Squid proibindo acesso a todos os sites [RESOLVIDO]

1. Squid proibindo acesso a todos os sites [RESOLVIDO]

leandrofv
(usa Debian)

Enviado em 24/10/2012 - 09:04h

Pessoal, acabei de instalar no Ubuntu 10 DHCP, SQUID e IPTABLES para fazer com que seja um servidor na minha rede.
Depois de várias tentativas e erros eu consegui fazer com que um micro na rede encontrasse o proxy, porém, toda vez que tento abrir um site recebo uma mensagem do squid dizendo: PROIBIDO ACESSO.
Por favor me ajudem, sou iniciante mais preciso muito deste servidor funcionando corretamente.
Vou mandar abaixo o meu arquivo de configuração do squid e do iptables:

Squid.conf



#squid.conf by Multiperfil

#24/10/2012



http_port 3128 transparent

visible_hostname srvpredios

error_directory /usr/share/squid/errors/Portuguese

hierarchy_stoplist cgi-bin?

acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY

cache_mem 512 MB

maximum_object_size_in_memory 200 KB

maximum_object_size 1 GB

minimum_object_size 0 KB

ipcache_size 1024

ipcache_low 90

ipcache_high 95

cache_replacement_policy lru

memory_replacement_policy lru

logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

access_log /var/log/squid/access.log squid

cache_swap_low 90

cache_swap_high 95

cache_dir ufs /var/spool/squid 5048 16 256

cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_swap_log /var/spool/squid/swap.log

cache_mgr leandro.vieira@multiperfil.co.ao

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 10 20% 2280

refresh_pattern ^gopher: 10 0% 1440

refresh_pattern . 15 20% 2280



# Definicao das ACLs # ACLs sÃ£responsÃ¡is por limitar as portas que o proxy irÃ¡sar

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl SSL_ports port 443 563

acl Safe_ports port 80

acl Safe_ports port 21      # ftp

acl Safe_ports port 443     # https, snews



# Travando micros locais para usaram o proxy

http_access allow localhost

http_access allow manager localhost



http_access deny all

Iptables



EXTIF="eth0"

INTIF="eth1"

IPT="iptables"

echo "   Interface Externa:  $EXTIF"

echo "   Interface Interna:  $INTIF"



echo "   Habilitando o encaminhamento IP.."

echo "1" > /proc/sys/net/ipv4/ip_forward



echo "   Habilitando protecao contra IP spoofing.."

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter



echo "   Habilitando IP dinamico.."

echo "1" > /proc/sys/net/ipv4/ip_dynaddr



echo "   Apagando qualquer regra existente e definindo as politicas.."

$IPT -F

$IPT -X

$IPT -F -t nat

$IPT -X -t nat

$IPT -F -t mangle

$IPT -X -t mangle



# Determina a politica padrao

echo "   Carrega politica padrao.."

$IPT -P INPUT DROP

$IPT -P OUTPUT DROP

$IPT -P FORWARD DROP



echo "   Carregando Bloqueio do Google Talk / Jabber"

$IPT -A FORWARD -d 216.239.37.125 -p tcp --dport 5222 -j REJECT

$IPT -A FORWARD -d 216.239.59.124 -p tcp --dport 5222 -j REJECT

$IPT -A FORWARD -d 216.239.63.91 -p tcp --dport 5222 -j REJECT

$IPT -A FORWARD -d 216.239.63.93 -p tcp --dport 5222 -j REJECT

$IPT -A FORWARD -d 64.233.167.124 -p tcp --dport 5222 -j REJECT

$IPT -A FORWARD -d 64.233.183.124 -p tcp --dport 5222 -j REJECT

$IPT -A FORWARD -d 216.239.37.125 -p tcp --dport 443 -j REJECT

$IPT -A FORWARD -d 216.239.59.124 -p tcp --dport 443 -j REJECT

$IPT -A FORWARD -d 64.233.183.124 -p tcp --dport 443 -j REJECT

$IPT -A FORWARD -d 72.232.16.77 -p tcp --dport 80 -j REJECT

$IPT -A FORWARD -p tcp --dport 5222 -j REJECT

$IPT -A FORWARD -p tcp --dport 5223 -j REJECT

$IPT -A FORWARD -p udp --dport 5222 -j REJECT

$IPT -A FORWARD -p udp --dport 5223 -j REJECT



echo " Aceita os pacotes que realmente devem entrar"

# -------------------------------------------------------

$IPT -A INPUT -i ! $EXTIF -j ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT





echo " Protecao contra worms"

# -------------------------------------------------------

$IPT -A FORWARD -p tcp --dport 135 -i $EXTIF -j REJECT



# Protecao contra syn-flood

# -------------------------------------------------------

$IPT -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT



echo " Protecao contra ping da morte"

# -------------------------------------------------------





echo " Protecao contra port scanners"

# -------------------------------------------------------

$IPT -N SCANNER

$IPT -A SCANNER -j DROP

$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i $EXTIF -j SCANNER

$IPT -A INPUT -p tcp --tcp-flags ALL NONE -i $EXTIF -j SCANNER

$IPT -A INPUT -p tcp --tcp-flags ALL ALL -i $EXTIF -j SCANNER

$IPT -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i $EXTIF -j SCANNER

$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i $EXTIF -j SCANNER

$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i $EXTIF -j SCANNER

$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i $EXTIF -j SCANNER

echo " Libera acesso externo a determinadas portas"

# -------------------------------------------------------



$IPT -A INPUT -p tcp -s 0.0.0.0/0 --dport 4422 -j ACCEPT #SSH



$IPT -A INPUT -p udp -j ACCEPT



#----------------------------------------------------------------------------------------



#echo "    Redirecionamento de porta para TS "



#$IPT -A FORWARD -p tcp --dport 3389 -j ACCEPT # Serv. Rwindows 2000TS

#$IPT -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3389 -j DNAT --to 192.168.10.4:3389



#----------------------------------------------------------------------------------------



echo "REDIRECIONAMENTO DE PORTAS VNC PARA PC INFORMATICA"



$IPT -A INPUT -i $EXTIF -p tcp --dport 5900 -j ACCEPT

$IPT -A PREROUTING -t nat -i $EXTIF -p tcp --dport 5900 -j DNAT --to 172.16.1.227:5900



#----------------------------------------------------------------------------------------



echo "Ativando proxy"

$IPT -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128

$IPT -t nat -A PREROUTING -i $INTIF -p tcp --dport 443 -j REDIRECT --to-port 3128



$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 443 -j ACCEPT



echo "Ativando entrada de requisicoes ao proxy"

#$IPT -A INPUT -i $EXTIF -p tcp --dport 3128 --syn -j ACCEPT



echo "Permitindo o retorno dos pacotes do redirecionamento"



echo "   FWD: Permite a saida de todas as conexoes e entrada de estabelecidas e relacionadas"

$IPT -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$IPT -A FORWARD -j LOG

echo "   Habilitando SNAT (MASCARAMENTO) em $EXTIF"



#echo " Regras especiais para o RH"



##$IPT -t nat -A POSTROUTING  -s 192.168.10.33 -p tcp -d 200.201.174.0/24 -o $EXTIF -j MASQUERADE

#$IPT -t nat -A POSTROUTING  -s 192.168.10.33 -p tcp -d www.caixa.gov.br -o $EXTIF -j MASQUERADE



#echo " Liberando acesso para utilizaÃ§Ã£o do RDESKTOP "

#$IPT -t nat -A POSTROUTING -p tcp --dport 3389 -o $EXTIF -j MASQUERADE



echo " Liberando acesso para utilizaÃ§Ã£o do OUTLOOK "

$IPT -t nat -A POSTROUTING -p tcp --dport 995 -o $EXTIF -j MASQUERADE

$IPT -t nat -A POSTROUTING -p tcp --dport 465 -o $EXTIF -j MASQUERADE



echo " LiberaÃ§Ã£o total para algumas maquinas"

$IPT -t nat -A POSTROUTING -s 172.17.0.254 -o $EXTIF -j MASQUERADE #Leandro

$IPT -t nat -A POSTROUTING -s 172.16.1.227 -o $EXTIF -j MASQUERADE #Luciana

$IPT -t nat -A POSTROUTING -s 172.16.1.13 -o $EXTIF -j MASQUERADE #Wireless Info

$IPT -t nat -A POSTROUTING -s 172.16.1.5 -o $EXTIF -j MASQUERADE #SRV Antivirus

$IPT -t nat -A POSTROUTING -s 172.16.1.135 -o $EXTIF -j MASQUERADE #Helena

$IPT -t nat -A POSTROUTING -s 172.16.1.12 -o $EXTIF -j MASQUERADE #Wireless Adm

$IPT -t nat -A POSTROUTING -s 172.16.1.46 -o $EXTIF -j MASQUERADE #Castilho





echo "   Priorizando Trafego de voz em $EXTIF"



#/etc/qos/SuperShaper-SOHO

#/etc/qos/SuperShaper-SOHO2



echo "   Fecha o Resto!!!"

$IPT -A INPUT -p tcp --syn -j DROP