Let's get to work!!! help :p

1. Let's get to work!!! help :p

Daniel Fernandes de Lima
daniel_4fun

(uses Debian)

Posted on 07/07/2011 - 11:34h

Well, so far I have a Debian box running Squid, but I have to go to each machine and configure the proxy by hand, which isn't very practical, so I'm going to set up iptables to make Squid transparent, but I've never done that.. I did some research, and here is what I need; if possible, I'd like some help from the VOL folks...

* I need to configure the interfaces file; currently it looks like this:

# Local loopback interface
#
auto lo
iface lo inet loopback
#
#
# Network card 1
auto eth0
iface eth0 inet static
address 192.168.254.201
netmask 255.255.255.0
broadcast 192.168.254.255
network 192.168.254.0
gateway 192.168.254.254
#

Then I need a second network card configured on the 10.1.100.x network; that card is already plugged into the machine, but it isn't configured yet..

I think I'll also need a DHCP server; my modem hands out IPs in the 192.168.254.x range, but I'll disable that and configure a DHCP server on the Debian box...

> My Squid works with authentication; I think the only thing I have to change in it is the line
http_port 3128, adding "transparent" ...

I intend to use this firewall configuration, but I don't know what permissions to give it, where to put it, or how to make it run automatically at boot:

#!/bin/sh
### Script created by Lucas Possamai ######################################
###############################################################
###############################################################
############ Define variables ########################################

echo "Defining variables.................................[OK]"
# EXT = interface facing the modem/internet, INT = interface facing the LAN,
# LAN = the network the clients live in. Adjust all three to the box's layout.
EXT=eth1
INT=eth0
LAN=192.168.1.0/24

# Connection tracking and FTP helpers (nf_* on current kernels, ip_* on old ones)
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp

echo "Enabling routing.................................[OK]"
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "Flushing rules.....................................[OK]"
### Flush all iptables rules and user-defined chains ###
iptables -F
iptables -t nat -F
iptables -X
###############################################################
############ Policies #############################################
###############################################################

echo "Dropping everything by default.......................[OK]"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

###############################################################
############## NAT #############################################
###############################################################

echo "Defining NAT.......................................[OK]"
## Redirect HTTP from the LAN to Squid (only on the internal interface) ##
iptables -t nat -A PREROUTING -i $INT -s $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128

## Masquerade LAN traffic going out to the internet ##
iptables -t nat -A POSTROUTING -s $LAN -o $EXT -j MASQUERADE

###############################################################
############ INPUT ##############################################
###############################################################

echo "Defining INPUT......................................[OK]"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Accept everything on loopback ##
iptables -A INPUT -i lo -j ACCEPT
## Accept SSH from anywhere ##
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
## Accept Apache ##
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
## Accept ping ##
iptables -A INPUT -p icmp -j ACCEPT
## Allow Squid from the internal network only ##
iptables -A INPUT -i $INT -p tcp --dport 3128 -j ACCEPT

###############################################################
############ OUTPUT #############################################
###############################################################

echo "Defining OUTPUT.....................................[OK]"
# The OUTPUT policy above is ACCEPT, so these rules only take effect
# if that policy is later changed to DROP.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

###############################################################
############ FORWARD ############################################
###############################################################

echo "Defining FORWARD.....................................[OK]"
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allow (TCP) DNS, SMTP, POP3, HTTP and Squid from the internal network ##
iptables -A FORWARD -i $INT -s $LAN -p tcp -m multiport --dports 25,53,80,110,3128 -j ACCEPT
## Allow DNS (UDP) from the internal network ##
iptables -A FORWARD -i $INT -s $LAN -p udp --dport 53 -j ACCEPT
## Allow ping from the internal network ##
iptables -A FORWARD -i $INT -s $LAN -p icmp -j ACCEPT
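The three rules that actually make Squid transparent, isolated from the rest of the firewall so they can be reviewed before they are applied. This is an added example, not code from the thread or from the script's author; the interface names and the LAN prefix are assumptions for the layout described in the post (modem side stays on eth0, the new 10.1.100.x card is the LAN side), and the dry-run wrapper and check_config helper are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example (not from the thread): transparent-proxy rules for a two-NIC
# Debian box, printed as a dry run by default so they can be reviewed first.
# Assumed layout (adjust to the real box):
EXT=${EXT:-eth0}              # NIC towards the modem / internet
INT=${INT:-eth1}              # NIC towards the LAN clients
LAN=${LAN:-10.1.100.0/24}     # network the clients live in
SQUID_PORT=${SQUID_PORT:-3128}
DRY_RUN=${DRY_RUN:-1}         # 1 = print the rules, 0 = apply them (needs root)

# Wrapper: print or apply an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Refuse obviously wrong settings before touching the firewall.
# Returns 0 when the configuration is usable, 1 otherwise.
check_config() {
    if [ "$EXT" = "$INT" ]; then
        echo "EXT and INT must be different interfaces" >&2
        return 1
    fi
    case "$LAN" in
        */*) ;;                       # needs a prefix such as 10.1.100.0/24
        *) echo "LAN must be a CIDR prefix, got '$LAN'" >&2; return 1 ;;
    esac
    return 0
}

# Emit (or apply) the transparent-proxy rules.
transparent_rules() {
    check_config || return 1
    # Only HTTP that arrives on the LAN interface from the LAN prefix is sent
    # to Squid. Without "-i $INT -s $LAN" the same REDIRECT would also catch
    # anything hitting port 80 on the external side of the box.
    ipt -t nat -A PREROUTING -i "$INT" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    # Squid's listener is reachable from the LAN only.
    ipt -A INPUT -i "$INT" -s "$LAN" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # Client traffic leaves through the modem side under the box's own address.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXT" -j MASQUERADE
}

# Squid's matching line (Squid 2.x syntax, as in the post):
#   http_port 3128 transparent
# Run with DRY_RUN=1 (the default) to review, DRY_RUN=0 as root to apply.
transparent_rules
```

Run it once without arguments to see the exact rules it would add; only when the printed interface names and prefix match the box should it be run with DRY_RUN=0. The check in check_config is deliberately strict about EXT and INT being different, because a REDIRECT that matches on the wrong interface turns the box into a proxy for whatever can reach it from the modem side.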


  


2. Re: Let's get to work!!! help :p

Jairo de Menezes Rodrigues
jairovisks

(uses Debian)

Posted on 08/07/2011 - 17:46h

Hello,

You can paste that whole firewall script into the rc.local file; that way it will be activated at boot.

The Squid part isn't THAT simple, but it isn't hard either.

If you don't want to use authentication you have to remove the authentication directives from Squid, since a transparent proxy doesn't work with authentication...

regards
