


  1. #1

    Doesn't connect on ports 25 and 110

    Friends,

    I installed Debian, set up squid + iptables, browsing works fine, but I can't download messages in Outlook ( ports 25 and 110 ), it doesn't connect via telnet.

    Squid.conf

    #http_port 3128
    http_port 3128 transparent
    visible_hostname debian.number.com.br
    # Cache configuration
    cache_mem 128 MB
    #maximum_object_size_in_memory 1536 KB
    maximum_object_size 4096 KB
    #minimum_object_size 0 KB
    cache_swap_low 95
    cache_swap_high 98
    cache_dir ufs /var/spool/squid 800 32 32
    # Location of Squid's access log
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log none
    connect_timeout 30 seconds
    refresh_pattern ^ftp: 15 20% 2280
    refresh_pattern ^gopher: 15 0% 2280
    refresh_pattern . 15 20% 2280
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    # Allows access at whatever time you want (horaliberada)
    #acl almoco time 12:00-14:00
    #http_access allow horaliberada
    # Rule to block by keyword, list in porn.txt
    acl porn dstdom_regex "/etc/squid/porn.txt"
    http_access deny porn
    # Rule to allow by keyword, list in noporn.txt
    acl noporn dstdom_regex "/etc/squid/noporn.txt"
    http_access allow noporn
    # Rule to block by domain
    #acl bloqueados dstdomain orkut.com www.orkut.com playboy.abril.com.br
    #http_access deny bloqueados
    # User authentication
    #auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
    #acl autenticados proxy_auth REQUIRED
    #http_access allow autenticados
    # Allow the local network
    acl redelocal src 192.168.0.0/24
    http_access allow localhost
    http_access allow redelocal
    # Block external access
    http_access deny all
    # Transparent proxy
    #httpd_accel_host virtual
    #httpd_accel_port 80
    #httpd_accel_with_proxy on
    #httpd_accel_uses_host_header on
    cache_mgr [email protected]
    cache_effective_user squid
    cache_effective_group squid

    iptables.up.rules

    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *nat
    :PREROUTING ACCEPT [4461:1258346]
    :POSTROUTING ACCEPT [241:22746]
    :OUTPUT ACCEPT [253:23976]
    -A PREROUTING -d 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 200.187.64.134
    -A PREROUTING -d 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 200.187.64.133
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 200.201.158.110
    -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
    #-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007
    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *mangle
    :PREROUTING ACCEPT [6707:1907215]
    :INPUT ACCEPT [2836:733195]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2490:1178774]
    :POSTROUTING ACCEPT [2600:1192994]
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007
    # Generated by iptables-save v1.3.6 on Tue Sep 25 11:59:43 2007
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 3128 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 137:139 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.168.0.0/255.255.255.0 --dport 137:139 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp --dport 53 -j ACCEPT
    -A INPUT -p udp --dport 1080 -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp --dport 563 -j ACCEPT
    -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -p udp -s 192.168.0.0/24 -d 200.170.225.11 --dport 53 -j ACCEPT
    -A FORWARD -p udp -s 200.170.225.11 --sport 53 -d 192.168.0.0/24 -j ACCEPT
    -A FORWARD -p udp -s 192.168.0.0/24 -d 200.195.247.216 --dport 53 -j ACCEPT
    -A FORWARD -p udp -s 200.195.247.216 --sport 53 -d 192.168.0.0/24 -j ACCEPT
    -A FORWARD -d 192.168.0.0/255.255.255.0 -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.10 -j ACCEPT
    -A FORWARD -p TCP -s 192.168.0.0/24 --dport 25 -j ACCEPT
    -A FORWARD -p TCP -s 192.168.0.0/24 --dport 110 -j ACCEPT
    -A FORWARD -p tcp --sport 25 -j ACCEPT
    -A FORWARD -p tcp --sport 110 -j ACCEPT
    # -A FORWARD -p tcp -d mail.number.com.br -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -d 200.187.64.134 -i eth0 --dport 25 -j ACCEPT
    # -A FORWARD -p tcp -d smtp.ig.com.br -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -d 200.226.132.230 -i eth0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -i eth0 --dport 53 -j ACCEPT
    -A FORWARD -p udp -i eth0 --dport 53 -j ACCEPT
    # -A FORWARD -p tcp -d pop.number.com.br -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -d 200.187.64.133 -i eth0 --dport 110 -j ACCEPT
    # -A FORWARD -p tcp -d pop.ig.com.br -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -d 200.226.132.13 -i eth0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -i eth0 --dport 3128 -j ACCEPT
    -A FORWARD -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 25 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 110 -j ACCEPT
    -A FORWARD -p tcp -m tcp -s 192.168.0.0/255.255.255.0 --dport 1080 -j ACCEPT
    -A FORWARD -p tcp -s 192.168.0.0/24 --dport 443 -j ACCEPT
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    COMMIT
    # Completed on Tue Sep 25 11:59:43 2007


    Show me what's missing or what's wrong, I can't find anything else.

    thanks

  2. #2
    wesleybsd
    Guest

    Advice

    Young man
    Do this: throw out that Linux junk and put in FreeBSD with a few basic rules.

    #!/bin/sh
    #
    # Firewall template to be placed on the main FreeBSD Consult gateway
    # with direct access to the external network.
    # www.freebsdconsult.com.br / [email protected]
    ################################################################
    ## Declaring my variables
    ################################################################

    ## flushing the firewall
    ipfw -q pipe flush
    ipfw -q flush

    Ext_Interfaces1="xl0"
    Int_Interfaces1="rl0"
    Int_Interfaces2="rl1"
    Int_Interfaces3="xl3"
    Int_Interfaces4="wi0"

    # Client networks - all networks of the provider's clients that pass through this gateway
    MyClients=" 10.215.0.0/16 "

    # Local networks - client networks served directly by this gateway
    MyLocalNets=" 10.215.0.0/16 "

    # Local gateways - gateways of the networks listed above
    MyGateways="10.215.0.253"

    # Captive Portal
    CaptivePortal="10.215.0.20"
    CaptivePort="81"

    # Network used by the backbone
    MyBackbone="201.57.42.0/24"

    # Server network ( www, mail, dns )
    MyServersNet=" 201.57.42.0/24 "
    MyWWWServers=" 201.57.42.32 "
    MyMAILServers=" 201.57.42.32 "
    MyFTPServers="1.2.3.4"
    MySSHServers="1.2.3.4"
    MySAMBAServers="1.2.3.4"

    # Internal network
    MyInternalNets="192.168.100.0/24"

    # Clients and domains without proxy
    ClientsSemProxy=""
    DominiosSemProxy=""

    # Invalid networks - rfc 1918
    InvalidNets="{ 0.0.0.0/8 or 169.254.0.0/16 or 192.0.2.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 }"

    ################################################################
    ## Check dynamic rules
    ################################################################
    # Check dynamic rules
    ipfw delete 1
    ipfw add 1 check-state

    ###############################################################
    ## Allow DHCP packets
    ###############################################################
    ipfw delete set 5
    ipfw add 20 set 5 permit udp from any 68 to 255.255.255.255 67 in
    ipfw add 21 set 5 permit udp from any 68 to me 67 in
    ipfw add 22 set 5 permit udp from me 67 to any 68 out

    ###############################################################
    ## Stop RFC1918 nets
    ###############################################################
    ipfw delete set 6
    ipfw add 40 set 6 deny all from ${InvalidNets} to any in via ${Ext_Interfaces1}

    # Block ports of known viruses
    ipfw delete set 10
    ipfw add 50 set 10 drop log logamount 100 tcp from any to any 135-139,445,593,1080,1433,1434,1900,2283,2535,2745,3410,4444,5249,5554,6777,8866,8998,9996,9898,10000,10080,12345,17300,27374,38293,65506
    ipfw add 210 set 10 drop log logamount 100 udp from any to any 135-139,445,593,1080,1433,1434,1900,2283,2535,2745,3410,4444,5249,5554,6777,8866,8998,9996,9898,10000,10080,12345,17300,27374,38293,65506

    ################################################################
    ## Adding kernel tweaks
    ################################################################
    # Kernel tweaks
    # after going through dummynet rules the packet returns to the firewall at the next rule
    sysctl -w net.inet.ip.fw.one_pass=0

    # enable layer2 control
    sysctl -w net.link.ether.ipfw=0

    # Log connection attempts on closed ports ( tcp / udp )
    sysctl -w net.inet.tcp.log_in_vain=1
    sysctl -w net.inet.udp.log_in_vain=1

    # Wait time for an ACK
    sysctl -w net.inet.tcp.msl=7500

    # Send RST or drop packets to a closed port - 1 - sends RST, 2 - does not send RST
    sysctl -w net.inet.tcp.blackhole=2
    sysctl -w net.inet.udp.blackhole=2

    # Number of sockets - default is 128 - Max - 32767
    sysctl -w kern.ipc.somaxconn=32767

    # Drop ICMP redirect
    sysctl -w net.inet.icmp.drop_redirect=0
    sysctl -w net.inet.icmp.log_redirect=0
    sysctl -w net.inet.ip.redirect=0

    # Drop Source Routing
    sysctl -w net.inet.ip.sourceroute=0
    sysctl -w net.inet.ip.accept_sourceroute=0

    # Against smurf attacks
    sysctl -w net.inet.icmp.bmcastecho=0

    # deny information about the network mask
    sysctl -w net.inet.icmp.maskrepl=0


    ###############################################################
    ## deny-and-log malformed packets
    ###############################################################
    # XMAS tree
    ipfw add 100 set 10 deny log logamount 100 tcp from any to any in tcpflags fin,psh,urg

    # NULL scan (no flag set at all)
    ipfw add 110 set 10 deny log logamount 100 tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg

    # SYN flood (SYN,FIN)
    ipfw add 120 set 10 deny log logamount 100 tcp from any to any in tcpflags syn,fin

    # Stealth FIN scan (FIN,RST)
    ipfw add 130 set 10 deny log logamount 100 tcp from any to any in tcpflags fin,rst

    # Deny packets carrying routing information
    ipfw add 140 set 10 deny log logamount 100 ip from any to any in ipoptions ssrr,lsrr,rr,ts

    ################################################################
    # Clients of this network must go through the portal
    ################################################################
    ipfw delete set 8
    ipfw add 700 set 8 skipto 3000 ip from ${MyLocalNets} to any
    ipfw add 700 set 8 skipto 3000 ip from any to ${MyLocalNets}

    #####################################################################
    # Packets from clients of other networks that pass through this gateway
    # jump to rule 30000
    #####################################################################
    ipfw add 800 set 8 skipto 30000 ip from any to any

    ###############################################################
    ## captive portal rules
    ## from rule 19000 to 19999
    ###############################################################
    ipfw delete set 16
    # Allow DNS
    ipfw add 19900 set 16 permit ip from any to any 53
    ipfw add 19910 set 16 permit ip from any 53 to any

    # Allow the portal page
    ipfw add 19920 set 16 permit ip from any to any 81,82
    ipfw add 19930 set 16 permit ip from any 81,82 to any

    # Allow the provider's page
    ipfw add 19940 set 16 permit ip from any to ${MyWWWServers} 80,443
    ipfw add 19950 set 16 permit ip from any 80,443 to ${MyWWWServers}

    # Allow the return from the site that would be accessed - Without this, it does not divert to the portal
    ipfw add 19980 permit ip from any 80 to any

    ipfw add 19990 set 16 fwd 127.0.0.1,82 ip from ${MyLocalNets} to any 80,443,3128

    ipfw add 19999 set 16 drop log ip from any to any

    ################################################################
    ## Firewall
    ## from rule 30000 to 39999
    ################################################################
    ipfw delete set 20
    # Rules for access to the provider's servers
    ipfw add 30000 set 20 permit ip from ${MyMAILServers} to ${MyMAILServers} setup keep-state
    # limits the number of connections to the mail server - prevents attacks
    ipfw add 30010 set 20 permit ip from any to ${MyMAILServers} 25 limit src-addr 5
    ipfw add 30020 set 20 permit ip from ${MyMAILServers} to any 25
    # uncomment the next line to only allow your own server to send e-mail
    # ipfw add 30030 set 20 deny log logamount 100 ip from any to any 25

    # Protect port 3128 from clients - Do not allow
    ipfw add 32500 set 20 deny log logamount 100 ip from any to any 3128

    ################################################################
    ## Allowing access to our networks
    ################################################################
    # deny traffic between clients
    ipfw delete set 21
    ipfw add 39000 set 21 permit ip from ${MyLocalNets} to ${MyGateways} setup keep-state
    ipfw add 39010 set 21 permit ip from ${MyGateways} to ${MyLocalNets} setup keep-state
    #ipfw add 39020 set 21 drop log ip from ${MyLocalNets} to ${MyLocalNets}
    #ipfw add 39030 set 21 drop log ip from ${MyLocalNets} to ${MyClients}

    ################################################################
    ## Transparent proxy
    ## from rule 40000 to 44999
    ################################################################
    # Transparent proxy
    ipfw delete set 25

    #ipfw add 40000 set 25 skipto 45000 ip from ${ClientsSemProxy} to any 80,443
    #ipfw add 40000 set 25 skipto 45000 ip from any to ${DominiosSemProxy} 80,443

    #ipfw add 44900 set 25 permit ip from me to any 80,443
    #ipfw add 44910 set 25 fwd 127.0.0.1,3128 ip from ${MyClients} to any 80,443
    #ipfw add 44999 set 25 drop ip from ${MyClients} to any 80,443

    ################################################################
    ## NAT
    ## from rule 45000 to 46000
    ## ** personally I prefer PF's nat **
    ################################################################
    ipfw delete set 28
    ipfw add 45000 divert natd ip from any to 201.57.42.33 in via xl0
    ipfw add 45010 divert natd ip from any to any out via xl0

    ################################################################
    ## Allow everything that gets here
    ## by default, providers are "open"
    ################################################################
    ipfw delete set 30
    ipfw add 65000 set 30 allow ip from any to any


    ################################################################
    ############### Layer2 - Clients #####################
    ################################################################

    ipfw delete set 12
    #
    # Client that has no portal
    ipfw add 3000 set 12 skipto 20000 ip from 1.2.3.4 to any
    ipfw add 3000 set 12 skipto 20000 ip from any to 1.2.3.4
    #

    ################################################################
    ############# Bandwidth control - Clients #####################
    ################################################################
    ipfw delete set 18
    #
    # Clients without portal
    #ipfw add 20000 set 18 pipe 20000 ip from 1.2.3.4 to any in via rl0
    #ipfw add 20001 set 18 pipe 20000 ip from any to rl0 out via rl0
    #ipfw pipe delete 20000
    #ipfw pipe 20000 config bw 450Kbit/s

    Be happy and put an end to your problems, YOUNG MAN

  3. #3


    Did you enable kernel packet forwarding? Maybe that's your problem
    =)


    Quote: Originally posted by antelo
    Friends,

    I installed Debian, set up squid + iptables, browsing works fine, but I can't download messages in Outlook ( ports 25 and 110 ), it doesn't connect via telnet.

  4. #4


    Guys,

    I did NOT enable routing, because if I enable it, the browser works even without the proxy.

    I'd like a solution where the browser would ONLY work with the proxy and I could still connect with Outlook ( 25 and 110 ).

    Do you see what I'm thinking?

    Is there any way for my browser to require the proxy while kernel routing stays enabled?

    thanks for the help.

  5. #5


    Quote: Originally posted by antelo
    Is there any way for my browser to require the proxy while kernel routing stays enabled?
    You practically did that already in squid.conf:

    Code:
    http_port 3128 transparent

    If the server running Squid-Cache is the network's gateway, you don't need to configure anything proxy-related in any browser. What you have to do is simply redirect all requests forwarded to ports 80 and 8080 straight to port 3128 with firewall software (e.g. iptables).

    Then you can enable ip_forward and nothing on earth will escape the proxy.

    Quote: Originally posted by wesleybsd
    Young man
    Do this: throw out that Linux junk and put in FreeBSD with a few basic rules.
    Wow, such humility.

  6. #6


    My squid-cache is indeed the gateway.

    The way it is now the browser only works with the proxy, but I can't connect to ports 25 and 110.

    If I enable routing, I can connect to ports 25 and 110, but my browser works without the proxy.

    I want the browser to work only with the proxy and to connect to ports 25 and 110 without problems.

    Thanks

  7. #7


    So... it's like I said.
    You only need one firewall rule to redirect requests for ports 80 and 8080 to port 3128.

    Code:
    iptables -t nat -A PREROUTING -m multiport -p tcp --dport 80,8080 -j REDIRECT --to-port 3128

    With that, no proxy configuration is needed in any browser.

    Then just enable routing and you're done.

  8. #8


    I have this line in my iptables

    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

    Isn't it the same structure? Sorry, I'm a layman, I'm just starting out in the Linux world, thanks for helping me.

    I already use this line and even so it doesn't work the way I want.

    thanks

  9. #9


    The syntax is incorrect.

    Replace that line with the one I gave you and run a test.

  10. #10


    I need the proxy set in the browser, I don't want it to work without the proxy.

    thanks

  11. #11


    I think your difficulty may be a lack of knowledge on the subject...

    Read up on some literature about the proxy protocol, especially what a transparent proxy is. Then you'll understand that you don't need to configure anything in the browser for it to go through the proxy.

    With your current squid.conf and the rule I gave you, that is perfectly possible.

  12. #12


    I partly agree with you, I know I don't need the proxy to browse, but then I ask you: if an employee installs Firefox he'll be able to browse just fine, and then I'll no longer have a report on him, that's why I need the browser to go through the proxy.

  13. #13


    Man... you still haven't understood anything at all of what I said.

    I didn't say a proxy isn't needed to browse.
    I said no configuration is needed in the browser to go through the proxy.

    That's why I recommended you read more about the protocol.
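As an added example (not code from any poster in this thread), here is a gateway script that ties together the three points made above: post #3's check that kernel forwarding is actually on, post #7's REDIRECT of ports 80 and 8080 into Squid on 3128, and a deny-by-default FORWARD chain that still routes the mail ports 25 and 110 but drops anything else a client sends around the proxy, which is what post #12's Firefox worry comes down to. The interface names, the uplink, the `ROUTED_TCP` list and the file argument to the forwarding check are assumptions; `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not code from the thread): a transparent Squid gateway that
# forces LAN web traffic into the proxy and routes only the mail ports.
# Assumed layout: LAN 192.168.0.0/24 on eth0, Internet uplink on eth1,
# Squid on TCP 3128. Set IPT=echo SYSCTL=echo to print instead of apply.
set -e

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
LAN="${LAN:-192.168.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"
# TCP ports routed directly (not through Squid). Adding 443 here restores
# HTTPS but those sessions will not appear in access.log.
ROUTED_TCP="${ROUTED_TCP:-25 110}"

# Post #3's point: with ip_forward=0 the box routes nothing, so REDIRECTed web
# traffic still reaches Squid locally while Outlook's 25/110 sessions go nowhere.
# Returns 0 when forwarding is on. The path argument is an assumption that
# lets the check run against a sample file; the default is the live sysctl.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

# Builds the ruleset through $IPT, one command per call.
apply_rules() {
    "$IPT" -t nat -F PREROUTING
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -F FORWARD

    # Post #7's rule: the kernel steers every LAN request to 80/8080 into Squid,
    # so a browser with no proxy setting (post #12's Firefox) still shows up in
    # access.log. Port 443 is not redirected; it falls to the DROP below unless
    # it is listed in ROUTED_TCP.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN" -p tcp -m multiport \
        --dports 80,8080 -j REDIRECT --to-ports "$SQUID_PORT"
    "$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$WAN_IF" -j MASQUERADE

    # Forwarding is deny-by-default: only ROUTED_TCP and DNS are routed.
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $ROUTED_TCP; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -p tcp \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -p udp --dport 53 -j ACCEPT
    # Anything else a client tries to route around the proxy is logged, then dropped.
    "$IPT" -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "FWD-DROP: "
    "$IPT" -A FORWARD -i "$LAN_IF" -j DROP
}

# Self-check: how many emitted rules open a given --dport. Each port in
# ROUTED_TCP should count 1; a port nobody opened should count 0.
count_port_rules() {
    (IPT=echo; apply_rules) | grep -c -- "--dport $1 " || true
}

case "${1:-}" in
    check)
        if forwarding_enabled; then
            echo "ip_forward=1: the gateway routes LAN traffic"
        else
            echo "ip_forward=0: LAN clients cannot reach ports 25/110 through this box"
        fi ;;
    apply)   enable_forwarding; apply_rules ;;
    dry-run) (IPT=echo; SYSCTL=echo; enable_forwarding; apply_rules) ;;
esac
```

Run `sh gateway.sh dry-run` first to review the generated commands, then `check` and `apply` as root on the gateway.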