thiagoubiratan
(usa Ubuntu)
Enviado em 28/09/2011 - 11:20h
blza cara..
Este é meu squid.conf
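http_port 3128 transparent
visible_hostname squid
error_directory /usr/share/squid/errors/English/
# memory reserved for in-transit and hot objects
cache_mem 256 MB
# object size limits (minimum 0 KB = no lower bound)
maximum_object_size 6144 KB
minimum_object_size 0 KB
# this directive appeared twice in the original (64 KB, then 100 KB);
# squid takes the last value, so only the effective 100 KB is kept
maximum_object_size_in_memory 100 KB
# IP cache size and low/high water marks (percent)
ipcache_size 2048
ipcache_low 90
ipcache_high 93
cache_replacement_policy lru
memory_replacement_policy lru
# disk cache water marks (percent) and a 2048 MB ufs store
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# base ACLs
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
# cache manager and PURGE only from the proxy host itself
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# allow lists: client addresses and URL regexes read from files
acl IPs_liberados src "/etc/squid/liberados/IPs"
#acl Palavrasproibidas dstdom_regex "/etc/squid/bloqueados/Palavras"
acl Sites_Liberados url_regex -i "/etc/squid/liberados/Sites"
#acl Sites_Bloqueados url_regex -i "/etc/squid/bloqueados/Sites"
# ACL name now matches its definition exactly (the original wrote IPs_Liberados here)
http_access allow IPs_liberados
# NOTE: this line has no src restriction, so a URL matching the Sites file
# is allowed for any client, not only those listed in IPs_liberados
http_access allow Sites_Liberados
#http_access deny Palavrasproibidas
#http_access deny Sites_Bloqueados
#acl redelocal src 10.85.50.0/24
#http_access allow localhost
#http_access allow redelocal
# everything not explicitly allowed above is denied
http_access deny all
#acl extensoes url_regex -i .* .exe .mp3 .vqf .tar.gz .gz .rar .avi .mpeg .mpe .qt .ram .rm .iso .raw .mov .rmvb .mkv
#acl admin src 10.85.50.222
#acl terminais src 10.85.50.0/24
#delay_pools 2
#delay_class 1 2
#delay_parameters 1 -1/-1 -1/-1
#delay_access 1 allow admin
#delay_class 2 2
#delay_parameters 2 10000/10000 10000/10000
#delay_access 1 allow admin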
e este é meu Firewall
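#!/bin/bash
# Gateway firewall for the 10.85.50.0/24 LAN: NAT, transparent redirect of
# LAN HTTP to the local squid (http_port 3128) and rate limits for ICMP echo
# requests and new SSH connections.  Install as a boot script with:
#   update-rc.d firewall defaults
#
# No chain policy (-P) is set anywhere in this script, so the kernel default
# (ACCEPT) stays in force for INPUT/OUTPUT/FORWARD; the ACCEPT rules at the
# bottom only become meaningful if a DROP policy is added later.
IPT=iptables
# LAN address range
IPSOURCE=10.85.50.0/24
# SSH port
PORT=10000
# LAN-facing interface
LAN=eth0

echo "Ativando Firewall..."

######################
# Flush existing rules #
######################
# -F without a chain name flushes every chain of the filter table, so the
# per-chain INPUT/OUTPUT/FORWARD flushes of the original were redundant.
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -X

#########################################
# Enable IPv4 forwarding (internet sharing) #
#########################################
echo "1" > /proc/sys/net/ipv4/ip_forward

###################################
# NAT and transparent proxy #
###################################
"$IPT" -A FORWARD -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s "$IPSOURCE" -j MASQUERADE
# HTTP arriving on the LAN interface is redirected to squid on 3128
"$IPT" -t nat -I PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-port 3128

##############
# PING-MORTE #
##############
# Rate-limit ICMP echo requests: burst of 4, then 1/s; excess is dropped.
"$IPT" -N PING-MORTE
"$IPT" -A INPUT -p icmp --icmp-type echo-request -j PING-MORTE
"$IPT" -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
"$IPT" -A PING-MORTE -j DROP

###################
# SYN ACK and FIN #
###################
# Stealth-scan rule.  The original "--tcp-flags SYN,ACK, FIN," is not valid
# iptables syntax (the option takes a mask list and a comparison list), so a
# valid form (mask SYN,ACK,FIN,RST, match RST) is used here.  The rule is
# appended after the unconditional FORWARD ACCEPT above and therefore never
# matches; it is kept to preserve the original layout.  Move it ahead of
# that ACCEPT and pair it with a DROP if rate limiting is actually wanted.
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

##################
# SSH-BRUT-FORCE #
##################
# Rate-limit new SSH connections from the LAN: burst of 4, then 1/s, excess
# dropped.  The original used "-i 10.85.50.0/24", but -i takes an interface
# name; the LAN range is a source address (-s).  Only SYN packets go through
# the limiter -- limiting every packet would throttle established sessions
# to one packet per second.
"$IPT" -N SSH-BRUT-FORCE
"$IPT" -A INPUT -s "$IPSOURCE" -p tcp --syn --dport "$PORT" -j SSH-BRUT-FORCE
"$IPT" -A SSH-BRUT-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
"$IPT" -A SSH-BRUT-FORCE -j DROP

########################################
### Samba ports from the LAN
########################################
"$IPT" -A INPUT -s "$IPSOURCE" -p tcp --dport 137:139 -j ACCEPT
"$IPT" -A INPUT -s "$IPSOURCE" -p udp --dport 137:139 -j ACCEPT

#####################
# INPUT FILTER #
#####################
# Appended (-A), not inserted (-I): the original -I placed the SSH ACCEPT at
# the head of INPUT, ahead of the SSH-BRUT-FORCE jump, so LAN SSH traffic
# never reached the limiter.
# SSH
"$IPT" -A INPUT -p tcp --dport "$PORT" -s "$IPSOURCE" -j ACCEPT
"$IPT" -A INPUT -p udp --dport "$PORT" -s "$IPSOURCE" -j ACCEPT
# PostgreSQL
"$IPT" -A INPUT -p tcp --dport 5432 -s "$IPSOURCE" -j ACCEPT
"$IPT" -A INPUT -p udp --dport 5432 -s "$IPSOURCE" -j ACCEPT
echo "OK"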
pronto amigo.