Problemas com Restrição de Acessos SQUID [RESOLVIDO]

1. Problemas com Restrição de Acessos SQUID [RESOLVIDO]

fixxctba
(usa Ubuntu)

Enviado em 17/10/2011 - 16:23h

Boa Tarde,

Tenho o Ubuntu 11 instalado com IPTABLES + Squid 2.7. Com as seguintes linhas no SQUID.CONF.
Minha dúvida é... Queria criar uma regra da seguinte forma:

192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13

Tem permissão para YAHOO, MSN, YOUTUBE
Não tem permissão para [*****], SEXO, BATE-PAPO

192.168.1.14
192.168.1.15
192.168.1.16
192.168.1.17

Tem permissão para tudo.

192.168.1.18
192.168.1.19
192.168.1.20
192.168.1.21

Não tem permissão para nada.

Alguém poderia me ajudar?
Pois como perceberam consegui apenas bloquear palavras pra todos os usuários. E criei uma lista de IPs que não tem bloqueio algum. Porém os casos são mais especificos aqui e não sei como fazer.

Valeu!

---------------------------------------------------------------------------------------------
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.1.0/24

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl acesso_total src "/etc/squid/acesso_total"
acl proibir_palavras url_regex -i "/etc/squid/palavras"

#http_access deny all
http_access allow acesso_total
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny proibir_palavras

icp_access allow localnet
icp_access deny all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

hosts_file /etc/hosts

coredump_dir /var/spool/squid

error_directory /usr/share/squid/errors/pt-br

0 0

Quote

2. Re: Problemas com Restrição de Acessos SQUID [RESOLVIDO]

n4t4n
(usa Arch Linux)

Enviado em 26/10/2011 - 20:22h

Colocando a solução encontrada aqui você ajuda outras pessoas que procuram pelo mesmo erro.

Abraço

0 0

Quote

3. Re: Problemas com Restrição de Acessos SQUID [RESOLVIDO]

fixxctba
(usa Ubuntu)

Enviado em 27/10/2011 - 07:17h

Bom, o que funcionou no meu Squid + Iptables para o Ubuntu 11 foi a seguinte configuração:

##################################SQUID.CONF#############################################

acl all src 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl localnet src 192.168.1.0/24
#
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl acesso_total src "/etc/squid/iptotal/total" ##IP's com Acesso Total##
acl ip_restrito src "/etc/squid/iprestrito/restrito" ##IP's com Acesso Restrito##
acl proibir_words url_regex -i "etc/squid/deny/words" ##Bloquear Palavras##
acl proibir_batepapo dstdomain "/etc/squid/deny/batepapo" ##Bloquear Bate Papo#
acl proibir_email dstdomain "/etc/squid/deny/email" ##Bloquear E-mail pessoal##
acl proibir_msn dstdomain "/etc/squid/deny/msn" ##Bloquear MSN##
acl proibir_orkut dstdomain "/etc/squid/deny/orkut" ##Bloquear Orkut##
acl proibir_radio dstdomain "/etc/squid/deny/radio" ##Bloquear Radio Online##
acl proibir_tube dstdomain "/etc/squid/deny/tube" ##Bloquear Tubes e Tv Online##
acl proibir_yahoo dstdomain "/etc/squid/deny/yahoo" ##Bloquear Yahoo##
acl proibir_sites dstdomain "/etc/squid/deny/sites" ##Bloquear Outros Sites##

http_access allow acesso_total
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny proibir_yahoo !ip_restrito ##Aqui eu tive que liberar o yahoo para algumas maquinas##
http_access deny proibir_words
http_access deny proibir_msn
http_access deny proibir_email
http_access deny proibir_orkut
http_access deny proibir_radio
http_access deny proibir_tube

icp_access allow localnet
icp_access deny all

http_port 3128 transparent
always_direct allow all

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

hosts_file /etc/hosts

error_directory /usr/share/squid/errors/pt-br

dns_nameservers 200.204.0.10 200.204.0.138

cache_mem 256 MB

maximum_object_size_in_memory 128 KB

maximum_object_size 100 MB
minimum_object_size 0 KB

cache_swap_low 90
cache_swap_high 95

cache_dir ufs /var/spool/squid 4000 16 256
########################################################################################

Criei um aquivo no init.d chamado internet para IPTABLES:

###Compartilhamento Internet###

modprobe ip_tables
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

##############################

Obrigado pela ajuda!!!

0 0

Quote