Re: Bloquear msn y Hotmail...

To: Ariel Nardelli <panflin@arnet.com.ar>
Cc: debian-user-spanish@lists.debian.org
Subject: Re: Bloquear msn y Hotmail...
From: Polkan Garcia <pagarcia@slcolombia.org>
Date: Tue, 26 Aug 2003 10:21:29 -0500
Message-id: <[🔎] 1061911289.11309.41.camel@igloo.idct.gov.co>
In-reply-to: <[🔎] 3F4AF599.2080706@arnet.com.ar>
References: <[🔎] 3F4AF599.2080706@arnet.com.ar>
Buenos dias.

Pues yo lo haria asi, mas o menos:
El messenger de hotmail funciona por puerto 1863, entonces seria con
iptables lo primero que quitaria, con una instruccion como la siguiente:
 
iptables -A FORWARD -p udp --dport 1863 -j REJECT
iptables -A FORWARD -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -d 64.4.13.0/24 -j REJECT

Despues para lo del squid, pensaria en usar un archivo de texto para
bloquear las palabras de los dominios/ips a prohibir, algo como esto
dentro de tu squid.conf :

#Regla para evitar webmails
acl banear url_regex "/etc/squid/ban"
acl nobanear url_regex "/etc/squid/noban"
http_access deny banear !nobanear

Con lo anterior dentro del squid.conf, solo te quedaria crear un archivo
en el /etc/squid que se llame ban y otro noban con permiso de lectura
para el usuario que lanza el squid (por lo regular squid o nobody).
En el ban escribes las palabras que quieres banear, por ejemplo mi
archivo podria ser:
microsoft
hotmail
sex
..etc...
y asi cuando el squid encuentre cualquier coincidencia con ese archivo
de texto mostraria el mensaje de error.
En el archivo noban, escribes las excepciones, por ejemplo, arriba
baneamos la palabra "sex" pero si alguien desea entrar a
windowsexplorer.com por ejemplo, se arma la palabra sex dentro del url,
entonces escribes ese dominio dentro del archivo ban y asi permites que
funcione.

Espero te sea util.

 
Cordialmente, 


El mar, 26-08-2003 a las 00:52, Ariel Nardelli escribió:
> Hola Gente...
> 
> Bueno, tengo una red interna la cual hace nat para salir a internet y el 
> squid como proxy para la red interna...
> 
> Lo que yo quiero es BLOQUEAR para que no puedan usar el msn ni que 
> tampoco puedan acceder a hotmail ni a yahoo.com entre otros, o sea no 
> dejar que accedan a ver los correos por webmail...
> Eso lo tengo que hacer por que los que trabajan aca hicieron entrar un 
> virus bajandose una de las cosas de hotmail (esos archivos 
> atacheados....) y tambien se quiere bloquear para que no puedan usar msn...
> 
> Que debo hacer? como bloqueo los puertos para el msn y tambien como hago 
> que el Squid me bloquee para que no me deje ver las paginas de hotmail.?
> 
> Aca va mi squid.conf y mi rc.iptables para que vean como lo tengo ahora..
> 
> Dicho sea de paso, por mas que fuerzo a que lo que sea https o sea 
> puerto 81 (hago el forward del puerto al squid) no logro que el squid me 
> procese las paginas https y me queda "dando vueltas" sin dejarmelas 
> ver.. por que puede ser?
> 
> -----------rc.iptables...
> #!/bin/sh
> #
> # rc.firewall-2.4-stronger
> FWVER=0.63s
> 
> #          An example of a stronger IPTABLES firewall with IP Masquerade
> #          support for 2.4.x kernels. 
> #
> # Log:
> #       0.63s - Added support for the IRC module
> #       0.62s - Initial version based upon the basic 2.4.x rc.firewall
> 
> 
> echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
> 
> 
> #Setting the EXTERNAL and INTERNAL interfaces for the network
> #
> #  Each IP Masquerade network needs to have at least one
> #  external and one internal network.  The external network
> #  is where the natting will occur and the internal network
> #  should preferably be addressed with a RFC1918 private address
> #  scheme.
> #
> #  For this example, "eth0" is external and "eth1" is internal"
> #
> #  NOTE:  If this doesnt EXACTLY fit your configuration, you must
> #         change the EXTIF or INTIF variables above. For example:
> #
> #               EXTIF="ppp0"
> #
> #            if you are a modem user.
> #
> EXTIF="ppp0"
> INTIF="eth0"
> echo "  External Interface:  $EXTIF"
> echo "  Internal Interface:  $INTIF"
> echo "  ---"
> 
> # Specify your Static IP address here or let the script take care of it
> # for you.
> #
> #   If you prefer to use STATIC addresses in your firewalls, un-# out the
> #   static example below and # out the dynamic line.  If you don't care,
> #   just leave this section alone.
> #
> #   If you have a DYNAMIC IP address, the ruleset already takes care of
> #   this for you.  Please note that the different single and double quote
> #   characters and the script MATTER.
> #
> #
> #   DHCP users:
> #   -----------
> #   If you get your TCP/IP address via DHCP, **you will need ** to 
> enable the
> #   #ed out command below underneath the PPP section AND replace the word
> #   "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0,
> #   etc) on the lines for "ppp-ip" and "extip".  You should also note 
> that the
> #   DHCP server can and will change IP addresses on you.  To deal with 
> this,
> #   users should configure their DHCP client to re-run the rc.firewall 
> ruleset
> #   everytime the DHCP lease is renewed.
> #
> #     NOTE #1:  Some DHCP clients like the original "pump" (the newer
> #               versions have been fixed) did NOT have the ability to run
> #               scripts after a lease-renew.  Because of this, you need to
> #               replace it with something like "dhcpcd" or "dhclient".
> #
> #     NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.
> #
> #               Older versions used syntax like:
> #                         dhcpcd -c /etc/rc.d/rc.firewall eth0
> #
> #               Newer versions execute a file called 
> /etc/dhcpc/dhcpcd-eth0.exe
> #
> #     NOTE #3:  For Pump users, put the following line in /etc/pump.conf:
> #
> #                   script /etc/rc.d/rc.firewall
> #
> #   PPP users:
> #   ----------
> #   If you aren't already aware, the /etc/ppp/ip-up script is always run 
> when
> #   a PPP connection comes up.  Because of this, we can make the ruleset 
> go and
> #   get the new PPP IP address and update the strong firewall ruleset.
> #
> #   If the /etc/ppp/ip-up file already exists, you should edit it and 
> add a line
> #   containing "/etc/rc.d/rc.firewall" near the end of the file.
> #
> #   If you don't already have a /etc/ppp/ip-up sccript, you need to 
> create the
> #   following link to run the /etc/rc.d/rc.firewall script.
> #
> #       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
> #
> #   * You then want to enable the #ed out shell command below *
> #
> #
> # Determine the external IP automatically:
> # ----------------------------------------
> #
> EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | 
> sed -e 's/.*://'`"
> 
> # For users who with to use STATIC IP addresses:
> #
> #  # out the EXTIP line above and un-# out the EXTIP line below
> #
> #EXTIP="your.static.PPP.address"
> echo "  External IP: $EXTIP"
> echo "  ---"
> 
> 
> # Assign the internal TCP/IP network and IP address
> INTNET="192.168.0.0/24"
> INTIP="192.168.0.2/24"
> PORTFWIP="192.168.0.2"
> echo "  Internal Network: $INTNET"
> echo "  Internal IP:      $INTIP"
> echo "  Apache LAN IP:    $PORTFWIP"
> echo "  ---"
> 
> 
> # The location of various iptables and other shell programs
> #
> #   If your Linux distribution came with a copy of iptables, most
> #   likely it is located in /sbin.  If you manually compiled
> #   iptables, the default location is in /usr/local/sbin
> #
> # ** Please use the "whereis iptables" command to figure out
> # ** where your copy is and change the path below to reflect
> # ** your setup
> #
> IPTABLES=/sbin/iptables
> #IPTABLES=/usr/local/sbin/iptables
> #
> LSMOD=/sbin/lsmod
> GREP=/bin/grep
> AWK=/usr/bin/awk
> 
> 
> # Setting a few other local variables
> #
> UNIVERSE="0.0.0.0/0"
> 
> #======================================================================
> #== No editing beyond this line is required for initial MASQ testing ==
> 
> # Need to verify that all modules have all required dependencies
> #
> echo "  - Verifying that all kernel modules are ok"
> /sbin/depmod -a
> 
> echo -en "    Loading kernel modules: "
> 
> # With the new IPTABLES code, the core MASQ functionality is now either
> # modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
> # options as MODULES.  If your kernel is compiled correctly, there is
> # NO need to load the kernel modules manually. 
> #
> #  NOTE: The following items are listed ONLY for informational reasons.
> #        There is no reason to manual load these modules unless your
> #        kernel is either mis-configured or you intentionally disabled
> #        the kernel module autoloader.
> #
> 
> # Upon the commands of starting up IP Masq on the server, the
> # following kernel modules will be automatically loaded:
> #
> # NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
> #        modules are shown below but are commented out from loading.
> # ===============================================================
> 
> #Load the main body of the IPTABLES module - "iptable"
> #  - Loaded automatically when the "iptables" command is invoked
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "ip_tables, "
> #
> #Verify the module isn't loaded.  If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
>    /sbin/insmod ip_tables
> fi
> 
> 
> #Load the IPTABLES filtering module - "iptable_filter"
> #
> #  - Loaded automatically when filter policies are activated
> 
> 
> #Load the stateful connection tracking framework - "ip_conntrack"
> #
> # The conntrack  module in itself does nothing without other specific
> # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
> # module
> #
> #  - This module is loaded automatically when MASQ functionality is
> #    enabled
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "ip_conntrack, "
> #
> #Verify the module isn't loaded.  If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
>    /sbin/insmod ip_conntrack
> fi
> 
> 
> #Load the FTP tracking mechanism for full FTP tracking
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -e "ip_conntrack_ftp, "
> #
> #Verify the module isn't loaded.  If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
>    /sbin/insmod ip_conntrack_ftp
> fi
> 
> 
> #Load the IRC tracking mechanism for full IRC tracking
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -en "                             ip_conntrack_irc, "
> #
> #Verify the module isn't loaded.  If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
>    /sbin/insmod ip_conntrack_irc
> fi
> 
> 
> #Load the general IPTABLES NAT code - "iptable_nat"
> #  - Loaded automatically when MASQ functionality is turned on
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "iptable_nat, "
> #
> #Verify the module isn't loaded.  If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
>    /sbin/insmod iptable_nat
> fi
> 
> 
> #Loads the FTP NAT functionality into the core IPTABLES code
> # Required to support non-PASV FTP.
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -e "ip_nat_ftp"
> #
> #Verify the module isn't loaded.  If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
>    /sbin/insmod ip_nat_ftp
> fi
> 
> echo "  ---"
> 
> # Just to be complete, here is a list of the remaining kernel modules
> # and their function.  Please note that several modules should be only
> # loaded by the correct master kernel module for proper operation.
> # --------------------------------------------------------------------
> #
> #    ipt_mark       - this target marks a given packet for future action.
> #                     This automatically loads the ipt_MARK module
> #
> #    ipt_tcpmss     - this target allows to manipulate the TCP MSS
> #                     option for braindead remote firewalls.
> #                     This automatically loads the ipt_TCPMSS module
> #
> #    ipt_limit      - this target allows for packets to be limited to
> #                     to many hits per sec/min/hr
> #
> #    ipt_multiport  - this match allows for targets within a range
> #                     of port numbers vs. listing each port individually
> #
> #    ipt_state      - this match allows to catch packets with various
> #                     IP and TCP flags set/unset
> #
> #    ipt_unclean    - this match allows to catch packets that have invalid
> #                     IP/TCP flags set
> #
> #    iptable_filter - this module allows for packets to be DROPped,
> #                     REJECTed, or LOGged.  This module automatically
> #                     loads the following modules:
> #
> #                     ipt_LOG - this target allows for packets to be
> #                               logged
> #
> #                     ipt_REJECT - this target DROPs the packet and returns
> #                                  a configurable ICMP packet back to the
> #                                  sender.
> #
> #    iptable_mangle - this target allows for packets to be manipulated
> #                     for things like the TCPMSS option, etc.
> 
> 
> #CRITICAL:  Enable IP forwarding since it is disabled by default since
> #
> #           Redhat Users:  you may try changing the options in
> #                          /etc/sysconfig/network from:
> #
> #                       FORWARD_IPV4=false
> #                             to
> #                       FORWARD_IPV4=true
> #
> echo "  Enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> 
> # Dynamic IP users:
> #
> #   If you get your IP address dynamically from SLIP, PPP, or DHCP,
> #   enable this following option.  This enables dynamic-address hacking
> #   which makes the life with Diald and similar programs much easier.
> #
> echo "  Enabling DynamicAddr.."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> 
> echo "  ---"
> 
> #############################################################################
> #
> # Enable Stronger IP forwarding and Masquerading
> #
> #  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
> #
> #  NOTE #2:  The following is an example for an internal LAN address in the
> #            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet
> #            mask connecting to the Internet on external interface "eth0". 
> #            This example will MASQ internal traffic out to the Internet
> #            not not allow non-initiated traffic into your internal network.
> #
> #           
> #         ** Please change the above network numbers, subnet mask, and your
> #         *** Internet connection interface name to match your setup
> #        
> 
> #Clearing any previous configuration
> #
> #  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP.
> #
> #    You CANNOT change this to REJECT as it isn't a vaild setting for a
> #    policy.  If you want REJECT, you must explictly REJECT at the end
> #    of a giving INPUT, OUTPUT, or FORWARD chain
> #
> echo "  Clearing any existing rules and setting default policy to DROP.."
> $IPTABLES -P INPUT DROP 
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT DROP 
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP 
> $IPTABLES -F FORWARD
> $IPTABLES -F -t nat
> #Not needed and it will only load the unneeded kernel module
> #$IPTABLES -F -t mangle
> #
> # Flush the user chain.. if it exists
> if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
>    $IPTABLES -F drop-and-log-it
> fi
> #
> # Delete all User-specified chains
> $IPTABLES -X
> #
> # Reset all IPTABLES counters
> $IPTABLES -Z
> 
> 
> #Configuring specific CHAINS for later use in the ruleset
> #
> #  NOTE:  Some users prefer to have their firewall silently
> #         "DROP" packets while others prefer to use "REJECT"
> #         to send ICMP error messages back to the remote
> #         machine.  The default is "REJECT" but feel free to
> #         change this below.
> #
> # NOTE: Without the --log-level set to "info", every single
> #       firewall hit will goto ALL vtys.  This is a very big
> #       pain.
> #
> echo "  Creating a DROP chain.."
> $IPTABLES -N drop-and-log-it
> #$IPTABLES -A drop-and-log-it -j LOG --log-level 3
> #$IPTABLES -A drop-and-log-it -j LOG
> $IPTABLES -A drop-and-log-it -j DROP
> 
> echo -e "\n   - Loading INPUT rulesets"
> 
> #######################################################################
> # INPUT: Incoming traffic from various internfaces.  All rulesets are
> #        already flushed and set to a default policy of DROP.
> #
> 
> # loopback interfaces are valid.
> #
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> 
> 
> # local interface, local machines, going anywhere is valid
> #
> $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> 
> # regla de entrada para la interfase del VMware (vmnet8)
> #
> #$IPTABLES -A INPUT -i vmnet8 -s 172.16.83.1/32 -d 172.16.83.1/24 -j ACCEPT
> 
> # regla en la intranet para permitir broadcast dhcp
> #
> $IPTABLES -A INPUT -i $INTIF -s $UNIVERSE -d 255.255.255.255/32 -j ACCEPT
> 
> # permito acceso a dhcp solo a PCs de la LAN
> #
> $IPTABLES -A INPUT -i $INTIF -s $UNIVERSE -d $INTNET -p udp --dport 67 
> -j ACCEPT
> $IPTABLES -A INPUT -i $INTIF -s $UNIVERSE -d $INTNET -p udp --dport 68 
> -j ACCEPT
> 
> # permito acceso desde inet (sólo un host) via ftp (port 21)
> #
> #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 21 
> -j ACCEPT
> 
> # permito acceso desde inet via ssh (port 22)
> #
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 22 -j 
> ACCEPT
> 
> # permito acceso desde inet a mi proxy (port 3128)
> #
> # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 
> 3128 -j ACCEPT
> 
> # permito acceso desde inet a sendmail (port 25)
> #
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 25 -j 
> ACCEPT
> 
> # permito acceso desde inet a clientes ICQ 
> #
> #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 
> 1075:1085  -j ACCEPT
> #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 
> 4000:4100  -j ACCEPT
> 
> # Permito acceso al port 24554 que creo es el binkd
> # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 
> 24554 -j ACCEPT
> 
> # permito acceso al port 4662 para eDonkey
> # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 
> 4661 -j ACCEPT
> # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 
> 4662 -j ACCEPT
> # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p udp --dport 
> 4666 -j ACCEPT
> 
> # permito acceso desde inet al port 80
> #
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 80 -j 
> ACCEPT
> # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 
> 3128 -j ACCEPT
> 
> # remote interface, claiming to be local machines, IP spoofing, get lost
> #
> $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
> 
> # external interface, from any source, for ICMP traffic is valid
> #
> #  If you would like your machine to "ping" from the Internet,
> #  enable this next line
> #
> $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> 
> # remote interface, any source, going to permanent PPP address is valid
> #
> #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
> 
> # Allow any related traffic coming back to the MASQ serer in
> #
> $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
> ESTABLISHED,RELATED -j ACCEPT
> 
> # Catch all rule, all other incoming is denied and logged.
> #
> $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
> 
> 
> echo -e "   - Loading OUTPUT rulesets"
> 
> #######################################################################
> # OUTPUT: Outgoing traffic from various internfaces.  All rulesets are
> #         already flushed and set to a default policy of DROP.
> #
> 
> # loopback interface is valid.
> #
> $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> 
> 
> # local interfaces, any source going to local net is valid
> #
> $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
> 
> 
> # local interface, any source going to local net is valid
> #
> $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
> 
> # regla de salida para la interfase del VMware (vmnet8)
> #
> # $IPTABLES -A OUTPUT -o vmnet8 -s 172.16.83.1/32 -d 172.16.83.1/24 -j 
> ACCEPT
> 
> # regla de salida para la interfase del VMware (vmnet8)
> #
> # $IPTABLES -A OUTPUT -o $INTIF -s $UNIVERSE -d 255.255.255.255/32 -j ACCEPT
> 
> # outgoing to local net on remote interface, stuffed routing, deny
> #
> $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
> 
> 
> # anything else outgoing on remote interface is valid
> #
> $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
> 
> 
> # Catch all rule, all other outgoing is denied and logged.
> #
> $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
> 
> 
> echo -e "   - Loading FORWARD rulesets"
> 
> #######################################################################
> # FORWARD: Enable Forwarding and thus IPMASQ
> #
> 
> echo "     - FWD: Allow all connections OUT and only existing/related IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state 
> ESTABLISHED,RELATED \
> -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> 
> # Port forward del port 80 hacia una máquina de la LAN:
> # $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
> #  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> # $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
> # -j DNAT --to $PORTFWIP:80
> 
> # Proxy Transparente con Squid - Puerto 80
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
>  -j REDIRECT --to-port 3128
> 
> # Proxy Transparente con Squid - Puerto ftp
> # $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 21 \
> #  -j REDIRECT --to-port 3128
> 
> 
> $IPTABLES -A FORWARD -j drop-and-log-it
> 
> echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> #
> #More liberal form
> #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> #
> #Habilitar esta linea para nat a TODOS
> # $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
> 
> #Pc de Ariel
> $IPTABLES -t nat -A POSTROUTING -s 192.168.0.10 -o $EXTIF -j SNAT --to 
> $EXTIP
> 
> #Pc de Pato
> $IPTABLES -t nat -A POSTROUTING -s 192.168.0.12 -o $EXTIF -j SNAT --to 
> $EXTIP
> 
> #Pc de Gaston
> #$IPTABLES -t nat -A POSTROUTING -s 192.168.0.15 -o $EXTIF -j SNAT --to 
> $EXTIP
> 
> #Pc de Emilio
> #$IPTABLES -t nat -A POSTROUTING -s 192.168.0.18 -o $EXTIF -j SNAT --to 
> $EXTIP
> 
> #######################################################################
> 
> 
> echo -e "\nDone.\n"
> 
> --------------squid.conf
> http_port 3128
> icp_port 3130
> 
> #We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
> 
> #We recommend you to use the following two lines.
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> 
> cache_mem 16 MB
> 
> cache_dir ufs /var/spool/squid 3000 16 256
> 
> reference_age 1 week
> 
> #Recommended minimum configuration:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl all src 0.0.0.0/0.0.0.0
> # acl allowed_hosts src 192.168.0.0-192.168.0.115/255.255.255.255
> 
> acl lansrv src 192.168.0.1-192.168.0.5/255.255.255.255
> acl lansc  src 192.168.0.10-192.168.0.12/255.255.255.255 
> 192.168.0.15-192.168.0.16/255.255.255.255
> acl lancc  src 192.168.0.109/255.255.255.255 
> 192.168.0.17-192.168.0.19/255.255.255.255
> acl lansi  src 192.168.0.20-192.168.0.108/255.255.255.255 
> 192.168.0.110-192.168.0.255/255.255.255.255
> 
> # Control maximo
> # acl 2conn maxconn 2
> # http_access deny 2conn nono
> 
> # Baja velocidad por IP (Para grupo mio)
> delay_pools 2
> delay_class 1 2
> delay_class 2 2
> # delay_parameters 1 -1/-1 1000/1000 1000/1000 500/500 500/500
> delay_parameters 1 5500/5500 3000/3000 1500/1500 1000/1000
> delay_parameters 2 1000/1000 1000/1000 500/500 500/500
> delay_access 1 allow lansc
> delay_access 1 deny all
> delay_access 2 allow lancc
> delay_access 2 deny all
> 
> # acl desdeafuera src 0.0.0.0
> # http_access allow desdeafuera
> 
> acl SSL_ports port 443 563
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443 563    # https, snews
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl Safe_ports port 10000    # Webmin
> acl CONNECT method CONNECT
> 
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> 
> http_access allow localhost
> http_access allow lansrv 
> http_access deny all lansi
> 
> icp_access allow all
> icp_access allow lansrv lansc
> icp_access deny all lansi
> 
> # -------------------
> cache_mgr root
> 
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> ----------- fin
-- 
Polkan Garcia
Ingeniero de Sistemas 
GNU/Linux registered user #187701
BSD registered user #BSD05887
Free Software Foundation Member #1209
Attachment: signature.asc
Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente
Reply to:
References:
- Bloquear msn y Hotmail...
  - From: Ariel Nardelli <panflin@arnet.com.ar>
Prev by Date: Re: Plugin Java en Mozilla 1.0-Debian Woody
Next by Date: Re: ADSL y 2 Ethernet
Previous by thread: Bloquear msn y Hotmail...
Next by thread: Alias de correo en Kmail
Index(es):
- Date
- Thread