Como Pcs com DNS passam pelo Squid ???

[jadirorza]

Seguinte, galera. Algum mané andou espalhando os nº de DNS aqui na Prefeitura. A galera tá desconfigurando o proxy e colocando DNS nas maquinas. Aí, já viu, né? É MSN, Orkut, etc. Todo meu trabalho pra configurar o Squid dançou.
De que forma isso funciona? Falta aquela regra no Firewall REDIRECT 80 to 3128 ??? Se falta, onde eu acho essa configuração?
Na real, já li um bocado de Iptables, mas não sei onde mexer.
rc.firewall? firewall.conf? Basta colocar as regras no rc.d?
Meu Tux é um RH9...
Alguem tem alguma idéia??? :?
Se for no rc.firewall, parece que tá default...

[fpmazzi]

Seguinte, galera. Algum mané andou espalhando os nº de DNS aqui na Prefeitura. A galera tá desconfigurando o proxy e colocando DNS nas maquinas. Aí, já viu, né? É MSN, Orkut, etc. Todo meu trabalho pra configurar o Squid dançou.
De que forma isso funciona? Falta aquela regra no Firewall REDIRECT 80 to 3128 ??? Se falta, onde eu acho essa configuração?
Na real, já li um bocado de Iptables, mas não sei onde mexer.
rc.firewall? firewall.conf? Basta colocar as regras no rc.d?
Meu Tux é um RH9...
Alguem tem alguma idéia??? :?
Se for no rc.firewall, parece que tá default...

Kra vc pode colocar a regra do iptables, direto no rc.local, ou criar um arquivo, torna-lo executavel e colocar as regras d iptables la dentro .. e dps copie ele no diretorio /sbin, colocando neste diretorio e no rc.local digita la firewall.sh por exemplo ae ja era ele executa

[powed0wn]

Como vai, rapaz?! =)

Bom, tudo vai das suas politicas... não entendi direito o que tem a ver com o acesso e o dns da sua rede, mas.... vamos tentar.

Creio que a melhor forma de fazer com que seus usuarios acessem somente o necessário é fazendo politicas "restritivas" e não somente redirecionar porta 80,443 para o squid... Resumindo, voce precisa "negar todos os forwards" da sua rede e sair "todos os acessos" do squid.

No squid, por exemplo, não é muito elegante barrar sites por url, palavras, pois acaba ficando uma lista enorme e ainda um pouco vulneravel. Seria interessante instalar o DansGuardian (www.dansguardian.org), que seria um real filtro de conteúdo, http's proxy, pornografia etc etc etc... Vale à pena conferir.

No firewall (iptables), eu costumo fazer assim:

--------------------- recortar aqui -------------------------

#!/bin/sh
echo =-=-=-=-=-=-=-=- Iniciando Firewall -=-=-=-=-=-=-=-=-=
echo " By power_d0wn - Rodrigo Martins"
echo =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

######################################################################################
############################### Variáveis do script ##################################
######################################################################################

fw="/usr/sbin/iptables"

#Informações IP / LAN
ANY_WHERE="0/0"
IP_EXT="200.x.y.z/32"
IP_INT="192.168.0.254/32"
LAN="192.168.0.0/24"

#Informações Interfaces (Interna/Externa)
IF_INT="eth0"
IF_EXT="eth1"

#Informações de PORTAS Liberadas
#Portas autorizadas para INPUT (Interna/Externa)
SAFE_PORTS="80,2222"

#Portas autorizadas para LAN (Interna)
SAFE_PORTS_LAN="53,3128"

#Portas autorizadas para FORWARD (Interna --> Externa)
SAFE_PORTS_FORWARD=""

#Portas autorizadas para MASCARAMENTO (MASQUERADE)
SAFE_PORTS_MASQUERADE="21,22,25,53,80,110,443,1863,2631,3456,5190,9780"

#Portas autorizadas para IDS (portsentry)
# Vale a pena lembrar que, caso nao haja variaveis aqui, ficará
# inutil o portsentry na maquina, visto que ele abre diversas portas
# (conforme configuracao), e necessariamente receberá conexoes nestas.
SAFE_PORTS_IDS="1,5,7,11,13,15,79,111,119,143,445,540,635,1524"
######################################################################################
######################################################################################

######################################################################################
############################# Limpando regras antigas ################################
######################################################################################
$fw -F
$fw -X
$fw -Z

$fw -t nat -F
$fw -t nat -X
$fw -t nat -Z

$fw -t mangle -F
$fw -t mangle -X
$fw -t mangle -Z
######################################################################################
######################################################################################

######################################################################################
################################# S E C U R I T Y ####################################
######################################################################################

############################################################
############# Definindo Regras de Policiamento #############
############################################################
$fw -P INPUT DROP
$fw -P OUTPUT ACCEPT
$fw -P FORWARD DROP
############################################################

############################################################
##### Rejeitando pacotes fragmentados / mal formados #######
############################################################
$fw -A INPUT -m state --state INVALID -j DROP
$fw -A OUTPUT -m state --state INVALID -j DROP
$fw -A FORWARD -m state --state INVALID -j DROP

$fw -A INPUT -f -j DROP
$fw -A OUTPUT -f -j DROP
$fw -A FORWARD -f -j DROP
############################################################

############################################################
######## Negando pacotes ICMP (INPUT / FORWARD) ############
############################################################
## Estamos autorizando ping com intervalos de 1 em 1 seg, ##
###### para evitar ataques do tipo "ping da morte". ########
$fw -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

$fw -A FORWARD -s $LAN -i $IF_INT -o $IF_EXT -p icmp -j DROP
$fw -A FORWARD -s $ANY_WHERE -i $IF_EXT -o $IF_INT -p icmp -j DROP
############################################################
######################################################################################
######################################################################################

######################################################################################
###################### P O L I T I C A S D E A C E S S O #########################
########################## I N P U T E F O R W A R D #############################
######################################################################################

############################################################
##### Definindo ACESSO TOTAL para o Localhost (Local) ######
############################################################
$fw -A INPUT -s localhost -i lo -j ACCEPT
############################################################

############################################################
## Liberando as portas para fora e para a rede interna #####
############################################################
# Acesso somente status (ESTABELECIDO,RELATADO)
$fw -A INPUT -s $LAN -i $IF_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
$fw -A INPUT -s $ANY_WHERE -i $IF_EXT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Acesso à portas (redes interna/externa)
$fw -A INPUT -s $ANY_WHERE -i $IF_EXT -p tcp -m multiport --dport $SAFE_PORTS -j ACCEPT
$fw -A INPUT -s $ANY_WHERE -i $IF_EXT -p udp -m multiport --dport $SAFE_PORTS -j ACCEPT

# Acesso à portas (rede interna)
$fw -A INPUT -s $LAN -i $IF_INT -p tcp -m multiport --dport $SAFE_PORTS_LAN -j ACCEPT
$fw -A INPUT -s $LAN -i $IF_INT -p udp -m multiport --dport $SAFE_PORTS_LAN -j ACCEPT

# Acesso à portas (ids -> portsentry, somente externo)
$fw -A INPUT -s $ANY_WHERE -i $IF_EXT -p tcp -m multiport --dport $SAFE_PORTS_IDS -j ACCEPT
$fw -A INPUT -s $ANY_WHERE -i $IF_EXT -p udp -m multiport --dport $SAFE_PORTS_IDS -j ACCEPT
############################################################

######################################################################################
######################## Network Address Translation (NAT) ###########################
############################ M A S C A R A M E N T O #################################
######################################################################################

############################################################
######### Autorizar Acesso Direto ################
############### USE COM CUIDADO! ######################
############################################################
#HOSTS_ALL="192.168.0.1/32"
# for EACH_HOST in ${HOSTS_ALL}; do
# $fw -I FORWARD -s ${EACH_HOST} -i $IF_INT -o $IF_EXT -d $ANY_WHERE -j ACCEPT
# $fw -t nat -I POSTROUTING -s ${EACH_HOST} -o $IF_EXT -j MASQUERADE
# done
############################################################

############################################################
######## Autorizar encaminhamento de algumas portas ########
######## Forward de pacotes (estações) ########
############################################################
$fw -A FORWARD -d $LAN -i $IF_EXT -o $IF_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
$fw -A FORWARD -s $LAN -i $IF_INT -o $IF_EXT -m state --state RELATED,ESTABLISHED -j ACCEPT

############################################################
############## Mascarando portas autorizadas ###############
############################################################
$fw -t nat -A POSTROUTING -s $LAN -o $IF_EXT -p tcp -m multiport --dport $SAFE_PORTS_MASQUERADE -j MASQUERADE
$fw -t nat -A POSTROUTING -s $LAN -o $IF_EXT -p udp -m multiport --dport $SAFE_PORTS_MASQUERADE -j MASQUERADE
############################################################

######################################################################################
######################################################################################

######################################################################################
########################## Encaminhamentos especificos à #############################
################################## hosts externos ####################################
######################################################################################

############################################################
#Autorização para recebimento de mensagens externamente POP#
############################################################
HOSTS_ALL="pop3.uol.com.br pop3a.uol.com.br"
for EACH_HOST in ${HOSTS_ALL}; do
$fw -A FORWARD -i $IF_INT -o $IF_EXT -s $LAN -d ${EACH_HOST} -p tcp --dport 110 -j ACCEPT
$fw -A FORWARD -i $IF_INT -o $IF_EXT -s $LAN -d ${EACH_HOST} -p tcp --dport 9780 -j ACCEPT
done
############################################################

############################################################
####Autorização para envio de mensagens externamente SMTP###
############################################################
HOSTS_ALL="smtp.uol.com.br smtpa.uol.com.br"
for EACH_HOST in ${HOSTS_ALL}; do
$fw -A FORWARD -i $IF_INT -o $IF_EXT -s $LAN -d ${EACH_HOST} -p tcp --dport 25 -j ACCEPT
done
############################################################

############################################################
######### Autorização para conexões DNS externamente #######
############################################################
HOSTS_ALL="200.204.0.10/32 200.204.0.138/32"
for EACH_HOST in ${HOSTS_ALL}; do
$fw -A FORWARD -i $IF_INT -o $IF_EXT -s $LAN -d ${EACH_HOST} -j ACCEPT
done
############################################################

############################################################
######### Autorizar o Sistema da Receita IRRF #############
############################################################
HOSTS_ALL="161.148.185.0/24"
for EACH_HOST in ${HOSTS_ALL}; do
$fw -A FORWARD -i $IF_INT -o $IF_EXT -s $LAN -d ${EACH_HOST} -p all -j ACCEPT
$fw -A FORWARD -i $IF_EXT -o $IF_INT -s ${EACH_HOST} -d $LAN -p all -j ACCEPT
done
############################################################

############################################################
######### Autorizar o Sistema da Caixa Econ. #############
############################################################
HOSTS_ALL="www.caixa.gov.br cmt.caixa.gov.br www1.caixa.gov.br 200.201.173.0/24 200.201.174.0/24 200.201.166.0/24"
for EACH_HOST in ${HOSTS_ALL}; do
$fw -A FORWARD -i $IF_INT -o $IF_EXT -s $LAN -d ${EACH_HOST} -p all -j ACCEPT
$fw -A FORWARD -i $IF_EXT -o $IF_INT -s ${EACH_HOST} -d $LAN -p all -j ACCEPT
done
############################################################

-----------------------------recortar aqui ----------------------------

Entendeu?! =)

São politicas restrititas que não resolvem 100% das problemas com acessos, mas ajudam bastante.

Abraços,

Rodrigo Martins

[luizhumberto]

Utilize o forward como drop, e depois libere somente as portas que precisa.
Ou então bloqueie no forward as portas 80,443. Deixando apenas que o proxy tenha acesso.

Abraços,

[felco]

Voce precisa redirecionar a porta 80 TCP para o Squid sim. Caso contrario voce permitira que suas regras no Squid sejam burladas.
É interessante tambem manter um servidor DNS local, como dnsmasq, esse é interessante porque permite que voce adcione fake-hosts facilmente, assim, voce nao precisa criar uma regra cabulosa para o Orkut, voce define que qualquer coisa no domain orkut.com va para um servidor local com apache, e la voce coloca um pagina dizendo que o site esta bloqueado.
Nesse caso, do DNS local, voce tem que redireciona as conexoes que vao para porta 53 UDP para teu DNS local, assim nao adianta coloca um Proxy diferente no browser, ele nao vai encontrar o site.

Alem disso, e muito util seguir o conselho do amigo acima, comece bloqueando tudo no FORWARD e libere so oque voce precisa.

Se voce manter servidores locais como eu disse, voce pode tranquilamente nao liberar porta alguma diretamente, mas somente liberer o acesso a porta 80 TCP para o proprio Squid e a 53 UDP para o proprio dnsmasq, assim ninguem na verdade acessa nada diretamente, o usuario nao percebe porque pra ele o ambiente nao parece ter controle, nesse caso voce nao vai permitir que a rede(Ex.: 192.168.0.0/24) saia atravez de MASQ ou SNAT, apenas os seus servidores(Squid e dnsmasq), dessa forma qualquer requisicao DNS vai cair no dnsmasq e ele ira responder conforme voce achar melhor, tipo login.messenger.com = 192.168.0.100, saco?
E se o seu queridissimo usuario configurar outro DNS no Windows, ele, inevitavelmente, caira no dnsmasq. E se ele configurar no hosts da maquina dele algo assim:

Código :

www.orkut.com 216.239.51.86

Faz sentido, assim ele nao precisaria de um DNS!
Nesse caso voce precisa garantir que ninguem vai acessar a porta 80 diretamente, somente o Squid pode ter acesso a essa porta externamente e no seu Squid voce precisa criar uma acl apenas rejeitando acesso a esse dominio, orkut.com.

Os redirects firariam assim, nesse exemplo tanto o DNS quanto o Proxy ficariam em maquinas distintas do Firewall:

Código :

iptables -A PREROUTING -s <Lan>!<LocalServ> -p tcp --dport 80 -j DNAT --to 192.168.0.50:3128
iptables -A PREROUTING -s <Lan>!<LocalServ> -p udp --dport 53 -j DNAT --to 192.168.0.55:53

Edit: Temos que especificar a Lan e excluir o servidor local para que a regra nao falhe e tambem nao entre em looping.

Por que DNAT e nao REDIRECT?
Porque nesse caso, estamos na verdade repassando a conexao para uma outra maquina e nao redirecionando para um porta local, entao é necessario que o Firewall manipule o endereco de destino do pacote.
No caso de o Proxy eo DNS estarem na propria maquina do Firewall ficaria:

Código :

iptables -A PREROUTING -s <Lan>!<LocalServ> -p tcp --dport 80 -j REDIRECT --to 3128
iptables -A PREROUTING -s <Lan>!<LocalServ> -p udp --dport 53 -j REDIRECT --to 53

Ainda sera preciso que voce nao deixe ninguem acessar a Internet diretamente, entao voce usaria o seguinte:
Ao invez de fazermos um MASQ ou SNAT para todos, faremos para os Servers:
Voce tem algo assim:

Código :

iptables -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

Teria que ser algo assim:

Código :

iptables -A POSTROUTING -s 192.168.0.50 -j MASQUERADE

Código :

iptables -A POSTROUTING -s 192.168.0.55 -j MASQUERADE

A idea aqui e que voce nao de acesso a maquina do usuario a Internet, mas que seus servidores na rede tenham acesso exclusivo a Internet e esses por sua vez vao repassar o acesso que eles tem a essas maquinas, porem diferente do usual, voce vai controlar os servidores e voce quem permitira acesso aos servicos que quiser.

Em relacao aonde definir as regras do iptables, procure nao utilizar o rc.local, dependendo da sua distribuicao ela ja tera um local apropriado ou um servico devidamente configurado para chamar ou aplicar a regras.

Nao sei se deu pra entender a idea, qualquer coisa continua postando!

Off: Maior post evah!!!! LOL

[jadirorza]

Valeu pelas respostas, galera! Firewall, Squid, aqui eh tudo na mesma maquina, um Red Hat 9.
Li em algum lugar tambem que preciso, pra redirecionar a 80 pro Squid, preciso antes do seguinte comando:

Código :

echo "1" >/proc/sys/net/ipv4/ip_forward

Alguem confirma?
Achei no rc.local um comando pra abrir o etc/rc.firewall , mas
parece que esse script ta Defaut...

[luizhumberto]

Sim, pois ele quem ativa o roteamento no caso do echo "1" se fosse "0", seria desativado.

[jadirorza]

Valeu pela força. Vou tentar aqui pra ver no que dá.