Squid3 nao bloquear sites [RESOLVIDO]

1. Squid3 nao bloquear sites [RESOLVIDO]

Alex
lirocat

(usa Outra)

Enviado em 12/12/2012 - 12:18h

Ola amigos, preciso de ajuda para bloquear os sites definidos no squid.conf. Uso proxy transparent e nao bloqueia nada.


  


2. Re: Squid3 nao bloquear sites [RESOLVIDO]

Renato Freitas
nanatinho

(usa Debian)

Enviado em 12/12/2012 - 13:35h

Boa tarde.

Poste o teu squid.conf



Abraço e fq com DEUS!!!


3. Re: Squid3 nao bloquear sites [RESOLVIDO]

Alex
lirocat

(usa Outra)

Enviado em 12/12/2012 - 13:42h

nanatinho escreveu:

Boa tarde.

Poste o teu squid.conf



Abraço e fq com DEUS!!!


Squid.Conf


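# Interception port: the firewall REDIRECTs LAN TCP 80/8080 to this port.
# "transparent" is the Squid 3.0/3.1 keyword; later 3.x releases spell this
# mode "intercept" -- TODO confirm against the installed squid3 version.
# Only redirected traffic arrives here. HTTPS (443) is never redirected by the
# firewall script, so none of the http_access rules below can block an
# https:// site; that traffic bypasses Squid entirely.
http_port 3128 transparent
visible_hostname GSPROXY # Server name shown in error pages

# Sends requests whose URL matches these patterns straight to the origin
# (dynamic content is not fetched through a cache hierarchy). Disabled.
#hierarchy_stoplist CGI-bin ?

# Location of Squid's localized error pages.
error_directory /usr/share/squid3/errors/pt-br

# Contact e-mail shown on error pages so users can reach the administrator.
cache_mgr alex.oliveira@globalservice-am.com.br

# ACL that keeps CGI responses out of the cache. Disabled.
#acl QUERY urlpath_regex cgi-bin ?
#no_cache deny QUERY

# RAM reserved for in-memory objects.
cache_mem 2000 MB

# Largest object kept in the RAM cache.
maximum_object_size_in_memory 64 KB

# Largest / smallest object stored in the disk cache.
# NOTE(review): minimum_object_size 40 KB means every response smaller than
# that (most HTML pages) is never written to disk, and a 30000 MB maximum lets
# a single object take two thirds of the 45000 MB cache_dir below.
maximum_object_size 30000 MB
minimum_object_size 40 KB

# Disk-cache replacement thresholds: when usage reaches 95% Squid evicts the
# oldest objects until usage is back at 90%.
cache_swap_low 90
cache_swap_high 95


# Disk cache: storage type, path, size in MB (45000), number of first-level
# directories (16) and second-level directories per first-level one (256).
# Raise the size if there is spare disk space and objects should live longer.
cache_dir ufs /var/spool/squid3 45000 16 256


# Access log location.
# NOTE(review): cache_access_log is the pre-3.x directive name; Squid 3 uses
# access_log -- run `squid3 -k parse` and check for a warning before relying
# on this line.
cache_access_log /var/log/squid3/access.log


acl manager proto cache_object
acl redelocal src 192.168.0.0/24
#acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8


acl SSL_ports port 443 563 81 2087 10000
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 25 587 # smtp
acl Safe_ports port 110 # pop3
acl CONNECT method CONNECT

#acl acesso_total src "/etc/squid3/acesso_total.conf"
# url_regex is matched anywhere in the full URL (unanchored unless the file
# anchors each pattern), so a bare word such as "games" also blocks any URL
# that merely contains that text. For plain domain blocks, dstdomain with
# ".example.com" style entries is the precise tool.
acl sitesproibidos url_regex -i "/etc/squid3/sitesproibidos.conf"
#acl sitespermitidos url_regex -i "/etc/squid3/sitespermitidos.conf"
# rep_mime_type inspects the *reply* Content-Type, so it only works in
# http_reply_access (see below); in an http_access rule it never matches.
acl blockvideos rep_mime_type -i "/etc/squid3/blockvideos.conf"
acl blockaudios urlpath_regex -i "/etc/squid3/blockaudios.conf"

# Request rules -- evaluated top to bottom, first match wins.
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# to_localhost was declared but never referenced; this stops clients from
# reaching services bound to the proxy's own loopback through the proxy.
http_access deny to_localhost

#http_access allow localhost
#http_access allow sitespermitidos
#http_access allow acesso_total

http_access deny sitesproibidos
http_access deny blockaudios

http_access allow redelocal
http_access deny all

# Reply rules -- the MIME-type block was moved here from http_access, where it
# could never match.
http_reply_access deny blockvideos
http_reply_access allow all

dns_nameservers 8.8.8.8 8.8.4.4
# Fixed: the original pattern was "^tp:" (typo for ftp).
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880

refresh_pattern . 0 20% 4320

cache_effective_user proxy

cache_effective_group proxy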


Firewall



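#!/bin/bash
# Gateway firewall + transparent-proxy redirection.
# Must run as root (writes /proc/sys and loads iptables rules).
# Fixed: the original shebang was "#!bin/bash" (missing leading slash), which
# the kernel cannot resolve when the script is executed directly.

################################################################################
#################### Firewall start ############################################
################################################################################
# Variables:
readonly rede_mask=192.168.0.0/24   # LAN network
readonly iface_int=eth0             # LAN-facing interface
readonly iface_ext=eth1             # Internet-facing interface

# The original used typographic quotes (“…”) around the echo text; bash treats
# them as ordinary characters and printed them literally. Plain quotes here.
echo "Carregando Modulos"
# There is no `set -e`, so a module that does not exist on the running kernel
# only prints a modprobe error and the script carries on.
/sbin/modprobe ip_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ipt_state
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_string

echo "Limpando as Regras existentes"
# Flush every table (-F with no table is the filter table, so the explicit
# "-t filter -F" below repeats it harmlessly), delete user chains, zero counters.
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -t filter -F
/sbin/iptables -X
/sbin/iptables -Z

## Default policy (deny inbound to the firewall, allow outbound and forwarding)
# FORWARD ACCEPT means any LAN traffic that is not redirected into Squid later
# in this script (everything except TCP 80/8080) leaves without proxy filtering.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT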



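################################################################################
######################## Protection against various attacks ####################
################################################################################
echo "Ativando Proteção contra ataques"

###### Malformed TCP flag filter
# The VALID_CHECK chain was created and populated in the original but never
# jumped to, so none of its DROP rules ever took effect. It is now built first
# and referenced from INPUT and FORWARD for TCP, ahead of the ACCEPT rules below.
/sbin/iptables -N VALID_CHECK
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -p tcp -j VALID_CHECK
/sbin/iptables -A FORWARD -p tcp -j VALID_CHECK

###### Anti-synflood
# NOTE(review): with FORWARD policy ACCEPT this rule is a no-op -- SYNs above
# 1/s simply fall through to the policy. Adding a DROP after it would limit the
# whole LAN to one new TCP connection per second, so it is left as-is rather
# than "fixed"; scope it to -i "$iface_ext" if real rate limiting is wanted.
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###### ICMP broadcast protection (disabled here; the "Liberar ping" block
###### later in the script explicitly writes 0 to both files)
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
###### IP spoofing protection (reverse-path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

###### Miscellaneous protection against port scanners, ping of death, DoS, damaged packets, etc.
#/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -i "$iface_ext" -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
# Same no-op caveat as the synflood rule: ACCEPT up to 1/s, policy ACCEPTs the rest.
/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Drops unsolicited SYN/ACK (replies to tracked connections were accepted above).
/sbin/iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
# (The original repeated the ESTABLISHED,RELATED ACCEPT here; the duplicate
# could never be reached and was removed.)

################################################################################

######################### End of attack-protection rules #######################
################################################################################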

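## Force web browsing through the proxy even without a proxy set in the browser
# Only TCP 80 and 8080 arriving from the LAN are intercepted. HTTPS (443) is
# not redirected, so Squid's http_access ACLs never see https:// requests --
# one reason a "blocked" site can remain reachable over https.
/sbin/iptables -t nat -A PREROUTING -i "$iface_int" -p tcp --dport 80 -j REDIRECT --to-port 3128

## Prevent use of an external proxy listening on port 8080
/sbin/iptables -t nat -A PREROUTING -i "$iface_int" -p tcp --dport 8080 -j REDIRECT --to-port 3128

## Trust relationship between LAN hosts and the firewall on $iface_int (LAN)
# NOTE(review): the second rule accepts any NEW connection on the LAN interface
# regardless of source address, so the -s "$rede_mask" restriction on the
# first rule is not actually enforced. Drop the second rule if only
# $rede_mask should reach the firewall.
/sbin/iptables -A INPUT -i "$iface_int" -s "$rede_mask" -j ACCEPT
/sbin/iptables -A INPUT -i "$iface_int" -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow external INPUT to the firewall host itself ##

## Ports ##

# SSH (22) and RDP (3389) from the Internet to the firewall.
# (The original comment also listed HTTP and SSL, but only 22 and 3389 are opened.)
# Both are reachable from any external address; restricting the source with
# -s <trusted-address-or-network> is strongly preferable, especially for 3389.
/sbin/iptables -A INPUT -i "$iface_ext" -p tcp -m multiport --dport 22,3389 -j ACCEPT

# VPN Windows Server
#/sbin/iptables -A FORWARD -p tcp -i "$iface_ext" --dport 1723 -j ACCEPT
#/sbin/iptables -A FORWARD -p 47 -i "$iface_ext" -j ACCEPT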



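################################################################################
################# Port forwarding to internal hosts (all disabled) #############
################################################################################

## VPN
# "192.168.0.x" placeholders are the original author's; fill them in before enabling.
#/sbin/iptables -A PREROUTING -t nat -p tcp -i "$iface_ext" --dport 1723 -j DNAT --to 192.168.0.x:1723
#/sbin/iptables -A PREROUTING -t nat -p 47 -i "$iface_ext" -j DNAT --to 192.168.0.x
## SSH to another host

## RDP
#/sbin/iptables -t nat -A PREROUTING -i "$iface_ext" -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.x:3389
############## Tests ###########################################################
######################################################################################
###################### HTTPS blocking ################################################
######################################################################################

# Youtube / Facebook
# Fixed: the original wrote --string “facebook.com” with typographic quotes.
# Bash passes those through as literal characters, so the quotes became part of
# the pattern and it never matched. (This may be a forum copy/paste artefact --
# verify the quotes in the real file.)
# Caveats: -I places these ahead of every other FORWARD/OUTPUT rule; the match
# is a plain substring over any protocol and port, so it also hits any packet
# whose payload merely contains the text (e.g. a page linking to the site);
# and DROP makes the failure look like a timeout on the client side.
/sbin/iptables -I FORWARD -m string --algo bm --string "facebook.com" -j DROP
/sbin/iptables -I FORWARD -m string --algo bm --string "youtube.com" -j DROP
/sbin/iptables -I OUTPUT -m string --algo bm --string "facebook.com" -j DROP
/sbin/iptables -I OUTPUT -m string --algo bm --string "youtube.com" -j DROP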

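################################################################################
################################# Inbound blocking #############################
################################################################################
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i "$iface_int" -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
#/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# INPUT policy is already DROP; REJECT here makes the firewall answer external
# probes with an ICMP error instead of staying silent. Keep only if that
# fast-failure behaviour is wanted.
/sbin/iptables -A INPUT -i "$iface_ext" -j REJECT
## Allow ping ## 0=on 1=off
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

################################################################################
############################ Internet sharing ##################################
################################################################################

/sbin/iptables -t nat -A POSTROUTING -o "$iface_ext" -j MASQUERADE
# NOTE(review): masquerading towards the LAN rewrites the source address of
# every connection the firewall forwards *into* the LAN (e.g. the DNAT examples
# above) to its own address, so internal hosts' logs lose the real external
# source IP. Remove this rule unless hairpin NAT is genuinely required.
/sbin/iptables -t nat -A POSTROUTING -o "$iface_int" -j MASQUERADE

# Routing is switched on only after every rule above is in place.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Plain quotes replace the original typographic ones, which were printed literally.
echo "Firewall Ativado"
################################################################################
######################################## End ###################################
################################################################################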



4. Re: Squid3 nao bloquear sites [RESOLVIDO]

Alex
lirocat

(usa Outra)

Enviado em 12/12/2012 - 18:33h

up


5. Re: Squid3 nao bloquear sites [RESOLVIDO]

Renato Freitas
nanatinho

(usa Debian)

Enviado em 18/12/2012 - 12:23h

Boa tarde.

Primeiramente me desculpe a delonga em responder...

Bom, o que está faltando é apenas informar o que ele deve negar. Pois você declarou a acl “redelocal”, e em seguida liberou tudo em “http_access allow redelocal”, e para as demais acls não foi informado o que é para ser bloqueado. Vamos lá...

Como vc utiliza proxy transparente, terá que criar acls para os Ips ou mesmo para os mac address (eu particularmente prefiro esta) que terão ou não permissão de acessar.

Lembrando que o squid lê as acls conforme dispostas no squid.conf, ou seja, de cima para baixo. Então declare todas as tuas ACLs seguindo este entendimento, por exemplo por departamentos.

Exemplo:

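# Management ACL
# Declares the ACL; put the MAC addresses of the management machines in the
# ma_manager file, one per line.
# NOTE(review): the ACL type is "arp" on Squid 3.1 (build must support it) and
# "eui" on 3.2+ -- confirm for the installed version. MAC ACLs only see hosts
# on the proxy's own Ethernet segment (anything behind a router arrives with
# the router's MAC), and the MAC is set by the client machine, so this
# identifies a device rather than authenticating a user.
acl ma_manager arp "/etc/squid3/acl/ma_manager"
# Domains management is allowed to reach.
acl domain_ma_manager dstdomain -i "/etc/squid3/acl/domain_ma_manager"
# URL patterns (url_regex, matched anywhere in the URL) management is allowed to reach.
acl url_ma_manager url_regex -i "/etc/squid3/acl/url_ma_manager"
# Allow the domains listed in "domain_ma_manager" for the MACs listed in "ma_manager"
http_access allow domain_ma_manager ma_manager
# Allow the URLs listed in "url_ma_manager" for the MACs listed in "ma_manager"
http_access allow url_ma_manager ma_manager


# The last rule would be the catch-all deny.
# Fixed: the original wrote "htcp_access deny all"; htcp_access governs HTCP
# cache-peer queries, not client browsing, so it would not close the list.
http_access deny all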


Abraço e fq com DEUS!!!





