Só poderá navegar com o proxy!

[Ricardo <rvbranco@gmail.com>]

Bom dia, galera

 

Como fazer com que as pessoas acessam a internet somente pelo proxy, tenho o squid configurado na porta 3128 e algumas regras com o iptables

 

Regras com Iptables:

 

#!/bin/sh

# DECLARANDO VARIAVEIS
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"

# CARREGANDO MODULOS
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp
$MODPROBE ipt_LOG
$MODPROBE ipt_state
$MODPROBE ipt_MASQUERADE

# INICIANDO REGRAS
$IPTABLES -F
$IPTABLES -Z
$IPTABLES -X
$IPTABLES -t nat -F

# DEFININDO POLITICAS
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# HABILITANDO ROTEAMENTO
echo 1 > /proc/sys/net/ipv4/ip_forward
# DESABILITANDO PROTECAO A ECHO DE BROADCAST ICMP
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# HABILITANDO PROTEAO A MENSAGEM DE "BAD ERROR"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# DESABILITANDO REDIRECIONAMENTO DE ICMP
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# CONTRA PING DA MORTE
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# CONTRA ATAQUES SYN-FLOOD
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# CONTRA PORT SCANNERS
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# CONEXOES INTERNAS SAO MANTIDAS APOS A PRIMEIRA VERIFICACAO (INPUT)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# LIBERANDO O INPUT PARA A INTERFACE DE LOOPBACK
$IPTABLES -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
$IPTABLES -A INPUT -p ALL -s 192.168.0.4 -i lo -j ACCEPT

# PROTECAO CONTRA IP SPOOFING
$IPTABLES -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/16 -i eth0 -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP

# LIBERANDO O INPUT PARA O PING (RESPOSTA)
$IPTABLES -A INPUT -p icmp -i eth1 --icmp-type 0 -s 0/0 -d 192.168.0.4 -j ACCEPT

# LIBERA SQUID PARA A REDE INTERNA
$IPTABLES -A INPUT -p tcp -i eth1 -s 192.168.0.0/24 --dport 3128 -j ACCEPT

# LIBERANDO ACESSO SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# LIBERANDO ACESSO HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# LIBERANDO ACESSO FTP
# $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

# LIBERANDO AS RESPOSTAS DE SERVIDORES WWW PARA O SQUID
$IPTABLES -A INPUT -p tcp -i eth0 --sport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 --sport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 --sport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 --sport 21 -j ACCEPT

# CONEXOES INTERNAS SAO MANTIDAS APOS A PRIMEIRA VERIFICACAO (FORWARD)
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# RESOLVENDO REQUISICOES DO OUTLOOK
$IPTABLES -A FORWARD -p udp -s 192.168.0.0/24 -d 200.204.0.10 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 192.168.0.0/24 -d 200.204.0.138 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 200.204.0.10 -d 192.168.0.0/24 --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s 200.204.0.138 -d 192.168.0.0/24 --dport 53 -j ACCEPT

# LIBERANDO PORTAS PARA A RESOLUCAO DO OUTLOOK
$IPTABLES -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 192.168.0.0/24 --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --sport 110 -j ACCEPT

# COMPARTILHA O ACESSO A INTERNET
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

Valeu!