andrebh
(usa Debian)
Enviado em 10/05/2012 - 12:05h
Boa Tarde,
Estou configurando um servidor para rodar como proxy e firewall. Porém estou tendo dificuldades para bloquear o uso do MSN.
Seguem abaixo as configurações do iptables e do Squid. O compartilhamento funciona redondinho, bloqueio por sites e palavras também, mas o bendito MSN continua rodando.
Arquivo Squid.conf
# Squid configuration as posted. Ordering matters: Squid evaluates http_access
# lines top to bottom and the first matching line decides, so an early "allow"
# bypasses every "deny" that follows it.
# Listens on 3128 in transparent (intercept) mode. Only traffic the firewall
# redirects here is ever inspected; the iptables script below redirects tcp/80
# only, so HTTPS and any other port never reach these ACLs.
http_port 3128 transparent
visible_hostname Debian6
error_directory /usr/share/squid/errors/pt-br/
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
# NOTE(review): cache_access_log is the old spelling; newer Squid releases use
# access_log — confirm against the installed version's startup log.
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# "all" matches every client address and is used as the final catch-all deny.
# NOTE(review): Squid 3.x predefines "all"; check the log for a duplicate-ACL warning.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
# Safe_ports ends with 1025-65535, so "deny !Safe_ports" below only blocks the
# privileged ports that are not listed explicitly.
acl Safe_ports port 21 80 443 563 70 210 280 488 591 777 901 3306 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# ALLOW ACLs
# Allow by MAC address. "arp" ACLs only see the MAC of hosts on the proxy's own
# Ethernet segment; clients behind another router cannot be matched this way.
acl macliberados arp "/etc/squid/rules/macliberados"
# Because this allow comes before every deny below, hosts listed in
# macliberados bypass the site, keyword and extension blocks entirely.
http_access allow macliberados
# Allow by IP (disabled)
#acl ipsliberados src "/etc/squid/ipsliberados"
#http_access allow ipsliberados
# Allow by time of day (disabled)
#acl almoco time 12:00-14:00
#http_access allow almoco
# DENY ACLs
# Block by site: case-insensitive regex against the full URL.
acl bloqueados url_regex -i "/etc/squid/rules/bloqueados"
http_access deny bloqueados
# Block by keyword. dstdom_regex matches the destination host name only, not
# the URL path or page content, so a forbidden word in the path is not caught
# here. Without -i this list is also case-sensitive, unlike the other two.
acl palavrasproibidas dstdom_regex "/etc/squid/rules/palavrasproibidas"
http_access deny palavrasproibidas
# Block by file type (extension)
acl extban url_regex -i "/etc/squid/rules/extban"
http_access deny extban
# ---------------------------------- Squid rules ----------------------------------
acl redelocal src 172.1.1.0/24
http_access allow localhost
http_access allow redelocal
# Default deny for anything not matched above.
http_access deny all
Iptables
#!/bin/bash
# Internet sharing / firewall script. This prints a banner only; the rules
# themselves are defined in iniciar() further down.
printf '%s\n' "Script de Compartilhamento de Internet"
# Network constants kept for reference (currently unused):
#REDE_INTERNA="172.1.1.0/24"
#IP_LAN="190.168.1.252"
iniciar(){
# Sets up NAT, the transparent proxy redirect and the filter rules.
# Every rule is appended (-A) and nothing in this excerpt flushes the tables
# (-F) or sets a default policy (-P), so running the script twice leaves
# duplicate rules, and the INPUT accepts below only matter if a DROP policy is
# applied somewhere outside the posted excerpt.
# Share the connection:
modprobe iptable_nat
# Forwarding is enabled here, before any FORWARD filter rule below exists.
echo 1 > /proc/sys/net/ipv4/ip_forward
# eth0 is the outbound (Internet-facing) interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "---> Compatilhamento ativado <---"
# Transparent proxy: only tcp/80 arriving on eth1 (the LAN side) is handed to
# Squid; HTTPS and every other port bypass the proxy and its ACLs.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "---> Proxy Transparente Ativado <---"
## Blocking MSN
# Allowed hosts (disabled)
#iptables -A FORWARD -s 192.168.3.100/32 -p tcp --dport 1863 -j ACCEPT
#iptables -A FORWARD -s 192.168.3.100/32 -p tcp --dport 1080 -j ACCEPT
#iptables -A FORWARD -s 192.168.3.100/32 -d loginnet.passport.com -j ACCEPT
#echo "---> Liberando IP's para MSN <--- "
# Block everyone else
# Only the native Messenger port is covered. A client that falls back to HTTP
# on port 80 (which the REDIRECT above sends to Squid, not to these rules) or
# to port 443 (not filtered for this network anywhere here) is unaffected —
# presumably why MSN still connects; confirm with a packet capture.
iptables -A FORWARD -s 172.1.1.0/24 -p tcp --dport 1863 -j REJECT
# A host name in -d is resolved once, when the rule is loaded, so each rule
# covers only the addresses DNS returned at that moment. If resolution fails,
# iptables reports an error and the script keeps going (no set -e above).
iptables -A FORWARD -s 172.1.1.0/24 -d loginnet.passport.com -j REJECT
iptables -A FORWARD -s 172.1.1.0/24 -d messenger.hotmail.com -j REJECT
iptables -A FORWARD -s 172.1.1.0/24 -d webmessenger.msn.com -j REJECT
# Drops tcp/1080 from any source; the narrower REJECT right after it can never
# match because this rule has already consumed the packet.
iptables -A FORWARD -p tcp --dport 1080 -j DROP
iptables -A FORWARD -s 172.1.1.0/24 -p tcp --dport 1080 -j REJECT
#iptables -A FORWARD -i eth1 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -i eth1 -p tcp --dport 1080 -j REJECT
#iptables -A FORWARD -i eth1 -d loginnet.passport.com -j REJECT
#echo "---> Bloqueando demais usuarios sem acesso MSN <---"
# Allow connections on the local network interface and on ports 21 and 22:
# NOTE(review): the original comment says "local interface", but eth0 is the
# interface MASQUERADE goes out of above (the Internet side), while eth1 is the
# LAN side used by the proxy redirect. Accepting everything on eth0 exposes every
# service on this host to the outside — confirm which interface is meant.
# The same rule is repeated a few lines further down.
iptables -A INPUT -i eth0 -j ACCEPT
# Ports 21 and 22 are accepted from any interface and any source address.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
echo "---> Acesso FTP Ativado <---"
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
echo "---> Permissão de Acesso Remoto Ativado <---"
# Allow connections on ports 3000 and 10000 (the original comment said 1000;
# the rule below opens 10000), again from any interface and source:
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
# UltraSurf block rule (affected machines will feel slow because of the retries)
# Reads one address per whitespace-separated word. The unquoted backticks and
# unquoted $end mean any comment or stray token in the file is passed to
# iptables verbatim, which then fails for that entry and the loop continues.
for end in `cat /etc/squid/rules/ultrasurf`
do
iptables -A OUTPUT -d $end -p tcp --dport 443 -j DROP
iptables -A FORWARD -d $end -p tcp --dport 443 -j DROP
iptables -A INPUT -s $end -p tcp --dport 443 -j DROP
done
# Block HTTPS URLs (disabled)
#for I in `cat /etc/squid/rules/https`
#do
# iptables -A FORWARD -s 192.168.1.0/24 -d $I -p tcp --dport 443 -j DROP
#done
# Basic firewall rules:
iptables -A INPUT -i lo -j ACCEPT
# NOTE(review): the closing "}" of iniciar and the call that runs it are not
# part of the posted excerpt.
Agradeço quem puder auxiliar, estou me atualizando com o uso do Linux...