Saudações amigos do fórum, estou precisando de uma ajuda para possível correção dos meus arquivos de configuração.
Estou com um servidor de internet, Debian lenny 5, squid 2.7 ESTABLE3 e iptables. Tenho um link da embratel de 1 Mb, mas estou enfrentando problemas com minha conexão, não sei se é do squid, iptables ou do roteador. A conexão está constantemente "caindo" e o navegador não acessa mais, dando erro de conexão por alguns segundos. Até o ssh perde a conexão.
Estou postando meus scripts para análise dos usuários do fórum que puderem me ajudar.
Obrigado.
IPTABLES:
#!/bin/sh
##/usr/local/bin/fw_nat
# Variaveis
mod="/sbin/modprobe"
ipt="/sbin/iptables"
IP="200.200.200.200"
WAN="eth0"
LAN="eth1"
# Modulos do Kernel
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE
# IRC FTP
$mod ip_nat_ftp
$mod ip_nat_irc
$mod ip_conntrack_ftp
$mod ip_conntrack_irc
# Limpa regras ativas
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X
# Politicas padrao
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT
# Loopback
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
# Mascaramento IP
#$ipt -t nat -A POSTROUTING -o $WAN -j SNAT --to-source $IP
#
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ICMP
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
# Conectividade Social
$ipt -t nat -I PREROUTING -p tcp --dport 80 -d 200.201.174.0/24 -j ACCEPT
$ipt -t nat -I PREROUTING -p tcp --dport 80 -d 200.252.47.0/24 -j ACCEPT
$ipt -t nat -I PREROUTING -p tcp --dport 80 -d 200.201.173.0/24 -j ACCEPT
# IIS
$ipt -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-dest 192.168.254.2
$ipt -t nat -A POSTROUTING -d 192.168.254.2 -s 192.168.254.0/25 -p tcp --dport 80 -j SNAT --to $IP
$ipt -A FORWARD -p tcp -i $WAN --dport 80 -d 192.168.254.2 -j ACCEPT
# Protecao contra port scanner
$ipt -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
echo "Bloqueando port scanners..."
# Protecao contra ataques
$ipt -A INPUT -m state --state INVALID -j DROP
echo "Bloqueando attacks..."
# Protecao contra SYN-FLOODS
$ipt -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo "Bloquendo syn-floods..."
# Protecao contra ping da morte
$ipt -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "Bloqueando ping da morte..."
# Bloqueando traceroute
$ipt -A INPUT -p udp -s 0/0 -i $LAN --dport 33435:33525 -j DROP
echo "Bloqueando traceroute..."
# Chain INPUT
$ipt -t mangle -A OUTPUT -o $WAN -p tcp --dport 21 -j TOS --set-tos 0x10
$ipt -t mangle -A OUTPUT -o $WAN -p tcp --dport 80 -j TOS --set-tos 0x10
$ipt -t mangle -A OUTPUT -o $WAN -p tcp --dport 53 -j TOS --set-tos 0x10
# Maximo processamento
$ipt -t mangle -A OUTPUT -o $WAN -p tcp --dport 20:21 -j TOS --set-tos 0x08
$ipt -A INPUT -i $LAN -j ACCEPT
$ipt -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "Proxy transparente ativado..."
# Rejeita o restante
$ipt -A INPUT -p tcp --syn -j DROP
==================================================
SQUID:
http_port 3128 transparent
visible_hostname srv.dominio
hierarchy_stoplist cgi-bin ?
minimum_object_size 2 KB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
cache_mem 156 MB
cache_dir ufs /var/spool/squid 5000 16 256
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# icon_directory /usr/share/squid/icons
error_directory /usr/share/squid/errors/Portuguese
#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Bloqueios e permissoes
# Sites
acl sites url_regex -i "/etc/squid/regras/sites"
http_access deny sites
# Palavras
acl palavras url_regex -i "/etc/squid/regras/palavras"
http_access deny palavras
# Extensoes
acl extensoes url_regex -i "/etc/squid/regras/extensoes"
http_access deny extensoes
# IP's
acl ips src "/etc/squid/regras/ips"
http_access deny ips
# Mini aplicativos
acl miniaplicativos rep_mime_type -i "/etc/squid/regras/miniaplicativos"
http_access deny miniaplicativos
acl fate src 192.168.254.0/25
#delay_pools 1
#delay_class 1 2
#delay_parameters 1 114688/114688 26384/26384
#delay_access 1 allow fate
http_access allow localhost
http_access allow fate
http_access deny all