Problems with Transparent Proxy [SOLVED]

1. Problems with Transparent Proxy [SOLVED]

Leonardo Gimenez
LeonardoKadina

(uses Ubuntu)

Posted on 22/09/2009 - 12:13h

Folks, I have a terrible headache here. I'm a bit of a newbie with firewalls, so I'm asking the university crowd for help (laughs).

Here's the thing: I configure my IPTABLES with the settings and redirect my internet port to my PROXY, but if I don't enable the PROXY on the users' machines it doesn't work!
I'm posting my IPTABLES and my SQUID; give me a hand, I've been banging my head against this for days and it isn't working.

Thanks in advance.
Scripts
SQUID:
http_port 3128 transparent
# Cache
cache_mem 100 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 16384 kb
minimum_object_size 0 KB

access_log /var/log/squid/access.log
error_directory /usr/share/squid/errors/Portuguese

visible_hostname telecom
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop3
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1030 # Atlas
acl Safe_ports port 4156 # avg
acl Safe_ports port 6060 # netsms
acl Safe_ports port 8080 # matrix
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# allowed IPs
acl liberados src "/etc/squid/liberados"
http_access allow liberados
# block sites
acl blo dstdomain "/etc/squid/blo"
#deny_info url:/etc/share/squid/erros/Portuguese/index blo
http_access deny blo
# block proxies
acl pro dstdomain "/etc/squid/pro"
http_access deny pro
# block msn
acl msn dstdomain "/etc/squid/msn"
http_access deny msn
# block file-sharing sites (the acl was declared without a deny rule; added here so it takes effect).
acl shared dstdomain "/etc/squid/geral/shared"
http_access deny shared
# block radio sites.
acl radio dstdomain "/etc/squid/geral/radio"
http_access deny radio
# block file extensions
acl exp_extensao urlpath_regex -i "/etc/squid/expressao/exp_extensao"
http_access deny exp_extensao
# block general expressions
acl exp_geral url_regex -i "/etc/squid/expressao/exp_geral"
http_access deny exp_geral
# block sex-related expressions
acl exp_sexo url_regex -i "/etc/squid/expressao/exp_sexo"
http_access deny exp_sexo
# block the wannabe hackers
acl exp_hacker url_regex -i "/etc/squid/expressao/exp_hacker"
http_access deny exp_hacker
acl redelocal src ip_da_rede/24
http_access allow localhost
http_access allow redelocal
http_access deny all

2. Re: Problems with Transparent Proxy [SOLVED]

Leonardo Gimenez
LeonardoKadina

(uses Ubuntu)

Posted on 22/09/2009 - 12:19h

And here is my iptables too.

#! /bin/bash

clear

echo "Modulos carregados"
# Load modules
modprobe iptable_nat
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_LOG
modprobe ip_gre
modprobe ipt_MASQUERADE
modprobe ip_nat
modprobe ip_nat_ftp
printf "Limpando tabelas e setando variaveis do kernel.. \n"
# Flush all rules and user-defined chains in the filter and nat tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
printf "*****************************ok********************************* \n"
# Default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo "Regras definidas."
printf "*****************************ok********************************* \n"
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
printf "*****************************ABRINDO FAIXA DE IP********************************* \n"
# Accept the local IP range.
iptables -A INPUT -s IP_da_Rede/255.255.255.0 -j ACCEPT
printf "*****************************ok********************************* \n"

printf "*****************************CRIANDO MASQUERADE********************************* \n"
# Masquerade (NAT) outgoing traffic.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
printf "*****************************ok********************************* \n"

printf "*****************************ABRINDO PORTAS 22, 21 e 80********************************* \n"
# Open ports 80, 22 and 21 (including from the Internet):
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
printf "*****************************ok********************************* \n"

printf "*****************************NET********************************* \n"
# net
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
printf "*****************************ok********************************* \n"

printf "*****************************IGNORANDO PINGS********************************* \n"
# Ignore pings.
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
printf "*****************************ok********************************* \n"

printf "*****************************Impedindo pacotes mal formados********************************* \n"
# Drop malformed packets
iptables -A INPUT -m state --state INVALID -j DROP
printf "*****************************ok********************************* \n"

printf "*****************************Abrindo Trafego interno********************************* \n"
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
printf "*****************************ok********************************* \n"

printf "*****************************Iniciando Proxy Transparente********************************* \n"
# Transparent proxy.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

#iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.11 -p tcp --sport 2000 -j REDIRECT --to-port 2000
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2000 -j DNAT --to 192.168.1.11
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.11
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5550 -j DNAT --to 192.168.1.11
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4550 -j DNAT --to 192.168.1.11
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3550 -j DNAT --to 192.168.1.11
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 200 -j DNAT --to 192.168.1.11
printf "*****************************ok********************************* \n"

printf "*****************************Iniciando Regras FORWARD********************************* \n"
# FORWARD rules.
iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 3128 -j ACCEPT
iptables -A FORWARD -p udp -i eth1 -s IP_da_Rede/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 8080 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 149 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 443 -j ACCEPT
#iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 2000 -j ACCEPT # Camera
#iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 3550 -j ACCEPT # Camera
#iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 4550 -j ACCEPT # Camera
#iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 5550 -j ACCEPT # Camera
#iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 3389 -j ACCEPT # Terminal Server, camera server
#iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 200 -j ACCEPT # Camera
#iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 587 -j ACCEPT # SMTP Art- vide
printf "*****************************DROPS********************************* \n"
# Drop everything else coming in from eth1
iptables -A FORWARD -p udp -i eth1 -j DROP
iptables -A FORWARD -p tcp -i eth1 -j DROP
printf "*****************************FIM********************************* \n"



3. Re: Problems with Transparent Proxy [SOLVED]

Junior Rocha
junior

(uses Ubuntu)

Posted on 22/09/2009 - 13:59h

Hi friend, on the first line of your squid, instead of http_port 3128 transparent, put: http_port IP_DO_SERVIDOR:3128 transparent

And in the iptables rules, make sure eth0 is really the interface you are using.


4. Redirecting port 80

Fernando
hungaro

(uses Ubuntu)

Posted on 22/09/2009 - 15:20h

Dude, throw this line into your firewall:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

eth1 = internal network

If anything comes up, post here.
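As an added example (not from any of the posts above), a small Python check for the interface mix-up this thread turns on: it parses an iptables rule script, takes the MASQUERADE output interface as the WAN and the FORWARD input interfaces as the LAN, and reports whether the port-80 REDIRECT to the proxy is attached to the LAN side. The sample rules are copied from the script posted above; the `parse_rules` and `check_transparent_redirect` names are my own.

```python
import shlex

# Constructed sample: the relevant rules from the script posted in this thread.
SAMPLE_RULES = """
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -p tcp -i eth1 -s IP_da_Rede/24 --dport 3128 -j ACCEPT
"""

def parse_rules(text):
    """Map each 'iptables ...' line to {option: value}; bare flags map to True."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("iptables"):
            continue  # skips blank lines and commented-out rules
        toks = shlex.split(line)[1:]
        rule, i = {}, 0
        while i < len(toks):
            if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:
                rule[toks[i]] = True
                i += 1
        rules.append(rule)
    return rules

def check_transparent_redirect(text, proxy_port="3128"):
    """Return human-readable findings; an empty list means the redirect looks consistent."""
    rules, findings = parse_rules(text), []
    # The MASQUERADE output interface is the WAN; FORWARD input interfaces are the LAN.
    wan = {r["-o"] for r in rules if r.get("-j") == "MASQUERADE" and "-o" in r}
    lan = {r["-i"] for r in rules if r.get("-A") == "FORWARD" and "-i" in r}
    for iface in sorted(wan & lan):
        findings.append(f"{iface} is both the MASQUERADE output (WAN) and a FORWARD input (LAN)")
    redirects = [r for r in rules if r.get("-j") == "REDIRECT"
                 and r.get("--dport") == "80" and r.get("--to-port") == proxy_port]
    if not redirects:
        findings.append(f"no PREROUTING REDIRECT of port 80 to port {proxy_port}")
    for r in redirects:
        iface = r.get("-i")
        if iface is None:
            findings.append("redirect has no -i and would also catch traffic arriving on the WAN")
        elif iface in wan:
            findings.append(f"redirect listens on {iface}, the MASQUERADE (WAN) interface")
        elif lan and iface not in lan:
            findings.append(f"redirect listens on {iface}, but FORWARD rules use {sorted(lan)} as the LAN")
    return findings
```

Run against the posted script it flags both that eth1 is used as WAN and LAN at once and that the redirect sits on eth0; with the line from the reply above (redirect on eth1, masquerade on the real external interface) it returns no findings.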
