arasouza
(usa Debian)
Enviado em 18/06/2012 - 14:31h
Ok cara segue o squid básico, lembre-se de modificar a opção da rede local e os caminhos das pastas para sua rede, a versão é o squid3, a opção transparent pode ser substituida por intercept se der algum problema. firewall segue abaixo:
http_port 3128 transparent
visible_hostname servidor
cache_mgr webmaster@localhost
error_directory /usr/share/squid3/errors/Portuguese
hierarchy_stoplist cgi-bin ?
cache_mem 512 MB
maximum_object_size_in_memory 64 MB
maximum_object_size 100 MB
cache_dir ufs /var/spool/squid3 2048 16 256
refresh_pattern ^ftp: 360 20% 10080
refresh_pattern -i (/cgi/bin/|\?) 0 0% 0
refresh_pattern . 0 0% 4320
access_log /var/log/squid3/access.log
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8
acl manager proto cache object
http_access allow manager localhost
http_access deny manager
acl purge method PURGE
http_access allow purge localhost
http_access deny purge
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # nntps
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl Safe_ports port 1025-65535 # unregistered ports
http_access deny !Safe_ports
acl connect method CONNECT
acl SSL_ports port 443 # https
acl SSL_ports port 563 # nntps
acl SSL_ports port 873 # rsync
http_access deny connect !SSL_ports
#bloqueando o dominio inteiro
acl bloqueados dstdomain "/etc/squid3/domains
#Bloquando por palavras
acl words dstdom_regex -i "/etc/squid3/words"
http_access deny ips-bloqueados
http_access deny bloqueados
http_access allow localnet
http_access allow localhost
http_access deny all
------------------------------------------------------------------
Iptables básico: veja que a minha placa externa é a eth1 e a local é a etho analise suas placas e configure abaixo o firewall de acordo com suas necessidades. não esquece de assinalar a resposta.
#!/bin/sh
# Vari�veis
# -------------------------------------------------------
iptables=/sbin/iptables
IF_EXTERNA=eth1
IF_INTERNA=eth0
# Ativa m�dulos
# -------------------------------------------------------
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
# Ativa roteamento no kernel
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward
# Prote��o contra IP spoofing
# -------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Zera regras
# -------------------------------------------------------
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
# Determina a pol�tica padr�o
# -------------------------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#################################################
# Tabela FILTER
#################################################
# Dropa pacotes TCP indesej�veis
# -------------------------------------------------------
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: "
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Dropa pacotes mal formados
# -------------------------------------------------------
iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: pacote mal formado: "
iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP
# Aceita os pacotes que realmente devem entrar
# -------------------------------------------------------
iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# Prote��o contra trinoo
# -------------------------------------------------------
iptables -N TRINOO
iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
iptables -A TRINOO -j DROP
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27444 -j TRINOO
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 27665 -j TRINOO
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 31335 -j TRINOO
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 34555 -j TRINOO
iptables -A INPUT -p TCP -i $IF_EXTERNA --dport 35555 -j TRINOO
# Prote��o contra worms
# -------------------------------------------------------
iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT
# Prote��o contra syn-flood
# -------------------------------------------------------
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
# Prote��o contra ping da morte
# -------------------------------------------------------
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Prote��o contra port scanners
# -------------------------------------------------------
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
iptables -A SCANNER -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER
# Loga tentativa de acesso a determinadas portas
# -------------------------------------------------------
iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: "
iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: "
iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: "
iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: "
iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: "
iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: "
iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: "
iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: "
iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: "
iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: "
iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: "
# Libera acesso externo a determinadas portas
# -------------------------------------------------------
#iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j ACCEPT
# Libera acesso de smtp para fora apenas para o IP XXX.XXX.XXX.XXX
# -------------------------------------------------------
#$iptables -A FORWARD -p tcp -d ! XXX.XXX.XXX.XXX --dport 25 -j LOG --log-level 6 --log-prefix "FIREWALL: SMTP proibido: "
#$iptables -A FORWARD -p tcp -d ! XXX.XXX.XXX.XXX --dport 25 -j REJECT
#################################################
# Tabela NAT
#################################################
# Ativa mascaramento de sa�da
# -------------------------------------------------------
iptables -A POSTROUTING -t nat -o $IF_EXTERNA -j MASQUERADE
# Proxy transparente
# -------------------------------------------------------
# OS COMANDOS ABAIXO FORAM RETIRADOS DAS 2 PRIMEIRAS LINHAS, ONDE FOI SUBSITITUIDO O EXTERNA PELO INTERNA PARA TESTAR O PROXY TRANSPARTENTE
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $IF_EXTERNA -p tcp --dport 8080 -j REDIRECT --to-port 3128
echo " Redirecionando portas DNS e NTP para o SQUID .......... [ OK ]"
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 123 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Bloqueia por ip o face
#--------------------------------------------------------
iptables -I FORWARD -s 10.10.20.116 -m string --algo bm --string "facebook.com" -j DROP
iptables -I FORWARD -s 10.10.20.116 -m string --algo bm --string "youtube.com" -j DROP
iptables -I OUTPUT -s 10.10.20.116 -m string --algo bm --string "facebook.com" -j DROP
iptables -I OUTPUT -s 10.10.20.116 -m string --algo bm --string "youtube.com" -j DROP
# Redireciona portas para outros servidores
# -------------------------------------------------------
#iptables -t nat -A PREROUTING -d 10.10.19.10 -p tcp --dport 22 -j DNAT --to-destination 10.10.20.250
# Redireciona portas na pr�pria m�quina
# -------------------------------------------------------
#$iptables -A PREROUTING -t nat -d 192.168.200.1 -p tcp --dport 5922 -j REDIRECT --to-ports 22
