Acesso remoto ERP - Squid bloqueando

fradeck
(usa Outra)

Enviado em 09/06/2015 - 13:46h

Bom dia.
Estou com um problema e não sei mais o que fazer para resolver. Já deixei o firewall com tudo liberado e o squid também, a situação é a seguinte:
A filial acessa remoto nosso ERP e parou de funcionar.
Quando para o squid o acesso normaliza se subo ele não consigo mais acessar o ERP (não dá erro, fica carregando e não funciona)
Alguma luz?
Estou em fase de melhorias ainda do firewall
Segue meu firewall e squid

###########################  FIREWALL    #####################

##############################################################

#Interpretador de comandos

#!/bin/bash

# Carrega os moulos

echo Modulos do firewall

modprobe ipt_string

modprobe ip_tables

modprobe iptable_filter

modprobe ip_conntrack

modprobe ip_conntrack_ftp

modprobe iptable_nat

modprobe ip_nat_ftp

modprobe ipt_LOG

modprobe ipt_state

modprobe ipt_MASQUERADE

#zerando as regras;

echo Regras default

iptables -F INPUT

iptables -F OUTPUT

iptables -F FORWARD

iptables -t nat -F

iptables -t mangle -F

#Alterando a politica das Chains

#Alterando a politica das Chains

iptables -P INPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -P OUTPUT ACCEPT

#iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 25,58215,110,465,587,995 -j MASQUERADE

#skype incoming connections

#iptables -A INPUT -p udp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp --dport 58215 -m state --state NEW,ESTABLISHED -j ACCEPT

#iptables -A FORWARD -p tcp --dport 39856 -j ACCEPT

#iptables -I FORWARD -m string --algo bm --string "skype.com" -j ACCEPT

#Nat da rede

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#liberando encaminhamento de pacotes;

echo "1" > /proc/sys/net/ipv4/ip_forward



# Libera o acesso SSH de qualquer origem

echo Liberando acesso SSH

iptables -A INPUT -p tcp --dport 7351 -j ACCEPT

# Libera o squid a partir da rede interna

#echo Liberando rede interna

iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

#Acesso externo Cameras

echo "acesso as cameras"

iptables -A INPUT -i eth0 -p tcp --dport 37777 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 37777 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --dport 37777 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 37777 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.219 --dport 37777 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 37777 -j DNAT --to-destination 192.168.10.90:37777

iptables -A FORWARD -p udp -d 192.168.10.219 --dport 37777 -j ACCEPT

iptables -t nat -A PREROUTING -p udp --dport 37777 -j DNAT --to-destination 192.168.10.219:37777



#liberar acesso externo siga

echo Acesso externo Siga

iptables -A INPUT -i eth0 -p tcp --dport 1257 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 1257 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 1257 -j DNAT --to-destination 192.168.10.90:1257



iptables -A INPUT -i eth0 -p tcp --dport 1299 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 1299 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 1299 -j DNAT --to-destination 192.168.10.90:1299





iptables -A INPUT -i eth0 -p tcp --dport 1256 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 1256 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 1256 -j DNAT --to-destination 192.168.10.90:1256







echo Acesso ao Sql Server

iptables -A INPUT -i eth0 -p tcp --dport 9723 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 9723 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 9723 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 9723 -j DNAT --to-destination 192.168.10.91:1433



#acesso aos servidores via TS

echo Liberando acesso via TS

iptables -A INPUT -i eth0 -p tcp --dport 3390 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.90 --dport 3389 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 3390 -j DNAT --to-destination 192.168.10.90:3389



iptables -A INPUT -i eth0 -p tcp --dport 3391 -j ACCEPT

iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 3389 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 3391 -j DNAT --to-destination 192.168.10.91:3389

#acesso ao BI

echo Liberando Acesso ao BI

iptables -A INPUT -i eth0 -p tcp --dport 7980 -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 7980 -j ACCEPT



iptables -A INPUT -i eth0 -p udp --dport 7980 -j ACCEPT

iptables -A INPUT -i eth1 -p udp --dport 7980 -j ACCEPT



iptables -A FORWARD -p tcp -d 192.168.10.91 --dport 7980 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080



iptables -A FORWARD -p udp -d 192.168.10.91 --dport 7980 -j ACCEPT

iptables -t nat -A PREROUTING -p udp --dport 7980 -j DNAT --to-destination 192.168.10.91:8080



iptables -t nat -A PREROUTING -d 0/0 -p tcp --dport 7980 -j DNAT --to 192.168.10.91:7980



#*************************** BLOQUEIO DO FACEBOOK ***********************************************************

echo "Acesso Facebook"

#BLOQUEIOS FACEBOOK:

hora=`/bin/date +%H%M`

if `[ "$hora" -gt "0759" ] && [ "$hora" -lt "1229" ] || [ "$hora" -gt "1329" ] && [ "$hora" -lt "2359" ] `; then

    op=1;

else

    op=2;

fi

permitidos=$(egrep -v "(^#|^$)" /etc/squid3/regras/ips_fb)  

##BLOQUEIO DO FACEBOOK

FACEBOOK_IP_RANGE="31.13.64.0-31.13.127.255 31.13.24.0-31.13.31.255 74.119.76.0-74.119.79.255 69.63.176.0-69.63.191.255 69.171.224.0-69.171.255.255 66.220.144.0-66.220.159.255 204.15.20.0-204.15.23.255 173.252.64.0-173.252.127.255"

iptables -N FACEBOOK



## FACEBOOK DENY

for face in $FACEBOOK_IP_RANGE; do

    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 443 -j FACEBOOK

    iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range $face --dport 80 -j FACEBOOK

done



FACEBOOK_ALLOW="$permitidos" #MSR_LIBERADO  #Aqui libera os permitidos.



for MSR_LIBERADO in $FACEBOOK_ALLOW; do

    iptables -I FACEBOOK -s $MSR_LIBERADO -j ACCEPT

done



if [ $op -eq "1" ]; then  

    echo "Bloqueando"

    iptables -A FACEBOOK -j REJECT

fi



if [ $op -eq "2" ]; then  #E caso esteja fora do horáo de serviçéiberado

    echo "Liberando"

    iptables -A FACEBOOK -j ACCEPT

fi

#****************************************************************************************************************

 

SQUID

# Portas padrao

acl SSL_ports port 443

acl Safe_ports port 443

#acl Safe_ports port 8080

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT





http_access allow connect SSL_Ports



http_access deny !Safe_ports



http_access deny CONNECT !SSL_ports



#http_access allow localhost manager

#http_access deny manager

acl redelocal src 192.168.10.0/24

#http_access allow redelocal

#http_access deny all



#controle de cache do proxy

cache_mem 32 MB

maximum_object_size_in_memory 64 KB

minimum_object_size 0 KB

maximum_object_size 4096 MB



cache_swap_low 85

cache_swap_high 90

cache_dir ufs /var/spool/squid3 2048 16 256

cache_access_log /var/log/squid3/access.log

#Controle do arquivo de Log

logfile_rotate 10

ftp_user Squid@

#protocolos

refresh_pattern ^ftp: 15 20% 2280

refresh_pattern ^gopher: 15 0% 2280

refresh_pattern . 15 20% 2280

######Block Video and Audio Streaming##############

acl media rep_mime_type video/flv video/x-flv

acl media rep_mime_type -i ^video/

acl media rep_mime_type -i ^video\/

acl media rep_mime_type ^application/x-shockwave-flash

acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1

acl media rep_mime_type ^application/x-fcs

acl media rep_mime_type ^application/x-mms-framed

acl media rep_mime_type ^video/x-ms-asf

acl media rep_mime_type ^audio/mpeg

acl media rep_mime_type ^audio/x-scpls

acl media rep_mime_type ^video/x-flv

acl media rep_mime_type ^video/mpeg4

acl media rep_mime_type ms-hdr

acl media rep_mime_type x-fcs

acl mediapr urlpath_regex \.flv(\?.*)?$

acl mediapr urlpath_regex -i \.(avi|mp4|mov|m4v|mkv|flv)(\?.*)?$

acl mediapr urlpath_regex -i \.(mpg|mpeg|avi|mov|flv|wmv|mkv|rmvb)(\?.*)?$









#********************************* GERAL *****************************************

acl ips_geral src "/etc/squid3/regras/geral/ips_liberados"

acl sites_liberados_geral url_regex -i "/etc/squid3/regras/geral/sites_liberados_geral"

acl palavras_bloqueadas url_regex -i "/etc/squid3/regras/geral/palavras_bloqueadas"

acl sites_bloqueados_geral url_regex -i "/etc/squid3/regras/geral/sites_bloqueados_geral"

#************************************************************************************



#********************************* COMERCIAL *****************************************

acl comercial src "/etc/squid3/regras/comercial/ips_comercial"

acl sites_comercial url_regex -i "/etc/squid3/regras/comercial/sites_liberados"



#********************************* COMPRAS *****************************************

acl compras src "/etc/squid3/regras/compras/ips_compras"

acl sites_compras url_regex -i "/etc/squid3/regras/compras/sites_liberados"



#********************************* CTP *****************************************

acl ctp src "/etc/squid3/regras/ctp/ips_ctp"

acl sites_ctp url_regex -i "/etc/squid3/regras/ctp/sites_liberados"



#********************************* FINANCEIRO *****************************************

acl financeiro src "/etc/squid3/regras/financeiro/ips_financeiro"

acl sites_financeiro url_regex -i "/etc/squid3/regras/financeiro/sites_liberados"



#********************************* INSPECAO *****************************************

acl inspecao src "/etc/squid3/regras/inspecao/ips_inspecao"

acl sites_inspecao url_regex -i "/etc/squid3/regras/inspecao/sites_liberados"



#********************************* PRODUCAO *****************************************

acl producao src "/etc/squid3/regras/producao/ips_producao"

acl sites_producao url_regex -i "/etc/squid3/regras/producao/sites_liberados"

#********************************* PCP *****************************************

acl pcp src "/etc/squid3/regras/pcp/ips_pcp"

acl sites_pcp url_regex -i "/etc/squid3/regras/pcp/sites_liberados"



#********************************* RH *****************************************

acl rh src "/etc/squid3/regras/rh/ips_rh"

acl sites_rh url_regex -i "/etc/squid3/regras/rh/sites_liberados"

#********************************* TI *****************************************

acl TI src "/etc/squid3/regras/TI/ips_TI"



acl ips_gestores  src "/etc/squid3/regras/geral/ips_gestores"





acl almoco time MTWHF 12:30-13:30



#CONFIGURACAO DAS ACLS

http_access allow TI

http_access allow ips_geral

http_access allow almoco

http_access allow rh

http_access deny sites_bloqueados_geral

http_access deny mediapr

http_reply_access deny media !TI

http_access allow financeiro

http_access allow compras

http_access allow ctp

http_access allow sites_liberados_geral

http_access allow ips_gestores

http_access allow comercial sites_comercial

http_access allow inspecao sites_inspecao

http_access allow producao sites_producao

http_access allow pcp sites_pcp

#http_access allow redelocal

http_access deny all





log_mime_hdrs on

http_port 3128

#coredump_dir /var/spool/squid3

#refresh_pattern ^ftp:           1440    20%     10080

#refresh_pattern ^gopher:        1440    0%      1440

#refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

#refresh_pattern .               0       20%     4320

                                                                                

 

jcoli
(usa Debian)

Enviado em 10/06/2015 - 05:35h

Qual ERP?


Jeferson Coli
---------------------
www.tecnocoli.com.br

fradeck
(usa Outra)

Enviado em 10/06/2015 - 08:13h

Protheus
E no acesso remoto por TS está extremamente lento, paro o squid normaliza