Configurar Iptalbes+Squid+dansguardian [RESOLVIDO]

1. Configurar Iptalbes+Squid+dansguardian [RESOLVIDO]

Claudio Silva
Claudiosilva

(usa Outra)

Enviado em 22/04/2010 - 20:05h

Boa noite a todos,
instalei a versão 9.10 do Ubuntu Server em uma máquina e estou tentando configurar o dansguardian há uma semana sem sucesso. Vou postar aqui o conteúdo dos três arquivos para que possam analisar e verificar o que pode estar errado:

Se eu comentar a linha de "proxy transparente" no firewall, a navegação funciona, mas o filtro de conteúdo do dansguardian não. E quando ativo a regra, continua existindo acesso à internet, mas a navegação (porta 80) fica bloqueada para toda a rede 192.168.0.0/24.

obrigado

############################### FIREWALL ##################################

/etc/init.d/firewall (lembrando que o rc.local possui a linha "/etc.init.d/firewall restart")

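#!/bin/bash
#
# /etc/init.d/firewall -- packet filter and NAT rules for the gateway.
#
# rc.local runs this as "/etc/init.d/firewall restart"; the start/stop/restart
# argument is not inspected, every run flushes and reloads the whole rule set.
#
# Traffic model: hosts on the internal interface are trusted, the external
# interface only accepts the listed service ports, and HTTP from the LAN is
# redirected to the content filter (DansGuardian) listening on this host.

# Internal network interface
IF_INTERNA="eth1"

# External network interface
IF_EXTERNA="eth0"

# Internal network
REDE_INTERNA="192.168.0.0/24"
# Public address of this host -- not referenced by any rule below
IP_NET="200.163.58.155"
IPT=/sbin/iptables

# Port the content filter listens on (dansguardian.conf: filterport) and the
# port Squid listens on (squid.conf: http_port). Squid must only be reached
# through the filter, which talks to it over loopback (proxyip = 127.0.0.1).
FILTER_PORT=8080
SQUID_PORT=3128

# =============== Load kernel modules ======================
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

# =============== Flush previous rules ==================
# -F/-X do not touch chain policies, so on a reload the DROP policies set by
# the previous run stay in force while the chains are empty (fails closed).
$IPT -F
$IPT -X
$IPT -F -t nat
$IPT -X -t nat
$IPT -F -t mangle
$IPT -X -t mangle

# ================ DEFAULT POLICIES (DENY EVERYTHING) ===================
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Loopback is fully open (the filter reaches Squid over 127.0.0.1, and not
# even ping works without it).
$IPT -A INPUT -i lo -j ACCEPT

# Keep LAN clients from talking to Squid directly: squid.conf allows the
# internal network on 3128, so a browser configured with that proxy would skip
# the content filter entirely. The filter itself uses lo, not the LAN interface.
$IPT -A INPUT -i "$IF_INTERNA" -p tcp --dport "$SQUID_PORT" -j DROP

# Everything else from the internal network is trusted, both to this host and
# through it.
$IPT -A INPUT -i "$IF_INTERNA" -j ACCEPT
$IPT -A FORWARD -i "$IF_INTERNA" -j ACCEPT

## Set the low-delay TOS bit on outgoing interactive/service traffic
$IPT -t mangle -A OUTPUT -o "$IF_EXTERNA" -p tcp -m multiport --dports 21,22,3389,1433,1234,80 -j TOS --set-tos 0x10

# Rate-limited FORWARD accepts. They are not bound to an interface, so they
# also admit one packet per second of unsolicited traffic arriving from the
# outside; keep them only if that is intended (the LAN side is already
# accepted above).
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT

# Masquerade the internal network behind this host's address
$IPT -t nat -A POSTROUTING -s "$REDE_INTERNA" -j MASQUERADE

# Enable IP forwarding (connection sharing)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Transparent proxy: HTTP from the LAN is redirected to the content filter on
# this host. The redirected packets are delivered locally (INPUT, accepted by
# the "-i $IF_INTERNA" rule above), so for this to work something must
# actually be listening on FILTER_PORT -- otherwise every port-80 connection
# from the LAN is refused.
$IPT -t nat -A PREROUTING -i "$IF_INTERNA" -p tcp --dport 80 -j REDIRECT --to-port "$FILTER_PORT"

## Services reachable from the outside: sFTP, SSH, TS, SQL1, SQL2
## (add port 80 here to expose a web server)
$IPT -A INPUT -i "$IF_EXTERNA" -p tcp -m multiport --dports 21,22,3389,1433,1234 -j ACCEPT

# Replies to connections this host or the LAN initiated
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Only established/related traffic is forwarded here. New connections from the
# LAN are already accepted by the "-i $IF_INTERNA" FORWARD rule; accepting NEW
# from any interface would cancel the FORWARD DROP policy for the external side.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT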


######################################### DANSGUARDIAN ################################################

# DansGuardian config file for version 2.10.1.1

#UNCONFIGURED - Please remove this line after configuration
# NOTE(review): the UNCONFIGURED marker above is still in place. The packaged
# init script on Debian/Ubuntu normally checks for this marker and refuses to
# start the daemon while it is present, which would leave nothing listening on
# filterport 8080 and would match the "port 80 blocked for the whole LAN"
# symptom once the REDIRECT rule is active -- confirm with the service status
# and the daemon's log before looking elsewhere.

reportinglevel = 3

languagedir = '/etc/dansguardian/languages'

language = 'portuguese'

loglevel = 3

logexceptionhits = 2

logfileformat = 1

loglocation = '/var/log/dansguardian/access.log'

# Empty = bind to every local address, so the external interface is only kept
# out by the firewall's INPUT DROP policy (8080 is not among its allowed ports).
filterip =

# Port the firewall's REDIRECT rule sends LAN port-80 traffic to
filterport = 8080

# Upstream Squid; must match "http_port" in squid.conf (it does: 3128).
# The filter connects from 127.0.0.1, so Squid sees it as localhost unless
# X-Forwarded-For handling substitutes the original client address.
proxyip = 127.0.0.1

proxyport = 3128

# NOTE(review): placeholder hostname -- blocked pages will redirect to an
# address that does not resolve until this points at the real server.
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'

filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on

weightedphrasemode = 2

urlcachenumber = 1000
urlcacheage = 900

scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10

# Two download managers are active (fancy, then default); presumably they are
# tried in order and the default one has to stay last -- verify against the
# comments in the shipped dansguardian.conf.
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
#downloadmanager = '/etc/dansguardian/downloadmanagers/trickle.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'

contentscannertimeout = 60
contentscanexceptions = off

##################################################### SQUID #######################################

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl rede_interna src 192.168.0.0/24
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
# NOTE(review): this line is evaluated before the Safe_ports / CONNECT denies
# below and admits the LAN directly on 3128. Any client that sets this host:3128
# as its proxy therefore bypasses DansGuardian (the whole point of the REDIRECT
# to 8080) and also skips the port restrictions. Because DansGuardian connects
# from 127.0.0.1, "allow localhost" should be enough -- but with
# follow_x_forwarded_for enabled at the bottom of this file, src ACLs may see
# the original LAN address instead, so check which rule actually matches
# before removing this one. Blocking 3128 from the LAN in the firewall is the
# independent safeguard.
http_access allow rede_interna
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# NOTE(review): httpd_accel_* are Squid 2.5-era directives; "http_port 3128
# transparent" below is the newer way to intercept and makes them redundant.
# Run "squid -k parse" and look at cache.log for complaints about them --
# confirm the installed Squid version.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
visible_hostname Servidor-Linux
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
# Listening port for requests forwarded by DansGuardian (proxyport = 3128 in
# dansguardian.conf); "transparent" lets Squid reconstruct the URL from the
# Host header for intercepted connections.
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
# Trusts X-Forwarded-For from localhost, i.e. from DansGuardian, so logs can
# show the real LAN client -- this also affects which src ACL matches above.
follow_x_forwarded_for allow localhost

#####################################################################################


  





