removido
(usa Nenhuma)
Enviado em 27/04/2011 - 10:50h
olá galera, to com um problema aqui no meu firewall para liberar a navegação..
meu squid ta configurado como transparente porém se algum usuario inserir um proxy direto no navegador com porta 8080 ou 80 ele consegue usar o proxy e burla meu squid que está na porta 3128.. Como corrijo isso? Os sites em https estão funcionando normalmente mas me disseram que com proxy transparente eles não funcionam.. Outra dúvida, meu dansguardian está configurado na porta 8081 mas quando tento navegar a pagina fica carregando e não vai pra frente..
vou postar minhas configs pro pessoal tentar me ajudar..
eth0: 192.168.1.0/24 (rede interna pro pessoal)
eth1: 10.1.1.6/8 (rede que recebe internet)
seguem os scripts
IPTABLES
#!/bin/sh
case "$1" in
start)
echo "Iniciando firewall..."
#Variáveis
IPTABLES="/sbin/iptables"
LAN=eth0
LAN1=eth1
LAN_INT="192.168.1.0/24"
#Módulos IPTABLES
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_multiport
modprobe iptable_mangle
modprobe ipt_limit
#Zera todas as regras do iptables
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -X
#PolÃticas Padroes
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#Ativar ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
#Desabilitar respostas a comandos ping
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#####################################
# FILTER INPUT
#####################################
#Libera SSH
$IPTABLES -I INPUT -p tcp --dport 22 -s 10.1.1.0/8 -j ACCEPT
#$IPTABLES -I INPUT -p tcp --dport 22 -s 172.27.1.23 -j ACCEPT
$IPTABLES -A INPUT -m tcp -p tcp ! -s 127.0.0.1 --dport 3128 -j DROP
#Liberar Proxy para rede interna
#DESNECESSARIA P/ USO COM DANSGUARDIAN $IPTABLES -A INPUT -p tcp -i eth0 -s $LAN_INT --dport 3128 -j ACCEPT
#dansguardian monitoramento
$IPTABLES -A INPUT -p tcp -i eth0 -s $LAN_INT --dport 8081 -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 -s $LAN_INT --dport 8081 -j ACCEPT
#Habilitando o icmp interno
$IPTABLES -I INPUT -i lo -j ACCEPT
echo "Ativado o fluxo interno"
echo "Ativado ....................................................... [ OK ]"
#Libera as portas principais do servidor
$IPTABLES -I INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -I INPUT -m state --state RELATED -j ACCEPT
$IPTABLES -I INPUT -p icmp -j ACCEPT
#Porta 80 para apache interno
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 --syn -j ACCEPT
echo "Ativado a liberação das portas principais"
$IPTABLES -I INPUT -p udp -s $LAN_INT --dport 53 -j ACCEPT
######################################
# FILTER OUTPUT
######################################
#Habilitando o icmp interno
$IPTABLES -I OUTPUT -o lo -j ACCEPT
##########################################################
# FILTER FORWARD
######################################
#Roteamento de placas de REDE iptables
$IPTABLES -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
#Desnecessaria p/ uso com o dansguardian $IPTABLES -A FORWARD -s $LAN_INT -p tcp --dport 3128 -j ACCEPT
#DNS
$IPTABLES -A FORWARD -p udp -s $LAN_INT --dport 53 -j ACCEPT
######################################
# PING-MORTE-FLOOD
######################################
#Bloqueio ping da morte flood
$IPTABLES -N PING-MORTE
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j PING-MORTE
$IPTABLES -A PING-MORTE -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A PING-MORTE -j DROP
echo "Ativado o bloqueio à tentativa de ataque ping da morte flood"
echo "Ativado ....................................................... [ OK ]"
####################################
# SYN ACK and FIN
####################################
#Bloqueio de scanners ocultos (Shealt Scan)
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
echo "Bloqueado scanners ocultos"
echo "Ativado ....................................................... [ OK ]"
######################################
# SSH-BRUTE-FORCE
######################################
#Bloqueio de ataque ssh de força bruta
$IPTABLES -N SSH-BRUTE-FORCE
$IPTABLES -A INPUT -i $LAN -p tcp --dport 22 -j SSH-BRUTE-FORCE
$IPTABLES -A SSH-BRUTE-FORCE -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SSH-BRUTE-FORCE -j DROP
echo "Ativado o bloqueio à tentativa de ataque do tipo SSH-BRUTE-FORCE"
echo "Ativado ....................................................... [ OK ]"
######################################
# NAT
######################################
############################
# BLOQUEANDO MSN
############################
$IPTABLES -A FORWARD -s 192.168.1.0/24 -p TCP --dport 1863 -j REJECT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -d loginnet.passport.com -j REJECT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -d messenger.hotmail.com -j REJECT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -d webmessenger.msn.com -j REJECT
$IPTABLES -A FORWARD -p tcp --dport 1080 -j DROP
$IPTABLES -A FORWARD -s 192.168.1.0/24 -p tcp --dport 1080 -j REJECT
#Habilita o roteamento da porta 80 para proxy transparente do hospital
$IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 0 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8081
$IPTABLES -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8081
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 8081 -j REDIRECT --to-port 3128
echo "Regra para proxy transparente habilitada"
echo "Ativado ....................................................... [ OK ]"
#Roteamento de interface
$IPTABLES -t nat -A POSTROUTING -s 0/0 -j MASQUERADE
echo "Ativado o redirecionamento ip_forward"
echo "Ativado ....................................................... [ OK ]"
#Zera contadores
echo "FIREWALL CARREGADO COM SUCESSO!!"
echo "Ativado ....................................................... [ OK ]"
;;
restart)
$0 stop
$0 start
;;
status)
iptables-save > /var/log/firewall |less
cat /var/firewall/firewall
;;
stop)
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P FORWARD ACCEPT
echo "parando firewall..."
;;
*)
echo "usage: {start|stop|restart}"
exit 1
esac
exit 0
SQUID
acl all src all
acl blockedsites url_regex -i "/etc/squid/bloqueados/block.txt"
acl unblockedsites url_regex -i "/etc/squid/bloqueados/unblock.txt"
#acl redeinterna src 192.168.1.0/24
#follow_x_forwarded_for allow redeinterna
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl QUERY urlpath_regex cgi-bin \?
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 48 MB
#Opcoes de otimizacao do sistema
maximum_object_size 1024 MB
minimum_object_size 0 KB
cache_swap_low 50
cache_swap_high 90
cache_access_log /var/log/squid/access.log
cache_effective_user proxy
http_access allow manager localhost
#http_access allow redeinterna
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny blockedsites !unblockedsites
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 127.0.0.1:3128 transparent
visible_hostname HRTGB
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
Dansguardian
filterip =
# the port that DansGuardian listens to.
filterport = 8081
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on
proxyport = 3128
alguem ai sabe o que pode ser ?
conto com a ajuda de vcs galera, Obrigado a todos.