GFBeck
(usa Debian)
Enviado em 15/06/2015 - 08:09h
Fenix1978BR escreveu:
Confirma no /etc/passwd se o usuário do squid é o usuário proxy
Acho que no Debian, o nome de usuário do squid é diferente... pode ser o usuário squid.
Coloca seu squid.conf pra gente dar uma olhada.
Vc colocou o squid como transparente ou não?
Seguem minhas configurações do squid (que é o squid 3.4.8) e do iptables:
As regras comentadas são porque estou testando com o mínimo de bloqueios até conseguir fazer funcionar este site corretamente.
Se verificarem, eu tentei criar uma regra para não fazer cache do endereço, mas quando a ativo não consigo mais acessar o site (testei com outros endereços e a regra funciona).
---------------------------------------------------------------------------------------------------------------------
meu squid.conf:
# squid.conf as posted (Squid 3.4.8 according to the post). Section headings
# were translated to English; commented-out directives are kept exactly as
# posted. Lines marked NOTE(review) are reviewer remarks, not configuration.
#
# NOTE(review): basic auth sends the username:password base64-encoded, i.e.
# effectively in clear text, with every request — acceptable only because the
# proxy is reachable from the LAN alone.
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/usuarios/passwd
auth_param basic children 5
auth_param basic credentialsttl 1 hour
auth_param basic realm digite seu loguin e senha
auth_param basic casesensitive off
# DEFAULT PORT #
http_port 3128
# SERVER NAME #
visible_hostname firewall
acl localhosts src 192.168.0.0/24
# "autenticados" is defined but, with the group rules below commented out and
# "http_access allow all" at the end of the rule list, no http_access line
# ever consults it, so no client is currently asked to authenticate.
acl autenticados proxy_auth REQUIRED
# DEFAULT ACLs FOR ALLOWED PORTS #
# NOTE(review): CONNECT is permitted only to SSL_ports (see the deny rule
# after the list), so each port here is one a client may open a raw TCP
# tunnel to through the proxy. The Squid default is 443 alone; 21 (FTP) and
# 53 (DNS) in particular hand out a plain TCP tunnel to those services.
acl SSL_ports port 443
acl SSL_ports port 2095
acl SSL_ports port 2082
acl SSL_ports port 993
acl SSL_ports port 465
acl SSL_ports port 21
acl SSL_ports port 53
# Safe_ports: any destination port not listed here is denied for every
# method by "http_access deny !Safe_ports" below.
acl Safe_ports port 53
acl Safe_ports port 3389
acl Safe_ports port 993
acl Safe_ports port 465
acl Safe_ports port 8888
acl Safe_ports port 3050
acl Safe_ports port 80
acl Safe_ports port 82
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 445
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# General allow/deny ACLs #
#acl sem_cache url_regex -i "/etc/squid3/acls/sem_cache"
acl localhosts_diretoria src "/etc/squid3/acls/localhosts_diretoria"
acl liberado_geral url_regex -i "/etc/squid3/acls/liberado_geral"
acl bloqueio_geral url_regex -i "/etc/squid3/acls/bloqueio_geral"
# NOTE(review): in Squid 3.x the directive is "cache deny <acl>"; "no_cache"
# is the pre-3.0 spelling. A cache/no_cache deny rule only stops the matched
# URLs from being cached — it does not deny access by itself — so if enabling
# this line makes the site unreachable, look in cache.log for a parse error or
# warning on this directive rather than in the ACL file.
#no_cache deny sem_cache
# Rule order matters: the first http_access line that matches decides.
http_access allow localhosts_diretoria
http_access allow localhosts liberado_geral
http_access deny localhosts bloqueio_geral
# NOTE(review): this closing "allow all" admits any source that reaches port
# 3128, unauthenticated; at the moment only the posted iptables rule that
# accepts 3128 on the LAN interface limits who that is. A
# "http_access deny !localhosts" placed before it keeps the proxy LAN-only
# independently of the firewall, and the commented group rules below only
# take effect if they are moved above this line.
http_access allow all
# User group ACLs #
#acl TI proxy_auth "/etc/squid3/usuarios/TI"
#acl diretoria proxy_auth "/etc/squid3/acls/diretoria"
#acl recepcao proxy_auth "/etc/squid3/usuarios/recepcao"
#acl atendimento proxy_auth "/etc/squid3/usuarios/atendimento"
#acl montagem proxy_auth "/etc/squid3/usuarios/montagem"
# Group allow/deny ACLs #
#acl sites_recepcao url_regex -i "/etc/squid3/acls/sites_recepcao"
#acl sites_atendimento url_regex -i "/etc/squid3/acls/sites_atendimento"
#acl sites_montagem url_regex -i "/etc/squid3/acls/sites_montagem"
#http_access allow localhosts autenticados TI
#http_access allow localhosts autenticados diretoria
#http_access allow localhosts autenticados liberado_geral
#http_access deny localhosts autenticados bloqueio_geral
#http_access deny localhosts autenticados recepcao sites_recepcao
#http_access deny localhosts autenticados atendimento sites_atendimento
#http_access deny localhosts autenticados montagem sites_montagem
#http_access allow all
# NOTE(review): hierarchy_stoplist is still accepted by 3.4 but was removed
# in later 3.x releases (3.5) — check before upgrading.
hierarchy_stoplist cgi-bin \?
# SQUID CACHE #
cache_mem 512 MB
maximum_object_size_in_memory 50 MB
cache_dir ufs /var/spool/squid3 5120 16 256
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
minimum_object_size 0 KB
maximum_object_size 1 GB
cache_swap_low 90
cache_swap_high 95
# NOTE(review): "access_log" is the Squid 3 name of this directive;
# "cache_access_log" is the legacy spelling — confirm cache.log does not
# report it as unknown or deprecated.
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
coredump_dir /var/cache_squid3
# CACHE TUNING #
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
-------------------------------------------------------------------------------------------------------------------
meu iptables:
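#!/bin/sh
# Firewall/NAT script for a two-interface gateway: WAN on eth0, LAN on eth1,
# Squid listening on 3128 for the 192.168.0.0/24 network. Must run as root.
# Every chain is flushed and rebuilt on each run; the default policy is DROP
# on all three filter chains. The Portuguese status lines printed by "echo"
# are kept exactly as in the original.
############ Define variables ########################################
echo "Definindo variaveis..................................................[..]"
WAN=eth0
LAN=eth1
REDE_INTERNA=192.168.0.0/24
echo "Variaveis ...........................................................[OK]"
# LOADING MODULES #
echo "Carregando Modulos ..................................................[..]"
# NOTE(review): these are the old (2.6-era) netfilter module names; newer
# kernels use nf_conntrack, nf_nat_ftp etc. A missing module only prints an
# error here because the script intentionally does not run under "set -e".
modprobe ip_tables
modprobe ipt_limit
modprobe ipt_state
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_multiport
modprobe iptable_filter
#modprobe ip_queue
modprobe ipt_ttl
modprobe ipt_mac
modprobe ipt_owner
modprobe ipt_tcpmss
modprobe iptable_nat
modprobe iptable_mangle
modprobe ipt_tos
modprobe ip_nat_ftp
echo "Modulos .............................................................[OK]"
# ENABLING ROUTING #
echo "Ativando roteamento..................................................[..]"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Roteamento ..........................................................[OK]"
## Flushing iptables rules ##
echo "Limpando Regras......................................................[..]"
# "-F" with no chain name flushes every chain of the table, so the per-chain
# flushes the original issued afterwards were redundant and are dropped.
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
echo "Regras ..............................................................[OK]"
###############################################################
############ Policies ##########################################
###############################################################
echo "Dropando tudo........................................................[..]"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "DROP ................................................................[OK]"
###############################################################
############## NAT #############################################
###############################################################
echo "Definindo NAT........................................................[..]"
## Masquerade the internal network behind the WAN address ##
iptables -t nat -A POSTROUTING -s "$REDE_INTERNA" -o "$WAN" -j MASQUERADE
echo "NAT .................................................................[OK]"
###############################################################
############ INPUT ##############################################
###############################################################
echo "Definindo INPUT......................................................[..]"
# Loopback has to be opened explicitly: with a DROP policy and no "lo" rule,
# local services talking to 127.0.0.1 (the resolver, Squid itself, ...) are
# silently dropped.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## General inbound allowances, LAN interface only ##
# The original accepted 22 (SSH) and 3000 on every interface, which
# contradicted this heading and exposed both services to the WAN side. They
# are now bound to $LAN like the other rules; if remote administration over
# the WAN is really needed, add a separate rule restricted to the admin
# source address.
iptables -A INPUT -i "$LAN" -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i "$LAN" -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i "$LAN" -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -i "$LAN" -p icmp -j ACCEPT
echo "INPUT ...............................................................[OK]"
###############################################################
############ OUTPUT #############################################
###############################################################
echo "Definindo OUTPUT.....................................................[..]"
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## General outbound allowances ##
# NOTE(review): Squid runs on this host, so every destination port it is
# allowed to reach (the SSL_ports/Safe_ports lists in squid.conf, e.g. 993
# and 465) must also be accepted here; otherwise a CONNECT to such a port
# fails at this firewall, not inside Squid.
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3000 -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
echo "OUTPUT ..............................................................[OK]"
###############################################################
############ FORWARD ############################################
###############################################################
echo "Definindo FORWARD....................................................[..]"
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
########## IPs WITHOUT PROXY (FULLY ALLOWED) ##########
# These hosts bypass the proxy for any destination. Binding each rule to
# $LAN stops a packet arriving on the WAN with a forged internal source
# address from matching.
iptables -A FORWARD -i "$LAN" -s 192.168.0.3 -j ACCEPT
iptables -A FORWARD -i "$LAN" -s 192.168.0.4 -j ACCEPT
iptables -A FORWARD -i "$LAN" -s 192.168.0.5 -j ACCEPT
iptables -A FORWARD -i "$LAN" -s 192.168.0.9 -j ACCEPT
iptables -A FORWARD -i "$LAN" -s 192.168.0.190 -p tcp -j ACCEPT
#####################################################
########## ICMP from REDE_INTERNA ##########
iptables -A FORWARD -i "$LAN" -s "$REDE_INTERNA" -p icmp -j ACCEPT
########## Outlook IMAP/SMTP-over-TLS to Gmail ##########
# Restricted to the internal network on the LAN interface; the original
# matched only on destination port, so it would also have matched traffic
# entering on the WAN towards an internal host on 993/465/53.
iptables -A FORWARD -i "$LAN" -s "$REDE_INTERNA" -p tcp -m multiport --dports 993,465,53 -j ACCEPT
iptables -A FORWARD -i "$LAN" -s "$REDE_INTERNA" -p udp -m multiport --dports 993,465,53 -j ACCEPT
echo "FORWARD .............................................................[OK]"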