
Re: iptables + squid transparente + liberar https e msn com vídeo/áudio



Bom Matheus, aqui uso:
 Debian Etch kernel  2.6.18-6-686
 Squid Cache: Version 2.6.STABLE5

Aqui tenho 3 placas de rede: uma WAN (eth2) e duas LAN (eth1, eth0). Segue
abaixo o meu script do iptables e meu squid.conf com o masquerade
funcionando e o MSN também nos IPs que estão liberados para usá-lo.
                              IPTABLES
#!/bin/bash
### BEGIN INIT INFO
# Provides:          Compartilhar
# Required-Start:
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description: Ativa o NAT e regras do IPTABLES.
# Description:
### END INIT INFO

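iniciar(){
  # Bring up NAT and the packet-filter rules for this gateway. The WAN
  # NIC is eth2; eth1 serves the teachers' LAN (192.168.6.0/24) and eth0
  # the lab LAN (192.168.5.0/24). Rules are appended (-A), so within each
  # chain the first matching rule below wins.
  # Side effects: writes /proc/sys/net/ipv4 sysctls and appends to the
  # filter and nat tables. Must run as root.
  # No chain policy (-P) is set here, so traffic matched by none of the
  # rules below keeps whatever policy the chain already had.

  # Allow the loopback interface
  iptables -A INPUT -i lo -j ACCEPT

  # Enable forwarding and masquerade everything leaving through the WAN NIC
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

  # Reverse-path filtering against IP spoofing. conf/default/ only
  # applies to interfaces created afterwards; conf/all/ is what reaches
  # the NICs that are already up.
  echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

  # Drop packets conntrack cannot classify (malformed / out-of-state)
  iptables -A INPUT -m state --state INVALID -j DROP

  # Accept packets of connections already tracked. This must come before
  # the per-subnet DROP rules further down: a lab host answering a
  # connection opened by this server (or by the teachers' LAN) replies
  # to an ephemeral port in 1025-65535, and the late placement in the
  # original ordering dropped those replies.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Squid's port is opened per LAN further down rather than globally
  #iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

  # The service rules below carry no -i/-s restriction, so they also
  # accept connections arriving on the WAN NIC (eth2).
  # SSH
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  # SAMBA
  iptables -A INPUT -p tcp --dport 139 -j ACCEPT
  iptables -A INPUT -p tcp --dport 445 -j ACCEPT
  iptables -A INPUT -p udp --dport 137:138 -j ACCEPT

  # DNS
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT

  # NTP
  iptables -A INPUT -p udp --dport 123 -j ACCEPT

  # HTTP and HTTPS
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT

  # Transparent proxy on eth1 (teachers): divert port 80 to Squid and
  # accept the redirected traffic on 3128 from that LAN
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
  iptables -A INPUT -s 192.168.6.0/24 -p tcp --dport 3128 -j ACCEPT

  # Teachers' LAN: every TCP port open, both to this host and forwarded
  iptables -A INPUT -s 192.168.6.0/24 -p tcp --dport 1:65535 -j ACCEPT
  iptables -A FORWARD -s 192.168.6.0/24 -p tcp --dport 1:65535 -j ACCEPT

  # Lab: this single host gets the high ports; it must precede the
  # per-subnet DROP below
  iptables -A INPUT -s 192.168.5.250 -p tcp --dport 1025:65535 -j ACCEPT
  iptables -A FORWARD -s 192.168.5.250 -p tcp --dport 1025:65535 -j ACCEPT

  # Transparent proxy on eth0 (lab)
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
  iptables -A INPUT -s 192.168.5.0/24 -p tcp --dport 3128 -j ACCEPT

  # Windows Terminal Server port for the lab
  iptables -A INPUT -s 192.168.5.0/24 -p tcp --dport 3389 -j ACCEPT
  iptables -A FORWARD -s 192.168.5.0/24 -p tcp --dport 3389 -j ACCEPT

  # Block new connections from the lab subnet to the remaining high
  # ports (1025-65535)
  iptables -A INPUT -s 192.168.5.0/24 -p tcp --dport 1025:65535 -j DROP
  iptables -A FORWARD -s 192.168.5.0/24 -p tcp --dport 1025:65535 -j DROP

  # Refuse any new inbound TCP connection not accepted above. Only TCP
  # SYNs are covered here; UDP and other protocols not matched earlier
  # fall through to the chain policy.
  iptables -A INPUT -p tcp --syn -j DROP
  echo "Regras de FIREWALL e compartilhamento ATIVADOS"
}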

parar(){
  # Tear down what iniciar() added: flush every rule in the filter and
  # nat tables. Chain policies are left as they are (iniciar() sets
  # none) and ip_forward is not switched back off.
  local table
  for table in filter nat; do
    iptables -t "$table" -F
  done
  echo "Regras de FIREWALL e compartilhamento DESATIVADOS"
}

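# Init-script entry point: dispatch on the first argument.
# An unknown argument prints the usage to stderr and exits non-zero so
# the caller (init, an operator) can see the invocation failed; the
# usage text now also names restart, which the dispatcher supports.
case "$1" in
  start) iniciar ;;
  stop) parar ;;
  restart) parar; iniciar ;;
  *)
    echo "Use os parametros start, stop ou restart" >&2
    exit 1
    ;;
esac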

                                  SQUID
# Listen only on the two LAN addresses (lab .5.252, teachers .6.252);
# "transparent" pairs with the iptables REDIRECT rules in the script above.
http_port 192.168.5.252:3128 transparent
http_port 192.168.6.252:3128 transparent

# Cache sizing, on-disk store and log locations
cache_mem 256 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/cache/squid 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
#emulate_http_log off
refresh_pattern         ^ftp:           1440    20%     10080
refresh_pattern         ^gopher:        1440    0%      1440
refresh_pattern         .               0       20%     4320

# Base ACLs. "all" is defined here but referenced by no http_access line
# below. Safe_ports lists the destination ports plain requests may use;
# CONNECT is restricted to SSL_ports further down.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 82 21 443 563 70 210 3050 #1025-65535
acl Safe_ports port 280         #http-mgmt
acl Safe_ports port 488         #gss-http
acl Safe_ports port 591         #filemaker
acl Safe_ports port 777         #multiling http
acl CONNECT method CONNECT

# Block MSN. msn_livre reads the same file as ips_liberados below, so
# the two ACLs are interchangeable. msn_web is a regex with unescaped
# dots (each "." matches any character) and is not case-insensitive,
# unlike the other url_regex ACLs here.
acl msn_livre src "/etc/squid/ips_liberados"
acl msn_web url_regex webmessenger.msn.com
acl msn url_regex -i /gateway/gateway.dll

# Block Gtalk
acl gtalk url_regex -i mail.google.com/mail/channel/bind
# NOTE(review): http_access is evaluated top-down, first match wins.
# The deny lines from here to "deny msn" sit ahead of the manager,
# Safe_ports and CONNECT rules below, so they apply to every client,
# including the sources allowed later.
http_access deny gtalk
### Block AOL and YAHOO
acl aolyahoo dstdomain login.oscar.aol.com
acl aolyahoo dstdomain pager.yahoo.com
acl aolyahoo dstdomain shttp.msg.yahoo.com
acl aolyahoo dstdomain update.messenger.yahoo.com
acl aolyahoo dstdomain update.pager.yahoo.com
# Only the AOL/Yahoo block exempts the liberated IPs; the two MSN
# denies below carry no !msn_livre and so hit those IPs as well.
http_access deny aolyahoo !msn_livre
http_access deny msn_web
http_access deny msn
# may access everything
acl ips_liberados src "/etc/squid/ips_liberados"
# may access nothing
acl ips_proibidos src "/etc/squid/ips_proibidos"
# fully allowed destination hosts
acl hosts_liberados dst "/etc/squid/hosts_liberados"
# fully blocked destination hosts
acl hosts_proibidos dst "/etc/squid/hosts_proibidos"
# lab URLs
acl liberadas_lab url_regex "/etc/squid/liberadas_lab"
acl proibidas_lab url_regex -i "/etc/squid/proibidas_lab"
# lab IPs
acl intranet_lab src 192.168.5.0/255.255.255.0

# Cache manager from localhost only; refuse non-Safe_ports destinations
# and CONNECT to anything but SSL_ports.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Liberated-IP rules: allowed everything except what the deny lines
# above already matched.
http_access allow ips_liberados
http_access allow hosts_liberados
http_access deny ips_proibidos

# Lab intranet. "deny intranet_lab gtalk" is redundant: gtalk is already
# denied for everyone by the earlier "http_access deny gtalk".
http_access deny intranet_lab gtalk
http_access allow intranet_lab liberadas_lab
http_access deny intranet_lab proibidas_lab
http_access deny intranet_lab hosts_proibidos
http_access allow intranet_lab

# special-IP rules
# allowed-host rules ("allow hosts_liberados" repeats the line above
# and is never reached with a different outcome)
http_access allow hosts_liberados
http_access deny hosts_proibidos
# NOTE(review): there is no final "http_access deny all". When no rule
# matches, Squid applies the opposite of the last rule, which is a deny
# here, so unmatched clients are implicitly ALLOWED. The teachers' LAN
# (192.168.6.0/24, redirected to this proxy by iptables) has no src ACL
# of its own and is admitted only by that fallback. Add an explicit
# allow for the intended sources and then "http_access deny all" as the
# last http_access line.

# ICP queries and cache misses accepted from any source
icp_access allow all
miss_access allow all

#logfile_rotate 4


# Portuguese error pages
error_directory /usr/share/squid/errors/Portuguese

