Acesso remoto ERP - Squid bloqueando

fradeck
(usa Outra)

Enviado em 09/06/2015 - 13:46h

Bom dia.
Estou com um problema e não sei mais o que fazer para resolver. Já deixei o firewall com tudo liberado e o squid também, a situação é a seguinte:
A filial acessa remoto nosso ERP e parou de funcionar.
Quando para o squid o acesso normaliza se subo ele não consigo mais acessar o ERP (não dá erro, fica carregando e não funciona)
Alguma luz?
Estou em fase de melhorias ainda do firewall
Segue meu firewall e squid

###########################  FIREWALL    #####################
##############################################################
#Interpretador de comandos
#!/bin/bash
# Carrega os moulos
echo Modulos do firewall
modprobe ipt_string
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_MASQUERADE
#zerando as regras;
echo Regras default
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
#Alterando a politica das Chains
#Alterando a politica das Chains
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 25,58215,110,465,587,995 -j MASQUERADE
#skype incoming connections
#iptables -A INPUT -p udp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p tcp --dport 39856 -j ACCEPT
#iptables -I FORWARD -m string --algo bm --string "skype.com" -j ACCEPT
#Nat da rede
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#liberando encaminhamento de pacotes;
echo "1" > /proc/sys/net/ipv4/ip_forward

# Libera o acesso SSH de qualquer origem
echo Liberando acesso SSH
iptables -A INPUT -p tcp --dport 7351 -j ACCEPT
# Libera o squid a partir da rede interna
#echo Liberando rede interna
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
#Acesso externo Cameras
echo "acesso as cameras"
iptables -A INPUT -i eth0 -p tcp --dport 37777 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 37777 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 37777 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 37777 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.219 --dport 37777 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 37777 -j DNAT --to-destination 192.168.10.90:37777
iptables -A FORWARD -p udp -d 192.168.10.219 --dport 37777 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 37777 -j DNAT --to-destination 192.168.10.219:37777

#liberar acesso externo siga
echo Acesso externo Siga
iptables -A INPUT -i eth0 -p tcp --dport 1257 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 1257 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 1257 -j DNAT --to-destination 192.168.10.90:1257

iptables -A INPUT -i eth0 -p tcp --dport 1299 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 1299 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 1299 -j DNAT --to-destination 192.168.10.90:1299


iptables -A INPUT -i eth0 -p tcp --dport 1256 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 1256 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 1256 -j DNAT --to-destination 192.168.10.90:1256



echo Acesso ao Sql Server
iptables -A INPUT -i eth0 -p tcp --dport 9723 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 9723 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 9723 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9723 -j DNAT --to-destination 192.168.10.91:1433

#acesso aos servidores via TS
echo Liberando acesso via TS
iptables -A INPUT -i eth0 -p tcp --dport 3390 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3390 -j DNAT --to-destination 192.168.10.90:3389

iptables -A INPUT -i eth0 -p tcp --dport 3391 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3391 -j DNAT --to-destination 192.168.10.91:3389
#acesso ao BI
echo Liberando Acesso ao BI
iptables -A INPUT -i eth0 -p tcp --dport 7980 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 7980 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 7980 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 7980 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 7980 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080

iptables -A FORWARD -p udp -d 192.168.10.91 --dport 7980 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080

iptables -t nat -A PREROUTING -d 0/0 -p tcp --dport 7980 -j DNAT --to 192.168.10.91:7980

#*************************** BLOQUEIO DO FACEBOOK ***********************************************************
echo "Acesso Facebook"
#BLOQUEIOS FACEBOOK:
hora=`/bin/date +%H%M`
if `[ "$hora" -gt "0759" ] && [ "$hora" -lt "1229" ] || [ "$hora" -gt "1329" ] && [ "$hora" -lt "2359" ] `; then
    op=1;
else
    op=2;
fi
permitidos=$(egrep -v "(^#|^$)" /etc/squid3/regras/ips_fb)  
##BLOQUEIO DO FACEBOOK
FACEBOOK_IP_RANGE="31.13.64.0-31.13.127.255 31.13.24.0-31.13.31.255 74.119.76.0-74.119.79.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"
iptables -N FACEBOOK

## FACEBOOK DENY
for face in $FACEBOOK_IP_RANGE; do
    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 443 -j FACEBOOK
    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 80 -j FACEBOOK
done

FACEBOOK_ALLOW="$permitidos" #MSR_LIBERADO  #Aqui libera os permitidos.

for MSR_LIBERADO in $FACEBOOK_ALLOW; do
    iptables -I FACEBOOK -s $MSR_LIBERADO -j ACCEPT
done

if [ $op -eq "1" ]; then  
    echo "Bloqueando"
    iptables -A FACEBOOK -j REJECT
fi

if [ $op -eq "2" ]; then  #E caso esteja fora do horáo de serviçéiberado
    echo "Liberando"
    iptables -A FACEBOOK -j ACCEPT
fi
#****************************************************************************************************************
 

SQUID

# Portas padrao
acl SSL_ports port 443
acl Safe_ports port 443
#acl Safe_ports port 8080
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access allow connect SSL_Ports

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

#http_access allow localhost manager
#http_access deny manager
acl redelocal src 192.168.10.0/24
#http_access allow redelocal
#http_access deny all

#controle de cache do proxy
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
minimum_object_size 0 KB
maximum_object_size 4096 MB

cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid3 2048 16 256
cache_access_log /var/log/squid3/access.log
#Controle do arquivo de Log
logfile_rotate 10
ftp_user Squid@
#protocolos
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
######Block Video and Audio Streaming##############
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
acl media rep_mime_type -i ^video\/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$




#********************************* GERAL *****************************************
acl ips_geral src "/etc/squid3/regras/geral/ips_liberados"
acl sites_liberados_geral url_regex -i "/etc/squid3/regras/geral/sites_liberados_geral"
acl palavras_bloqueadas url_regex -i "/etc/squid3/regras/geral/palavras_bloqueadas"
acl sites_bloqueados_geral url_regex -i "/etc/squid3/regras/geral/sites_bloqueados_geral"
#************************************************************************************

#********************************* COMERCIAL *****************************************
acl comercial src "/etc/squid3/regras/comercial/ips_comercial"
acl sites_comercial url_regex -i "/etc/squid3/regras/comercial/sites_liberados"

#********************************* COMPRAS *****************************************
acl compras src "/etc/squid3/regras/compras/ips_compras"
acl sites_compras url_regex -i "/etc/squid3/regras/compras/sites_liberados"

#********************************* CTP *****************************************
acl ctp src "/etc/squid3/regras/ctp/ips_ctp"
acl sites_ctp url_regex -i "/etc/squid3/regras/ctp/sites_liberados"

#********************************* FINANCEIRO *****************************************
acl financeiro src "/etc/squid3/regras/financeiro/ips_financeiro"
acl sites_financeiro url_regex -i "/etc/squid3/regras/financeiro/sites_liberados"

#********************************* INSPECAO *****************************************
acl inspecao src "/etc/squid3/regras/inspecao/ips_inspecao"
acl sites_inspecao url_regex -i "/etc/squid3/regras/inspecao/sites_liberados"

#********************************* PRODUCAO *****************************************
acl producao src "/etc/squid3/regras/producao/ips_producao"
acl sites_producao url_regex -i "/etc/squid3/regras/producao/sites_liberados"
#********************************* PCP *****************************************
acl pcp src "/etc/squid3/regras/pcp/ips_pcp"
acl sites_pcp url_regex -i "/etc/squid3/regras/pcp/sites_liberados"

#********************************* RH *****************************************
acl rh src "/etc/squid3/regras/rh/ips_rh"
acl sites_rh url_regex -i "/etc/squid3/regras/rh/sites_liberados"
#********************************* TI *****************************************
acl TI src "/etc/squid3/regras/TI/ips_TI"

acl ips_gestores  src "/etc/squid3/regras/geral/ips_gestores"


acl almoco time MTWHF 12:30-13:30

#CONFIGURACAO DAS ACLS
http_access allow TI
http_access allow ips_geral
http_access allow almoco
http_access allow rh
http_access deny sites_bloqueados_geral
http_access deny mediapr
http_reply_access deny media !TI
http_access allow financeiro
http_access allow compras
http_access allow ctp
http_access allow sites_liberados_geral
http_access allow ips_gestores
http_access allow comercial sites_comercial
http_access allow inspecao sites_inspecao
http_access allow producao sites_producao
http_access allow pcp sites_pcp
#http_access allow redelocal
http_access deny all


log_mime_hdrs on
http_port 3128
#coredump_dir /var/spool/squid3
#refresh_pattern ^ftp:           1440    20%     10080
#refresh_pattern ^gopher:        1440    0%      1440
#refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
#refresh_pattern .               0       20%     4320
                                                                                
 

jcoli
(usa Debian)

Enviado em 10/06/2015 - 05:35h

Qual ERP?


Jeferson Coli
---------------------
www.tecnocoli.com.br

fradeck
(usa Outra)

Enviado em 10/06/2015 - 08:13h

Protheus
E no acesso remoto por TS está extremamente lento, paro o squid normaliza