IP bypassing the proxy [SOLVED]

1. IP bypassing the proxy [SOLVED]

Francisco Jorge
FR4NC15C0JH

(uses Ubuntu)

Posted on 26/05/2014 - 09:27h

Good morning, VOL folks,

I'm having trouble getting a few IPs to bypass the proxy.
I did a lot of research and tried it several ways, but couldn't get the configuration to work.
Without the proxy I can't browse.
Here is my firewall script.
The "IPs without proxy" section (IPS SEM PROXY) holds the commands I tried that didn't work.

#!/bin/bash

# Flush all iptables rules (no default policy is set anywhere in this script,
# so the kernel default of ACCEPT applies to INPUT, FORWARD and OUTPUT)

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -L -n
echo "Tables flushed ...... [ok]"

# Log INPUT, OUTPUT and FORWARD (an unconditional LOG at the top of each chain
# logs every single packet; in production add -m limit to these)

iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
echo "Logging loaded ...... [ok]"

# IPS WITHOUT PROXY (the commented lines are the attempts that did not work)
iptables -t nat -I PREROUTING -s 10.1.1.15 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 10.1.1.15 -o eth1 -j MASQUERADE
#iptables -t nat -A PREROUTING -i eth1 -p tcp -s 10.1.1.15 -j RETURN
#iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -s $10.1.1.15 -p tcp --dport 80 -j ACCEPT   # bug: "$1" is a positional parameter, so with no script arguments this expands to 0.1.1.15
#iptables -I INPUT -m mac --mac-source 00:00:00:00:00 -s ! 10.1.1.15 -j DROP   # MAC as posted; "-s ! addr" is the legacy spelling of "! -s addr"
#iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT

# LAN NAT
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to 0.0.0.0   # public IP replaced by 0.0.0.0 in the post
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#echo "Internet opened ........ [ok]"

# REDIRECT RULE TO THE PROXY
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to 0.0.0.0   # public IP replaced by 0.0.0.0 in the post
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A INPUT -i eth2 -p tcp -s 10.1.1.0/255.255.255.0 --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j DROP   # keeps the proxy port closed on the Internet side
echo "Internet started ...... [ok]"

# Ping of Death mitigation (with an ACCEPT policy this only accepts the first
# echo-request per second; nothing drops the excess unless a DROP rule follows)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# DoS mitigation for the LAN and the server (same caveat; under a DROP policy
# these two rules would let through a single TCP packet per second in total)
iptables -I FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp -m limit --limit 1/s -j ACCEPT

# Worm protection
iptables -I FORWARD -p tcp --dport 135 -j LOG --log-level info --log-prefix 'WORMS REDE>'
iptables -A FORWARD -p tcp --dport 135 -j DROP
iptables -I INPUT -p tcp --dport 135 -j LOG --log-level info --log-prefix 'WORMS >'
iptables -A INPUT -p tcp --dport 135 -j DROP

# Block Google Talk / Gmail chat (hostnames are resolved once, when the rule is
# loaded; iptables stores only the addresses returned at that moment)

iptables -A FORWARD -d talk.l.google.com -p tcp --dport 443 -j DROP
iptables -A FORWARD -d chatenabled.mail.google.com -p tcp --dport 443 -j DROP

iptables -A FORWARD -d talk.google.com -p tcp --dport 443 -j DROP
iptables -A FORWARD -d talkx.l.google.com -p tcp --dport 443 -j DROP

# Drop ports 80, 111 and 60661 on the external interface
iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 111 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 60661 -j DROP

# Conectividade Social (Caixa)
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT

# Block access to games
iptables -A FORWARD -s 186.192.82.97 -j DROP

# Open inbound ports
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 7025 -j ACCEPT # smtp zimbra
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 25 -j ACCEPT # smtp
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 587 -j ACCEPT # smtp
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 110 -j ACCEPT # pop
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 995 -j ACCEPT # pops
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 143 -j ACCEPT # imap
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 993 -j ACCEPT # imaps
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 443 -j ACCEPT # https
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 8443 -j ACCEPT # SICGoias
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 21 -j ACCEPT # ftp
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 53 -j ACCEPT # dns
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 8017 -j ACCEPT # sintegra
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 2631 -j ACCEPT # conectividade
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 3456 -j ACCEPT # DCTF
iptables -A INPUT -p tcp -s 10.1.1.0/24 --dport 22792 -j ACCEPT # SKYPE
iptables -A INPUT -i eth2 -p tcp --dport 7025 -j ACCEPT # zimbra
iptables -A OUTPUT -o eth2 -p tcp --sport 7025 -j ACCEPT # zimbra

# Port forwards (destination address and ports are zeroed out in the post;
# with a DROP policy on FORWARD each of these would also need a FORWARD ACCEPT)
iptables -t nat -A PREROUTING -d 0.0.0.0 -p tcp -m tcp --dport 0000 -j DNAT --to 10.1.1.2:0000 # Redirect Protheus production
iptables -t nat -A PREROUTING -d 0.0.0.0 -p tcp -m tcp --dport 0000 -j DNAT --to 10.1.1.16:00 # Redirect Red Hat test base
iptables -t nat -A PREROUTING -d 0.0.0.0 -p tcp -m tcp --dport 0000 -j DNAT --to 10.1.1.110:00 # Redirect Protheus test base
iptables -t nat -A PREROUTING -d 0.0.0.0 -p tcp -m tcp --dport 0000 -j DNAT --to 10.1.1.4:0000 # Redirect Windows Server 2003 Terminal Server





  


2. Re: IP bypassing the proxy [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 26/05/2014 - 12:05h

Try this:

For an authenticated proxy
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT

For a transparent proxy
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT

Put these rules before the proxy redirect rule, to be safe.


3. Re: IP bypassing the proxy [SOLVED]

Francisco Jorge
FR4NC15C0JH

(uses Ubuntu)

Posted on 26/05/2014 - 14:50h

Buckminster wrote:

Try this:

For an authenticated proxy
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT

For a transparent proxy
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT

Put these rules before the proxy redirect rule, to be safe.


Hey, thanks...
I had already done that configuration, and I redid it with your tip, and it still didn't work.
I removed the port-forwarding rule and it still doesn't browse without the proxy.
Could the problem be in squid.conf?
Here's the tail of my squid log:

1401113014.826 0 91.188.124.225 TCP_DENIED/407 3706 GET http://www.google.com/search? - NONE/- text/html
1401113027.209 0 91.188.124.225 TCP_DENIED/407 3707 GET http://92.222.28.46/httptest.php - NONE/- text/html
1401113070.224 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113170.810 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113225.753 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113291.297 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113360.793 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113425.902 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113525.906 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113591.055 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113706.054 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113771.251 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113901.185 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113966.770 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401114126.384 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401114331.508 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401114396.574 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401114552.180 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
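The access.log excerpt above already carries two findings the thread does not draw out. The 10.1.1.15 lines are answered by Squid (a 407 is Squid's authentication challenge), so that host is still being redirected into the proxy and the nat ACCEPT is not matching it. The 91.188.124.225 lines come from a public address, so requests from outside the LAN are reaching tcp/3128 at all. The script below is an added example, not code from the thread, that runs both checks over Squid's native log format. The LAN prefix 10.1.1. (a string-prefix stand-in for 10.1.1.0/24) and the sample log are assumptions; the sample is modelled on the posted lines plus one constructed authenticated request.

```shell
#!/bin/sh
# Added example for this thread (not the poster's config): detection over
# Squid native-format access.log lines. Assumption: the LAN is 10.1.1.0/24,
# approximated below as the string prefix "10.1.1.".
LAN_PREFIX="${LAN_PREFIX:-10.1.1.}"

# Constructed sample, modelled on the lines posted in the thread plus one
# authenticated TCP_MISS/200 line (user "maria") for contrast.
SAMPLE_LOG='1401113014.826      0 91.188.124.225 TCP_DENIED/407 3706 GET http://www.google.com/search? - NONE/- text/html
1401113027.209 0 91.188.124.225 TCP_DENIED/407 3707 GET http://92.222.28.46/httptest.php - NONE/- text/html
1401113070.224 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113170.810 0 10.1.1.15 TCP_DENIED/407 3670 GET http://www.msftncsi.com/ncsi.txt - NONE/- text/html
1401113300.412 118 10.1.1.20 TCP_MISS/200 5120 GET http://www.example.com/ maria DIRECT/93.184.216.34 text/html'

# Native format fields: 1 timestamp, 2 elapsed ms, 3 client, 4 code/status,
# 5 bytes, 6 method, 7 URL, 8 user, 9 hierarchy/peer, 10 content type.

# external_clients: prints "client count" for every client whose address does
# not start with the LAN prefix. Whatever Squid answered, the TCP connection
# to the proxy port was opened from outside the LAN.
external_clients() {
    awk -v lan="$LAN_PREFIX" '
        NF >= 10 && index($3, lan) != 1 { n[$3]++ }
        END { for (c in n) print c, n[c] }' | sort
}

# stuck_at_407: prints LAN clients that never presented a username and only
# ever received a 407. Such a host is still being redirected into Squid (a
# bypass rule for it is not matching) and has no proxy credentials configured.
stuck_at_407() {
    awk -v lan="$LAN_PREFIX" '
        NF >= 10 && index($3, lan) == 1 {
            split($4, cs, "/")
            seen[$3] = 1
            if (cs[2] != "407" || $8 != "-") ok[$3] = 1
        }
        END { for (c in seen) if (!(c in ok)) print c }' | sort
}

# Run both checks over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | external_clients
printf '%s\n' "$SAMPLE_LOG" | stuck_at_407
```

On the real box the functions read the live log the same way (`stuck_at_407 < /var/log/squid3/access.log`). Any output at all from external_clients means the proxy port is open to the address printed, regardless of whether those requests were later denied.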



4. Re: IP bypassing the proxy [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 26/05/2014 - 15:07h

This rule

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to 0.0.0.0

you can comment out.
Then test whether the IPs now bypass the proxy.

This rule here

iptables -A INPUT -i eth1 -p tcp --dport 3128 -j DROP

comment it out as well; you are redirecting to port 3128 and then blocking it, and even though it's on a different network card that can confuse iptables, and besides it isn't necessary.

Post your squid.conf here.


5. Re: IP bypassing the proxy [SOLVED]

Francisco Jorge
FR4NC15C0JH

(uses Ubuntu)

Posted on 27/05/2014 - 11:56h

Buckminster wrote:

This rule

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to 0.0.0.0

you can comment out.
Then test whether the IPs now bypass the proxy.

This rule here

iptables -A INPUT -i eth1 -p tcp --dport 3128 -j DROP

comment it out as well; you are redirecting to port 3128 and then blocking it, and even though it's on a different network card that can confuse iptables, and besides it isn't necessary.

Post your squid.conf here.


Hey, I'll test the tips now.
Here's my squid.conf:
NOTE: The AD integration rule isn't working yet.

#### PORT ####
http_port 3128

#################################################################
## LOCALHOST AND LOCAL NETWORK
## (moved up from its original position so that the deny comes before every
## allow: without it Squid answers any client that can reach tcp/3128, which
## is what the public address in the posted access.log shows)
#################################################################
acl localhost src 127.0.0.1/32
acl localnet src 10.1.1.0/24
http_access deny !localnet !localhost

#################################################################
## CACHE SETTINGS
#################################################################
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_log /var/log/squid3/cache.log

#################################################################
## LOG LOCATIONS
#################################################################
access_log /var/log/squid3/access.log squid   # cache_access_log is the old name of this directive
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
logfile_rotate 4

###############################################################
## ERROR PAGES IN PORTUGUESE
error_directory /usr/share/squid3/errors/pt-br

################################################################
## ALLOW CAIXA ECONOMICA FEDERAL (Conectividade Social)
################################################################
acl caixa dstdomain -i .caixa.gov.br
http_access allow caixa
always_direct allow caixa

#################################################################
## ALLOW SKYPE
#################################################################
acl skype_domain dstdom_regex skype.com
http_access allow skype_domain

#################################################################
## ACTIVE DIRECTORY INTEGRATION (not in use yet; bind password zeroed out in the post)
#################################################################
## Parameters for looking up the AD tree
#auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=aaaaa,dc=meudominio,dc=com,dc=br" -D "cn=Administrator,cn=Users,dc=aaaaa,dc=meudominio,dc=com,dc=br" -w "0000000" -f sAMAccountName=%s -h 10.1.1.6

## Parameter for group lookup in a given OU (Organizational Unit)
#external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -R -b "dc=aaaaa,dc=meudominio,dc=com,dc=br" -D "cn=Administrator,cn=Users,dc=aaaaa,dc=meudominio,dc=com,dc=br" -w "0000000" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,cn=Users,dc=aaaaa,dc=meudominio,dc=com,dc=br))" -h 10.1.1.6

################################################################
## LOCAL (NCSA) USER AUTHENTICATION
################################################################
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm | Grupo Empresa
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
visible_hostname s3cserver2
cache_mgr ti@empresa.com.br

#################################################################
## MSN / HOTMAIL / OUTLOOK BLOCK
#################################################################
acl macs_msn_on arp "/etc/squid3/listas/macs_msn_on"
acl url_msn url_regex -i "/etc/squid3/listas/url_msn"

#################################################################
## MSN / HOTMAIL / OUTLOOK BLOCK ACL
#################################################################
## The unconditional deny on the first line shadows the MAC exception on the
## second; keep only the second line if the macs_msn_on hosts are meant to get through.
http_access deny url_msn
http_access deny url_msn !macs_msn_on

################################################################
## GOOGLE TALK / GMAIL CHAT BLOCK
acl url_gtalk url_regex -i "/etc/squid3/listas/url_gtalk"
http_access deny url_gtalk all

## ALLOWING GTALK
#acl ip_gtalk_liberado src "/etc/squid/listas/ip_gtalk_liberado"   # path says squid, not squid3
#http_access allow ip_gtalk_liberado !url_gtalk

## Same shadowing as above: "deny url_gtalk all" has already matched by the time this line is reached
acl macs_gtalk_on arp "/etc/squid3/listas/macs_gtalk_on"
http_access deny url_gtalk !macs_gtalk_on

#################################################################
## ACCESS CONTROL BY USER GROUP
#################################################################
## Full access
acl acesso_livre proxy_auth "/etc/squid3/listas/usr_livre"
#acl acesso_livre_ad external ldap_group TI
http_access allow acesso_livre
#http_access allow acesso_livre_ad

## Restricted access
acl acesso_restrito proxy_auth "/etc/squid3/listas/usr_restrito"
acl url_bloqueado url_regex -i "/etc/squid3/listas/url_bloqueado"
#acl acesso_restrito_ad external ldap_group Administracao
http_access allow acesso_restrito !url_bloqueado
#http_access allow acesso_restrito_ad !url_bloqueado

## Access to allowed sites only
acl acesso_bloqueado proxy_auth "/etc/squid3/listas/usr_bloqueado"
acl url_liberado url_regex -i "/etc/squid3/listas/url_liberado"
#acl acesso_bloqueado_ad1 external ldap_group RH
#acl acesso_bloqueado_ad2 external ldap_group Logistica
#acl acesso_bloqueado_ad3 external ldap_group Laboratorio
#acl acesso_bloqueado_ad4 external ldap_group DOCEVIDA
http_access allow url_liberado
http_access deny acesso_bloqueado !url_liberado
#http_access deny acesso_bloqueado_ad1 !url_liberado
#http_access deny acesso_bloqueado_ad2 !url_liberado
#http_access deny acesso_bloqueado_ad3 !url_liberado
#http_access deny acesso_bloqueado_ad4 !url_liberado

#################################################################
## KEYWORD SEARCH BLOCK
#################################################################
acl bloqueio_por_palavras url_regex -i "/etc/squid3/listas/palavras"
http_access deny bloqueio_por_palavras

#################################################################
## FILE EXTENSION BLOCK (BROWSER)
#################################################################
acl bloqueio_extensoes url_regex -i "/etc/squid3/listas/extensoes"
http_access deny bloqueio_extensoes

################################################################
## AUTHENTICATION
################################################################
acl usuarios proxy_auth REQUIRED
http_access allow usuarios

################################################################
## PORT RULES
## (Squid's stock config places these deny lines before any allow; here they
## come after "allow usuarios", so an authenticated user is never checked
## against them, and the 1025-65535 entry lets nearly everything through anyway)
################################################################
acl purge method PURGE
http_access allow purge localhost
http_access deny purge

acl Safe_ports port 21 # ftp
acl Safe_ports port 25 # smtp
acl Safe_ports port 587 # smtp
acl Safe_ports port 110 # pop
acl Safe_ports port 143 # imap
acl Safe_ports port 995 # pop3s
acl Safe_ports port 993 # imaps
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # mntps
acl Safe_ports port 591 # filemaker
acl Safe_ports port 633 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl Safe_ports port 2631 # conectividade social
acl Safe_ports port 3001 # ntop
acl Safe_ports port 8088 # banco daniele
acl Safe_ports port 8443 # SIC
acl Safe_ports port 22792 # SKYPE
acl Safe_ports port 1025-65535 # unregistered ports
http_access deny !Safe_ports

acl connect method CONNECT
acl SSL_ports port 443 # https   (name matched to the http_access line below)
acl SSL_ports port 563 # mntps
acl SSL_ports port 873 # rsync
http_access deny connect !SSL_ports

## Explicit terminator: with no match, Squid applies the opposite of the last
## http_access line, which above is a deny, i.e. allow.
http_access deny all
#############################################################
#############################################################




6. Re: IP bypassing the proxy [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 27/05/2014 - 14:32h

Add the rules below at the indicated position:

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -L -n
echo "Tables flushed ...... [ok]"

#Set default policies <<< add these rules

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#Allow loopback <<< add this rule

iptables -A INPUT -i lo -j ACCEPT # adds a rule to the INPUT chain allowing loopback

#Internet safety and packet acceptance rules <<< add these rules

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

#Log INPUT, OUTPUT, FORWARD

iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
echo "Logging loaded ...... [ok]"

# IPS WITHOUT PROXY
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT
# with the FORWARD policy now DROP, this host's tcp/80 also needs the FORWARD
# ACCEPT from reply 2; nothing in this excerpt opens it for new connections

# LAN NAT
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to 0.0.0.0
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#echo "Internet opened ........ [ok]"

# REDIRECT RULE TO THE PROXY
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to 0.0.0.0
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A INPUT -i eth2 -p tcp -s 10.1.1.0/255.255.255.0 --dport 3128 -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --dport 3128 -j DROP
echo "Internet started ...... [ok]"

Add the part above as it is.
The default policies were missing. They all default to ACCEPT. Set the
INPUT and FORWARD policies to DROP and OUTPUT to ACCEPT, then open and/or block whatever you want.

Make the changes, restart iptables and test.
Back up your script first if you want.

Let's change things a little at a time so it doesn't get confusing.
We'll look at your Squid afterwards, if needed.


7. Re: IP bypassing the proxy [SOLVED]

Juarez Silva
jslimma

(uses Debian)

Posted on 27/05/2014 - 15:58h

Hello,

Put this rule in and test; it works for me.

iptables -t nat -I PREROUTING -s ipinterno -p tcp --dport 80 -j ACCEPT

(ipinterno = the host's internal IP)

Good luck!


8. Re: IP bypassing the proxy [SOLVED]

Francisco Jorge
FR4NC15C0JH

(uses Ubuntu)

Posted on 27/05/2014 - 17:56h

Buckminster wrote:

Add the rules below at the indicated position:

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -L -n
echo "Tables flushed ...... [ok]"

#Set default policies <<< add these rules

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#Allow loopback <<< add this rule

iptables -A INPUT -i lo -j ACCEPT # adds a rule to the INPUT chain allowing loopback

#Internet safety and packet acceptance rules <<< add these rules

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

#Log INPUT, OUTPUT, FORWARD

iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
echo "Logging loaded ...... [ok]"

# IPS WITHOUT PROXY
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT

# LAN NAT
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to 0.0.0.0
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#echo "Internet opened ........ [ok]"

# REDIRECT RULE TO THE PROXY
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to 0.0.0.0
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A INPUT -i eth2 -p tcp -s 10.1.1.0/255.255.255.0 --dport 3128 -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --dport 3128 -j DROP
echo "Internet started ...... [ok]"

Add the part above as it is.
The default policies were missing. They all default to ACCEPT. Set the
INPUT and FORWARD policies to DROP and OUTPUT to ACCEPT, then open and/or block whatever you want.

Make the changes, restart iptables and test.
Back up your script first if you want.

Let's change things a little at a time so it doesn't get confusing.
We'll look at your Squid afterwards, if needed.


Man, I followed your tutorial and it still only gets out through the proxy. "WEIRD"
I did more tests and commented out all the rules, and access is still only allowed through the proxy.

# IPS WITHOUT PROXY
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT (tried this both commented out and uncommented)

# REDIRECT RULE TO THE PROXY
#iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j SNAT --to ipdomeuprovedor   # (ipdomeuprovedor = my ISP's IP)
#iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables -A INPUT -i eth2 -p tcp -s 10.1.1.0/255.255.255.0 --dport 3128 -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --dport 3128 -j DROP
echo "Internet started ...... [ok]"





9. Re: IP bypassing the proxy [SOLVED]

Buckminster
Buckminster

(uses Debian)

Posted on 28/05/2014 - 07:17h

Try a test: add the rule below at the indicated position, using the script with the changes I sent:

iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 3128 -j ACCEPT << add this rule, restart iptables and test.


10. Re: IP bypassing the proxy [SOLVED]

Francisco Jorge
FR4NC15C0JH

(uses Ubuntu)

Posted on 28/05/2014 - 22:32h

Buckminster wrote:

Try a test: add the rule below at the indicated position, using the script with the changes I sent:

iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 3128 -j ACCEPT << add this rule, restart iptables and test.


Hey Buckminster.
Man, I managed to solve it with a lot of testing, tutorials and your help.
I had to change a few things, and it worked.

#Set default policies

iptables -P INPUT ACCEPT #CHANGED TO ACCEPT
iptables -P FORWARD ACCEPT #CHANGED TO ACCEPT
iptables -P OUTPUT ACCEPT

#IPS WITHOUT PROXY
iptables -t nat -I PREROUTING -s 10.1.1.148 -p tcp --dport 80 -j ACCEPT

# REDIRECT RULE TO THE PROXY
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j MASQUERADE
iptables -A INPUT -i eth2 -p tcp -s 10.1.1.0/255.255.255.0 --dport 3128 -j ACCEPT
# note: with INPUT back at ACCEPT and the eth1 tcp/3128 DROP gone, no rule keeps the proxy port closed on the Internet side
echo "Internet started ...... [ok]"


To switch the rule to MAC, is it enough to replace the IP rule with this?
iptables -I INPUT -m mac --mac-source 00:26:B9:07:DE:B7 -s ! 10.1.1.15 -j DROP
iptables -t nat -I PREROUTING -s 10.1.1.15 -p tcp --dport 80 -j ACCEPT
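Pulling the thread together, as an added example that is neither the poster's nor Buckminster's script: a host bypasses the transparent proxy only when (a) its nat PREROUTING ACCEPT sits before the REDIRECT, since the first matching nat rule wins and ACCEPT there ends nat processing without rewriting the packet, and (b) the same packet is then also allowed in FORWARD. The reply 6 script set FORWARD to DROP without a FORWARD ACCEPT for the bypassed host's tcp/80 (the rule reply 2 had listed for the transparent case), which is consistent with the final fix only working once the policies went back to ACCEPT. The generator below keeps DROP policies, emits both rules per host, answers the MAC question from the last post, and keeps tcp/3128 closed on the WAN side. Interface names (eth2 LAN, eth1 WAN), the LAN prefix, the proxy port and the sample hosts are assumptions taken from the thread; by default it prints the rules (dry run) and applies them only when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script): emit an ordered
# iptables ruleset in which listed LAN hosts/MACs bypass the Squid REDIRECT
# while everyone else on the LAN is still forced through it.
# Assumptions (overridable via environment): eth2 = LAN, eth1 = WAN,
# LAN 10.1.1.0/24, Squid on tcp/3128. IPT defaults to "echo iptables" so the
# script only prints; IPT=iptables SYSCTL=sysctl applies the rules as root.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
LAN_IF="${LAN_IF:-eth2}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.1.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Accept only a dotted-quad IPv4 address with every octet in 0..255. An entry
# like '$10.1.1.15' (the typo in the thread's first script) is rejected here
# instead of being handed to iptables after shell expansion.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# proxy_rules "<ip> <ip> ..." "<mac> <mac> ..."
proxy_rules() {
    bypass_ips=$1
    bypass_macs=$2
    for ip in $bypass_ips; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    for mac in $bypass_macs; do
        valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    done

    # 1. Clean slate, routing on, deny-by-default for traffic to and through the box.
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 2. Bypass entries are appended to nat PREROUTING *before* the REDIRECT, so
    #    they match first and the packet leaves nat unrewritten. It then hits
    #    FORWARD, whose policy is DROP, so each host needs an ACCEPT there too.
    #    -m mac matches the frame's source on the ingress interface only, hence
    #    -i "$LAN_IF"; it is not available in POSTROUTING or OUTPUT.
    for ip in $bypass_ips; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$ip" -p tcp --dport 80 -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" -p tcp --dport 80 -j ACCEPT
    done
    for mac in $bypass_macs; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" -p tcp --dport 80 -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m mac --mac-source "$mac" -p tcp --dport 80 -j ACCEPT
    done

    # 3. Everyone else on the LAN is redirected into Squid; the proxy port is
    #    opened on the LAN side only.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # 4. Other LAN traffic (443, mail, DNS, ...) is forwarded and masqueraded;
    #    tcp/80 is excluded because step 2 or 3 already decided it.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp ! --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p icmp -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # 5. Probes of the proxy port from the WAN side are logged (rate-limited) and
    #    dropped; the DROP policy would discard them anyway, the LOG makes them visible.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$PROXY_PORT" -m limit --limit 5/min -j LOG --log-prefix 'PROXY-PROBE '
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$PROXY_PORT" -j DROP
}

# Dry run with the hosts named in the thread.
proxy_rules "10.1.1.15 10.1.1.148" "00:26:b9:07:de:b7"
```

On the MAC question: a rule in the INPUT chain only ever sees packets addressed to the firewall itself, so it cannot select which forwarded traffic bypasses the proxy; the selection has to happen in nat PREROUTING (and be mirrored in FORWARD once that chain's policy is DROP), which is what the mac loop above does.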






