Problema com WLM

1. Problema com WLM

jofre
(usa Outra)

Enviado em 10/09/2012 - 19:25h

Boa noite, estou com problema para acessar o msn em minha rede... estou com um servidor proxy e com um firewall, porem algo esta me bloqueando de acessar o msn... Meu squid é com autenticação e eu gostaria que alguns usuarios acessasem o msn e outro não.
meu SQUID esta assim:

#########################################
# Porta,Nome e Cache #
#########################################
http_port 3128
visible_hostname RSD
cache_mem 150 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 256 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

#########################################
# Paginas de bloqueio #
#########################################
error_directory /usr/share/squid3/errors/pt-br

#########################################
# Log #
#########################################

cache_access_log /var/log/squid3/access.log
cache_store_log /var/log/squid3/store.log
cache_log /var/log/squid3/cache.log
cache_dir ufs /var/spool/squid3 20000 16 256

#########################################
# Range de ip darede #
#########################################

acl redelocal src 192.168.10.254/24

#########################################
# ACLs #
#########################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
#acl SSL_ports port port 443 563
acl Safe_ports port 407 #msn
acl Safe_ports port 1863 #msn2
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # portas altas
acl purge method PURGE
acl CONNECT method CONNECT

#########################################
# Direitos de Acesso #
#########################################

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

########################################
# acesso java #
########################################
acl sitesespeciais url_regex -i www.tjms.jus.br
no_cache deny sitesespeciais
always_direct allow sitesespeciais

#acl java browser Java/1.4 Java/1.5 Java/1.6
#http_access allow java

#acl mp3 req_mime_type -i ^audio/mpeg$
#acl msn req_mime_type -i ^application/x-msn-messenger$
#acl zip req_mime_type -i ^application/x-zip-compressed$
#acl exe req_mime_type -i ^application/octet-stream$
#acl jpeg req_mime_type -i ^image/jpeg$
#acl bmp req_mime_type -i ^image/bmp$
#acl javascript req_mime_type -i ^application/x-javascript$

#########################################
# USANDO NCSA_AUTH #
#########################################

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
auth_param basic realm Entre com o Usuario e Senha.
auth_param basic children 5
auth_param basic casesensitive off
acl autenticados proxy_auth REQUIRED

#########################################
# usuarios com tudo liberado #
#########################################
acl accesso_full proxy_auth "/etc/squid3/acessos/acesso_full"
http_access allow accesso_full

########################################
# controle de banda #
########################################
acl banda_boss proxy_auth "/etc/squid3/banda/boss"
acl banda_normal proxy_auth "/etc/squid3/banda/normal"
delay_pools 2
delay_class 1 2
delay_class 2 2
delay_access 1 allow banda_boss
delay_access 2 allow banda_normal
delay_parameters 1 -1/-1 -1/-1
delay_parameters 2 25000/25000 25000/25000

#########################################
# Bloqueios #
#########################################

acl bloquear_palavras url_regex -i "/etc/squid3/bloqueio/bloqueio_palavras"

#acl login_live url_regex -i login.live.com
#http_access allow login_live

#acl msn url_regex -i "/etc/squid3/bloqueio/bloqueio_msn"
#acl acesso_total proxy_auth -i "/etc/squid3/acessos/acesso_msn" #lista de usuários com acesso full e ao MSN
#http_access deny !acesso_total msn

acl msnmessenger url_regex -i gateway/gateway.dll? live.com msn.com msads.net atdmt.com serving-sys.com hotmail.com
acl MSN rep_mime_type -i ^application/x-msn-messenger$

#Usuarios com acesso ao MSN
acl commsn src "/etc/squid3/acessos/acesso_msn"
#Libera o acesso ao msn para os usuários do grupo "commsn"
http_access allow commsn MSN
http_access allow commsn msnmessenger

#sites de acesso ao msn
acl webmsn url_regex "/etc/squid3/bloqueio/bloqueio_msn"
#Libera o acesso aos sites de acesso ao msn para os usuários do grupo "commsn"
http_access allow commsn webmsn

#Fecha o acesso ao MSN e WEBMSN para os outros usuários
http_access deny MSN
http_access deny msnmessenger
http_access deny webmsn

#########################################
# BLOQUEIA ORKUT #
#########################################

acl bloquear_orkut url_regex -i "/etc/squid3/bloqueio/bloqueio_orkut"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
http_access deny bloquear_orkut !acesso_orkut

#########################################
# BLOQUEIA FACEBOOK #
#########################################

acl bloquear_facebook url_regex -i "/etc/squid3/bloqueio/bloqueio_facebook"
acl acesso_facebook proxy_auth "/etc/squid3/acessos/acesso_facebook"
http_access deny bloquear_facebook !acesso_facebook

#########################################
# BLOQUEIA TWITTER #
#########################################

acl bloquear_twitter url_regex -i "/etc/squid3/bloqueio/bloqueio_twitter"
acl acesso_twitter proxy_auth "/etc/squid3/acessos/acesso_twitter"
http_access deny bloquear_twitter !acesso_twitter

#########################################
##### BLOQUEIA GOOGLE TALK ##############
#########################################

acl bloquear_googletalk url_regex -i "/etc/squid3/bloqueio/bloqueio_googletalk"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk"
http_access deny bloquear_googletalk !acesso_googletalk

#########################################
# BLOQUEIA YOUTUBE #
#########################################

acl bloquear_youtube url_regex -i "/etc/squid3/bloqueio/bloqueio_youtube"
acl acesso_youtube proxy_auth "/etc/squid3/acessos/acesso_youtube"
http_access deny bloquear_youtube !acesso_youtube

acl sitesespeciais url_regex -i www.tjms.jus.br
no_cache deny sitesespeciais
always_direct allow sitesespeciais

http_access deny bloquear_palavras
http_access allow autenticados
http_access allow localhost
http_access allow redelocal
http_access deny all

E meu firewall está assim

#!/bin/bash

#######################################################
# SCRIPT DE FIREWALL PARA FINS DE APRENDIZADO, MODIFIQUE-O A SEU GOSTO #
# Criado por phrich #
#######################################################

###################
# DECLARANDO VARIÁVEIS #
###################

# Interface de rede que recebe a internet
IFACE_WEB="eth0"

# Interface de rede ligada a rede interna
IFACE_LAN="eth1"

# Rede interna
REDE_INTERNA="192.168.10.254/24"

#####################################################################
# FUNÇÃO STOP #
# Esta função limpa todas as regras e libera todos os acessos, caso necessite de redirecionamentos (NAT) #
# Favor incluir as linhas referentes a nat, que não está incluso neste exemplo #
#####################################################################

# Cria a função

function stop() {

# Limpa todas as regras
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Coloca as políticas padrões como ACCEPT, liberando todo e qualquer acesso
iptables -A INPUT -P ACCEPT
iptables -A OUTPUT -P ACCEPT
iptables -A FORWARD -P ACCEPT

# Habilita o roteamento no kernel #
echo 1 > /proc/sys/net/ipv4/ip_forward

# Compartilha a internet
iptables -t nat -A POSTROUTING -o $IFACE_WEB -j MASQUERADE

# Fecha a função
}

# FIM DA FUNÇÃO STOP #

####################################################################
# FUNÇÃO START #
# Esta função tem por finalidade setar as regras a fim de realizar as liberações, pois trabalharemos com #
# as políticas do iptables como DROP #
####################################################################

# Cria a função
function start () {

# Limpa as regras criadas anteriormente #

# Limpa a tabela filter
iptables -F

# Limpa a tabela nat
iptables -t nat -F

# Limpa a tabela mangle
iptables -t mangle -F

# Coloca as políticas padrões como DROP, ou seja nenhum acesso foi liberado #

#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP

# Carrega módulos #

# Em alguns casos esses módulos serão úteis, realize uma pesquisa sobre cada um #
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe nf_conntrack_ipv4
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe nf_nat
/sbin/modprobe nf_conntrack
/sbin/modprobe x_tables
/sbin/modprobe nf_nat_pptp

# Habilita o roteamento no kernel #
echo 1 > /proc/sys/net/ipv4/ip_forward

# Compartilha a internet
iptables -t nat -A POSTROUTING -o $IFACE_WEB -j MASQUERADE

#############
# REGRAS DE NAT #
#############

# Acesso remoto via RDP para um host RWindows
iptables -t nat -A PREROUTING -i $IFACE_WEB -p tcp --dport 3389 -j REDIRECT --to 192.168.10.1:3389

###############
# REGRAS DE INPUT #
###############

# Libera o squid a partir da rede interna
iptables -A INPUT -p tcp --dport 5005 -s $LAN -j ACCEPT

# Libera SSH Apenas para a rede interna
iptables -A INPUT -p tcp --dport 22 -s $LAN -j ACCEPT

################
# FIREWALL #
################

iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED --dport 3128 -j ACCEPT

#################
# CERTIFICADO #
#################

#iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
#iptables -A FORWARD -p udp --dport 443 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#iptables -A INPUT -p udp --dport 443 -j ACCEPT

################
# REGRAS DE OUTPUT #
################

# Libera as portas 80 e 443 apenas para localhost
iptables -A OUTPUT -p tcp -m multiport --dports 80,443,1863 -j ACCEPT

# Libera DNS apenas para localhost
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Libera FTP para localhost (muito útil para o apt-get, yum, etc)
iptables -A OUTPUT -p tcp -m multiport --dports 20,21 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 20,21 -j ACCEPT

#################
# REGRAS DE FORWARD #
#################

# Libera o acesso a clientes de email, pop e smtp
iptables -A FORWARD -p tcp -m multiport --dports 25,110 -j ACCEPT

# Fecha a função
}

# FIM DA FUNÇÃO START #

############################
# CRIANDO OS PARÂMETROS DO SCRIPT #
############################

#Aqui serão definidos os parâmetros:

# start = Ativa todas as regras, realizando os bloqueios e liberações
# stop = Limpa todoas as regras, "libera geral" ;-)
#restart = Carrega novas regras inseridas posteriormente

case $1 in

start)
start
;;

stop)
stop
;;

restart)
stop
start
;;

*)
echo "Erro, utilize os seguintes parâmetros: start | stop | restart"
exit 0
;;

esac

# FIM DO SCRIPT DE FIREWALL #

QUANDO TENTO LOGAR APARECE O SEGUINTE ERRO:

1347315638.695 1197 192.168.10.12 TCP_MISS/200 6643 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll? renatodias DIRECT/65.55.64.254 application/x-msn-messenger
1347315639.294 554 192.168.10.12 TCP_MISS/200 382 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315641.309 552 192.168.10.12 TCP_MISS/200 381 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315643.323 551 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315645.336 554 192.168.10.12 TCP_MISS/200 382 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315647.353 558 192.168.10.12 TCP_MISS/200 382 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315649.357 550 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315651.394 575 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315653.391 559 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315655.393 550 192.168.10.12 TCP_MISS/200 382 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315657.411 554 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315659.430 561 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315659.841 0 192.168.10.12 TCP_DENIED/407 3597 POST http://ssw.live.com/uploaddata.aspx - NONE/- text/html

Meu msn eh o WLM o proxy jah esta configurado nele e quando eu mando ele solucionar o problema ele aparece q o servidor proxy esta OK... Soh esta dando erro na portas principais...

Alguem poderia me dar uma luz?

0 0

Quote