liviomm
(usa Debian)
Enviado em 27/01/2010 - 17:14h
Galera meu servidor que connecta na internet por PPOE GVT ele compartilha ainternet passando pelo squid/iptables. Neste momento nao esta sendo compartilhada a internet como estou de cabeca quente nao estou conseguindo ver o erro vou postar aqui o SQUID e IPTABLES.
###################SQUID###################
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
http_port 3128 transparent
http_reply_access allow all
icp_access allow all
visible_hostname tratenge
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#Recommended minimum configuration:
acl tratenge src 192.168.151.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 8080
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl proibido dstdom_regex -i "/etc/squid/proibido"
acl renata src 192.168.151.155
acl renato src 192.168.151.57
acl renato2 src 192.168.151.26
acl estacao src 192.168.151.73
acl beth src 192.168.151.83
acl andre src 192.168.151.89
acl winder src 192.168.151.69
acl agustin src 192.168.151.62
acl aline src 192.168.151.56
acl smart dst 201.76.37.164
acl user1 src 192.168.151.122
acl user4 src 192.168.151.52
acl user5 src 192.168.151.129
acl user6 src 192.168.151.145
acl user2 src 192.168.151.200
acl user3 src 192.168.151.47 192.168.151.210
acl user4 src 192.168.151.54
acl server2 src 192.168.151.2
acl blockmsn src "/etc/squid/ips_deny_msn"
acl sitemsn url_regex -i "/etc/squid/blockmsn"
acl sites_allow url_regex -i "/etc/squid/sites_allow"
acl msn url_regex -i /gateway/gateway.dll
acl fulano src 192.168.151.60
acl MTZ022 src 192.168.151.33
# Only allow cachemgr access from localhost
http_access allow sites_allow
http_access allow smart
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow winder
#http_Access allow user4
http_access allow user1
http_access allow user2
http_access allow user6
http_access allow server2
http_access allow user4
http_access allow user5
http_access allow user3
http_access allow estacao
http_access allow agustin
http_access allow aline !aline
http_access allow renato
http_access allow andre
http_access allow renato2
http_access allow beth
http_access deny msn
#http_access allow junio
http_access deny blockmsn sitemsn
http_access allow renata
http_access deny proibido
http_access allow tratenge
http_access deny all
http_access allow localhost
http_access deny MTZ022
#http_access deny blockmsn sitemsn
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
##################IPTABLES######################
# Generated by iptables-save v1.4.1.1 on Mon Jan 25 09:40:56 2010
*mangle
:PREROUTING ACCEPT [416688:284930370]
:INPUT ACCEPT [129872:82442439]
:FORWARD ACCEPT [286771:202486131]
:OUTPUT ACCEPT [133494:81780748]
:POSTROUTING ACCEPT [420265:284266879]
COMMIT
# Completed on Mon Jan 25 09:40:56 2010
# Generated by iptables-save v1.4.1.1 on Mon Jan 25 09:40:56 2010
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -s 192.168.151.0/24 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 20 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 20 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 21 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 21 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 23 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 23 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 25 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 25 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 80 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 3128 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 80 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 53 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 53 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 111 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 111 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 515 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 515 -j DROP
-A INPUT -p tcp -m tcp ! -s 192.168.151.0/24 -i ppp0 --dport 3306 -j DROP
-A INPUT -p udp -m udp ! -s 192.168.151.0/24 -i ppp0 --dport 3306 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.5/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.5/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.5/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.5/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.5/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.5/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.51/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.51/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.51/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.51/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.51/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.51/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.53/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.53/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.53/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.53/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.53/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.53/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.54/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.54/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.54/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.54/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.54/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.54/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.55/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.55/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.55/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.55/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.55/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.55/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.58/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.58/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.58/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.58/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.58/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.58/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.59/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.59/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.59/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.59/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.59/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.59/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.60/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.60/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.60/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.60/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.60/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.60/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.61/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.61/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.61/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.61/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.61/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.61/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.62/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.62/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.62/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.62/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.62/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.62/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.65/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.65/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.65/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.65/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.65/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.65/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.67/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.67/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.67/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.67/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.67/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.67/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.69/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.69/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.69/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.69/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.69/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.69/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.70/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.70/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.70/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.70/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.70/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.70/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.71/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.71/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -s 192.168.151.71/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.71/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.71/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.71/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.72/32 --dport 1863 -j DROP
-A FORWARD -s 192.168.151.72/32 -d 65.54.186.80/32 -j DROP
-A FORWARD -s 192.168.151.72/32 -d 65.54.186.78/32 -j DROP
-A FORWARD -s 192.168.151.72/32 -d 65.54.165.178/32 -j DROP
-A FORWARD -s 192.168.151.72/32 -d 65.54.165.138/32 -j DROP
-A FORWARD -s 192.168.151.72/32 -d 65.54.186.50/32 -j DROP
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 1863 -j ACCEPT
-A FORWARD -s 192.168.151.0/24 -d 65.54.186.78/32 -j ACCEPT
-A FORWARD -s 192.168.151.0/24 -d 65.54.165.178/32 -j ACCEPT
-A FORWARD -s 192.168.151.0/24 -d 65.54.165.138/32 -j ACCEPT
-A FORWARD -s 192.168.151.0/24 -d 65.54.186.50/32 -j ACCEPT
-A FORWARD -s 192.168.151.0/24 -d 65.54.186.80/32 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 21 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 21 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 23 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 23 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 20 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 8133 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 8133 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 5060 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 5060 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 8000 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 8000 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 10000 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 10000 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 3478 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 3478 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 1299 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 1299 -j ACCEPT
-A FORWARD -p udp -m udp -s 192.168.151.0/24 --dport 1298 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.151.0/24 --dport 1298 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 2631 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 2004 -j ACCEPT
-A FORWARD -p tcp -m tcp -m tcpmss --tcp-flags SYN,RST SYN -j TCPMSS --mss 1400:1536 --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jan 25 09:40:57 2010
# Generated by iptables-save v1.4.1.1 on Mon Jan 25 09:40:57 2010
*nat
:PREROUTING ACCEPT [126320:13069574]
:POSTROUTING ACCEPT [56589:3336644]
:OUTPUT ACCEPT [56213:3316047]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.151.2:3389
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3380 -j DNAT --to-destination 192.168.151.3:3389
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1299 -j DNAT --to-destination 192.168.151.2:1299
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5000:10000 -j DNAT --to-destination 192.168.151.102
-A PREROUTING -i ppp0 -p udp -m udp --dport 5000:10000 -j DNAT --to-destination 192.168.151.102
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3002 -j DNAT --to-destination 192.168.151.101
-A PREROUTING -i ppp0 -p udp -m udp --dport 3002 -j DNAT --to-destination 192.168.151.101
-A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.151.210
-A PREROUTING -i ppp0 -p udp -m tcp --dport 4662 -j DNAT --to-destination 192.168.151.210
-A PREROUTING -i ppp0 -p tcp -m multiport --dports 8000,10000,5060,8133,3478 -j DNAT --to-destination 192.168.151.102
-A PREROUTING -d 200.201.174.0/24 -i eth0 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -d 200.201.128.0/17 -i eth0 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -d 200.201.166.240/32 -i eth0 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -d 200.201.173.68/32 -i eth0 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -d 200.201.173.68/32 -i eth0 -p tcp -m tcp --dport 80 -j RETURN
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.151.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.151.0/24 -d 201.76.37.164/32 -j ACCEPT
COMMIT
# Completed on Mon Jan 25 09:40:57 2010