Problema com WLM

1. Problema com WLM

Renato Dias
jofre

(usa Outra)

Enviado em 10/09/2012 - 19:25h

Boa noite, estou com problema para acessar o msn em minha rede... estou com um servidor proxy e com um firewall, porem algo esta me bloqueando de acessar o msn... Meu squid é com autenticação e eu gostaria que alguns usuarios acessasem o msn e outro não.
meu SQUID esta assim:


#########################################
# Porta,Nome e Cache #
#########################################
http_port 3128
visible_hostname RSD
cache_mem 150 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 256 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

#########################################
# Paginas de bloqueio #
#########################################
error_directory /usr/share/squid3/errors/pt-br

#########################################
# Log #
#########################################

cache_access_log /var/log/squid3/access.log
cache_store_log /var/log/squid3/store.log
cache_log /var/log/squid3/cache.log
cache_dir ufs /var/spool/squid3 20000 16 256

#########################################
# Range de ip darede #
#########################################

acl redelocal src 192.168.10.254/24

#########################################
# ACLs #
#########################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
#acl SSL_ports port port 443 563
acl Safe_ports port 407 #msn
acl Safe_ports port 1863 #msn2
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # portas altas
acl purge method PURGE
acl CONNECT method CONNECT

#########################################
# Direitos de Acesso #
#########################################

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge


########################################
# acesso java #
########################################
acl sitesespeciais url_regex -i www.tjms.jus.br
no_cache deny sitesespeciais
always_direct allow sitesespeciais


#acl java browser Java/1.4 Java/1.5 Java/1.6
#http_access allow java

#acl mp3 req_mime_type -i ^audio/mpeg$
#acl msn req_mime_type -i ^application/x-msn-messenger$
#acl zip req_mime_type -i ^application/x-zip-compressed$
#acl exe req_mime_type -i ^application/octet-stream$
#acl jpeg req_mime_type -i ^image/jpeg$
#acl bmp req_mime_type -i ^image/bmp$
#acl javascript req_mime_type -i ^application/x-javascript$

#########################################
# USANDO NCSA_AUTH #
#########################################

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
auth_param basic realm Entre com o Usuario e Senha.
auth_param basic children 5
auth_param basic casesensitive off
acl autenticados proxy_auth REQUIRED

#########################################
# usuarios com tudo liberado #
#########################################
acl accesso_full proxy_auth "/etc/squid3/acessos/acesso_full"
http_access allow accesso_full

########################################
# controle de banda #
########################################
acl banda_boss proxy_auth "/etc/squid3/banda/boss"
acl banda_normal proxy_auth "/etc/squid3/banda/normal"
delay_pools 2
delay_class 1 2
delay_class 2 2
delay_access 1 allow banda_boss
delay_access 2 allow banda_normal
delay_parameters 1 -1/-1 -1/-1
delay_parameters 2 25000/25000 25000/25000

#########################################
# Bloqueios #
#########################################

acl bloquear_palavras url_regex -i "/etc/squid3/bloqueio/bloqueio_palavras"

#acl login_live url_regex -i login.live.com
#http_access allow login_live

#acl msn url_regex -i "/etc/squid3/bloqueio/bloqueio_msn"
#acl acesso_total proxy_auth -i "/etc/squid3/acessos/acesso_msn" #lista de usuários com acesso full e ao MSN
#http_access deny !acesso_total msn

acl msnmessenger url_regex -i gateway/gateway.dll? live.com msn.com msads.net atdmt.com serving-sys.com hotmail.com
acl MSN rep_mime_type -i ^application/x-msn-messenger$

#Usuarios com acesso ao MSN
acl commsn src "/etc/squid3/acessos/acesso_msn"
#Libera o acesso ao msn para os usuários do grupo "commsn"
http_access allow commsn MSN
http_access allow commsn msnmessenger

#sites de acesso ao msn
acl webmsn url_regex "/etc/squid3/bloqueio/bloqueio_msn"
#Libera o acesso aos sites de acesso ao msn para os usuários do grupo "commsn"
http_access allow commsn webmsn


#Fecha o acesso ao MSN e WEBMSN para os outros usuários
http_access deny MSN
http_access deny msnmessenger
http_access deny webmsn

#########################################
# BLOQUEIA ORKUT #
#########################################

acl bloquear_orkut url_regex -i "/etc/squid3/bloqueio/bloqueio_orkut"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
http_access deny bloquear_orkut !acesso_orkut

#########################################
# BLOQUEIA FACEBOOK #
#########################################

acl bloquear_facebook url_regex -i "/etc/squid3/bloqueio/bloqueio_facebook"
acl acesso_facebook proxy_auth "/etc/squid3/acessos/acesso_facebook"
http_access deny bloquear_facebook !acesso_facebook

#########################################
# BLOQUEIA TWITTER #
#########################################

acl bloquear_twitter url_regex -i "/etc/squid3/bloqueio/bloqueio_twitter"
acl acesso_twitter proxy_auth "/etc/squid3/acessos/acesso_twitter"
http_access deny bloquear_twitter !acesso_twitter

#########################################
##### BLOQUEIA GOOGLE TALK ##############
#########################################

acl bloquear_googletalk url_regex -i "/etc/squid3/bloqueio/bloqueio_googletalk"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk"
http_access deny bloquear_googletalk !acesso_googletalk

#########################################
# BLOQUEIA YOUTUBE #
#########################################

acl bloquear_youtube url_regex -i "/etc/squid3/bloqueio/bloqueio_youtube"
acl acesso_youtube proxy_auth "/etc/squid3/acessos/acesso_youtube"
http_access deny bloquear_youtube !acesso_youtube


acl sitesespeciais url_regex -i www.tjms.jus.br
no_cache deny sitesespeciais
always_direct allow sitesespeciais


http_access deny bloquear_palavras
http_access allow autenticados
http_access allow localhost
http_access allow redelocal
http_access deny all


E meu firewall está assim


#!/bin/bash

#######################################################
# SCRIPT DE FIREWALL PARA FINS DE APRENDIZADO, MODIFIQUE-O A SEU GOSTO #
# Criado por phrich #
#######################################################

###################
# DECLARANDO VARIÁVEIS #
###################

# Interface de rede que recebe a internet
IFACE_WEB="eth0"

# Interface de rede ligada a rede interna
IFACE_LAN="eth1"

# Rede interna
REDE_INTERNA="192.168.10.254/24"

#####################################################################
# FUNÇÃO STOP #
# Esta função limpa todas as regras e libera todos os acessos, caso necessite de redirecionamentos (NAT) #
# Favor incluir as linhas referentes a nat, que não está incluso neste exemplo #
#####################################################################

# Cria a função

function stop() {

# Limpa todas as regras
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Coloca as políticas padrões como ACCEPT, liberando todo e qualquer acesso
iptables -A INPUT -P ACCEPT
iptables -A OUTPUT -P ACCEPT
iptables -A FORWARD -P ACCEPT

# Habilita o roteamento no kernel #
echo 1 > /proc/sys/net/ipv4/ip_forward

# Compartilha a internet
iptables -t nat -A POSTROUTING -o $IFACE_WEB -j MASQUERADE

# Fecha a função
}

# FIM DA FUNÇÃO STOP #


####################################################################
# FUNÇÃO START #
# Esta função tem por finalidade setar as regras a fim de realizar as liberações, pois trabalharemos com #
# as políticas do iptables como DROP #
####################################################################

# Cria a função
function start () {

# Limpa as regras criadas anteriormente #

# Limpa a tabela filter
iptables -F

# Limpa a tabela nat
iptables -t nat -F

# Limpa a tabela mangle
iptables -t mangle -F


# Coloca as políticas padrões como DROP, ou seja nenhum acesso foi liberado #

#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP

# Carrega módulos #

# Em alguns casos esses módulos serão úteis, realize uma pesquisa sobre cada um #
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe nf_conntrack_ipv4
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe nf_nat
/sbin/modprobe nf_conntrack
/sbin/modprobe x_tables
/sbin/modprobe nf_nat_pptp


# Habilita o roteamento no kernel #
echo 1 > /proc/sys/net/ipv4/ip_forward

# Compartilha a internet
iptables -t nat -A POSTROUTING -o $IFACE_WEB -j MASQUERADE

#############
# REGRAS DE NAT #
#############

# Acesso remoto via RDP para um host RWindows
iptables -t nat -A PREROUTING -i $IFACE_WEB -p tcp --dport 3389 -j REDIRECT --to 192.168.10.1:3389

###############
# REGRAS DE INPUT #
###############

# Libera o squid a partir da rede interna
iptables -A INPUT -p tcp --dport 5005 -s $LAN -j ACCEPT

# Libera SSH Apenas para a rede interna
iptables -A INPUT -p tcp --dport 22 -s $LAN -j ACCEPT

################
# FIREWALL #
################

iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED --dport 3128 -j ACCEPT

#################
# CERTIFICADO #
#################


#iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
#iptables -A FORWARD -p udp --dport 443 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#iptables -A INPUT -p udp --dport 443 -j ACCEPT

################
# REGRAS DE OUTPUT #
################

# Libera as portas 80 e 443 apenas para localhost
iptables -A OUTPUT -p tcp -m multiport --dports 80,443,1863 -j ACCEPT

# Libera DNS apenas para localhost
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Libera FTP para localhost (muito útil para o apt-get, yum, etc)
iptables -A OUTPUT -p tcp -m multiport --dports 20,21 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 20,21 -j ACCEPT

#################
# REGRAS DE FORWARD #
#################

# Libera o acesso a clientes de email, pop e smtp
iptables -A FORWARD -p tcp -m multiport --dports 25,110 -j ACCEPT

# Fecha a função
}

# FIM DA FUNÇÃO START #

############################
# CRIANDO OS PARÂMETROS DO SCRIPT #
############################

#Aqui serão definidos os parâmetros:

# start = Ativa todas as regras, realizando os bloqueios e liberações
# stop = Limpa todoas as regras, "libera geral" ;-)
#restart = Carrega novas regras inseridas posteriormente

case $1 in

start)
start
;;

stop)
stop
;;

restart)
stop
start
;;

*)
echo "Erro, utilize os seguintes parâmetros: start | stop | restart"
exit 0
;;

esac

# FIM DO SCRIPT DE FIREWALL #



QUANDO TENTO LOGAR APARECE O SEGUINTE ERRO:


1347315638.695 1197 192.168.10.12 TCP_MISS/200 6643 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll? renatodias DIRECT/65.55.64.254 application/x-msn-messenger
1347315639.294 554 192.168.10.12 TCP_MISS/200 382 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315641.309 552 192.168.10.12 TCP_MISS/200 381 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315643.323 551 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315645.336 554 192.168.10.12 TCP_MISS/200 382 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315647.353 558 192.168.10.12 TCP_MISS/200 382 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315649.357 550 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315651.394 575 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315653.391 559 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315655.393 550 192.168.10.12 TCP_MISS/200 382 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315657.411 554 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315659.430 561 192.168.10.12 TCP_MISS/200 383 POST http://65.55.71.160/gateway/gateway.dll? renatodias DIRECT/65.55.71.160 application/x-msn-messenger
1347315659.841 0 192.168.10.12 TCP_DENIED/407 3597 POST http://ssw.live.com/uploaddata.aspx - NONE/- text/html


Meu msn eh o WLM o proxy jah esta configurado nele e quando eu mando ele solucionar o problema ele aparece q o servidor proxy esta OK... Soh esta dando erro na portas principais...

Alguem poderia me dar uma luz?





  






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts