numlineserror=`grep -c '' $REDIRECTERROROUT`
if [ $numlineserror == 0 ]; then
printf "\33[1;32m[ Informa�es aceitas ]\33[0;0m"
else
printf "\33[1;31m[ Existe um erro nas informa�es fornecidas. ]\33[0;0m"
fi
echo ""
}
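function addremoveerrorline ()
{
  # Add (-add) or remove (-rem) the `deny_info ERR_ACCESS_IND <acl>` line
  # that belongs to one blocking acl.
  # $1 - -add or -rem; $2 - acl name (e.g. bloqueio3).
  # Returns 1 when the #Sessao_Erro marker is missing or the mode is unknown.
  local mode=$1 aclname=$2 wheresessionerror
  case "$mode" in
    -add)
      # Line number of the marker; the new rule is appended right after it.
      # head keeps a single number should the marker ever appear twice.
      wheresessionerror=$(sed -n '/#Sessao_Erro/=' "$SQUIDFILE" | head -n 1)
      if [ -z "$wheresessionerror" ]; then
        printf 'Marcador #Sessao_Erro nao encontrado em %s\n' "$SQUIDFILE" >&2
        return 1
      fi
      # GNU sed one-liner "Natext": append text after line N.
      sed "${wheresessionerror}adeny_info ERR_ACCESS_IND ${aclname}" "$SQUIDFILE" > "$SQUIDFILEMOD"
      mv -- "$SQUIDFILEMOD" "$SQUIDFILE"
      ;;
    -rem)
      # Anchored on both ends so removing bloqueio1 leaves bloqueio10..19 alone.
      sed "/^deny_info ERR_ACCESS_IND ${aclname}\$/d" "$SQUIDFILE" > "$SQUIDFILEMOD"
      mv -- "$SQUIDFILEMOD" "$SQUIDFILE"
      ;;
    *)
      printf 'Modo desconhecido: %s\n' "$mode" >&2
      return 1
      ;;
  esac
}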
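function closeaccess ()
{
  # Block one client in squid: insert `acl bloqueioN src <addr>` after
  # #Sessao_Acl and `http_access deny bloqueioN` after #Sessao_Http, add the
  # matching deny_info line, record the address in $LISTIPSBLOCKS, bump the
  # $ACLCOUNTS / $NUMBLOCKS counters and restart squid.
  # $1 - client address as accepted by squid `acl src` (IP, CIDR or host name).
  # Returns 1 without touching any file on an empty/invalid address or a
  # missing marker.
  local addr=$1 aclcount wheresession wheresessionhttp numcount
  local -r re='^[A-Za-z0-9._:/-]+$'
  # The address is spliced into sed programs and into squid.conf itself:
  # accept only the characters an address, CIDR or host name needs.
  if [[ ! $addr =~ $re ]]; then
    printf 'Endereco invalido: "%s"\n' "$addr" >&2
    return 1
  fi
  wheresession=$(sed -n '/#Sessao_Acl/=' "$SQUIDFILE" | head -n 1)
  if [ -z "$wheresession" ] || ! grep -q '#Sessao_Http' "$SQUIDFILE"; then
    printf 'Marcadores #Sessao_Acl/#Sessao_Http nao encontrados em %s\n' "$SQUIDFILE" >&2
    return 1
  fi
  # Next acl number; an empty counter file counts as 0.
  aclcount=$(cat "$ACLCOUNTS")
  aclcount=$(( ${aclcount:-0} + 1 ))
  echo "$aclcount" > "$ACLCOUNTS"
  # acl rule (GNU sed one-liner "Natext": append after line N).
  sed "${wheresession}aacl bloqueio${aclcount} src ${addr}" "$SQUIDFILE" > "$SQUIDFILEMOD"
  mv -- "$SQUIDFILEMOD" "$SQUIDFILE"
  # http_access rule; the marker's line is re-read because the insert above
  # shifted everything after it down by one.
  wheresessionhttp=$(sed -n '/#Sessao_Http/=' "$SQUIDFILE" | head -n 1)
  sed "${wheresessionhttp}ahttp_access deny bloqueio${aclcount}" "$SQUIDFILE" > "$SQUIDFILEMOD"
  mv -- "$SQUIDFILEMOD" "$SQUIDFILE"
  # Error-page redirection for this acl.
  addremoveerrorline -add "bloqueio${aclcount}"
  # Remember the address for viewcloseds / openaccess.
  printf '%s\n' "$addr" >> "$LISTIPSBLOCKS"
  # Number of active blocks: "Vazio" (or empty) means none so far.
  numcount=$(cat "$NUMBLOCKS")
  if [ "${numcount:-Vazio}" = Vazio ]; then
    numcount=1
  else
    numcount=$(( numcount + 1 ))
  fi
  echo "$numcount" > "$NUMBLOCKS"
  reboot
}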
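function openaccess ()
{
  # Unblock one client blocked by closeaccess: locate its
  # `acl bloqueioN src <addr>` line, delete the matching http_access, deny_info
  # and acl lines, drop the address from $LISTIPSBLOCKS, decrement $NUMBLOCKS
  # and restart squid.
  # $1 - the exact address that was given to closeaccess.
  # Prints a hint and returns 0 when the address is not blocked.
  local addr=$1 esc aclline nameacl tmp numcountd
  if [ -z "$addr" ]; then
    printf 'Informe o IP a desbloquear.\n' >&2
    return 1
  fi
  # Escape regex dots so 10.0.0.5 cannot match 10.0.0.50 or the
  # secretaria/financeiro acls that share a prefix.
  esc=${addr//./\\.}
  # Whole-line match on the acl rule itself; earlier versions matched any
  # line containing the address and could delete unrelated rules.
  aclline=$(grep -E -e "^acl bloqueio[0-9]+ src ${esc}\$" "$SQUIDFILE" | head -n 1)
  if [ -z "$aclline" ]; then
    printf "\33[1;32mEste IP n� est�bloqueado. Execute bloquear -s para uma listagem de IPs.\33[0;0m\n"
    return 0
  fi
  # Second field of "acl bloqueioN src <addr>" is the acl name.
  read -r _ nameacl _ <<<"$aclline"
  # One sed pass for both rules; '|' delimits the patterns because the
  # address may carry a CIDR '/'.
  sed -e "\\|^http_access deny ${nameacl}\$|d" \
      -e "\\|^acl ${nameacl} src ${esc}\$|d" "$SQUIDFILE" > "$SQUIDFILEMOD"
  mv -- "$SQUIDFILEMOD" "$SQUIDFILE"
  addremoveerrorline -rem "$nameacl"
  # Drop the address from the blocked list (whole-line match).  The scratch
  # file is created next to the list instead of at a fixed name in /tmp.
  tmp=$(mktemp "${LISTIPSBLOCKS}.XXXXXX") || return 1
  grep -Fxv -- "$addr" "$LISTIPSBLOCKS" > "$tmp"
  mv -- "$tmp" "$LISTIPSBLOCKS"
  # Decrement the block counter; anything that is not a number above 1
  # (including "Vazio" or an empty file) collapses to "Vazio".
  numcountd=$(cat "$NUMBLOCKS")
  if [[ $numcountd =~ ^[0-9]+$ ]] && (( numcountd > 1 )); then
    echo $(( numcountd - 1 )) > "$NUMBLOCKS"
  else
    echo Vazio > "$NUMBLOCKS"
  fi
  reboot
}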
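function closemsnaccess ()
{
  # Block MSN Messenger for one client with iptables, then record the address
  # in <dir>/msn<N> and bump <dir>/numblockmsn.  <dir> is $MSNDIR when set,
  # else /etc/commands/microway (the original fixed path).
  # $1 - client address.
  # NOTE: the --dport 443 rules cut off ALL HTTPS for that client, not only
  # MSN, and the loginnet.passport.com rules are resolved when inserted.
  # The REJECT rules follow DROP rules with the same match and therefore never
  # fire; they are kept because openmsnaccess deletes exactly this set.
  local addr=$1 dir=${MSNDIR:-/etc/commands/microway} target nummsn numblockmsn
  if [ -z "$addr" ]; then
    printf 'Informe o IP a bloquear.\n' >&2
    return 1
  fi
  for target in DROP REJECT; do
    iptables -A FORWARD -s "$addr" -p tcp --dport 1863 -j "$target"
    iptables -A FORWARD -s "$addr" -p tcp --dport 443 -j "$target"
    iptables -A FORWARD -s "$addr" -d loginnet.passport.com -j "$target"
  done
  # "Vazio" (or an empty file) means no client is recorded yet.
  nummsn=$(cat "$dir/numblockmsn")
  if [ "${nummsn:-Vazio}" = Vazio ]; then
    numblockmsn=1
  else
    numblockmsn=$(( nummsn + 1 ))
  fi
  # Values go through '%s' so the address is never used as a printf format.
  # No trailing newline, matching the files written by earlier versions.
  printf '%s' "$numblockmsn" > "$dir/numblockmsn"
  printf '%s' "$addr" > "$dir/msn${numblockmsn}"
  printf 'Bloqueio de MSN [ \33[1;32mOK\33[0;0m ]\n'
}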
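function openmsnaccess ()
{
  # Undo closemsnaccess for one client: delete its iptables rules, remove its
  # msn<N> record, slide the records above it down one slot and decrement
  # numblockmsn (written as "Vazio" when nobody is left).  The record
  # directory is $MSNDIR when set, else /etc/commands/microway.
  # $1 - client address.
  # Prints a hint and returns 0 when the address is not recorded; the hint is
  # printed once (earlier versions printed it for every non-matching record).
  local addr=$1 dir=${MSNDIR:-/etc/commands/microway} numc x found=0 target i
  numc=$(cat "$dir/numblockmsn")
  if [ "${numc:-Vazio}" = Vazio ]; then
    echo Nao ha IPs bloqueados
    return 0
  fi
  # Find the slot holding this address.
  for (( x = 1; x <= numc; x++ )); do
    if [ -f "$dir/msn$x" ] && [ "$(cat "$dir/msn$x")" = "$addr" ]; then
      found=$x
      break
    fi
  done
  if (( found == 0 )); then
    echo Este IP nao foi bloqueado
    return 0
  fi
  for target in DROP REJECT; do
    iptables -D FORWARD -s "$addr" -p tcp --dport 1863 -j "$target"
    iptables -D FORWARD -s "$addr" -p tcp --dport 443 -j "$target"
    iptables -D FORWARD -s "$addr" -d loginnet.passport.com -j "$target"
  done
  printf 'Desbloqueio MSN [ \33[1;32mOK\33[0;0m ]\n'
  # Close the gap: msn<found+1>..msn<numc> move down one slot, so the last
  # slot disappears and the numbering stays dense.
  rm -f -- "$dir/msn$found"
  for (( i = found + 1; i <= numc; i++ )); do
    mv -- "$dir/msn$i" "$dir/msn$(( i - 1 ))"
  done
  numc=$(( numc - 1 ))
  if (( numc == 0 )); then
    printf 'Vazio' > "$dir/numblockmsn"
  else
    printf '%s' "$numc" > "$dir/numblockmsn"
  fi
}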
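function viewcloseds
{
  # Show how many clients are blocked ($NUMBLOCKS) and list them from
  # $LISTIPSBLOCKS, replacing the three "vip" room addresses by their names.
  # The one-second pause is purely cosmetic (the "Lendo..." prompt).
  local num
  printf "\33[1;31mLendo...\33[0;0m"
  num=$(cat "$NUMBLOCKS")
  sleep 1
  if [ "${num:-Vazio}" = Vazio ]; then
    printf "\33[1;32m\rN� h�IPs bloqueados.\33[0;0m\n"
    return 0
  fi
  printf "\rExistem \33[1;31m%s\33[0;0m Ip(s) bloqueado(s). �S�) ele(s):\n" "$num"
  # Whole-line matches with escaped dots so 10.0.1.0 is not rewritten
  # inside e.g. 10.0.1.01.
  sed -e 's/^10\.0\.1\.0$/"Sala Vip1 Completa"/' \
      -e 's/^10\.0\.2\.0$/"Sala Vip2 Completa"/' \
      -e 's/^10\.0\.3\.0$/"Sala Vip3 Completa"/' "$LISTIPSBLOCKS"
}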
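function restore
{
  # Remove every bloqueioN rule from squid.conf, reset the counters and the
  # blocked list, release every recorded MSN block through scblock.sh -unmsn
  # and restart squid.  MSN records live in $MSNDIR when set, else
  # /etc/commands/microway.
  local dir=${MSNDIR:-/etc/commands/microway} numfor c ip
  # One sed pass replaces the three rewrite/mv cycles; patterns are anchored
  # so only rules written by this script are removed.
  sed -e '/^acl bloqueio/d' \
      -e '/^http_access deny bloqueio/d' \
      -e '/^deny_info ERR_ACCESS_IND/d' "$SQUIDFILE" > "$SQUIDFILEMOD"
  mv -- "$SQUIDFILEMOD" "$SQUIDFILE"
  echo 0 > "$ACLCOUNTS"
  echo Vazio > "$NUMBLOCKS"
  # Truncate in place rather than rm + recreate: same result, no window
  # in which the list file does not exist.
  : > "$LISTIPSBLOCKS"
  numfor=$(cat "$dir/numblockmsn")
  if [ "${numfor:-Vazio}" != Vazio ]; then
    # scblock.sh -unmsn renumbers the msn<N> files, so slot 1 is re-read
    # on every iteration.
    for (( c = 1; c <= numfor; c++ )); do
      ip=$(cat "$dir/msn1")
      /etc/commands/scblock.sh -unmsn "$ip"
    done
  fi
  reboot
}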
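function forcerestore
{
  # Ask for confirmation on stdin, then replace squid.conf with the pristine
  # copy $SQUIDFILEORIGINAL and restart squid.
  # Answers: s/S restore, n/N abort, anything else (including an empty line,
  # which used to crash the test) reports an unknown option.
  # Returns 1 when the copy fails; squid is then not restarted.
  local resp
  printf "\33[1;31mDeseja realmente for�r a restaura�o?\33[1;32m[S,N]: \33[0;0m"
  read -r resp
  case "$resp" in
    s|S)
      printf '..'
      # cp overwrites in place; the old rm-then-cp left squid without any
      # config if the copy failed.
      if ! cp -- "$SQUIDFILEORIGINAL" "$SQUIDFILE"; then
        printf '\nFalha ao copiar %s\n' "$SQUIDFILEORIGINAL" >&2
        return 1
      fi
      printf '...'
      reboot
      ;;
    n|N)
      echo "Abortando..."
      ;;
    *)
      echo Opcao inexistente
      ;;
  esac
}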
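function addwordsite
{
  # Append one blocked pattern (one per line) to $FILEWORDSBLOCKS and restart
  # squid.  $1 - the pattern; squid.conf reads this file as url_regex, so the
  # value is a regular expression, not a plain word.
  # Returns 1 without writing when the pattern is empty.
  local word=$1
  if [ -z "$word" ]; then
    printf 'Informe a palavra a bloquear.\n' >&2
    return 1
  fi
  printf '%s\n' "$word" >> "$FILEWORDSBLOCKS"
  echo Adi�o feita com sucesso.
  reboot
}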
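function remwordsite
{
  # Remove one pattern from $FILEWORDSBLOCKS and restart squid.
  # $1 - the pattern exactly as it was added.  Matching is fixed-string and
  # whole-line (-F -x), so removing "chat" no longer also deletes "chatroom".
  local word=$1 tmp
  if [ -z "$word" ] || ! grep -Fxq -- "$word" "$FILEWORDSBLOCKS"; then
    echo Palavra n� encontrada
    return 0
  fi
  # Scratch file next to the list instead of a fixed name in /tmp.
  tmp=$(mktemp "${FILEWORDSBLOCKS}.XXXXXX") || return 1
  grep -Fxv -- "$word" "$FILEWORDSBLOCKS" > "$tmp"
  mv -- "$tmp" "$FILEWORDSBLOCKS"
  echo Remo�o feita com sucesso.
  reboot
}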
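###-----------------------Opcoes--------------------####
# Command-line dispatch: $1 is the option, $2 its argument (an address, a
# word or nothing).  Every option is logged before it runs.  -site/-rsite
# were retired (addwordsite/remwordsite are still defined but not wired up).
case "$1" in
  -ip)
    log -ip "$2"
    closeaccess "$2"
    ;;
  -d)
    log -d "$2"
    openaccess "$2"
    ;;
  -s)
    log -s
    viewcloseds
    ;;
  -msn)
    log -msn "$2"
    closemsnaccess "$2"
    ;;
  -unmsn)
    log -unmsn "$2"
    openmsnaccess "$2"
    ;;
  -r)
    log -r
    reboot
    ;;
  -restore)
    log -restore
    restore
    ;;
  -site)
    log -site "$2"
    echo Op�o retirada
    ;;
  -rsite)
    log -rsite "$2"
    echo Op�o retirada
    ;;
  -force_restore)
    log -force_restore
    forcerestore
    ;;
  -clear_cache)
    log -clear_cache
    clearcache
    ;;
  # The -vipN shortcuts re-run the blocker for a fixed address.
  # NOTE(review): 10.0.1.0 without a /mask looks like a single host to
  # squid's `acl src`, not the whole room network — confirm that is intended.
  -vip1)
    log -vip1
    /etc/commands/scblock.sh -ip 10.0.1.0
    ;;
  -vip2)
    log -vip2
    /etc/commands/scblock.sh -ip 10.0.2.0
    ;;
  -vip3)
    log -vip3
    /etc/commands/scblock.sh -ip 10.0.3.0
    ;;
  -view_log)
    logview
    ;;
  *)
    echo "Digite man bloquear para mais informacoes"
    ;;
esac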
OBS: Se vcs notarem, as palavras #Sessao_Acl e #Sessao_Http sao apenas comentarios q deixei dentro do meu squid.conf para o script saber onde por... sou meio certinho.. gosto das coisas organizadas!! deixo meu squid.conf para analisarem tbm!!
http_port 3128
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 16 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 512 16 256
# Arquivo onde são guardados os logs de acesso do Squid.
cache_access_log /var/log/squid/access.log
visible_hostname webservermw
# O e-mail que o Squid envia como senha ao acessar um servidor
# FTP anonimo:
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 10.0.0.250
acl SSL_ports port 443 563 # SSL
acl SSL_ports port 1025-65535 # MSN audio / video
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1000 # eorbital e-mail configure
acl CONNECT method CONNECT
#Regra de proibicao de palavras
acl lockedswords url_regex -i "/etc/commands/lockedswords"
acl locked url_regex -i "/etc/commands/locked"
acl lockeddown url_regex -i "/etc/commands/lockeddown"
#Regra para a secretaria
acl secretaria_balcao src 10.0.0.56
#Regra para o financeiro
acl financeiro src 10.0.0.57
#Regra para a diretoria
acl diretoria src 10.0.0.55
#Regra para sucesso
acl sucessorh src 10.0.0.58
#Regra de controle de acesso ao site liberado
acl siteaccept time MTWHF 12:00-13:00
#Sessao_Acl
#Fim Sessao_Acl
#Sessao_Http
#Fim Sessao_Http
http_access allow manager localhost
http_access allow localhost
#Libera tudo para diretoria
http_access allow diretoria lockedswords
http_access allow diretoria locked
http_access allow diretoria lockeddown
#Bloqueia secretaria
http_access deny secretaria_balcao locked
http_access deny secretaria_balcao lockedswords
http_access deny secretaria_balcao lockeddown
#Bloqueia financeiro
http_access deny financeiro locked
http_access deny financeiro lockedswords
http_access deny financeiro lockeddown
#Bloqueia sucessorh
http_access deny sucessorh locked
http_access deny sucessorh lockedswords
#Libera sites liberados no horario determinado
http_access allow locked siteaccept
#Bloqueia demais solicitacoes
http_access deny locked
http_access deny lockedswords
http_access allow lockeddown
#Libera navegacao diferentes das regras acima
http_access allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
deny_info ERR_ACCESS_EXTDENIED lockeddown
#Sessao_Erro
#Fim Sessao_Erro
error_directory /etc/squid/error