Access Denied by Squid on the Debian Server [RESOLVED]

1. Access Denied by Squid on the Debian Server [RESOLVED]

Fernando Schentl
fhsxp

(uses KUbuntu)

Posted on 26/11/2014 - 11:55h

Hi everyone,

I set up a Debian 7.0.7 server with Squid3 + Iptables. However, when I try to access any Apache directory on this server, Squid blocks the access and the following message appears:


------------------------------------------------------------------------------------
O seguinte erro foi encontrado ao tentar recuperar a URL: http://192.168.1.250/
Conexão para 192.168.1.250 falhou.
O sistema retornou: (111) Connection refused
O host ou rede remota pode estar fora do ar. Por favor, faça a requisição novamente.
------------------------------------------------------------------------------------


Before configuring Squid + Iptables it was working normally, so I must be getting some configuration wrong.

Does anyone have any idea how to solve this?




2. Re: Access Denied by Squid on the Debian Server [RESOLVED]

Buckminster
buckminster

(uses Debian)

Posted on 26/11/2014 - 12:15h

I have several ideas for solving it...

As soon as you post your configuration I'll post my ideas; otherwise they won't be ideas, they'll be mere guesses.


3. File /etc/squid/squid.conf

Fernando Schentl
fhsxp

(uses KUbuntu)

Posted on 26/11/2014 - 12:19h

acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
#http_access deny manager

#http_access deny to_localhost

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 512 Mb
cache_swap_log /var/spool/squid/swap.log
cache_dir diskd /var/spool/squid 2048 16 256

# Internet access port
http_port 3128 transparent

# Network name
visible_hostname m4web

acl all src
acl rede_interna src 192.168.1.0/24

###### Blocks ################
acl lista_negra url_regex -i "/etc/squid/lista_negra"
acl lista_branca url_regex -i "/etc/squid/lista_branca"

http_access deny lista_negra !lista_branca

http_access allow localnet
http_access allow localhost
http_access allow all

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320




4. Firewall file

Fernando Schentl
fhsxp

(uses KUbuntu)

Posted on 26/11/2014 - 12:21h

#! /bin/bash

#####################################################################
###################### Firewall start ##############################
#####################################################################

rede_interna="192.168.1.0/24"

/sbin/modprobe ip_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_state
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_string

## Flushing the existing rules ##
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -t filter -F
/sbin/iptables -X
/sbin/iptables -Z

## Setting the default policy (does not deny: ACCEPTS input and allows output)
/sbin/iptables -P INPUT ACCEPT ##ACCEPTING INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

## Establishes a trust relationship between machines on the local network (eth1)
/sbin/iptables -A INPUT -i eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


########################################################################
##################### Internet Sharing #################################
########################################################################

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Enabling packet forwarding and other options
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all


#########################################################################
############################ SQUID ######################################
#########################################################################

/sbin/iptables -I PREROUTING -t nat -p tcp -s $rede_interna --dport 80 -j REDIRECT --to-port 3128

/sbin/iptables -t nat -I POSTROUTING -s $rede_interna -j MASQUERADE
###/sbin/iptables -A FORWARD -s $rede_interna -d loginnet.passport.com -j REJECT

########################################################################
################## Torrent Blocking ####################################
########################################################################
/sbin/iptables -A FORWARD -s $rede_interna -p tcp --destination-port 6881:65535 -j REJECT
/sbin/iptables -A INPUT -s $rede_interna -p tcp --destination-port 6881:65535 -j REJECT

########################################################################
################# P2P/UltraSurf/Tor/Ares/uTorrent Blocking #############
########################################################################

## UltraSurf ##
/sbin/iptables -A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf= "

## Ares Galaxy ##
/sbin/iptables -A FORWARD -d 199.59.162.71 -j LOG --log-prefix "=Ares_Galaxy= "
/sbin/iptables -A FORWARD -d ares.net -j LOG --log-prefix "=Ares_Galaxy= "
cat /home/server/ares_ip_list | while read line; do iptables -A FORWARD -d $line -j LOG --log-prefix "=Ares_Galaxy= "; done

## Tor Browser ##
#cat /home/server/tor_ip_list | while read line; do iptables -A FORWARD -d $line -j LOG --log-prefix "=TorProject= "; done
/sbin/iptables -A FORWARD -d torproject.org -j DROP

## uTorrent ##
/sbin/iptables -A FORWARD -d 98.143.146.7 -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -d update.bittorrent.com -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -m string --algo bm --string "peer_id=" -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -m string --algo bm --string "torrent" -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -m string --algo bm --string "announce" -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -m string --algo bm --string "tracker" -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -m string --algo bm --string "find_node" -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -m string --algo bm --string "info_hash" -j LOG --log-prefix "=uTorrent= "
/sbin/iptables -A FORWARD -m string --algo bm --string "get_peers" -j LOG --log-prefix "=uTorrent= "



########################################################################
###################### END FIREWALL ####################################
########################################################################



5. Re: Access Denied by Squid on the Debian Server [RESOLVED]

Buckminster
buckminster

(uses Debian)

Posted on 26/11/2014 - 16:44h

Apparently your configuration is correct.
Your firewall is wide open.

Check whether you really have Apache installed on the machine and whether the service is started.


6. The problem was with Apache 2

Fernando Schentl
fhsxp

(uses KUbuntu)

Posted on 26/11/2014 - 16:59h

Thanks for the help [buckminster], and sorry for not having thought to test Apache first.

I solved the problem by following the tutorial at the link http://ubuntuforums.org/showthread.php?t=1636667

When I tried to restart the apache2 service, the following error was returned:
# service apache2 restart

# Starting web server: apache2(98)Address already in use: make_sock: could not bind to address [::]:80

So I ran the command:
# netstat -ltnp | grep ':80'

The output was:
# tcp6 0 0 :::80 :::* LISTEN 1047/apache2

Then it was just a matter of killing the process and restarting the Apache 2 service:

# kill -9 1047

# service apache2 restart

And done! "It works"
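Added example (not from this thread or from either poster): a small POSIX shell helper for the check Buckminster asked for in post 5 and the diagnosis fhsxp carried out in post 6. It parses `netstat -ltnp` output, the command used above, and reports which PID/program already holds a given TCP listening port, which is exactly what Apache's "(98)Address already in use" means. Because the firewall's PREROUTING REDIRECT sends the internal network's port-80 traffic to Squid, a dead Apache surfaces to the client as the Squid "(111) Connection refused" page rather than as a browser error, so this is the first thing to check when that page appears. The function names and the sample netstat listing are mine (the listing is constructed to mirror the thread's `1047/apache2` line); when no listing is passed in, the function runs `netstat -ltnp` itself, which needs root to show the PID/program column.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Which process already holds a TCP listening port? Parses `netstat -ltnp`
# output (the command used in the thread); newer systems can feed it
# `ss -ltnp` output with a different field layout, so only netstat is handled.

# listener_for_port PORT [NETSTAT_OUTPUT]
# Prints the PID/program of every LISTEN socket bound on PORT (IPv4 and
# IPv6), one per line. Returns 1 and prints nothing when the port is free.
listener_for_port() {
    port="$1"
    if [ $# -ge 2 ]; then
        output="$2"                       # caller-supplied listing (tests, offline use)
    else
        output="$(netstat -ltnp 2>/dev/null)"   # live listing; PID column needs root
    fi
    printf '%s\n' "$output" | awk -v port="$port" '
        # netstat -ltnp columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            # Local address is "0.0.0.0:80" or ":::80"; the port follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] == port) { print $7; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# listener_pid "PID/PROGRAM" -> prints just the PID (what `kill` needs).
listener_pid() {
    printf '%s\n' "${1%%/*}"
}

# Constructed sample listing, shaped like `netstat -ltnp` on the thread's server
# (a stale apache2 holding port 80, squid3 on 3128, sshd on 22).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      990/squid3
tcp6       0      0 :::80                   :::*                    LISTEN      1047/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# Stand-alone run: report on port 80 using the constructed listing.
if holder="$(listener_for_port 80 "$SAMPLE_NETSTAT")"; then
    echo "port 80 is already held by $holder (pid $(listener_pid "$holder"))"
else
    echo "port 80 is free"
fi
```

Knowing the PID and program name before reaching for `kill` avoids stopping the wrong service (Squid itself listens on 3128 on the same box); a plain `kill PID` followed by `service apache2 restart` is usually enough, and `kill -9` is only needed if the stale process ignores the first signal.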







7. Re: Access Denied by Squid on the Debian Server [RESOLVED]

Buckminster
buckminster

(uses Debian)

Posted on 26/11/2014 - 19:41h

You're welcome.





