Ola a todos,
Pessoal trabalho em uma secretaria de educação de uma cidade no interior do ceará e não estou conseguindo configurar o squid 3 no fedora 11 como proxy transparente, só funciona se eu setar nos browses dos terminais. Acontece que são muitos computadores e tem muitos visitantes que usam a rede wireless. Então o proxy é muito importante, até porque tenho que bloquear conteudo indesejaveis.
Meu squid.conf está configurado assim.
http_port 3128 transparent
cache_mem 8 MB
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 30000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl blocked url_regex -i "/etc/squid/bloqueados/block.txt"
acl unblocked url_regex -i "/etc/squid/bloqueados/unblock.txt"
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow to_localhost
http_access deny blocked !unblocked
acl mynetwork src 192.168.0.0/24
http_access allow localhost
http_access allow mynetwork
http_reply_access allow all
icp_access allow all
deny_info ERR_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on
dentro do rc.local eu coloquei as seguintes regras de iptables:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.0.0/255.255.255.0 --dport 80 -i eth0 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p tcp -m multiport -s 192.168.0.0/255.255.255.0 --dport 8080 -i eth0 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
agradeço qualquer ajuda.
Antonio Sales