Enviado em 17/12/2016 - 09:33h
Olá pessoal, sou novo aqui no fórum e iniciante em Linux. Tenho um servidor proxy dentro da minha empresa que está funcionando corretamente (proxy não transparente). Porém agora temos funcionários que estão trabalhando fora da empresa e preciso configurar o proxy para que eles consigam se comunicar mesmo estando fora da nossa rede.
#-----------------------------------------------------------------|SQUID SETTINGS|------------------------------------------------------------------#
# Plain HTTP proxy port for clients.
# NOTE(review): no ssl-bump option is set on this port, so the ssl_bump directives below
# presumably have no effect unless another port (not in this excerpt) enables it — check
# with `squid -k parse` and the running configuration.
http_port 3128
visible_hostname proxy-server
cache_effective_user squid # Squid runs as the unprivileged "squid" user
error_directory /usr/local/squid/share/errors/pt-br # Brazilian-Portuguese error pages
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_mgr felipe.ferreira@server.com.br # administrator contact displayed on error pages
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /usr/local/squid/var/cache 2048 16 256 # on-disk cache: 2048 MB, 16 first-level / 256 second-level directories
# Access log. NOTE(review): "cache_access_log" is the Squid 2.x spelling; Squid 3.x uses
# "access_log" — confirm against the installed version.
cache_access_log /usr/local/squid/var/logs/access.log
# refresh_pattern <regex> <min minutes> <percent of object age> <max minutes>
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# Standard safety ACLs. The four denies that use them must stay ahead of every allow below,
# otherwise a matching allow would let CONNECT tunnels to arbitrary ports through.
acl manager proto cache_object
acl SSL_ports port 443 563
# NOTE(review): "59" looks like a truncated "591" (the entry in Squid's default Safe_ports list) — confirm.
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access deny manager
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# TLS interception. NOTE(review): this mixes the peek-and-splice vocabulary (stare/bump,
# Squid 3.5+) with the older server-first form; ssl_bump is first-match, so "bump all" on
# the second line appears to shadow both server-first lines. Bumping every client also
# requires the proxy's CA to be trusted on each device — decide deliberately whether
# interception of all traffic is wanted.
acl qlproxy_ssl_force_bump req_header X-SSL-Bump -i force
ssl_bump stare all
ssl_bump bump all
ssl_bump server-first qlproxy_ssl_force_bump
ssl_bump server-first all
#---------------------------------------------------------------------------------------------------------------------------------------------------#
#-----------------------------------------------------------------|ACLs|----------------------------------------------------------------------------#
#-------------------------------------|MAC ADDRESS|------------------------------------------#
# Client groups identified by MAC address (one MAC per line in each file).
# NOTE(review): arp ACLs only see the MAC of hosts on the proxy's own layer-2 segment, and a
# MAC is not an authenticated identity — these groups cannot identify off-site users.
acl macaddressti arp "/usr/local/squid/etc/controle/mac_ti"
acl macaddressdiretores arp "/usr/local/squid/etc/controle/mac_diretores"
acl macaddressgerentes arp "/usr/local/squid/etc/controle/mac_gerentes"
#-------------------------------------|ALLOWED|----------------------------------------------#
# Allow-lists: case-insensitive regexes matched against the whole request URL.
acl sites_liberados url_regex -i "/usr/local/squid/etc/controle/sites_liberados"
acl palavras_liberadas url_regex -i "/usr/local/squid/etc/controle/palavras_liberadas"
#-------------------------------------|BLOCKS|-----------------------------------------------#
# Block-lists: sites, file extensions and words, same regex semantics as above.
acl sites_bloqueados url_regex -i "/usr/local/squid/etc/controle/sites_bloqueados"
acl extensoes_bloqueadas url_regex -i "/usr/local/squid/etc/controle/extensoes_bloqueadas"
acl palavras_bloqueadas url_regex -i "/usr/local/squid/etc/controle/palavras_bloqueadas"
#-------------------------------------|RATE-LIMITED|-----------------------------------------#
# URLs that are placed into delay pool 1 below.
acl sites_limitados url_regex -i "/usr/local/squid/etc/controle/sites_limitados"
#---------------------------------------------------------------------------------------------------------------------------------------------------#
#-----------------------------------------------------------------|BANDWIDTH CONTROL|---------------------------------------------------------------#
#1st POOL: LIMITED
delay_pools 2
delay_class 1 2 # class 2 = one aggregate bucket plus one bucket per client
delay_parameters 1 -1/-1 22500/22500 # aggregate unlimited; roughly 22.5 kB/s per client
#2nd POOL: UNLIMITED (-1 means no limit)
delay_class 2 2
delay_parameters 2 -1/-1 -1/-1
delay_access 1 allow sites_limitados
delay_access 2 allow macaddressdiretores
#---------------------------------------------------------------------------------------------------------------------------------------------------#
#--------------------------------------------------------------|LOCAL NETWORK|----------------------------------------------------------------------#
# Office LAN. Off-site staff will not match this unless they arrive through a VPN that
# places them inside this range.
acl redelocal src 192.168.0.0/24
#---------------------------------------------------------------------------------------------------------------------------------------------------#
#--------------------------------------------------------------|HTTP ACCESS|------------------------------------------------------------------------#
# http_access is evaluated first-match, top to bottom.
#-------------------------------------|DIRECTORS|--------------------------------------------#
# NOTE(review): this allow and the MANAGERS one come before the block-lists, so both MAC
# groups bypass every deny in the BLOCKS section.
http_access allow macaddressdiretores
#-------------------------------------|MANAGERS|---------------------------------------------#
http_access allow macaddressgerentes
#-------------------------------------|ALLOWED USERS|----------------------------------------#
# IT-staff MAC group, currently disabled.
#http_access allow macaddressti
#-------------------------------------|BLOCKS|-----------------------------------------------#
http_access deny extensoes_bloqueadas
http_access deny palavras_bloqueadas
http_access deny sites_bloqueados
#-------------------------------------|ALLOWED|----------------------------------------------#
# NOTE(review): these two allows carry no src (or authentication) ACL. Any client that can
# reach port 3128 may use the proxy for a URL matching either list, and url_regex is an
# unanchored search — a listed word anywhere in the URL (path or query string) is enough.
# Before exposing 3128 beyond the LAN (the firewall script on this page DNATs it from eth0),
# pair these with a src or proxy_auth ACL, or keep remote staff on a VPN and let them
# match redelocal instead.
http_access allow sites_liberados
http_access allow palavras_liberadas
#-------------------------------------|GENERAL|----------------------------------------------#
http_access allow redelocal
# "all" is not declared in this excerpt; Squid 3.x provides it built-in — confirm for the installed version.
http_access deny all
#---------------------------------------------------------------------------------------------------------------------------------------------------#
#--------------------------------------------------------------|ERROR PAGE|-------------------------------------------------------------------------#
# Custom error template returned when these ACLs cause a deny; presumably lives under error_directory — confirm.
deny_info ERR_PAGE_SQUID sites_bloqueados
deny_info ERR_PAGE_SQUID extensoes_bloqueadas
#---------------------------------------------------------------------------------------------------------------------------------------------------#
#!/bin/bash
##################################################################################################
# VARIABLES #
##################################################################################################
# Network interface facing the Internet
IFACE_WEB=eth0
# Network interface facing the internal LAN
IFACE_REDE=eth1
# Internal network range
REDE_INTERNA=192.168.0.0/24
# Allowed TCP ports (comma-separated list)
PORTAS_TCP=20,21,22,53,80,443,1022,3128,8000,8001,9080,9090,10000
# Allowed UDP ports (1194 is the port conventionally used by OpenVPN)
PORTAS_UDP=53,1194,123
# Allowed ports for the internal network only.
# NOTE(review): 557 may be a typo for 587 (SMTP submission) given the 25/110/993 mail ports beside it — confirm.
PORTAS_REDE_INTERNA=25,110,557,993,445
##################################################################################################
#----------------------------------->FUNCTION START<---------------------------------------------#
##################################################################################################
function start () {
##################################################################################################
# MODULOS IPTABLES #
##################################################################################################
modprobe ip_tables
modprobe iptable_nat
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe nf_conntrack_ipv4
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe nf_nat
/sbin/modprobe nf_conntrack
/sbin/modprobe x_tables
/sbin/modprobe nf_nat_pptp
##################################################################################################
# ATIVANDO ALGUMAS COISAS BASICAS DO KERNEL #
##################################################################################################
#COMENTE/DESCOMENTE, ATIVE/DESATIVE (DESABILITAR = 0 HABILITAR = 1)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Habilitar o uso de syncookies (muito útil para evitar SYN flood attacks)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # Descomente caso queira desabilita o "ping" (Mensagens ICMP) para sua máquina
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Não aceite redirecionar pacotes ICMP
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Ative a proteção contra respostas a mensagens de erro falsas
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Evita a peste do Smurf Attack e alguns outros de redes locais
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Desabilita roteamento de fonte, evitando que indivíduos maliciosos gerarem trafego fingindo ser da rede local
#echo 0 > /proc/sys/net/ipv4/ip_forward # Desabilita roteamento de pacotes, lembre-se de configurar as portas da CHAIN FORWARD, caso a use
##################################################################################################
# LIMPAR TABELAS #
##################################################################################################
#LIMPA AS REGRAS DA TABELA
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
##################################################################################################
# DEFINIR POLITICAS PADROES #
##################################################################################################
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
##################################################################################################
# CRIA IDA E VOLTA AS CHAINS #
##################################################################################################
#CRIA A IDA E VOLTA DO ACESSO NAS CHAINS INPUT, OUTPUT E FORWARD, ASSIM NÃO PRECISAMOS CRIAR A IDA E VOLTA NAS REGRAS
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
##################################################################################################
# REGRAS NAT #
##################################################################################################
#COMPARTILHA INTERNET ETH0 FOR ETH1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#REDIRECT SQUID
iptables -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3128 -j DNAT --to-dest 192.168.0.248