Galera, sempre visito o fórum/blog para ficar a par das notícias sobre Linux, mas hoje precisei criar uma conta devido ao problema do MSN Live.
Já tentei de tudo, mas creio que algo está errado nas ordens das ACLs:
Iptables
Código :#!/bin/bash # Limpa tabela atual iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X # Habilita Forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Desabilita resposta para ping # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # Desabilita Port Scan echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Protecao contra IP Spoofing for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 >$i done # Protege contra Synflood echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Disable ICMP Redirect Acceptance for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done # Log packets with impossible addresses for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $f done echo "ATIVANDO FIREWALL ... [ OK ]" modprobe ip_conntrack modprobe ipt_MASQUERADE modprobe ipt_LOG modprobe ip_tables modprobe iptable_nat modprobe ip_nat_ftp modprobe ip_nat_irc modprobe ip_conntrack_ftp # Barra todo o forward que nao estiver listado abaixo iptables -t filter -P FORWARD DROP # Libera trafego livre para loopback iptables -t filter -A INPUT -i lo -j ACCEPT iptables -t filter -A OUTPUT -o lo -j ACCEPT # Definicoes iniciais - Rede privada pode fazer novas conexoes iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Liberacoes para a rede privada 192.168.1.0 iptables -t filter -A FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -o eth1 -j ACCEPT iptables -t filter -A FORWARD -d [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -s 0/0 -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -t filter -A FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -o eth0 -j ACCEPT iptables -t filter -A FORWARD -d [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -s 0/0 -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Permitindo NAT para a rede local iptables -t nat -A POSTROUTING -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -o eth0 -j SNAT --to 200.217.189.xxx # ======== REGRAS PARA MSN MESSENGER ========= # Bloqueando MSN (esta regra deve ficar antes da linha que direciona a conexao da porta 80 para a 3128 do Squid) iptables -I FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -p tcp --dport 1863 -j DROP iptables -I FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -p tcp --dport 5190 -j DROP # ========================================= # == Tornando o proxy transparente, permitindo acesso direto ao Conectividade Social e Sites da Caixa iptables -t nat -A PREROUTING -p tcp -d [URL="http://200.201.174.0/24"]200.201.174.0/24[/URL] -j ACCEPT iptables -t nat -I PREROUTING -p tcp -d [URL="http://200.201.0.0/16"]200.201.0.0/16[/URL] -j ACCEPT iptables -I FORWARD -p tcp -d [URL="http://200.201.0.0/16"]200.201.0.0/16[/URL] -j ACCEPT iptables -t nat -A PREROUTING -i eth1 -p tcp -d ! [URL="http://200.201.174.0/24"]200.201.174.0/24[/URL] --dport 80 -j REDIRECT --to-port 3128 iptables -I FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -d obsupgdp.caixa.gov.br -j ACCEPT iptables -I FORWARD -s obsupgdp.caixa.gov.br -d [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -j ACCEPT iptables -I FORWARD -s [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -d cmt.caixa.gov.br -j ACCEPT iptables -I FORWARD -s cmt.caixa.gov.br -d [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] -j ACCEPT # ============================================================================================================= # Regras Finais iptables -I INPUT -j ACCEPT iptables -I FORWARD -j ACCEPT iptables -I OUTPUT -j ACCEPT # DROP everything and Log it iptables -A INPUT -j LOG iptables -A INPUT -j DROP # === FIM DO FIREWALL
Squid.conf
http://img509.imageshack.us/img509/2...clsquidlw6.pngCódigo :http_port 3128 transparent icp_port 0 htcp_port 0 hierarchy_stoplist cgi-bin ? visible_hostname squidserver dns_nameservers 192.168.1.5 200.217.189.xxx 200.217.189.xxx acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY cache_mem 128 MB cache_dir ufs /var/spool/squid 1024 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log cache_swap_low 90 cache_swap_high 95 maximum_object_size 76800 KB minimum_object_size 0 KB maximum_object_size_in_memory 4096 KB refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl all src [URL="http://0.0.0.0/0.0.0.0"]0.0.0.0/0.0.0.0[/URL] # ===================== # ACLs DA EMPRESA # ===================== # ACL para bloquear/liberar MSN acl messenger req_mime_type -i ^application/x-msn-messenger http_access deny messenger acl msn_gateway url_regex -i "/etc/squid/acl/msn_gateway" http_access deny msn_gateway acl ip_daniel src "/etc/squid/acl/ip_daniel" acl ip_liberados src "/etc/squid/acl/ip_liberados" acl ip_bloqueadototal src "/etc/squid/acl/ip_bloqueadototal" acl sites_free url_regex -i "/etc/squid/acl/sites_free" acl sites_orkut url_regex -i "/etc/squid/acl/sites_orkut" acl sites_youtube url_regex -i "/etc/squid/acl/sites_youtube" acl sites_proxy url_regex -i "/etc/squid/acl/sites_proxy" acl sites_radio url_regex -i "/etc/squid/acl/sites_radio" acl sites_bloqueados url_regex -i "/etc/squid/acl/sites_bloqueados" acl sites_webmessenger url_regex -i "/etc/squid/acl/sites_webmessenger" acl sites_hacking url_regex -i "/etc/squid/acl/sites_hacking" acl download url_regex -i "/etc/squid/acl/download" # ACL: Estacao enjaulada apenas para acessar o Sintegra acl ip_sintegra src "/etc/squid/acl/ip_sintegra" acl sites_sintegra url_regex -i "/etc/squid/acl/sites_sintegra" # ====== HTTP ACCESS RULES http_access deny sites_bloqueados !ip_daniel http_access deny sites_hacking !ip_daniel http_access deny sites_webmessenger http_access deny download !ip_daniel http_access deny sites_proxy !ip_daniel http_access deny sites_orkut !ip_daniel http_access deny sites_youtube !ip_daniel http_access deny sites_radio !ip_daniel http_access deny ip_bloqueadototal # ====== ACLs da Rede acl mariza src [URL="http://192.168.1.0/24"]192.168.1.0/24[/URL] acl manager proto cache_object acl localhost src [URL="http://127.0.0.1/255.255.255.255"]127.0.0.1/255.255.255.255[/URL] acl to_localhost dst [URL="http://127.0.0.0/8"]127.0.0.0/8[/URL] acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost # ===== http_access allow ip_liberados http_access allow ip_sintegra http_access allow sites_sintegra http_access allow sites_free # ===== http_access deny mariza http_access deny all http_reply_access allow all icp_access allow all # ===== cache_effective_user proxy cache_effective_group proxy cache_mgr [EMAIL="[email protected]"][email protected][/EMAIL] # ====== Diretorio de Erros error_directory /usr/share/squid/errors/Portuguese/
Quaisquer dúvidas sobre as ACLs eu responderei prontamente.
Preciso bloquear o bendito MSN Live somente. Sites do Hotmail.com e Live.com poderão ser acessados normalmente (ordens do Gerente de TI).
Grato.