julio1400
(usa Ubuntu)
Enviado em 18/12/2008 - 14:11h
Olá, boa tarde, sou novo no Linux.
Estou montando um servidor proxy e estou com alguns problemas; estou usando o Ubuntu Server 8.04.
Quando tento acessar meus relatórios do Squid pelo Sarg, eles estão sendo bloqueados pelo Squid (está me aparecendo a tela de bloqueio do Squid).
Já deixei o script do Squid sem nenhuma ACL de controle de acesso.
Segue a configuração do meu Squid como está; o relatório não está funcionando e dá bloqueio.
# start
# Squid configuration as posted (Ubuntu Server 8.04).
# http_access lines are evaluated top to bottom and the first match wins; a
# request that matches none of them gets the opposite of the last line.
# Listening port, in transparent (intercepting) mode.
# NOTE(review): the iptables script on this page redirects LAN port-80
# traffic to port 3129, not 8080 -- confirm which port the proxy (or an
# intermediary such as the commented-out dansguardian rule) really listens on.
http_port 8080 transparent
# Host name shown on Squid's error pages
visible_hostname firewall
# Squid tuning parameters
# QUERY matches cgi-bin URLs or a '?' in the path; such responses are not
# cached ("no_cache deny QUERY" below)
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 50
cache_swap_high 90
cache_dir ufs /var/spool/squid 2048 16 256
# Per-request log; presumably the file sarg parses to build its reports.
# A refused request is logged here too (TCP_DENIED) together with the URL and
# port asked for, which can be checked against the Safe_ports/CONNECT rules
# below to find which http_access line refused the sarg pages.
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# Regular ACLs
# NOTE(review): "all" conventionally means 0.0.0.0/0; here it is redefined as
# the LAN only, so "delay_access 1 allow all" and the final
# "http_access allow all" apply to 172.10.0.0/16 and to nothing else. Any
# other source address matches no http_access line and is denied by the
# implicit default.
acl all src 172.10.0.0/255.255.0.0
# One delay pool, class 2 (aggregate plus per-host limit), applied to "all";
# the parameters are restore-rate/bucket-size pairs in bytes
delay_pools 1
delay_class 1 2
delay_parameters 1 114688/114688 32768/32768
delay_access 1 allow all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl SSL_ports port 873
# Ports a client may request through the proxy (Squid's default list with a
# few additions)
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
no_cache deny QUERY
# Applying the ACLs (first match wins)
# Cache manager only from the proxy host itself
http_access allow manager localhost
http_access deny manager
# Refuse requests to ports outside Safe_ports, and CONNECT tunnels to ports
# other than SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# PURGE only from the proxy host itself
http_access allow purge localhost
http_access deny purge
http_access allow localhost
# Everything from the LAN ("all" above) is allowed; any other source falls off
# the end of the list and is denied (the opposite of this last line).
http_access allow all
E meu firewall também:
#!/bin/sh
#################################################
# Firewall settings: interfaces, hosts and the  #
# "anywhere" address used by the NAT rules.     #
#################################################
# External (WAN) interface
externa=eth0
# Internal (LAN) interface
interna=eth1
# Internal host referenced only by the commented-out per-host DNAT rules
fabiana=172.10.2.54
# Public address of this firewall; the DNAT rules match on -d "$meuip"
meuip=200.207.92.165
# Any source address
mundo=0/0
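#######################################
# Loads the firewall: flushes filter and nat, enables forwarding,
# masquerades the LAN, redirects LAN web traffic to the proxy and
# publishes internal services with DNAT.
# Globals:   externa, interna, meuip, mundo (read); fabiana appears only
#            in commented-out rules
# Arguments: none
# Outputs:   nothing on success; iptables/modprobe errors go to stderr
# Returns:   status of the last iptables command
# NOTE(review): no chain policy is set here, and firewall_stop sets all
# three to ACCEPT, so the per-port ACCEPT rules below restrict nothing
# yet: whatever they do not match is accepted by the policy. They become
# an allow-list only once INPUT (and FORWARD) has a DROP policy or a
# final DROP rule; the commented "block" rule at the end is the only
# trace of one. Before enabling that, also allow the proxy redirect port
# (after REDIRECT the packet carries the new destination port) and DHCP
# requests (source 0.0.0.0), or the LAN loses web access and DHCP.
#######################################
firewall_start(){
  # Start from empty filter and nat tables (chain policies are untouched)
  iptables -F
  iptables -F -t nat
  iptables -X
  # Kernel modules for NAT and FTP connection tracking
  modprobe iptable_nat
  modprobe ip_nat_ftp
  # Route packets between the interfaces
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Masquerade the LAN behind the firewall's address and let it forward anywhere
  iptables -t nat -I POSTROUTING -s 172.10.0.0/16 -j MASQUERADE
  iptables -A FORWARD -s 172.10.0.0/16 -j ACCEPT
  # Transparent proxy: LAN web traffic is redirected to a local port.
  # NOTE(review): the squid.conf on this page listens on 8080, while this
  # rule sends traffic to 3129 -- confirm what listens on 3129, otherwise
  # intercepted requests reach nothing.
  iptables -t nat -A PREROUTING -i "$interna" -p tcp --dport 80 -j REDIRECT --to-port 3129
  # Per-host internal rules (disabled)
  #iptables -t nat -A PREROUTING -s $fabiana -i $interna -p tcp --dport 3306 -j DNAT --to-dest 172.10.1.2
  #iptables -t nat -A PREROUTING -s $fabiana -i $interna -p tcp --dport 1001 -j DNAT --to-dest 172.10.1.2
  # dansguardian redirect (disabled)
  #iptables -t nat -A PREROUTING -i $interna -p tcp --dport 80 -j REDIRECT --to-port 3128
  # Logging (disabled; note the single-dash "-dport" -- iptables needs --dport
  # if this rule is ever re-enabled)
  #iptables -A INPUT -p tcp -dport 80 -i $externa -j LOG --log-level 6 --log-prefix "FIREWALL: http:"
  # Enable free use of loopback interfaces
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  # All TCP sessions should begin with SYN (checked for LAN sources only)
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 172.10.0.0/16 -j DROP
  # Services on the firewall itself, reachable from the LAN.
  # NOTE(review): these match on source address only, not on -i "$interna",
  # so a packet arriving on the external interface with a 172.10.0.0/16
  # source matches as well; adding -i "$interna" makes them spoof-resistant.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --dport 21 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 25 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 110 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 3389 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 1001 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 587 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 465 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p tcp --dport 995 -m state --state NEW -s 172.10.0.0/16 -j ACCEPT
  # UDP services from the LAN: NTP, DHCP server, DNS
  iptables -A INPUT -p udp --dport 123 -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p udp --dport 67 -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -s 172.10.0.0/16 -j ACCEPT
  # Inbound ICMP from the LAN: echo request (8) and time exceeded (11)
  iptables -A INPUT -p ICMP --icmp-type 8 -s 172.10.0.0/16 -j ACCEPT
  iptables -A INPUT -p ICMP --icmp-type 11 -s 172.10.0.0/16 -j ACCEPT
  # SSH NAT example (disabled)
  #iptables -t nat -A PREROUTING -i $externa -p tcp --dport 22:22 -j DNAT --to-dest 172.10.2.100
  #iptables -A FORWARD -p tcp -i $externa --dport 22:22 -d 172.10.2.100 -j ACCEPT
  #iptables -t nat -A PREROUTING -i $externa -p udp --dport 22:22 -j DNAT --to-dest 172.10.2.100
  #iptables -A FORWARD -p udp -i $externa --dport 22:22 -d 172.10.2.100 -j ACCEPT
  # Services published to the whole Internet (-s "$mundo", i.e. 0/0): SSH,
  # RDP, FTP, port 1001 and MySQL are forwarded to internal hosts.
  # NOTE(review): limiting -s to the addresses that need each service, or
  # reaching them over a VPN, reduces the exposed surface; a database port
  # is rarely meant to be reachable from outside. The UDP twin of each rule
  # likely matches nothing, since these are TCP services.
  # SSH NAT
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 22:22 -j DNAT --to-dest 172.10.2.100
  iptables -A FORWARD -p tcp --dport 22:22 -d 172.10.2.100 -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 22:22 -j DNAT --to-dest 172.10.2.100
  iptables -A FORWARD -p udp --dport 22:22 -d 172.10.2.100 -j ACCEPT
  # RDP NAT
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 3389:3389 -j DNAT --to-dest 172.10.1.1
  iptables -A FORWARD -p tcp --dport 3389:3389 -d 172.10.1.1 -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 3389:3389 -j DNAT --to-dest 172.10.1.1
  iptables -A FORWARD -p udp --dport 3389:3389 -d 172.10.1.1 -j ACCEPT
  # FTP NAT
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 21:21 -j DNAT --to-dest 172.10.1.1
  iptables -A FORWARD -p tcp --dport 21:21 -d 172.10.1.1 -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 21:21 -j DNAT --to-dest 172.10.1.1
  iptables -A FORWARD -p udp --dport 21:21 -d 172.10.1.1 -j ACCEPT
  # Internal ISIA NAT: the DNAT target is 172.10.1.2, so the FORWARD rules
  # must accept that same host (not 172.10.1.1)
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 1001:1001 -j DNAT --to-dest 172.10.1.2
  iptables -A FORWARD -p tcp --dport 1001:1001 -d 172.10.1.2 -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 1001:1001 -j DNAT --to-dest 172.10.1.2
  iptables -A FORWARD -p udp --dport 1001:1001 -d 172.10.1.2 -j ACCEPT
  # Internal database NAT: same target/FORWARD consistency as above
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 3306:3306 -j DNAT --to-dest 172.10.1.2
  iptables -A FORWARD -p tcp --dport 3306:3306 -d 172.10.1.2 -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 3306:3306 -j DNAT --to-dest 172.10.1.2
  iptables -A FORWARD -p udp --dport 3306:3306 -d 172.10.1.2 -j ACCEPT
  # block (disabled) -- the only default-deny candidate in this script
  #iptables -A INPUT -p tcp --syn -j DROP
}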
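#######################################
# Disables the firewall: opens all chain policies and empties the filter
# and nat tables.
# Globals:   none
# Arguments: none
# Outputs:   iptables errors to stderr
# Returns:   status of the last iptables command
#######################################
firewall_stop(){
  # Open the policies before flushing so no packet is refused while the
  # chains are empty.
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -F
  iptables -X
  # firewall_start loads REDIRECT/DNAT/MASQUERADE rules into the nat table;
  # without flushing it, "stop" leaves the proxy redirect and the published
  # internal services active.
  iptables -F -t nat
  iptables -X -t nat
}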
# Entry point: start | stop | restart; any other argument lists the filter table.
case "$1" in
  start)
    firewall_start
    ;;
  stop)
    firewall_stop
    printf '%s\n' "O Firewall esta sendo desativado"
    sleep 2
    printf '%s\n' "ok."
    ;;
  restart)
    printf '%s\n' "O Firewall esta sendo reiniciado"
    sleep 1
    printf '%s\n' "ok."
    firewall_stop
    firewall_start
    ;;
  *)
    iptables -L -n
    ;;
esac