Wotila_Carneiro
(usa Ubuntu)
Enviado em 28/02/2012 - 10:04h
Prezados, bom dia.
Tenho um servidor Ubuntu Server 10.04 rodando aqui na empresa, ele estava funcionando normal, mas de repente não acessava mais a internet. Ficava tentando "resolver o proxy" e nada. Ai dava um erro de DNS. Eu tentei acessar o Google pelo IP e consegui. Se eu setar o proxy manualmente ele conecta (mas fica um ponto de exclamação amarelo no ícone da rede). O problema é que o proxy é transparente e no meu iptables há a regra direcionando a porta 80 para a 3128. Aparentemente o erro é com o DNS. Alguém poderia me ajudar. Eis minhas configurações. Agradeço aos que colaborarem.
IPTABLES
#!/bin/bash
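#######################################
# Bring the firewall up: enable forwarding + masquerading for the LAN
# (172.18.0.0/24 -> eth0), set DROP policies, publish the lab hosts on the
# administrative network (eth2) through 1:1 DNAT/SNAT, and open DHCP, DNS,
# the transparent proxy, SSH and LAN egress.
# Globals:   none
# Arguments: none
# Outputs:   status text to stdout; iptables/route errors to stderr
# Returns:   status of the last command run (individual failures are not
#            checked, as in the original)
#######################################
iniciar(){
  # Last octets of the lab hosts that get a 10.6.1.X <-> 172.18.0.X mapping.
  local -a lab_hosts=(230 231 185 57 49)
  local host

  # --- Internet connection sharing -----------------------------------------
  modprobe iptable_nat
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -s 172.18.0.0/24 -o eth0 -j MASQUERADE
  echo "Compartilhamento ativado!"

  # --- Unlimited traffic on loopback ---------------------------------------
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # --- Default policy: DROP ------------------------------------------------
  # NOTE(review): nothing flushes the filter chains before the appends below,
  # so a second "start" without "stop" duplicates every rule. The policies are
  # also set before the ESTABLISHED,RELATED rules, so an SSH session running
  # this script is cut off until those rules are in place.
  iptables -P OUTPUT DROP
  iptables -P INPUT DROP
  iptables -P FORWARD DROP

  # --- Remove user chains, then (re)create ours ----------------------------
  # --delete-chain only removes empty chains; -N fails (non-fatally) when the
  # chain already exists. DROPAR and BLOCKLAB are never referenced by any rule
  # in this script.
  iptables --delete-chain
  iptables -t nat --delete-chain
  iptables -N DROPAR
  iptables -N BLOCKLAB
  iptables -t nat -N BLOCKLAB

  # Stateful shortcut: packets of a known connection are accepted early.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # --- Log, then drop, packets with SYN+FIN set ----------------------------
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-level 6 --log-prefix "FLAG - "
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP

  # --- Static route to the CPD network (errors deliberately silenced) -----
  route del -net 10.1.0.0 netmask 255.255.0.0 gw 10.6.0.254 2> /dev/null > /dev/null
  route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.6.0.254 2> /dev/null > /dev/null

  # --- Allow everything through the administrative interface (eth2) --------
  # The original listed the OUTPUT rule twice; the duplicate is dropped.
  # NOTE(review): there is no matching "INPUT -i eth2" rule — confirm whether
  # one was intended.
  iptables -A FORWARD -i eth2 -j ACCEPT
  iptables -A FORWARD -o eth2 -j ACCEPT
  iptables -A OUTPUT -o eth2 -j ACCEPT

  # --- Allow everything to/from CPD ----------------------------------------
  iptables -A FORWARD -s 10.1.10.0/24 -j ACCEPT
  iptables -A FORWARD -d 10.1.10.0/24 -j ACCEPT

  # --- Allow everything to/from Fortaleza ----------------------------------
  # NOTE(review): the OUTPUT rule matches on *source* 10.1.0.0/16, which a
  # locally generated packet only carries if this host owns such an address;
  # "-d" may have been intended — confirm.
  iptables -A FORWARD -s 10.1.0.0/16 -j ACCEPT
  iptables -A FORWARD -d 10.1.0.0/16 -j ACCEPT
  iptables -A INPUT -s 10.1.0.0/16 -j ACCEPT
  iptables -A OUTPUT -s 10.1.0.0/16 -j ACCEPT

  # --- Fortaleza valid network ---------------------------------------------
  # NOTE(review): kept as posted. Neither rule has a -j target, so they only
  # count packets, and "/1" covers half of the IPv4 space — "/24" and an
  # explicit target were presumably intended; confirm before relying on them.
  iptables -A INPUT -s 10.1.10.0/1
  iptables -A INPUT -d 10.1.10.0/24

  # --- NAT: lab hosts published on the administrative network --------------
  # Each 10.6.1.X alias on eth2 is mapped 1:1 to 172.18.0.X.
  ifconfig eth2:0 10.6.1.230 netmask 255.255.0.0
  ifconfig eth2:1 10.6.1.231 netmask 255.255.0.0
  ifconfig eth2:3 10.6.1.185 netmask 255.255.0.0
  ifconfig eth2:4 10.6.1.57 netmask 255.255.0.0
  ifconfig eth2:5 10.6.1.49 netmask 255.255.0.0
  for host in "${lab_hosts[@]}"; do
    iptables -t nat -A PREROUTING -d "10.6.1.${host}" -i eth2 -j DNAT --to "172.18.0.${host}"
  done
  # Reverse mapping. Fix: the original SNATed 172.18.0.49 to 10.6.1.57 (a copy
  # of the previous line), so traffic from .49 left eth2 with .57's address.
  for host in "${lab_hosts[@]}"; do
    iptables -t nat -A POSTROUTING -s "172.18.0.${host}" -o eth2 -j SNAT --to "10.6.1.${host}"
  done
  for host in "${lab_hosts[@]}"; do
    iptables -A FORWARD -s "172.18.0.${host}" -j ACCEPT
    iptables -A FORWARD -d "172.18.0.${host}" -j ACCEPT
  done

  # --- DHCP (accepted on every interface, including eth0) ------------------
  iptables -A INPUT -p udp --dport 67 -j ACCEPT
  iptables -A INPUT -p udp --dport 68 -j ACCEPT
  iptables -A OUTPUT -p udp --sport 67 -j ACCEPT
  iptables -A OUTPUT -p udp --sport 68 -j ACCEPT

  # --- DNS -----------------------------------------------------------------
  # INPUT/FORWARD cover LAN clients. The OUTPUT rules only match packets whose
  # source is 172.18.0.0/24, so this host's own queries leaving through eth0
  # are not covered here (they pass via the blanket OUTPUT ACCEPT below).
  iptables -A INPUT -s 172.18.0.0/24 -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -s 172.18.0.0/24 -p udp --dport 53 -j ACCEPT
  iptables -A FORWARD -s 172.18.0.0/24 -p tcp --dport 53 -j ACCEPT
  iptables -A FORWARD -s 172.18.0.0/24 -p udp --dport 53 -j ACCEPT
  iptables -A OUTPUT -s 172.18.0.0/24 -p tcp --dport 53 -j ACCEPT
  iptables -A OUTPUT -s 172.18.0.0/24 -p udp --dport 53 -j ACCEPT

  # --- Transparent proxy: LAN (eth1) HTTP is redirected to Squid on 3128 ---
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to 3128

  # --- Proxy ---------------------------------------------------------------
  # NOTE(review): these accept *every* TCP port from both networks, not just
  # 3128, which also makes the SSH rules below redundant for those sources;
  # limiting them to "--dport 3128" would be tighter but is a policy decision.
  iptables -A INPUT -p tcp -s 10.1.10.0/24 -j ACCEPT
  iptables -A INPUT -p tcp -s 172.18.0.0/24 -j ACCEPT

  # --- SSH -----------------------------------------------------------------
  iptables -A INPUT -p tcp --dport 22 -s 10.1.10.0/24 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -s 172.18.0.0/24 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -s 10.1.0.0/16 -m state --state NEW -j ACCEPT

  # --- Outbound traffic ----------------------------------------------------
  # NOTE(review): the 443 rule is on INPUT with no -s/-i restriction, so it
  # opens port 443 of this host on every interface, eth0 included.
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  # NOTE(review): this blanket ACCEPT makes the OUTPUT DROP policy ineffective
  # and the multiport rule after it unreachable. It is kept as posted because
  # no other OUTPUT rule covers this host's own DNS out of eth0 (unless the
  # host sources from 10.1.0.0/16) — add explicit rules before tightening.
  iptables -A OUTPUT -j ACCEPT
  iptables -A OUTPUT -p tcp -m multiport --dport 21,80,443 -m state --state NEW -j ACCEPT

  # --- LAN egress (the original listed the UDP rule twice) -----------------
  iptables -A FORWARD -p tcp -s 172.18.0.0/24 -o eth0 -m state --state NEW -j ACCEPT
  iptables -A FORWARD -p udp -s 172.18.0.0/24 -o eth0 -j ACCEPT
}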
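#######################################
# Take the firewall down: flush the filter and NAT tables, delete the user
# chains and reset the default policies to ACCEPT.
# Fix: the original only flushed the rules while the DROP policies set by
# iniciar stayed in place, so "stop" left the host with no rules and DROP on
# every chain (loopback included) — isolated rather than unfiltered.
# Globals:   none
# Arguments: none
# Outputs:   status text to stdout
# Returns:   status of the echo (iptables failures are not checked)
#######################################
parar(){
  iptables -F
  iptables -t nat -F
  # User chains (DROPAR, BLOCKLAB) are empty after the flush and can go too.
  iptables -X
  iptables -t nat -X
  # "Desativado" means unfiltered: restore the kernel's default ACCEPT policy.
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  echo "Regras de Firewall e Compartilhamento Desativados!"
}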
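# Entry point: dispatch on the first argument (start | stop | restart).
case "$1" in
  "start") iniciar;;
  "stop") parar;;
  "restart") parar; iniciar;;
  *)
    # Usage error: the message now lists restart too, goes to stderr, and the
    # script exits non-zero so an init script or caller can notice.
    echo "Use os parâmetros start, stop ou restart" >&2
    exit 1
    ;;
esac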
SQUID
# Squid listens on 3128 in interception ("transparent") mode; this matches the
# firewall's REDIRECT of LAN port-80 traffic to 3128.
http_port 3128 transparent
# NOTE(review): placeholder hostname as posted.
visible_hostname nome_servidor
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
maximum_object_size 512 MB
error_directory /usr/share/squid/errors/Portuguese
# NOTE(review): cache_swap_low (95) is above cache_swap_high (90); Squid
# expects low < high (its defaults are 90 and 95) — the two values look swapped.
cache_swap_low 95
cache_swap_high 90
cache_dir ufs /var/spool/squid 2048 16 256
# NOTE(review): cache_access_log is the Squid 2.x spelling (3.x: access_log) —
# confirm against the installed version.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# NOTE(review): no dns_nameservers directive appears here, so Squid's resolver
# settings come from elsewhere (normally /etc/resolv.conf) — worth checking
# given the DNS symptoms described in the post.
# ACL definitions
# NOTE(review): "all", "manager" and "localhost" are predefined in Squid 3.2+
# and Squid warns when they are redefined; fine on the 2.x series — confirm.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl redelocal src 172.18.0.0/255.255.255.0
# Source lists read from files: hosts with download rights / unrestricted hosts.
acl acesso_download src "/etc/squid/acesso_download"
acl liberado src "/etc/squid/acesso_livre"
# NOTE(review): "lan" is identical to "redelocal" and is not referenced by any
# http_access line in this config.
acl lan src 172.18.0.0/255.255.255.0
# NOTE(review): the next two lines are one "acl <name> url_regex ..." line
# whose name the forum replaced with [*****]; as split here Squid will not
# parse it — restore the real name on a single line.
acl
[*****] url_regex "/etc/squid/porno_br"
acl bloqueados url_regex "/etc/squid/bloqueados"
#always_direct allow all
# Extensions by MIME type
acl audio req_mime_type -i ^audio
acl video req_mime_type -i ^video
# Extensions by URL regex ("2" variants match a trailing "?")
acl com url_regex -i \.com$
acl com2 url_regex -i \.com\?$
acl pif url_regex -i \.pif$
acl pif2 url_regex -i \.pif\?$
acl scr url_regex -i \.scr$
acl scr2 url_regex -i \.scr\?$
acl mpeg url_regex -i \.mpeg$
acl mpeg2 url_regex -i \.mpeg\?$
acl mp3 url_regex -i \.mp3$
acl mp32 url_regex -i \.mp3\?$
acl avi url_regex -i \.avi$
acl avi2 url_regex -i \.avi\?$
acl wav url_regex -i \.wav$
acl wav2 url_regex -i \.wav\?$
acl mpe url_regex -i \.mpe$
acl mpe2 url_regex -i \.mpe\?$
acl exe url_regex -i \.exe$
acl exe2 url_regex -i \.exe\?$
acl zip url_regex -i \.zip$
acl zip2 url_regex -i \.zip\?$
# Block download of the extensions below for everyone.
# http_access is evaluated top-down and the first matching line wins; every
# note below follows from that.
#http_access deny com
http_access deny com2
http_access deny pif
http_access deny pif2
http_access deny scr
http_access deny scr2
# Allow everything (except what is denied above) for "liberado".
# NOTE(review): because this matches first, sources in "liberado" also skip
# "deny !Safe_ports" and "deny CONNECT !SSL_ports" at the end of the file,
# i.e. they may CONNECT to any port. Move those two deny lines above this one
# if that is not intended.
http_access allow liberado
# Block improper sites (except for "liberado").
# NOTE(review): "http_access deny" and the [*****] on the next line are one
# rule whose ACL name the forum censored.
http_access deny
[*****]
http_access deny bloqueados
# Allow download of the extensions below for "acesso_download".
# NOTE(review): the pif and scr allows are unreachable — "deny pif" and
# "deny scr" above already matched for every source.
#http_access allow acesso_download com
http_access allow acesso_download pif
http_access allow acesso_download scr
http_access allow acesso_download mpeg
http_access allow acesso_download mp3
http_access allow acesso_download avi
http_access allow acesso_download wav
http_access allow acesso_download mpe
http_access allow acesso_download exe
http_access allow acesso_download zip
http_access allow acesso_download audio
http_access allow acesso_download video
# Block download of the extensions below for everyone except "acesso_download".
http_access deny mpeg
http_access deny mpeg2
http_access deny mp3
http_access deny mp32
http_access deny avi
http_access deny avi2
http_access deny wav
http_access deny wav2
http_access deny mpe
http_access deny mpe2
http_access deny exe
http_access deny exe2
http_access deny zip
http_access deny zip2
http_access deny audio
http_access deny video
# Cache manager and PURGE only from localhost.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Port restrictions (see the note on "allow liberado" above).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow redelocal
http_access deny all