Proxy transaparent, e proxy automatico não funciona!

Vs976
(usa Debian)

Enviado em 21/05/2018 - 00:10h

Fala galera.
Preciso de um help aqui com mue squid. Fiz todas as configurações possiveis do squid, e quando tento configurar o proxy transparent a maquina cliente simplesmente não navega, Gostaria de um help para que me ajudem a detectar o erro. a principio achei que o erro estava nas configurações do iptables, porem esta tudo ok com estas O mesmo ocorre com a configuração de proxy automático. Esse simplesmente não funciona na maquina cliente. segue a configuração do squid, iptables e dhcp:

############SQUID########################
http_port 3128 intercept

#ERROLOG
error_directory /usr/share/squid3/errors/Portuguese

#HOSTNAME
visible_hostname SERVIDOR

#E-MAIL
cache_mgr sergio.abraao@yahoo.com.br

#USUÁRIO E GRUPO DOS ARQUIVOS E PROCESSOS DO SERVIÇO
cache_effective_user proxy

#ACESSO LOG
cache_log /var/log/squid3/cache.log

#DECLARAÇÃO DE ACLS PARA LIBERAÇÃO DE PORTAS
acl rede_local src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow rede_local

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny all

cache_swap_high 95
cache_swap_low 90

#CACHE SQUID
cache_mem 256 MB

########COMPARTILHAMENTO IPTABLES############

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t mangle -F

modprobe ip_tables
modprobe iptable_nat

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i 192.168.1.1/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i 192.168.1.1/24 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
#/etc/init.d/compartilhar start
#sh /etc/init.d/compartilhar.sh
exit 0

##########DHCP############
#
# Sample configuration file for ISC dhcpd for Debian
#
# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}

# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}

#
# Default LTSP dhcpd.conf config file.
#
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.248;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
next-server 192.168.1.1;
# get-lease-hostnames true;
option subnet-mask 255.255.255.0;
}

#PROXY AUTOMATICO
option wpad-url code 252 = text;
option wpad-url "http://192.168.1.1/wpad.dat\n";

LSSilva
(usa Outra)

Enviado em 21/05/2018 - 14:42h

Adicione antes de

http_port 3128 intercept 

adicionar:

http_port 3127 

"eth0" é sua interface de rede local ou de internet?
Acredito que esteja se equivocando nesta parte.
Se eth0 for local e eth1 for internet, corrigir:
onde: "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" para

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE 

Se for o contrário (eth1 for local e eth0 internet), corrigir:
onde: "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128" para

 iptables -t nat -A PREROUTING -i eth1 -p  tcp --dport 80 -j REDIRECT --to-port 3128 

max-lease-time 7200;

default-lease-time 600;

authoritative;



subnet 192.168.1.0 netmask 255.255.255.0 {

  range 192.168.1.10 192.168.1.248;

  option domain-name-servers 192.168.1.1; 

  option broadcast-address 192.168.1.255;

  option routers 192.168.1.1;

}

 

Isso: "option domain-name-servers 192.168.1.1;" se seu servidor estiver com serviço de DNS ativo também, se não pode colocar o do google ou da sua operadora (WISP).
Se for o wpad.dat, terá que adicionar os parâmetros no DHCP também (esta configuração citada acima terá que ser alterada).
Os hosts da rede terão que saber de onde vêm os dado do proxy, certo?

Vs976
(usa Debian)

Enviado em 21/05/2018 - 19:07h

Fala LSSilva blza.
Bom ,fiz as alterações que vc me recomendou, porem sigo na mesma. A maquina cliente segue travando ao colocar proxy transparent (intercept) e não detecta configuração automática do proxy.

Duas duvidas.
Pq devo colocar "http_port 3127" antes de "http_port 3128"?

Não sei se fiz o certo, mas as configurações do proxy automático estão inseridas tanto no arquivo "isc-dhcp-server" quanto em "dhcpd.conf". Seria isso mesmo que vc recomendou fazer?

Quando digito na maquina cliente: "http://192.168.1.1/wpad,dat\n" ou "http://192.168.1.1/wpad,dat\" me aparece isso:

Not Found
The requested URL /wpad.dat/ was not found on this server.
Apache/2.4.10 (Debian) Server at 192.168.80.1 Port 80

LSSilva
(usa Outra)

Enviado em 21/05/2018 - 21:59h

Poste novamente como ficaram suas configurações depois das alterações para analisarmos.

Vs976
(usa Debian)

Enviado em 26/05/2018 - 17:27h

Desculpa a demora. Segue novamente as configurações com as alterações:
OBS: essas configurações fiz exatamente como sugerido no site da Debian. : https://servidordebian.org/pt/jessie/intranet/proxy/wpad
############SQUID########################
http_port 3127
http_port 3128 intercept

#ERROLOG
error_directory /usr/share/squid3/errors/Portuguese

#HOSTNAME
visible_hostname SERVIDOR

#E-MAIL
cache_mgr sergio.abraao@yahoo.com.br

#USUÁRIO E GRUPO DOS ARQUIVOS E PROCESSOS DO SERVIÇO
cache_effective_user proxy

#ACESSO LOG
cache_log /var/log/squid3/cache.log

#DECLARAÇÃO DE ACLS PARA LIBERAÇÃO DE PORTAS
acl rede_local src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow rede_local

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access deny all

cache_swap_high 95
cache_swap_low 90

#CACHE SQUID
cache_mem 256 MB

########COMPARTILHAMENTO IPTABLES############

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t mangle -F

modprobe ip_tables
modprobe iptable_nat

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i 192.168.1.1/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i 192.168.1.1/24 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
#/etc/init.d/compartilhar start
#sh /etc/init.d/compartilhar.sh
exit 0

##########DHCP############
#
# Sample configuration file for ISC dhcpd for Debian
#
# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}

# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}

#
# Default LTSP dhcpd.conf config file.
#
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.248;
option domain-name "example.com";
option domain-name-servers 192.168.1.1;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
next-server 192.168.1.1;
# get-lease-hostnames true;
option subnet-mask 255.255.255.0;
}

#PROXY AUTOMATICO
option wpad-url code 252 = text;
option wpad-url "http://192.168.1.1/wpad.dat\n";

#############WPAD.DAT################
function FindProxyForURL(url, host)
{
if (isPlainHostName(host) ||
isInNet(host, "192.168.1.0", "255.255.255.0") ||
isInNet(host, "127.0.0.0", "255.0.0.0"))
return "DIRECT";
else
return "PROXY 192.168.1.0:3128; DIRECT";
};

###########DNS#####################

# [...]

home.lan. A 192.168.1.0
server A 192.168.1.0

; Proxy auto configuration
wpad CNAME server

# [...]

Lembrando que isso tudo foi configurado de acordo