guitgomes100
(usa Outra)
Enviado em 30/11/2009 - 14:12h
Oi pessoal, estou com alguns problemas com minha integração entre o Squid 2.6 e o firewall. Alguns sites não abrem, como Gmail e Yahoo, e o MSN das estações sem restrição também não funciona. Não tenho muito conhecimento nesta área e gostaria de uma ajuda, se possível. Os micros que têm acesso total também não estão funcionando com tudo liberado. Desde já agradeço a colaboração de todos.
Squid.conf
# Squid 2.6 configuration as posted: a transparent proxy on port 3128 for the
# 20.20.20.0/24 LAN. Only traffic the firewall REDIRECTs to 3128 (TCP 80 in
# the accompanying iptables script) ever reaches these rules; HTTPS (443) is
# not intercepted here and depends on the firewall's FORWARD chain instead.
error_directory /usr/share/squid/errors/Portuguese
visible_hostname servidor
# Memory and disk cache sizing.
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 8192 16 256
cache_access_log /var/log/squid/access.log
# Freshness heuristics (min age, percent of object age, max age) in minutes.
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# Standard ACL definitions: "all" matches any source address.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# Ports CONNECT (tunnelling) is allowed to.
acl SSL_ports port 443 563
# Destination ports plain requests may use; anything else is denied below.
acl Safe_ports port 80 #http
acl Safe_ports port 21 #ftp
acl Safe_ports port 443 563 #https,snews
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 901 #swat
acl Safe_ports port 1025-65535 #high ports
acl purge method PURGE
acl CONNECT method CONNECT
#####CUSTOM ACLS#####
# MSN web gateway (matched case-insensitively anywhere in the URL).
acl msnmessenger url_regex -i gateway.dll
# Blocked domains and URL keywords are read from external lists, one per line.
acl proibidos dstdomain "/etc/squid/proibidos.txt"
acl palavras url_regex -i "/etc/squid/palavras.txt"
# The LAN; same range the firewall masquerades and redirects.
acl rede_local src 20.20.20.0/24
# http_access rules are evaluated top-down; the first match wins.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
#CUSTOM ACCESS RULES
# Blocks are evaluated before the LAN allow, so they apply to every LAN host
# whose traffic reaches the proxy (hosts in the firewall's "liberados" list
# bypass the REDIRECT and are never seen here).
http_access deny msnmessenger
http_access deny proibidos
http_access deny palavras
http_access allow rede_local
# Default deny for anything not matched above.
http_access deny all
# NOTE(review): no cache_peer is configured in this file, so ICP is unused;
# "icp_access deny all" would be the tighter default.
icp_access allow all
# Intercepting (transparent) listener; clients need no proxy settings.
http_port 3128 transparent
Firewall
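#!/bin/bash
# Firewall and NAT rules for the 20.20.20.0/24 LAN behind a transparent
# Squid proxy on port 3128. Judging by the -i arguments below, eth0 is the
# Internet side and eth1 the LAN side. Per-host lists live in /etc/squid/:
#   bloqueados.txt - hosts with no web access at all
#   liberados.txt  - hosts that bypass the proxy and all filtering
#   msn.txt        - hosts allowed to reach MSN (TCP 1863)
# Each list holds one source address or network per line; blank lines and
# lines starting with '#' are ignored, surrounding whitespace is trimmed.
# Rules are appended in the order written, and iptables matches first-wins:
# the "liberados" PREROUTING ACCEPT rules sit before the REDIRECT, so those
# hosts are never sent to the proxy.

# Reset: flush, delete user-defined chains and zero counters in nat and
# filter. This does not change chain policies (-P); they keep their value.
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -F
iptables -X
iptables -Z

# Enable IPv4 forwarding: MASQUERADE and the FORWARD rules below only take
# effect when the kernel routes packets between eth1 and eth0. Harmless if
# it is already enabled via sysctl.
echo 1 > /proc/sys/net/ipv4/ip_forward

#######################################
# Print the entries of a host list, one per line, skipping blank lines and
# '#' comments. A missing or unreadable file yields no entries and a warning
# on stderr; the script keeps going, as the original did when cat failed.
# Arguments: $1 - path of the list file
# Outputs:   one address/network per line on stdout
#######################################
list_hosts() {
  local file=$1
  [[ -r "$file" ]] || printf 'aviso: lista %s nao encontrada ou sem leitura\n' "$file" >&2
  # -s keeps grep quiet about a missing file; the warning above covers it.
  grep -s -v -E '^[[:space:]]*(#|$)' -- "$file"
}

# Close the proxy port to the Internet side (only the LAN may use Squid).
#iptables -A INPUT -p tcp --dport 80 -i eth0 -j DROP
iptables -A INPUT -p tcp --dport 3128 -i eth0 -j DROP

# Share the Internet connection (source NAT for the LAN).
#iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 20.20.20.0/24 -o eth0 -j MASQUERADE

# Room for services allowed between clients (currently none).
#iptables -A FORWARD -s 20.20.20.0/24 -d servidor -j ACCEPT
#iptables -A FORWARD -d 20.20.20.0/24 -s servidor -j ACCEPT
# Block remaining client-to-client traffic that crosses this box.
iptables -A FORWARD -s 20.20.20.0/24 -d 20.20.20.0/24 -j DROP

# Fully blocked clients: no forwarded HTTP and no new connections at all.
# NOTE(review): a DROP in the nat table only sees the first packet of each
# connection and may be rejected by some iptables builds; the filter table
# (INPUT/FORWARD) is the conventional place for it.
# read -r keeps backslashes literal; the default IFS trims the line.
while read -r host; do
  iptables -A FORWARD -s "$host" -p tcp --dport 80 -j DROP
  iptables -t nat -A PREROUTING -s "$host" -j DROP
done < <(list_hosts /etc/squid/bloqueados.txt)

# Clients with unrestricted Internet: accepted before the REDIRECT below, so
# they bypass the proxy and are forwarded directly (needs ip_forward above).
while read -r host; do
  iptables -A FORWARD -s "$host" -j ACCEPT
  iptables -t nat -A PREROUTING -s "$host" -j ACCEPT
done < <(list_hosts /etc/squid/liberados.txt)

# MSN allowed for listed hosts; must precede the network-wide 1863 DROP.
while read -r host; do
  iptables -A FORWARD -s "$host" -p tcp --dport 1863 -i eth1 -j ACCEPT
done < <(list_hosts /etc/squid/msn.txt)

# Transparent proxy: only plain HTTP (TCP 80) is intercepted. HTTPS (443)
# is not redirected and relies on the FORWARD chain.
iptables -t nat -A PREROUTING -s 20.20.20.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Block MSN for everyone not listed in msn.txt.
iptables -A FORWARD -s 20.20.20.0/24 -p tcp --dport 1863 -j DROP
### END!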