Squid 3.3.8 + CentOS 7 - Não faz cache, não grava Log mas navega.

1. Squid 3.3.8 + CentOS 7 - Não faz cache, não grava Log mas navega.

Leonardo Leão
LeaoNarrdo

(usa Fedora)

Enviado em 28/03/2016 - 23:37h

Olá,
estou tentando configurar um cenário com squidcache + centos e não estou conseguindo fazer o cache, e o arquivo de log está vazio.

Cenário:
VirtualBOX
----- Centos7, 2 Placa de rede Wan= Modo Bridge, Lan= rede interna
----- Cliente XP, 1 Placa de rede modo= Rede interna

Centos7
-----WAN: DHCP
----- LAN: 192.168.0.200/24

Squid 3.3.8
Configuração do Squid

/etc/squid/squid.conf
http_port 3128 intercept
visible_hostname faztudo

#CACHE PARA DOWNLOADS
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256

#LOCALIZAÇO DO ARQUIVO DE LOG DO SQUI
cache_access_log /var/log/squid/access.log

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 15 20% 4320

acl localnet src 192.168.0.0/24 # RFC 1918 possible internal network

acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all


Iptables

/etc/init.d/firewall.sh


#!/bin/bash
############ Variaveis #############
IPT=/sbin/iptables

####################################
IF_WAN=enp0s3
IF_LAN=enp0s8
#IP_WAN=""
IP_LAN=192.168.0.200/24
IP_GW=192.168.1.1

####### rede e seus ranges #########
REDE_INTERNA=192.168.0.0/24

####### conf squid #########
# your proxy IP
SQUIDIP=192.168.0.200/24
# your proxy listening port
SQUIDPORT=3128

############## Portas ##############
HTTP=80
HTTPS=443
SSH=22
DNS=53
POP3=110
SMTP=587

function IniciaFirewall(){

#### politica padrao - NEGA TUDO ####

echo "politica por omissao - negar TUDO"

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

##### configurando interfaces #######

ifconfig $IF_LAN $IP_LAN

route del default
route add default gw $IP_GW

echo "apaga as regras ja existentes"
$IPT -F
$IPT -X
$IPT -Z
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
$IPT -F POSTROUTING -t nat
$IPT -F PREROUTING -t nat
$IPT -F OUTPUT -t nat

############ stateless ###############
echo "permite loopbak"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

########### statefull ################
echo "descarta pacotes invalidos"
$IPT -A INPUT -m state --state INVALID -j DROP

echo "regras STATEFULL genericas"
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

########### DHCP ################
$IPT -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

echo "permitir DNS [ok]"
$IPT -A OUTPUT -p udp --sport 1024:65535 --dport $DNS -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $IF_LAN -o $IF_WAN --dport $DNS -j ACCEPT

echo "permite HTTP [ok]"
#$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport $HTTP -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $HTTP -j ACCEPT

echo "permite HTTPS [ok]"
#$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport $HTTPS -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $HTTPS -j ACCEPT

echo "libera portas para e-mail [ok]"
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $POP3 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $POP3 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $SMTP -j ACCEPT

echo "libera SSH [ok]"
$IPT -A INPUT -p tcp --dport $SSH -j LOG --log-level 4 --log-prefix 'SSH_WAN > '
$IPT -A INPUT -p tcp -i $IF_WAN --dport $SSH -j ACCEPT

########## seguranca da rede ##############
echo "Impedindo ataque Ping of Death e ping flood no Firewall vindo da rede interna"
#A regra abaixo limita em 1 vez por segundo (--limit 1/s) a passagem de pings (echo requests) para o Firewall
$IPT -A INPUT -p icmp --icmp-type echo-request -i $IF_LAN -j LOG --log-level 4 --log-prefix 'PING_INERNO > '
$IPT -A INPUT -p icmp --icmp-type echo-request -i $IF_LAN -m limit --limit 1/s -j ACCEPT

echo "Descarte de pacotes nao identificados ICMP"
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A INPUT -m state -p icmp --state INVALID -j DROP
$IPT -A FORWARD -m state -p icmp --state INVALID -j DROP

echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

############ regras intercept squid cache #############
$IPT -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
$IPT -t nat -A POSTROUTING -j MASQUERADE
$IPT -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

############ compartilha link #############
echo "compartilha link de internet [ok]"
$IPT -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE

echo "habilitando encaminhamento de pacotes [ok]"
echo 1 > /proc/sys/net/ipv4/ip_forward

}
function LiberaFirewall(){

echo "politica Libera TUDO"

$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

#########################################
# configurando interfaces
#########################################
ifconfig $IF_LAN $IP_LAN
route del default
route add default gw $IP_GW

echo "apaga as regras ja existentes"
$IPT -F
$IPT -X
$IPT -Z
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z

########## compartilha link ###############
echo "compartilha link de internet [ok]"
$IPT -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE

echo "habilitando encaminhamento de pacotes [ok]"
echo 1 > /proc/sys/net/ipv4/ip_forward
}

case $1 in
start)
IniciaFirewall
exit 0
;;
stop)
LiberaFirewall
exit 1
;;
restart)
LiberaFirewall;IniciaFirewall
exit 2
;;
*)
echo
echo "Use ||start|| para iniciar as regras desse Firewall, ||restart|| para reiniciar e ||stop|| para descartar todas as politicas de seguranca, NAO FACA ISSO!"
echo
exit 3
;;
esac

# FIM: tudo que não for explicitamente permitido será negado!



Log do squid que não grava nada.
 ls -l /var/log/squid/
total 88
-rw-r-----. 1 squid squid 0 Mar 28 22:56 access.log
-rw-r-----. 1 squid squid 88409 Mar 28 23:02 cache.log


Com o Cliente XP eu consigo navegar sem problemas, mas o cache não funciona


  






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts