Erro proxy transparente

1. Erro proxy transparente

Guilherme
guitgomes10

(usa Outra)

Enviado em 03/08/2010 - 14:04h

Boa tarde pessoal,

Estou com o seguinte problema na empresa em que trabalho e gostaria muito de contar com a ajuda de vocês. Temos um servidor Linux (Ubuntu Server 8.04.1) funcionando normalmente, só que ele foi configurado por uma pessoa que não trabalha mais aqui na empresa, e agora tenho de colocar outro no seu lugar. Baixei o Ubuntu 8.04.3 LTS e fui configurando conforme o servidor antigo. Aparentemente funcionou tudo, mas o proxy transparente só funciona se eu configurar os navegadores. Alguém consegue me dar alguma dica? Abaixo os arquivos de configuração:

rc.local
# Enable IPv4 forwarding so packets can be routed between eth1 (LAN) and eth0 (internet).
echo 1 > /proc/sys/net/ipv4/ip_forward
# Load the iptables/NAT rule set.
# NOTE(review): the header of this rc.local is not shown; if it is the
# distribution default (`#!/bin/sh -e`), a non-executable /opt/firewall.sh or a
# non-zero exit from it aborts rc.local right here — confirm.
/opt/firewall.sh
exit 0



firewall.sh
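#!/bin/bash
# Firewall and transparent-proxy rules for the gateway (run from rc.local).
#
# Topology as used by the rules below:
#   eth0 - internet side            eth1 - LAN side, clients in 10.0.1.0/24
#   Squid listens locally on tcp/3128 ("http_port 3128 transparent").
#
# List files, one address or network per line (blank lines, '#' comments and
# surrounding whitespace/CR are ignored):
#   /etc/squid/bloqueados.txt  clients with no web access at all
#   /etc/squid/liberados.txt   clients that bypass the proxy and all FORWARD filtering
#   /etc/squid/msn.txt         clients allowed to use MSN (tcp/1863)
#
# NOTE(review): no default policies are set (no `iptables -P`), so INPUT and
# FORWARD fall through to ACCEPT. On eth0 only tcp/3128 is dropped; every
# other local service is reachable from the internet side. Changing that is a
# policy decision and is left as-is here.
# NOTE(review): the script does not stop on a failed iptables call (no
# `set -e`); a rejected rule is reported by iptables and the rest still loads.

#######################################
# Print the usable entries of a list file, one per line.
# Blank lines, '#' comments (whole-line or trailing) and whitespace/CR are
# stripped, so an empty line no longer produces a broken
# "iptables ... -s -p tcp ..." command line.
# Arguments: $1 - path of the list file
# Outputs:   cleaned entries on stdout
# Returns:   0 if the file was readable, 1 otherwise (warning on stderr)
#######################################
read_hosts() {
  local list_file=$1
  local entry
  if [[ ! -r "$list_file" ]]; then
    printf 'firewall.sh: cannot read %s, skipping\n' "$list_file" >&2
    return 1
  fi
  # '|| [[ -n ... ]]' keeps a last line that has no trailing newline.
  while IFS= read -r entry || [[ -n "$entry" ]]; do
    entry=${entry%%#*}
    entry=${entry//[[:space:]]/}
    [[ -n "$entry" ]] && printf '%s\n' "$entry"
  done < "$list_file"
  return 0
}

# Reset: flush rules, delete user chains and zero counters in nat and filter.
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -F
iptables -X
iptables -Z

# Squid must not be reachable from the internet side. The redirected LAN
# traffic arrives on eth1 and is unaffected by this rule.
iptables -A INPUT -p tcp --dport 3128 -j DROP -i eth0

# NAT for the LAN networks going out through eth0.
# NOTE(review): 20.20.20.0/24 is not configured on any interface shown in
# this thread — leftover from the old server?
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 20.20.20.0/24 -o eth0 -j MASQUERADE

# Exception to the client isolation below: the LAN may talk to "server".
# "server" is resolved (DNS or /etc/hosts) when the rule is loaded; if it
# does not resolve, iptables rejects both rules and the exception is simply
# absent, because the script keeps going.
iptables -A FORWARD -s 10.0.1.0/24 -d server -j ACCEPT
iptables -A FORWARD -d 10.0.1.0/24 -s server -j ACCEPT

# No other client-to-client forwarding (with the /30 addressing from
# interfaces/dhcpd.conf, client-to-client traffic is routed through this box,
# where this rule catches it).
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.1.0/24 -j DROP

# Fully blocked clients: no forwarded web traffic, and nothing through nat
# PREROUTING (so they are never redirected to the proxy either).
while IFS= read -r host; do
  iptables -A FORWARD -s "$host" -p tcp --dport 80 -j DROP
  iptables -t nat -A PREROUTING -s "$host" -j DROP
done < <(read_hosts /etc/squid/bloqueados.txt)

# Unrestricted clients: accepted in FORWARD and in nat PREROUTING. The
# PREROUTING ACCEPT is what makes them skip the REDIRECT further down, so
# their web traffic never passes through Squid's ACLs.
while IFS= read -r host; do
  iptables -A FORWARD -s "$host" -j ACCEPT
  iptables -t nat -A PREROUTING -s "$host" -j ACCEPT
done < <(read_hosts /etc/squid/liberados.txt)

# MSN allowed for the listed clients; must precede the tcp/1863 DROP below.
while IFS= read -r host; do
  iptables -A FORWARD -s "$host" -p tcp --dport 1863 -i eth1 -j ACCEPT
done < <(read_hosts /etc/squid/msn.txt)

# Transparent proxy: only tcp/80 from the LAN is intercepted. HTTPS and any
# other port are forwarded directly and never seen by Squid.
iptables -t nat -A PREROUTING -s 10.0.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128

# MSN blocked for everyone not listed in msn.txt.
iptables -A FORWARD -s 10.0.1.0/24 -p tcp --dport 1863 -j DROP

### END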

#squid.conf
error_directory /usr/share/squid/errors/Portuguese
visible_hostname firewall.local
# "all" is the catch-all source ACL, used by the final http_access deny and by icp_access.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# Site-specific ACLs

# MSN's HTTP fallback (gateway.dll); the native tcp/1863 path is handled in firewall.sh.
acl msnmessenger url_regex -i gateway.dll
# Blocklists kept outside squid.conf. Entries in palavras.txt are regular
# expressions, not plain words: an unescaped '.' matches any character.
acl proibidos dstdomain "/etc/squid/proibidos.txt"
acl palavras url_regex -i "/etc/squid/palavras.txt"
acl rede_interna src 10.0.1.0/24

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

# Site-specific http_access rules. Order matters: the denies run before the
# LAN allow, so a LAN client requesting a listed domain or word is refused here.
http_access deny msnmessenger
http_access deny proibidos
http_access deny palavras
http_access allow rede_interna

http_access deny all
# NOTE(review): ICP is open to any source. firewall.sh drops only tcp/3128 on
# eth0 and sets no default policy, so if icp_port is enabled (udp/3130 by
# default in Squid 2.x — confirm against the running version) it is reachable
# from the internet side. If ICP is not used, set "icp_port 0"; otherwise
# restrict this to rede_interna/localhost.
icp_access allow all
# Accepts the connections that firewall.sh REDIRECTs to 3128. "transparent" is
# the Squid 2.6/2.7 keyword (later releases call it "intercept").
http_port 3128 transparent

hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts


Interfaces

auto lo
iface lo inet loopback

# eth0: internet side (firewall.sh masquerades out of it), address from the upstream DHCP server.
auto eth0
iface eth0 inet dhcp

# LAN side (primary address redacted by the poster).
auto eth1
iface eth1 inet static
address xx.xx.xx.x
netmask 255.255.255.0
network x0.x0.x0.0
broadcast x0.x0.x0.255

# Virtual interfaces (aliases) on the LAN NIC: one /30 per workstation,
# eth1:N = 10.0.1.(4N-3) with the client at .(4N-2) — see dhcpd.conf.
# Presumably done so that client-to-client traffic is routed through this box,
# where firewall.sh's FORWARD rules drop it. NOTE(review): this isolation is
# only as strong as the clients' own IP settings; it is not enforced at
# layer 2 the way a per-port VLAN would be. Reply #5 questions the scheme.

auto eth1:1
iface eth1:1 inet static
address 10.0.1.1
netmask 255.255.255.252
network 10.0.1.0
broadcast 10.0.1.3

auto eth1:2
iface eth1:2 inet static
address 10.0.1.5
netmask 255.255.255.252
network 10.0.1.4
broadcast 10.0.1.7

auto eth1:3
iface eth1:3 inet static
address 10.0.1.9
netmask 255.255.255.252
network 10.0.1.8
broadcast 10.0.1.11

auto eth1:4
iface eth1:4 inet static
address 10.0.1.13
netmask 255.255.255.252
network 10.0.1.12
broadcast 10.0.1.15

auto eth1:5
iface eth1:5 inet static
address 10.0.1.17
netmask 255.255.255.252
network 10.0.1.16
broadcast 10.0.1.19

auto eth1:6
iface eth1:6 inet static
address 10.0.1.21
netmask 255.255.255.252
network 10.0.1.20
broadcast 10.0.1.23

auto eth1:7
iface eth1:7 inet static
address 10.0.1.25
netmask 255.255.255.252
network 10.0.1.24
broadcast 10.0.1.27

auto eth1:8
iface eth1:8 inet static
address 10.0.1.29
netmask 255.255.255.252
network 10.0.1.28
broadcast 10.0.1.31

auto eth1:9
iface eth1:9 inet static
address 10.0.1.33
netmask 255.255.255.252
network 10.0.1.32
broadcast 10.0.1.35

auto eth1:10
iface eth1:10 inet static
address 10.0.1.37
netmask 255.255.255.252
network 10.0.1.36
broadcast 10.0.1.39

auto eth1:11
iface eth1:11 inet static
address 10.0.1.41
netmask 255.255.255.252
network 10.0.1.40
broadcast 10.0.1.43

auto eth1:12
iface eth1:12 inet static
address 10.0.1.45
netmask 255.255.255.252
network 10.0.1.44
broadcast 10.0.1.47

auto eth1:13
iface eth1:13 inet static
address 10.0.1.49
netmask 255.255.255.252
network 10.0.1.48
broadcast 10.0.1.51

auto eth1:14
iface eth1:14 inet static
address 10.0.1.53
netmask 255.255.255.252
network 10.0.1.52
broadcast 10.0.1.55

auto eth1:15
iface eth1:15 inet static
address 10.0.1.57
netmask 255.255.255.252
network 10.0.1.56
broadcast 10.0.1.59

auto eth1:16
iface eth1:16 inet static
address 10.0.1.61
netmask 255.255.255.252
network 10.0.1.60
broadcast 10.0.1.63

auto eth1:17
iface eth1:17 inet static
address 10.0.1.65
netmask 255.255.255.252
network 10.0.1.64
broadcast 10.0.1.67

auto eth1:18
iface eth1:18 inet static
address 10.0.1.69
netmask 255.255.255.252
network 10.0.1.68
broadcast 10.0.1.71

auto eth1:19
iface eth1:19 inet static
address 10.0.1.73
netmask 255.255.255.252
network 10.0.1.72
broadcast 10.0.1.75

auto eth1:20
iface eth1:20 inet static
address 10.0.1.77
netmask 255.255.255.252
network 10.0.1.76
broadcast 10.0.1.79

auto eth1:21
iface eth1:21 inet static
address 10.0.1.81
netmask 255.255.255.252
network 10.0.1.80
broadcast 10.0.1.83

auto eth1:22
iface eth1:22 inet static
address 10.0.1.85
netmask 255.255.255.252
network 10.0.1.84
broadcast 10.0.1.87

auto eth1:23
iface eth1:23 inet static
address 10.0.1.89
netmask 255.255.255.252
network 10.0.1.88
broadcast 10.0.1.91

auto eth1:24
iface eth1:24 inet static
address 10.0.1.93
netmask 255.255.255.252
network 10.0.1.92
broadcast 10.0.1.95


Dhcpd.conf

# DHCP for the LAN behind eth1. Every workstation is pinned by MAC address to a
# fixed address inside its own /30, matching the eth1:N aliases in
# /etc/network/interfaces; its router and DNS are that alias on this box.
# NOTE(review): there is no "range" statement, so a client whose MAC is not
# listed below gets no lease at all — presumably intended (MAC-based
# admission), but a typo in a MAC then leaves that machine without an address.
# NOTE(review): domain-name-servers points at this gateway, yet no resolver
# configuration appears anywhere in this thread. With a browser-configured
# proxy Squid resolves names on the client's behalf; under transparent
# interception the client must resolve them itself, so if nothing answers DNS
# on the 10.0.1.x aliases that alone reproduces the reported symptom — confirm
# a resolver is listening there (or hand the clients a working DNS server).
ddns-update-style none;
option domain-name "xxxxxxx.local";
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
authoritative;

# The enclosing declaration is the whole /24; the per-host options below
# narrow each client to its own /30.
subnet 10.0.1.0 netmask 255.255.255.0 {
host estacao01 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.2;
option subnet-mask 255.255.255.252;
option routers 10.0.1.1;
option domain-name-servers 10.0.1.1;
option broadcast-address 10.0.1.3;
# Only estacao01 is handed a WINS server; none of the other hosts are — intentional or an omission?
option netbios-name-servers 10.0.1.1;
}


host estacao02 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.6;
option subnet-mask 255.255.255.252;
option routers 10.0.1.5;
option domain-name-servers 10.0.1.5;
option broadcast-address 10.0.1.7;
}


host estacao03 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.10;
option subnet-mask 255.255.255.252;
option routers 10.0.1.9;
option domain-name-servers 10.0.1.9;
option broadcast-address 10.0.1.11;
}


host estacao04 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.14;
option subnet-mask 255.255.255.252;
option routers 10.0.1.13;
option domain-name-servers 10.0.1.13;
option broadcast-address 10.0.1.15;
}


host estacao05 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.18;
option subnet-mask 255.255.255.252;
option routers 10.0.1.17;
option domain-name-servers 10.0.1.17;
option broadcast-address 10.0.1.19;
}


host estacao06 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.22;
option subnet-mask 255.255.255.252;
option routers 10.0.1.21;
option domain-name-servers 10.0.1.21;
option broadcast-address 10.0.1.23;
}


host estacao07 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.26;
option subnet-mask 255.255.255.252;
option routers 10.0.1.25;
option domain-name-servers 10.0.1.25;
option broadcast-address 10.0.1.27;
}


host estacao08 {

hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.30;
option subnet-mask 255.255.255.252;
option routers 10.0.1.29;
option domain-name-servers 10.0.1.29;
option broadcast-address 10.0.1.31;
}


host estacao09 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.34;
option subnet-mask 255.255.255.252;
option routers 10.0.1.33;
option domain-name-servers 10.0.1.33;
option broadcast-address 10.0.1.35;
}


host estacao10 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.38;
option subnet-mask 255.255.255.252;
option routers 10.0.1.37;
option domain-name-servers 10.0.1.37;
option broadcast-address 10.0.1.39;
}


host estacao11 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.42;
option subnet-mask 255.255.255.252;
option routers 10.0.1.41;
option domain-name-servers 10.0.1.41;
option broadcast-address 10.0.1.43;
}


host estacao12 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.46;
option subnet-mask 255.255.255.252;
option routers 10.0.1.45;
option domain-name-servers 10.0.1.45;
option broadcast-address 10.0.1.47;
}


host estacao13 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.50;
option subnet-mask 255.255.255.252;
option routers 10.0.1.49;
option domain-name-servers 10.0.1.49;
option broadcast-address 10.0.1.51;
}


host estacao14 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.54;
option subnet-mask 255.255.255.252;
option routers 10.0.1.53;
option domain-name-servers 10.0.1.53;
option broadcast-address 10.0.1.55;
}


host estacao15 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.58;
option subnet-mask 255.255.255.252;
option routers 10.0.1.57;
option domain-name-servers 10.0.1.57;
option broadcast-address 10.0.1.59;
}


host estacao16 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 10.0.1.62;
option subnet-mask 255.255.255.252;
option routers 10.0.1.61;
option domain-name-servers 10.0.1.61;
option broadcast-address 10.0.1.63;
}


}

Desde já agradeço pela força.



  


2. Re: Erro proxy transparente

wesley alves pereira
wesleya2

(usa Debian)

Enviado em 04/08/2010 - 13:30h

huahuhuauha
ta irado mesmo hem rsrs


3. Re: Erro proxy transparente

Guilherme
guitgomes10

(usa Outra)

Enviado em 05/08/2010 - 16:59h

Cara, o servidor antigo está funcionando com estas configurações e roda beleza aqui na empresa. Estou usando os arquivos de configuração do outro servidor e não funciona.


4. acha mesmo?

irado furioso com tudo
irado

(usa XUbuntu)

Enviado em 05/08/2010 - 17:23h

vc acha MESMO que esta resposta:

"Cara o servidor antigo está funcionando com estas configurações e roda beleza aki na empresa. Estou usando os arquivos de configuração do outro servidor e não funciona."

informa pra nós alguma coisa de útil? isso indica que vc gosta de fazer tudo sozinho, então, divirta-se :)

flames > /dev/null


5. Re: Erro proxy transparente

Davi Ribeiro
dastyler

(usa Fedora)

Enviado em 05/08/2010 - 17:31h

Olhando seu dhcp: seu squid está nesta máquina ou em outra?

option routers 10.0.1.1;

?

E para que essa penca de placas virtuais sendo que para se conectar só é necessário 1 placa?

[]´s