Seguem os arquivos do squid.conf e iptables:
==============squid.conf==================
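# Squid (2.x-style directives) running as a transparent proxy for the
# 192.168.0.0/24 LAN; firewall.sh REDIRECTs LAN port-80 traffic to port 3128.
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
# NOTE(review): no "auth_param basic program" and no proxy_auth ACL appear in
# this file, so these three lines configure an authenticator nothing uses.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
# Restored to one line (it was split across two lines in the original).
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# Clients behind the proxy: the same range firewall.sh redirects and NATs.
acl localnet src 192.168.0.0/24
# ports
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# end of ports
# -------------------------------------------------
# src
acl servidor src 192.168.0.1
# proto
acl ftp proto FTP
# -------------------------------------------------
# dstdomain
#acl block_dstdomain url_regex -i "/etc/squid/bloqueio"
acl block_dstdomain dstdomain "/etc/squid/bloqueio"
acl aceitar_dom dstdomain "/etc/squid/aceitar"
# ------------------------------------------------
# url_regex
acl block_url url_regex -i "/etc/squid/bloqurl"
# ------------------------------------------------
# Download size limit (max 20 MB) - disabled
#reply_body_max_size 21457280 allow all
# ----------------------------------------------------------------
# Time window during which the block lists are lifted
acl horario time 00:30-05:59
# ----------------------------------------------------------------
# Access rules. The first matching line wins, so the protocol-level denies
# must come before any allow. The original file placed "allow aceitar_dom"
# and "allow servidor" above the Safe_ports/CONNECT checks, which let those
# sources reach any destination port and CONNECT to any port.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Block lists apply outside the "horario" window.
http_access deny block_dstdomain !horario
http_access deny block_url !horario
http_access allow aceitar_dom
# ------------------------------------------------
# Other
http_access allow servidor
http_access allow ftp
http_access allow localhost
# Only the LAN may use the proxy. The original ended in "http_access allow
# all", which turns this into an open proxy for any address able to reach
# port 3128; deny everything that did not match above.
http_access allow localnet
http_access deny all
http_reply_access allow all
# No cache_peer is defined in this file, so ICP is not needed.
icp_access deny all
visible_hostname ALOJANET
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid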
===============================================
===================firewall.sh=====================
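#!/bin/bash
# Gateway firewall: default-deny INPUT/FORWARD/OUTPUT, transparent redirect
# of LAN HTTP to the local Squid, and NAT for the LAN towards both uplinks.
# Must run as root. Re-running is safe: every table used below is flushed
# first (the original did not flush mangle, so each run appended duplicate
# TOS/TCPMSS rules there).
set -u

# Site parameters; the values are the ones the original rules hard-coded.
readonly LAN_NET="192.168.0.0/24"
readonly WAN_IF="ppp0"
readonly SNAT_IF="eth1"
readonly SNAT_IP="192.168.4.67"
readonly SQUID_PORT="3128"
# The one LAN host the original explicitly let reach the proxy port and the WAN.
readonly SQUID_HOST="192.168.0.14"
readonly ADMIN_SSH_SCRIPT="/etc/firewall/admin/adminssh.sh"
readonly ADMIN_PORT_SCRIPT="/etc/firewall/admin/adminporta.sh"

#######################################
# Run a helper script kept outside this file.
# Arguments: $1 - path of the helper
# Outputs:   warning on stderr when the helper is missing (the original let
#            bash print "No such file" and carried on silently)
#######################################
run_helper() {
  local script=$1
  if [[ -x "$script" ]]; then
    "$script"
  else
    printf 'firewall.sh: helper %s missing or not executable, skipping\n' "$script" >&2
  fi
}

## Remove any rules that may already exist
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#### Policies ####
## Drop every packet that is not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

## Loopback
iptables -A INPUT -i lo -j ACCEPT
## Only replies to connections opened from this host
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## ICMP, rate limited per minute
iptables -A INPUT -p icmp -m limit --limit 3/m --limit-burst 3 -j ACCEPT
## SSH for the administrators (rules live in the helper script)
run_helper "$ADMIN_SSH_SCRIPT"
# Block traceroute (disabled)
#iptables -A INPUT -p udp -s 0/0 -i eth0 --dport 33435:33525 -j DROP
# Stealth port-scan probes, rate limited (one line; it was wrapped in the original)
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Packets conntrack cannot classify
iptables -A INPUT -m state --state INVALID -j DROP
# Anti-spoofing: LAN addresses must not arrive on these interfaces.
# NOTE(review): if the LAN itself hangs off eth0 or eth1, the matching rule
# below drops every LAN packet addressed to this host, including the HTTP
# connections REDIRECTed to Squid; only SQUID_HOST gets through because its
# ACCEPT is inserted (-I) above these rules. Confirm the LAN interface.
iptables -A INPUT -s "$LAN_NET" -i eth1 -j DROP
iptables -A INPUT -s "$LAN_NET" -i eth0 -j DROP
iptables -A INPUT -s "$LAN_NET" -i "$WAN_IF" -j DROP
## Log dropped packets with the "Firewall: " prefix (disabled)
#iptables -A INPUT -j LOG --log-prefix "Firewall: "

#### OUTPUT ####
# Minimise delay for DNS-over-TCP, HTTP and HTTPS leaving through the WAN link
for port in 53 80 443; do
  iptables -t mangle -A OUTPUT -o "$WAN_IF" -p tcp --dport "$port" -j TOS --set-tos Minimize-Delay
done
# Let this host open connections to other machines
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

### PREROUTING ### (send LAN HTTP to Squid)
# NOTE(review): the redirected connections are delivered to INPUT, where
# nothing in this file accepts NEW connections to SQUID_PORT except the
# SQUID_HOST rule further down; unless a helper script adds one, other LAN
# hosts never reach the proxy.
iptables -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
# aMule port forwards (disabled)
#echo "liberando portas do aMule para Desktop..."
#iptables -t nat -A PREROUTING -i ppp0 -p TCP --dport 4662 -j DNAT --to-destination 192.168.0.159
#iptables -t nat -A PREROUTING -i ppp0 -p TCP -m multiport --dports 4662,18226,443,4661,4462,4242,3306 -j DNAT --to-destination 192.168.0.159
#iptables -t nat -A PREROUTING -i ppp0 -p UDP -m multiport --dports 4672,43166,4665,4465,4468,4246,3310 -j DNAT --to-destination 192.168.0.159
#iptables -t nat -A PREROUTING -i ppp0 -p UDP --dport 1024 -j DNAT --to-destination 192.168.0.159
#iptables -t nat -A FORWARD -i ppp0 -d 192.168.0.159 -j ACCEPT
#echo "Portas liberadas com sucesso"
#

### FORWARD ###
# Connection tracking (one line; it was wrapped in the original)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
##
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
## Administrators' forwarding rules (helper script)
run_helper "$ADMIN_PORT_SCRIPT"
# Blocking a few things (disabled)
#iptables -A FORWARD -m p2p -j DROP
#iptables -A FORWARD -m p2p --p2p-protocol fasttrack -j DROP
## Squid user and the other link: SQUID_HOST may forward to the WAN and is
## inserted at the top of INPUT so it reaches the proxy port directly.
iptables -A FORWARD -s "$SQUID_HOST" -o "$WAN_IF" -j ACCEPT
iptables -I INPUT -s "$SQUID_HOST" -p tcp --dport "$SQUID_PORT" -j ACCEPT

#### POSTROUTING ####
## Internet sharing
iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$SNAT_IF" -p udp -j SNAT --to "$SNAT_IP"
iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$SNAT_IF" -p tcp -j SNAT --to "$SNAT_IP"
iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
#iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400 -j TCPMSS --clamp-mss-to-pmtu
# Clamp MSS on the PPP link
iptables -t mangle -A POSTROUTING -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1412

### Enable IP forwarding ###
echo 1 > /proc/sys/net/ipv4/ip_forward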
Atenciosamente
Carlos Beltrame - Coordenador Geral
VII Reunião Nacional de Ramos IEEE
http://www.ieee.org/go/rnr2009
Fone: 18-9795-5271
Skype: zebacking
MSN: c_beltrame@hotmail.com
----- Mensagem encaminhada ----
De: Carlos Beltrame <beltrame@ieee.org>
Para: lista debian <debian-user-portuguese@lists.debian.org>
Enviadas: Sábado, 30 de Maio de 2009 13:27:13
Assunto: IPTABLES+SQUID+Vista
Olá, tenho uma rede rodando Debian Lenny com Squid transparente e, dos 50 micros na rede, tem dois com Windows Vista que, quando rodo o proxy transparente, não navegam. Alguém já passou por isso? Sabem como resolver? Obrigado.
Atenciosamente
Carlos Beltrame - Coordenador Geral
VII Reunião Nacional de Ramos IEEE
http://www.ieee.org/go/rnr2009
Fone: 18-9795-5271
Skype: zebacking
MSN: c_beltrame@hotmail.com