OT: IPCOP no filtra de forma correcta las páginas (deja pasar algunas)
Hola, esto es un OT porque no es de debian, pero como no he
encontrado una lista de ipcop con movimiento importante, los molesto a
ustedes.
Estoy usando IPCOP 1.4.21, donde tengo activo el DansGuardian
Content Filter, pero noto que DansGuardian a veces bloquea los
websites y otras veces no realiza el bloqueo.
En otras palabras, a veces IPCOP permite acceder a facebook y otras
me lo bloquea; youtube.com a veces me carga y otras veces carga sin
las imágenes; a wikipedia entro sin problemas (dichas páginas no
están en "exceptionsitelist").
Miré los archivos de log de DansGuardian y no encontré nada que me
guíe a la solución. Pensando en que estaba mal configurado el
proxy transparente, configuré el FF vía proxy xxx.xxx.xxx.xxx:8080, pero
sigue sin filtrar de forma correcta.
Realmente no sé qué mirar (estoy confundido entre los archivos de
configuración e iptables); si me pueden orientar un poco, estaré muy
agradecido.
Les dejo la configuración.
# cat /etc/squid/squid.conf | grep -v ^# | grep -v ^$
shutdown_lifetime 5 seconds
icp_port 0
http_port 15.15.15.210:800 transparent
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_effective_user squid
cache_effective_group squid
pid_filename /var/run/squid.pid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
log_mime_hdrs off
forwarded_for off
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 800 # Squid port (for icons)
acl IPCop_http port 81
acl IPCop_https port 445
acl IPCop_ips dst 15.15.15.210
acl IPCop_networks src 15.15.15.0/255.255.255.0
acl no_proxy_dst dst 15.15.15.0/255.255.255.0
acl CONNECT method CONNECT
acl dansguardian src 15.15.15.210
follow_x_forwarded_for allow dansguardian
http_access allow localhost
http_access allow IPCop_ips IPCop_networks IPCop_http
http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow IPCop_networks !no_proxy_dst
http_access deny all
maximum_object_size 4096 KB
minimum_object_size 0 KB
cache_mem 20000 KB
cache_dir aufs /var/log/cache 500 16 256
request_body_max_size 0 KB
reply_body_max_size 0 allow all
visible_hostname proxy.myDom.com.ar
\\--- cat /etc/squid/squid.conf
---------
root@proxy:/etc/dansguardian # cat dansguardian.conf | grep -v ^# | grep -v ^$
reportinglevel = 3
languagedir = '/home/httpd/html/dansguardian/languages'
language = arspanish
loglevel = 3
logexceptionhits =
logfileformat = 1
loglocation = /var/log/dansguardian/access.log
filterip = ''
filterport = 8080
proxyip = '15.15.15.210'
proxyport = 800
accessdeniedaddress = http://15.15.15.210:81/dansguardian/dansguardian.pl
nonstandarddelimiter = on
usecustombannedimage = 0
custombannedimagefile = '/home/httpd/html/dansguardian/transparent1x1.gif'
filtergroups = 4
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 0
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 1
preservecase = 0
hexdecodecontent = 0
forcequicksearch = off
reverseaddresslookups = on
reverseclientiplookups = on
logclienthostnames = on
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
authplugin = '/etc/dansguardian/authplugins/ip.conf'
recheckreplacedurls =
forwardedfor = on
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks =
loguseragent = off
daemonuser = 'nobody'
daemongroup = 'nobody'
softrestart = off
\\-- cat dansguardian.conf
root@proxy:/etc/dansguardian # netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address
State PID/Program name
tcp 0 0 15.15.15.210:800 0.0.0.0:*
LISTEN 607/(squid)
tcp 0 0 0.0.0.0:10050 0.0.0.0:*
LISTEN 662/zabbix_agentd
tcp 0 0 0.0.0.0:1194 0.0.0.0:*
LISTEN 620/openvpn
tcp 0 0 0.0.0.0:8080 0.0.0.0:*
LISTEN 642/dansguardian
tcp 0 0 0.0.0.0:81 0.0.0.0:*
LISTEN 355/httpd
tcp 0 0 0.0.0.0:53 0.0.0.0:*
LISTEN 370/dnsmasq
tcp 0 0 0.0.0.0:445 0.0.0.0:*
LISTEN 355/httpd
tcp 0 0 0.0.0.0:222 0.0.0.0:*
LISTEN 364/sshd
tcp 0 0 15.15.15.210:10050 15.15.15.141:37310
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:36856
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:37176
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:36844
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:37227
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:37284
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:36708
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:37340
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:36758
TIME_WAIT -
tcp 0 0 15.15.15.210:35786 15.15.15.210:800
TIME_WAIT -
tcp 0 0 15.15.15.210:35787 15.15.15.210:800
TIME_WAIT -
tcp 0 0 15.15.15.210:10050 15.15.15.141:37328
TIME_WAIT -
tcp 0 0 15.15.15.210:222 15.15.15.115:41962
ESTABLISHED 692/1
tcp 0 0 15.15.15.210:10050 15.15.15.141:37257
TIME_WAIT -
udp 0 0 0.0.0.0:32901 0.0.0.0:*
607/(squid)
udp 0 0 0.0.0.0:53 0.0.0.0:*
370/dnsmasq
udp 0 0 10.55.247.1:123 0.0.0.0:*
580/ntpd
udp 0 0 200.41.142.174:123 0.0.0.0:*
580/ntpd
udp 0 0 1.1.1.1:123 0.0.0.0:*
580/ntpd
udp 0 0 15.15.15.210:123 0.0.0.0:*
580/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:*
580/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:*
580/ntpd
\\-- netstat -pantu
root@proxy:/etc/dansguardian # iptables -nvL
Chain BADTCP (2 references)
pkts bytes target prot opt in out source
destination
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x29
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x00
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x01
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x06
0 0 PSCAN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x03/0x03
223 10609 NEWNOTSYN tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
Chain BOT_FORWARD (2 references)
pkts bytes target prot opt in out source
destination
Chain BOT_INPUT (2 references)
pkts bytes target prot opt in out source
destination
Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source
destination
0 0 REJECT tcp -- * * 15.15.15.0/24
0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
171 58718 BOT_FORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
171 58718 OVPNFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
171 58718 BOT_FORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
171 58718 OVPNFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source
destination
212K 28M BOT_INPUT all -- * * 0.0.0.0/0
0.0.0.0/0
212K 28M OVPNINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
212K 28M BOT_INPUT all -- * * 0.0.0.0/0
0.0.0.0/0
212K 28M OVPNINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain CUSTOMOUTPUT (1 references)
pkts bytes target prot opt in out source
destination
Chain DHCPBLUEINPUT (1 references)
pkts bytes target prot opt in out source
destination
Chain DMZHOLES (0 references)
pkts bytes target prot opt in out source
destination
Chain GUIINPUT (1 references)
pkts bytes target prot opt in out source
destination
229 13936 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
Chain INPUT (policy DROP 293 packets, 24646 bytes)
pkts bytes target prot opt in out source
destination
212K 28M ipac~o all -- * * 0.0.0.0/0
0.0.0.0/0
212K 28M BADTCP all -- * * 0.0.0.0/0
0.0.0.0/0
212K 28M CUSTOMINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
212K 28M GUIINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
97584 10M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
114K 18M IPSECVIRTUAL all -- * * 0.0.0.0/0
0.0.0.0/0
114K 18M OPENSSLVIRTUAL all -- * * 0.0.0.0/0
0.0.0.0/0
2264 99616 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 DROP all -- * * 127.0.0.0/8
0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0
127.0.0.0/8 state NEW
111K 18M ACCEPT !icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0 state NEW
293 24646 DHCPBLUEINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
293 24646 IPSECPHYSICAL all -- * * 0.0.0.0/0
0.0.0.0/0
293 24646 OPENSSLPHYSICAL all -- * * 0.0.0.0/0
0.0.0.0/0
285 24262 WIRELESSINPUT all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
293 24646 REDINPUT all -- * * 0.0.0.0/0
0.0.0.0/0
285 24262 XTACCESS all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
293 24646 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
prefix `INPUT '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
171 58718 ipac~fi all -- * * 0.0.0.0/0
0.0.0.0/0
171 58718 ipac~fo all -- * * 0.0.0.0/0
0.0.0.0/0
171 58718 BADTCP all -- * * 0.0.0.0/0
0.0.0.0/0
30 1800 TCPMSS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
171 58718 CUSTOMFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
145 57158 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
26 1560 IPSECVIRTUAL all -- * * 0.0.0.0/0
0.0.0.0/0
26 1560 OPENSSLVIRTUAL all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 DROP all -- * * 127.0.0.0/8
0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0
127.0.0.0/8 state NEW
26 1560 ACCEPT all -- eth0 * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 WIRELESSFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 REDFORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 PORTFWACCESS all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
prefix `OUTPUT '
Chain IPSECPHYSICAL (1 references)
pkts bytes target prot opt in out source
destination
Chain IPSECVIRTUAL (2 references)
pkts bytes target prot opt in out source
destination
Chain LOG_DROP (0 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain LOG_REJECT (0 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
Chain NEWNOTSYN (1 references)
pkts bytes target prot opt in out source
destination
223 10609 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
prefix `NEW not SYN? '
223 10609 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OPENSSLPHYSICAL (1 references)
pkts bytes target prot opt in out source
destination
Chain OPENSSLVIRTUAL (2 references)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 111K packets, 14M bytes)
pkts bytes target prot opt in out source
destination
111K 14M ipac~i all -- * * 0.0.0.0/0
0.0.0.0/0
111K 14M CUSTOMOUTPUT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OVPNFORWARD (2 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- tun+ * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0
0.0.0.0/0
Chain OVPNINPUT (2 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1194
0 0 ACCEPT all -- tun+ * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1194
0 0 ACCEPT all -- tun+ * 0.0.0.0/0
0.0.0.0/0
Chain PORTFWACCESS (1 references)
pkts bytes target prot opt in out source
destination
Chain PSCAN (5 references)
pkts bytes target prot opt in out source
destination
0 0 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
prefix `TCP Scan? '
0 0 LOG udp -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
prefix `UDP Scan? '
0 0 LOG icmp -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
prefix `ICMP Scan? '
0 0 LOG all -f * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
prefix `FRAG Scan? '
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain REDFORWARD (1 references)
pkts bytes target prot opt in out source
destination
Chain REDINPUT (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- eth1 * 0.0.0.0/0
0.0.0.0/0
Chain WIRELESSFORWARD (1 references)
pkts bytes target prot opt in out source
destination
Chain WIRELESSINPUT (1 references)
pkts bytes target prot opt in out source
destination
Chain XTACCESS (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0
200.41.142.174 tcp dpt:113
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0
200.41.142.174 tcp dpt:222
Chain ipac~fi (1 references)
pkts bytes target prot opt in out source
destination
0 0 all -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
Chain ipac~fo (1 references)
pkts bytes target prot opt in out source
destination
0 0 all -- * eth0 0.0.0.0/0
0.0.0.0/0
0 0 all -- * ppp0 0.0.0.0/0
0.0.0.0/0
Chain ipac~i (1 references)
pkts bytes target prot opt in out source
destination
870 161K all -- * eth0 0.0.0.0/0
0.0.0.0/0
6 433 all -- * ppp0 0.0.0.0/0
0.0.0.0/0
Chain ipac~o (1 references)
pkts bytes target prot opt in out source
destination
1487 154K all -- eth0 * 0.0.0.0/0
0.0.0.0/0
14 965 all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
\\--- iptables -nvL
Gracias por leer hasta aquí.