sill
(usa Debian)
Enviado em 11/03/2009 - 10:00h
Bom dia pessoal,
Gostaria de pedir que analisem meus scripts pois não consigo fazer a internet funcionar nas estações.
Meu servidor é um Debian 5.0 e está funcionando a internet numa boa.
Minha conexão é o Speedy da Telefônica (IP fixo)
[MODEM]----[SERVER ETH0][SERVER ETH1]------[SWITCH]---[REDE LOCAL]
Minha rede local é Win XP
Vou postar minhas configurações de rede, squid e firewall
*************** REDE ***********
# The loopback network interface
auto lo
iface lo inet loopback
# eth0: the side facing the modem. It is configured by DHCP here although
# the post says the link has a fixed IP -- presumably the modem hands the
# address out; confirm the gateway/DNS it pushes are the intended ones.
auto eth0
iface eth0 inet dhcp
# eth1: the side facing the LAN switch, static. The workstations use this
# address as both gateway and DNS server, so something must actually be
# answering DNS on it. Squid's "redelocal" ACL (192.168.0.0/24) and the
# firewall's IP variable must describe this same /24 -- they only match
# the workstations if the "x" below is the same network.
auto eth1
iface eth1 inet static
address 192.168.x.x
netmask 255.255.255.0
broadcast 192.168.x.255
network 192.168.x.x
************* MINHA ESTAÇÃO XP ***********
IP 192.168.x.x
MASC 255.255.255.0
GAT (O MESMO IP DO SERVIDOR)
DNS (TAMBÉM O IP DO SERVIDOR)
************ RESOLV.CONF *****************
### BEGIN INFO
# Resolvers used by the SERVER itself (presumably the ISP's). The
# "### BEGIN INFO" marker looks like the header of a file generated by a
# network-management tool, in which case hand edits here may be
# overwritten on the next interface change -- confirm before relying on it.
# NOTE(review): the workstations point their DNS at the server, not at
# these addresses; that only works if a resolver (the BIND mentioned in
# the firewall header, or similar) is actually listening on eth1. Nothing
# in this post shows one, and a browser that "hangs for a long time"
# before failing is consistent with unanswered DNS queries.
domain lan
search lan
nameserver 200.204.0.10
nameserver 200.204.0.138
************ SQUID ***********************
# Listen on 3128 in transparent (intercepting) mode. The firewall's
# PREROUTING REDIRECT rule sends LAN port-80 traffic here, so whether the
# workstations can browse is decided by the http_access rules below, not
# by the FORWARD chain of the firewall.
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 8 MB # RAM set aside for the proxy's in-memory objects
cache_swap_low 90
cache_swap_high 95
cache_mgr meu_email@empresa.com.br
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# "(usuario)" / "(grupo)" are placeholders in the post; the real file must
# name an existing unprivileged account (Debian's package typically runs
# Squid as "proxy") or Squid will refuse to start -- check cache.log.
cache_effective_user (usuario)
cache_effective_group (grupo)
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid
visible_hostname squid.empresa.com.br
hosts_file /etc/hosts
# Cache refresh defaults
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Block / allow lists (one pattern per line). Entries are case-insensitive
# regular expressions matched against the WHOLE URL: an unescaped "."
# matches any character, and "www.terra.com.br" also matches that text
# anywhere in a longer URL (a query string, for instance). For blocking
# whole sites the dstdomain ACL type is the usual, less surprising choice.
acl blockedsites url_regex -i "/etc/squid/bloqueados/block.txt"
acl unblockedsites url_regex -i "/etc/squid/bloqueados/unblock.txt"
# Every address (Squid 2.x syntax; Squid 3 predefines "all").
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
# localhost rule
acl localhost src 127.0.0.1/255.255.255.255
# Rule for the local network.
# This must be the subnet the workstations actually use, i.e. the /24 of
# eth1 ("address 192.168.x.x" in the interfaces file, "IP=192.168.x.x/24"
# in the firewall). 192.168.0.0/24 only matches them if that x is 0; a
# client outside the range is not matched here, falls through to
# "http_access deny all" below and is refused.
# (Author's note, translated: unsure whether to leave it like this or use
# the server's eth1 address; tried both, neither worked. A single host
# address would never match the workstations, so keep a network here.)
# NOTE(review): a denial here would show Squid's error page rather than a
# hang; a browser that hangs before any page appears is more consistent
# with client-side name resolution failing (the workstations use the
# server as their DNS).
acl redelocal src 192.168.0.0/24
# Ports CONNECT (HTTPS tunnels) may be established to
acl SSL_ports port 443 563 10000 # https, snews
acl SSL_ports port 873 # rsync
# Ports plain requests may go to
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 1000 # https, snews -- "1000" vs "10000" in SSL_ports above looks like a typo (port 1000 is not well known; 10000 is already inside 1025-65535)
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# Basic rules for managing the proxy: cache manager and PURGE only from
# localhost, denied for everyone else.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Refuse anything outside the listed ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Block list first (applied to every client, before any allow), then allow
# localhost and the LAN; everything else is denied. Order matters: the
# first matching http_access line wins.
http_access deny blockedsites !unblockedsites
http_access allow localhost
http_access allow redelocal
http_access deny all
http_reply_access allow all
# Any host may send ICP queries to this proxy. With no cache peers
# configured, "icp_access deny all" is the tighter setting.
icp_access allow all
************ FIREWALL ********************
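#!/bin/bash
# FIREWALL RULES -- PROXY; SQUID; APACHE; SARG; DHCP3-SERVER; BIND
#########################################################################
#
# NAT / filtering for a two-interface gateway: EXTERNAL faces the modem,
# INTERNAL faces the LAN switch. Usage: $0 { status | start | stop | restart }
# (the dispatcher is at the bottom of the file). Needs root: it writes
# /proc/sys and calls iptables.
#
echo
echo "=========================================="
echo "| :: SETTING IPTABLES'S CONFIGURATION :: |"
echo "=========================================="
#
# Interface facing the modem (eth0 is on DHCP in the interfaces file).
EXTERNAL=eth0
# Interface facing the LAN switch.
INTERNAL=eth1
# LAN network in CIDR form; used as the -s (source) match of the NAT rules.
# It must be the NETWORK of eth1 (the /24 the workstations sit in), not
# the server's single host address. The explanation that followed the
# value in parentheses on the original line made bash reject the whole
# script with a syntax error ("(" starts a subshell) -- notes go in
# comments only.
IP=192.168.x.x/24 # same network as the server's eth1 address
#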
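#######################################
# Empty the firewall: flush every rule, delete every user-defined chain
# and zero the counters in the filter, nat AND mangle tables (the
# original only deleted chains / zeroed counters in filter).
# Chain policies are not touched and this script never sets any, so after
# a flush the kernel default (ACCEPT) applies: "stop" leaves the host
# open, not closed, and ip_forward stays at whatever add_rules set.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
flush_rules()
{
  local table
  for table in filter nat mangle; do
    iptables -t "$table" -F   # flush all rules in every chain
    iptables -t "$table" -X   # delete user-defined chains (now empty)
    iptables -t "$table" -Z   # zero packet/byte counters
  done
}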
#
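#######################################
# Install the rules: enable forwarding, load the netfilter modules,
# masquerade traffic leaving through EXTERNAL, redirect LAN port-80
# traffic into the transparent Squid on 3128, and drop unsolicited
# traffic arriving on EXTERNAL. Rules are appended (-A / -I), so calling
# this twice without flush_rules duplicates them.
# Globals:   EXTERNAL, INTERNAL, IP (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last iptables call
#######################################
add_rules()
{
  local module
  ###################### Enable routing between the interfaces
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "Roteamento .........................[ OK ]"
  #
  ###################### Load the netfilter modules
  # Failures are not checked: on a kernel where these legacy names are
  # only aliases (or missing) modprobe prints an error and the script
  # carries on, so read the output if the rules below fail to load.
  for module in ip_tables iptable_filter iptable_mangle iptable_nat \
      ipt_MASQUERADE ipt_state ip_conntrack ip_conntrack_ftp ipt_multiport \
      ip_nat_ftp ipt_tos ipt_limit; do
    /sbin/modprobe "$module"
  done
  echo "Loading iptables's modules .........[ OK ]"
  #
  ###################### Accept everything on loopback
  iptables -A INPUT -i lo -j ACCEPT
  #
  ###################### Masquerade everything leaving through EXTERNAL
  iptables -t nat -A POSTROUTING -o "$EXTERNAL" -j MASQUERADE
  #
  ###################### Transparent proxy
  # Port-80 traffic from the LAN is redirected to Squid on this host, so
  # it is handled by the INPUT chain and by Squid's http_access ACLs --
  # not by the FORWARD chain below. If browsing hangs, check Squid's
  # access.log and that its "redelocal" ACL covers the eth1 subnet.
  iptables -t nat -A PREROUTING -i "$INTERNAL" -p tcp --dport 80 -j REDIRECT --to-port 3128
  #
  #################### DNS
  # Inserted at the head of POSTROUTING; already covered by the generic
  # MASQUERADE rule above, kept for its explicit -s/-p match.
  iptables -I POSTROUTING -j MASQUERADE -t nat -s "$IP" -p udp --dport 53 -o "$EXTERNAL"
  #
  ##################### Masquerade, restricted to the LAN network
  # Both are subsumed by the generic "-o $EXTERNAL" rule above. The first
  # has no -o, so it also matches packets from IP leaving through any
  # other interface.
  iptables -t nat -A POSTROUTING -s "$IP" -d 0/0 -j MASQUERADE
  iptables -t nat -A POSTROUTING -s "$IP" -o "$EXTERNAL" -j MASQUERADE
  #
  #################### Rate-limited forwarding of ICMP echo requests ("ping of death")
  # The original listed this exact rule twice; the duplicate had its own
  # 1/s token bucket, so it only doubled the accepted rate, and was removed.
  iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  #
  ###################### Rate-limited accepts for forwarded TCP
  # Meant as portscan / DoS / SYN-flood protection. NOTE(review): nothing
  # at the end of FORWARD drops what these rules do not accept and this
  # script never sets a chain policy, so packets over the 1/s limit fall
  # through to the later rules and finally to the chain policy (ACCEPT
  # unless something else set it) -- the limits do not block anything on
  # their own.
  iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  # Drops segments whose flags are exactly SYN+ACK; genuine SYN+ACK
  # replies belonging to tracked connections were already accepted by the
  # ESTABLISHED,RELATED rule above.
  iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
  #
  ####################### Allow all connections OUT and only related ones IN
  iptables -A FORWARD -i "$EXTERNAL" -o "$INTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #
  # Close the external side: only replies to connections this host (or the
  # LAN, via NAT) opened may reach INPUT from EXTERNAL.
  # "--state ! ..." is the old negation form; iptables still accepts it,
  # newer versions prefer "! --state ESTABLISHED,RELATED".
  iptables -A INPUT -i "$EXTERNAL" -m state --state ! ESTABLISHED,RELATED -j DROP
  #
  # Key point of the firewall: new TCP connections from EXTERNAL are
  # dropped (already covered by the rule above; kept as belt and braces).
  iptables -A INPUT -i "$EXTERNAL" -p tcp --syn -j DROP
  #
  # Still, also drop TCP to every port below 32000 arriving on EXTERNAL.
  iptables -A INPUT -i "$EXTERNAL" -p tcp --dport :32000 -j DROP
  #
  # NOTE(review): no rule matches INPUT from INTERNAL or new LAN-to-outside
  # traffic in FORWARD, so those are decided solely by the chain policies,
  # which this script never sets.
}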
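# Dispatch on the first argument. Anything else (including no argument)
# prints the usage line on stderr and exits non-zero, so callers and init
# scripts can tell a typo from a successful run (the original always
# exited 0).
case "$1" in
  start)
    echo -n "Starting Firewall..."
    add_rules
    echo "Done"
    ;;
  stop)
    echo -n "Stoping Firewall..."
    flush_rules
    echo "Done"
    ;;
  restart)
    echo "Restarting Firewall..."
    # flush_rules already empties every chain of the filter table; the
    # extra per-chain -F calls of the original were redundant.
    flush_rules
    echo "Cleaning all rules .................[ OK ]"
    add_rules
    echo "Done"
    ;;
  status)
    echo "============================ Firewall rules:"
    iptables -L -n
    echo "============================ Masquerade tables:"
    iptables -t nat -L -n
    echo "============================ Mangle table:"
    iptables -t mangle -L -n
    ;;
  *)
    echo "Usar: $0 { status | start | stop | restart }" >&2
    exit 1
    ;;
esac
exit 0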
**************** OBSERVAÇÃO **************
Estou conseguindo pingar do meu PC para o servidor, mas não consigo conectar na internet. Fica um tempão tentando carregar a página e não conecta.
Dentro do arquivo block.txt eu coloquei
www.terra.com.br e dentro de unblock.txt eu coloquei
www.google.com.br