braytner
(usa Debian)
Enviado em 27/02/2013 - 19:39h
Pessoal...desculpa...segue aqui os meus arquivos de configurações
Eth0 = conectada a internet através de um modem
Eth1 = Ip fixo e servidor dhcp rede interrna
##############################
#/bin/bash -x
IPTABLES=/sbin/iptables
modprobe ip_conntrack
modprobe ip_tables
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_REJECT
#desligando forward
echo 0 > /proc/sys/net/ipv4/ip_forward
#limpando tabela NAT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING
#limpando regras
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
#setando polihticas
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
#impedindo alteracao de rotas
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#prot contra responses bogus
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#prot contra syn-flood
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#contra traceroute
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#contra ip spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.1.1.1:3128
#--------INPUT--------
$IPTABLES -A INPUT -i lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i em1 --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 3128 -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s 10.1.1.0/24 -p tcp --dport 3128 -j ACCEPT
#--------OUTPUT-------
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1/8 -d 127.0.0.1/8 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
# BLOQUEIO DO FACEBOOK
iptables -A FORWARD -d 65.201.208.24/29 -j REJECT
iptables -A FORWARD -d 65.204.104.128/28 -j REJECT
iptables -A FORWARD -d 66.93.78.176/29 -j REJECT
iptables -A FORWARD -d 66.92.180.48/28 -j REJECT
iptables -A FORWARD -d 67.200.105.48/30 -j REJECT
iptables -A FORWARD -d 69.63.176.0/20 -j REJECT
iptables -A FORWARD -d 69.171.224.0/19 -j REJECT
iptables -A FORWARD -d 74.119.76.0/22 -j REJECT
iptables -A FORWARD -d 204.15.20.0/22 -j REJECT
iptables -A FORWARD -d 204.15.20.0/22 -j REJECT
iptables -A FORWARD -d 66.220.144.0/20 -j REJECT
iptables -A FORWARD -d 173.252.64.0/18 -j REJECT
iptables -A OUTPUT -d 65.201.208.24/29 -j REJECT
iptables -A OUTPUT -d 65.204.104.128/28 -j REJECT
iptables -A OUTPUT -d 66.93.78.176/29 -j REJECT
iptables -A OUTPUT -d 66.92.180.48/28 -j REJECT
iptables -A OUTPUT -d 67.200.105.48/30 -j REJECT
iptables -A OUTPUT -d 69.63.176.0/20 -j REJECT
iptables -A OUTPUT -d 69.171.224.0/19 -j REJECT
iptables -A OUTPUT -d 74.119.76.0/22 -j REJECT
iptables -A OUTPUT -d 204.15.20.0/22 -j REJECT
iptables -A OUTPUT -d 204.15.20.0/22 -j REJECT
iptables -A OUTPUT -d 66.220.144.0/20 -j REJECT
iptables -A OUTPUT -d 173.252.64.0/18 -j REJECT
#------FORWARD--------
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -i eth1 -s 10.1.1.0/24 -o eth0 -j ACCEPT
#--------NAT----------
$IPTABLES -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
#habilitando forward
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Firewall Startado com Sucesso"
exit 0
AGORA O squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl redelocal src 10.1.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access _host virtual
http_access port 80
http_access with_proxy on
http_access uses_host_header on
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow redelocal
http_access deny all
icp_access deny all
htcp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 128 MB
maximum_object_size_in_memory 64 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid3/1 8192 16 256
minimum_object_size 0 KB
maximum_object_size 102400 KB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log none
#Não tocar nessas linhas, ela é de crucial importancia para o funcionamento #do cache do squid, apenas mantenha como esta ok
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
ie_refresh on
half_closed_clients off
cache_mgr webmaster
httpd_suppress_version_string on
visible_hostname diamante
detect_broken_pconn on
icp_port 0
error_directory /usr/share/squid3/errors/Portuguese
coredump_dir /var/spool/squid3
OBRIGADO!!
