wb.negocios
(usa Ubuntu)
Enviado em 04/11/2011 - 12:58h
Olá,
+-- primeiramente - sou grato a Deus por tudo que tem feito na minha vida!
+-- Segundo - vou postar a minha contribuição aqui no fórum, pois eu também tenho recebido muita ajuda por aqui.
+-------- configurando firewall ubuntu 9.4 --------+
1 Passo - apague os programas de terceiros no "Canais de Software", e instale estes abaixo para que o apt-get update funcione.
deb http://old-releases.ubuntu.com/ubuntu/ jaunty main restricted
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-updates main restricted
deb http://old-releases.ubuntu.com/ubuntu/ jaunty universe
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-updates universe
deb http://old-releases.ubuntu.com/ubuntu/ jaunty multiverse
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-updates multiverse
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-security main restricted
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-security universe
deb http://old-releases.ubuntu.com/ubuntu/ jaunty-security multiverse
2 Passo - Abra o prompt de comando.
crie o usuário root: sudo passwd root, e defina a senha.
3 Passo - Logue como root.
4 Passo - apt-get install iptables, depois apt-get install squid, depois apt-get install sarg.
5 Passo – vá em sistema/preferências/conexões de rede, deixe a eth0 (recebe internet) como automático, e a eth1 (rede) como compartilhada.
6 Passo – vá para /etc/init.d (cd /etc/init.d), crie um arquivo “firewall” (ex.: gedit firewall) e insira:
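#!/bin/bash
############ Firewall / connection sharing (Ubuntu 9.04) ###############
########### Author: Fabricio A. Cunha ##################################
#
# Purpose: share the internet link on the external interface with the
# internal LAN (NAT masquerade), accept the LAN on the internal interface,
# and redirect the LAN's plain-HTTP traffic into the local Squid proxy
# (transparent proxy).
#
# Must run as root: loads kernel modules, writes /proc and changes
# iptables. No "set -e": a missing module only prints an error and the
# script carries on.
#
# Site parameters. NETWORK and SQUID_PORT must agree with squid.conf
# (acl redelocal / http_port).
NETWORK="10.42.43.0/24"   # internal LAN
WAN_IF="eth0"             # interface that receives the internet link
LAN_IF="eth1"             # interface of the shared internal network
SQUID_PORT="3128"         # port Squid listens on (http_port ... transparent)
# Default policy for INPUT and FORWARD. The original script used ACCEPT,
# which leaves every port of the server reachable from the external side
# and makes the ACCEPT rules below redundant. The rules only start to
# restrict anything once this is set to DROP; do that from the console,
# not over SSH, after adding any extra service you still need.
DEFAULT_POLICY="ACCEPT"

####### Load the netfilter modules ####################################
# Module names are the ones this guide's kernel uses; a module that is
# missing or already built in just prints an error.
for mod in ip_tables iptable_filter ip_conntrack ip_conntrack_ftp \
           iptable_nat ip_nat_ftp ipt_LOG ipt_state ipt_MASQUERADE \
           ipt_REJECT; do
  modprobe "$mod"
done

####### Start from a clean slate ######################################
# The flush has to come BEFORE any rule is added: the original script
# flushed the filter table after the loopback/LAN INPUT rules, silently
# discarding them. The nat table is flushed as well, so re-running the
# script does not append duplicate MASQUERADE/REDIRECT rules.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT   "$DEFAULT_POLICY"
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD "$DEFAULT_POLICY"

####### Share the connection (NAT) ####################################
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

####### Loopback and internal network #################################
iptables -A INPUT -i lo -j ACCEPT
# The original rule matched "-s $NETWORK -i lo", which can never match:
# LAN traffic arrives on the LAN interface, not on loopback. Everything
# the LAN sends to this server (Squid, MySQL 3306, ...) is accepted here,
# so the separate INPUT/OUTPUT rules for 3306 are no longer needed.
iptables -A INPUT -i "$LAN_IF" -s "$NETWORK" -j ACCEPT

####### Reply traffic #################################################
# Packets that belong to a connection already opened by the LAN or by
# this server are accepted in both chains. This replaces the
# "--sport N -s $NETWORK" rules of the original, which could not match
# replies (a reply comes from the remote host, so its source is not
# $NETWORK).
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

####### Ports the LAN may open towards the internet ###################
# 21 ftp, 22 ssh, 25 smtp, 53 dns (tcp), 80 http, 110 pop3, 443 https,
# 1863 msn, 3306 mysql. Port 80 is redirected into Squid below, so its
# entry only matters if that redirect is removed.
for port in 21 22 25 53 80 110 443 1863 3306; do
  iptables -A FORWARD -s "$NETWORK" -p tcp --dport "$port" -j ACCEPT
done

####### ICMP ##########################################################
# Echo requests are accepted on the LAN interface only (the original
# header said "external network", but its rule also named eth1).
iptables -A INPUT  -p icmp --icmp-type 8 -i "$LAN_IF" -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT

####### Transparent proxy #############################################
# Plain HTTP from the LAN is handed to Squid (http_port ... transparent).
iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
# The original also redirected 443 to the same port. A "transparent"
# http_port only understands plain HTTP; a TLS handshake sent to it is
# answered with an HTTP error, so HTTPS stopped working for every client.
# HTTPS is forwarded directly instead (FORWARD rule for 443 above).
# iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j REDIRECT --to-port "$SQUID_PORT"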
7 Passo – vá para /etc/squid (cd /etc/squid), abra o arquivo squid.conf e insira:
# Transparent Squid configuration (companion to the firewall script,
# which REDIRECTs the LAN's port-80 traffic to the port configured below)
# Author: Fabricio
# wb.negocios@gmail.com
# Error pages in Portuguese
error_directory /usr/share/squid/errors/Portuguese
# Listening address and port. Bound to the LAN address only, so the proxy
# is not reachable from the external interface. "transparent" handles
# intercepted plain HTTP only; do not redirect port 443 (TLS) to it.
http_port 10.42.43.1:3128 transparent
# Hostname shown in error pages
visible_hostname Fwlinux
# Memory and object-size limits of the cache
cache_mem 256 MB
maximum_object_size_in_memory 128 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
# Disk cache cleanup starts at 95% usage and stops at 90%
cache_swap_low 90
cache_swap_high 95
# Disk cache: 2048 MB, 16 first-level and 256 second-level directories
cache_dir ufs /var/spool/squid 2048 16 256
# Request log (directive name of the Squid version this guide targets;
# NOTE(review): newer releases spell it access_log -- confirm on upgrade)
cache_access_log /var/log/squid/access.log
# Freshness: min age 15 min, 20% (0% for gopher) of object age, max 2280 min
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# ACL definitions
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # high ports
acl purge method PURGE
acl CONNECT method CONNECT
# http_access lines are evaluated top to bottom; the first match decides.
# Cache manager and PURGE only from the server itself.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Only well-known ports, and CONNECT (tunnels) only to the SSL ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Keyword blocks. url_regex is an unanchored, case-insensitive regex over
# the whole URL, so every entry also blocks any URL that merely contains it.
acl palavraproibida url_regex -i "/etc/squid/palavraproibida"
http_access deny palavraproibida
# Site blocks by URL (same matching as above)
acl urlproibida url_regex -i "/etc/squid/urlproibida"
http_access deny urlproibida
# Allowed users, by source IP. NOTE(review): this allow comes AFTER the
# two deny lists, so these addresses are still subject to the keyword/URL
# blocks; if they are meant to bypass the blocks, move this allow above
# the two deny lines.
acl ipusuarioliberado src "/etc/squid/ipusuarioliberado"
http_access allow ipusuarioliberado
# Local network (must match NETWORK in the firewall script)
acl redelocal src 10.42.43.0/24
http_access allow localhost
http_access allow redelocal
# Everything not matched above is refused
http_access deny all
8 Passo – crie os arquivos:
palavraproibida – ex: sexo, drogas etc
urlproibida – ex:
www.uol.com.br
ipusuarioliberado – ex: 10.42.43.x
9 Passo – como fica o ip da máquina local
IP- 10.42.43.x
Máscara- 255.255.255.0
Gateway- 10.42.43.1
dns- 10.42.43.1
Se preferir, altere o IP da rede conforme desejado, lembrando de especificá-lo manualmente (e não como compartilhado), fazendo o mesmo no iptables e no squid.
Bom pessoal fazendo assim você já possui o seu proxy rodando sem problemas.
Basta usar a sua criatividade e adicionar regras conforme a sua necessidade.
Fabricio A Cunha - email: wb.negocios@gmail.com