Proxy and firewall

1. Proxy and firewall

Marcus Shoiti Ueda
marcusl1nk

(uses Red Hat)

Posted on 23/03/2010 - 10:52h

I use Squid on my network, but none of the machines on the network that go through it can access a site that is needed to do the company's work.

The squid.conf goes like this:
#TAGs:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 5 MB
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log squid
pid_filename /var/run/squid.pid
cache_dir ufs /var/cache/squid 100 16 256
http_port 3128
icp_port 0 # default 3130
cache_effective_user proxy
cache_mgr suporte@munditech.com
maximum_object_size 16 mb
dns_nameservers 208.67.222.222 208.67.222.220
#dns_testnames microsoft.com internic.net netscape.com nlanr.net
memory_pools off
visible_hostname Internet Server
request_body_max_size 100 mb
coredump_dir none
error_directory /usr/share/squid/errors/Portuguese
auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
authenticate_ttl 1 hours
auth_param basic realm SERVIDOR DE INTERNET MUNDITECH
auth_param basic credentialsttl 2 hours
authenticate_ip_ttl 0 seconds
server_persistent_connections off
#############################################################################
#Default ACLs:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 809 # opens access to the sptrans site
acl purge method PURGE
acl CONNECT method CONNECT
################################################################################
#Internal network ACLs!!
#acl conexoes maxconn 25
acl adm proxy_auth "/etc/squid/liberado" # Gives full access to the users listed in the liberado file
###acl rede_int src 192.168.0.0/24 192.168.1.0/24
acl rede_int src 192.168.0.0/255.255.255.0 192.168.1.0/24
acl publico proxy_auth REQUIRED
acl digitadores proxy_auth digitador
acl cultura_inglesa dstdomain .FreeOnlineSurveys.com
acl legiscenter dstdomain intranet.legiscenter.com.br
acl blacklist url_regex -i "/etc/squid/blacklist.txt"
acl chat_eletropaulo dstdomain .eletropaulo.com.br
################################################################################
# default configuration!!
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
###############################################################################
# custom configuration!!!
http_access allow rede_int adm
http_access deny digitadores !cultura_inglesa
http_access allow chat_eletropaulo
http_access allow rede_int publico !blacklist
no_cache deny legiscenter
#icp_access deny all
http_access allow all
#############################################################################

The iptables-save output looks like this:
# Generated by iptables-save v1.3.6 on Mon Mar 22 22:17:20 2010
*nat
:PREROUTING ACCEPT [3045:392159]
:POSTROUTING ACCEPT [164:10873]
:OUTPUT ACCEPT [1536:98261]
:keep_state - [0:0]
-A PREROUTING -p tcp -m tcp --dport 56452 -j DNAT --to-destination 192.168.1.5
-A PREROUTING -j keep_state
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -j keep_state
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Mon Mar 22 22:17:20 2010
# Generated by iptables-save v1.3.6 on Mon Mar 22 22:17:20 2010
*filter
:INPUT ACCEPT [6271:1135133]
:FORWARD ACCEPT [416:25843]
:OUTPUT ACCEPT [1623:103533]
:keep_state - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 113 -j DROP
-A INPUT -j keep_state
-A FORWARD -s 192.168.0.202 -j ACCEPT
-A FORWARD -s 192.168.1.5 -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -s 192.168.0.100 -j ACCEPT
-A FORWARD -s 192.168.1.3 -j ACCEPT
-A FORWARD -s 192.168.1.13 -j ACCEPT
-A FORWARD -s 192.168.0.10 -j ACCEPT
-A FORWARD -d 192.168.1.100 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth2 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A FORWARD -i eth3 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A FORWARD -j keep_state
-A FORWARD -s 192.168.0.14 -j ACCEPT
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Mon Mar 22 22:17:20 2010


but I can't get into the site intranet.legiscenter.com.br


Is there something I have to change?

And what do these lines mean
-A FORWARD -d 192.168.1.100 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth2 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A FORWARD -i eth3 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset

??????


2. Re: Proxy and firewall

Daniel Fernandes
volcom

(uses Debian)

Posted on 23/03/2010 - 11:19h

Use the following command to check exactly where it is being blocked:

tailf /var/log/squid/access.log | grep DENIED | grep IP_DA_ESTAÇAO

That way it will list everything being accessed by that IP and being denied.

If it is being blocked by Squid, it will show up there!

If nothing shows up, also check whether the site uses a non-standard port, other than the default 80. If so, you will have to open it too.

Well, I think we can start like that... send us the details and results.
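The check suggested above, written out as an added example (not code from either poster): it parses lines in Squid's native access.log format, keeps the TCP_DENIED entries for one client IP, and reports whether each denied request's port is covered by the Safe_ports list from the squid.conf posted in the thread. The sample log lines are constructed, and the intranet port 81 in them is an assumption used only to show a non-Safe_port case.

```python
import re
from urllib.parse import urlsplit

# Safe_ports as declared in the squid.conf posted above; 1025-65535 is the "unregistered ports" entry.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777, 631, 873, 901, 809}

# Squid native access.log layout: time elapsed client action/code bytes method URL ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<code>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def url_port(url, method):
    """Destination port of a request; CONNECT lines carry host:port instead of a URL."""
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    if parts.port:
        return parts.port
    return 443 if parts.scheme == "https" else 80

def is_safe_port(port):
    return port in SAFE_PORTS or 1025 <= port <= 65535

def denied_requests(lines, client_ip):
    """(url, status, port, port_in_Safe_ports) for each request from client_ip that Squid denied.
    Status 407 means Squid asked for proxy credentials (proxy_auth REQUIRED), not an ACL block."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("client") != client_ip:
            continue
        if not m.group("action").startswith("TCP_DENIED"):
            continue
        port = url_port(m.group("url"), m.group("method"))
        found.append((m.group("url"), int(m.group("code")), port, is_safe_port(port)))
    return found

# Constructed sample lines in Squid's native log format (not real data from the thread).
SAMPLE_LOG = [
    "1269349200.123    12 192.168.0.13 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1269349201.456     0 192.168.0.13 TCP_DENIED/403 1580 GET http://intranet.legiscenter.com.br:81/login - NONE/- text/html",
    "1269349202.789     0 192.168.0.13 TCP_DENIED/407 1700 GET http://intranet.legiscenter.com.br/ - NONE/- text/html",
    "1269349203.012     0 192.168.0.20 TCP_DENIED/403 1580 CONNECT mail.example.com:993 - NONE/- text/html",
]

if __name__ == "__main__":
    for url, status, port, safe in denied_requests(SAMPLE_LOG, "192.168.0.13"):
        print(f"{status} {url} -> port {port}, {'in' if safe else 'NOT in'} Safe_ports")
```

On a system without tailf, `tail -f /var/log/squid/access.log` produces the same stream of lines to feed into this filter.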


3. Re: Proxy and firewall

Marcus Shoiti Ueda
marcusl1nk

(uses Red Hat)

Posted on 23/03/2010 - 11:52h

proxydebian:~# tailf /var/log/squid/access.log | grep DENIED | grep 192.168.0.13
bash: tailf: command not found

O.o


4. Re: Proxy and firewall

Marcus Shoiti Ueda
marcusl1nk

(uses Red Hat)

Posted on 24/03/2010 - 13:07h

hmm, how do I remove something from iptables???
