Dá uma olhada no meu script...
echo "Firewall Flushing - Stage 1"
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
echo "Loading Modules - Stage 2"
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_tftp
modprobe ip_conntrack_irc
modprobe iptable_mangle
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_tftp
modprobe ip_nat_irc
modprobe ipt_MASQUERADE
echo "Standard Policies - Stage 3"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo "Local Protection - Stage 4"
echo "Anti-spoofing Protection"
for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $spoofing
done
echo "Protection against ping"
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "Syn-flood protection"
#iptables -t filter -A INPUT -p tcp --syn -m limit --limit 6/s -j ACCEPT
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo
echo
echo "Initial Rules - Stage 5"
echo "Allowing localhost traffic"
iptables -A INPUT -i lo -j ACCEPT
echo "Keeping established connections"
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Activating masquerading"
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Denying MSN"
#iptables -A FORWARD -s 10.0.0.0/8 -d 0/0 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -i eth1 -p tcp --dport 1863 -j REJECT
#iptables -A OUTPUT -i eth1 -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -i eth1 -d loginnet.passport.com -j REJECT
#iptables -A FORWARD -i eth1 -d messenger.hotmail.com -j REJECT
#iptables -A FORWARD -i eth1 -d webmessenger.msn.com -j REJECT
#iptables -A FORWARD -p tcp --dport 1080 -j DROP
#iptables -A FORWARD -i eth1 -p tcp --dport 1080 -j REJECT
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -i eth1 -d loginnet.passport.com -j DROP
#iptables -A FORWARD -i eth1 -p tcp --dport 5190 -j DROP
#regra pra redirecionar servicos pra rede interna
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.90.2:8080
echo "Redirecting Squid Traffic"
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DROP
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 3128 -j DROP
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1863 -j REDIRECT --to-port 80
echo "Dropping mal-formed packets"
iptables -A INPUT -i eth0 -m unclean -j LOG --log-level 6 --log-prefix "Firewall Bad PKT:"
iptables -A INPUT -i eth0 -m unclean -j DROP
echo "Controlling what's going away"
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Protections - Stage 6"
echo "Protection against Trinoo"
iptables -N TRINOO
iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "Firewall - Trinoo: "
iptables -A TRINOO -j DROP
iptables -A INPUT -p tcp -i eth0 --dport 27444 -j TRINOO
iptables -A INPUT -p tcp -i eth0 --dport 27665 -j TRINOO
iptables -A INPUT -p tcp -i eth0 --dport 31335 -j TRINOO
iptables -A INPUT -p tcp -i eth0 --dport 34555 -j TRINOO
iptables -A INPUT -p tcp -i eth0 --dport 35555 -j TRINOO
echo "Protection against Trojan"
iptables -N TROJAN
iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "Firewall - Trojan: "
iptables -A TROJAN -j DROP
iptables -A INPUT -p tcp -i eth0 --dport 666 -j TROJAN
iptables -A INPUT -p tcp -i eth0 --dport 4000 -j TROJAN
iptables -A INPUT -p tcp -i eth0 --dport 6000 -j TROJAN
iptables -A INPUT -p tcp -i eth0 --dport 6006 -j TROJAN
iptables -A INPUT -p tcp -i eth0 --dport 16660 -j TROJAN
echo "Protection against Worms"
iptables -A FORWARD -p tcp --dport 135 -i eth1 -j DROP
echo "Protection against Scanners"
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "Firewall: port scanner: "
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth0 -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth0 -j SCANNER
echo "Filtering Auth service"
iptables -A INPUT -p tcp --dport 113 -j DROP
iptables -A INPUT -p udp --dport 113 -j DROP
echo "Filtering Location service"
iptables -A INPUT -p tcp --dport 135 -j DROP
iptables -A INPUT -p udp --dport 135 -j DROP
echo "Filtering Profile Naming System"
iptables -A INPUT -p tcp --dport 136 -j DROP
iptables -A INPUT -p udp --dport 136 -j DROP
echo "Filtering SSH"
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 65000 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 --dport 65000 -j ACCEPT
echo "Filtering NetBIOS Naming Service"
iptables -A INPUT -p tcp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A OUTPUT -p tcp --sport 137 -j DROP
iptables -A OUTPUT -p udp --sport 137 -j DROP
iptables -A FORWARD -p tcp --dport 137 -j DROP
iptables -A FORWARD -p udp --dport 137 -j DROP
iptables -A FORWARD -p tcp --sport 137 -j DROP
iptables -A FORWARD -p udp --sport 137 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 137 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 137 -j DROP
iptables -t nat -A PREROUTING -p tcp --sport 137 -j DROP
iptables -t nat -A PREROUTING -p udp --sport 137 -j DROP
iptables -A INPUT -p tcp --dport 138 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP
iptables -A OUTPUT -p tcp --sport 138 -j DROP
iptables -A OUTPUT -p udp --sport 138 -j DROP
iptables -A FORWARD -p tcp --dport 138 -j DROP
iptables -A FORWARD -p udp --dport 138 -j DROP
iptables -A OUTPUT -p tcp --sport 138 -j DROP
iptables -A OUTPUT -p udp --sport 138 -j DROP
iptables -A FORWARD -p tcp --dport 138 -j DROP
iptables -A FORWARD -p udp --dport 138 -j DROP
iptables -A FORWARD -p tcp --sport 138 -j DROP
iptables -A FORWARD -p udp --sport 138 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 138 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 138 -j DROP
iptables -t nat -A PREROUTING -p tcp --sport 138 -j DROP
iptables -t nat -A PREROUTING -p udp --sport 138 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP
iptables -A INPUT -p udp --dport 139 -j DROP
iptables -A OUTPUT -p tcp --sport 139 -j DROP
iptables -A OUTPUT -p udp --sport 139 -j DROP
iptables -A FORWARD -p tcp --dport 139 -j DROP
iptables -A FORWARD -p udp --dport 139 -j DROP
iptables -A FORWARD -p tcp --sport 139 -j DROP
iptables -A FORWARD -p udp --sport 139 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 139 -j DROP
iptables -t nat -A PREROUTING -p tcp --sport 139 -j DROP
iptables -t nat -A PREROUTING -p udp --sport 139 -j DROP
iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p udp --dport 445 -j DROP
iptables -A OUTPUT -p tcp --sport 445 -j DROP
iptables -A OUTPUT -p udp --sport 445 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP
iptables -A FORWARD -p tcp --sport 445 -j DROP
iptables -A FORWARD -p udp --sport 445 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p udp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p tcp --sport 445 -j DROP
iptables -t nat -A PREROUTING -p udp --sport 445 -j DROP
echo "Last Configs - Stage 7"
echo "Denying everything else..."
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
#iptables -t nat -A PREROUTING -j DROP
echo "Enabling ip packet forwarding"
echo "1" > /proc/sys/net/ipv4/ip_forward