OUTLOOK + VNC REVERSO help.... [RESOLVIDO]

1. OUTLOOK + VNC REVERSO help.... [RESOLVIDO]

Marcelo
maraleman

(usa Debian)

Enviado em 21/01/2011 - 11:09h

Olá amigos, preciso de um help para o squid e iptables, pois estou aprendendo. O problema é que, depois que implantei o squid+iptables, busquei vários tutoriais na net mas ainda não resolvi; se puderem analisar meu squid e iptables e me apontarem onde estou errando, agradeço muito...

FIREWALL
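#!/bin/bash
#
# Firewall / NAT for a Debian gateway running Squid as a transparent proxy
# for the 192.168.70.0/24 LAN.
#
# Steps, in order: flush every table; let the Caixa Econômica (SEFIP) netblock
# bypass the proxy; enable IPv4 forwarding; allow mail/ftp/icmp forwarding;
# masquerade behind eth0 and redirect port 80 to Squid; allow reverse VNC for
# one LAN host; allow DNS to two resolvers; allow IMAP to the gateway itself;
# restart squid and networking.
#
# NOTE(review): no chain is given a default policy, so INPUT/OUTPUT/FORWARD
# keep the kernel default ACCEPT and the explicit ACCEPT rules below do not
# restrict anything; only the nat rules (MASQUERADE, REDIRECT, Caixa bypass)
# change what happens to traffic.  After verifying the rules from the console,
# `iptables -P FORWARD DROP` (and likewise INPUT) turns the ACCEPT list into a
# real allow-list; the ESTABLISHED,RELATED rule needed for that is already here.
#
# Must run as root.  Interface roles are inferred from the rules: eth0 is the
# MASQUERADE interface, so it is treated as the internet side; eth1 (named in
# the restart banner) is presumably the LAN side — confirm on the box.
clear

readonly wan_if=eth0                                # masqueraded interface (internet side)
readonly lan_net=192.168.70.0/24                    # local network behind the gateway
readonly vnc_host=192.168.70.126                    # LAN host allowed to use reverse VNC
readonly squid_port=3128                            # Squid http_port
readonly dns_servers=(200.204.0.10 200.204.0.138)   # resolvers the LAN may query

#######################################
# Flush all tables, delete user-defined chains and zero the counters.
#######################################
flush_rules() {
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -t filter -F
  iptables -X
  iptables -t nat -Z
  iptables -t mangle -Z
  iptables -t filter -Z
}

#######################################
# Caixa Econômica (SEFIP/CAT) traffic must not go through Squid.
# ACCEPT in nat/PREROUTING ends NAT processing for the packet, so the
# port-80 REDIRECT added later never sees this destination block.
#######################################
bypass_caixa() {
  iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
  iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
}

#######################################
# Enable IPv4 forwarding for this boot only (sysctl.conf makes it persistent).
#######################################
enable_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

#######################################
# Forwarding towards the internet: replies, ping and the mail/ftp ports
# Outlook needs.
# Bug fixed: the POP3 (110) rule read "-o etho"; iptables accepts a
# non-existent interface name, so the rule loaded but could never match.
#######################################
allow_client_forwarding() {
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p icmp -j ACCEPT   # ping
  local port
  for port in 21 25 465 110 995; do       # ftp smtp smtps pop3 pop3s
    iptables -A FORWARD -o "$wan_if" -p tcp --dport "$port" -j ACCEPT
  done
}

#######################################
# NAT for the LAN and transparent redirect of port 80 to Squid.
# NOTE(review): the REDIRECT matches "-i $wan_if", the same interface that
# is masqueraded.  If eth0 really is the internet link, this catches port-80
# connections arriving FROM the internet and hands them to Squid, while LAN
# browsers (arriving on the LAN interface) are never redirected.  The LAN
# interface is most likely the intended "-i"; confirm before changing it.
#######################################
setup_nat() {
  iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE
  iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport 80 \
    -j REDIRECT --to-port "$squid_port"
}

# SSH to the gateway itself (disabled in the original).  If re-enabled, note
# that $IPT is never defined in this script and the first rule is missing
# "--state" before NEW.
#$IPT -A INPUT -p tcp --dport 22 -m state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
#$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
#$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

#######################################
# Reverse VNC for one LAN host: 5500-5700 out and the matching replies back.
# -I inserts at the top of FORWARD, ahead of everything appended so far.
#######################################
allow_reverse_vnc() {
  iptables -I FORWARD -p tcp --dport 5500:5700 -s "$vnc_host" -j ACCEPT
  iptables -I FORWARD -p tcp --sport 5500:5700 -d "$vnc_host" -j ACCEPT
}

#######################################
# DNS (UDP 53) between the LAN and the ISP resolvers, both directions.
# NOTE(review): DNS over TCP is not covered; that only matters once FORWARD
# has a DROP policy.
#######################################
allow_dns() {
  local ns
  for ns in "${dns_servers[@]}"; do
    iptables -A FORWARD -p udp -s "$lan_net" -d "$ns" --dport 53 -j ACCEPT
  done
  for ns in "${dns_servers[@]}"; do
    iptables -A FORWARD -p udp -s "$ns" --sport 53 -d "$lan_net" -j ACCEPT
  done
}

#######################################
# IMAP (143) to the gateway's own address.  These are INPUT/OUTPUT rules, so
# they concern a service on this host, not forwarded LAN traffic.
# NOTE(review): 189.19.33.100 is presumably the public address of the WAN
# interface — confirm; with no INPUT DROP policy the rule is currently a no-op.
#######################################
allow_imap_input() {
  iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 189.19.33.100 --dport 143 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -s 189.19.33.100 --sport 143 -d 0/0 --dport 1024:65535 \
    -m state --state ESTABLISHED -j ACCEPT
}

#######################################
# Restart Squid and the network interfaces, printing the original banners.
# NOTE(review): "networking restart" after the rules are loaded bounces both
# interfaces; it does not by itself flush iptables on Debian, but it does drop
# live connections — consider doing it before the rules, or not at all.
#######################################
restart_services() {
  echo
  echo "======= restartando Squid ==========="
  echo
  /etc/init.d/squid restart
  echo
  echo "======= restartando placas eth0 e eth1 =============="
  echo
  /etc/init.d/networking restart
  echo
  echo "======= Ativando Compartilhamento de Internet======="
  echo
  echo
  echo
  echo
  echo "================ fim ================="
}

main() {
  flush_rules
  bypass_caixa
  enable_forwarding
  allow_client_forwarding
  setup_nat
  allow_reverse_vnc
  allow_dns
  allow_imap_input
  restart_services
}

main "$@"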





SQUID
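############# Squid configured by Marcelo (11)9126-5465
#
# NOTE(review): the original post pasted this configuration twice, verbatim;
# a squid.conf must contain each directive once, so a single copy is kept.
#
# Transparent interception (http_port ... transparent) and proxy_auth do not
# work together: a browser that does not know it is talking to a proxy never
# sends Proxy-Authorization, so every proxy_auth ACL below fails for
# intercepted connections and the 407 challenge cannot be answered.
# Authentication needs clients configured to use the proxy explicitly
# (manual settings or WPAD/PAC); "transparent" then only serves unauthenticated
# traffic.
http_port 3128 transparent
icp_port 0

################# REQUIRE A PASSWORD
visible_hostname Srv_Squid
# Basic authentication carries the password base64-encoded (readable by anyone
# on the path between client and proxy); acceptable only on a trusted LAN.
# NOTE(review): on Debian the helper is usually /usr/lib/squid/ncsa_auth —
# check that /usr/bin/ncsa_auth actually exists on this host.
auth_param basic program /usr/bin/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Digite sua senha
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


######### MAXIMUM CACHE SIZE
# cache_mem is the RAM Squid may use for in-memory objects, not disk space.
# It must stay well below the machine's physical memory; 10 GB here is only
# sane on a host with considerably more RAM than that.
cache_mem 10 GB

######## MAXIMUM OBJECT SIZE KEPT IN MEMORY
maximum_object_size_in_memory 5 MB

######## MAXIMUM OBJECT SIZE KEPT ON DISK
maximum_object_size 900 MB

######## CACHE DIRECTORY AND LOG FILES
# One 30 GB ufs store with 16 first-level directories.  ufs blocks the main
# process on disk I/O (aufs does not), and a single large store with few
# first-level directories degrades as the cache fills; several smaller aufs
# cache_dir entries with 64 first-level directories scale better.
cache_dir ufs /var/cache/squid 30000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

########## Error pages in Portuguese
error_directory /usr/share/squid/errors/Portuguese

################# Cache refresh rules
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#DNS
#dns_nameservers 192.168.70.1 200.205.125.57 200.205.125.58
#emulate_httpd_log off
#connect_timeout 180 seconds

############## ACLs FOR BLOCKING AND PER-GROUP ALLOWANCES
acl ip_liberados src "/etc/squid/ips_liberados"
# Fixed: the path was "etc/squid/users_suporte" (no leading slash), a relative
# path Squid would not find.
acl users_suporte proxy_auth "/etc/squid/users_suporte"
acl users_diretoria proxy_auth "/etc/squid/users_diretoria"
acl palavras_bloqueadas url_regex -i "/etc/squid/palavras_bloqueadas"
acl block_downloads url_regex -i "/etc/squid/block_downloads"
acl block_orkut url_regex -i "/etc/squid/block_orkut"
# Fixed: a stray "i" before the file name was read as a domain literally named
# "i"; dstdomain matching is already case-insensitive, so no flag is needed.
acl sites_bloqueados dstdomain "/etc/squid/sites_bloqueados"
acl msnmessenger url_regex -i /gateway/gateway.dll
# NOTE(review): "all" conventionally means every source (0.0.0.0/0).  Here it
# is narrowed to the LAN, so "http_reply_access allow all" and
# "icp_access allow all" below cover only 192.168.70.0/24, and a trailing
# "http_access deny all" would not cover other sources either.  Squid 3.x
# predefines "all" and warns when it is redefined.
acl all src 192.168.70.0/24
acl autenticacao proxy_auth REQUIRED
# Ordering caveat: these three allow lines sit before "deny !Safe_ports" and
# "deny CONNECT !SSL_ports", so whitelisted IPs and authenticated support /
# management users bypass the port restrictions entirely.  Moving those two
# deny lines above this point closes that gap.
http_access allow ip_liberados
http_access allow users_suporte
http_access allow users_diretoria
http_access deny palavras_bloqueadas
http_access deny msnmessenger
http_access deny block_downloads
http_access deny block_orkut
http_access deny sites_bloqueados

########### DEFAULT ACLs
acl localhost src 127.0.0.1/32
acl rede src 192.168.70.0/24
acl manager proto cache_object
acl SSL_ports port 443 563
acl Safe_ports port 70 # gopher
acl Safe_ports port 25 # smtp
acl Safe_ports port 110 # pop
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1025-65535 # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
# The duplicate "acl msnmessenger" that followed here was dropped; it repeated
# the definition above and Squid would simply have merged the two.

#################### local machine: cache manager and purge, then port checks
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# "allow autenticacao" challenges (407) any client that is not authenticated;
# intercepted clients cannot answer it, so they are effectively denied here
# and never reach "allow rede".
http_access allow autenticacao
http_access allow rede
# Left commented on purpose: with "all" narrowed to the LAN above, "deny all"
# as the last line would make the implicit default for non-LAN sources an
# allow (Squid applies the opposite of the last line to unmatched requests).
# Redefine "all" as 0.0.0.0/0 before ending the list with "deny all".
#http_access deny all
http_reply_access allow all
icp_access allow all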


  


2. Re: OUTLOOK + VNC REVERSO help.... [RESOLVIDO]

Fabio Soares Schmidt
fs.schmidt

(usa CentOS)

Enviado em 21/01/2011 - 22:01h

Bom, vamos por partes:

"iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" - Aqui você está habilitando o masquerade para a interface eth0, essa é a sua interface de internet?

cache_mem 10 GB - Esse parâmetro define a quantidade de memória RAM que o squid pode utilizar para cache, e não espaço em disco como está comentado na sua configuração. A menos que você tenha mais de 10 GB de memória RAM na sua máquina, isso irá causar problemas.

maximum_object_size 900 MB - Tem necessidade MESMO de fazer o squid armazenar em cache todos os arquivos de até 900 MB que puderem ser cacheados?

cache_dir ufs /var/cache/squid 30000 16 256 - Um diretório só, com 30 GB e 16 diretórios no 1º nível, irá causar muitos problemas assim que o cache começar a aumentar; eu faria desta forma (3 diretórios de cache com 64 diretórios no primeiro nível):

cache_dir aufs /var/spool/squid/cache1 10000 64 256
cache_dir aufs /var/spool/squid/cache2 10000 64 256
cache_dir aufs /var/spool/squid/cache3 10000 64 256





