


  1. #1

    squid: MSN não acessa

    Galera, estou com um problema e gostaria muito da ajuda de vocês para resolvê-lo. Instalei o Debian 3.1 r5 (Sarge); nele tenho um firewall e um proxy rodando, e é aí que está o problema. O meu proxy é transparente: acesso todos os sites, mas não consigo acessar o e-mail do Hotmail nem o Messenger. Se, mesmo com ele transparente, eu for em Opções da Internet / Configurações da LAN e colocar o IP e a porta do proxy, continuo acessando todos os sites e passo a acessar o e-mail do Hotmail, mas ainda não acesso o Messenger. Galera, ajudem aí, que meu chefe já está com a faca na minha garganta. Agradeço desde já.

  2. #2

  3. #3


    Beleza, véio, obrigado pela atenção. Vou postar, na ordem, o meu firewall e o meu squid.conf, ok? Só para adiantar: tenho um PC com o Debian Sarge 3.1 r5 instalado, e esse firewall e esse squid.conf estão rodando nele, mas com o problema que descrevi anteriormente.

    firewall

    #!/bin/sh
    #set -x
    #
    # Firewall/NAT script for a Debian box with one LAN interface (eth1) and a
    # PPP uplink.  Invoked as "firewall [save|restore|stop]"; with no argument
    # it loads the full rule set.  Everything below is driven by these settings.

    # Helper binaries, by absolute path so the script does not depend on $PATH.
    SYSCTL="/sbin/sysctl -w"
    IPT="/sbin/iptables"
    IPTS="/sbin/iptables-save"
    IPTR="/sbin/iptables-restore"

    # LAN side -- the trusted network.  LOCAL_NET is used both for the
    # "accept everything from the LAN" rules and as the MASQUERADE source.
    LOCAL_IFACE="eth1"
    LOCAL_IP="172.16.0.1"
    LOCAL_NET="172.16.0.0/255.255.255.0"
    LOCAL_BCAST="172.16.0.255"

    # Uplink, matched by wildcard so any ppp unit number works.
    # EXT_ADDRESS is never referenced later in this script; kept for reference.
    EXT_IFACE="ppp+"
    EXT_ADDRESS=""

    # Loopback.
    LO_IFACE="lo"
    LO_IP="127.0.0.1"

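    # Save and Restore arguments handled here.
    # "save" dumps the live rule set with iptables-save, "restore" loads it back.
    # The path is the Red Hat convention; /etc/sysconfig does not exist on a
    # stock Debian install, so "save" needs that directory created first.
    RULES_FILE="/etc/sysconfig/iptables"
    if [ "$1" = "save" ]
    then
      echo -n "Saving firewall to $RULES_FILE ... "
      # The original printed "done" even when iptables-save failed (for example
      # with the directory missing), leaving an empty file behind.  Report the
      # failure and exit non-zero instead.
      if $IPTS > "$RULES_FILE"
      then
        echo "done"
        exit 0
      fi
      echo "FAILED" >&2
      exit 1
    elif [ "$1" = "restore" ]
    then
      echo -n "Restoring firewall from $RULES_FILE ... "
      # Without the readability check a missing or unreadable file would keep
      # whatever rules were already loaded while still reporting success.
      if [ -r "$RULES_FILE" ] && $IPTR < "$RULES_FILE"
      then
        echo "done"
        exit 0
      fi
      echo "FAILED" >&2
      exit 1
    fi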


    echo "Loading kernel modules ..."
    # Netfilter modules the rules below rely on, loaded in the original order.
    # modprobe failures are ignored (as before): with the features built into
    # the kernel, or with module autoloading, the iptables calls still succeed.
    #
    # Review notes: ipt_owner is loaded but no rule uses "-m owner", and
    # ip_conntrack_irc has no matching IRC rule.  The ftp/irc helpers matter
    # for security because the ESTABLISHED,RELATED accepts in INPUT and
    # FORWARD also admit whatever connections those helpers mark as RELATED.
    for mod in \
      ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
      ipt_LOG ipt_limit ipt_MASQUERADE ipt_owner \
      ip_nat_ftp ip_conntrack_ftp ip_conntrack_irc
    do
      /sbin/modprobe "$mod"
    done



    # set_knob PROC_PATH SYSCTL_KEY VALUE
    # Writes one kernel tunable, either through $SYSCTL or -- when SYSCTL is
    # empty -- directly into /proc.  These are the same two paths the script
    # originally spelled out twice inline.
    set_knob() {
      if [ "$SYSCTL" = "" ]
      then
        echo "$3" > "$1"
      else
        $SYSCTL "$2=$3"
      fi
    }

    # Routing between eth1 and ppp+; required for the MASQUERADE rule below.
    set_knob /proc/sys/net/ipv4/ip_forward net.ipv4.ip_forward 1

    # Reverse-path filtering on every interface: packets whose source address
    # would not be routed back out the interface they arrived on are dropped
    # by the kernel before iptables sees them (basic anti-spoofing).
    set_knob /proc/sys/net/ipv4/conf/all/rp_filter net.ipv4.conf.all.rp_filter 1

    # This option allows a subnet to be firewalled with a single IP address.
    # It's used to build a DMZ. Since that's not a focus of this firewall
    # script, it's not enabled by default, but is included for reference.
    # See: Proxy ARP with Linux
    #set_knob /proc/sys/net/ipv4/conf/all/proxy_arp net.ipv4.conf.all.proxy_arp 1


    ###############################################################################
    #
    # Flush Any Existing Rules or Chains
    #
    # NOTE(review): the policies are switched to ACCEPT *before* the flush and
    # only set back to DROP further down.  While the rest of the script runs --
    # or permanently, if it aborts in between -- the box accepts and forwards
    # everything.  The window is short on a normal reload, but it is there.

    echo "Flushing Tables ..."

    # Reset Default Policies
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t mangle -P PREROUTING ACCEPT
    $IPT -t mangle -P OUTPUT ACCEPT

    # Flush all rules
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F


    # Erase all non-default chains
    $IPT -X
    $IPT -t nat -X
    $IPT -t mangle -X

    # "stop" deliberately leaves the policies at ACCEPT: no filtering and no
    # NAT at all until the script is run again.
    if [ "$1" = "stop" ]
    then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
    fi

    # Default-deny on all three filter chains.  Everything the rules below do
    # not explicitly accept is dropped (and, at the end of each chain, logged
    # at a limited rate).
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    echo "Create and populate custom rule chains ..."

    # User-defined chains, created in the original order.  The *_inbound
    # chains screen the uplink, the *_outbound chains screen the LAN.
    for chain in bad_packets bad_tcp_packets icmp_packets \
                 udp_inbound udp_outbound tcp_inbound tcp_outbound
    do
      $IPT -N "$chain"
    done

    # bad_packets: first stop for every packet entering INPUT.  Logs and drops
    # anything conntrack cannot classify, hands TCP to bad_tcp_packets, and
    # RETURNs everything else to the caller.
    # NOTE(review): neither LOG here nor the one in bad_tcp_packets is rate
    # limited (unlike the chain-end logs below); a flood of junk from the
    # uplink fills the log.  "-m limit" on both LOG rules would be prudent.
    $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet:"
    $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
    $IPT -A bad_packets -p tcp -j bad_tcp_packets
    $IPT -A bad_packets -p ALL -j RETURN

    # bad_tcp_packets: packets arriving on the LAN interface skip the SYN check
    # entirely (RETURN before the test) -- the LAN is trusted here.
    $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
    # A NEW connection whose first packet is not a SYN is a stray or a probe
    # (or a connection that pre-dates conntrack): log it and drop it.
    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A bad_tcp_packets -p tcp -j RETURN


    # icmp_packets (uplink only, see INPUT): answer echo-request (8) and accept
    # time-exceeded (11) from anyone; other ICMP RETURNs and falls to the DROP
    # policy, except error messages tied to an existing connection, which the
    # ESTABLISHED,RELATED rule earlier in INPUT already accepted.
    # NOTE(review): echo-request is accepted without any rate limit.
    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
    $IPT -A icmp_packets -p ICMP -j RETURN

    # udp_inbound (uplink only): UDP 53 and 5060 are reachable from the whole
    # Internet.  NOTE(review): if a recursive resolver on this box listens on
    # the uplink, port 53 makes it an open resolver; 5060 exposes whatever SIP
    # service is running.  Confirm both are intended.  NetBIOS 137/138 are
    # dropped here rather than RETURNed, presumably to keep that background
    # noise out of the INPUT log.
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 5060 -j ACCEPT
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
    $IPT -A udp_inbound -p UDP -j RETURN

    # udp_outbound (LAN side): no restriction on UDP leaving the LAN.
    $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

    # tcp_inbound: TCP from the uplink (ppp+) to this host.  Every port listed
    # is reachable from the whole Internet (-s 0/0); anything else RETURNs and
    # is dropped by the INPUT policy.  Same ports, same order as before.
    #
    # Review notes (what actually listens is not visible from this script):
    #  - 20/21 ftp, 25 smtp, 53 dns, 80 http, 110 pop3, 443 https: the full
    #    classic server set open on the uplink; remove any without a daemon.
    #  - 1863 is the MSN Messenger port.  Clients connect *out* to it and the
    #    replies are already covered by ESTABLISHED,RELATED, so this inbound
    #    accept does nothing for the MSN problem discussed in the thread.
    #  - 3130 is Squid's icp_port in the squid.conf posted below, but ICP is
    #    UDP; this TCP rule has no visible purpose and should go.
    #  - 3389 (RDP), 10000, 8000, 8021, 41472, 1100, 5060, 5222: cannot be
    #    tied to a service from here -- confirm each before keeping it.
    for port in 20 21 25 53 80 110 443 1100 1863 3130 3389 5060 5222 \
                8000 8021 10000 41472
    do
      $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port "$port" -j ACCEPT
    done
    $IPT -A tcp_inbound -p TCP -j RETURN

    # tcp_outbound (LAN side, see FORWARD): no restriction at all on TCP
    # leaving the LAN, so MSN's direct 1863 connection is not blocked here.
    $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT



    echo "Process INPUT chain ..."
    # Loopback is trusted unconditionally.
    $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
    # Sanity screen (INVALID, NEW-without-SYN); bad_tcp_packets exempts eth1.
    $IPT -A INPUT -p ALL -j bad_packets
    # Every service on this host is reachable from the LAN -- there is no port
    # filter on the inside.  That includes Squid on 172.16.0.1:3128 and
    # anything else bound to the LAN address.
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT


    # Uplink: replies to connections this host opened come first, then the
    # explicit TCP/UDP service lists, then ICMP.  RELATED also admits the
    # connections the ftp/irc conntrack helpers loaded above expect to see.
    $IPT -A INPUT -p ALL -i $EXT_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
    $IPT -A INPUT -p TCP -i $EXT_IFACE -j tcp_inbound
    $IPT -A INPUT -p UDP -i $EXT_IFACE -j udp_inbound
    $IPT -A INPUT -p ICMP -i $EXT_IFACE -j icmp_packets
    # Limited broadcasts are dropped silently, presumably to keep them out of
    # the log line below.
    $IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
    # Rate-limited record of what the DROP policy is about to discard.
    $IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "

    echo "Process FORWARD chain ..."
    # LAN -> anywhere: tcp_outbound and udp_outbound accept everything, and
    # the catch-all on the third line accepts every other protocol.  Nothing
    # leaving the LAN is filtered here, so MSN's native TCP 1863 connection
    # passes; the only interception is the port-80 REDIRECT in the nat table.
    $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
    $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
    $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
    # Uplink -> LAN on 80 and 3389.  NOTE(review): this script has no DNAT
    # rule, so no legitimate packet from ppp+ should ever carry a 172.16.0.x
    # destination -- these two rules are normally dead, and if such a packet
    # does arrive it is accepted without any state check.  Either add the
    # port-forward (DNAT) they were evidently written for, or remove them.
    $IPT -A FORWARD -i $EXT_IFACE -p tcp -d $LOCAL_NET --dport 80 \
    -j ACCEPT
    $IPT -A FORWARD -i $EXT_IFACE -p tcp -d $LOCAL_NET --dport 3389 \
    -j ACCEPT

    # Replies to LAN-initiated connections (plus helper-RELATED flows).
    $IPT -A FORWARD -i $EXT_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
    # Rate-limited record of what the DROP policy discards.
    $IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FORWARD packet died: "



    echo "Process OUTPUT chain ..."
    # Only ICMP is screened for INVALID on the way out.
    $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

    # Anything this host sends out of lo, eth1 or ppp+ (or from its own lo /
    # LAN address) is allowed, so the OUTPUT DROP policy only bites for
    # packets leaving on some other interface.  Squid's upstream connections
    # presumably leave via ppp+ and are covered by the last accept.
    $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
    $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $EXT_IFACE -j ACCEPT
    # Rate-limited record of what the DROP policy discards.
    $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "


    echo "Load rules for nat table ..."

    # Proxy bypass: port-80 traffic to this one host is not redirected into
    # Squid (ACCEPT in nat PREROUTING ends nat processing for the packet, so
    # the REDIRECT below never sees it).
    $IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE -s $LOCAL_NET \
    -d 200.255.42.71 --dport 80 -j ACCEPT


    # Transparent proxy: every other LAN port-80 connection is redirected to
    # Squid on 172.16.0.1:3128 (http_port in the squid.conf posted below).
    # Only port 80 is intercepted: MSN's HTTP fallback (gateway.dll) does go
    # through Squid, but 443 (presumably the Hotmail login) and MSN's native
    # 1863 leave through FORWARD/MASQUERADE untouched, so the proxy ACLs have
    # no say over them in transparent mode.
    $IPT -t nat -A PREROUTING -p tcp -i $LOCAL_IFACE -s $LOCAL_NET \
    --dport 80 -j REDIRECT --to-ports 3128


    # Source NAT for the LAN behind the PPP uplink's (dynamic) address.
    $IPT -t nat -A POSTROUTING -o $EXT_IFACE -s $LOCAL_NET \
    -j MASQUERADE

  4. #4


    squid.conf

    # squid.conf -- Squid 2.5-era directives (httpd_accel_*, header_access,
    # no_cache).  Bound to the LAN address only, so the proxy is not reachable
    # from the uplink; the firewall REDIRECTs LAN port-80 traffic here.
    http_port 172.16.0.1:3128
    # ICP (UDP) for cache peering; icp_access below restricts it to "interno".
    # The firewall's TCP 3130 accept on the uplink does not match ICP at all.
    icp_port 3130

    # Dynamic content (cgi-bin / query strings) is neither cached nor sent to
    # cache peers.
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY


    # Memory and cache tuning left at the defaults, except the object cap.
    # cache_mem 8 MB
    # cache_swap_low 90
    # cache_swap_high 95
    maximum_object_size 40 MB
    # minimum_object_size 0 KB
    # maximum_object_size_in_memory 8 KB
    # ipcache_size 1024
    # ipcache_low 90
    # ipcache_high 95
    # fqdncache_size 1024

    # 2 GB disk cache using the diskd backend.
    cache_dir diskd /var/spool/squid 2048 64 64

    # The access log records every LAN client's browsing -- restrict who can
    # read it.  Store log disabled.
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log none

    # Password offered for anonymous FTP.  (The address shown here was scrubbed
    # by the page scraper; keep whatever is really configured.)
    ftp_user [email protected]

    dns_retransmit_interval 5 seconds
    dns_timeout 1 minutes

    # dns_defnames off
    connect_timeout 2 minutes


    # shutdown_lifetime 10 seconds


    acl all src 0.0.0.0/0.0.0.0
    # Allowed client machines and URL allow/deny lists, one entry per line.
    acl interno src '/etc/squid/acl/maquinas.txt'
    acl liberado url_regex -i '/etc/squid/acl/liberado.txt'
    acl proibido url_regex -i '/etc/squid/acl/proibido.txt'
    # NOTE(review): despite the name this is the *whole* LAN, not MSN's servers.
    acl msn_ip src 172.16.0.0/24
    # MSN Messenger over HTTP: the Passport login host, the HTTP gateway and its
    # request MIME type.  See the http_access block for why these never match
    # for LAN clients.
    acl libmsn dstdomain loginnet.passport.com
    acl libmsnmessenger url_regex -i gateway.dll
    acl lib_msn req_mime_type -i ^application/x-msn-messenger$
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    # CONNECT is only allowed to SSL_ports; Safe_ports is the stock list.
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    # Hotmail workaround (original comment: "fixes the hotmail.com site bug"):
    # strip Accept-Encoding so Hotmail is served uncompressed.  Only
    # .hotmail.msn.com matches; the login hosts suggested later in the thread
    # (login.live.com, passport.*) are not covered by this ACL.
    acl hotmail_domains dstdomain .hotmail.msn.com
    header_access Accept-Encoding deny hotmail_domains

    # First matching line wins.
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny proibido
    # NOTE(review): msn_ip matches every LAN client for every URL, so for LAN
    # traffic this line is always the first match and the five allow lines
    # after it are dead: the MSN ACLs, the per-machine list (interno) and the
    # URL allow list (liberado) are never consulted.  The only restriction
    # left for the LAN is "deny proibido" above.  If an allow list was
    # intended, narrow this line (e.g. "http_access allow msn_ip libmsn") or
    # remove it.
    http_access allow msn_ip
    http_access allow libmsn
    http_access allow libmsnmessenger
    http_access allow lib_msn
    http_access allow interno
    http_access allow liberado
    http_access deny all

    icp_access allow interno

    # Same ordering problem as http_access: "allow msn_ip" makes the rest moot
    # for LAN clients.  No final line for "all": a non-matching request gets
    # the opposite of the last line, i.e. deny.
    miss_access deny proibido
    miss_access allow msn_ip
    miss_access allow libmsn
    miss_access allow libmsnmessenger
    miss_access allow lib_msn
    miss_access allow liberado
    miss_access allow interno

    # Ident lookups only for the listed machines.
    ident_lookup_access allow interno
    ident_lookup_access deny all

    cache_mgr suporte

    # Transparent interception, Squid 2.5 style.
    httpd_accel_host virtual
    # NOTE(review): httpd_accel_port is documented as a single port.  Listing
    # 443 here does not make Squid intercept HTTPS (it cannot terminate TLS in
    # this mode), and the firewall only redirects port 80 anyway; HTTPS such
    # as the Hotmail login goes straight out through the firewall's FORWARD
    # chain without touching this proxy.
    httpd_accel_port 80 443
    # httpd_accel_single_host off
    # Keep serving clients that configure 172.16.0.1:3128 explicitly, and
    # rebuild the URL from the Host header (needed for "virtual" interception).
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on


    dns_testnames localhost.localdomain

    logfile_rotate 2

    # NOTE(review): appends each LAN client's private address to
    # X-Forwarded-For on every request, disclosing internal addressing to
    # every site visited.  "off" is the safer choice unless something
    # upstream relies on it.
    forwarded_for on

    buffered_logs on

    # SNMP agent disabled.
    snmp_port 0

    ie_refresh on


    O que estiver errado, pode falar. Valeu mesmo.

  5. #5


    Pô, galera, estou precisando muito de ajuda nesse problema; seria muito grato a quem me ajudar.

    Valeu

  6. #6


    Cara, libera também esses domínios do MSN:

    login.live.com
    gtwy.messenger.hotmail.com
    passport.msn.com
    passport.network

    Vê aí se dá certo e posta o resultado.



    vlw

  7. #7


    Cara, valeu pela dica, mas ainda não funcionou. Valeu mesmo.