mauroffn
(usa Debian)
Enviado em 28/03/2011 - 11:53h
Olá pessoal, gostaria de tirar uma dúvida com vocês: tenho um servidor Ubuntu rodando somente proxy, com um script de firewall também. O problema é que consigo bloquear os sites que quero, mas não consigo liberar para ninguém; fiz algumas ACLs para liberar por IP, mas não consigo de maneira alguma, nem por tempo também... Vou postar meu squid.conf e o firewall para vocês verem como está. Agradeço desde já pela boa vontade. Obrigado.
# Squid listens on 3128 in transparent (intercept) mode; the firewall script
# below redirects LAN port-80 traffic here (REDIRECT --to-port 3128).
http_port 3128 transparent
visible_hostname proxyendor
error_directory /usr/share/squid/errors/Portuguese/
# Cache sizing
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# Basic ACLs: "all" matches every source address.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 80 143 443 563 70 210 280 488 59 777 901 993 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
# http_access is evaluated top-down and the first matching line wins. Cache
# manager and PURGE are restricted to localhost; unsafe ports and CONNECT to
# non-SSL ports are refused before any site rule is consulted.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Internet allow ACL
# Source addresses listed in this file match before every deny below, so they
# bypass all of the block ACLs. If a host is still blocked, check that the file
# holds one address/CIDR per line and that the firewall's REDIRECT actually
# delivers that host's traffic to this Squid (and not to a direct route).
acl ipsliberados src "/etc/squid/ipsliberados"
http_access allow ipsliberados
# Blocking ACLs
# Block by site: case-insensitive regex against the full URL
acl bloqueados url_regex -i "/etc/squid/bloqueados"
http_access deny bloqueados
# Block by word
# NOTE: dstdom_regex matches the destination domain only, not the URL path, so
# a "forbidden word" that appears only in the path is not caught here (url_regex
# would be needed). Without -i the match is case-sensitive.
acl palavrasproibidas dstdom_regex "/etc/squid/palavrasproibidas"
http_access deny palavrasproibidas
# Block by file type (extension)
acl extban url_regex -i "/etc/squid/extban"
http_access deny extban
# MSN block
# HTTP-tunnelled MSN goes through gateway.dll
acl msndll url_regex -i /gateway/gateway.dll
http_access deny msndll
# Requests whose destination port is 1863 or 1080. The firewall also redirects
# raw TCP 1863/1080 into port 3128; that traffic is not HTTP, so Squid
# presumably rejects it as an invalid request rather than through these ACLs.
acl msn-ports port 1863
http_access deny msn-ports
acl msn-ports2 port 1080
http_access deny msn-ports2
# CONNECT requests carry "host:port" as the URL, which is what imo.im:443 matches
acl imo url_regex -i imo.im:443
http_access deny imo
#### Squid rules ####
# The local network is allowed only after all blocks above; anything else is
# denied.
acl redelocal src 192.168.0.0/24
http_access allow localhost
http_access allow redelocal
http_access deny all
##### FIREWALL #####
#!/bin/bash
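#######################################
# Exempt one LAN host from the transparent-proxy REDIRECT on the given TCP
# ports and accept its forwarded traffic on them.
# nat PREROUTING is first-match and is traversed before FORWARD, so the
# exemption has to be appended here *before* the REDIRECT rules; a FORWARD
# ACCEPT on its own (what the original script did with "-I FORWARD") never sees
# packets that were already redirected to Squid.
# Arguments: $1 - source IP; $2.. - TCP destination ports
#######################################
liberar_host() {
  local origem=$1 porta
  shift
  for porta in "$@"; do
    iptables -t nat -A PREROUTING -s "$origem" -p tcp --dport "$porta" -j ACCEPT
    iptables -A FORWARD -s "$origem" -p tcp --dport "$porta" -j ACCEPT
  done
}

#######################################
# Load the netfilter modules, enable NAT and forwarding, install the
# transparent-proxy redirect and the INPUT/FORWARD rules.
# Globals:   IFACE_WAN, IFACE_LAN (read, optional). Defaults are eth0/eth1,
#            matching the original "MASQUERADE -o eth0" and "REDIRECT -i eth1".
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
iniciar(){
  # IFACE_LAN was referenced but never assigned in the original, which produced
  # "iptables -A INPUT -i -j ACCEPT" and an iptables error; default it here.
  local iface_wan="${IFACE_WAN:-eth0}"
  local iface_lan="${IFACE_LAN:-eth1}"
  local porta_proxy=3128
  local rede_local=192.168.0.0/24
  local host
  # Load the basic modules (iptable_nat was listed twice; once is enough):
  echo -n "Carregando os modulos"
  modprobe ip_tables
  modprobe iptable_filter
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  modprobe iptable_nat
  modprobe ip_nat_ftp
  modprobe ipt_LOG
  modprobe ipt_state
  modprobe ipt_MASQUERADE
  # Share the connection:
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o "$iface_wan" -j MASQUERADE
  echo " Compatilhamento ativado"
  ## Transparent-proxy exemptions. These must precede the REDIRECT rules
  ## below (see liberar_host); in the original they came after and never matched.
  # Conectividade Social (Caixa) is not proxied:
  iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
  iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
  # Hosts allowed to reach MSN directly (1863/1080); .250 also bypasses the
  # proxy on port 80, mirroring its extra FORWARD rule in the original script.
  for host in 192.168.0.171 192.168.0.181; do
    liberar_host "$host" 1863 1080
  done
  liberar_host 192.168.0.250 1863 1080 80
  # MSN/Hotmail login hosts for the same three machines.
  # NOTE: a hostname in -d is resolved once, when the rule is loaded: the rule
  # only covers the addresses returned at that moment, and iptables fails (and
  # the rule is missing) if DNS is unavailable when the script runs.
  for host in 192.168.0.171 192.168.0.181 192.168.0.250; do
    iptables -A FORWARD -s "$host" -d loginnet.password.com -j ACCEPT
    iptables -A FORWARD -s "$host" -d hotmail.com -j ACCEPT
    iptables -A FORWARD -s "$host" -d hotmail.com.br -j ACCEPT
  done
  ## Activating the transparent proxy
  iptables -t nat -A PREROUTING -i "$iface_lan" -p tcp --dport 80 -j REDIRECT --to-port "$porta_proxy"
  echo " Proxy Transparente Ativado"
  # MSN ports go to Squid as well (everything not exempted above)
  iptables -t nat -A PREROUTING -i "$iface_lan" -p tcp --dport 1863 -j REDIRECT --to-port "$porta_proxy"
  iptables -t nat -A PREROUTING -i "$iface_lan" -p tcp --dport 1080 -j REDIRECT --to-port "$porta_proxy"
  # INPUT - ACCEPT
  echo -n "Habilitando Entradas Aceitas..."
  iptables -A INPUT -i lo -j ACCEPT
  # Samba
  iptables -A INPUT -p udp --dport 137 -j ACCEPT
  iptables -A INPUT -p udp --dport 138 -j ACCEPT
  iptables -A INPUT -p tcp --dport 139 -j ACCEPT
  iptables -A INPUT -p tcp --dport 445 -j ACCEPT
  iptables -A INPUT -i "$iface_lan" -j ACCEPT
  # Logging refused input:
  # NOTE(review): the INPUT policy is never set to DROP and the rules further
  # down accept everything arriving on "$iface_wan", so nothing is actually
  # refused; this LOG line records every packet not matched above, including
  # replies to the box's own connections. Kept as-is: a default-deny policy is
  # a separate, deliberate change.
  echo -n "Registrando Entradas Barradas..."
  iptables -A INPUT -j LOG --log-prefix "Entrada Barrada "
  echo "...........................................[OK]"
  ## Passive (FTP) data connections on high ports
  iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  # imo.im from the browser. The original "--dport 80:443" is a port *range*
  # (80 through 443); the intent is the two ports 80 and 443.
  iptables -A FORWARD -s "$rede_local" -d imo.im -p tcp -m multiport --dports 80,443 -j DROP
  # Allow connections on the network interface and on port 22:
  # NOTE(review): the original comment calls eth0 the local interface, but
  # "MASQUERADE -o eth0" and "REDIRECT -i eth1" treat eth0 as the WAN side. If
  # eth0 really faces the internet, this line accepts every inbound packet from
  # it and makes the DROP/REJECT rules below unreachable for WAN traffic.
  iptables -A INPUT -i "$iface_wan" -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # Basic firewall rules:
  # NOTE(review): conf/default/rp_filter only applies to interfaces created
  # after this write; the live interfaces take conf/all and conf/<iface>.
  echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
  # Drop UDP ports 0-1023:
  iptables -A INPUT -p udp --dport 0:1023 -j DROP
  # MSN block by port (traffic addressed to the firewall itself):
  iptables -A INPUT -p tcp --dport 1863 -j REJECT
  iptables -A INPUT -p udp --dport 1863 -j REJECT
  iptables -A INPUT -p tcp --dport 1080 -j REJECT
  iptables -A INPUT -p udp --dport 1080 -j REJECT
  echo "---> Regras de Firewall e Compartilhamento Ativado <---"
}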
#######################################
# Tear the firewall down: flush the filter and nat tables, open INPUT/OUTPUT
# (policy ACCEPT) and turn IP forwarding off.
# Arguments: none
# Outputs:   status message on stdout
#######################################
parar(){
  local tabela cadeia
  # "iptables -F" with no -t is the filter table; flush nat too.
  for tabela in filter nat; do
    iptables -t "$tabela" -F
  done
  for cadeia in INPUT OUTPUT; do
    iptables -P "$cadeia" ACCEPT
  done
  echo 0 > /proc/sys/net/ipv4/ip_forward
  echo " Regras de Firewall e Compartilhamento desativados "
}
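# Entry point: dispatch on the first argument. The usage text advertises
# "Start"/"Stop", so the capitalised spellings are accepted as well; an unknown
# or missing action prints the usage on stderr and exits non-zero so callers
# (init scripts, cron) can tell it failed.
case "$1" in
  start|Start) iniciar ;;
  stop|Stop) parar ;;
  restart|Restart) parar ; iniciar ;;
  *)
    echo "Use os parametros Start ou Stop" >&2
    exit 1
    ;;
esac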