Windows Vista SPK1 não acessa Através de Proxy Transparente!

**slipbad** · 15-07-2008, 10:17

Olá,

Sou novo no forum,

Vou explicar o que esta acontecendo.

A algum tempo recebemos 4 notebook com Windows vista Ultimate com SPK1, eles nao acessam a internet nem email via outlook. O proxy transparente, funciona 100% para maquinas com XP, porém com vista nao acessa net e nem email(outlook).

Criei uma regra mais tosca para que eles acessassem a internet, porem nao passam pelas regras do proxy. Portanto totalmente fora do padrao.

Já verifiquei o firewall dos mesmo porem esta ok. nao estao barrando nada em relação ao proxy.

Segue abaixo o meu squid.conf e meu iptables.

Squid.conf

http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/cache/squid 1000 16 384
maximum_object_size 4096 KB
cache_access_log /var/log/squid/access.log
error_directory /usr/share/squid/errors/Portuguese
ftp_user Squid@
# Auth_Param
auth_param ntlm program /usr/lib/squid/ntlm_auth server/serverarq
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 5 minutes
# ACLS auth_param
acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
acl outlook url_regex "/etc/squid/listas/domoutlook"
always_direct allow outlook
always_direct allow webdav

acl usuario proxy_auth REQUIRED
acl update url_regex -i "/etc/squid/listas/update"
acl baduser proxy_auth_regex -i "/etc/squid/listas/baduser"
acl privusers proxy_auth_regex -i "/etc/squid/listas/privusers"
acl TI proxy_auth_regex -i "/etc/squid/listas/ti"
acl liberados url_regex "/etc/squid/listas/liberados"
acl liberadownloads url_regex -i "/etc/squid/listas/liberadownloads"
acl bloqueados url_regex "/etc/squid/listas/bloqueados"
acl bloqoutros url_regex "/etc/squid/listas/bloqoutros"
acl bloqgeral url_regex "/etc/squid/listas/bloqgeral"
acl bloqdownloads url_regex -i "/etc/squid/listas/bloqdownloads"
acl listabranca url_regex -i "/etc/squid/listas/listabranca"

acl HOST_MSN src 10.X.X.X/255.255.255.255
acl Negar_MSN dstdomain "/etc/squid/listas/msn.txt"
acl Negar_MSN2 url_regex "/etc/squid/listas/msn2.txt"
acl msn url_regex -i /gateway/gateway.dll

####### Para bloquear um computador pelo ip acrescenta-lo no arquivo MaqBloqueadas
acl MaquinasBloqueadas src "/etc/squid/listas/MaqBloqueadas"
http_access deny MaquinasBloqueadas

----Aqui foi onde coloquei para as maquinas com vista acessarem a internet------
# ACLS

acl teste src 10.X.X.X
acl hpbruno src 10.14.2.11
acl brunohp src 10.X.X.X
cl andre src 10.X.X.X
acl novopc src 10.X.X.X
acl mauricionote src 10.X.X.X

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 8888 # http - Sodexhopass
acl Safe_ports port 82 # http - Saganet
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow teste

http_access allow hpbruno
http_access allow brunohp
http_access allow novopc
http_access allow andre
http_access allow mauricionote

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ti

# regras de downloads
http_access allow liberadownloads
http_access deny bloqdownloads
# regras usando as listas de sites
http_access allow update
http_access deny baduser !listabranca
http_access deny bloqgeral !liberados
http_access deny bloqueados !liberados
http_access allow privusers
http_access deny bloqoutros !liberados
http_access allow usuario !baduser
http_access allow all
icp_access allow all
visible_hostname on
#http_access deny all
--------------------------------------------------------------------------------------------------------------

IPTABLES:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local

#IPTABLES
#Estas linhas deverï¿½ ser acrescentadas em algum arquivo ex.: /etc/rc.local
/etc/rc.d/init.d/functions
/etc/sysconfig/network

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe iptable_nat
iptables -F
iptables -t nat -F

##REDIRECIONA PORTA 8080 PARA 3128

iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -s 0/0 -o eth0 -j MASQUERADE

##LIBERANDO PORTAS DO OUTLOOK
iptables -I FORWARD -s 10.X.X.X/24 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -s 10.X.X.X/24 -p tcp --dport 110 -j ACCEPT
##FIM LIBERA PORTAS OUTLOOK

##BLOQUEIO DE MSN
iptables -A FORWARD -s 10.X.X.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 10.X.X.0/24 -d loginnet.passport.com -j REJECT

##BLOQUEI COMPUTADOR POR IP
iptables -A INPUT -s 10.X.X.X -j DROP
##FIM REGRA

# Liberando Porta 554 - Radios Web
#$IPTABLES -A FORWARD -s 10.X.X.X/24 -p tcp --dport 554 -j ACCEPT -> IDA
#$IPTABLES -A FORWARD -d 10.X.X.X/24 -p tcp --sport 554 -j ACCEPT <- VOLTA

##LIBERA PORTA PARA SANTA INES
$iptables -t nat -A POSTROUTING -s 10.X.X.X/24 -p tcp --dport 3389 -j MASQUERADE
##LIBERA PORTA PARA ACESSO REMOTO
$iptables -t nat -A POSTROUTING -s 10.X.X.X/24 -p tcp --dport 7024 -j MASQUERADE

#Scripts para iniciar Samba e Winbind
/etc/init.d/smb start
/etc/init.d/winbind start
#Script para iniciar squid
/usr/sbin/squid
--------------------------------------------------------------------------------------------

Bem ai estao o iptables e o squid.conf

qualquer coisa que eu tenha deixado de mencionar estamos ai

desde já agradeço

**alexandrecorrea** · 16-07-2008, 10:32

troca

http_port 3128

por

http_port 3128 transparent

**slipbad** · 16-07-2008, 14:57

Boa tarde,

Não informei qua a versão que uso do squid( Version 2.5.STABLE14) e pelo que vi nas minhas pesquisas esta opcao de transparent e para versoes superiores a 2.6(me corriga se estiver errado).

tentei atualizar com yum install squid, porem nao atualizou a versao. Caro eu baixa a nova versao e instale vou perder as minhas configuracoes antigas ou aproveita as configuracoes?

Caso tenha mais alguma dica que posso estar testando fico feliz.

Agradeço a dica......

Valew

**galahad** · 21-07-2008, 14:29

Se você baixar a versão nova e fizer a instalação, as configurações serão aproveitadas, mas um backup nunca é demais

**slipbad** · 21-07-2008, 17:55

Ok, vou baixar a versão mais recente e realizar a instalação. Assim que tiver feito isso posto ok.

Agradeço a força

Valew

**galahad** · 21-07-2008, 18:04

Ok!

Boa sorte! Qualquer problema que tiver por aí, é só falar que ajudamos no que for possível

**slipbad** · 22-07-2008, 15:27

Boa tarde a todos,

Instalaei o squid-3.0.STABLE8 no usr/local/squid3, so que estou com meu 2.5 rodando usr/local/squid!tem com eu no mesmo servidor rodar o squid 3.0 sem atrapalhar a conexão dos usuarios logados? E que quero testar a nova versão,porém sem derrubar ninguem?

Valew

**alexandrecorrea** · 22-07-2008, 15:31

da pra rodar sim..

muda a porta... e o local do CACHE (cache_dir)

ai manda ele executar... e ler a configuração

**slipbad** · 22-07-2008, 16:57

Olá,

Estou enfrentando dificuldade em relação a rodar o squid3.0. Vou explicar com estou fazendo. o squid 3.0 esta em usr/local/squid3. Dentro da pasta squid3 existe bin,etc,libexec,sbin,share e var.
dentro de etc mudei o nome squi.conf para squid.old e criei o squid.conf nele coloquei:
http_port 3129 transparent
cache_dir ufs /var/cache/squid3 1000 16 384
cache_access_log /var/log/squid3/access.log
error_diretory /usr/share/squid3/errors/Portuguese
as demais configuracões estao igual ao do squid que esta rodando.

Bem como faço para roda-lo?tenho que mexer alguma coisa no samba?e no iptables?devo mudar algo?
nao tenho muita ideia do que fazer para rodalo junto com o squid atual. Se puder explicar melhor como fazer.

Agradeço todas a dicas valew

**galahad** · 23-07-2008, 09:28

A única coisa, em princípio, que você vai ter que mudar é permitir no seu firewall que seus clientes se conectem na porta 3129.

**slipbad** · 06-08-2008, 09:19

Olá, resolvi configurar outro proxy com fedora 9+squid3.0+iptables.

o iptables e samba iniciam certinho, porem o squid nao inicializa apreentando a seguinte mensagem:
{root@TEste_proxy ~]#service squid start
2008/08/06 08:40:42| Processing Configuration File: /etc/squid/squid.conf(depth0)
2008/08/06 08:40:42| Starting Authentication on port 0.0.0.0:14348
2008/08/06 08:40:42| Disabling Authentication on port 0.0.0.0:14348(interception enabled)
2008/08/06 08:40:42| Initializing https proxy context
Iniciando o squid: ………………………………. [FALHOU]
{root@TEste_proxy ~]#

SQUID.conf

http_port 3128 transparent accel vhost vport

cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/squid/cache 1000 16 256

maximum_object_size_in_memory 64 KB
minimum_object_size 0 KB
maximum_object_size 4096 MB
cache_access_log /var/squid/access.log
error_directory /usr/share/squid/errors/Portuguese
ftp_user Squid@

auth_param ntlm program /usr/lib64/squid/ntlm_auth
auth_param ntlm children 5
acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
acl outlook url_regex "/etc/squid/listas/domoutlook"
always_direct allow outlook
always_direct allow webdav

acl usuario proxy_auth REQUIRED
acl update url_regex -i "/etc/squid/listas/update"
acl baduser proxy_auth_regex -i "/etc/squid/listas/baduser"
acl privusers proxy_auth_regex -i "/etc/squid/listas/privusers"
acl TI proxy_auth_regex -i "/etc/squid/listas/ti"
acl liberados url_regex "/etc/squid/listas/liberados"
acl liberadownloads url_regex -i "/etc/squid/listas/liberadownloads"
acl bloqueados url_regex "/etc/squid/listas/bloqueados"
acl bloqoutros url_regex "/etc/squid/listas/bloqoutros"
acl bloqgeral url_regex "/etc/squid/listas/bloqgeral"
acl bloqdownloads url_regex -i "/etc/squid/listas/bloqdownloads"
acl listabranca url_regex -i "/etc/squid/listas/listabranca"
acl ipprivilegio src "/etc/squid/listas/ipprivilegio"

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 8888 # http - Sodexhopass (Andre)
acl Safe_ports port 82 # http - Saganet (Douglas)
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ti

# regras de downloads
http_access allow liberadownloads
http_access allow ipprivilegio !bloqgeral
http_access deny bloqdownloads
# regras usando as listas de sites
http_access allow update
http_access deny baduser !listabranca
http_access deny bloqgeral !liberados
http_access deny bloqueados !liberados
http_access allow privusers
http_access deny bloqoutros !liberados
http_access allow usuario !baduser
http_access allow all
icp_access allow all
always_direct allow all
visible_hostname on

#IPTABLES
#Estas linhas dever� ser acrescentadas em algum arquivo ex.: /etc/rc.local
#. /etc/rc.d/init.d/functions
#. /etc/sysconfig/network

# echo 1 > /proc/sys/net/ipv4/ip_forward
# /sbin/modprobe iptable_nat
# iptables -F
# iptables -t nat -F
# iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 80 -j REDIRECT --to-port 3128
# iptables -t nat -A POSTROUTING -s 0/0 -o eth1 -j MASQUERADE

#IPTABLES
#Estas linhas deverï¿½ ser acrescentadas em algum arquivo ex.: /etc/rc.local
/etc/rc.d/init.d/functions
/etc/sysconfig/network

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe iptable_nat
iptables -F
iptables -t nat -F

##REDIRECIONA PORTA 8080 PARA 3128

iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -s 0/0 -o eth0 -j MASQUERADE

##LIBERANDO PORTAS DO OUTLOOK
iptables -I FORWARD -s 10.X.X.X/24 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -s 10.X.X.X/24 -p tcp --dport 110 -j ACCEPT
##FIM LIBERA PORTAS OUTLOOK

##BLOQUEIO DE MSN
iptables -A FORWARD -s 10.X.X.0/24 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s 10.X.X.0/24 -d loginnet.passport.com -j REJECT

##BLOQUEI COMPUTADOR POR IP
iptables -A INPUT -s 10.X.X.X -j DROP
##FIM REGRA

# Liberando Porta 554 - Radios Web
#$IPTABLES -A FORWARD -s 10.X.X.X/24 -p tcp --dport 554 -j ACCEPT -> IDA
#$IPTABLES -A FORWARD -d 10.X.X.X/24 -p tcp --sport 554 -j ACCEPT <- VOLTA

##LIBERA PORTA PARA SANTA INES
$iptables -t nat -A POSTROUTING -s 10.X.X.X/24 -p tcp --dport 3389 -j MASQUERADE
##LIBERA PORTA PARA ACESSO REMOTO
$iptables -t nat -A POSTROUTING -s 10.X.X.X/24 -p tcp --dport 7024 -j MASQUERADE

#Scripts para iniciar Samba e Winbind
/etc/init.d/smb start
/etc/init.d/winbind start
#Script para iniciar squid
/usr/sbin/squid

**alexandrecorrea** · 06-08-2008, 10:18

seria bom dar uma lida no manual....

http_port 3128 transparent accel vhost vport

ta errado..

tenta so com

http_port 3128 transparent

**slipbad** · 06-08-2008, 11:41

eu coloque http_port 3128 transparent

Porem a menssagem é a mesma e o squid nao inicializa.

Ja fiz testes colocando somente configuraçoes basicas, mesmo assim o squid nao inicializa.

alguma sugestao?

**alexandrecorrea** · 06-08-2008, 11:43

o que diz no /var/log/squid/cache.log ?

**slipbad** · 06-08-2008, 13:25

Segue o cache.log

2008/08/06 11:41:30| Adding domain aparecida.icflab.com.br from /etc/resolv.conf
2008/08/06 11:41:30| Adding nameserver 201.10.128.3 from /etc/resolv.conf
2008/08/06 11:41:30| Adding nameserver 201.10.120.3 from /etc/resolv.conf
2008/08/06 11:41:30| Adding nameserver 10.14.2.2 from /etc/resolv.conf
2008/08/06 11:41:30| User-Agent logging is disabled.
2008/08/06 11:41:30| Referer logging is disabled.
2008/08/06 11:41:30| Unlinkd pipe opened on FD 12
2008/08/06 11:41:30| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2008/08/06 11:41:30| Swap maxSize 1024000 KB, estimated 78769 objects
2008/08/06 11:41:30| Target number of buckets: 3938
2008/08/06 11:41:30| Using 8192 Store buckets
2008/08/06 11:41:30| Max Mem size: 65536 KB
2008/08/06 11:41:30| Max Swap size: 1024000 KB
2008/08/06 11:41:31| /var/squid/cache/swap.state: (13) Permission denied
FATAL: commonUfsDirOpenSwapLog: Failed to open swap log.
Squid Cache (Version 3.0.STABLE7): Terminated abnormally.
CPU Usage: 0.035 seconds = 0.022 user + 0.013 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
2008/08/06 11:41:34| Starting Squid Cache version 3.0.STABLE7 for x86_64-redhat-linux-gnu...
2008/08/06 11:41:34| Process ID 9159
2008/08/06 11:41:34| With 1024 file descriptors available
2008/08/06 11:41:34| DNS Socket created at 0.0.0.0, port 52330, FD 7
2008/08/06 11:41:34| Adding domain aparecida.icflab.com.br from /etc/resolv.conf
2008/08/06 11:41:34| Adding nameserver 201.10.128.3 from /etc/resolv.conf
2008/08/06 11:41:34| Adding nameserver 201.10.120.3 from /etc/resolv.conf
2008/08/06 11:41:34| Adding nameserver 10.14.2.2 from /etc/resolv.conf
2008/08/06 11:41:34| User-Agent logging is disabled.
2008/08/06 11:41:34| Referer logging is disabled.
2008/08/06 11:41:34| Unlinkd pipe opened on FD 12
2008/08/06 11:41:34| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2008/08/06 11:41:34| Swap maxSize 1024000 KB, estimated 78769 objects
2008/08/06 11:41:34| Target number of buckets: 3938
2008/08/06 11:41:34| Using 8192 Store buckets
2008/08/06 11:41:34| Max Mem size: 65536 KB
2008/08/06 11:41:34| Max Swap size: 1024000 KB
2008/08/06 11:41:34| /var/squid/cache/swap.state: (13) Permission denied
FATAL: commonUfsDirOpenSwapLog: Failed to open swap log.
Squid Cache (Version 3.0.STABLE7): Terminated abnormally.
CPU Usage: 0.032 seconds = 0.024 user + 0.008 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
2008/08/06 11:43:44| Starting Squid Cache version 3.0.STABLE7 for x86_64-redhat-linux-gnu...
2008/08/06 11:43:44| Process ID 9176
2008/08/06 11:43:44| With 1024 file descriptors available
2008/08/06 11:43:44| Performing DNS Tests...
2008/08/06 11:43:44| Successful DNS name lookup tests...
2008/08/06 11:43:44| DNS Socket created at 0.0.0.0, port 56340, FD 7
2008/08/06 11:43:44| Adding domain aparecida.icflab.com.br from /etc/resolv.conf
2008/08/06 11:43:44| Adding nameserver 201.10.128.3 from /etc/resolv.conf
2008/08/06 11:43:44| Adding nameserver 201.10.120.3 from /etc/resolv.conf
2008/08/06 11:43:44| Adding nameserver 10.14.2.2 from /etc/resolv.conf
2008/08/06 11:43:44| User-Agent logging is disabled.
2008/08/06 11:43:44| Referer logging is disabled.
2008/08/06 11:43:44| Unlinkd pipe opened on FD 12
2008/08/06 11:43:44| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2008/08/06 11:43:44| Swap maxSize 1024000 KB, estimated 78769 objects
2008/08/06 11:43:44| Target number of buckets: 3938
2008/08/06 11:43:44| Using 8192 Store buckets
2008/08/06 11:43:44| Max Mem size: 65536 KB
2008/08/06 11:43:44| Max Swap size: 1024000 KB
2008/08/06 11:43:44| Rebuilding storage in /var/squid/cache (DIRTY)
2008/08/06 11:43:44| Using Least Load store dir selection
2008/08/06 11:43:44| Current Directory is /etc/rc.d/init.d
2008/08/06 11:43:44| Loaded Icons.
2008/08/06 11:43:44| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
2008/08/06 11:43:44| HTCP Disabled.
2008/08/06 11:43:44| Ready to serve requests.
2008/08/06 11:43:46| Done scanning /var/squid/cache swaplog (0 entries)
2008/08/06 11:43:46| Finished rebuilding storage from disk.
2008/08/06 11:43:46| 0 Entries scanned
2008/08/06 11:43:46| 0 Invalid entries.
2008/08/06 11:43:46| 0 With invalid flags.
2008/08/06 11:43:46| 0 Objects loaded.
2008/08/06 11:43:46| 0 Objects expired.
2008/08/06 11:43:46| 0 Objects cancelled.
2008/08/06 11:43:46| 0 Duplicate URLs purged.
2008/08/06 11:43:46| 0 Swapfile clashes avoided.
2008/08/06 11:43:46| Took 1.79 seconds ( 0.00 objects/sec).
2008/08/06 11:43:46| Beginning Validation Procedure
2008/08/06 11:43:46| Completed Validation Procedure
2008/08/06 11:43:46| Validated 25 Entries
2008/08/06 11:43:46| store_swap_size = 0
2008/08/06 11:43:46| storeLateRelease: released 0 objects
Agradeço a ajuda....

**alexandrecorrea** · 06-08-2008, 13:32

digita ai

Código :

chown squid:squid /var/squid
chown squid:squid /var/squid/ -R

e tenta iniciar...

esta linha do log

Código :

[SIZE=3][FONT=Calibri]2008/08/06 11:41:34| /var/squid/cache/swap.state: (13) Permission denied[/FONT][/SIZE]
[SIZE=3][FONT=Calibri]FATAL: commonUfsDirOpenSwapLog: Failed to open swap log.
[/FONT][/SIZE]

é bem clara :P basta um pouco de atenção !!

**slipbad** · 25-08-2008, 09:29

Valew... Pela ajuda!!!tudo funcionando....agora....só não sei se a questão do email foi resolvida pela atualização da versão do squid, ou por que mudamos de provedor de email.

Mas no final ficou beleza....

agradeço a todos...

Windows Vista SPK1 não acessa Através de Proxy Transparente!

Ferramentas de Tópicos

Windows Vista SPK1 não acessa Através de Proxy Transparente!(RESOLVIDO!)