Acesso passado pelo firewall [RESOLVIDO]

1. Acesso passado pelo firewall [RESOLVIDO]

xlinux
(usa Ubuntu)

Enviado em 19/02/2016 - 18:01h

Boa tarde,

Tenho um pc aqui atuando como squid/firewall, o que fiz foi o seguinte tenho a internet chegando no modem 192.168.25.1 e placa no linux eth0 192.168.25.2 e eth1 192.168.1.1 distribuindo para a rede a net funciona normal com proxy autenticado, no entanto percebo que o pessoal mesmo configurado o proxy no navegado tão passado direto. vou postar aqui meu fire e proxy se puderem me ajudar. Obrigado.

#squid
#autenticacao
auth_param basic children 5
auth_param basic credentialsttl 2 hours
authenticate_cache_garbage_interval 10 minutes
authenticate_ttl 10 minutes
authenticate_ip_ttl 0 seconds
auth_param basic realm Autenticador, Digite seu Login e Senha.
auth_param basic children 5
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/shadow

http_port 192.168.1.1:3128

visible_hostname fire
error_directory /usr/share/squid3/errors/Portuguese

#####Inicio do Cache#####

cache_mem 128 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB

cache_swap_low 90
cache_swap_high 95

cache_dir ufs /var/log/squid3 2048 16 256
cache_access_log /var/log/squid3/access.log

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

####Fim do Cache#####

# Portas Liberadas
acl SSL_ports port 443
acl SSL_ports port 10000 # Webmin HTTPS
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 3050 # firebird
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 10000 # Webmin
acl Safe_ports port 3306 # Cartago
acl Safe_ports port 82 # conectividade digital
acl Safe_ports port 81 # conectividade digital
acl Safe_ports port 3443 # Sped receita federal
acl Safe_ports port 3337 # Sped
acl Safe_ports port 3338 # Sped
http_access deny !Safe_ports

# ACL PARA CONEXAO METODO SSL
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

#ACLs PARA IP LIBERADO

acl ip_liberado src "/etc/squid3/ip_liberado"
http_access allow ip_liberado

# ACLs PARA SITES LIBERADOS
acl sites_liberados url_regex -i "/etc/squid3/sites_liberados"
http_access allow sites_liberados

# ACLs PARA SITES BLOQUEADOS
#acl sites_bloqueados url_regex -i "/etc/squid3/bloqueados"
#http_access deny sites_bloqueados

#ACL PARA BLOQUEAR PROXY ANONIMO

acl sites_proxy url_regex -i "/etc/squid3/proxy"
http_access deny sites_proxy

#ACL PARA BLOQUEIO DE SPYWARES

acl sites_spywares url_regex -i "/etc/squid3/spywares"
http_access deny sites_spywares

#ACL PARA BLOQUEIO EM BLOG E CHAT
acl sites_blogchat url_regex -i "/etc/squid3/blogchat"
http_access deny sites_blogchat

#ACL PARA BLOQUEIO DE MUSICAS

acl sites_musicas url_regex -i "/etc/squid3/musicas"
http_access deny sites_musicas

#ACL STREAMING DE AUDIO E VIDEO

acl streaming req_mime_type ^video/x-ms-asf
acl proibir_musica urlpath_regex -i .aif$ .aifc$ .aiff$ .asf$ .asx$ .avi$ .au$ .m3u$ .med$ .mp3$ .m1v$ .mp2$ .mp2v$ .mpa$ .mov$ .mpe$ .mpg$ .mpeg$ .ogg$ .pls$ .ram$ .ra$ .ram$ .snd$ .wma$ .wmv$ .wvx$ .mid$ .midi$ .rmi$

http_access deny proibir_musica
http_reply_access deny streaming

#CONTROLE DE BANDA
acl liberado src "/etc/squid3/liberado"
acl limitado src "/etc/squid3/limitado"
delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow liberado
delay_class 2 2
delay_parameters 2 5280000/5280000 5280000/5280000
delay_access 2 allow limitado

Firewall

#!/bin/bash

#Limpa todas as regras

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F

# Carrega modulos do iptables

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_string

# Cria regra default para Chains

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#Compartilhando a Internet

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Libera Rede Interna

iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -i eth0 -j ACCEPT
iptables -I INPUT -i eth1 -j ACCEPT

iptables -t nat -I PREROUTING -s 192.168.1.4 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.17 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.200 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.41 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.38 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.1.34 -j ACCEPT

# Redireciona porta 80 para porta do proxy

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -t filter -j ACCEPT
iptables -A FORWARD -t filter -j ACCEPT -m state --state ESTABLISHED,RELATED,NEW
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Libera Terminal Service

iptables -I FORWARD -p tcp -d 192.168.1.1 --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.4:3389

# Libera Firebird

iptables -I FORWARD -p tcp -d 192.168.1.1 --dport 3050 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3050 -j DNAT --to-destination 192.168.1.4:3050

# Libera Tef

iptables -I FORWARD -p tcp -d 192.168.1.1 --dport 4096 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 4096 -j DNAT --to-destination 192.168.1.4:4096

# Libera Zebedee

iptables -I FORWARD -p tcp -d 192.168.1.1 --dport 11965 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 11965 -j DNAT --to-destination 192.168.1.4:11965

# Libera Cameras

iptables -I FORWARD -p tcp -d 192.168.1.1 --dport 7000 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 7000 -j DNAT --to-destination 192.168.1.191:7000

# Libera Symac

iptables -I FORWARD -p tcp -d 191.33.169.146 --dport 5910:5922 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5910:5922 -j DNAT --to-destination 192.168.1.4:5910-5922

# Bloqueio da Porta 80 e 443 TCP
iptables -A FORWARD -p tcp --destination-port 80 -s 192.168.1.0/24 -j DROP
iptables -A FORWARD -p tcp --destination-port 443 -s 192.168.1.0/24 -j DROP

#LIBERA DNS SERVER PARA A REDE

iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT

# Bloqueio ultra-surf

iptables -A FORWARD -p tcp -d 65.49.2.0/24 -j DROP
iptables -A FORWARD -p tcp -d 65.49.14.0/24 -j DROP
iptables -A FORWARD -p tcp --dport 19769 -j DROP

##PROTECOES

# Protege contra port scanners avan?ados (Ex.: nmap)

iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 20/m -j DROP

# Bloqueando tracertroute
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP

# Protecoes contra ataques
iptables -A INPUT -m state --state INVALID -j DROP

#iMesh:

iptables -A FORWARD -d 216.35.208.0/24 -j DROP

#Bloqueando os -:P2P:- (se voce deseja utilizar um desses softwares, apenas retire o comentario e substitua a condicao de: REJECT, para ACCEPT)

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 6881:6889 -j DNAT --to-dest 192.168.1.1
iptables -A FORWARD -p tcp -i eth1 --dport 6881:6889 -d 192.168.1.1 -j DROP

#BearShare:

iptables -A FORWARD -p tcp --dport 6346 -j DROP

#WinMX:

iptables -A FORWARD -d 209.61.186.0/24 -j DROP

iptables -A FORWARD -d 64.49.201.0/24 -j DROP

#Napigator:

iptables -A FORWARD -d 209.25.178.0/24 -j DROP

#Morpheus:

iptables -A FORWARD -d 206.142.53.0/24 -j DROP

iptables -A FORWARD -p tcp --dport 1214 -j DROP

#Limewire:

iptables -A FORWARD -p tcp --dport 6346 -j DROP

#Audiogalaxy:

iptables -A FORWARD -d 64.245.58.0/23 -j DROP
iptables -A FORWARD -m string --string "find_node" --algo bm -j DROP

#Bloqueia utorrent
iptables -A FORWARD -s 192.168.1.0/24 -p udp -j DROP
iptables -A FORWARD -d 192.168.1.0/24 -p udp -j DROP

0 0

Quote