joelsontech
(usa Debian)
Enviado em 01/12/2008 - 14:06h
Olá amigos...
É o seguinte: o Squid está bloqueando HTTPS, sendo que eu liberei essa porta. Também a liberei no firewall com iptables.
O Squid está no modo tradicional, NÃO transparente. Navega normalmente em HTTP etc., mas basta entrar numa página HTTPS que ele bloqueia tudo; por exemplo, não abre o Gmail.
segue meu squid.conf:
# squid.conf as posted (Squid 2.x era directive names).
# Forward (non-transparent) proxy on 3128; browsers must point at it explicitly.
http_port 3128
visible_hostname ARCANJO
error_directory /usr/share/squid/errors/Portuguese/
# Memory and on-disk cache sizing.
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 15 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
# Older directive name (newer Squid releases call it access_log). A denied
# HTTPS attempt shows up here as a TCP_DENIED entry for the CONNECT request,
# which is the quickest way to see which http_access line rejected it.
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# Ports that CONNECT (HTTPS tunnels) may target.
acl SSL_ports port 443 563
# NOTE(review): "59" is not in the stock Safe_ports list; the Debian default
# has 591 (filemaker) in that position, so this looks like a truncated copy -
# verify. It does not explain the HTTPS problem: 443 is present in both
# Safe_ports and SSL_ports.
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
# CONNECT is refused only for ports outside SSL_ports, so CONNECT to 443 is
# not denied here, and no later line in this file denies it either.
http_access deny CONNECT !SSL_ports
acl redelocal src 192.168.2.0/24
# Clients outside the LAN are rejected before ever reaching the auth prompt.
http_access deny !redelocal
# Authenticate the user. Basic auth sends the password base64-encoded, i.e.
# readable on the LAN segment between browser and proxy.
auth_param basic realm ARCANJO PROXY-SERVER
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl autenticados proxy_auth REQUIRED
http_access allow autenticados
# Allow access from the local network and from localhost for authenticated
# users, block everyone else:
# (the two comment lines above describe the last three http_access lines of
# the file, not the delay-pool block that follows them)
# Bandwidth control by Squid (disabled)
#delay_pools 1
#delay_class 1 2
#delay_parameters 1 51200/51200 12800/12800
#delay_access 1 allow redelocal
http_access allow localhost
# NOTE(review): this line matches LAN clients with no credential check;
# whether an unauthenticated LAN client is challenged at "allow autenticados"
# above or falls through to this allow depends on the Squid version - confirm
# in access.log before relying on the password as an access control.
http_access allow redelocal
http_access deny all
E esse é o script de firewall:
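#!/bin/bash
# Firewall bootstrap for a two-NIC gateway (WAN on eth0, LAN on eth1) that
# hosts the Squid proxy. Needs root (or CAP_NET_ADMIN) to run iptables.
#
# Policy summary:
#   INPUT and FORWARD default to DROP. OUTPUT is not touched by this script,
#   so it keeps whatever policy the kernel already has (ACCEPT unless set
#   elsewhere); the proxy's own outbound connections, including CONNECT
#   tunnels to port 443, therefore leave the box unfiltered.
#   Every rule is attempted even if an earlier one fails, so the ACCEPT rules
#   still land after the DROP policies; failures are counted and the script
#   exits non-zero instead of claiming success.
set -u

printf '%s\n' "Iniciando script de Firewall.."

readonly ifnet="eth0"    # external (Internet-facing) interface
readonly iflocal="eth1"  # internal LAN interface

errors=0

#######################################
# Apply one iptables rule without aborting the script on failure.
# Globals:   errors (incremented on failure)
# Arguments: iptables arguments, passed through verbatim
# Outputs:   failure diagnostic on stderr
#######################################
rule() {
  if ! iptables "$@"; then
    printf 'erro: iptables %s\n' "$*" >&2
    errors=$((errors + 1))
  fi
}

# The nat table is flushed below; loading the module makes that flush valid
# even though no NAT rule (MASQUERADE/SNAT) is defined in this script.
modprobe iptable_nat || printf 'aviso: modprobe iptable_nat falhou\n' >&2

# Remove every existing rule, user-defined chain and counter.
rule -F
rule -t nat -F
rule -X
rule -Z

# Default policy DROP for inbound and routed traffic (OUTPUT left as is).
rule -P INPUT DROP
rule -P FORWARD DROP

################ Rules ########################
# WAN: refuse new/invalid connections first; the rest of INPUT only sees WAN
# packets that belong to an already established connection.
rule -A INPUT -i "$ifnet" -m state --state NEW,INVALID -j DROP
rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# These two ACCEPTs only make a difference for interfaces other than $ifnet
# (new connections dropped above) and $iflocal / lo (accepted wholesale below).
rule -A INPUT -p tcp --dport 22 -j ACCEPT
rule -A INPUT -p tcp --dport 443 -j ACCEPT
rule -A INPUT -i lo -j ACCEPT
# LAN hosts may reach any local service, including Squid on tcp/3128.
rule -A INPUT -i "$iflocal" -j ACCEPT
# Close the remaining inbound TCP connection attempts.
rule -A INPUT -p tcp --syn -j DROP

rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
rule -A FORWARD -i "$ifnet" -m state --state NEW,INVALID -j DROP
# LAN may be routed anywhere. No MASQUERADE/SNAT rule exists in this script,
# so routed LAN traffic relies on the proxy or on NAT configured elsewhere.
rule -A FORWARD -i "$iflocal" -j ACCEPT
# With only $ifnet and $iflocal carrying traffic, the FORWARD rules from here
# on are effectively not reached: $iflocal is already accepted, and $ifnet
# packets are either ESTABLISHED/RELATED (accepted) or NEW/INVALID (dropped)
# above, barring UNTRACKED ones.
rule -A FORWARD -p tcp --dport 443 -j ACCEPT
# Close forwarding for all interfaces (disabled; the DROP policy already covers it).
#iptables -A FORWARD -p tcp --syn -j DROP
# SYN-flood limit: SYNs beyond 1/s fall through to the DROP policy.
rule -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Suspicious port scan: bare RST packets beyond 1/s fall through to DROP.
rule -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of death: echo requests beyond 1/s fall through to DROP.
rule -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

if (( errors > 0 )); then
  printf '...script de Firewall terminou com %d erro(s)!\n' "$errors" >&2
  exit 1
fi
printf '%s\n' "...script de Firewall inicializado com sucesso!"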