porta transparente não funciona

1. porta transparente não funciona

Eduardo Cena Pimentel
edu_dm

(usa Slackware)

Enviado em 22/02/2011 - 11:43h

olá amigos, tenho um servidor aki com squid e firewall; após um problema na máquina tive que formatar, e o firewall que estava funcionando blza deu um pau aki: a porta do squid naun fica transparente nem a pau, só configurando o navegador. Segue abaixo o script:

#!/bin/bash

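#######################################
# Activate the firewall: enable IPv4 forwarding, load the netfilter
# modules, flush every table and install the rule set.
# Globals:  IPTABLES, INTNET, EXTDEV, POLICY, INTDEV, FIREWALL, PROXY_PORT
#           are assigned here and left global on purpose, as in the
#           original script.
# Reads:    /etc/firewall/fullaccess - first column of each line is a
#           source address/network allowed to leave through $EXTDEV
#           without going through the proxy.
# Outputs:  progress dots and "OK" on stdout, errors on stderr.
# Returns:  0 on success, 1 when the iptables binary is not in PATH.
#######################################
fire_start() {
  local module liberado
  local -a modules

  echo 1 > /proc/sys/net/ipv4/ip_forward

  # ---------------------------------VARIAVEIS DE AMBIENTE
  # With an empty IPTABLES every "$IPTABLES -F" below would become a bare
  # "-F" command and the box would be left with whatever rules it had, so
  # fail loudly instead.
  IPTABLES=$(command -v iptables) || {
    echo "iptables nao encontrado no PATH" >&2
    return 1
  }
  INTNET="172.16.0.0/24"
  EXTDEV="eth0"
  POLICY="DROP"
  INTDEV="eth1"
  FIREWALL="172.16.0.1"   # not referenced by any rule below; kept for callers
  PROXY_PORT="3128"

  # CARREGAR MODULOS
  # Both the nf_*/ipt_* names and the older ip_conntrack*/ip_nat* names are
  # listed because modprobe failures are ignored: whichever set the running
  # kernel ships gets loaded. Entries duplicated in the original list were
  # removed (they were probed twice for no effect).
  modules=(
    ip_queue ip_tables ipt_ECN ipt_LOG ipt_MARK ipt_MASQUERADE ipt_NETMAP
    ipt_REDIRECT ipt_REJECT ipt_SAME ipt_TOS ipt_TTL ipt_addrtype ipt_ah
    ipt_ecn ipt_iprange ipt_owner ipt_recent ipt_tos ipt_ttl
    iptable_filter iptable_mangle iptable_nat iptable_raw
    nf_conntrack_ipv4 nf_nat nf_nat_amanda nf_nat_ftp nf_nat_h323 nf_nat_irc
    nf_nat_pptp nf_nat_proto_gre nf_nat_sip nf_nat_snmp_basic nf_nat_tftp
    ip_nat_ftp ip_conntrack ip_conntrack_ftp ip_conntrack_irc ip_nat_irc
    ipt_mac ipt_state ipt_mark ip_nat_pptp ip_conntrack_pptp
  )
  echo -n " Carregando modulos "
  for module in "${modules[@]}"; do
    modprobe "$module" >/dev/null 2>&1   # best-effort: missing modules are expected
    echo -n "."
  done
  echo "OK"

  # zera tudo
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -X

  # LOOPBACK
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  # liberar smtp e pop (443 is forwarded directly: only port 80 is sent to
  # the proxy further down, HTTPS bypasses it)
  "$IPTABLES" -A FORWARD -p tcp -m multiport --dport 25,110,443 -j ACCEPT
  "$IPTABLES" -A POSTROUTING -t nat -p tcp -m multiport --dport 25,110,443 -o "$EXTDEV" -j MASQUERADE

  # Liberar conectividade social
  "$IPTABLES" -A FORWARD -d 200.201.173.0/24 -j ACCEPT
  "$IPTABLES" -A FORWARD -d 200.201.174.0/24 -j ACCEPT
  "$IPTABLES" -A POSTROUTING -t nat -d 200.201.173.0/24 -o "$EXTDEV" -j MASQUERADE
  "$IPTABLES" -A POSTROUTING -t nat -d 200.201.174.0/24 -o "$EXTDEV" -j MASQUERADE

  # Acesso Liberado (Rede Interna --> Firewall ----> Internet )
  # One FORWARD/MASQUERADE pair per line of the file, first column only.
  # Blank lines and "#" comments are skipped; the "|| [[ -n ... ]]" keeps a
  # final line that has no trailing newline. Replaces the unquoted
  # `for x in $(cat ...)` of the original.
  echo -n " Liberando usuarios com acesso privilegiado"
  while read -r liberado _ || [[ -n "$liberado" ]]; do
    [[ -z "$liberado" || "$liberado" == \#* ]] && continue
    "$IPTABLES" -A FORWARD -s "$liberado" -j ACCEPT
    "$IPTABLES" -A POSTROUTING -t nat -s "$liberado" -o "$EXTDEV" -j MASQUERADE
    echo -n "."
  done < /etc/firewall/fullaccess
  echo "OK"

  # Proxy transparente: only traffic entering on $INTDEV is redirected to
  # Squid. NOTE(review): after a reinstall the kernel may have renamed the
  # NICs (eth0/eth1 swapped); if $INTDEV is no longer the LAN side this rule
  # never matches and port 80 simply falls to the FORWARD DROP policy --
  # confirm with "ip addr" and the packet counters of
  # "iptables -t nat -L PREROUTING -v -n".
  "$IPTABLES" -t nat -A PREROUTING -i "$INTDEV" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"

  # Acesso webmin / ssh
  # NOTE(review): neither rule has an -i or -s restriction, so 10000 and 22
  # are reachable from $EXTDEV as well; add "-i $INTDEV" or "-s $INTNET" if
  # that is not intended.
  "$IPTABLES" -A INPUT -p tcp --dport 10000 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT

  # liberar ping
  "$IPTABLES" -A FORWARD -p icmp -j ACCEPT
  "$IPTABLES" -A INPUT -p icmp -j ACCEPT

  # vpn: PPTP control channel (tcp/1723) and IPsec ESP (protocol 50).
  # NOTE(review): PPTP data travels over GRE (protocol 47), which is not
  # accepted here -- verify whether the VPN actually passes traffic.
  "$IPTABLES" -A INPUT -i "$EXTDEV" -p tcp --dport 1723 -j ACCEPT
  "$IPTABLES" -A INPUT -p 50 -j ACCEPT

  # liberar dns
  "$IPTABLES" -A FORWARD -p udp --dport 53 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport 53 -j ACCEPT

  # Rede Interna acessa o firewall. This is also the rule that lets the
  # REDIRECTed port-80 packets (now addressed to the firewall itself) reach
  # Squid on $PROXY_PORT, since INPUT defaults to $POLICY below.
  "$IPTABLES" -A INPUT -s "$INTNET" -j ACCEPT

  # conexoes estabelecidas
  "$IPTABLES" -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Setando politica padrao (last, after all accept rules are in place)
  "$IPTABLES" -P INPUT "$POLICY"
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD "$POLICY"

  # Gerar log (disabled; would log everything that falls through to the
  # default policy -- useful while diagnosing what is being dropped)
  # "$IPTABLES" -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
  # "$IPTABLES" -A INPUT -j LOG --log-prefix "INPUT-DROP: "
}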

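#######################################
# Deactivate the firewall: flush every chain of the filter, nat and mangle
# tables, delete user-defined chains, zero the counters and set all
# built-in policies to ACCEPT.
# Globals:  IPTABLES (written)
# Outputs:  one status line on stdout, errors on stderr.
# Returns:  0 on success, 1 when the iptables binary is not in PATH.
#######################################
fire_stop() {
  local table

  # Same guard as fire_start: an empty IPTABLES would silently do nothing.
  IPTABLES=$(command -v iptables) || {
    echo "iptables nao encontrado no PATH" >&2
    return 1
  }
  echo "Desativando Firewall..."

  # "-F" with no chain name flushes every chain of the table, so the extra
  # per-chain -F INPUT/OUTPUT/PREROUTING/POSTROUTING calls of the original
  # are redundant and were folded into this loop. The original also flushed
  # mangle but never deleted its user chains (-X) -- done here for symmetry.
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
    "$IPTABLES" -t "$table" -X
    "$IPTABLES" -t "$table" -Z
  done

  # Open policies: with everything flushed this leaves the host unfiltered.
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
}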


#######################################
# Reload the rule set: tear everything down, pause one second, bring it
# back up. Exit status is that of fire_start.
#######################################
fire_restart() {
  fire_stop
  sleep 1
  fire_start
}

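# Entry point: dispatch on the first argument (start|stop|restart).
case "$1" in
  start)
    fire_start
    ;;
  stop)
    fire_stop
    ;;
  restart)
    fire_restart
    ;;
  *)
    # Usage goes to stderr with a non-zero status so an init script or a
    # typo on the command line is not mistaken for a successful run.
    printf 'use %s start|stop|restart\n' "$0" >&2
    exit 1
    ;;
esac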




  


2. Re: porta transparente não funciona

Rodrigo Hlatki
rodrigoh79

(usa Debian)

Enviado em 22/02/2011 - 11:49h

E o squid.conf?


3. olha ae

Eduardo Cena Pimentel
edu_dm

(usa Slackware)

Enviado em 22/02/2011 - 11:57h

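# ---- Porta de escuta / hierarquia ----
# "transparent" only tells Squid to accept intercepted requests; the actual
# interception is the firewall's REDIRECT of port 80 to 3128. On Squid 3.1+
# the keyword is "intercept" -- confirm which version is installed.
http_port 3128 transparent
icp_port 0
cache_replacement_policy heap LFUDA
cache_dir aufs /var/cache/squid 10000 64 256
memory_replacement_policy heap GDSF
cache_mem 128 MB
maximum_object_size 256 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 256 KB
cache_swap_low 90
cache_swap_high 95
ipcache_size 1024
fqdncache_size 1024

ipcache_low 90
ipcache_high 95

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY

pid_filename /var/run/proxy.pid
debug_options ALL,1
log_fqdn off

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

# ---- ACLs ----
acl redeinterna src 172.16.0.0/24

# NOTE(review): Squid 3.x predefines "all" and "manager" and rejects a
# redefinition; these two lines are fine on 2.x only.
acl all src 0.0.0.0/0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 82
acl Safe_ports port 80 # http
acl Safe_ports port 3001 # java / prog_ze (was listed twice)
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# sites
acl sites_bloqueados url_regex -i "/etc/squid/acl/sites/sites_bloqueados"
acl sites_permitidos url_regex -i "/etc/squid/acl/sites/sites_permitidos"

# Grupos
acl grupo_admin src "/etc/squid/acl/usuarios/grupo_admin"
acl grupo_func src "/etc/squid/acl/usuarios/grupo_func"

# Controle de conteudo
# http_access is first-match. The protective denies (cache manager, unsafe
# ports, CONNECT to non-SSL ports) now come before the group allows; in the
# original order a host in grupo_admin matched "allow" first and those
# checks were never evaluated for it.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow grupo_admin !sites_bloqueados
http_access allow grupo_func sites_permitidos
http_access deny all

# ---- Logs ----
# NOTE(review): with cache_log disabled Squid's own startup errors and its
# interception diagnostics are lost; point it at a file (e.g.
# /var/log/squid/cache.log) while the transparent setup is being debugged.
cache_log none
cache_store_log none
cache_access_log /var/log/squid/access.log
#cache_access_log none

cache_mgr localhost
cache_effective_user squid
cache_effective_group squid
visible_hostname localhost

dns_testnames registro.br

zph_mode tos
zph_local 0x08
zph_parent 0
zph_option 136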






