Alex Resende
(usa Fedora)
Enviado em 01/11/2012 - 16:30h
Meu squid.conf
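http_port 3128
# ICP listener (UDP). Only cache peers should be able to query it; what
# reaches it is decided by icp_access further down in this file.
icp_port 3130
#
# Do not cache dynamic content (cgi-bin and URLs with a query string).
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
#
# Workaround for Apache's broken Vary handling (stock squid.conf snippet).
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
#
#######################
# Cache of resolved IP addresses / host names
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
#####################
# Memory used for hot objects
cache_mem 1024 MB
#
# Disk cache watermarks (percent of cache_dir size)
cache_swap_low 85
cache_swap_high 90
#
maximum_object_size 512 MB
minimum_object_size 0
#
maximum_object_size_in_memory 512 KB
#
#cache_dir aufs /srv/cache_squid/squid 2048 16 256
cache_dir aufs /srv/cache_squid/squid 250000 16 256
# cache_access_log is the Squid 2.x spelling; 3.x calls it access_log
# (check the installed release).
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
# Log the full client address. The original mask 255.255.255.0 zeroed the
# host part, so every machine on the 192.168.4.0/24 LAN was logged as
# 192.168.4.0 and a request could no longer be traced back to a host.
client_netmask 255.255.255.255
#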
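##### Windows Update cache #####
# refresh_pattern takes a regex: the dot before the extension group has to
# be escaped, otherwise it matches any character (".*.(cab|exe|msi)" also
# matched e.g. "...texe"). reload-into-ims turns a client reload into an
# If-Modified-Since revalidation instead of a full refetch.
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern msgruser.dlservice.microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
refresh_pattern microsoft.com/.*\.(cab|exe|msi) 10080 100% 43200 reload-into-ims
# Avira update cache
refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims
# Avast update cache
refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims
########### Video cache ###########
# "ignore-private" was removed: it made Squid store responses the origin
# marked "Cache-Control: private" and serve them to other users, i.e. a
# cross-user data leak. Dot escaped so only a literal ".flv" suffix matches.
# NOTE(review): ignore-no-cache was dropped by newer Squid releases; check
# that the installed one still accepts it.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire
acl youtube dstdomain .youtube.com
cache allow youtube
################################
################################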
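# Never abort a transfer the client cancelled (-1 = always fetch to the end).
# This completes update downloads for the cache, but it also lets a client
# make the proxy pull any object in full just by starting and aborting it.
quick_abort_min -1
##### Windows Update domain ACL #####
# dstdomain without a leading dot matches only that exact host name, so the
# original "windowsupdate.com" / "microsoft.com" entries did not cover their
# sub-domains. The dotted form matches the domain and every sub-domain and
# already includes the three specific hosts that were listed separately
# (Squid warns about such overlapping entries).
acl windowsupdate dstdomain .windowsupdate.com
acl windowsupdate dstdomain .microsoft.com
################################
# Unlimited range offset only for the update servers: Squid then fetches the
# whole object so Range requests become cacheable. Everything else keeps 0.
# NOTE(review): the ACL form of range_offset_limit needs a Squid release
# that supports it; older releases accept only the bare limit.
range_offset_limit -1 windowsupdate
range_offset_limit 0
hosts_file /etc/hosts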
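### Sites reachable without authentication (disabled) #####
#acl url_ign url_regex -i "/etc/squid/listas/url_ign"
#http_access allow url_ign
#
# --------------------------------------------------------------------
# ACCESS CONTROLS
# --------------------------------------------------------------------
# http_access rules are evaluated top-down, first match wins. The generic
# safety rules (manager, purge, Safe_ports, CONNECT) therefore come first.
# In the original order the MSN "allow" rules preceded them, so the hosts
# in the commsn list could reach MSN URLs on any port and CONNECT to any
# port, bypassing the Safe_ports / SSL_ports checks.
# NOTE(review): newer Squid releases predefine "all" and "manager" and may
# warn when they are redefined here.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# Stock Squid definition; the original line ended in a stray "3", which
# looked like a truncated "0.0.0.0/32".
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
#
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1025-65535 # unregistered ports
#
# Ports that may be reached through CONNECT tunnels
acl SSL_ports port 443 # https
acl SSL_ports port 465 # YAHOO - SMTP (SSL)
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 995 # YAHOO - POP3 (SSL)
#
acl purge method PURGE
acl CONNECT method CONNECT
#
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
#
# MSN Messenger handling
# Regex dots escaped: the original "login.live.com" also matched strings
# such as "loginXliveXcom". Both patterns remain unanchored substring
# matches against the whole URL.
acl msnmessenger url_regex -i gateway/gateway\.dll login\.live\.com
acl MSN rep_mime_type -i ^application/x-msn-messenger$
# Hosts allowed to use MSN
acl commsn src "/etc/squid/listas/msn/commsn"
# Web-based MSN sites
acl webmsn url_regex "/etc/squid/listas/msn/sitemsnweb"
# Allow MSN for the commsn hosts, deny it for everyone else
http_access allow commsn msnmessenger
http_access allow commsn webmsn
http_access deny msnmessenger
http_access deny webmsn
# rep_mime_type is a reply ACL: it has no effect in http_access (there is no
# reply yet when the request is checked), so the original
# "http_access allow/deny commsn MSN" lines never matched. It must be
# applied to the reply stream with http_reply_access.
http_reply_access allow commsn MSN
http_reply_access deny MSN
http_reply_access allow all
#
#**************************************#
# Proxy authentication: Basic auth against an htpasswd file.
# NOTE(review): Basic sends the password base64-encoded with every request,
# i.e. effectively in clear text on the LAN, and "casesensitive off" below
# further weakens it.
#**************************************#
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#
#**************************************#
# (PAM-based authentication is not configured.)
#**************************************#
#
#********************************************************#
# Text shown in the browser's authentication prompt
#********************************************************#
auth_param basic realm >>>> Servidor Matheus Define <<<< Info
#
auth_param basic children 5
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off
#
# Generic refresh rules. The site-specific refresh_pattern lines earlier in
# the file win because Squid uses the first matching pattern.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#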
#
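# Site-specific ACLs
#
acl rede_interna src 192.168.4.0/24
#
#*******************************************************#
# Scenario 1 - three user groups:                                #
#                                                                #
# Group 1 - usr_total    - unrestricted Internet access          #
# Group 2 - usr_liberado - any site not listed in url_bloqueado  #
# Group 3 - usr_bloqueado - only the sites listed in url_liberado#
#*******************************************************#
#
acl usuarios proxy_auth REQUIRED
#
#*** Unrestricted users
#
acl acesso_livre proxy_auth "/etc/squid/listas/usr_livre"
#
# First rule whose last ACL is proxy_auth: a request without credentials
# gets the 407 challenge here, so every rule below sees authenticated users.
http_access allow acesso_livre
#
## BLOCKED EXTENSIONS (old list, disabled) ##
#acl extencoes urlpath_regex -i "/etc/squid/listas/extencoes"
#http_access deny extencoes
###### Sites allowed for everybody #####
# NOTE(review): this sits after the first proxy_auth rule, so it still
# requires a login; move it above acesso_livre if it is meant to work
# without authentication.
acl url_liberado_todos url_regex -i "/etc/squid/listas/url_liberado_todos"
http_access allow url_liberado_todos
############### management group ################
acl acesso_diretoria proxy_auth "/etc/squid/listas/usr_diretoria"
acl url_diretoria url_regex -i "/etc/squid/listas/url_diretoria"
http_access deny url_diretoria
http_access allow acesso_diretoria !url_diretoria
## BLOCKED EXTENSIONS ##
acl estensoes urlpath_regex -i "/etc/squid/listas/estensoes"
http_access deny estensoes
##### HTTPS sites blocked for everybody ####
# CONNECT is already defined in the ACCESS CONTROLS section; the duplicate
# definition was dropped. These rules only see clients that are configured
# to use the proxy (CONNECT requests); HTTPS intercepted by iptables on
# port 443 never produces a CONNECT and is not filtered here.
acl HTTPS_NEGADO dstdomain "/etc/squid/listas/https_negados"
http_access deny CONNECT HTTPS_NEGADO
http_access deny HTTPS_NEGADO
## Forbidden words ##
# The original line was missing the closing quote of the file name.
acl palavrasproibidas dstdom_regex -i "/etc/squid/listas/palavrasproibidas"
http_access deny palavrasproibidas
#
#*** Users limited by the blocked-sites list
acl acesso_restrito proxy_auth "/etc/squid/listas/usr_restrito"
acl url_bloqueado url_regex -i "/etc/squid/listas/url_bloqueado"
#
http_access deny url_bloqueado
http_access allow acesso_restrito !url_bloqueado
#
#*** Users limited to the allowed-sites list
#
acl acesso_bloqueado proxy_auth "/etc/squid/listas/usr_bloqueado"
acl url_liberado url_regex -i "/etc/squid/listas/url_liberado"
http_access allow url_liberado
http_access deny acesso_bloqueado !url_liberado
#
# The former "allow usuarios acesso_livre / acesso_restrito / acesso_bloqueado"
# and "allow usuarios acesso_diretoria" lines were removed: each of those
# cases is already decided (allowed or denied) by the rules above, so they
# could never match.
#
#*****************************************************#
# Scenario 2 - every user may visit any site except those in the   #
# blocked-sites list and those matching the blocked words.         #
#*****************************************************#
# For this scenario the authentication parameters must be disabled. #
#*****************************************************#
#
# Blocked-sites list
#acl url_bloqueado url_regex -i "/etc/squid/listas/url_bloqueado"
#http_access deny url_bloqueado
#
http_access deny !rede_interna
# Default deny. The original ended with "http_access allow rede_interna",
# which granted unrestricted access to any LAN client that reached this
# point - in particular any authenticated user not present in one of the
# group lists above.
http_access deny all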
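# ICP: no cache_peer is configured in this file, so nothing legitimate
# queries UDP 3130. "allow all" let any host - including Internet hosts,
# unless the host firewall blocks UDP 3130 from the outside - ask what is
# in the cache. Re-open it only for explicit peers.
icp_access deny all
#
#cache_mgr matheusdefine
# The host name was split over two lines in the original; the directive
# needs its value on the same line.
visible_hostname www.matheusdefine.com.br
#
#error_directory /usr/share/squid/errors/Portuguese
error_directory /usr/share/squid/errors/pt-br
coredump_dir /var/spool/squid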
Meu Firewall
#!/bin/bash
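iniciar(){
    modprobe iptable_nat
    # Start from empty tables so that "start" is idempotent: the original
    # only appended, and a second "start" duplicated every rule.
    iptables -F
    iptables -t nat -F

    # Default deny for traffic to this host and for routed traffic. The
    # original never set a policy, so whatever the explicit DROP rules did
    # not name (UDP above 1023, non-TCP protocols, everything in FORWARD)
    # was accepted by the kernel default of ACCEPT.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    ##### Kernel hardening (set before forwarding is switched on) #####
    # Do not answer unicast or broadcast pings, ignore bogus ICMP errors
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Anti-spoofing: conf/default only affects interfaces created later;
    # conf/all is what covers the already existing eth0/eth1.
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
    # No source routing, no ICMP redirects, SYN cookies against SYN floods
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    ##### INPUT: traffic addressed to the gateway #####
    # Log attempts on the SSH port 51000. There is deliberately no ACCEPT
    # for it from the outside; LAN hosts are accepted by the eth1 rule.
    iptables -A INPUT -p tcp --dport 51000 -j LOG --log-prefix "Acesso SSH pela porta 51000 " --log-level crit
    # Malformed / out-of-state packets (port scans, ping of death, ...)
    iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "_BLOCKED_: "
    iptables -A INPUT -m state --state INVALID -j DROP
    # Replies to connections the gateway itself opened
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # LAN: both the interface and the source range are checked
    iptables -A INPUT -s 192.168.4.0/255.255.255.0 -i eth1 -j ACCEPT
    # DNS only from the LAN interface. The original accepted UDP 53 from any
    # interface, which exposes a resolver running on this host to the
    # Internet.
    iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
    # traceroute probes: log them, the DROP policy discards them
    iptables -A INPUT -p udp --dport 33435:33525 -j LOG --log-prefix "_BLOCKED_: "
    # Everything else addressed to the gateway (new TCP connections, X11
    # 6000-6063, privileged UDP ports, echo-request) falls through to the
    # DROP policy; the separate rules the original had for each of those
    # are therefore no longer needed.

    ##### OUTPUT #####
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ##### FORWARD: routed traffic #####
    iptables -A FORWARD -m state --state INVALID -j DROP
    # New TCP connections must start with a SYN
    iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections through the gateway. The former
    # "--syn -m limit --limit 1/s -j ACCEPT" rules were dropped: with the
    # ACCEPT policy they accepted nothing extra, and with a DROP policy they
    # would cap the whole LAN at one new connection per second.
    # tcp_syncookies above is the SYN-flood control.
    iptables -A FORWARD -i eth1 -s 192.168.4.0/24 -j ACCEPT
    echo "Regras de firewall ativadas"

    ##### NAT / connection sharing #####
    ##### pppoe uplink
    #iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o ppp0 -j MASQUERADE
    #### fixed-IP uplink: only masquerade the LAN range
    iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o eth0 -j MASQUERADE
    # Hosts that bypass the proxy (250>teste) (217>martaLinux) (204>alexLinux) (230>manutencao) (50>xpmodeOliveira)
    # NOTE(review): these hosts leave the LAN with no proxy filtering and
    # no access.log entry; keep the list short and reviewed.
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j ACCEPT -s 192.168.4.12,192.168.4.10,192.168.4.250,192.168.4.204,192.168.4.217,192.168.4.230,192.168.4.50,192.168.4.11,192.168.4.218,192.168.4.115,192.168.4.103,192.168.4.219
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j ACCEPT -s 192.168.4.12,192.168.4.10,192.168.4.250,192.168.4.204,192.168.4.217,192.168.4.230,192.168.4.50,192.168.4.11,192.168.4.218,192.168.4.115,192.168.4.103,192.168.4.219
    # Transparent proxy for the remaining LAN hosts.
    # Port 80 interception needs the Squid listener declared with the
    # "transparent" (2.6/3.0) or "intercept" (3.1+) option; the squid.conf
    # above uses a plain "http_port 3128", and intercepted clients cannot
    # answer a proxy_auth (407) challenge.
    # Port 443: Squid cannot unwrap TLS on that listener, so this does not
    # proxy HTTPS - it makes direct HTTPS fail, which forces clients to
    # configure the proxy explicitly (where the CONNECT rules apply). A
    # REJECT rule in FORWARD would state that intent more clearly.
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    echo "Proxy transparente ativado"

    # Enable routing only after all rules are in place
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Compartilhamento ativado"
}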
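parar(){
    # Flush all rules and fall back to ACCEPT on the three filter chains.
    # FORWARD was missing from the original reset, so a DROP policy set on
    # it (by hand or by another tool) would have survived "stop".
    # Forwarding is switched off, so nothing is routed afterwards, but the
    # gateway itself is left wide open until "start" runs again.
    iptables -F
    iptables -t nat -F
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "Regras de firewall e compartilhamento desativados"
}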
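case "$1" in
    "start") iniciar ;;
    "stop") parar ;;
    "restart") parar; iniciar ;;
    # Any other argument: print the usage (the original message did not
    # mention restart) and exit non-zero so callers can detect the mistake.
    *) echo "Use os parâtros start, stop ou restart"; exit 1 ;;
esac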