Problema com Squid transparente.

sheikoso escreveu:

Pessoal, configurei um proxy transparente em um servidor Debian. O problema é que quando adiciono no iptables o direcionamento pro squid, o squid passa a bloquear quase tudo. E quando eu tiro o direcionamento e coloco manualmente o servidor proxy no navegador, funciona de boa, bloqueia só o que eu defini. O que deve ser?

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 10.190.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl dominiosbloqueados url_regex -i "/etc/squid3/regras/dominiosbloqueados"
acl arquivos urlpath_regex -i \.mp3$ \.exe$ \.iso$ \.bat$
acl liberados url_regex -i "/etc/squid3/regras/liberados"


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
http_access deny dominiosbloqueados
http_access allow liberados
#http_access deny arquivos
http_access allow localnet
http_access allow localhost
http_access deny all


# Squid normally listens to port 3128
http_port 3128

#Default:
cache_mem 256 MB

#Default:
cache_log /var/log/squid3/cache.log

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# TAG: quick_abort_min (KB)
#Default:
# quick_abort_min 16 KB

# TAG: quick_abort_max (KB)
#Default:
# quick_abort_max 16 KB

#!/bin/bash
echo "Ativando compartilhamento "

# Ativando Roteamento de pacote
echo 1 > /proc/sys/net/ipv4/ip_forward

# adicionando módulos no kernel
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack

# limpando todas as regras pré-existentes no iptables
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F

# NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 10.190.0.0/255.255.0.0 -o eth1 -j MASQUERADE

#Redirecionamento proxy 3128
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -s 10.190.0.0/255.255.0.0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#Redirecionamento NFE#
iptables -t nat -A PREROUTING -d $IP$ -p tcp --dport 5661 -j DNAT --to 10.190.0.3:8080

##Cameras Semed##
iptables -t nat -A PREROUTING -d $IP$ -p tcp --dport 1001 -j DNAT --to 10.190.0.105:1001
iptables -t nat -A PREROUTING -d $IP$ -p tcp --dport 34568 -j DNAT --to 10.190.0.105:34568

##Cameras Almox##
iptables -t nat -A PREROUTING -d $IP$ -p tcp --dport 1002 -j DNAT --to 10.190.0.44:1002
iptables -t nat -A PREROUTING -d $IP$ -p tcp --dport 34569 -j DNAT --to 10.190.0.44:34569

##Cameras SEMPRU##
iptables -t nat -A PREROUTING -d $IP$ -p tcp --dport 100 -j DNAT --to 10.190.0.103:1000
iptables -t nat -A PREROUTING -d $IP$ -p tcp --dport 100 -j DNAT --to 10.190.0.103:34567

#Ip Interno Fora do Proxy
#iptables -t nat -I PREROUTING -s 10.190.0.pc -p tcp –dport 80 -j ACCEPT

echo " Compartilhamento ativado"