Firewall + squid [SOLVED]

1. Firewall + squid [SOLVED]

Tiago Frutuoso
tiagopaulista

(uses Debian)

Posted on 08/07/2011 - 17:02h

Good afternoon gentlemen,

I need to clear up a few doubts about squid, see below:

I have 2 IPs:
eth0 192.168.1.250 mask 255.255.255.0 gt 192.168.1.254 (local network)
eth1 192.168.0.250 mask 255.255.255.0 gt 0.0.0.0 (modem)

In the firewall I'm using the following rule:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.250:3128

sudo modprobe iptable_nat
sudo modprobe ip_nat_ftp
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

But the squid rules are not working; here is the squid.conf:

##########################################################
# Configuration details
# Developed by: TJT Tecnologia - Soluções em T.I.
# Date: 04/06/2011
##########################################################

##########################################################
# http_port: sets the port the server will listen on.
# visible_hostname: sets the server's display name.
# cache_mgr: sets the administrator e-mail that receives messages in serious cases.
##########################################################

http_port 127.0.0.1:3128 transparent
#http_port 3128
#ic_port 0
visible_hostname server
cache_mgr suporte@tjttecnologia.com.br

##########################################################
# Sets the language of the error message pages to Brazilian Portuguese.
##########################################################

error_directory /usr/share/squid3/errors/pt-br

##########################################################
# hierarchy_stoplist: defines words that, when found in the URL, cause the page to be loaded directly from the cache.
# cache_mem: sets the amount of memory the server will use for the cache.
# maximum_object_size_in_memory: sets the maximum size of an object that can be kept in memory; larger objects are stored on disk.
# maximum_object_size: sets the maximum size of an object that can be stored on disk; larger objects are discarded.
##########################################################

hierarchy_stoplist cgi-bin ?
#cache_men 32 MB
#maximun_object_size_in_memory 64 KB
#maximun_object_size 100 MB

##########################################################
# Specify the cache directory where objects are stored and allocate 2GB of cache storage.
##########################################################

cache_dir ufs /var/spool/squid3 2048 16 256

##########################################################
# Now we define the lifetime of objects in the cache, so that whenever Squid checks them it knows whether they need to be refreshed or not.
#
# 1st column: time in minutes, on each access, after which to check whether the object was modified.
# 2nd column: minimum percentage of modification the object must have in order to be refreshed.
# 3rd column: time in minutes after which to refresh the object even if it was not modified.
##########################################################

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

##########################################################
# Specify the path of the Squid access log
##########################################################

access_log /var/log/squid3/access.log

##########################################################
# Creation of two acls of type src (source IP), adding the server IP and the network IP.
##########################################################

#acl all 0.0.0.0/0.0.0.0
acl re src 192.168.0.0/192.168.0.255
acl redelocal src 127.0.0.1/255.255.255.255

#acl all 0.0.0.0/0.0.0.0
#acl localhost src 127.0.0.0/32
#acl limite src 192.168.0.0/192.168.0.255
#acl rede2 src 192.198.0.0/24
#acl to_localhost 127.0.0.0/32

##########################################################
# Authentication section with SAMBA.
##########################################################

auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 40
auth_param basic realm Acesso Restrito
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

##########################################################
# Creation of an acl of type proto (protocol), adding the "cache_object" protocol.
# The "cache_object" protocol is used to obtain information about Squid's state.
# Only the server may obtain Squid's information
##########################################################

acl manager proto cache_object
http_access allow manager localhost
http_access deny manager

##########################################################
# Blocks per user
##########################################################

acl USUARIOS proxy_auth REQUIRED
acl USUARIOS_NAO_ORKUT proxy_auth "/etc/squid3/rules/users-orkut.rules"
acl USUARIOS_NAO_YOUTUBE proxy_auth "/etc/squid3/rules/users-youtube.rules"
acl USUARIOS_NAO_TWITTER proxy_auth "/etc/squid3/rules/users-twitter.rules"
acl USUARIOS_NAO_GMAIL proxy_auth "/etc/squid3/rules/users-gmail.rules"
acl USUARIOS_NAO_EVOSERVER proxy_auth "/etc/squid3/rules/users-evoserver.rules"
acl USUARIOS_NAO_MEEBO proxy_auth "/etc/squid3/rules/users-meebo.rules"
acl USUARIOS_NAO_LIVE proxy_auth "/etc/squid3/rules/users-live.rules"

acl ORKUT url_regex orkut
acl GMAIL url_regex gmail
acl EVOSERVER url_regex evoserver
acl YOUTUBE url_regex youtube
acl TWITTER url_regex twitter
acl MEEBO url_regex meebo
acl LIVE url_regex live

##########################################################
# Creation of an acl of type port, adding the ports that will be allowed.
##########################################################

acl SSL_ports port 433 563
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # unregistered ports

##########################################################
# Creation of an acl of type method (request method), adding the PURGE method.
# The PURGE request method is used to clear/delete objects stored in the cache.
# To allow only the server to delete objects, add the following rule.
##########################################################

acl purge method PURGE
acl CONNECT method CONNECT

http_access deny ORKUT USUARIOS_NAO_ORKUT
http_access deny YOUTUBE USUARIOS_NAO_YOUTUBE
http_access deny GMAIL USUARIOS_NAO_GMAIL
http_access deny EVOSERVER USUARIOS_NAO_EVOSERVER
http_access deny TWITTER USUARIOS_NAO_TWITTER
http_access deny MEEBO USUARIOS_NAO_MEEBO
http_access deny LIVE USUARIOS_NAO_LIVE

##########################################################
# Creation of an acl of type method (request method), adding the CONNECT method, which allows direct connections.
##########################################################

acl connect method CONNECT

##########################################################
# Creation of an acl of type port, adding the ports of the SSL protocols that were added to the "Safe_ports" acl
# and must be allowed for direct connection.
##########################################################

acl SSL_ports port 443 # https
acl SSL_ports port 563 # nntps
acl SSL_ports port 873 # rsync

##########################################################
# To block access on ports that were not allowed for direct connection.
##########################################################

http_access deny connect !SSL_ports

##########################################################
# Blocks by IP
##########################################################

#acl ipsparcial src "/etc/squid3/ips_parcial"
#http_access deny ipsparcial

##########################################################
# Blocks by domain
##########################################################

acl domains dstdomain "/etc/squid3/domains"
http_access deny domains

##########################################################
# Blocks by word
##########################################################

acl words url_regex -i "/etc/squid3/words"
http_access deny words

##########################################################
# Blocks by extension
##########################################################

acl extensions urlpath_regex -i "/etc/squid3/extensions"
http_access deny extensions

##########################################################
# To block access on ports that were not allowed, add the following rule.
##########################################################

http_access allow SSL_ports
http_access allow Safe_ports

#http_access allow all
http_access allow manager localhost
#http_access denny manager

http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl redelocal src 192.168.0.0/24
http_access allow localhost
http_access allow redelocal

http_access deny redelocal

##########################################################
# With no more acls to create, add the following rule so that only the machines on the
# network and the server are allowed to access the Internet.
##########################################################

http_access allow localhost
http_access deny all
#httpd_accel_port 80
#httpd_accel_host virtual

I'd like to know where I'm going wrong.

Regards,

2. Re: Firewall + squid [SOLVED]

Tiago Frutuoso
tiagopaulista

(uses Debian)

Posted on 09/07/2011 - 11:51h

Hey folks, can someone give me a hand, please?


3. Re: Firewall + squid [SOLVED]

Fabio Soares Schmidt
fs.schmidt

(uses CentOS)

Posted on 09/07/2011 - 16:10h

Hi Tiago, please take this as constructive criticism: your squid.conf is very confusing, the acls are working against you, not for you. I would try to simplify it; I believe that even for whoever created these rules it is very hard to debug.

4. Re: Firewall + squid [SOLVED]

Natanael Henrique
natanaelhenrique

(uses Arch Linux)

Posted on 09/07/2011 - 17:18h

Tiago, there are some things wrong in your configuration. But to tell you how it should look, answer me this:

How is your network organized? Is this its diagram?

Internet-Modem---->>>Firewall-Squid----->>>LocalNetwork


If so, why do you have a gateway on the local network address?
Do you use two gateways with link balancing?
What machine is the one with IP 192.168.1.254?


5. Re: Firewall + squid [SOLVED]

Tiago Frutuoso
tiagopaulista

(uses Debian)

Posted on 09/07/2011 - 22:43h

Thanks folks, I'll trim down these acls, thanks a lot.


My network is working as follows:

Modem ------- Firewall/Squid (192.168.1.250 - Internet / 192.168.0.250 - LocalNetwork) ------ LocalNetwork (192.168.0.0/24)

Regards,


6. Re: Firewall + squid [SOLVED]

Tiago Frutuoso
tiagopaulista

(uses Debian)

Posted on 13/07/2011 - 22:05h

I improved the squid config and it is working correctly, see below. My problem now is with the firewall:

I have 2 IPs:
eth0 192.168.1.250 mask 255.255.255.0 gt 192.168.1.254 (modem)
eth1 192.168.0.250 mask 255.255.255.0 gt 0.0.0.0 (local network)

In the firewall I'm using the following rule:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.250:3128

sudo modprobe iptable_nat
sudo modprobe ip_nat_ftp
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

But the local network is getting access denied; could someone help me with the firewall?

##########################################################
# Configuration details
# Developed by: TJT Tecnologia - Soluções em T.I.
# Date: 04/06/2011
##########################################################

##########################################################
# http_port: sets the port the server will listen on.
# visible_hostname: sets the server's display name.
# cache_mgr: sets the administrator e-mail that receives messages in serious cases.
##########################################################

http_port 127.0.0.1:3128 transparent
#http_port 3128
#ic_port 0
visible_hostname server
cache_mgr suporte@tjttecnologia.com.br

##########################################################
# Sets the language of the error message pages to Brazilian Portuguese.
##########################################################

error_directory /usr/share/squid3/errors/pt-br

##########################################################
# hierarchy_stoplist: defines words that, when found in the URL, cause the page to be loaded directly from the cache.
# cache_mem: sets the amount of memory the server will use for the cache.
# maximum_object_size_in_memory: sets the maximum size of an object that can be kept in memory; larger objects are stored on disk.
# maximum_object_size: sets the maximum size of an object that can be stored on disk; larger objects are discarded.
##########################################################

hierarchy_stoplist cgi-bin ?
#cache_men 32 MB
#maximun_object_size_in_memory 64 KB
#maximun_object_size 100 MB

##########################################################
# Specify the cache directory where objects are stored and allocate 2GB of cache storage.
##########################################################

cache_dir ufs /var/spool/squid3 2048 16 256

##########################################################
# Now we define the lifetime of objects in the cache, so that whenever Squid checks them it knows whether they need to be refreshed or not.
#
# 1st column: time in minutes, on each access, after which to check whether the object was modified.
# 2nd column: minimum percentage of modification the object must have in order to be refreshed.
# 3rd column: time in minutes after which to refresh the object even if it was not modified.
##########################################################

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

##########################################################
# Specify the path of the Squid access log
##########################################################

access_log /var/log/squid3/access.log

##########################################################
# Creation of two acls of type src (source IP), adding the server IP and the network IP.
##########################################################

#acl all 0.0.0.0/0.0.0.0
acl re src 192.168.0.0/192.168.0.255
acl redelocal src 127.0.0.1/255.255.255.255

##########################################################
# Authentication section with SAMBA.
##########################################################

auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 40
auth_param basic realm Acesso Restrito
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

##########################################################
# Creation of an acl of type proto (protocol), adding the "cache_object" protocol.
# The "cache_object" protocol is used to obtain information about Squid's state.
# Only the server may obtain Squid's information
##########################################################

acl manager proto cache_object
http_access allow manager localhost
http_access deny manager

##########################################################
# Blocks per user
##########################################################

acl USUARIOS proxy_auth REQUIRED
acl USUARIOS_NAO_ORKUT proxy_auth "/etc/squid3/rules/users-orkut.rules"
acl USUARIOS_NAO_YOUTUBE proxy_auth "/etc/squid3/rules/users-youtube.rules"
acl USUARIOS_NAO_TWITTER proxy_auth "/etc/squid3/rules/users-twitter.rules"
acl USUARIOS_NAO_GMAIL proxy_auth "/etc/squid3/rules/users-gmail.rules"
acl USUARIOS_NAO_EVOSERVER proxy_auth "/etc/squid3/rules/users-evoserver.rules"
acl USUARIOS_NAO_MEEBO proxy_auth "/etc/squid3/rules/users-meebo.rules"
acl USUARIOS_NAO_LIVE proxy_auth "/etc/squid3/rules/users-live.rules"

acl ORKUT url_regex orkut
acl GMAIL url_regex gmail
acl EVOSERVER url_regex evoserver
acl YOUTUBE url_regex youtube
acl TWITTER url_regex twitter
acl MEEBO url_regex meebo
acl LIVE url_regex live

##########################################################
# Creation of an acl of type port, adding the ports that will be allowed.
##########################################################

acl SSL_ports port 433 563
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # unregistered ports

##########################################################
# Creation of an acl of type method (request method), adding the PURGE method.
# The PURGE request method is used to clear/delete objects stored in the cache.
# To allow only the server to delete objects, add the following rule.
##########################################################

acl purge method PURGE
acl CONNECT method CONNECT

http_access deny ORKUT USUARIOS_NAO_ORKUT
http_access deny YOUTUBE USUARIOS_NAO_YOUTUBE
http_access deny GMAIL USUARIOS_NAO_GMAIL
http_access deny EVOSERVER USUARIOS_NAO_EVOSERVER
http_access deny TWITTER USUARIOS_NAO_TWITTER
http_access deny MEEBO USUARIOS_NAO_MEEBO
http_access deny LIVE USUARIOS_NAO_LIVE

##########################################################
# Creation of an acl of type method (request method), adding the CONNECT method, which allows direct connections.
##########################################################

acl connect method CONNECT

##########################################################
# Creation of an acl of type port, adding the ports of the SSL protocols that were added to the "Safe_ports" acl
# and must be allowed for direct connection.
##########################################################

acl SSL_ports port 443 # https
acl SSL_ports port 563 # nntps
acl SSL_ports port 873 # rsync

##########################################################
# To block access on ports that were not allowed for direct connection.
##########################################################

http_access deny connect !SSL_ports

##########################################################
# To block access on ports that were not allowed, add the following rule.
##########################################################

http_access allow SSL_ports
http_access allow Safe_ports

#http_access allow all
http_access allow manager localhost
#http_access denny manager

http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl redelocal src 192.168.0.0/24
http_access allow localhost
http_access allow redelocal

http_access deny redelocal

##########################################################
# With no more acls to create, add the following rule so that only the machines on the
# network and the server are allowed to access the Internet.
##########################################################

http_access allow localhost
http_access deny all
#httpd_accel_port 80
#httpd_accel_host virtual

Regards,


7. Re: Firewall + squid [SOLVED]

Natanael Henrique
natanaelhenrique

(uses Arch Linux)

Posted on 13/07/2011 - 22:20h

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.250:3128

Tiago, I don't know why you are doing DNAT here; if you don't have a reason for it, then I suggest you remove the rule above from your firewall (you can simply comment it out).


sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here you are inverting things (the interfaces), since the input interface is the local network one and the output interface is the internet one, so fix it and leave it like this:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

There, now whatever problems you run into (if any) should be Squid's.


8. Re: Firewall + squid [SOLVED]

Tiago Frutuoso
tiagopaulista

(uses Debian)

Posted on 13/07/2011 - 22:34h

Thanks n4t4n,

I'll run the tests and reply to let you know what happened.

Regards,


9. Re: Firewall + squid [SOLVED]

Tiago Frutuoso
tiagopaulista

(uses Debian)

Posted on 16/07/2011 - 09:58h

Hey N4t4n,

wouldn't those be the basic rules for the local machines to access the internet?? But it isn't working; the local network is still getting access denied.

Regards,


10. Re: Firewall + squid [SOLVED]

Natanael Henrique
natanaelhenrique

(uses Arch Linux)

Posted on 16/07/2011 - 12:17h

Did you put eth0 as -o (out-interface) and eth1 as -i (in-interface)?
The POSTROUTING chain does not accept -i, and likewise PREROUTING does not accept -o.
http://focalinux.cipsga.org.br/guia/avancado/ch-fw-iptables.html#s-fw-iptables-outras

Isn't the access denied message coming from Squid? Can you post a screenshot of the error?
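As an added example (not from any poster in this thread), a small POSIX shell helper that builds the two NAT rules for the layout Natanael describes in replies 7 and 10 (LAN interface in PREROUTING with -i, WAN interface in POSTROUTING with -o) and refuses the interface flag that each chain does not accept, so a swapped rule fails before it is applied. Function and variable names are this example's own; the interface names eth1/eth0 and port 3128 are only defaults taken from the thread.

```shell
#!/bin/sh
# Added example: transparent-proxy NAT rules for the layout in this thread
# (eth0 towards the modem, eth1 towards the LAN, Squid on port 3128 on the
# same box), validated before anything is applied.

# check_nat_rule CHAIN ARG... -> 0 when the match flags are legal for CHAIN.
# Packets in POSTROUTING (and OUTPUT) have no inbound interface, so -i is
# refused there; packets in PREROUTING (and INPUT) have no outbound interface,
# so -o is refused there. iptables itself rejects the same combinations.
check_nat_rule() {
  chain=$1
  shift
  for arg in "$@"; do
    case "$chain:$arg" in
      POSTROUTING:-i|POSTROUTING:--in-interface|OUTPUT:-i|OUTPUT:--in-interface)
        echo "refusing: -i is not valid in the $chain chain" >&2
        return 1 ;;
      PREROUTING:-o|PREROUTING:--out-interface|INPUT:-o|INPUT:--out-interface)
        echo "refusing: -o is not valid in the $chain chain" >&2
        return 1 ;;
    esac
  done
  return 0
}

# nat_rules [LAN_IF] [WAN_IF] [PROXY_PORT] -> prints one iptables command per
# line, in order, after each has passed check_nat_rule. Nothing is applied.
nat_rules() {
  lan=${1:-eth1}
  wan=${2:-eth0}
  port=${3:-3128}
  # Traffic leaving towards the modem is masqueraded behind the WAN address:
  # the outbound interface is the WAN one, so this belongs in POSTROUTING.
  set -- -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
  check_nat_rule POSTROUTING "$@" || return 1
  echo "iptables $*"
  # HTTP arriving from the LAN is diverted to the local Squid port: the
  # inbound interface is the LAN one, so this belongs in PREROUTING.
  set -- -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 -j REDIRECT --to-port "$port"
  check_nat_rule PREROUTING "$@" || return 1
  echo "iptables $*"
}

# apply_nat_rules [LAN_IF] [WAN_IF] [PROXY_PORT] -> runs the validated rules.
# Must run as root: 'sudo echo 1 > /proc/...' does not work, because the
# redirection is performed by the unprivileged shell, not by sudo.
apply_nat_rules() {
  rules=$(nat_rules "$@") || return 1
  echo 1 > /proc/sys/net/ipv4/ip_forward || return 1
  echo "$rules" | while IFS= read -r cmd; do
    $cmd || exit 1
  done
}
```

Note that REDIRECT rewrites the destination address to the primary address of the inbound interface (192.168.0.250 in this layout), so a Squid bound only to 127.0.0.1:3128 will not receive the diverted connections; it has to listen on that address or on all addresses.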


11. Re: Firewall + squid [SOLVED]

Tiago Frutuoso
tiagopaulista

(uses Debian)

Posted on 16/07/2011 - 13:03h

Hey n4t4n,

I completely reworked the squid config, see below; it seems to be working:


http_port 127.0.0.1:3128 transparent
visible_hostname Interface

cache_mem 15 MB
maximum_object_size_in_memory 1024 KB
maximum_object_size 81920 KB
minimum_object_size 0 KB

cache_swap_low 90
cache_swap_high 95

cache_dir aufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

ftp_telnet_protocol on

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 40
auth_param basic realm Acesso Restrito
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

read_timeout 2 days
half_closed_clients off
pconn_timeout 360 seconds
shutdown_lifetime 0 seconds

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl autenticados proxy_auth REQUIRED
http_access allow autenticados

acl USUARIOS proxy_auth REQUIRED
acl USUARIOS_NAO_ORKUT proxy_auth "/etc/squid/rules/users-orkut.rules"
acl USUARIOS_NAO_YOUTUBE proxy_auth "/etc/squid/rules/users-youtube.rules"
acl USUARIOS_NAO_TWITTER proxy_auth "/etc/squid/rules/users-twitter.rules"
acl USUARIOS_NAO_GMAIL proxy_auth "/etc/squid/rules/users-gmail.rules"
acl USUARIOS_NAO_PROMOTE proxy_auth "/etc/squid/rules/users-promote.rules"
acl USUARIOS_NAO_EVOSERVER proxy_auth "/etc/squid/rules/users-evoserver.rules"
acl USUARIOS_NAO_MEEBO proxy_auth "/etc/squid/rules/users-meebo.rules"
acl USUARIOS_NAO_TERRA proxy_auth "/etc/squid/rules/users-terra.rules"
acl ORKUT url_regex orkut
acl GMAIL url_regex gmail
acl PROMOTE url_regex promote
acl EVOSERVER url_regex evoserver
acl YOUTUBE url_regex youtube
acl TWITTER url_regex twitter
acl MEEBO url_regex meebo
acl TERRA url_regex terra.com.br

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# # HTTPD-ACCELERATOR OPTIONS
# ---------------------------------------
# IPtables command
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#
httpd_accel_port 80
httpd_accel_host virtual

# # TAG: httpd_accel_with_proxy
# --------------------------------------
#
#
httpd_accel_with_proxy on


# TAG: httpd_accel_uses_host_header on|off
#
#
httpd_accel_uses_host_header on

http_access deny USUARIOS_NAO_ORKUT ORKUT
http_access deny USUARIOS_NAO_YOUTUBE YOUTUBE
http_access deny USUARIOS_NAO_GMAIL GMAIL
http_access deny USUARIOS_NAO_PROMOTE PROMOTE
http_access deny USUARIOS_NAO_EVOSERVER EVOSERVER
http_access deny USUARIOS_NAO_TWITTER TWITTER
http_access deny USUARIOS_NAO_MEEBO MEEBO
http_access deny USUARIOS_NAO_TERRA TERRA
http_access allow USUARIOS

http_access allow SSL_ports
http_access allow Safe_ports

http_access allow all
http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

acl redelocal src 192.168.0.0/24
http_access allow localhost
http_access allow redelocal

http_access deny all

error_directory /usr/share/squid-langpack/pt-br/

12. Re: Firewall + squid [SOLVED]

Natanael Henrique
natanaelhenrique

(uses Arch Linux)

Posted on 16/07/2011 - 19:15h

Alright then, post again if you need anything.
