iasd
(usa CentOS)
Enviado em 04/06/2014 - 16:27h
O proxy é transparente. Lembrando que os comandos `modprobe nf_nat_ftp` e `modprobe nf_conntrack_ftp` não funcionam no meu iptables, e o Squid é o 2.7. Você me indica algum manual bom de iptables e Squid? Estou precisando colocar 2mb de banda, para toda a minha rede, para as extensões de vídeo e áudio, para elas não saturarem a rede.
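#!/bin/bash
# Firewall + transparent-proxy bootstrap for a two-NIC gateway.
# Must run as root: it writes /proc/sys/net/ipv4/* and programs iptables.
# NOTE(review): the comments below say eth0 = LAN and eth1 = public, but the
# NAT section masquerades *out of* eth0 and redirects port 80 *arriving on*
# eth1 to squid, which only makes sense if eth1 is the LAN side. Confirm the
# interface roles before trusting the INPUT rules.
####Compartilhamento e variaveis######
echo 1 > /proc/sys/net/ipv4/ip_forward
readonly iptables="/sbin/iptables"
readonly modprobe="/sbin/modprobe"
######################################
####Trata cadeias#####################
# Default-deny for INPUT/FORWARD, set once (the original repeated these three
# times, which changed nothing).
"$iptables" -P INPUT DROP
"$iptables" -P FORWARD DROP
"$iptables" -P OUTPUT ACCEPT
######################################
####Limpa cadeias#####################
"$iptables" -F INPUT
"$iptables" -F FORWARD
"$iptables" -F OUTPUT
"$iptables" -F -t nat
######################################
#eth0 e local ip
#eth1 e public ip
###########Carrega modulos############
# The original line read "$/modprobe nf_conntrack_ftp": "$/" is not a
# parameter, so the shell looked for a command literally named "$/modprobe"
# and the FTP conntrack helper was never loaded. Load the current module
# names and fall back to the legacy ip_* names of older kernels; a missing
# legacy name is not an error, so the fallbacks end in "|| true".
"$modprobe" nf_conntrack_ftp || "$modprobe" ip_conntrack_ftp || true
"$modprobe" iptable_nat
"$modprobe" nf_nat_ftp || "$modprobe" ip_nat_ftp || true
######################################
##### Regras INPUT####################
# FTP control/data ports of this host, reachable from any interface (the
# original listed the same two rules a second time with --destination-port).
"$iptables" -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
"$iptables" -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# Replies to connections this host itself initiated.
"$iptables" -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$iptables" -A OUTPUT -p ALL -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#teste
# LOG is rate-limited so a scan of port 5556 cannot flood the syslog.
"$iptables" -A INPUT -p tcp --dport 5556 -m limit --limit 5/min --limit-burst 10 -j LOG
#teste
"$iptables" -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): this accepts every packet arriving on eth0, any port, any
# state; together with the eth1 rule above, the INPUT DROP policy never
# applies to a physical interface. If eth0 is the internet side (as the
# MASQUERADE rule suggests) every listening service is exposed — narrow it
# to the ports actually needed.
"$iptables" -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
"$iptables" -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# Return traffic of forwarded (masqueraded) flows. The original had no such
# rule, so every reply packet hit the FORWARD DROP policy; it is also what
# lets the FTP helpers admit data connections, which conntrack tags RELATED.
"$iptables" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$iptables" -A FORWARD -s 172.20.0.0/16 -j ACCEPT
# The original port-21 line was truncated at "-o", which makes iptables abort
# with a usage error; completed to mirror the port-20 rule.
"$iptables" -A FORWARD -i eth1 -p tcp --destination-port 20 -o eth0 -j ACCEPT
"$iptables" -A FORWARD -i eth1 -p tcp --destination-port 21 -o eth0 -j ACCEPT
########nat table#####################
"$iptables" -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Transparent proxy: port 80 arriving on eth1 goes to squid's intercepting
# port (3128, the one declared "transparent" in squid.conf). The original
# had a second REDIRECT of the same traffic to port 1111; it could never
# match behind this rule and 1111 is not an intercepting port, so it is gone.
"$iptables" -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#############FIM NAT##################
echo "FIREWALL OK"
###########FIM LOGS###################
##########ANTI ATAQUES################
echo "REGRAS CONTRA ATAQUES EXTERNOS"
# Reverse-path filtering on every interface entry under conf/ (the glob also
# covers "all" and "default").
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "$spoofing"
done
echo "ANTI SPOOFING..[ok]"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "ANTI REDIRECTS..[ok]"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "ANTI SOURCE-ROUTES..[ok]"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "ANTI BUGUS-RESPONSE..[ok]"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "ANTI SYNFLOODS..[ok]"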
squid
http_port 3128 transparent
http_port 1111
visible_hostname nedtecfirewall.ufes.br
ftp_passive on
cache_mem 2000 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 41940 KB
minimum_object_size 0 KB
cache_swap_low 80
cache_swap_high 85
cache_dir ufs /var/spool/squid 100 32 32
cache_access_log /var/log/squid/access.log
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern guru.avg.com/softw/90free/update/.*\.(bin|ctf) 11520 100% 43200 reload-into-ims
refresh_pattern update.avg.com/softw/90/update/.*\.(bin|ctf) 11520 100% 43200 reload-into-ims
refresh_pattern http://update.avg.com/softw/90/update/.*\.(bin|ctf) 11520 100% 43200 reload-into-ims
#refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
emulate_httpd_log on
error_directory /usr/share/squid/errors/Portuguese
#error_directory /var/www/squid
######################## ACLS BASICAS ##########################
acl all src 0.0.0.0/0.0.0.0
acl redelocal src "/etc/squid/redelocal"
#acl permitidos src 192.168.35.0/24
#acl permitidos src 192.168.36.0/24
#acl permitidos src 192.168.200.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 10000
acl Safe_ports port 2096
acl Safe_ports port 800 # da ufes
acl Safe_ports port 7777 # trt.mg.gov.br
acl Safe_ports port 80 # http
acl Safe_ports port 20 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 25 # Outlook
acl Safe_ports port 110 # Outlook
acl purge method PURGE
acl CONNECT method CONNECT
#################### FIM ACL BASICAS #####################################
##########################ACL CCA ########################################
#acl msn2 dstdomain "/etc/squid/trava_msn"
#acl msn url_regex -i /gateway/gateway.dll
#acl msn3 url_regex -i /ADSAdClient31.dll
#acl messenger rep_mime_type -i ^application/x-msn-messenger$
acl sites_liberados dstdomain "/etc/squid/sites_liberados"
acl mula_ports port "/etc/squid/mula_ports"
acl palavras url_regex -i "/etc/squid/palavras"
acl pl_permitidas url_regex -i "/etc/squid/pl_permitidas"
acl sites dstdomain "/etc/squid/sites"
acl liberados src "/etc/squid/liberados"
acl livre src "/etc/squid/livre"
acl liberado_msn src "/etc/squid/liberado_msn"
acl flash rep_mime_type video/flv video/x-flx
acl flash2 rep_mime_type video/x-flv
# NOTE: "applicationx/" is not a MIME type prefix (the real type is application/x-shockwave-flash), so as written this acl never matches and the "deny shockwave" rule below has no effect.
acl shockwave rep_mime_type -i ^applicationx/x-shockwave-flash$
acl streaming rep_mime_type ^video/x-ms-asf ^.*mms.*
acl media rep_mime_type ^.*mms.*
acl mediapr url_regex dvrplayer mediastream ^mms://
acl media2 rep_mime_type ^.*x-ms-asf.*
acl extencao url_regex -i \.torrent \.flv
acl mediapr2 urlpath_regex \.asf$ \.asfx$
acl media3 rep_mime_type video/flv
acl mediapr3 urlpath_regex \.flv$
acl proibir_musica urlpath_regex -i \.avi$ \.mp3$ \.wma$ \.mpeg$ \.ram$ \.ra$ \.asx$ \.mov$ \.mpg$ \.wmv$ \.flv$ \.aifc$ \.aiff$ \.asf$ \.au$ \.m3u$ \.med$ \.m1v$ \.mp2$ \.mp2v$ \.mpa$ \.mpe$ \.ogg$ \.pls$ \.snd$ \.wvx$ \.mid$ \.midi$ \.rmi$ \.mp4$ \.flv$
#http_access deny msn2
#http_access deny msn3
#http_access deny messenger
#http_access allow redelocal
#http_access deny all
##############################-FIM ACL CCA####################################
###################HTTP_ACCESS################################################
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
####################LIBERADOS#####################################
http_access allow liberados
##################################################################
###################RESTRICAO#####################################
http_access allow sites_liberados
http_access deny shockwave
http_access deny sites
http_access deny palavras !pl_permitidas
http_access deny extencao
http_access deny flash
http_access deny mediapr
http_access deny mediapr2
http_access deny mediapr3
http_reply_access deny media
http_reply_access deny media2
http_reply_access deny media3
http_access deny proibir_musica
http_access deny streaming
http_access deny mula_ports
miss_access deny mula_ports
http_access deny mula_ports all
#header_access Accept-Encoding deny msn2
#http_access deny msn
#http_access deny msn2
#http_access deny msn3
#http_access deny messenger
http_access allow redelocal
http_access deny all
########################### FIM SQUID.CONF ##################################
cache_effective_user squid
cache_effective_group squid