Network doesn't browse through the proxy [SOLVED]

1. Network doesn't browse through the proxy [SOLVED]

Jose Marconi
liquid

(uses Suse)

Posted on 03/09/2010 - 17:51h

Hi VOL friends, I'd appreciate a little help..

I have a firewall server installed at a client.

Here is the firewall script:

#!/bin/bash
start() {
    clear
    if [ "$1" = "flush" ]; then
        echo " Flushing"
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -F
        iptables -t nat -F   # flush the NAT table
        iptables -X          # delete user-defined chains
        echo " Done "
    else
        clear
        echo "xxxxxx"
        echo "Iniciando regras do Firewall"
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT ACCEPT
        iptables -F
        iptables -t nat -F
        iptables -X
        iptables -Z

        #############################################################################
        echo "CONFIGURACAO DAS INTERFACES"
        #############################################################################

        echo "Configurando as interfaces "
        echo "eth1 = 189.20.xxx.xxx "
        echo "eth0 = 192.168.0.x "
        echo "eth1:1 = 189.20.xxx.xxx "
        INTRA=eth0
        INTRA2=192.168.0.7      # NOTE: an address, not a device name. iptables -i/-o accept it without
                                # complaint, so every rule below that uses -i/-o $INTRA2 loads but never matches
        INTER=eth1
        INTER2=189.20.xxx.xxx   # NOTE: same problem for every -i/-o $INTER2 rule below
        SUSE=189.20.xxx.xxx     # SUSE firewall server
        SUSE2=189.20.xxx.xxx    # second SSH access address

        # eth0:1 and eth1:1 are address aliases; netfilter still sees their packets on eth0/eth1
        ifconfig eth0 192.168.0.1 netmask 255.255.255.0
        ifconfig eth1 189.20.xxx.xxx netmask 255.255.255.0
        ifconfig eth0:1 192.168.0.7 netmask 255.255.255.0
        ifconfig eth1:1 189.20.xxx.xxx netmask 255.255.255.0
        route add default gw 189.20.xxx.xxx

        #############################################################################
        echo "REGRAS PRINCIPAIS OBRIGATORIAS"
        #############################################################################

        echo "Liberando Loopback"

        iptables -A INPUT -i lo -j ACCEPT

        ############################################################################

        echo "EVITANDO SPOOFING"

        # private source addresses must not arrive from the Internet side (172.16.0.0/12 is the RFC 1918 block);
        # the nat table only sees the first packet of a connection, which is enough for this check
        iptables -t nat -A PREROUTING -i $INTER -s 10.0.0.0/8 -j DROP
        iptables -t nat -A PREROUTING -i $INTER -s 172.16.0.0/12 -j DROP
        iptables -t nat -A PREROUTING -i $INTER -s 192.168.0.0/24 -j DROP

        iptables -t nat -A PREROUTING -i $INTER2 -s 10.0.0.0/8 -j DROP
        iptables -t nat -A PREROUTING -i $INTER2 -s 172.16.0.0/12 -j DROP
        iptables -t nat -A PREROUTING -i $INTER2 -s 192.168.0.0/24 -j DROP

        ############################################################################

        echo "Aplicando Regras de Seguranca"

        # SYN flood and ICMP broadcast protection
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        # conf/default only applies to interfaces created afterwards; conf/all covers eth0/eth1 as well
        echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

        ############################################################################

        # Port scan, ping of death and DoS protection
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
        iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
        iptables -A FORWARD -i $INTER -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
        iptables -A FORWARD -i $INTER2 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
        # the "unclean" match is not available on 2.6 kernels; there this line only prints an error
        iptables -A FORWARD -m unclean -j DROP

        ###########################################################################

        # Malformed and invalid packet protection
        # NOTE: nothing jumps to VALID_CHECK (there is no "-j VALID_CHECK" anywhere), so this chain is never evaluated
        iptables -N VALID_CHECK
        iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
        iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
        iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
        iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
        iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
        iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
        iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

        ###########################################################################
        echo "LIBERANDO PING"
        ###########################################################################

        iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

        ###########################################################################
        echo "LIBERANDO SSH PARA O FIREWALL"
        ###########################################################################

        iptables -A INPUT -p tcp --dport 22 -d $SUSE -j ACCEPT
        iptables -A INPUT -p tcp --dport 22 -d $SUSE2 -j ACCEPT
        iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT

        ###########################################################################
        echo "NAT DE PORTAS PARA SQUID"
        ###########################################################################

        # transparent interception: -i must be the LAN device (eth0); with $INTRA2 holding an address
        # these two rules never match, so LAN web traffic is not redirected to squid
        iptables -t nat -A PREROUTING -i $INTRA2 -p tcp --dport 80 -j REDIRECT --to-port 3128
        iptables -t nat -A PREROUTING -i $INTRA2 -p tcp --dport 8080 -j REDIRECT --to-port 3128

        ##########################################################################
        echo "MASCARANDO O IP"
        ###########################################################################

        iptables -t nat -A POSTROUTING -o $INTER -j MASQUERADE
        iptables -t nat -A POSTROUTING -o $INTER2 -j MASQUERADE   # never matches ($INTER2 is an address)

        ##########################################################################
        echo "LIBERACAO DE PORTAS DA INTRANET PARA INTERNET"
        ##########################################################################

        iptables -A FORWARD -i $INTRA -j ACCEPT
        iptables -A FORWARD -i $INTRA2 -j ACCEPT   # never matches ($INTRA2 is an address)
        # this is the only rule meant to let LAN clients reach the firewall itself (squid on 3128 included),
        # and it never matches for the same reason
        iptables -A INPUT -i $INTRA2 -j ACCEPT

        ##########################################################################
        echo "HABILITAR MODULO DE FTP "
        ##########################################################################

        # load FTP conntrack & NAT helper modules
        modprobe ip_conntrack_ftp
        modprobe ip_nat_ftp

        ###########################################################################
        echo "LIBERACAO DE PORTAS DA INTERNET PARA INTRANET"
        ###########################################################################

        echo 1 > /proc/sys/net/ipv4/ip_forward

        # inbound from the Internet towards the LAN
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 20 -j ACCEPT # FTP
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 21 -j ACCEPT # FTP
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 23 -j ACCEPT # TELNET
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 37000:38000 -j ACCEPT # FTP passive mode
        iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 53 -j ACCEPT # DNS
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 80 -j ACCEPT # HTTP
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --sport 80 -j ACCEPT # HTTP
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 443 -j ACCEPT # HTTPS
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 1723 -j ACCEPT # PPTP
        iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 500 -j ACCEPT # ISAKMP
        iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 1701 -j ACCEPT # L2TP
        iptables -A FORWARD -i $INTER -o $INTRA -p udp --dport 123 -j ACCEPT # NTP (UDP, not TCP)
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 25 -j ACCEPT # SMTP
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 110 -j ACCEPT # POP3
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 1050 -j ACCEPT # HELPDESK
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 3389 -j ACCEPT # REMOTE
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 143 -j ACCEPT # IMAP
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 8080 -j ACCEPT # alternate HTTP
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 1494 -j ACCEPT # METAFRAME
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 995 -j ACCEPT # POP3S
        # iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 3128 -j ACCEPT # SQUID
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --dport 81 -j ACCEPT # Citrix
        iptables -A FORWARD -i $INTER -o $INTRA -p tcp --sport 81 -j ACCEPT # Citrix

        iptables -A FORWARD -i $INTER2 -o $INTRA -p tcp --dport 3389 -j ACCEPT # REMOTE 2
        # iptables -A FORWARD -i $INTER2 -o $INTRA -p tcp --dport 3128 -j ACCEPT # SQUID

        iptables -A FORWARD -i $INTER2 -o $INTRA2 -p tcp --dport 80 -j ACCEPT
        iptables -A FORWARD -i $INTER2 -o $INTRA2 -p tcp --sport 80 -j ACCEPT
        # iptables -A FORWARD -i $INTER2 -o $INTRA2 -p tcp --dport 3128 -j ACCEPT

        ############################################################################
        echo "STATEFULL INSPECTION"
        ############################################################################

        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        ############################################################################
        echo "CONFIGURANDO LOGS"
        ############################################################################

        echo "Logando tentativas invalidas de navegar ( Lan )"

        iptables -A FORWARD -i $INTRA -o $INTER -j LOG --log-level DEBUG --log-prefix " Intra para Internet:"

        echo "Logando pacotes bloqueados da internet para a intranet"

        iptables -A INPUT -p tcp -i $INTER -j LOG --log-level DEBUG --log-prefix " Pacote tcp:"
        iptables -A INPUT -p icmp -i $INTER -j LOG --log-level DEBUG --log-prefix " Pacote icmp:"
    fi
}

# the posted script stops at the LOG rules; the closing "fi", "}" and this call are supplied
# so the file runs as-is ("./firewall" loads the rules, "./firewall flush" opens everything)
start "$1"

and the squid configuration:

http_port 3128
visible_hostname KMPAPELFW
error_directory /usr/share/squid/errors/Portuguese/

cache_mem 128 MB
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
maximum_object_size_in_memory 500 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/cache/squid 15000 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280

#################################
# Additional configuration #
#################################

auth_param basic program /usr/sbin/ncsa_auth /etc/squid/squid_passwd
auth_param basic children 5
auth_param basic realm KMPAPEL INTERNET SERVER
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

################################

acl allusers proxy_auth REQUIRED
acl superuser proxy_auth adminau admincb adminjr abrasiliano gpalma admingp dkwurzmann
acl sitespermitidos dstdomain "/etc/squid/liberados"
acl sites_permitidos url_regex "/etc/squid/key_words.txt"
acl sitesbloqueados url_regex -i "/etc/squid/bloqueados"
acl palavrasproibidas url_regex -i "/etc/squid/palavrasproibidas"

acl sitesprincipais url_regex -i "/etc/squid/principais"
http_access allow sitesprincipais

# msn (the msnd domain list is split over two acl lines; entries for the same acl name accumulate)
acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com byrdr.omega.contacts.msn.com
acl msnd dstdomain contacts.msn.com local-bay.contacts.msn.com by2.storage.msn.com sqm.microsoft.com
acl msn1 req_mime_type application/X-msn-messenger

no_cache deny msnd
no_cache deny msn
no_cache deny msn1
http_access allow msnd
http_access allow msn
http_access allow msn1

#################################
# Default configuration #
#################################

acl redelocal src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# CONNECT is allowed to every port in this list; 23, 25 and 3128 let clients tunnel telnet, SMTP and the proxy itself
acl SSL_ports port 443 563 23 1863 30 3128 25 2525 1446 1494
acl Safe_ports port 80 # http
acl Safe_ports port 81 # http
acl Safe_ports port 82 # http
acl Safe_ports port 85 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 20 # ftp
acl Safe_ports port 23 # telnet
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 407 # msn
acl Safe_ports port 25 # mail
acl purge method PURGE
acl CONNECT method CONNECT

#################################
# Additional configuration #
#################################

# http_access is evaluated top to bottom; the first matching line decides
http_access deny palavrasproibidas
http_access allow superuser
http_access allow sites_permitidos allusers
http_access allow sitespermitidos allusers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny sitesbloqueados

#################################
# Default configuration #
#################################

# redelocal matches every LAN client, so any LAN request that reaches this line is allowed here;
# the deny lines of this block never apply to the LAN
http_access allow redelocal
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

# The lines below keep hosts and squid from being advertised on the Internet
header_access via deny all
header_access X-Forwarded-For deny all

# Enable the lines below for a TRANSPARENT PROXY. They are required for the firewall's REDIRECT
# of port 80 to 3128 to work: without them squid rejects the intercepted requests
# (on squid 2.6 and later the equivalent is "http_port 3128 transparent")
# httpd_accel_host virtual
# httpd_accel_port 80
# httpd_accel_with_proxy on
# httpd_accel_uses_host_header on
coredump_dir /var/cache/squid

The server browses normally with and without the proxy, but the local machines don't browse through the proxy; it seems they don't even see the proxy.

I've already done all the basic tests and nothing.
Can anyone shed some light?? Thanks a lot


  


2. Re: Network doesn't browse through the proxy [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 03/09/2010 - 20:18h

Of course it won't! You're opening FORWARD on port 80 for everyone! First, change the INPUT and FORWARD policies to DROP. Then comment out the line that opens the connection on port 80, ok?

Also: uncomment the line that FORWARDs to port 3128 (squid).


3. Reply

Jose Marconi
liquid

(uses Suse)

Posted on 08/09/2010 - 15:28h

Renato, thanks for the tip, but I think you didn't understand; the script has a flush option in case you want to open the rules, but what's in effect is the default:

INPUT DROP, FORWARD DROP, OUTPUT ACCEPT

and the SQUID port 3128 redirect is not commented out.

Does anyone have any other suggestion??


4. Solved.

Jose Marconi
liquid

(uses Suse)

Posted on 08/09/2010 - 18:21h

I managed to solve this problem.

In the internet access release section, the INPUT rule was wrong; I needed to specify the network as source, so I added the following rule:

iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT

and it worked normally.
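
The defect visible in the posted firewall script is that INTRA2 and INTER2 hold IP addresses but are passed to iptables -i/-o, which take a device name; iptables loads such rules without any error and they simply never match, which is why the INPUT rule for the LAN and the REDIRECT to 3128 had no effect. What follows is an added example, not code from this thread: a small sh/awk lint that reads a firewall script, resolves simple NAME=value variables, and reports every -i/-o whose value is a dotted quad. The sample rules it checks are constructed for the example, and the function names (lint_iface_args, write_sample_rules, count_sample_findings) are the example's own.

```shell
#!/bin/sh
# Added example: static check for iptables scripts. "-i" and "-o" take a device
# name; a variable holding an address (INTRA2=192.168.0.7) is accepted by
# iptables without error, but the rule can never match. All names here are
# the example's own, not from the thread.

# Report every -i/-o whose (resolved) value looks like an IPv4 address.
# Prints one line per finding; exit status 1 if anything was found, else 0.
lint_iface_args() {   # $1 = path to the firewall script
    awk '
        # remember simple NAME=value assignments (a trailing comment is ignored)
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=[^ \t]+/ {
            split($1, kv, "="); vars[kv[1]] = kv[2]
        }
        /^[ \t]*iptables/ {
            for (i = 1; i < NF; i++) {
                if ($i != "-i" && $i != "-o") continue
                raw = $(i + 1); val = raw
                if (substr(raw, 1, 1) == "$") {          # $NAME or ${NAME}
                    name = substr(raw, 2); gsub(/[{}]/, "", name)
                    if (name in vars) val = vars[name]
                }
                # dotted quad (digits, or the "xxx" masking used in posted scripts)
                if (val ~ /^[0-9x]+\.[0-9x]+\.[0-9x]+\.[0-9x]+$/) {
                    printf "line %d: %s %s resolves to %s, an address, not a device\n", NR, $i, raw, val
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample (not the thread's script): lines 3 and 4 use an address
# through $INTRA2; lines 5 and 6 use real device names and are fine. Line 6 is
# the narrow form of an INPUT rule for the proxy: only TCP to port 3128 from the LAN device.
write_sample_rules() {   # $1 = output path
    cat > "$1" <<'EOF'
INTRA=eth0
INTRA2=192.168.0.7
iptables -t nat -A PREROUTING -i $INTRA2 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -i ${INTRA2} -j ACCEPT
iptables -A FORWARD -i $INTRA -o eth1 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT
EOF
}

# Lint the sample and print the number of findings (2 for the sample above).
count_sample_findings() {
    f=$(mktemp) || return 1
    write_sample_rules "$f"
    lint_iface_args "$f" | wc -l | tr -d ' '
    rm -f "$f"
}

count_sample_findings
```

Run lint_iface_args against the script from the first post and it lists the PREROUTING REDIRECT, MASQUERADE, FORWARD and INPUT rules that use $INTRA2 and $INTER2. The last sample line is a narrower alternative to the rule added in the last post: it admits only TCP to the proxy port arriving on the LAN device, instead of every packet from 192.168.0.0/24 to the firewall host.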





