Squid 3.3.8 + CentOS 7 - Não faz cache, não grava Log mas navega.

LeaoNarrdo
(usa Fedora)

Enviado em 28/03/2016 - 23:37h

Olá,
estou tentando configurar um cenário com squidcache + centos e não estou conseguindo fazer o cache, e o arquivo de log está vazio.

Cenário:
VirtualBOX
----- Centos7, 2 Placa de rede Wan= Modo Bridge, Lan= rede interna
----- Cliente XP, 1 Placa de rede modo= Rede interna

Centos7
-----WAN: DHCP
----- LAN: 192.168.0.200/24

Squid 3.3.8
Configuração do Squid

/etc/squid/squid.conf

http_port 3128 intercept

visible_hostname faztudo



#CACHE PARA DOWNLOADS

cache_mem 32 MB

maximum_object_size_in_memory 64 KB

maximum_object_size 512 MB

minimum_object_size 0 KB

cache_swap_low 90

cache_swap_high 95

cache_dir ufs /var/spool/squid 2048 16 256



#LOCALIZAÇO DO ARQUIVO DE LOG DO SQUI

cache_access_log /var/log/squid/access.log



refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               15       20%     4320



acl localnet src 192.168.0.0/24     # RFC 1918 possible internal network



acl SSL_ports port 443          # https

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http



acl CONNECT method CONNECT



http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager

http_access deny manager

http_access allow localnet

http_access allow localhost

http_access deny all 

Iptables

/etc/init.d/firewall.sh

#!/bin/bash

############ Variaveis #############

IPT=/sbin/iptables



####################################

IF_WAN=enp0s3

IF_LAN=enp0s8

#IP_WAN=""

IP_LAN=192.168.0.200/24

IP_GW=192.168.1.1



####### rede e seus ranges #########

REDE_INTERNA=192.168.0.0/24



####### conf squid #########

# your proxy IP

SQUIDIP=192.168.0.200/24

# your proxy listening port

SQUIDPORT=3128



############## Portas ##############

HTTP=80

HTTPS=443

SSH=22

DNS=53

POP3=110

SMTP=587



function IniciaFirewall(){



    #### politica padrao - NEGA TUDO ####



    echo "politica por omissao - negar TUDO"



    $IPT -P INPUT DROP

    $IPT -P OUTPUT DROP

    $IPT -P FORWARD DROP



    ##### configurando interfaces #######



    ifconfig $IF_LAN $IP_LAN



    route del default

    route add default gw $IP_GW



   echo "apaga as regras ja existentes"

    $IPT -F

    $IPT -X

    $IPT -Z

    $IPT -t nat -F

    $IPT -t nat -X

    $IPT -t nat -Z

    $IPT -F POSTROUTING -t nat

    $IPT -F PREROUTING -t nat

    $IPT -F OUTPUT -t nat



    ############ stateless ###############

    echo "permite loopbak"

    $IPT -A INPUT -i lo -j ACCEPT

    $IPT -A OUTPUT -o lo -j ACCEPT



    ########### statefull ################

    echo "descarta pacotes invalidos"

    $IPT -A INPUT -m state --state INVALID -j DROP



    echo "regras STATEFULL genericas"

    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    $IPT -A FORWARD -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT



    ########### DHCP ################

    $IPT -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT



    echo "permitir DNS [ok]"

    $IPT -A OUTPUT -p udp --sport 1024:65535 --dport $DNS -m state --state NEW -j ACCEPT

    $IPT -A FORWARD -p udp -i $IF_LAN -o $IF_WAN --dport $DNS -j ACCEPT



    echo "permite HTTP [ok]"

    #$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport $HTTP -m state --state NEW -j ACCEPT

    $IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $HTTP -j ACCEPT



    echo "permite HTTPS [ok]"

    #$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport $HTTPS -m state --state NEW -j ACCEPT

    $IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $HTTPS -j ACCEPT



    echo "libera portas para e-mail [ok]"

    $IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $POP3 -j ACCEPT

  $IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $POP3 -j ACCEPT

    $IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $SMTP -j ACCEPT



    echo "libera SSH [ok]"

    $IPT -A INPUT -p tcp --dport $SSH -j LOG --log-level 4 --log-prefix 'SSH_WAN > '

    $IPT -A INPUT -p tcp -i $IF_WAN --dport $SSH -j ACCEPT



    ########## seguranca da rede ##############

    echo "Impedindo ataque Ping of Death e ping flood no Firewall vindo da rede interna"

    #A regra abaixo limita em 1 vez por segundo (--limit 1/s) a passagem de pings (echo requests) para o Firewall

    $IPT -A INPUT -p icmp --icmp-type echo-request -i $IF_LAN -j LOG --log-level 4 --log-prefix 'PING_INERNO > '

    $IPT -A INPUT -p icmp --icmp-type echo-request -i $IF_LAN -m limit --limit 1/s -j ACCEPT



    echo "Descarte de pacotes nao identificados ICMP"

    $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

    $IPT -A INPUT -m state -p icmp --state INVALID -j DROP

    $IPT -A FORWARD -m state -p icmp --state INVALID -j DROP



    echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1

    echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2

    echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies



    ############ regras intercept squid cache #############

    $IPT -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT

    $IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT

    $IPT -t nat -A POSTROUTING -j MASQUERADE

    $IPT -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP



    ############ compartilha link #############

    echo "compartilha link de internet [ok]"

    $IPT -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE



    echo "habilitando encaminhamento de pacotes [ok]"

    echo 1 > /proc/sys/net/ipv4/ip_forward



}

function LiberaFirewall(){



    echo "politica Libera TUDO"



    $IPT -P INPUT ACCEPT

    $IPT -P OUTPUT ACCEPT

    $IPT -P FORWARD ACCEPT



    #########################################

    # configurando interfaces

    #########################################

    ifconfig $IF_LAN $IP_LAN

    route del default

    route add default gw $IP_GW



    echo "apaga as regras ja existentes"

    $IPT -F

    $IPT -X

    $IPT -Z

    $IPT -t nat -F

    $IPT -t nat -X

    $IPT -t nat -Z



    ########## compartilha link ###############

    echo "compartilha link de internet [ok]"

    $IPT -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE



    echo "habilitando encaminhamento de pacotes [ok]"

    echo 1 > /proc/sys/net/ipv4/ip_forward

}



case $1 in

    start)

        IniciaFirewall

        exit 0

    ;;

    stop)

        LiberaFirewall

        exit 1

    ;;

    restart)

        LiberaFirewall;IniciaFirewall

 exit 2

    ;;

    *)

        echo

        echo "Use ||start|| para iniciar as regras desse Firewall, ||restart|| para reiniciar e ||stop|| para descartar todas as politicas de seguranca, NAO FACA ISSO!"

        echo

        exit 3

    ;;

esac



# FIM: tudo que não for explicitamente permitido será negado!

 

Log do squid que não grava nada.

 ls -l /var/log/squid/

total 88

-rw-r-----. 1 squid squid     0 Mar 28 22:56 access.log

-rw-r-----. 1 squid squid 88409 Mar 28 23:02 cache.log

 

Com o Cliente XP eu consigo navegar sem problemas, mas o cache não funciona