Configurando o PROXY manualmente no Browse

1. Configurando o PROXY manualmente no Browse

helionney
(usa Mandriva)

Enviado em 22/05/2013 - 10:06h

Amigos o meu problema é que o PROXY não funciona se eu configurar maualmete nos browsers das estações de minha rede, mas o se eu configurar na máquina em que o servidor está ele funciona normalmente. O que estou fazendo de errado.
Segue abaixo a configuração do meu squid/iptables:

FIREWALL

#!/bin/bash
#firewall

function definindo_variaveis
{
#
#DEFININDO VARIAVEIS
#
IPTABLES=/sbin/iptables
prog=firewall
#numero do ip com mascara 24 refere-se a rede.
#numero do ip com mascara 32 refere-se ao servidor.
#numero do ip com mascara 0/0 refere-se todos os ip de todas as redes.

#Endereco ip das interfaces.
LO_IP="127.0.0.1";

ETH0_IP="192.168.4.254";
ETH1_IP="192.168.2.242";
#ETH11_IP="186.216.160.74";
#ETH11_IP="10.10.171.200";

#Interfaces.
IFACE_LO="lo";

IFACE_ETH0="eth0";
IFACE_ETH1="eth1";

#Redes.
INTERNET="0.0.0.0/0";

ETH0_NET="192.168.4.0/24";
ETH1_NET="192.168.2.0/24";
#ETH11_NET="10.10.171.0/30";
}

#Protegendo o kernel contra solicitacoes de virus, a tabela arp ficara gigante
#e causara (Neighbour table overflow)
function carga_arp
{
echo 16384 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 32768 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 65535 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
}

function status
{
IPTABLES=/sbin/iptables
prog=firewall

echo "Status do $proc:"
$IPTABLES -L
$IPTABLES -L -t nat
$IPTABLES -L -t mangle
}

function checa_modulos
{
/sbin/depmod -a
}

function chama_modulos
{
#Levanta os modulos do kernel, responsaveis pelo iptables, nat e nat em conexoes ftp.
#Modulos necessarios.
#Verificar cada um.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
}

function configura_proc
{
#habilita o forward do kernel
#Esta funcao ja esta habilitada no script roteador
echo 1 > /proc/sys/net/ipv4/ip_forward

#Protecao contra ICMP Broadcasting:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Esta funcao habilita o maximo de dados pelo servidor.
#Isso inibe a queda do mesmo.
#Tabela de alocacao.
#16MBs = 1024.
#32MBs = 2048.
#64MBs = 4096.
#128MBs = 8192.
#256MBs = 16384.
#384MBs = 24576.
#512MBs = 32768.
#1000MBs= 65536.
if [ -f /proc/sys/net/ipv4/ip_conntrack_max ]; then
echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max
fi

#evitando ip-spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
fi

#Protejendo contra cookies
if [ -e /proc/sys/net/ipv4/tcp_syncoohies ]; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

#ativando o kernel para ip dinamico
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi
}

function limpa_regras
{
#limpando as regras
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}

function politicas
{
#
#definindo as politicas (padrao) utilizada pelo firewall
#

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

}

function cria_regras
{
$IPTABLES -N PKTRUI
$IPTABLES -N PKTPER
$IPTABLES -N PKTICM
}

function configura_regras
{
#
#Analise de pacotes tcp nao permitidos.
#

#Adicionei os logs nos pacotes, para gerar relatorios de tentativas de invasao.
#Pacotes adulterados com syn = 1 e ack =1, em uma nova conexao.

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg01) Adulterado: "

$IPTABLES -A PKTRUI -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
#Mesma regra na analise a regra anterior e mais efeciente,
#e a proxima e mas casca de pescoso barra tudo, nao interessa se e nova conexao
#ou estabelecida.
#$IPTABLES -A PKTRUI --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

#Pacotes adulterados com syn = 0, em uma nova conexao.

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp ! --syn -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg02) Adulterado: "

$IPTABLES -A PKTRUI -p tcp ! --syn -m state --state NEW -j DROP

#Anti Anomalias de Pacotes.
#$IPTABLES -A PKTRUI -m unclean -j LOG --log-level DEBUG --log-prefix "Pacote (Rg03) Adulterado: "
#$IPTABLES -A PKTRUI -p tcp -m unclean -j DROP
#$IPTABLES -A PKTRUI -m unclean -j DROP

#
#Modifiquei essas regras adicionando o fragmento (-m state --state NEW).
#Para que o firewall ficasse mas eficiente.

#Pacotes adulterados com fin=1, urg=1, psh=1, em uma nova conexao.

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL FIN,URG,PSH -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg04) Adulterado: "

$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL FIN,URG,PSH -m state --state NEW -j DROP

#Pacotes adulterados com syn=1, rst=1, ack=1, fin=1, urg=1, em uma nova conexao.

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg05) Adulterado: "

$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m state --state NEW -j DROP

#Pacotes adulterados com todos os flasgs setados em 1, em uma nova conexao.

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL ALL -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg06) Adulterado: "

$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL ALL -m state --state NEW -j DROP

#Pacotes adulterados com fin=1, em uma nova conexao.

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL FIN -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg07) Adulterado: "

$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL FIN -m state --state NEW -j DROP

#Pacotes adulterados com syn=1, rst=1, em uma nova conexao.

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp --tcp-flags SYN,RST SYN,RST -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg08) Adulterado: "

$IPTABLES -A PKTRUI -p tcp --tcp-flags SYN,RST SYN,RST -m state --state NEW -j DROP

#Pacotes adulterados com syn=1, fin=1, em uma nova conexao.

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp --tcp-flags SYN,FIN SYN,FIN -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg09) Adulterado: "

$IPTABLES -A PKTRUI -p tcp --tcp-flags SYN,FIN SYN,FIN -m state --state NEW -j DROP

#Pacotes adulterados com flag que nao existe, em uma nova conexao

#parando os logs.
#$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL NONE -m state --state NEW -j LOG --log-level DEBUG --log-prefix "Pacote (Rg10) Adulterado: "

$IPTABLES -A PKTRUI -p tcp --tcp-flags ALL NONE -m state --state NEW -j DROP
#
#Analise de pacotes tcp permitidos.
#

#Anti Syn-flood
#Sequencia de pacotes com mais de uma chamada.
$IPTABLES -A PKTPER -p tcp -m limit --limit 1/s -j ACCEPT

#Antin NMap-Port scanning.
#Sequencia de pacotes enviados do programa nmap, que varre conexoes ativas.
$IPTABLES -A PKTPER -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

#Pacotes permitos
$IPTABLES -A PKTPER -p tcp --syn -j ACCEPT
$IPTABLES -A PKTPER -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PKTPER -p tcp -j DROP

#Ping da Morte.
#Sequencia de pacotes ping, que sobrecarregar as conexoes com o servidor.
$IPTABLES -A PKTICM -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#Pacotes icmp permitidos
$IPTABLES -A PKTICM -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A PKTICM -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
}

function configura_saida_fw
{
#Eliminando intrusos.
$IPTABLES -A OUTPUT -p tcp -j PKTRUI

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $ETH0_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $ETH1_IP -j ACCEPT

# $IPTABLES -A OUTPUT -p ALL -s $ETH11_IP -j ACCEPT

#Log dos pacotes de saida que nao restornaram.
#parando os logs.
#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Pacote de saida morto: "
}

function configura_entrada_fw
{
#Eliminando intrusos
$IPTABLES -A INPUT -p tcp -j PKTRUI

#Permitindo pacotes que vem pela interface lo para os ips das interfaces
$IPTABLES -A INPUT -p ALL -i $IFACE_LO -s $LO_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $IFACE_LO -s $ETH0_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $IFACE_LO -s $ETH1_IP -j ACCEPT

# $IPTABLES -A INPUT -p ALL -i $IFACE_LO -s $ETH11_IP -j ACCEPT

#Tratando os servicos na interface eth0 (rede interna)

#Priorizando navegacao.
#$IPTABLES -t mangle -A PREROUTING -p tcp -d 0/0 --dport 80 -j TOS --set-tos 16

$IPTABLES -A INPUT -s 192.168.4.0/24 -j DROP

#Permitindo pacotes icmp.
$IPTABLES -A INPUT -p icmp -i $IFACE_ETH0 -s $ETH0_NET -j PKTICM
#$IPTABLES -A INPUT -p icmp -i $IFACE_ETH0 -s 172.16.11.0 -j PKTICM

#Permitindo conexoes ssh.
# $IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s $ETH0_NET --dport 41075 -j ACCEPT

#Servidor de proxy.

# $iptables -A INPUT -i 192.168.4.0/254 -p tcp --dport 3128 -j ACCEPT

# iptables -t nat -A PREROUTING -i $IFACE_ETH0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# $IPTABLES -A INPUT -p tcp -d $ETH0_IP --dport 3128 -j ACCEPT

# $IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.4.254 --dport 3128 -j ACCEPT

$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.4.0/24 --dport 3128 -j ACCEPT

#Servidor de web.
$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s $ETH0_NET --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.4.0/24 --dport 80 -j ACCEPT

#Libera conexao VPN
#Regras adicionadas em carater temporario para acesso das redes na nuvem VPN
#######
#Permitindo pacotes icmp.
#$IPTABLES -A INPUT -p icmp -i $IFACE_ETH0 -s 172.16.0.0/16 -j PKTICM
$IPTABLES -A INPUT -p icmp -i $IFACE_ETH0 -s 192.168.4.0/24 -j PKTICM
# $IPTABLES -A INPUT -p icmp -i $IFACE_ETH0 -s 172.16.11.0/24 -j PKTICM
# $IPTABLES -A INPUT -p icmp -i $IFACE_ETH0 -s 192.168.8.0/24 -j PKTICM

#Permitindo conexoes ssh.
#$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 172.16.0.0/16 --dport 41075 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.4.0/24 --dport 41075 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.8.0/24 --dport 41075 -j ACCEPT

#Servidor de proxy.
#$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 172.16.0.0/16 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.4.254 --dport 3128 -j ACCEPT
# $IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.10.0/24 --dport 3128 -j ACCEPT
# $IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.8.0/24 --dport 3128 -j ACCEPT

#Servidor de web.
#$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 172.16.0.0/16 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.4.0/24 --dport 80 -j ACCEPT
# $IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.10.0/24 --dport 80 -j ACCEPT
# $IPTABLES -A INPUT -p tcp -i $IFACE_ETH0 -s 192.168.8.0/24 --dport 80 -j ACCEPT

#Tratando os servicos na interface eth1 (rede internet vctelecom)

#Permitindo pacotes icmp.
$IPTABLES -A INPUT -p icmp -i $IFACE_ETH1 -s $ETH1_NET -j PKTICM
#$IPTABLES -A INPUT -p icmp -i $IFACE_ETH1 -s $INTERNET -j PKTICM

#Permitindo pacotes tcp para conexoes ssh, somente para rede interna
#$IPTABLES -A INPUT -p tcp -i $IFACE_ETH1 -s $ETH1_NET --dport 41075 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -i $IFACE_ETH1 -s $INTERNET --dport 41075 -j ACCEPT

#Redirecionar para siaweb e scpiweb.
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.78 --dport 5601 -j DNAT --to-destination 192.168.0.252:5601
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH0 -d 186.216.160.78 --dport 5601 -j DNAT --to-destination 192.168.0.252:5601
#Redirecionar para issweb.
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.78 --dport 8080 -j DNAT --to-destination 192.168.0.252:8080
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH0 -d 186.216.160.78 --dport 8080 -j DNAT --to-destination 192.168.0.252:8080

#Liberando acesso Spark
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.78 --dport 5222:5223 -j DNAT --to-destination 192.168.0.42
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.78 --dport 5269 -j DNAT --to-destination 192.168.0.42

#Redirecionar para contra cheque.
#$IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.78 --dport 8084 -j DNAT --to-destination 192.168.0.170:84

#
#Servicos do servidor apl intranet/internet.
#
#-----------------------------------------------------------------------------------------------------------------------------------

#Redirecionar para apl intranet ssh.
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.74 --dport 41075 -j DNAT --to-destination 192.168.0.1:41075
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH0 -d 186.216.160.74 --dport 41075 -j DNAT --to-destination 192.168.0.1:41075

#Redirecionar para apl intranet http.
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.74 --dport 8099 -j DNAT --to-destination 192.168.0.1:80
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH0 -d 186.216.160.74 --dport 8099 -j DNAT --to-destination 192.168.0.1:80

#Redirecionar para apl intranet ftp.
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.74 --dport 20 -j DNAT --to-destination 192.168.0.1:20
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.74 --dport 21 -j DNAT --to-destination 192.168.0.1:21
#-----------------------------------------------------------------------------------------------------------------------------------

#
#Servicos do servidor de banco de dados intranet/internet.
#
#-----------------------------------------------------------------------------------------------------------------------------------

#Redirecionar para banco dados intranet ssh.
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.74 --dport 31898 -j DNAT --to-destination 192.168.0.2:41075

#Redirecionar para banco dados intranet.
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.74 --dport 8090 -j DNAT --to-destination 192.168.0.2:80
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH0 -d 186.216.160.74 --dport 8090 -j DNAT --to-destination 192.168.0.2:80

#Redirecionar para apl intranet ftp.
#$IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.74 --dport 20 -j DNAT --to-destination 192.168.0.1:20
#$IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.74 --dport 21 -j DNAT --to-destination 192.168.0.1:21
#-----------------------------------------------------------------------------------------------------------------------------------

#Liberando Rede Local para acessar Servidores Internos

# $IPTABLES -t nat -A OUTPUT -p tcp -d 186.216.160.78 --dport 5601 -j DNAT --to 192.168.0.252:5601
# $IPTABLES -t nat -A OUTPUT -p tcp -d 186.216.160.78 --dport 8080 -j DNAT --to 192.168.0.252:8080
# $IPTABLES -t nat -A OUTPUT -p tcp -d 186.216.160.74 --dport 8099 -j DNAT --to 192.168.0.1:80
# $IPTABLES -t nat -A OUTPUT -p tcp -d 186.216.160.74 --dport 8090 -j DNAT --to 192.168.0.2:80
# $IPTABLES -t nat -A OUTPUT -p tcp -d 186.216.160.78 --dport 8086 -j DNAT --to 192.168.0.17:86
# $IPTABLES -t nat -A OUTPUT -p tcp -d 186.216.160.78 --dport 8084 -j DNAT --to 192.168.0.170:84

#$IPTABLES -A OUTPUT -p tcp -d www.imo.im --dport 80 -j REJECT

#Redirecionar para protocoloweb.
# $IPTABLES -t nat -A PREROUTING -p tcp -i $IFACE_ETH1 -d 186.216.160.78 --dport 8086 -j DNAT --to-destination 192.168.0.17:86

#Permitindo toda conexao estabelecida que vem para o fw.
#O Pedro tinha razao o firewall obedece seguencia estruturada de execucao.
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

#Liberando range para FTP
#$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i eth+ -s 0/0 -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -i eth+ -s 0/0 -p tcp --sport 20:21 -m state --state ESTABLISHED -j ACCEPT

#Log dos pacotes de entrada que nao podem sair.
#parando os logs.
#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Pacote de entrada morto: "
}

function configura_passagem
{
#Eliminando intrusos

$IPTABLES -A FORWARD -p tcp -j PKTRUI

#Liberando portas especificas
#FTP
$IPTABLES -A FORWARD -p tcp --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 21 -j ACCEPT
#Caixa
$IPTABLES -A FORWARD -p tcp --dport 2631 -j ACCEPT
#Receita
$IPTABLES -A FORWARD -p tcp --dport 3456 -j ACCEPT
#EdiItau
$IPTABLES -A FORWARD -p tcp --dport 11001 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 8676 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 10000 -j ACCEPT

#Regra adicionada em carater temporario para acesso das redes na nuvem VPN
#$IPTABLES -A FORWARD -s 172.16.0.0/16 -j ACCEPT

/etc/firewall/firewall.conf

#Retorno da internet.
$IPTABLES -A FORWARD -p ALL -o $IFACE_ETH0 -s $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

#Log dos pacotes que passam pelo fw, que nao retornam.
#parando os logs.
#$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Pacote de passagem morto: "

}

function configura_mascaramento
{

#Mascaramento de saida (nao possui paramentro -i interface).

# $IPTABLES -t nat -A POSTROUTING -p ALL -s $ETH0_NET -d $INTERNET -o $IFACE_ETH1 -j SNAT --to 192.168.4.254

# $IPTABLES -t nat -A POSTROUTING -p ALL -s $INTERNET -d $ETH0_NET -j SNAT --to 192.168.0.3
#$IPTABLES -t nat -A POSTROUTING -p ALL -s 192.168.0.252 --sport 5601 -j SNAT --to 186.216.160.78
#$IPTABLES -t nat -A POSTROUTING -p ALL -s $ETH0_NET -d $INTERNET -o $IFACE_ETH1 -j MASQUERADE

#$IPTABLES -t nat -A POSTROUTING -p ALL -s 172.16.0.0/16 -d $INTERNET -o $IFACE_ETH1 -j MASQUERADE

# $iptables -t nat -A PREROUTING -s 192.168.4.254 -p tcp --dport 80 -j ACCEPT

# $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

$IPTABLES -t nat -A POSTROUTING -p ALL -s 192.168.4.0/24 -d $INTERNET -o $IFACE_ETH1 -j MASQUERADE

# $IPTABLES -t nat -A POSTROUTING -p ALL -s 192.168.8.0/24 -d $INTERNET -o $IFACE_ETH1 -j MASQUERADE

#/etc/firewall.mask
}

function configura_redirecionamento
{
/etc/firewall/firewall.redirect
}

case "$1" in

start)
echo "Iniciando $proc:"
definindo_variaveis;
carga_arp;
checa_modulos;
chama_modulos;
configura_proc;
limpa_regras;
politicas;
cria_regras;

configura_regras;
configura_saida_fw;
configura_entrada_fw;
configura_passagem;
configura_mascaramento;
#configura_redirecionamento
;;

stop)
echo "Parando $proc:"
definindo_variaveis;
limpa_regras;
;;

restart)
echo "Reiniciando $proc:"
$0 stop
$0 start
echo
;;

status)
status
;;
*)

echo "Use: $0 {start|stop|restart|status}"
;;

esac
exit 0

SQUID.CONF

#
# Recommended minimum configuration:
#

#ttp_port 192.168.4.254:3128
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.4.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access allow localhost

# Squid normally listens to port 3128
http_port 192.168.4.254:3128
hostname_aliases SRV-FIREWALL
visible_hostname SRV-FIREWALL
cache_mgr helionney@yahoo.com.br
cache_dir ufs /cache 205000 16 256

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
error_directory /usr/share/squid/errors/pt-br
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
shutdown_lifetime 5 seconds
cache_effective_user squid
cache_effective_group squid

hierarchy_stoplist cgi-bin ?
cache_mem 512 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 100 MB
dns_nameservers 192.168.2.254
dns_nameservers 8.8.8.8

Amigos onde estou errando.

0 0

Quote