
Re: help with iptables+squid



Beltrame,

Comment out the following line in your firewall script:

#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE

That isn't helping you; you are already doing N:1 NAT with the following rules
in your script:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3

Only use "MASQUERADE" when the outgoing IP is dynamic; in your case it is fixed.


2010/4/28 Carlos Beltrame <beltrame@ieee.org>:
> Hi everyone, it's me again with more problems, asking for help =]
> The internet signal arrives via radio on eth1, configured as 192.168.4.3, and
> is shared through the firewall to my 192.168.0.0/24 network. The intention is
> to run transparent squid, and it even works, but the network is slow; access
> to sites and downloads is slow, whereas when I connect my PC directly to the
> AP that receives the outside signal, the net flies hahaha. MSN especially:
> when it connects, it stays connected for about 2 minutes and then drops.
> Anyway, below are my firewall.sh and my squid.conf; I'd like to know whether
> there is a way to improve performance, or whether something is wrong. I tried
> to comment my intention on each line below:
>
> ==============firewall====================
> #!/bin/bash
>
> ## Delete any rules that may exist
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> #### Policy rules ####
>
> ## Block any packet that is not explicitly permitted
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> ## Allow access to the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
>
> ## Only allow incoming replies to outgoing connections
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # protection against stealth port scanners
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
>
> # Protection against attacks
> iptables -A INPUT -m state --state INVALID -j DROP
>
> # setting minimum delay
> iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 443 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 10000 -j TOS --set-tos Minimize-Delay
>
> #### OUTPUT ####
> # Allow the server to access other machines
> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> ### PREROUTING ###
> iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 80 -j REDIRECT --to-port 3128
>
> ### FORWARD ###
>
> # Connection tracking (accept packets for already established connections)
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ## Redirect the administrators' traffic
> /etc/firewall/admin/adminporta.sh
> /etc/firewall/admin/adminssh.sh
>
> ## Redirect the squid users' traffic and the other bus
> # example:
> # iptables -I INPUT -s 192.168.0.106 -p tcp --dport 3128 -j ACCEPT
> # iptables -A FORWARD -s 192.168.0.106 -o eth1 -j ACCEPT
> /etc/firewall/liberados/liberados.sh
>
> #### POSTROUTING ####
>
> ## Internet sharing
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3
>
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
> iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS -o eth1 --set-mss 1412
>
> ### Enable the module responsible for packet forwarding ###
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ========================================================================
>
>
> ====================squid.conf===========================
> http_port 3128 transparent
> visible_hostname INTERNET
>
> cache_mem 512 MB
> maximum_object_size_in_memory 64 KB
> maximum_object_size 700 MB
> minimum_object_size 0 KB
>
> cache_swap_low 90
> cache_swap_high 95
>
> cache_dir ufs /var/spool/squid  50000 16 256
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
>
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> hosts_file /etc/hosts
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443          # https
> acl SSL_ports port 563          # snews
> acl SSL_ports port 873          # rsync
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 631         # cups
> acl Safe_ports port 873         # rsync
> acl Safe_ports port 901         # SWAT
> acl Safe_ports port 6881
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl servidor src 192.168.0.1
>
> acl horario time 00:30-06:00
> acl proibir_dominio dstdomain "/etc/squid/bloqueio"
> acl proibir_url url_regex -i "/etc/squid/bloqurl"
>
> acl aceitar_dom dstdomain "/etc/squid/aceitar"
>
> http_access deny proibir_dominio !horario
> http_access deny proibir_url !horario
>
> http_access allow aceitar_dom
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow servidor
> http_access allow all
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/spool/squid
> ===========================================================
>
> I hope I was clear; awaiting your reply, big hug.
>
> Yours Truly
> Carlos Beltrame - Electrical Engineer
> IEEE - HTC Brazilian Representative
> Mobile: +55 18-9795-5271
> MSN   : c_beltrame@hotmail.com
> Skype : zebacking
> UNESP - Campus of Ilha Solteira
>
>
>



-- 
-
Catulo Kruuse Hansen
LPI000199593
LPIC-2
CompTIA Linux+
CLA (Novell Certified Linux Administrator)
Data Center Technical Specialist
catulohansen.blogspot.com
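As an added example (not code from either message), here is a small Python audit of the POSTROUTING rules quoted above: it parses them in order, reports which protocols the per-protocol SNAT rules already translate before the trailing MASQUERADE rule is ever reached, and renders the single SNAT rule the reply recommends for a fixed egress address. The function names and the embedded rule text are constructed here.

```python
import shlex

# Constructed sample: the POSTROUTING rules quoted from firewall.sh above,
# with the mail-wrapped commands joined back onto single lines.
FIREWALL_SH = """
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
"""

OPTS = {"-t", "-A", "-s", "-o", "-p", "-j", "--to"}

def parse_nat_postrouting(script):
    """Return the 'iptables -t nat -A POSTROUTING' rules of a script, in order,
    each as a dict of option -> value (only the options in OPTS are kept)."""
    rules = []
    for line in script.splitlines():
        argv = shlex.split(line, comments=True)
        if argv[:1] != ["iptables"]:
            continue
        opts = {argv[i]: argv[i + 1] for i in range(1, len(argv) - 1) if argv[i] in OPTS}
        if opts.get("-t") == "nat" and opts.get("-A") == "POSTROUTING":
            rules.append(opts)
    return rules

def masquerade_findings(rules):
    """For every MASQUERADE rule, list the protocols that earlier SNAT rules with
    the same -s and -o already translate. NAT rules are matched in order, so the
    MASQUERADE rule only ever sees traffic those SNAT rules did not claim."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.get("-j") != "MASQUERADE":
            continue
        covered = sorted({r["-p"] for r in rules[:idx]
                          if r.get("-j") == "SNAT" and "-p" in r
                          and r.get("-s") == rule.get("-s")
                          and r.get("-o") == rule.get("-o")})
        findings.append({"index": idx, "source": rule.get("-s"),
                         "egress": rule.get("-o"), "snat_already_covers": covered})
    return findings

def egress_nat_rule(source, iface, egress_ip=None):
    """Render the single POSTROUTING rule the reply recommends: SNAT to the fixed
    address when it is known, MASQUERADE only when the egress address is dynamic."""
    base = f"iptables -t nat -A POSTROUTING -s {source} -o {iface}"
    return f"{base} -j SNAT --to {egress_ip}" if egress_ip else f"{base} -j MASQUERADE"

if __name__ == "__main__":
    for f in masquerade_findings(parse_nat_postrouting(FIREWALL_SH)):
        print(f"MASQUERADE rule #{f['index']}: SNAT already handles "
              f"{f['snat_already_covers']} from {f['source']} out {f['egress']}")
    print(egress_nat_rule("192.168.0.0/24", "eth1", "192.168.4.3"))
```

Run against the quoted script it shows that tcp and udp from 192.168.0.0/24 out eth1 never reach the MASQUERADE rule, which is why the reply treats it as dead weight for this setup.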

