Problems with Squid port redirection
Good morning, I urgently need some help.
Here is the situation:
I am trying to redirect the Squid port via NAT.
My internal network is 192.168.0.X; my Squid is configured to listen on port 3128.
I configure the workstations to use the proxy at address 192.168.0.1, port 3128.
My local interface on the firewall is eth1, 192.168.0.1.
I have the following firewall rules:
#!/bin/sh
# Firewall script
#
#
###################################################
# Basic definitions
###################################################
IPTABLES="/sbin/iptables"
# ENABLING ROUTING
#
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
###################################################
# General cleanup
###################################################
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
# The dropwall chain (LOG then DROP) is not shown in the post; it is recreated
# here from the "Dropwall:" prefix in the log below, since -X above deletes
# user chains and the jumps at the end of the script need it to exist.
$IPTABLES -N dropwall
$IPTABLES -A dropwall -j LOG --log-prefix "Dropwall:"
$IPTABLES -A dropwall -j DROP
###################################################
# Policy setup
###################################################
# Default DROP on all three chains: only traffic explicitly accepted below gets through.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Packets belonging to already-tracked connections are accepted; NEW connections are not.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################################
# NAT - NETWORK ADDRESS TRANSLATION
############################################################
# Transparent redirect: HTTP from the LAN side is sent to the local Squid port.
$IPTABLES -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
# HTTP is TCP only; this UDP rule never matches anything useful.
$IPTABLES -t nat -A PREROUTING -p udp -i eth1 --dport 80 -j REDIRECT --to-port 3128
####
# Private (RFC 1918) network
####
# Forward everything both ways between the outside (eth0) and the LAN (eth1).
# Traffic addressed to the firewall itself (such as the proxy port) never reaches FORWARD.
$IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
####
# Loopback interface
####
$IPTABLES -A INPUT -i lo -j ACCEPT
############################################################
# Final rules (DROP with LOG)
############################################################
$IPTABLES -A INPUT -j dropwall
$IPTABLES -A FORWARD -j dropwall
$IPTABLES -A OUTPUT -j dropwall
**** This way there is no way to get the workstations browsing; the Squid log records nothing.
The firewall returns this log:
Dec 19 09:44:41 fw kernel: Dropwall:IN=eth1 OUT= MAC=00:06:29:26:00:94:00:11:5b:d4:c6:75:08:00 SRC=192.168.0.11 DST=192.168.0.1 LEN=378 TOS=0x00 PREC=0x00 TTL=128 ID=31212 DF PROTO=TCP SPT=1257 DPT=3128 WINDOW=15753 RES=0x00 ACK PSH URGP=0
If I create the firewall rules like this (removing the DROPs):
#!/bin/sh
# Firewall script
#
#
###################################################
# Basic definitions
###################################################
IPTABLES="/sbin/iptables"
# ENABLING ROUTING
#
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
###################################################
# General cleanup
###################################################
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
# No policies are set here, so all three chains keep their default policy of ACCEPT.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################################
# NAT - NETWORK ADDRESS TRANSLATION
############################################################
$IPTABLES -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
# HTTP is TCP only; this UDP rule never matches anything useful.
$IPTABLES -t nat -A PREROUTING -p udp -i eth1 --dport 80 -j REDIRECT --to-port 3128
####
# Private (RFC 1918) network
####
$IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
####
# Loopback interface
####
$IPTABLES -A INPUT -i lo -j ACCEPT
Then it works. What is missing? Do I have to create another rule for port 3128? How do I do that, and at what point in the script should it be included...
Thanks in advance.
WASLEY
Problems with Squid port redirection
To find out where it is dropping, you have to put LOG rules in your CHAINS, then try to open connections and keep checking the log... it is quite laborious...
There is a very nice firewall project... it is called tuxfrw, take a look at it, it tries to be quite restrictive.
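Worked example added by the editor; it is not WASLEY's script, the reply's code, or tuxfrw. It shows the rule the first script was missing (WASLEY's question) and a helper that reads the "Dropwall:" kernel log lines the reply suggests using to find the dropping chain. From the thread: the LAN is 192.168.0.0/24 on eth1 (192.168.0.1) and Squid listens on 3128. Assumptions of this example: eth0 is the outside interface, and Squid needs outbound TCP 80/443 and UDP 53 to do its job. By default the script only prints the iptables commands; run it as root with APPLY=1 to load them.

```shell
#!/bin/sh
# Editor's example, not the original poster's script. Dry run by default:
# prints every iptables command; APPLY=1 as root executes them instead.

IPT="/sbin/iptables"
LAN_IF="eth1"              # inside interface, 192.168.0.1 (from the post)
WAN_IF="eth0"              # outside interface (assumed from the FORWARD rules)
LAN_NET="192.168.0.0/24"   # from the post
SQUID_PORT="3128"          # from the post

# run: execute the command when APPLY=1, otherwise print it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# rules: the complete rule set, in load order.
rules() {
    run $IPT -F
    run $IPT -F -t nat
    run $IPT -F -t mangle
    run $IPT -X
    # Logging chain, created before anything jumps to it. The prefix is the
    # one visible in the post's log line; the limit keeps the log readable.
    run $IPT -N dropwall
    run $IPT -A dropwall -m limit --limit 10/min -j LOG --log-prefix "Dropwall:"
    run $IPT -A dropwall -j DROP
    run $IPT -P INPUT DROP
    run $IPT -P OUTPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -A INPUT -i lo -j ACCEPT
    run $IPT -A OUTPUT -o lo -j ACCEPT
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The rule the first script lacked. Browsers connect to 192.168.0.1:3128,
    # i.e. to the firewall itself, so the NEW connection is decided by INPUT
    # (the post's log line has IN=eth1 and an empty OUT=), never by FORWARD.
    # Limiting it to the LAN interface and range keeps the proxy off eth0.
    run $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -m state --state NEW -j ACCEPT
    # Also needed with OUTPUT policy DROP: Squid's own connections to web
    # servers and to the resolver are NEW packets leaving the firewall.
    run $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    run $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Transparent redirect of plain HTTP from the LAN into Squid. TCP only:
    # HTTP is not carried over UDP, so the post's UDP rule matched nothing.
    run $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # Forward only connections the LAN opens; replies return via ESTABLISHED,
    # and unsolicited connections from eth0 are no longer forwarded inward.
    run $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    run $IPT -A INPUT -j dropwall
    run $IPT -A OUTPUT -j dropwall
    run $IPT -A FORWARD -j dropwall
}

# dropped: summarise a Dropwall log line as "IN=... OUT=... SRC -> DST PROTO/DPT".
# IN set with OUT empty means the packet was for the host itself (INPUT chain);
# IN empty with OUT set means OUTPUT; both set means FORWARD.
dropped() {
    printf '%s\n' "$1" | sed -n \
        's/.*IN=\([^ ]*\) OUT=\([^ ]*\).*SRC=\([^ ]*\) DST=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([^ ]*\).*/IN=\1 OUT=\2 \3 -> \4 \5\/\6/p'
}

# Log line quoted from WASLEY's post (not constructed here).
POST_LOG='Dec 19 09:44:41 fw kernel: Dropwall:IN=eth1 OUT= MAC=00:06:29:26:00:94:00:11:5b:d4:c6:75:08:00 SRC=192.168.0.11 DST=192.168.0.1 LEN=378 TOS=0x00 PREC=0x00 TTL=128 ID=31212 DF PROTO=TCP SPT=1257 DPT=3128 WINDOW=15753 RES=0x00 ACK PSH URGP=0'

# IP forwarding is a sysctl, not an iptables rule; only touch it when applying.
if [ "${APPLY:-0}" = "1" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi

rules
dropped "$POST_LOG"
```

Read the post's log line through dropped and it comes out as IN=eth1 OUT= 192.168.0.11 -> 192.168.0.1 TCP/3128: a LAN host talking to the firewall's own proxy port, dropped in INPUT. That is why the fix belongs among the INPUT rules, after the ESTABLISHED,RELATED accept and before the final jump to dropwall, and why removing the DROP policies "made it work" while also leaving every other port on the firewall open.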