jeandre
(usa Ubuntu)
Enviado em 09/04/2012 - 13:23h
Boa tarde pessoal, quero pedir a ajuda de vocês para o seguinte, meu squid somente não esta aceitando fazer as atualizações do windows update no modo transparent, se eu colocar o proxy na máquina que quer fazer a atualização dai funciona e se não colocar da a mensagem abaixo no access.log.
Para o computador seria como se não tivesse a internet. mas consigo acessar todas as outras páginas e faz o log e cache certinho.
Ja mudei o squid.conf para intercept e também para transparent e continuou o mesmo.
______________________________________________________
Toda parte do widnows update no access.log
1333987486.310 314 192.168.1.104 TCP_MISS/200 398 HEAD
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab? - DIRECT/189.11.250.74 application/octet-stream
1333987486.461 107 192.168.1.104 TCP_MISS/200 397 HEAD
http://download.windowsupdate.com/v9/microsoftupdate/redir/muauth.cab? - DIRECT/189.11.250.74 application/octet-stream
1333987486.590 94 192.168.1.104 TCP_REFRESH_MODIFIED/200 397 HEAD
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab? - DIRECT/189.11.250.74 application/octet-stream
1333987487.298 594 192.168.1.104 TCP_MISS/200 387 HEAD
http://www.update.microsoft.com/v9/windowsupdate/selfupdate/wuident.cab? - DIRECT/65.55.200.139 application/octet-stream
1333987488.078 98 192.168.1.104 TCP_MISS/200 398 HEAD
http://download.windowsupdate.com/v9/microsoftupdate/redir/muv4muredir.cab? - DIRECT/189.11.250.74 application/octet-stream
1333987489.482 0 192.168.1.104 NONE/400 4020 NONE error:invalid-request - NONE/- text/html
1333987506.923 9656 192.168.1.104 TCP_MISS/200 387 GET
http://watson.microsoft.com/StageOne/Generic/WindowsUpdateFailure/7_5_7601_17514/80072f8f/00000000-0...? - DIRECT/65.55.53.190 text/html
____________________________________________________________________
Meu squid.conf
##squid.conf
http_port 3128 intercept
cache_mem 512 MB # Se seu servidor for dedicado, coloque neste valor a metade de sua memória RAM, do contrário use apenas 25%
cache_swap_low 90
cache_swap_high 95
#Aqui é o tamanho máximo de sua cache, no meu caso aqui é 45GB.
cache_dir aufs /media/cache/sq/ 45000 32 128
maximum_object_size 256 MB
maximum_object_size_in_memory 1 MB
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
pid_filename /var/log/squid3/squid3.pid # pid - mudamos para esta pasta para facilitar na identificação de problemas
mime_table /usr/share/squid3/mime.conf
cache_mgr administrador@dominio.com.br
coredump_dir /media/cache/sq
# Faz com que o squid descarregue a memoria nao utilizada
memory_pools off
diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Cache do Windows Update
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern
www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl lan01 src 192.168.1.0/24 # Representa a sua rede e respectiva máscara de sub-rede
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 1863 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Domínios seguros/sem autenticação
#acl dominiosLiberados dstdomain -i "/etc/squid3/dominiosLiberados"
#http_access allow dominiosLiberados
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lan01
cache_mgr webmaster
mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname rdinf
# Mensagens de erro em Português
error_directory /usr/share/squid3/errors/pt-br
meu firewall
#!/bin/bash
##############################--> Variaveis <--########################################
MOD=`which modprobe`
ETH0="10.1.1.4"
ETH1="192.168.1.1"
REDE_INT="192.168.1.0/24"
SERV2003="192.168.1.100"
##############################--> Limpando todas as regras <--#########################
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
iptables -Z
iptables -Z -t nat
##############################--> Carregand modulos <--############################
$MOD iptable_nat
$MOD ip_conntrack
$MOD ip_conntrack_ftp
$MOD ip_nat_ftp
$MOD ipt_LOG
$MOD ipt_REJECT
$MOD ipt_MASQUERADE
########################--> Habilita roteamento no kernel<--############################
echo 1 >/proc/sys/net/ipv4/ip_forward
##############################--> Politicas de segurança <--############################
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Impede falsear pacote
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Perigo de descobrimento de rotas de roteamento (desativar em roteador)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Risco de DoS
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # So inicia a conexão quando recebe a confirmação, diminuindo a banda gasta
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter # Faz o firewall responder apenas a placa de rede que recebeu o pacote
iptables -A INPUT -m state --state INVALID -j DROP # Elimina os pacotes invalidos
###########--> Politica Padrao - Bloqueia tudo, nada entra e nada sai <--#############
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
###################--> Libera conexoes estabelecidas <--################################
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
###################-->Libera interface loopback<--####################################
iptables -A INPUT -i lo -j ACCEPT
##############################-->liberando Ping<--##################################
iptables -A INPUT -p icmp -j ACCEPT
###########################--> Liberar portas servidor samba <--###################
iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT
iptables -A INPUT -p udp --dport 137:139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
##############################-->Liberando Servidor DNS<--###########################
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
#########-->Liberando portas do servidor - SSH(60000) SQUID(3128) FTP(2121)<--#################
iptables -A INPUT -m multiport -p tcp --dport 60000,3128,2121,49152,49153 -j ACCEPT
# Liberando Porta 2121 (ftp)
iptables -A INPUT -d $ETH0 -p tcp --dport 2121 -j ACCEPT
# Liberando porta 3000 (NTOP)
iptables -A INPUT -d $REDE_INT -p tcp --dport 3000 -j ACCEPT
#########################-->Mascara conexao de rede<--#############################
iptables -t nat -A POSTROUTING -s $REDE_INT -o eth0 -j MASQUERADE
#########################-->Ativando proxy transparente<--###########################
#OBS: Essa regra so e necessaria se voce optar pelo proxy transparente, caso contrario comente!
iptables -t nat -A PREROUTING -s $REDE_INT -p tcp -m multiport --dport 80,443,8080 -j REDIRECT --to-port 3128
###########################--> Acesso ao ftp<--##################################
#OBS: Dentro da rede não necessita dessa regra
#iptables -t nat -A PREROUTING -p tcp -d $ETH0 --dport 2121 -j DNAT --to $ETH1:2121
#iptables -A FORWARD -p tcp -d $ETH1 --dport 2121 -j ACCEPT
#iptables -A FORWARD -p tcp -s $ETH1 --sport 2121 -j ACCEPT
#iptables -t nat -A POSTROUTING -p tcp -s $ETH1 --sport 2121 -o eth0 -j MASQUERADE
###########################--> Acesso ao sftp<--##################################
#OBS: Dentro da rede não necessita dessa regra
iptables -t nat -A PREROUTING -p tcp -d $ETH0 --dport 22000 -j DNAT --to $ETH1:60000
iptables -A FORWARD -p tcp -d $ETH1 --dport 60000 -j ACCEPT
iptables -A FORWARD -p tcp -s $ETH1 --sport 60000 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s $ETH1 --sport 60000 -o eth0 -j MASQUERADE
####>> Redirecionando portas Terminal Service <<####
iptables -I FORWARD -p tcp -i eth1 --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination $SERV2003:3389