Sent on 17/12/2016 - 09:33h
Hello everyone, I'm new here on the forum and a beginner with Linux. I have a proxy server inside my company that is working correctly (non-transparent proxy). However, we now have employees working outside the company and I need to configure the proxy so they can communicate with it even when they are outside our network.

#-----------------------------|SQUID CONFIGURATION|-----------------------------#
http_port 3128
visible_hostname proxy-server
cache_effective_user squid #means Squid will run as the squid user
error_directory /usr/local/squid/share/errors/pt-br #parameter that sets Squid's error pages to Portuguese
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_mgr felipe.ferreira@server.com.br #WEBMASTER EMAIL
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /usr/local/squid/var/cache 2048 16 256 #Squid log file and cache directory
cache_access_log /usr/local/squid/var/logs/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl manager proto cache_object
acl SSL_ports port 443 563
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny manager
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl qlproxy_ssl_force_bump req_header X-SSL-Bump -i force
ssl_bump stare all
ssl_bump bump all
ssl_bump server-first qlproxy_ssl_force_bump
ssl_bump server-first all
#-------------------------------------------------------------------------------#
#-----------------------------------|ACLs|--------------------------------------#
#-------------------------|MAC ADDRESS|-------------------------#
acl macaddressti arp "/usr/local/squid/etc/controle/mac_ti"
acl macaddressdiretores arp "/usr/local/squid/etc/controle/mac_diretores"
acl macaddressgerentes arp "/usr/local/squid/etc/controle/mac_gerentes"
#-------------------------|ALLOWED|-----------------------------#
acl sites_liberados url_regex -i "/usr/local/squid/etc/controle/sites_liberados"
acl palavras_liberadas url_regex -i "/usr/local/squid/etc/controle/palavras_liberadas"
#-------------------------|BLOCKED|-----------------------------#
acl sites_bloqueados url_regex -i "/usr/local/squid/etc/controle/sites_bloqueados"
acl extensoes_bloqueadas url_regex -i "/usr/local/squid/etc/controle/extensoes_bloqueadas"
acl palavras_bloqueadas url_regex -i "/usr/local/squid/etc/controle/palavras_bloqueadas"
#-------------------------|LIMITED|-----------------------------#
acl sites_limitados url_regex -i "/usr/local/squid/etc/controle/sites_limitados"
#-------------------------------------------------------------------------------#
#-------------------------------|BANDWIDTH CONTROL|-----------------------------#
#1st CONTROL WITH LIMIT
delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 22500/22500
#2nd CONTROL WITH LIMIT
delay_class 2 2
delay_parameters 2 -1/-1 -1/-1
delay_access 1 allow sites_limitados
delay_access 2 allow macaddressdiretores
#-------------------------------------------------------------------------------#
#---------------------------------|NETWORK MASK|--------------------------------#
acl redelocal src 192.168.0.0/24
#-------------------------------------------------------------------------------#
#---------------------------------|HTTP ACCESS|---------------------------------#
#-------------------------|DIRECTORS|---------------------------#
http_access allow macaddressdiretores
#-------------------------|MANAGERS|----------------------------#
http_access allow macaddressgerentes
#-------------------------|ALLOWED USERS|-----------------------#
#http_access allow macaddressti
#-------------------------|BLOCKED|-----------------------------#
http_access deny extensoes_bloqueadas
http_access deny palavras_bloqueadas
http_access deny sites_bloqueados
#-------------------------|ALLOWED|-----------------------------#
http_access allow sites_liberados
http_access allow palavras_liberadas
#-------------------------|GENERAL|-----------------------------#
http_access allow redelocal
http_access deny all
#-------------------------------------------------------------------------------#
#----------------------------------|ERROR PAGE|---------------------------------#
deny_info ERR_PAGE_SQUID sites_bloqueados
deny_info ERR_PAGE_SQUID extensoes_bloqueadas
#-------------------------------------------------------------------------------#

#!/bin/bash
##################################################################################
#                           DECLARING THE VARIABLES                              #
##################################################################################
#NETWORK INTERFACE CONNECTED TO THE INTERNET
IFACE_WEB="eth0"
#NETWORK INTERFACE CONNECTED TO THE INTERNAL NETWORK
IFACE_REDE="eth1"
#INTERNAL NETWORK
REDE_INTERNA="192.168.0.0/24"
#ALLOWED TCP PORTS
PORTAS_TCP="20,21,22,53,80,443,1022,3128,8000,8001,9080,9090,10000"
#ALLOWED UDP PORTS
PORTAS_UDP="53,1194,123"
#ALLOWED PORTS FOR THE INTERNAL NETWORK
PORTAS_REDE_INTERNA="25,110,557,993,445"
##################################################################################
#--------------------------->FUNCTION START<-------------------------------------#
##################################################################################
function start () {
##################################################################################
#                               IPTABLES MODULES                                 #
##################################################################################
modprobe ip_tables
modprobe iptable_nat
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe nf_conntrack_ipv4
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe nf_nat
/sbin/modprobe nf_conntrack
/sbin/modprobe x_tables
/sbin/modprobe nf_nat_pptp
##################################################################################
#                      ENABLING SOME BASIC KERNEL SETTINGS                       #
##################################################################################
#COMMENT/UNCOMMENT, ENABLE/DISABLE (DISABLE = 0, ENABLE = 1)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Enable syncookies (very useful against SYN flood attacks)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # Uncomment if you want to disable "ping" (ICMP messages) to your machine
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Do not accept ICMP redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Enable protection against bogus error responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Avoids the plague of Smurf attacks and some other local-network attacks
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Disables source routing, preventing malicious hosts from generating traffic that pretends to come from the local network
#echo 0 > /proc/sys/net/ipv4/ip_forward # Disables packet forwarding; remember to configure the ports in the FORWARD chain if you use it
##################################################################################
#                                 FLUSH TABLES                                   #
##################################################################################
#FLUSH THE TABLE RULES
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
##################################################################################
#                           SET DEFAULT POLICIES                                 #
##################################################################################
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
##################################################################################
#                    CREATE RETURN TRAFFIC FOR THE CHAINS                        #
##################################################################################
#ACCEPTS THE RETURN TRAFFIC IN THE INPUT, OUTPUT AND FORWARD CHAINS, SO WE DO NOT NEED A RULE FOR EACH DIRECTION
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
##################################################################################
#                                  NAT RULES                                     #
##################################################################################
#SHARE THE INTERNET FROM ETH0 TO ETH1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#REDIRECT SQUID
iptables -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3128 -j DNAT --to-dest 192.168.0.248
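Added example, not part of the original post: a small model of the first-match `http_access` evaluation for the squid.conf above, to show what happens to a client that is outside 192.168.0.0/24 once port 3128 is reachable from the internet. The file-backed lists and the MAC addresses are constructed samples, and the remote address 203.0.113.10 is a documentation-range placeholder.

```python
# Added example (not the poster's code): models Squid's first-match http_access
# evaluation for the rules in the post, with constructed sample list contents.
import ipaddress
import re

# ACL definitions from the post's squid.conf. The real list files are not on
# the page, so their contents here are constructed samples (assumption).
ACLS = {
    "macaddressdiretores": ("arp", {"00:11:22:33:44:55"}),     # constructed MAC
    "macaddressgerentes":  ("arp", {"66:77:88:99:aa:bb"}),     # constructed MAC
    "extensoes_bloqueadas": ("url_regex", [r"\.exe$", r"\.torrent$"]),
    "palavras_bloqueadas":  ("url_regex", [r"jogos"]),
    "sites_bloqueados":     ("url_regex", [r"facebook\.com"]),
    "sites_liberados":      ("url_regex", [r"empresa\.com\.br"]),
    "palavras_liberadas":   ("url_regex", [r"suporte"]),
    "redelocal":            ("src", ipaddress.ip_network("192.168.0.0/24")),
}

# http_access lines from the post, in order (the commented-out macaddressti line omitted).
HTTP_ACCESS = [
    ("allow", "macaddressdiretores"),
    ("allow", "macaddressgerentes"),
    ("deny",  "extensoes_bloqueadas"),
    ("deny",  "palavras_bloqueadas"),
    ("deny",  "sites_bloqueados"),
    ("allow", "sites_liberados"),
    ("allow", "palavras_liberadas"),
    ("allow", "redelocal"),
    ("deny",  "all"),
]

def acl_matches(name, client_ip, client_mac, url):
    """Return True if the named ACL matches this request."""
    if name == "all":
        return True
    kind, data = ACLS[name]
    if kind == "arp":
        # Squid learns a MAC only from the ARP table of a directly attached
        # segment; a client reaching the proxy through a router has none,
        # so for remote users the arp ACLs can never match (client_mac=None).
        return client_mac is not None and client_mac.lower() in data
    if kind == "src":
        return ipaddress.ip_address(client_ip) in data
    if kind == "url_regex":
        return any(re.search(p, url, re.IGNORECASE) for p in data)
    raise ValueError(f"unsupported acl type {kind}")

def http_access(client_ip, client_mac, url):
    """The first http_access line whose ACL matches decides, as in Squid."""
    for action, acl in HTTP_ACCESS:
        if acl_matches(acl, client_ip, client_mac, url):
            return action
    return "deny"  # not reached here because of the final 'deny all'
```

Running it shows a remote client is refused by `deny all` for ordinary URLs, but the `allow sites_liberados` and `allow palavras_liberadas` lines carry no source restriction, so once 3128 is open on eth0 any internet client can use the proxy for URLs matching those lists; remote access needs an ACL that identifies the user (such as authentication or a VPN source range) placed before those lines.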
Sent on 04/01/2017 - 12:52h

Sent on 19/12/2016 - 13:44h

Good afternoon

Sent on 19/12/2016 - 15:50h

Good afternoon!

Sent on 19/12/2016 - 17:40h

Sent on 04/01/2017 - 12:06h