Enviado em 27/03/2015 - 15:35h
Estou com problemas com meu squid3 e firewall!
########################### CIDADE CLIMA #####################
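########################### FIREWALL #####################
##############################################################
# Firewall / NAT rules for the 192.168.10.0/24 LAN.
#
# eth1 is the external interface (the camera DNAT below matches "-i eth1"
# and is labelled "acesso externo"); eth0 is presumed to face the LAN --
# TODO(review): confirm, the original never says so explicitly.
#
# Deliberately no "set -e": the original kept going after a failed
# modprobe/iptables call and iptables reports its own errors on stderr.
set -u

# Addresses are collected here so a change is made in one place.
readonly LAN_NET="192.168.10.0/24"
readonly WAN_IF="eth1"
readonly LAN_IF="eth0"
readonly CAM_IP="192.168.10.219"   # cameras / DVR (TCP+UDP 37777, UDP 8001)
readonly SIGA_IP="192.168.10.90"   # Siga server, also reached by TS (3390)
readonly SQL_IP="192.168.10.91"    # SQL Server / BI host, also TS (3391)
# External DNS servers the mail clients are allowed to query
readonly DNS_SERVERS="200.175.89.139 200.146.34.58"
# Port the squid proxy listens on (see squid.conf: http_port 3128)
readonly PROXY_PORT=3128

#######################################
# Publish an internal TCP+UDP service on a public port.
# Arguments: $1 - public port
#            $2 - internal host
#            $3 - internal port
# Adds INPUT accepts on both interfaces (kept from the original; DNATed
# traffic actually traverses FORWARD, so these only matter if the firewall
# host itself listens on the port -- TODO(review): drop them if it does not),
# the FORWARD accept toward the internal host and the PREROUTING DNAT.
#######################################
publish_service() {
  local pub_port=$1 dst_ip=$2 dst_port=$3
  local proto iface
  for proto in tcp udp; do
    for iface in "$LAN_IF" "$WAN_IF"; do
      iptables -A INPUT -i "$iface" -p "$proto" --dport "$pub_port" -j ACCEPT
    done
    # After DNAT the packet carries the *internal* port, so FORWARD has to
    # match on that.  The original matched the public port for the SQL
    # Server (9723 -> 1433) and BI (7980 -> 8080) rules, which therefore
    # never matched anything and only "worked" because FORWARD's policy
    # is ACCEPT.
    iptables -A FORWARD -p "$proto" -d "$dst_ip" --dport "$dst_port" -j ACCEPT
    iptables -t nat -A PREROUTING -p "$proto" --dport "$pub_port" \
      -j DNAT --to-destination "$dst_ip:$dst_port"
  done
}

# Load the netfilter modules
echo "Modulos do firewall"
for mod in ipt_string ip_tables iptable_filter ip_conntrack ip_conntrack_ftp \
           iptable_nat ip_nat_ftp ipt_LOG ipt_state ipt_MASQUERADE; do
  # The old ip_conntrack*/ip_nat_* names may not exist on newer kernels
  # (nf_conntrack* is auto-loaded there); a missing module is not fatal.
  modprobe "$mod" 2>/dev/null || echo "aviso: modulo $mod nao carregado" >&2
done

echo "Regras default"
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F

# Default chain policies.  The author tried DROP and "nothing worked": that
# is what happens when no rule accepts the return traffic of established
# connections.  The two ESTABLISHED,RELATED rules below are what make a DROP
# policy usable (they are a no-op while the policy is still ACCEPT); switch
# the policies on only after testing with them in place.
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# The INPUT policy is ACCEPT and squid's http_port 3128 listens on every
# interface, so the proxy is reachable from the WAN side; keep it LAN-only.
iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$PROXY_PORT" -j DROP

# NAT for the LAN
iptables -t nat -A POSTROUTING -s "$LAN_NET" -j MASQUERADE
# enable packet forwarding
printf '1\n' > /proc/sys/net/ipv4/ip_forward

# Force the LAN through the proxy (kept disabled, as in the original)
#iptables -I FORWARD -p tcp --dport 80 -j DROP
#iptables -I FORWARD -p tcp --dport 443 -j DROP

# External access to the cameras.  The original added the TCP rules twice
# (once with -A, once with -I); once is enough.  The UDP DNATs carry no
# "-i" in the original and are kept that way -- TODO(review): they also
# rewrite LAN traffic sent to any host on those ports.
iptables -A FORWARD -p tcp -d "$CAM_IP" --dport 37777 -j ACCEPT
iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 37777 \
  -j DNAT --to-destination "$CAM_IP:37777"
iptables -t nat -A PREROUTING -p udp --dport 37777 \
  -j DNAT --to-destination "$CAM_IP:37777"
iptables -t nat -A PREROUTING -p udp --dport 8001 \
  -j DNAT --to-destination "$CAM_IP:8001"

# Mail clients: DNS toward the listed resolvers plus SMTP/POP3/submission
echo "liberando outlook"
for dns in $DNS_SERVERS; do
  iptables -A FORWARD -p udp -s "$LAN_NET" -d "$dns" --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp -s "$dns" --sport 53 -d "$LAN_NET" -j ACCEPT
done
for port in 25 110 587; do
  iptables -A FORWARD -p tcp -s "$LAN_NET" --dport "$port" -j ACCEPT
  iptables -A FORWARD -p tcp --sport "$port" -j ACCEPT
done
# Catch-all MASQUERADE from the original.  It is broader than the LAN rule
# above: DNATed connections arriving from the WAN reach the internal servers
# with the firewall's address as source, so their logs lose the real client.
# It is also what makes LAN clients able to reach the published services
# through the public address, so it is kept -- TODO(review): confirm which
# of the two effects is wanted.
iptables -t nat -A POSTROUTING -j MASQUERADE

echo "liberando inovar auto"
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -d inovarauto.mdic.gov.br -j RETURN

echo "Acesso externo Siga"
publish_service 1257 "$SIGA_IP" 1257
publish_service 1299 "$SIGA_IP" 1299

echo "Acesso ao Sql Server"
publish_service 9723 "$SQL_IP" 1433
echo "Fim Sql Server"

# Terminal Services to the two servers, on distinct public ports
echo "Liberando acesso via TS"
publish_service 3390 "$SIGA_IP" 3389
publish_service 3391 "$SQL_IP" 3389

echo "Liberando Acesso ao BI"
publish_service 7980 "$SQL_IP" 8080

# The post ends this script with a line cut off in the paste
# ("iptables -t nat -A PREROUTING -d 0/0 -p ..."); as shown it is not a
# complete rule, so it is left out here.
#*************************** BLOQUEIO DO FACEBOOK ***********************************************************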
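#!/bin/bash
#BLOQUEIOS FACEBOOK:
# Blocks Facebook's address ranges for forwarded traffic during business
# hours and releases them outside those hours; hosts listed in
# FB_ALLOW_FILE are always allowed.  A run only sets the state for the
# moment it runs, so schedule it (cron) at each boundary of the windows.
#
# No "set -e": the original carried on after a failed iptables call and
# iptables reports its own errors on stderr.
set -u

readonly FB_ALLOW_FILE="/etc/squid3/regras/ips_fb"
# Facebook netblocks, as dst-range arguments for "iptables -m iprange"
readonly FACEBOOK_IP_RANGE="31.13.64.0-31.13.127.255 31.13.24.0-31.13.31.255 74.119.76.0-74.119.79.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"

#######################################
# Tell whether a clock time falls inside the work windows.
# The boundaries are the original comparisons, unchanged:
# 07:59 < t < 12:29 or 13:29 < t < 17:59.
# Arguments: $1 - time as HHMM, leading zero allowed (output of date +%H%M)
# Returns:   0 inside a window, 1 otherwise
#######################################
em_expediente() {
  # "10#" forces decimal: (( )) would read "0830" as octal and fail on the 8.
  local -i hora=10#$1
  # Explicit grouping; the original relied on "&&"/"||" precedence, which
  # in the shell is plain left-to-right, not "and before or".
  (( (hora > 759 && hora < 1229) || (hora > 1329 && hora < 1759) ))
}

# Times are compared without the ":" so they sort as plain integers.
hora=$(/bin/date +%H%M)
if em_expediente "$hora"; then
  op=1
else
  op=2
fi

# Hosts that may reach Facebook at any time.  Comment lines carry the
# owner's name and are skipped together with blank lines.
if [[ -r "$FB_ALLOW_FILE" ]]; then
  permitidos=$(grep -Ev '(^#|^$)' "$FB_ALLOW_FILE")
else
  echo "aviso: $FB_ALLOW_FILE nao encontrado; nenhum IP liberado" >&2
  permitidos=""
fi

##BLOQUEIO DO FACEBOOK
# Reuse the FACEBOOK chain if it already exists.  The firewall script
# flushes FORWARD but never this chain, so on every re-run the old
# REJECT/ACCEPT stayed in front of the new one and a later switch
# (e.g. 18:00 ACCEPT, then 08:00 REJECT) never took effect.
if ! iptables -F FACEBOOK 2>/dev/null; then
  iptables -N FACEBOOK
fi

## FACEBOOK DENY
for face in $FACEBOOK_IP_RANGE; do
  for port in 443 80; do
    # drop any jump left by a previous run, then insert a fresh one
    while iptables -D FORWARD -m tcp -p tcp -m iprange --dst-range "$face" \
        --dport "$port" -j FACEBOOK 2>/dev/null; do :; done
    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range "$face" \
      --dport "$port" -j FACEBOOK
  done
done

# Always-allowed hosts go first in the chain.
# shellcheck disable=SC2086 -- word-split on purpose: one address per word
for MSR_LIBERADO in $permitidos; do
  iptables -I FACEBOOK -s "$MSR_LIBERADO" -j ACCEPT
done

case "$op" in
  1)  # business hours: everybody else is refused
    echo "Bloqueando"
    iptables -A FACEBOOK -j REJECT
    ;;
  2)  # outside business hours: released
    echo "Liberando"
    iptables -A FACEBOOK -j ACCEPT
    ;;
esac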
squid
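# Portas padrao
acl SSL_ports port 443
acl Safe_ports port 443
#acl Safe_ports port 8080
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl redelocal src 192.168.10.0/24
#dns_v4_first on
#https_port 3130 transparent cert=/etc/squid3/openssl.crt key=/etc/squid3/openssl.key
# http_access lines are evaluated in order and the first match decides.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
#http_access deny manager
# http_port 3128 (bottom of the file) listens on every interface and the
# firewall leaves INPUT at ACCEPT, so hosts outside the LAN can reach the
# proxy.  Refuse them before any "allow" line; the original allowed CONNECT
# to 443 from *any* source here, i.e. an open HTTPS relay.
http_access deny !redelocal
# HTTPS (CONNECT) is admitted for the whole LAN ahead of the department
# rules, so HTTPS sites are not filtered by sites_bloqueados_geral nor by
# the per-department lists.  That is the original behaviour (written there
# as "connect SSL_Ports"; the names are spelled here as declared); move this
# line below the department rules if HTTPS should be filtered as well.
http_access allow CONNECT SSL_ports
# The original had "http_access allow redelocal" followed by
# "http_access deny all" at this point.  Since the first match wins, every
# line after them -- the whole "CONFIGURACAO DAS ACLS" section -- was never
# evaluated and the LAN was simply allowed everything.  Both lines are
# removed; the final "deny all" at the end still closes the list.
#controle de cache do proxy
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
minimum_object_size 0 KB
# NOTE(review): larger than the 2048 MB cache_dir below -- confirm the
# intended size.
maximum_object_size 4096 MB
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid3 2048 16 256
# "cache_access_log" is the squid 2 name and is reported as obsolete by
# squid 3; "access_log" is the directive all 3.x releases accept.
access_log /var/log/squid3/access.log squid
#Controle do arquivo de Log
logfile_rotate 10
ftp_user Squid@
#protocolos
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
######Block Video and Audio Streaming##############
# Response MIME types treated as media (exact duplicates of the original
# list -- "^video\/" and the second "^audio/x-scpls" -- are dropped).
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type -i ^video/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
# URL paths that look like media downloads
acl mediapr urlpath_regex \.flv(\?.*)?$
acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$
acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$
#********************************* GERAL *****************************************
acl ips_geral src "/etc/squid3/regras/geral/ips_liberados"
acl sites_liberados_geral url_regex -i "/etc/squid3/regras/geral/sites_liberados_geral"
# NOTE(review): palavras_bloqueadas is declared but referenced by no
# http_access line, so the word list has no effect.
acl palavras_bloqueadas url_regex -i "/etc/squid3/regras/geral/palavras_bloqueadas"
acl sites_bloqueados_geral url_regex -i "/etc/squid3/regras/geral/sites_bloqueados_geral"
#************************************************************************************
#********************************* COMERCIAL *****************************************
acl comercial src "/etc/squid3/regras/comercial/ips_comercial"
acl sites_comercial url_regex -i "/etc/squid3/regras/comercial/sites_liberados"
#********************************* COMPRAS *****************************************
acl compras src "/etc/squid3/regras/compras/ips_compras"
acl sites_compras url_regex -i "/etc/squid3/regras/compras/sites_liberados"
#********************************* CTP *****************************************
acl ctp src "/etc/squid3/regras/ctp/ips_ctp"
acl sites_ctp url_regex -i "/etc/squid3/regras/ctp/sites_liberados"
#********************************* FINANCEIRO *****************************************
acl financeiro src "/etc/squid3/regras/financeiro/ips_financeiro"
acl sites_financeiro url_regex -i "/etc/squid3/regras/financeiro/sites_liberados"
#********************************* INSPECAO *****************************************
acl inspecao src "/etc/squid3/regras/inspecao/ips_inspecao"
acl sites_inspecao url_regex -i "/etc/squid3/regras/inspecao/sites_liberados"
#********************************* PRODUCAO *****************************************
acl producao src "/etc/squid3/regras/producao/ips_producao"
acl sites_producao url_regex -i "/etc/squid3/regras/producao/sites_liberados"
#********************************* PCP *****************************************
acl pcp src "/etc/squid3/regras/pcp/ips_pcp"
acl sites_pcp url_regex -i "/etc/squid3/regras/pcp/sites_liberados"
#********************************* RH *****************************************
acl rh src "/etc/squid3/regras/rh/ips_rh"
acl sites_rh url_regex -i "/etc/squid3/regras/rh/sites_liberados"
#********************************* TI *****************************************
acl TI src "/etc/squid3/regras/TI/ips_TI"
acl ips_gestores src "/etc/squid3/regras/geral/ips_gestores"
acl almoco time MTWHF 12:30-13:30
#CONFIGURACAO DAS ACLS
# Unrestricted hosts first
http_access allow TI
http_access allow ips_geral
# Lunch break: no src restriction, i.e. the whole LAN (non-LAN sources were
# already refused above)
http_access allow almoco
http_access allow rh
# Global blocks apply to everyone below this point
http_access deny sites_bloqueados_geral
http_access deny mediapr
http_reply_access deny media !TI
# NOTE(review): compras and ctp are allowed everything; their sites_compras
# and sites_ctp lists are declared but never used -- confirm that is intended.
http_access allow compras
http_access allow ctp
http_access allow sites_liberados_geral
http_access allow ips_gestores
# Departments restricted to their own site lists (both ACLs must match)
http_access allow comercial sites_comercial
http_access allow financeiro sites_financeiro
http_access allow inspecao sites_inspecao
http_access allow producao sites_producao
http_access allow pcp sites_pcp
#http_access allow redelocal
http_access deny all
log_mime_hdrs on
# Listens on all addresses; binding to the LAN address (e.g.
# "http_port <LAN-IP>:3128") would be a second layer next to the
# "deny !redelocal" above and the firewall rule.
http_port 3128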