Problema com squid e iptables
1. Problema com squid e iptables
jofre
(usa Outra)
Enviado em 23/08/2012 - 17:57h
antes de mais nada deem uma olhada no meu squid.conf e no meu iptables.confroot@Renato:/etc/init.d# sudo cat /etc/init.d/iptables.conf
#!/bin/bash
#######################################################
# SCRIPT DE FIREWALL PARA FINS DE APRENDIZADO, MODIFIQUE-O A SEU GOSTO #
# Criado por phrich #
#######################################################
###################
# DECLARANDO VARIÁVEIS #
###################
# Interface de rede que recebe a internet
IFACE_WEB="eth0"
# Interface de rede ligada a rede interna
IFACE_LAN="wlan0"
# Rede interna
REDE_INTERNA="192.168.1.100/24"
#####################################################################
# FUNÇÃO STOP #
# Esta função limpa todas as regras e libera todos os acessos, caso necessite de redirecionamentos (NAT) #
# Favor incluir as linhas referentes a nat, que não está incluso neste exemplo #
#####################################################################
# Cria a função
function stop() {
# Limpa todas as regras
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Coloca as políticas padrões como ACCEPT, liberando todo e qualquer acesso
iptables -A INPUT -P ACCEPT
iptables -A OUTPUT -P ACCEPT
iptables -A FORWARD -P ACCEPT
# Habilita o roteamento no kernel #
echo 1 > /proc/sys/net/ipv4/ip_forward
# Compartilha a internet
iptables -t nat -A POSTROUTING -o $IFACE_WEB -j MASQUERADE
# Fecha a função
}
# FIM DA FUNÇÃO STOP #
####################################################################
# FUNÇÃO START #
# Esta função tem por finalidade setar as regras a fim de realizar as liberações, pois trabalharemos com #
# as políticas do iptables como DROP #
####################################################################
# Cria a função
function start () {
# Limpa as regras criadas anteriormente #
# Limpa a tabela filter
iptables -F
# Limpa a tabela nat
iptables -t nat -F
# Limpa a tabela mangle
iptables -t mangle -F
# Coloca as políticas padrões como DROP, ou seja nenhum acesso foi liberado #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Carrega módulos #
# Em alguns casos esses módulos serão úteis, realize uma pesquisa sobre cada um #
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe nf_conntrack_ipv4
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe nf_nat
/sbin/modprobe nf_conntrack
/sbin/modprobe x_tables
/sbin/modprobe nf_nat_pptp
# Habilita o roteamento no kernel #
echo 1 > /proc/sys/net/ipv4/ip_forward
# Compartilha a internet
iptables -t nat -A POSTROUTING -o $IFACE_WEB -j MASQUERADE
#############
# REGRAS DE NAT #
#############
# Acesso remoto via RDP para um host RWindows
iptables -t nat -A PREROUTING -i $IFACE_WEB -p tcp --dport 3389 -j REDIRECT --to 192.168.1.100:3389
###############
# REGRAS DE INPUT #
###############
# Libera o squid a partir da rede interna
iptables -A INPUT -p tcp --dport 5005 -s $LAN -j ACCEPT
# Libera SSH Apenas para a rede interna
iptables -A INPUT -p tcp --dport 22 -s $LAN -j ACCEPT
################
# REGRAS DE OUTPUT #
################
# Libera as portas 80 e 443 apenas para localhost
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Libera DNS apenas para localhost
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# Libera FTP para localhost (muito útil para o apt-get, yum, etc)
iptables -A OUTPUT -p tcp -m multiport --dports 20,21 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 20,21 -j ACCEPT
#################
# REGRAS DE FORWARD #
#################
# Libera o acesso a clientes de email, pop e smtp
iptables -A FORWARD -p tcp -m multiport --dports 25,110 -j ACCEPT
# Fecha a função
}
# FIM DA FUNÇÃO START #
############################
# CRIANDO OS PARÂMETROS DO SCRIPT #
############################
#Aqui serão definidos os parâmetros:
# start = Ativa todas as regras, realizando os bloqueios e liberações
# stop = Limpa todoas as regras, "libera geral" ;-)
#restart = Carrega novas regras inseridas posteriormente
case $1 in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "Erro, utilize os seguintes parâmetros: start | stop | restart"
exit 0
;;
esac
# FIM DO SCRIPT DE FIREWALL #
root@Renato:/etc/init.d#
##################################################################################################
root@Renato:/etc/init.d# sudo cat /etc/squid3/squid.conf
#########################################
# Porta,Nome e Cache #
#########################################
http_port 5005
visible_hostname RSD
cache_mem 150 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 256 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
#########################################
# Paginas de bloqueio #
#########################################
error_directory /usr/share/squid3/errors/pt-br
#########################################
# Log #
#########################################
cache_access_log /var/log/squid3/access.log
cache_store_log /var/log/squid3/store.log
cache_log /var/squid3/logs/cache.log
cache_dir ufs /var/spool/squid3 20000 16 256
#########################################
# Range de ip darede #
#########################################
acl redelocal src 192.168.1.254/24
#########################################
# ACLs #
#########################################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
#acl SSL_ports port port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # portas altas
acl purge method PURGE
acl CONNECT method CONNECT
#########################################
# Direitos de Acesso #
#########################################
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
#########################################
# USANDO NCSA_AUTH #
#########################################
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/squid_passwd
auth_param basic realm Entre com o Usuario e Senha.
auth_param basic children 5
auth_param basic casesensitive off
acl autenticados proxy_auth REQUIRED
#########################################
# usuarios com tudo liberado #
#########################################
acl accesso_full proxy_auth "/etc/squid3/acessos/acesso_full"
http_access allow accesso_full
########################################
# controle de banda #
########################################
acl banda_boss proxy_auth "/etc/squid3/banda/boss"
acl banda_normal proxy_auth "/etc/squid3/banda/normal"
delay_pools 2
delay_class 1 2
delay_class 2 2
delay_access 1 allow banda_boss
delay_access 2 allow banda_normal
delay_parameters 1 -1/-1 -1/-1
delay_parameters 2 25000/25000 25000/25000
#########################################
# Bloqueios #
#########################################
acl bloquear_palavras url_regex -i "/etc/squid3/bloqueio/bloqueio_palavras"
acl bloquear_msn dstdomain "/etc/squid3/bloqueio/bloqueio_msn"
acl acesso_msn proxy_auth "/etc/squid3/acessos/acesso_msn
http_access deny bloquear_msn !acesso_msn
#########################################
# BLOQUEIA ORKUT #
#########################################
acl bloquear_orkut url_regex -i "/etc/squid3/bloqueio/bloqueio_orkut"
acl acesso_orkut proxy_auth "/etc/squid3/acessos/acesso_orkut"
http_access deny bloquear_orkut !acesso_orkut
#########################################
# BLOQUEIA FACEBOOK #
#########################################
acl bloquear_facebook url_regex -i "/etc/squid3/bloqueio/bloqueio_facebook"
acl acesso_facebook proxy_auth "/etc/squid3/acessos/acesso_facebook"
http_access deny bloquear_facebook !acesso_facebook
#########################################
# BLOQUEIA TWITTER #
#########################################
acl bloquear_twitter url_regex -i "/etc/squid3/bloqueio/bloqueio_twitter"
acl acesso_twitter proxy_auth "/etc/squid3/acessos/acesso_twitter"
http_access deny bloquear_twitter !acesso_twitter
#########################################
##### BLOQUEIA GOOGLE TALK ##############
#########################################
acl bloquear_googletalk url_regex -i "/etc/squid3/bloqueio/bloqueio_googletalk"
acl acesso_googletalk proxy_auth "/etc/squid3/acessos/acesso_googletalk"
http_access deny bloquear_googletalk !acesso_googletalk
#########################################
# BLOQUEIA YOUTUBE #
#########################################
acl bloquear_youtube url_regex -i "/etc/squid3/bloqueio/bloqueio_youtube"
acl acesso_youtube proxy_auth "/etc/squid3/acessos/acesso_youtube"
http_access deny bloquear_youtube !acesso_youtube
http_access deny bloquear_palavras
http_access allow autenticados
http_access allow localhost
http_access allow redelocal
http_access deny all
Problemas:
1 - iptables quando ativo não deixa navegar em nada.
2 - não consegui de forma alguma bloquear o msn (gostaria de dexar abilitado para alguns usuarios por autenticação.
3 - meu squid só funciona com o navegador configurado, caso o usuario tire o proxy ele navega normalmente.
Especificações:
squid3
ubuntu
ip do servidor - 192.168.1.100
Obrigado pela ajuda.