Pessoal ja quebrei a cabeça e não consigo achar onde esta o erro (ou estou muito cego hehehe :toim: ).
A situação é a seguinte:
Não consigo usar proxy transparente as páginas simplesmente não abrem em nenhum cliente. Mas se marcar as configurações de proxy no browser ai funciona perfeitamente. Segue abaixo meu squid.conf e meu firewall.
Squid.conf
Código :http_port 8080 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY cache_dir ufs /var/spool/squid 7000 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log pid_filename /var/run/squid.pid auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl all src 0.0.0.0/0.0.0.0 acl mynet src 192.168.1.0/255.255.255.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow mynet http_access allow localhost http_access deny all http_reply_access allow all icp_access allow all cache_mgr [email][email protected][/email] cache_effective_user squid cache_effective_group squid httpd_accel_port 80 httpd_accel_port 21 httpd_accel_host virtual httpd_accel_with_proxy on httpd_accel_uses_host_header on visible_hostname ns.meuhost.com error_directory /etc/squid/errors coredump_dir /var/spool/squid
Firewall
Código :#!/bin/bash # Variaveis # ------------------------------------------------------- iptables=/sbin/iptables IF_EXTERNA=ppp0 IF_INTERNA=eth0 echo "Variaveis OK!" # Ativa modulos # ------------------------------------------------------- /sbin/modprobe iptable_nat /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp /sbin/modprobe ipt_LOG /sbin/modprobe ipt_REJECT /sbin/modprobe ipt_MASQUERADE echo "Carga dos Modulos OK!" # Ativa roteamento no kernel # ------------------------------------------------------- echo "1" > /proc/sys/net/ipv4/ip_forward echo "Roteamento OK!" # Protecao contra IP spoofing # ------------------------------------------------------- echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter echo "Protecao contra IP Spoofing OK!" # Zera regras # ------------------------------------------------------- $iptables -F $iptables -X $iptables -F -t nat $iptables -X -t nat $iptables -F -t mangle $iptables -X -t mangle echo "Flush das regras OK!" # Determina a politica padrao # ------------------------------------------------------- $iptables -P INPUT DROP $iptables -P OUTPUT DROP $iptables -P FORWARD DROP echo "Politica padrao OK!" # Dropa pacotes TCP indesejaveis # ------------------------------------------------------- $iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level 6 --log-prefix "FIREWALL: NEW sem syn: " $iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP # Dropa pacotes mal formados # ------------------------------------------------------- #$iptables -A INPUT -i $IF_EXTERNA -m unclean -j LOG --log-level 6 --log-prefix "FIREWALL: Pac. Mal Formado: " #$iptables -A INPUT -i $IF_EXTERNA -m unclean -j DROP # Protecao contra worms # ------------------------------------------------------- $iptables -A FORWARD -p tcp --dport 135 -i $IF_INTERNA -j REJECT # Aceita os pacotes que realmente devem entrar # ------------------------------------------------------- $iptables -A INPUT -i ! $IF_EXTERNA -j ACCEPT $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT $iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT echo "Pacotes IN/OUT OK!" # Protecao contra trinoo # ------------------------------------------------------- $iptables -N TRINOO $iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: " $iptables -A TRINOO -j DROP $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 27444 -j TRINOO $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 27665 -j TRINOO $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 31335 -j TRINOO $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 34555 -j TRINOO $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 35555 -j TRINOO echo "Protecao contra TRINOO OK!" # Protecao contra tronjans # ------------------------------------------------------- $iptables -N TROJAN $iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: " $iptables -A TROJAN -j DROP $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 666 -j TROJAN $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 666 -j TROJAN $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 4000 -j TROJAN $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 6000 -j TROJAN $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 6006 -j TROJAN $iptables -A INPUT -p tcp -i $IF_EXTERNA --dport 16660 -j TROJAN echo "Protecao contra TROJANS OK!" # Protecao contra syn-flood # ------------------------------------------------------- $iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT $iptables -A FORWARD -p tcp -j DROP echo "Protecao contra SYN-FLOOD OK!" # Protecao contra ping da morte # ------------------------------------------------------- $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT $iptables -A FORWARD -p icmp -j DROP echo "Protecao contra Ping-Of-Death OK!" # Protecao contra port scanners # ------------------------------------------------------- $iptables -N SCANNER $iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: " $iptables -A SCANNER -j DROP $iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $IF_EXTERNA -j SCANNER $iptables -A INPUT -p tcp --tcp-flags ALL NONE -i $IF_EXTERNA -j SCANNER $iptables -A INPUT -p tcp --tcp-flags ALL ALL -i $IF_EXTERNA -j SCANNER $iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $IF_EXTERNA -j SCANNER $iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $IF_EXTERNA -j SCANNER $iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $IF_EXTERNA -j SCANNER $iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $IF_EXTERNA -j SCANNER echo "Protecao contra Port-Scanners OK!" # Loga tentativa de acesso a determinadas portas # ------------------------------------------------------- $iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ftp: " $iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: ssh: " $iptables -A INPUT -p tcp --dport 23 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: telnet: " $iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: smtp: " $iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: http: " $iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: pop3: " $iptables -A INPUT -p udp --dport 111 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: rpc: " $iptables -A INPUT -p tcp --dport 113 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: identd: " $iptables -A INPUT -p tcp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: " $iptables -A INPUT -p udp --dport 137:139 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: samba: " $iptables -A INPUT -p tcp --dport 143 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: IMAP: " $iptables -A INPUT -p tcp --dport 161:162 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: snmp: " $iptables -A INPUT -p tcp --dport 6667:6668 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: irc: " $iptables -A INPUT -p tcp --dport 3128 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: " $iptables -A INPUT -p tcp --dport 8080 -i $IF_EXTERNA -j LOG --log-level 6 --log-prefix "FIREWALL: squid: " echo "Logs OK!" # Habilitando acesso a determinadas portas # -------------------------------------------------------- $iptables -A INPUT -p tcp --dport 21 -i $IF_EXTERNA -j ACCEPT $iptables -A INPUT -p tcp --dport 22 -i $IF_EXTERNA -j ACCEPT $iptables -A INPUT -p tcp --dport 25 -i $IF_EXTERNA -j ACCEPT $iptables -A INPUT -p udp --dport 53 -i $IF_EXTERNA -j ACCEPT $iptables -A INPUT -p tcp --dport 80 -i $IF_EXTERNA -j ACCEPT $iptables -A INPUT -p tcp --dport 110 -i $IF_EXTERNA -j ACCEPT $iptables -A INPUT -p tcp --dport 143 -i $IF_EXTERNA -j ACCEPT $iptables -A INPUT -p tcp --dport 443 -i $IF_EXTERNA -j ACCEPT echo "Acesso a determinadas portas OK!" # Proxy transparente # ------------------------------------------------------- $iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 8080 $iptables -t nat -A PREROUTING -i $IF_INTERNA -p tcp --dport 3128 -j REDIRECT --to-port 8080
:cry: Pessoal li várias vz esses scripts e não consigo achar o problema, por favor