Problema Proxy

michelrbc
(usa Red Hat)

Enviado em 09/08/2011 - 08:58h

Bom dia pessoal,
Realizei a Implantação do Centos 5.6 x86_64 em um cliente, porém após a ativação alguns sites somente funcionam se reiniciado o micro.
Imaginei que pudesse ser algum problema de DNS, porém já alterei e também não houve sucesso.
O problema ocorre tanto quando coloco o redirecionamento da porta 80 para 3128 como se estiver navegando por NAT. Pelo que parece, principalmente máquinas com o Windows XP apresentam este problema, já que páginas e e-mails não funciona.
A versão do Squid instalada é a 2.6.

Desde já agradeço a ajuda de todos.

Att.

Michel Rodrigo

renato_pacheco
(usa Debian)

Enviado em 09/08/2011 - 11:06h

O proxy é transparente? Se sim, o problema pode estar sendo na porta 443, q o proxy transparente não gerencia. Neste caso, vc deve liberar no firewall a porta 443 ou configurar no navegador o endereço proxy (algo q deixaria d ser transparente).

michelrbc
(usa Red Hat)

Enviado em 09/08/2011 - 11:38h

É transparente sim e no meu firewall já está liberada a porta 443.
Esses procedimentos já realizei.
Mesmo sites que não são https não funcionam.

Att.

Michel Rodrigo

renato_pacheco
(usa Debian)

Enviado em 09/08/2011 - 11:46h

Então faça um teste com o seu DNS. Pegue os sites q estão dando problemas e tente resolvê-los na linha d comando (dig ou nslookup).

dolivervl
(usa Slackware)

Enviado em 09/08/2011 - 11:46h

Posta o script do firewall e o squid.conf

michelrbc
(usa Red Hat)

Enviado em 18/08/2011 - 09:50h

Segue meus arquivos.
Outra coisa que pude perceber, é que alguns sites (banco principalmente) só funciona do https de estiver com o proxy configurado no IE.

##########Firewall#############


#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

# Acerta hora do servidor
ntpdate -u pool.ntp.org

iptables -X
iptables -F
iptables -t nat -F

#==========================PROTECOES=============================
#Contra pactoes danificados ou suspeitos
iptables -A FORWARD -m unclean -j DROP

#Contra Ping
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

#Contra Ping da Morte
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#Contra ataque SMURF
iptables -A INPUT -p icmp --icmp-type 8 -j REJECT

#Contra Ataques SYN-FLOOD
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT

#Contra Scanners avancados (namp)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_conntrack

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Aceita conexões da Conectividade Social
iptables -A FORWARD -s 192.168.0.0/24 -d obsupgdp.caixa.gov.br -j ACCEPT
iptables -A FORWARD -s obsupgdp.caixa.gov.br -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d cmt.caixa.gov.br -j ACCEPT
iptables -A FORWARD -s cmt.caixa.gov.br -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.160/20 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT

#Redireciona trafego www para squid

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 80 -j REDIRECT --to-port 3128


#Bloqueando acessos externos ao squid
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j DROP

######Redireciona acesso remoto para computadores da rede

#Redireciona Acesso ao micro Braz
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8000 -j DNAT --to-destination 192.168.0.53:3389

#Redireciona Acesso ao micro Alberto
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8001 -j DNAT --to-destination 192.168.0.29:3389



#BLOQUEAR ACESSO AO ORKUT POR HTTPS

iptables -t filter -A INPUT -d 216.239.51.85 -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d 216.239.51.85 -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d 216.239.51.85 -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d 216.239.37.85 -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d 216.239.37.85 -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d 216.239.37.85 -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d images.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d images.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d images.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d www.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d www.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d www.orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A INPUT -d orkut.com -p tcp --dport 433 -j DROP
iptables -t filter -A OUTPUT -d orkut.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d orkut.com -p tcp --dport 443 -j DROP

#BLOQUEAR ACESSO AO YAHOO POR HTTPS

iptables -t filter -A INPUT -d login.yahoo.com -p tcp --dport 443 -j DROP
iptables -t filter -A OUTPUT -d login.yahoo.com -p tcp --dport 443 -j DROP
iptables -t filter -A FORWARD -d login.yahoo.com -p tcp --dport 443 -j DROP

#BLOQUEIA FACEBOOK POR HTTPS

FACEBOOK_ALLOW="192.168.0.1"
iptables -N FACEBOOK

iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j FACEBOOK

## FACEBOOK ALLOW
for face in $FACEBOOK_ALLOW; do
iptables -A FACEBOOK -s $face -j ACCEPT
done
iptables -A FACEBOOK -j REJECT

##########################################
# ULTRASURF BLOQUEADO ATE A VERSAO 10.10 #
##########################################

iptables -I FORWARD -p tcp --dport 19769 -j DROP
iptables -I FORWARD -p tcp --dport 55433 -j DROP
iptables -I FORWARD -p tcp --dport 33190 -j DROP
iptables -I FORWARD -p tcp --dport 19769 -j DROP
iptables -I FORWARD -p tcp --dport 23620 -j DROP
iptables -I FORWARD -p tcp --dport 3103 -j DROP
iptables -I FORWARD -p tcp --dport 3162 -j DROP
iptables -I FORWARD -p tcp --dport 2000:3000 -j DROP

iptables -I FORWARD -p tcp -d 65.49.2.0/24 -j DROP
iptables -I FORWARD -p tcp -s 65.49.2.0/24 -j DROP
iptables -I FORWARD -p tcp -d 65.49.14.0/24 -j DROP
iptables -I FORWARD -p tcp -s 65.49.14.0/24 -j DROP
iptables -I FORWARD -p tcp -d 208.43.202.0/24 -j DROP
iptables -I FORWARD -p tcp -s 208.43.202.0/24 -j DROP
iptables -I FORWARD -d 114.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 114.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -d 112.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 112.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -d 59.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 59.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -d 118.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 118.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -d 61.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 61.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -d 1.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 1.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 122.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -d 122.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 124.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -d 124.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -s 111.0.0.0/8 -p tcp --destination-port 443 -j DROP
iptables -I FORWARD -d 111.0.0.0/8 -p tcp --destination-port 443 -j DROP

#BLOQUEAR MSN

#Essa regra libera host especifico ao acesso

#Usuário

# Tmax Michel
iptables -A FORWARD -s 192.168.0.3/32 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.3/32 -d loginnet.passport.com -j ACCEPT

# Tmax Michel
iptables -A FORWARD -s 192.168.0.10/32 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -s 192.168.0.10/32 -d loginnet.passport.com -j ACCEPT


# Esta regra bloqueia qualquer host da rede ao conectar no MSN:

#iptables -t filter -A FORWARD -d col110.mail.live.com -p tcp --dport 443 -j DROP
#iptables -A Filter -d gateway.messenger.hotmail.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5223 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d loginnet.passport.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d config.messenger.msn.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d messenger.msn.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d 200.46.110.0/24 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d 64.4.13.0/24 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d messenger.msn.ca -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d webmessenger.msn.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d c.msn.com -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -d tkfiles.storage.msn.com -j REJECT

#iptables -A filter -d gateway.messenger.hotmail.com -j REJECT
#iptables -A filter -d gw.msnmessenger.akadns.net -j REJECT
#iptables -t filter -A INPUT -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
#iptables -t filter -A OUPUT -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
#iptables -t filter -A FORWARD -d by2.omega.contacts.msn.com -p tcp --dport 443 -j DROP
#iptables -t filter -A INPUT -d urs.microsoft.com -p tcp --dport 443 -j DROP
#iptables -t filter -A OUPUT -d urs.microsoft.com -p tcp --dport 443 -j DROP
#iptables -t filter -A FORWARD -d urs.microsoft.com -p tcp --dport 443 -j DROP


############Squid 3.1.4#################
http_port 3128 transparent
visible_hostname proxyserver

dns_nameservers 8.8.8.8

# Configuração do cache
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256

# Localização do log de acessos do Squid
cache_access_log /var/log/squid/access.log

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280


acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Libera acessos na hora do almoço
acl almoco time 11:45-12:45
http_access allow almoco

# Filtros por palavras, dominios, MSN e download
acl sites_bloqueados dstdom_regex "/etc/squid/sites_proibidos.txt"
acl bloqueia_msn dstdom_regex "/etc/squid/bloqueia_msn.txt"
acl palavras_bloqueadas url_regex -i "/etc/squid/palavras_block.txt"
acl bloqueia_downloads url_regex -i .exe$ .iso$ .mp3$ .msi$ .mjpg$ .mpeg$ .mp4$ .rom$

#Libera micro para acesso a sites bloqueados e MSN
acl ips_liberados src "/etc/squid/ips_liberados.txt"
acl ips_msn_liberado src "/etc/squid/ips_msn_liberado.txt"

# Libera para a rede local
acl rede_local src 192.168.0.0/24

#Controla acesso a usuários com acesso restrito
acl ips_restritos src "/etc/squid/ips_restritos.txt"
acl restricoes_adicionais dstdom_regex "/etc/squid/restricoes_adicionais.txt"


#http_access deny sites_bloqueados !ips_liberados
#http_access deny bloqueia_msn !ips_liberados !ips_msn_liberado
#http_access deny palavras_bloqueadas !ips_liberados
#http_access deny bloqueia_downloads !ips_liberados
http_access allow localhost
http_access allow rede_local !ips_restritos
http_access allow ips_restritos !restricoes_adicionais !sites_bloqueados !palavras_bloqueadas !bloqueia_downloads

# Bloqueia acessos externos
http_access deny all