problemas com https

**vaini** · 12-09-2012, 14:35

Boa tarde a todos. Estou com um problemão, que sozinho não consegui resolver.
Preciso liberar o acesso a sites https. Não sei o porque esta sendo bloqueado.
É tudo muito simples, navegação completa com apenas alguns sites bloqueados.

Agradeço desde ja a ajuda de todos.
Segue abaixo meu firewall, bem como squid.

#!/bin/sh
IPTABLES="/sbin/iptables"
WAN=ppp0
LAN=eth1
REDE="192.168.0.0/24"

#Carregando modulos do iptables
modprobe iptable_nat
modprobe iptable_mangle
modprobe iptable_filter

#limpando tudo
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

#politica padrao
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD DROP

#ativando roteamento de pacote
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to 3128

#evita problemas de conexao quando o ip externo for dinamico (programa diald)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#bloqueio a syn-flood, ip spoofing, port scanner e icmp falsos
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#permite que conexoes ja criadas pela LAN retornem sem criar novas regras
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -t filter -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

#bloqueando synfloods e port scanners
$IPTABLES -t filter -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$IPTABLES -t filter -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

#liberando acesso ao servidor
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT

#liberando passagem de pacotes entre interfaces
$IPTABLES -t filter -A FORWARD -i $LAN -o $WAN -j ACCEPT

#aceitando e protegendo ping
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
$IPTABLES -t filter -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp -m state --state INVALID -j DROP
$IPTABLES -t filter -A OUTPUT -p icmp -m state --state INVALID -j DROP
$IPTABLES -t filter -A FORWARD -p icmp -m state --state INVALID -j DROP

#liberandos portas para acesso interno
$IPTABLES -t filter -A INPUT -i $LAN -p tcp -m multiport --dports 80,3128,10000 -j ACCEPT
$IPTABLES -t filter -A INPUT -i $LAN -p udp -m multiport --dports 80,3128,10000 -j ACCEPT

#liberando samba para a rede interna
$IPTABLES -t filter -A INPUT -i $LAN -s $REDE -p tcp -m multiport --dports 137,138,139,445 -j ACCEPT
$IPTABLES -t filter -A INPUT -i $LAN -s $REDE -p udp -m multiport --dports 137,138,139,445 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LAN -s $REDE -p tcp -m multiport --dports 137,138,139,445 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LAN -s $REDE -p udp -m multiport --dports 137,138,139,445 -j ACCEPT

#liberando acesso externo ao webmin
$IPTABLES -t filter -A INPUT -i $WAN -p tcp --dport 10000 -j ACCEPT

#liberando DNS
$IPTABLES -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN -p udp --dport 53 -j ACCEPT

#liberando HTTPS
$IPTABLES -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN -p tcp --dport 443 -j ACCEPT

#liberando SMTP/POP para a LAN
$IPTABLES -t filter -A FORWARD -i $LAN -p tcp --dport 25 -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN -p tcp --dport 110 -j ACCEPT

#liberando entrada/retorno do SSH
$IPTABLES -t filter -A INPUT -p tcp --dport 1226 -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp --dport 1226 -j ACCEPT

#liberando TS
$IPTABLES -t filter -A INPUT -p tcp --dport 3389 -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp --dport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 3389 -j DNAT --to 192.168.0.2:3389

#liberando servidor das cameras
$IPTABLES -t filter -A INPUT -p tcp --dport 2550 -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp --dport 2550 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 2550 -j DNAT --to 192.168.0.3:2550

#liberando acesso remoto via radmin
$IPTABLES -t filter -A INPUT -p tcp --dport 60020 -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp --dport 60020 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 60020 -j DNAT --to 192.168.0.20:61145

#setando alta prioridade para a porta 1433
$IPTABLES -t mangle -A INPUT -p tcp --dport 1433 -j TOS --set-tos 16
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 1433 -j TOS --set-tos 16
$IPTABLES -t mangle -A FORWARD -p tcp --dport 1433 -j TOS --set-tos 16
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 1433 -j TOS --set-tos 16

#fim das regras

SQUID.CONF

http_port 3128 transparent
visible_hostname LINUX
hierarchy_stoplist cgi-bin?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 1024 MB
maximum_object_size_in_memory 100 KB
maximum_object_size 15360 KB
minimum_object_size 0 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_replacement_policy lru
memory_replacement_policy lru
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 3000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_swap_log /var/spool/squid/swap.log
error_directory /usr/share/squid/errors/Portuguese
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
dns_nameservers 200.204.0.10 200.204.0.138

# >> ACLs <<
acl all src 0.0.0.0/0.0.0.0
acl rede src 192.168.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 407
acl Safe_ports port 25
acl Safe_ports port 110
acl purge method PURGE
acl CONNECT method CONNECT

acl SitesBloqueados url_regex -i "/etc/squid/sites.deny"
acl SemCache url_regex -i "/etc/squid/sites.nocache"

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost

no_cache deny SemCache
http_access deny SitesBloqueados
http_access allow rede
http_access deny all

**demattos** · 13-09-2012, 08:16

amigo bom dia, da uma olhada no seu conf do squid vc esta com duas acls para a porta 443 usada para o SSL um esta sendo liberada e outra esta sendo bloqueada, verifica sua conf

post o resultados ai depois

problemas com https

Ferramentas de Tópicos

problemas com https

Re: problemas com https