Internet Doesn't Work with Squid [SOLVED]

1. Internet Doesn't Work with Squid [SOLVED]

Rick
rick_G

(uses Debian)

Posted on 07/07/2012 - 15:19h

Folks, I need your help....
I made some changes to my firewall script and since then the internet doesn't work when I enable Squid. If I remove the iptables rule that redirects to Squid, everything works normally. My Firewall.sh follows below:

--------------------------------------------------------------------------------------

#!/bin/bash

## FIREWALL SCRIPT ##

## VARIABLE DECLARATIONS ##

IPT=$(which iptables)
IP_LOCAL="192.168.0.1"
LO="127.0.0.1"
QQR_LUGAR="0/0"
PORTS_ALTAS="1024:65535"
REDE_LOCAL="192.168.0.0/24"
IFACE_LOCAL="eth0"
IFACE_EXTERNA="eth1"

## MODULE LOADING ##
modprobe iptable_nat


#---------------------------------------------------------------------

politica_drop ()
{
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
}

limpa_regras ()
{
echo "### ABRINDO O FIREWALL ###"

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

compartilhando ()
{
echo "### COMPARTILHANDO ###"

echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t nat -A POSTROUTING -o $IFACE_EXTERNA -j MASQUERADE
}

#proxy_transparent ()
#{
#
#$IPT -t nat -A PREROUTING -s $REDE_LOCAL -i $IFACE_LOCAL -p tcp --dport 80 -j REDIRECT --to-port 3128
#}

loop_back ()
{
echo "### LIBERANDO O LOOP BACK ###"

$IPT -A INPUT -i lo -d $LO -j ACCEPT
$IPT -A OUTPUT -o lo -d $LO -j ACCEPT
}

estabiliza_input ()
{
echo "### ESTABILIZANDO CONEXOES DE INPUT ###"

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

}

estabiliza_output ()
{
echo "### ESTABILIZANDO CONEXOES DE OUTPUT ###"

$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

}

estabiliza_forward ()
{
echo " ### ESTABILIZANDO CONEXOES DE FORWARD ### "

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

controle_de_icmp ()
{

echo " ### LIBERANDO ICMPS ###"

for TIPO in 0 3/0 3/1 3/2 3/3 3/4 4 5 11 12
do
$IPT -A INPUT -p icmp -s $QQR_LUGAR -i $IFACE_EXTERNA --icmp-type $TIPO -m limit --limit 1/s -j ACCEPT
done

$IPT -A OUTPUT -p icmp -d $QQR_LUGAR --icmp-type 8 -j ACCEPT

$IPT -A INPUT -p icmp -s $REDE_LOCAL --icmp-type 8 -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp -s $REDE_LOCAL -d $QQR_LUGAR --icmp-type 8 -m limit --limit 1/s -j ACCEPT
}

portas_tcp ()
{

echo "### LIBERANDO CONEXOES EM PORTAS TCP ###"

for PORTAS in $(cat /etc/firewall/portas_tcp.txt | grep -v ^#)
do
$IPT -A OUTPUT -p tcp -m state --state NEW --sport $PORTS_ALTAS -d $QQR_LUGAR --dport $PORTAS -j ACCEPT
$IPT -A FORWARD -p tcp -m state --state NEW -s $REDE_LOCAL --sport $PORTS_ALTAS -d $QQR_LUGAR --dport $PORTAS -j ACCEPT
done
}


portas_udp ()
{

echo "### LIBERANDO CONEXOES EM PORTAS UDP ###"

for PORTAS in $(cat /etc/firewall/portas_udp.txt | grep -v ^#)
do
$IPT -A OUTPUT -p udp -m state --state NEW -s $IP_LOCAL --sport $PORTS_ALTAS -d $QQR_LUGAR --dport $PORTAS -j ACCEPT
$IPT -A FORWARD -p udp -m state --state NEW -s $REDE_LOCAL --sport $PORTS_ALTAS -d $QQR_LUGAR --dport $PORTAS -j ACCEPT
done
}

libera_pt_ip_seguros ()
{
echo "### ATIVANDO CONTROLE DE IPs REMOTO ###"

for IP in $(cat /etc/firewall/ips_seguros.txt | grep -v ^#)
do
for PORTAS in $(cat /etc/firewall/portas_adm.txt | grep -v ^#)
do
$IPT -A INPUT -p tcp -m state --state NEW -s $IP --sport $PORTS_ALTAS -d $IP_LOCAL --dport $PORTAS -j ACCEPT
done
done

for PORTAS in $(cat /etc/firewall/portas_adm.txt | grep -v ^#)
do
$IPT -A INPUT -p tcp -s $QQR_LUGAR --sport $PORTS_ALTAS -d $IP_LOCAL --dport $PORTAS -j REJECT --reject-with tcp-reset
done
}

flags_invalidas ()
{

echo "### BLOQUEANDO POSSIVEIS SCANNERS ###"

for FLAGS in $(cat /etc/firewall/flags.txt | grep -v ^#)
do
for CHAINS in INPUT FORWARD
do
$IPT -A $CHAINS -p tcp -d $IP_LOCAL -m state --state NEW --tcp-flags $FLAGS $FLAGS -j LOG --log-prefix "POSSIVEL_SCANNER"
$IPT -A $CHAINS -p tcp -d $IP_LOCAL -m state --state NEW --tcp-flags $FLAGS $FLAGS -j DROP
done
done
}

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route


#-----------------------------------------------------------------------

case $1 in
start)
compartilhando
#proxy_transparent
politica_drop
loop_back
estabiliza_input
estabiliza_output
estabiliza_forward
controle_de_icmp
portas_tcp
portas_udp
libera_pt_ip_seguros
flags_invalidas


echo " ******* FIREWALL ATIVADO ******* "
;;
stop)
limpa_regras

echo " ******* FIREWALL DESATIVADO ******* "
;;
filter) $IPT -nL | more
;;
nat) $IPT -nL -t nat | more
;;
mangle) $IPT -nL -t mangle | more
;;
restart) $0 stop
$0 start
;;
*) echo "erro use $0 {start|stop|filter|nat|mangle|restart}"
exit 1
;;
esac
exit 0


-------------------------------------------------------------------------------------

When I uncomment the transparent proxy lines I can't browse anymore; I can ping internet IPs and domain names, but I can't browse......
I took a look with tcpdump and from what I saw the request reaches the destination but can't come back...
Thanks in advance for the help.

2. BEST ANSWER

johnny borges
johnnyb

(uses Fedora)

Posted on 08/07/2012 - 14:08h

let's try changing a few things in your firewall

"I would recommend that you redo your firewall and allow only what your network really uses"

OK, enough talk, let's try some solutions

### Accept input from your network's IPs or -i $IFACE_LOCAL, I prefer to specify the IPs ###
$IPT -A INPUT -s <your network ip> -j ACCEPT

### Accept incoming packets on port 3128, since your policies are DROP ###
iptables -A INPUT -p tcp -i <put the internal interface here> --dport 3128 -j ACCEPT

### Change your redirect rule to ###
$IPT -t nat -A PREROUTING -i $IFACE_LOCAL -p tcp --dport 80 -j REDIRECT --to-port 3128
### Or
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

### Also open port 53, which is the DNS port ###
$IPT -A FORWARD -p udp -m udp -s <your network ip> --dport 53 -d 0/0 -j ACCEPT
$IPT -A FORWARD -p tcp -m tcp -s <your network ip> --dport 53 -d 0/0 -j ACCEPT

try this and post the result here

3. Re: Internet Doesn't Work with Squid [SOLVED]

Cristiano Gomes
cristianovicosa

(uses Debian)

Posted on 07/07/2012 - 15:58h

Hello friend!
Your Squid must be stopped; do this:

cat /var/log/squid3/cache.log

Post the output here.


4. Re: Internet Doesn't Work with Squid [SOLVED]

Rick
rick_G

(uses Debian)

Posted on 07/07/2012 - 16:04h

cristianovicosa, Squid isn't stopped, it's running....


5. Re: Internet Doesn't Work with Squid [SOLVED]

Cristiano Gomes
cristianovicosa

(uses Debian)

Posted on 07/07/2012 - 16:21h

But can we see the log?
And the conf, if possible.


6. Re: Internet Doesn't Work with Squid [SOLVED]

Rick
rick_G

(uses Debian)

Posted on 07/07/2012 - 16:40h

2012/07/07 13:14:17| Starting Squid Cache version 2.7.STABLE9 for i386-debian-linux-gnu...
2012/07/07 13:14:17| Process ID 2523
2012/07/07 13:14:17| With 1024 file descriptors available
2012/07/07 13:14:17| Using epoll for the IO loop
2012/07/07 13:14:17| DNS Socket created at 0.0.0.0, port 33734, FD 7
2012/07/07 13:14:17| Adding domain lan from /etc/resolv.conf
2012/07/07 13:14:17| Adding domain lan from /etc/resolv.conf
2012/07/07 13:14:17| Adding nameserver 208.67.222.222 from /etc/resolv.conf
2012/07/07 13:14:17| User-Agent logging is disabled.
2012/07/07 13:14:17| Referer logging is disabled.
2012/07/07 13:14:17| logfileOpen: opening log /var/log/squid/access.log
2012/07/07 13:14:17| Unlinkd pipe opened on FD 12
2012/07/07 13:14:17| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
2012/07/07 13:14:17| Target number of buckets: 425
2012/07/07 13:14:17| Using 8192 Store buckets
2012/07/07 13:14:17| Max Mem size: 8192 KB
2012/07/07 13:14:17| Max Swap size: 102400 KB
2012/07/07 13:14:17| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/07/07 13:14:17| logfileOpen: opening log /var/log/squid/store.log
2012/07/07 13:14:17| Rebuilding storage in /var/spool/squid (DIRTY)
2012/07/07 13:14:17| Using Least Load store dir selection
2012/07/07 13:14:17| Set Current Directory to /var/spool/squid
2012/07/07 13:14:17| Loaded Icons.
2012/07/07 13:14:17| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 13.
2012/07/07 13:14:17| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2012/07/07 13:14:17| HTCP Disabled.
2012/07/07 13:14:17| WCCP Disabled.
2012/07/07 13:14:17| Ready to serve requests.
2012/07/07 13:14:17| Done scanning /var/spool/squid (0 entries)
2012/07/07 13:14:17| Finished rebuilding storage from disk.
2012/07/07 13:14:17| 0 Entries scanned
2012/07/07 13:14:17| 0 Invalid entries.
2012/07/07 13:14:17| 0 With invalid flags.
2012/07/07 13:14:17| 0 Objects loaded.
2012/07/07 13:14:17| 0 Objects expired.
2012/07/07 13:14:17| 0 Objects cancelled.
2012/07/07 13:14:17| 0 Duplicate URLs purged.
2012/07/07 13:14:17| 0 Swapfile clashes avoided.
2012/07/07 13:14:17| Took 0.8 seconds ( 0.0 objects/sec).
2012/07/07 13:14:17| Beginning Validation Procedure
2012/07/07 13:14:17| Completed Validation Procedure
2012/07/07 13:14:17| Validated 0 Entries
2012/07/07 13:14:17| store_swap_size = 0k
2012/07/07 13:14:18| storeLateRelease: released 0 objects
2012/07/07 13:26:15| Preparing for shutdown after 0 requests
2012/07/07 13:26:15| Waiting 30 seconds for active connections to finish
2012/07/07 13:26:15| FD 13 Closing HTTP connection
2012/07/07 13:26:15| Shutting down...
2012/07/07 13:26:15| FD 14 Closing ICP connection
2012/07/07 13:26:15| Closing unlinkd pipe on FD 12
2012/07/07 13:26:15| storeDirWriteCleanLogs: Starting...
2012/07/07 13:26:15| Finished. Wrote 0 entries.
2012/07/07 13:26:15| Took 0.0 seconds ( 0.0 entries/sec).
CPU Usage: 0.064 seconds = 0.016 user + 0.048 sys
Maximum Resident Size: 18768 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
total space in arena: 2112 KB
Ordinary blocks: 2039 KB 5 blks
Small blocks: 0 KB 5 blks
Holding blocks: 280 KB 1 blks
Free Small blocks: 0 KB
Free Ordinary blocks: 72 KB
Total in use: 2319 KB 97%
Total free: 73 KB 3%
2012/07/07 13:26:15| logfileClose: closing log /var/log/squid/store.log
2012/07/07 13:26:15| logfileClose: closing log /var/log/squid/access.log
2012/07/07 13:26:15| Squid Cache (Version 2.7.STABLE9): Exiting normally.
2012/07/07 13:26:17| Starting Squid Cache version 2.7.STABLE9 for i386-debian-linux-gnu...
2012/07/07 13:26:17| Process ID 2682
2012/07/07 13:26:17| With 1024 file descriptors available
2012/07/07 13:26:17| Using epoll for the IO loop
2012/07/07 13:26:17| DNS Socket created at 0.0.0.0, port 50376, FD 6
2012/07/07 13:26:17| Adding domain lan from /etc/resolv.conf
2012/07/07 13:26:17| Adding domain lan from /etc/resolv.conf
2012/07/07 13:26:17| Adding nameserver 208.67.222.222 from /etc/resolv.conf
2012/07/07 13:26:17| User-Agent logging is disabled.
2012/07/07 13:26:17| Referer logging is disabled.
2012/07/07 13:26:17| logfileOpen: opening log /var/log/squid/access.log
2012/07/07 13:26:17| Unlinkd pipe opened on FD 11
2012/07/07 13:26:17| Swap maxSize 20971520 + 131072 KB, estimated 1623276 objects
2012/07/07 13:26:17| Target number of buckets: 81163
2012/07/07 13:26:17| Using 131072 Store buckets
2012/07/07 13:26:17| Max Mem size: 131072 KB
2012/07/07 13:26:17| Max Swap size: 20971520 KB
2012/07/07 13:26:17| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2012/07/07 13:26:17| logfileOpen: opening log /var/log/squid/store.log
2012/07/07 13:26:17| Rebuilding storage in /var/spool/squid (CLEAN)
2012/07/07 13:26:17| Using Least Load store dir selection
2012/07/07 13:26:17| Current Directory is /
2012/07/07 13:26:17| Loaded Icons.
2012/07/07 13:26:17| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
2012/07/07 13:26:17| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2012/07/07 13:26:17| HTCP Disabled.
2012/07/07 13:26:17| WCCP Disabled.
2012/07/07 13:26:17| Ready to serve requests.
2012/07/07 13:26:17| Done reading /var/spool/squid swaplog (0 entries)
2012/07/07 13:26:17| Finished rebuilding storage from disk.
2012/07/07 13:26:17| 0 Entries scanned
2012/07/07 13:26:17| 0 Invalid entries.
2012/07/07 13:26:17| 0 With invalid flags.
2012/07/07 13:26:17| 0 Objects loaded.
2012/07/07 13:26:17| 0 Objects expired.
2012/07/07 13:26:17| 0 Objects cancelled.
2012/07/07 13:26:17| 0 Duplicate URLs purged.
2012/07/07 13:26:17| 0 Swapfile clashes avoided.
2012/07/07 13:26:17| Took 0.3 seconds ( 0.0 objects/sec).
2012/07/07 13:26:17| Beginning Validation Procedure
2012/07/07 13:26:17| Completed Validation Procedure
2012/07/07 13:26:17| Validated 0 Entries
2012/07/07 13:26:17| store_swap_size = 0k
2012/07/07 13:26:18| storeLateRelease: released 0 objects
2012/07/07 13:29:22| Preparing for shutdown after 0 requests
2012/07/07 13:29:22| Waiting 30 seconds for active connections to finish
2012/07/07 13:29:22| FD 13 Closing HTTP connection
2012/07/07 13:29:22| Shutting down...
2012/07/07 13:29:22| FD 14 Closing ICP connection
2012/07/07 13:29:22| Closing unlinkd pipe on FD 11
2012/07/07 13:29:22| storeDirWriteCleanLogs: Starting...


Squid.conf:


http_port 3128 transparent

visible_hostname TESTE



error_directory /usr/share/squid/errors/Portuguese/

cache_mem 128 MB

maximum_object_size_in_memory 128 KB

maximum_object_size 512 MB
minimum_object_size 0 KB

cache_swap_low 90
cache_swap_high 95

cache_dir ufs /var/spool/squid 20480 16 256

cache_access_log /var/log/squid/access.log

refresh_pattern ^ftp 15 20% 2280
refresh_pattern ^gopher 15 0% 2280
refresh_pattern . 15 20% 2280

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 280 488 777
acl Safe_ports port 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT

acl rede_local src 192.168.0.0/24


http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow rede_local
http_access allow localhost
http_access deny all
--------------------------------------------------

cristianovicosa, since it broke in my real environment, I left that as it was and set up a simulated environment to run the tests, which is why there's nothing in the squid.conf....


7. Re: Internet Doesn't Work with Squid [SOLVED]

Cristiano Gomes
cristianovicosa

(uses Debian)

Posted on 07/07/2012 - 16:53h

Let's analyze the rules
Do this:
#iptables -L

Post the output

#iptables -t nat -L



8. Re: Internet Doesn't Work with Squid [SOLVED]

Ricardo Biasan Neto (Vulgo Seu Menino)
loirojones

(uses Debian)

Posted on 07/07/2012 - 18:53h

dude, do the following


squid -z, got it? it rebuilds its swap....


have you restarted your squid yet....???

show us your squid.conf....


understood.... only then can we help you.....

have you checked that everything is right on the network cards (one for the internal network, another for the internet)

did you share your internet connection to the internal network card???


these are a series of questions about this squid of yours, and you need to run these tests...

ok...

Later....



9. Re: Internet Doesn't Work with Squid [SOLVED]

Rick
rick_G

(uses Debian)

Posted on 09/07/2012 - 01:13h

Thanks johnnyb...
I added the following rule and it worked:

iptables -A INPUT -p tcp -i $IFACE_LOCAL -s $REDE_LOCAL --sport 1024:65535 --dport 3128 -j ACCEPT
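
As an added example (not code from the thread or from any participant), here is the set of rules a transparent Squid on this gateway needs under the script's DROP policies, and why the best answer's INPUT rule is the decisive one: once nat/PREROUTING REDIRECTs the LAN's port-80 traffic to 3128, the packet is addressed to the gateway itself and traverses INPUT rather than FORWARD, so the FORWARD rule for port 80 never sees it and the INPUT DROP policy discards it. Variable names follow the original script, SQUID_PORT is taken from the posted squid.conf, and IPT defaults to echo so that running the file only prints the rules (dry run); set IPT=iptables and run as root to apply them.

```shell
#!/bin/bash
# Added example: minimal rule set for transparent Squid behind DROP policies.
IPT="${IPT:-echo}"            # dry run by default; IPT=iptables applies for real
IFACE_LOCAL="eth0"            # as in the original script
IFACE_EXTERNA="eth1"
REDE_LOCAL="192.168.0.0/24"
SQUID_PORT="3128"             # http_port from the posted squid.conf

proxy_transparente () {
    # 1. nat/PREROUTING: rewrite LAN port-80 traffic to the local Squid port.
    #    After REDIRECT the packet is destined to this host, so it goes through
    #    INPUT, not FORWARD; the FORWARD rule for --dport 80 never matches it.
    $IPT -t nat -A PREROUTING -i "$IFACE_LOCAL" -s "$REDE_LOCAL" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    # 2. filter/INPUT: the rule the thread was missing. Binding it to the LAN
    #    interface and source range keeps 3128 closed towards the internet.
    $IPT -A INPUT -i "$IFACE_LOCAL" -s "$REDE_LOCAL" -p tcp -m state --state NEW \
        --dport "$SQUID_PORT" -j ACCEPT
    # 3. filter/OUTPUT: Squid itself fetches the pages, so the gateway needs
    #    outbound HTTP and DNS if portas_tcp.txt / portas_udp.txt lack them.
    $IPT -A OUTPUT -o "$IFACE_EXTERNA" -p tcp -m state --state NEW --dport 80 -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE_EXTERNA" -p udp --dport 53 -j ACCEPT
}

# Dry-run check (only meaningful with IPT=echo): returns 0 when both the
# REDIRECT and the matching INPUT accept for the Squid port are present.
rules_ok () {
    local rules
    rules="$(proxy_transparente)"
    printf '%s\n' "$rules" | grep -q -- "-A PREROUTING .* --dport 80 -j REDIRECT --to-port $SQUID_PORT" &&
    printf '%s\n' "$rules" | grep -q -- "-A INPUT -i $IFACE_LOCAL .* --dport $SQUID_PORT -j ACCEPT"
}
```

After applying for real, `iptables -t nat -nvL PREROUTING` and `iptables -nvL INPUT` should show the packet counters of the REDIRECT and the 3128 ACCEPT rule increasing together when a LAN host browses.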


10. Re: Internet Doesn't Work with Squid [SOLVED]

johnny borges
johnnyb

(uses Fedora)

Posted on 10/07/2012 - 11:37h

:D if you need anything, we're here :D
