Enviado em 28/03/2016 - 23:37h
Olá,http_port 3128 intercept
visible_hostname faztudo
#CACHE PARA DOWNLOADS
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
#LOCALIZAÇO DO ARQUIVO DE LOG DO SQUI
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 15 20% 4320
acl localnet src 192.168.0.0/24 # RFC 1918 possible internal network
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
#!/bin/bash
############ Variaveis #############
IPT=/sbin/iptables
####################################
IF_WAN=enp0s3
IF_LAN=enp0s8
#IP_WAN=""
IP_LAN=192.168.0.200/24
IP_GW=192.168.1.1
####### rede e seus ranges #########
REDE_INTERNA=192.168.0.0/24
####### conf squid #########
# your proxy IP
SQUIDIP=192.168.0.200/24
# your proxy listening port
SQUIDPORT=3128
############## Portas ##############
HTTP=80
HTTPS=443
SSH=22
DNS=53
POP3=110
SMTP=587
function IniciaFirewall(){
#### politica padrao - NEGA TUDO ####
echo "politica por omissao - negar TUDO"
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
##### configurando interfaces #######
ifconfig $IF_LAN $IP_LAN
route del default
route add default gw $IP_GW
echo "apaga as regras ja existentes"
$IPT -F
$IPT -X
$IPT -Z
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
$IPT -F POSTROUTING -t nat
$IPT -F PREROUTING -t nat
$IPT -F OUTPUT -t nat
############ stateless ###############
echo "permite loopbak"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
########### statefull ################
echo "descarta pacotes invalidos"
$IPT -A INPUT -m state --state INVALID -j DROP
echo "regras STATEFULL genericas"
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
########### DHCP ################
$IPT -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
echo "permitir DNS [ok]"
$IPT -A OUTPUT -p udp --sport 1024:65535 --dport $DNS -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $IF_LAN -o $IF_WAN --dport $DNS -j ACCEPT
echo "permite HTTP [ok]"
#$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport $HTTP -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $HTTP -j ACCEPT
echo "permite HTTPS [ok]"
#$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport $HTTPS -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $HTTPS -j ACCEPT
echo "libera portas para e-mail [ok]"
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $POP3 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $POP3 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $SMTP -j ACCEPT
echo "libera SSH [ok]"
$IPT -A INPUT -p tcp --dport $SSH -j LOG --log-level 4 --log-prefix 'SSH_WAN > '
$IPT -A INPUT -p tcp -i $IF_WAN --dport $SSH -j ACCEPT
########## seguranca da rede ##############
echo "Impedindo ataque Ping of Death e ping flood no Firewall vindo da rede interna"
#A regra abaixo limita em 1 vez por segundo (--limit 1/s) a passagem de pings (echo requests) para o Firewall
$IPT -A INPUT -p icmp --icmp-type echo-request -i $IF_LAN -j LOG --log-level 4 --log-prefix 'PING_INERNO > '
$IPT -A INPUT -p icmp --icmp-type echo-request -i $IF_LAN -m limit --limit 1/s -j ACCEPT
echo "Descarte de pacotes nao identificados ICMP"
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A INPUT -m state -p icmp --state INVALID -j DROP
$IPT -A FORWARD -m state -p icmp --state INVALID -j DROP
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
############ regras intercept squid cache #############
$IPT -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
$IPT -t nat -A POSTROUTING -j MASQUERADE
$IPT -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
############ compartilha link #############
echo "compartilha link de internet [ok]"
$IPT -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE
echo "habilitando encaminhamento de pacotes [ok]"
echo 1 > /proc/sys/net/ipv4/ip_forward
}
function LiberaFirewall(){
echo "politica Libera TUDO"
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#########################################
# configurando interfaces
#########################################
ifconfig $IF_LAN $IP_LAN
route del default
route add default gw $IP_GW
echo "apaga as regras ja existentes"
$IPT -F
$IPT -X
$IPT -Z
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
########## compartilha link ###############
echo "compartilha link de internet [ok]"
$IPT -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE
echo "habilitando encaminhamento de pacotes [ok]"
echo 1 > /proc/sys/net/ipv4/ip_forward
}
case $1 in
start)
IniciaFirewall
exit 0
;;
stop)
LiberaFirewall
exit 1
;;
restart)
LiberaFirewall;IniciaFirewall
exit 2
;;
*)
echo
echo "Use ||start|| para iniciar as regras desse Firewall, ||restart|| para reiniciar e ||stop|| para descartar todas as politicas de seguranca, NAO FACA ISSO!"
echo
exit 3
;;
esac
# FIM: tudo que não for explicitamente permitido será negado!
ls -l /var/log/squid/
total 88
-rw-r-----. 1 squid squid 0 Mar 28 22:56 access.log
-rw-r-----. 1 squid squid 88409 Mar 28 23:02 cache.log
Enviar mensagem ao usuário trabalhando com as opções do php.ini
Meu Fork do Plugin de Integração do CVS para o KDevelop
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Compartilhamento de Rede com samba em modo Público/Anônimo de forma simples, rápido e fácil
Cups: Mapear/listar todas as impressoras de outro Servidor CUPS de forma rápida e fácil
Criando uma VPC na AWS via CLI
Toda vez que tento atualizar o clamav me deparo com erros ao atualizar... (0)
Meu notebook não está funcionando no monitor secundário (2)
Queria saber se existe alguma forma de desistalar programa no ubuntu s... (2)
Quero saber sobre os melhores aplicativos de office para usar em 2024 ... (1)