Pular para o conteúdo
Squid/Iptables em Firewall

Passar por fora do proxy squid

Responder tópico
  • Denunciar
  • Indicar

1. Passar por fora do proxy squid

Enviado em 08/03/2018 - 17:11h

Boa Tarde !

Preciso desviar do proxy squid alguns dispositivos internos por ip para acesso externo.
Já tentei várias dicas mas nada funciona.
Vou passar meu iptables.
No caso, estou tentando desviar o ip 192.168.1.60
Estou tentando esse desvio para testar o funcionamento do Whatsapp sem problemas.

*mangle
:PREROUTING ACCEPT [409:157554]
:INPUT ACCEPT [147:14022]
:FORWARD ACCEPT [259:142791]
:OUTPUT ACCEPT [109:17358]
:POSTROUTING ACCEPT [368:160149]
COMMIT
*nat
:PREROUTING ACCEPT [9:1680]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:70]
### regras para lista de IPs para desviar do proxy
-N PROXY
-A PREROUTING -i eth0 -p tcp --dport 80 -j PROXY
# lista de externos
-A PROXY -d 200.201.174.0 -j RETURN
-A PROXY -d 200.252.60.42 -j RETURN
-A PROXY -d 200.252.60.83 -j RETURN
-A PROXY -d 104.236.14.6 -j RETURN
-A PROXY -d viacep.com.br -j RETURN
-A PROXY -d sii.inovadorasistemas.com.br -j RETURN
-A PROXY -d sii.inovadora.com.br -j RETURN
# lista de internos
-A PROXY -s 192.168.1.60 -j RETURN
#
-A PROXY -p tcp --dport 80 -j REDIRECT --to 3128
### fim das regras para lista de IPs para desviar do proxy
-A PREROUTING -p tcp --dport 5432 -i eth1 -j DNAT --to 192.168.1.2:5432
-A PREROUTING -p udp --dport 5432 -i eth1 -j DNAT --to 192.168.1.2:5432
-A PREROUTING -p tcp --dport 3000 -i eth1 -j DNAT --to 192.168.0.254:3000
-A PREROUTING -p tcp --dport 3001 -i eth1 -j DNAT --to 192.168.0.254:3001
-A PREROUTING -p tcp --dport 3002 -i eth1 -j DNAT --to 192.168.0.254:3002
-A PREROUTING -p tcp --dport 3003 -i eth1 -j DNAT --to 192.168.0.254:3003
-A PREROUTING -p tcp --dport 3004 -i eth1 -j DNAT --to 192.168.0.254:3004
-A PREROUTING -p tcp --dport 3005 -i eth1 -j DNAT --to 192.168.0.254:3005
-A PREROUTING -p tcp --dport 3006 -i eth1 -j DNAT --to 192.168.0.254:3006
-A PREROUTING -p tcp --dport 3007 -i eth1 -j DNAT --to 192.168.0.254:3007
-A PREROUTING -p tcp --dport 3008 -i eth1 -j DNAT --to 192.168.0.254:3008
-A PREROUTING -p tcp --dport 3009 -i eth1 -j DNAT --to 192.168.0.254:3009
-A PREROUTING -p tcp --dport 3010 -i eth1 -j DNAT --to 192.168.0.254:3010
-A PREROUTING -p tcp --dport 5902 -j DNAT --to 192.168.1.2:5902
-A PREROUTING -p tcp --dport 5903 -j DNAT --to 192.168.1.2:5903
-A PREROUTING -p tcp --dport 5904 -j DNAT --to 192.168.1.2:5904
-A PREROUTING -p tcp --dport 5905 -j DNAT --to 192.168.0.1:5800
-A PREROUTING -p udp --dport 5901 -j DNAT --to 192.168.0.1:5900
-A PREROUTING -p tcp --dport 9090 -j DNAT --to 192.168.1.3:80
-A PREROUTING -p tcp --dport 4550 -j DNAT --to 192.168.1.3:4550
-A POSTROUTING -p tcp -s 192.168.1.3 --dport 4550 -j MASQUERADE
-A PREROUTING -p tcp --dport 5550 -j DNAT --to 192.168.1.3:5550
-A POSTROUTING -p tcp -s 192.168.1.3 --dport 5550 -j MASQUERADE
-A PREROUTING -p tcp --dport 6550 -j DNAT --to 192.168.1.3:6550
-A POSTROUTING -p tcp -s 192.168.1.3 --dport 6550 -j MASQUERADE
-A PREROUTING -p tcp --dport 8866 -j DNAT --to 192.168.1.3:8866
-A POSTROUTING -p tcp -s 192.168.1.3 --dport 8866 -j MASQUERADE
-A PREROUTING -p tcp --dport 9091 -j DNAT --to 192.168.1.4:80
-A PREROUTING -p tcp --dport 4551 -j DNAT --to 192.168.1.4:4550
-A POSTROUTING -p tcp -s 192.168.1.4 --dport 4551 -j MASQUERADE
-A PREROUTING -p tcp --dport 5551 -j DNAT --to 192.168.1.4:5550
-A POSTROUTING -p tcp -s 192.168.1.4 --dport 5551 -j MASQUERADE
-A PREROUTING -p tcp --dport 6551 -j DNAT --to 192.168.1.4:6550
-A POSTROUTING -p tcp -s 192.168.1.4 --dport 6551 -j MASQUERADE
-A PREROUTING -p tcp --dport 5552 -j DNAT --to 192.168.1.4:5552
-A POSTROUTING -p tcp -s 192.168.1.4 --dport 5552 -j MASQUERADE
-A PREROUTING -p tcp --dport 8867 -j DNAT --to 192.168.1.4:8867
-A POSTROUTING -p tcp -s 192.168.1.4 --dport 8867 -j MASQUERADE
-A PREROUTING -p tcp --dport 15500 -j DNAT --to 192.168.1.99:15500
-A POSTROUTING -p tcp -s 192.168.1.99 --dport 15500 -j MASQUERADE
-A PREROUTING -p udp --dport 4186 -j DNAT --to 192.168.1.99:4186
-A POSTROUTING -p udp -s 192.168.1.99 --dport 4186 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A FORWARD -i eth0 -s 192.168.1.60 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp --sport 80 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp --dport 4550 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp --sport 4550 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp --dport 5550 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp --sport 5550 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp --dport 6550 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp --sport 6550 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp --dport 8866 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp --sport 8866 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp --sport 80 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp --dport 4550 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp --sport 4550 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp --dport 5550 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp --sport 5550 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp --dport 6550 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp --sport 6550 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp --dport 8867 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp --sport 8867 -j ACCEPT
-A FORWARD -d 192.168.1.99 -p tcp --dport 15500 -j ACCEPT
-A FORWARD -s 192.168.1.99 -p tcp --sport 15500 -j ACCEPT
-A FORWARD -d 192.168.1.99 -p udp --dport 4186 -j ACCEPT
-A FORWARD -s 192.168.1.99 -p udp --sport 4186 -j ACCEPT
-A FORWARD -p tcp --dport 5902 -j ACCEPT
-A FORWARD -p tcp --dport 5903 -j ACCEPT
-A FORWARD -p tcp --dport 5904 -j ACCEPT
-A FORWARD -p tcp --dport 5905 -j ACCEPT
-A INPUT -p tcp --dport 5432 -j ACCEPT
-A INPUT -p udp --dport 5432 -j ACCEPT
-A INPUT -p tcp --sport 5432 -j ACCEPT
-A INPUT -p udp --sport 5432 -j ACCEPT
-A FORWARD -p tcp --dport 5432 -j ACCEPT
-A FORWARD -p tcp --sport 5432 -j ACCEPT
-A FORWARD -p udp --dport 5432 -j ACCEPT
-A FORWARD -p udp --sport 5432 -j ACCEPT
-A OUTPUT -p tcp --dport 5432 -j ACCEPT
-A OUTPUT -p udp --dport 5432 -j ACCEPT
-A OUTPUT -p tcp --sport 5432 -j ACCEPT
-A OUTPUT -p udp --sport 5432 -j ACCEPT
-A FORWARD -p tcp --dport 3000 -j ACCEPT
-A FORWARD -p tcp --sport 3000 -j ACCEPT
-A FORWARD -p tcp --dport 3001 -j ACCEPT
-A FORWARD -p tcp --sport 3001 -j ACCEPT
-A FORWARD -p tcp --dport 3002 -j ACCEPT
-A FORWARD -p tcp --sport 3002 -j ACCEPT
-A FORWARD -p tcp --dport 3003 -j ACCEPT
-A FORWARD -p tcp --sport 3003 -j ACCEPT
-A FORWARD -p tcp --dport 3004 -j ACCEPT
-A FORWARD -p tcp --sport 3004 -j ACCEPT
-A FORWARD -p tcp --dport 3005 -j ACCEPT
-A FORWARD -p tcp --sport 3005 -j ACCEPT
-A FORWARD -p tcp --dport 3006 -j ACCEPT
-A FORWARD -p tcp --sport 3006 -j ACCEPT
-A FORWARD -p tcp --dport 3007 -j ACCEPT
-A FORWARD -p tcp --sport 3007 -j ACCEPT
-A FORWARD -p tcp --dport 3008 -j ACCEPT
-A FORWARD -p tcp --sport 3008 -j ACCEPT
-A FORWARD -p tcp --dport 3009 -j ACCEPT
-A FORWARD -p tcp --sport 3009 -j ACCEPT
-A FORWARD -p tcp --dport 3010 -j ACCEPT
-A FORWARD -p tcp --sport 3010 -j ACCEPT
-A INPUT -p tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp --sport 3000 -j ACCEPT
-A INPUT -p tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp --sport 3001 -j ACCEPT
-A INPUT -p tcp --dport 3002 -j ACCEPT
-A INPUT -p tcp --sport 3002 -j ACCEPT
-A INPUT -p tcp --dport 3003 -j ACCEPT
-A INPUT -p tcp --sport 3003 -j ACCEPT
-A INPUT -p tcp --dport 3004 -j ACCEPT
-A INPUT -p tcp --sport 3004 -j ACCEPT
-A INPUT -p tcp --dport 3005 -j ACCEPT
-A INPUT -p tcp --sport 3005 -j ACCEPT
-A INPUT -p tcp --dport 3006 -j ACCEPT
-A INPUT -p tcp --sport 3006 -j ACCEPT
-A INPUT -p tcp --dport 3007 -j ACCEPT
-A INPUT -p tcp --sport 3007 -j ACCEPT
-A INPUT -p tcp --dport 3008 -j ACCEPT
-A INPUT -p tcp --sport 3008 -j ACCEPT
-A INPUT -p tcp --dport 3009 -j ACCEPT
-A INPUT -p tcp --sport 3009 -j ACCEPT
-A INPUT -p tcp --dport 3010 -j ACCEPT
-A INPUT -p tcp --sport 3010 -j ACCEPT
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
# linha squid
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -j tcp_packets
-A INPUT -i eth1 -p udp -j udp_packets
-A INPUT -i eth1 -p icmp -j icmp_packets
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.1 -j ACCEPT
# linha squid
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 21 -j allowed
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A udp_packets -p udp -m udp --sport 53 -j ACCEPT
-A udp_packets -p udp -m udp --sport 67 -j ACCEPT
-A udp_packets -p udp -m udp --sport 2074 -j ACCEPT
-A udp_packets -p udp -m udp --sport 4000 -j ACCEPT
COMMIT



Centos 5.11
Squid 2.6

Responder tópico

2. squid

Enviado em 09/03/2018 - 17:29h

(41) 99865-7434

me chama la no wpp que vamos ver o que pode ser feito.

3. Re: Passar por fora do proxy squid

Enviado em 11/03/2018 - 00:46h

Adicionar:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s 192.168.1.60 -j ACCEPT
Antes de:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j PROXY
Se eu não me engano é a linha número 14 do seu arquivo salvo do iptables.

Isso pode, talvez, resolver seu problema de passar por fora do proxy.

4. Ainda não deu

Enviado em 12/03/2018 - 10:46h

Bom Dia !

LSSilva,

Adicionei a linha que você sugeriu mas não adiantou ainda.
Mais alguma dica ?
O desvio pode ser total e não só no que se refere ao Whatsapp, para facilitar.
Agradeço desde já a ajuda.

5. Re: Passar por fora do proxy squid

Enviado em 12/03/2018 - 14:14h

Teria como postar seu script de firewall completo (e não este dump do iptables)?
Pois dessa forma fica mais legível pra ajudarmos melhor.

Poste também a saída dos comandos:

iptables -t nat -nL
iptables -nL

Poste também seu squid.conf.


6. configurações

Enviado em 12/03/2018 - 16:40h

Boa Tarde !

No CentOS não sei onde fica o script do firewall.
Trabalho direto com o arquivo iptables em /etc/sysconfig.

Executei iptables-save e tive esse resultado:
------------------------------------------------------------------------------------------------
# Generated by iptables-save v1.3.5 on Mon Mar 12 14:55:09 2018
*filter
:INPUT DROP [3934:230418]
:FORWARD DROP [0:0]
:OUTPUT DROP [21:1548]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p udp -m udp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 5432 -j ACCEPT
-A INPUT -p udp -m udp --sport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3002 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3003 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3004 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3005 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3006 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3007 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3007 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3008 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3009 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3009 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3010 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3010 -j ACCEPT
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -j tcp_packets
-A INPUT -i eth1 -p udp -j udp_packets
-A INPUT -i eth1 -p icmp -j icmp_packets
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
-A FORWARD -d 192.168.1.3 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp -m tcp --dport 4550 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp -m tcp --sport 4550 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp -m tcp --dport 5550 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp -m tcp --sport 5550 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp -m tcp --dport 6550 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp -m tcp --sport 6550 -j ACCEPT
-A FORWARD -d 192.168.1.3 -p tcp -m tcp --dport 8866 -j ACCEPT
-A FORWARD -s 192.168.1.3 -p tcp -m tcp --sport 8866 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp -m tcp --dport 4550 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp -m tcp --sport 4550 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp -m tcp --dport 5550 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp -m tcp --sport 5550 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp -m tcp --dport 6550 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp -m tcp --sport 6550 -j ACCEPT
-A FORWARD -d 192.168.1.4 -p tcp -m tcp --dport 8867 -j ACCEPT
-A FORWARD -s 192.168.1.4 -p tcp -m tcp --sport 8867 -j ACCEPT
-A FORWARD -d 192.168.1.99 -p tcp -m tcp --dport 15500 -j ACCEPT
-A FORWARD -s 192.168.1.99 -p tcp -m tcp --sport 15500 -j ACCEPT
-A FORWARD -d 192.168.1.99 -p udp -m udp --dport 4186 -j ACCEPT
-A FORWARD -s 192.168.1.99 -p udp -m udp --sport 4186 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5902 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5903 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5904 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5905 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 5432 -j ACCEPT
-A FORWARD -p udp -m udp --dport 5432 -j ACCEPT
-A FORWARD -p udp -m udp --sport 5432 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3000 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3000 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3001 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3001 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3002 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3002 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3003 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3003 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3004 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3004 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3005 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3005 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3006 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3006 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3007 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3007 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3008 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3008 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3009 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3009 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3010 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 3010 -j ACCEPT
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
-A OUTPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 5432 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 5432 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 5432 -j ACCEPT
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 21 -j allowed
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A udp_packets -p udp -m udp --sport 53 -j ACCEPT
-A udp_packets -p udp -m udp --sport 67 -j ACCEPT
-A udp_packets -p udp -m udp --sport 2074 -j ACCEPT
-A udp_packets -p udp -m udp --sport 4000 -j ACCEPT
COMMIT
# Completed on Mon Mar 12 14:55:09 2018
# Generated by iptables-save v1.3.5 on Mon Mar 12 14:55:09 2018
*nat
:PREROUTING ACCEPT [58142:4852981]
:POSTROUTING ACCEPT [1108:947195]
:OUTPUT ACCEPT [28997:1812797]
:PROXY - [0:0]
-A PREROUTING -s 192.168.1.60 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -s 192.168.1.60 -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j PROXY
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 192.168.1.2:5432
-A PREROUTING -i eth1 -p udp -m udp --dport 5432 -j DNAT --to-destination 192.168.1.2:5432
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.0.254:3000
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3001 -j DNAT --to-destination 192.168.0.254:3001
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3002 -j DNAT --to-destination 192.168.0.254:3002
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3003 -j DNAT --to-destination 192.168.0.254:3003
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3004 -j DNAT --to-destination 192.168.0.254:3004
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3005 -j DNAT --to-destination 192.168.0.254:3005
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3006 -j DNAT --to-destination 192.168.0.254:3006
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3007 -j DNAT --to-destination 192.168.0.254:3007
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3008 -j DNAT --to-destination 192.168.0.254:3008
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3009 -j DNAT --to-destination 192.168.0.254:3009
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3010 -j DNAT --to-destination 192.168.0.254:3010
-A PREROUTING -p tcp -m tcp --dport 5902 -j DNAT --to-destination 192.168.1.2:5902
-A PREROUTING -p tcp -m tcp --dport 5903 -j DNAT --to-destination 192.168.1.2:5903
-A PREROUTING -p tcp -m tcp --dport 5904 -j DNAT --to-destination 192.168.1.2:5904
-A PREROUTING -p tcp -m tcp --dport 5905 -j DNAT --to-destination 192.168.0.1:5800
-A PREROUTING -p udp -m udp --dport 5901 -j DNAT --to-destination 192.168.0.1:5900
-A PREROUTING -p tcp -m tcp --dport 9090 -j DNAT --to-destination 192.168.1.3:80
-A PREROUTING -p tcp -m tcp --dport 4550 -j DNAT --to-destination 192.168.1.3:4550
-A PREROUTING -p tcp -m tcp --dport 5550 -j DNAT --to-destination 192.168.1.3:5550
-A PREROUTING -p tcp -m tcp --dport 6550 -j DNAT --to-destination 192.168.1.3:6550
-A PREROUTING -p tcp -m tcp --dport 8866 -j DNAT --to-destination 192.168.1.3:8866
-A PREROUTING -p tcp -m tcp --dport 9091 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -p tcp -m tcp --dport 4551 -j DNAT --to-destination 192.168.1.4:4550
-A PREROUTING -p tcp -m tcp --dport 5551 -j DNAT --to-destination 192.168.1.4:5550
-A PREROUTING -p tcp -m tcp --dport 6551 -j DNAT --to-destination 192.168.1.4:6550
-A PREROUTING -p tcp -m tcp --dport 5552 -j DNAT --to-destination 192.168.1.4:5552
-A PREROUTING -p tcp -m tcp --dport 8867 -j DNAT --to-destination 192.168.1.4:8867
-A PREROUTING -p tcp -m tcp --dport 15500 -j DNAT --to-destination 192.168.1.99:15500
-A PREROUTING -p udp -m udp --dport 4186 -j DNAT --to-destination 192.168.1.99:4186
-A POSTROUTING -s 192.168.1.3 -p tcp -m tcp --dport
4550 -j MASQUERADE
-A POSTROUTING -s 192.168.1.3 -p tcp -m tcp --dport 5550 -j MASQUERADE
-A POSTROUTING -s 192.168.1.3 -p tcp -m tcp --dport 6550 -j MASQUERADE
-A POSTROUTING -s 192.168.1.3 -p tcp -m tcp --dport 8866 -j MASQUERADE
-A POSTROUTING -s 192.168.1.4 -p tcp -m tcp --dport 4551 -j MASQUERADE
-A POSTROUTING -s 192.168.1.4 -p tcp -m tcp --dport 5551 -j MASQUERADE
-A POSTROUTING -s 192.168.1.4 -p tcp -m tcp --dport 6551 -j MASQUERADE
-A POSTROUTING -s 192.168.1.4 -p tcp -m tcp --dport 5552 -j MASQUERADE
-A POSTROUTING -s 192.168.1.4 -p tcp -m tcp --dport 8867 -j MASQUERADE
-A POSTROUTING -s 192.168.1.99 -p tcp -m tcp --dport 15500 -j MASQUERADE
-A POSTROUTING -s 192.168.1.99 -p udp -m udp --dport 4186 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A PROXY -d 200.201.174.0 -j RETURN
-A PROXY -d 200.252.60.42 -j RETURN
-A PROXY -d 200.252.60.83 -j RETURN
-A PROXY -d 104.236.14.6 -j RETURN
-A PROXY -d 165.227.126.241 -j RETURN
-A PROXY -d 52.67.237.186 -j RETURN
-A PROXY -d 54.232.192.254 -j RETURN
-A PROXY -d 54.233.160.99 -j RETURN
-A PROXY -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Mon Mar 12 14:55:09 2018
# Generated by iptables-save v1.3.5 on Mon Mar 12 14:55:09 2018
*mangle
:PREROUTING ACCEPT [2945075:2165081986]
:INPUT ACCEPT [2859213:2143926526]
:FORWARD ACCEPT [74185:20134693]
:OUTPUT ACCEPT [3061265:2185800230]
:POSTROUTING ACCEPT [3134527:2205524288]
COMMIT
# Completed on Mon Mar 12 14:55:09 2018



iptables -t nat -nL
-----------------------------------------------------------
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.1.60 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- 192.168.1.60 0.0.0.0/0 udp dpt:80
PROXY tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432 to:192.168.1.2:5432
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5432 to:192.168.1.2:5432
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3000 to:192.168.0.254:3000
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001 to:192.168.0.254:3001
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3002 to:192.168.0.254:3002
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3003 to:192.168.0.254:3003
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3004 to:192.168.0.254:3004
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3005 to:192.168.0.254:3005
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3006 to:192.168.0.254:3006
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3007 to:192.168.0.254:3007
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3008 to:192.168.0.254:3008
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3009 to:192.168.0.254:3009
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3010 to:192.168.0.254:3010
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 to:192.168.1.2:5902
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5903 to:192.168.1.2:5903
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5904 to:192.168.1.2:5904
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5905 to:192.168.0.1:5800
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5901 to:192.168.0.1:5900
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 to:192.168.1.3:80
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4550 to:192.168.1.3:4550
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5550 to:192.168.1.3:5550
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6550 to:192.168.1.3:6550
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8866 to:192.168.1.3:8866
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9091 to:192.168.1.4:80
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4551 to:192.168.1.4:4550
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5551 to:192.168.1.4:5550
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6551 to:192.168.1.4:6550
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5552 to:192.168.1.4:5552
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8867 to:192.168.1.4:8867
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15500 to:192.168.1.99:15500
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4186 to:192.168.1.99:4186

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- 192.168.1.3 0.0.0.0/0 tcp dpt:4550
MASQUERADE tcp -- 192.168.1.3 0.0.0.0/0 tcp dpt:5550
MASQUERADE tcp -- 192.168.1.3 0.0.0.0/0 tcp dpt:6550
MASQUERADE tcp -- 192.168.1.3 0.0.0.0/0 tcp dpt:8866
MASQUERADE tcp -- 192.168.1.4 0.0.0.0/0 tcp dpt:4551
MASQUERADE tcp -- 192.168.1.4 0.0.0.0/0 tcp dpt:5551
MASQUERADE tcp -- 192.168.1.4 0.0.0.0/0 tcp dpt:6551
MASQUERADE tcp -- 192.168.1.4 0.0.0.0/0 tcp dpt:5552
MASQUERADE tcp -- 192.168.1.4 0.0.0.0/0 tcp dpt:8867
MASQUERADE tcp -- 192.168.1.99 0.0.0.0/0 tcp dpt:15500
MASQUERADE udp -- 192.168.1.99 0.0.0.0/0 udp dpt:4186
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain PROXY (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 200.201.174.0
RETURN all -- 0.0.0.0/0 200.252.60.42
RETURN all -- 0.0.0.0/0 200.252.60.83
RETURN all -- 0.0.0.0/0 104.236.14.6
RETURN all -- 0.0.0.0/0 165.227.126.241
RETURN all -- 0.0.0.0/0 52.67.237.186
RETURN all -- 0.0.0.0/0 54.232.192.254
RETURN all -- 0.0.0.0/0 54.233.160.99
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128



iptables -nL
-----------------------------------------
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:5432
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3002
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3002
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3003
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3003
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3004
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3004
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3006
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3006
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3007
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3007
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3008
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3008
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3009
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3009
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3010
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3010
bad_tcp_packets tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.1.0/24 0.0.0.0/0
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
tcp_packets tcp -- 0.0.0.0/0 0.0.0.0/0
udp_packets udp -- 0.0.0.0/0 0.0.0.0/0
icmp_packets icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:80
ACCEPT tcp -- 192.168.1.3 0.0.0.0/0 tcp spt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:4550
ACCEPT tcp -- 192.168.1.3 0.0.0.0/0 tcp spt:4550
ACCEPT tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:5550
ACCEPT tcp -- 192.168.1.3 0.0.0.0/0 tcp spt:5550
ACCEPT tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:6550
ACCEPT tcp -- 192.168.1.3 0.0.0.0/0 tcp spt:6550
ACCEPT tcp -- 0.0.0.0/0 192.168.1.3 tcp dpt:8866
ACCEPT tcp -- 192.168.1.3 0.0.0.0/0 tcp spt:8866
ACCEPT tcp -- 0.0.0.0/0 192.168.1.4 tcp dpt:80
ACCEPT tcp -- 192.168.1.4 0.0.0.0/0 tcp spt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.1.4 tcp dpt:4550
ACCEPT tcp -- 192.168.1.4 0.0.0.0/0 tcp spt:4550
ACCEPT tcp -- 0.0.0.0/0 192.168.1.4 tcp dpt:5550
ACCEPT tcp -- 192.168.1.4 0.0.0.0/0 tcp spt:5550
ACCEPT tcp -- 0.0.0.0/0 192.168.1.4 tcp dpt:6550
ACCEPT tcp -- 192.168.1.4 0.0.0.0/0 tcp spt:6550
ACCEPT tcp -- 0.0.0.0/0 192.168.1.4 tcp dpt:8867
ACCEPT tcp -- 192.168.1.4 0.0.0.0/0 tcp spt:8867
ACCEPT tcp -- 0.0.0.0/0 192.168.1.99 tcp dpt:15500
ACCEPT tcp -- 192.168.1.99 0.0.0.0/0 tcp spt:15500
ACCEPT udp -- 0.0.0.0/0 192.168.1.99 udp dpt:4186
ACCEPT udp -- 192.168.1.99 0.0.0.0/0 udp spt:4186
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5903
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5904
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5905
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:5432
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5432
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3002
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3002
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3003
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3003
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3004
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3004
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3005
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3006
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3006
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3007
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3007
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3008
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3008
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3009
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3009
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3010
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3010
bad_tcp_packets tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:5432
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5432
bad_tcp_packets tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 192.168.1.1 0.0.0.0/0
ACCEPT all -- 192.168.0.1 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

Chain allowed (3 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0

Chain bad_tcp_packets (3 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW

Chain icmp_packets (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11

Chain tcp_packets (1 references)
target prot opt source destination
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
allowed tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain udp_packets (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:2074
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:4000



squid.conf.
--------------------------------------
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_dir ufs /var/spool/squid 5120 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
pid_filename /var/run/squid.pid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localhost src 192.168.1.0/255.255.255.0
http_access allow manager localhost
acl liberado src "/etc/squid/liberado.txt"
http_access allow liberado
acl ip-bloqueado src "/etc/squid/ip-bloqueado.txt"
http_access deny ip-bloqueado
acl sites url_regex -i "/etc/squid/sites.txt"
http_access deny sites
acl palavras url_regex "/etc/squid/palavras.txt"
http_access deny palavras
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid

7. Re: Passar por fora do proxy squid

Enviado em 12/03/2018 - 17:56h

Adicione também:

Eth1 é a interface de internet, né?!
Se sim:

iptables -A FORWARD -p tcp -m multiport --dports 80,443 -s 192.168.1.60 -o eth1 -j ACCEPT

Testa e posta pra gente.

8. Ainda passa pelo proxy

Enviado em 13/03/2018 - 11:53h

Bom Dia !

Ainda passando pelo proxy.
Vejo pelo log.
Melhorou o envio de mensagens do Whatsapp.
Não sei se está 100%.
Estou testando.
Achei que para resolver só se desviasse tudo do proxy.

9. Não resolveu

Enviado em 16/03/2018 - 16:37h

Não resolveu Whatsapp.
Preciso desviar tudo do proxy mesmo.
Alguma dica mais ?

Responder tópico

Responder tópico

Entre na sua conta para responder.

Fazer login para responder