Buckminster
(usa Debian)
Enviado em 12/06/2013 - 14:29h
freedpinheiro escreveu:
#internet eth1 ip 10.1.1.5
#redelocal eth0 ip 10.11.12.254
root@ubuntu:~# squid3 start
2013/06/12 06:43:14| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2013/06/12 06:43:14| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2013/06/12 06:43:14| WARNING: For now we will assume you meant to write /24
2013/06/12 06:43:14| Warning: empty ACL: acl proibir_palavras url_regex -i "/etc/squid3/palavras"
root@ubuntu:~#
#Squid.conf
http_port 3128 transparent
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid3 45000 16 256
maximum_object_size 30000 KB
maximum_object_size_in_memory 40 KB
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
pid_filename /var/log/squid3/squid3.pid
mime_table /usr/share/squid3/mime.conf
cache_mgr freedpinheiro@gmail.com
memory_pools off
diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl vlan24 src 10.11.12.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563 1863
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
### -bloqueio de paginas
acl permitir_rede src 10.11.12.0/255.255.255.0
acl proibir_sites dstdomain "/etc/squid3/sites"
acl proibir_palavras url_regex -i "/etc/squid3/palavras"
http_access deny proibir_palavras
http_access deny proibir_sites
http_access allow permitir_rede
### - fim do bloqueio
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow vlan24
cache_mgr webmaster
mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname Ubuntu
error_directory /usr/share/squid3/errors/Portuguese
#FIREWALL
/etc/init.d/firewall
#!bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 123 -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -i eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.12.0/255.255.255.0 -o eth0 -j MASQUERADE
Verifique a versão do teu Squid:
squid -v
e posta aqui a saída do comando acima.
Essa regra no Iptables
iptables -t nat -A POSTROUTING -s 10.11.12.0/255.255.255.0 -o eth0 -j MASQUERADE
deixe assim:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 << e acrescente essa regra logo abaixo.
Salve e saia do arquivo e reinicie o Squid e o Iptables e teste.