Connection drop problem [SOLVED]

1. Connection drop problem [SOLVED]

Josimar Pedro
forgottenn

(uses Debian)

Sent on 21/01/2014 - 00:43h

Good evening. First of all I would like to thank you for all the knowledge that you at VOL pass on to those who are starting out; I have learned a lot from you.
I would like to ask for your help with the following: I configured a DEBIAN 7 server with iptables + non-transparent squid, but while I am browsing, web browsing simply stops working.
I have already run several tests and noticed that when web browsing drops, ping and the Remote Desktop connection keep working. So, assuming it was SQUID, I left squid with the basic settings, but the problem still persists.

What do you recommend doing in this case?

My test environment is a physical server running Debian, and I am on a Windows XP machine connected to that server's network, where I run the tests in a virtual machine.

2. Re: Connection drop problem [SOLVED]

Pedro
px

(uses Debian)

Sent on 21/01/2014 - 01:50h

Have you looked at the squid logs? Is there anything there?

Post your firewall (iptables) config files, squid (squid.conf), squid logs...

PS: Remember we are not there with you, so post things so we can understand more about this problem!


3. Re: Connection drop problem [SOLVED]

Josimar Pedro
forgottenn

(uses Debian)

Sent on 21/01/2014 - 08:52h

Good morning

Here is the iptables script

#!/bin/sh
###############################################################
###############################################################
############ Define variables ########################################

echo "Definindo variaveis.................................[OK]"
EXT=eth0
INT=eth1

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_string

echo "Ativando roteamento.................................[OK]"
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "Limpando Regras.....................................[OK]"
### Flushing iptables rules ###
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -X
###############################################################
############ Policies #############################################
###############################################################

echo "Dropando tudo.......................................[OK]"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP




# TeamViewer #
iptables -t filter -A FORWARD -p tcp --dport 5938 -j ACCEPT

# Allow loopback
iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT -i lo
iptables -A INPUT -s 0/0 -d 0/0 -j ACCEPT -i lo

###############################################################
############## NAT #############################################
###############################################################

iptables -A INPUT -p TCP -i eth1 --dport 3128 -j ACCEPT

## Masquerading internet traffic ##
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $EXT -j MASQUERADE

###############################################################
############ INPUT ##############################################
###############################################################

echo "Definindo INPUT......................................[OK]"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
## Accept SSH connections from anywhere ##
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 7340 -j ACCEPT
## Accept APACHE ##
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
## Accept ping ##
iptables -A INPUT -p icmp -j ACCEPT
## Allow FTP ##
iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "**Conexao FTP IN**"
iptables -A INPUT -p tcp --dport 21 -j ACCEPT


echo Bloqueando spoofing vindos para a interface da internet
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP

# Log packets that do not match the rules above
#iptables -A INPUT -j LOG --log-prefix "Pacote input descartado: "

###############################################################
############ OUTPUT #############################################
###############################################################

echo "Definindo OUTPUT.....................................[OK]"
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

###############################################################
############ FORWARD ############################################
###############################################################


echo "Definindo FORWARD.....................................[OK]"
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Allowing (TCP) DNS, smtp, pop, http and squid for the internal network ##
iptables -A FORWARD -p tcp -m multiport --dports 25,53,80,110,3128 -j ACCEPT
## Allowing DNS (UDP) for the internal network ##
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
## Allowing PING for the internal network ##
iptables -A FORWARD -p icmp -j ACCEPT
## Accept connections to the proxy dashboard ##
iptables -t nat -A PREROUTING -p tcp -i $EXT --dport 8080 -j DNAT --to-destination 192.168.0.169:80

## Allow FTP ##
#iptables -A FORWARD -p tcp --dport 21 -j LOG --log-prefix "**Conexao FTP FW**"
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

## Allow TS (Terminal Services) from the LAN ##
iptables -A FORWARD -p tcp -i $INT -m multiport --dports 3389,33891,33890,33892 -j LOG --log-prefix "**Conexao TS FW**"
iptables -A FORWARD -p tcp -i $INT --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp -i $INT --dport 33890 -j ACCEPT
iptables -A FORWARD -p tcp -i $INT --dport 33891 -j ACCEPT

## Allow IPs to access Facebook ##

## generating a file with Facebook's IPs ##
whois -h whois.radb.net '!gAS32934' | tr ' ' '\n' | grep ^[0-9] > facebook.ip
for i in $(cat facebook.ip);
do
#iptables -I FORWARD -s 192.168.0.167 -d $i -j ACCEPT
iptables -I FORWARD -s $i -j LOG --log-prefix "** facebook **"
iptables -I FORWARD -s $i -j DROP
#route add -net $i reject

### Allow Facebook IP ##
#FACEBOOK_ALLOW=$(cat /etc/squid/vipfacebook) # allowed IP
#for IP_LIBERADO in $FACEBOOK_ALLOW;
#do
#iptables -I FORWARD -s $IP_LIBERADO -d $i -j ACCEPT
done
#done
## Allowing high ports
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -p tcp --dport 1024:65535 -j ACCEPT

## Block WhatsApp
iptables -A FORWARD -p tcp -m multiport --dports 5222,5223 -j LOG --log-prefix "**DROP Whats**" --log-level 5
iptables -A FORWARD -p tcp -m multiport --dports 5222,5223 -j DROP

## Block HTTPS ##
#iptables -A FORWARD -p tcp --dport 443 -j LOG --log-prefix "**Bloqueio HTTPS443 **" --log-level 4
iptables -A FORWARD -p tcp --dport 443 -j DROP

## test ##
#iptables -I FORWARD -s 192.168.0.177 -m string --algo bm --string "youtube.com" -j ACCEPT # allowed IP
#iptables -I FORWARD -i $INT -s 192.168.0.179 -m string --algo bm --string "twitter.com" -j ACCEPT # allowed IP
#iptables -I FORWARD -i $INT -m string --algo bm --string "youtube.com" -j LOG --log-prefix " acesso facebook: " --log-level alert # access log
#iptables -I FORWARD -i $INT -m string --algo bm --string "twitter.com" -j LOG --log-prefix " acesso twitter: " --log-level alert # access log
#iptables -I FORWARD -i $INT -m string --algo bm --string "youtube.com" -j DROP # block for everyone
#iptables -I FORWARD -i $INT -m string --algo bm --string "twitter.com" -j DROP # block for everyone


# Log dropped packets
iptables -N LOGGING
#iptables -A INPUT -j LOGGING
iptables -A FORWARD -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

Here is squid.conf

### START OF SQUID.CONF ###
#############################################################
#############################################################
#Recommended minimum configuration:
############## SQUID PORT ##############
http_port 3128
visible_hostname proxyct.org

hierarchy_stoplist cgi-bin ?
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

## DO NOT CACHE THE INTERNAL NETWORK ##
#acl nocache urlpath_regex 192.168.0.169/
#no_cache deny nocache

############## LOGS ##############
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none

############## PERFORMANCE/DISK ##############
cache_mem 512 MB
maximum_object_size_in_memory 8 KB
memory_replacement_policy lru
cache_replacement_policy lru
#cache_dir ufs /var/spool/squid 60000 16 256
cache_dir ufs /home/squid/cache 200000 16 256
dns_nameservers 8.8.8.8 8.8.4.4

### Maximum size of an object that will be stored in the cache ###
maximum_object_size 200000 KB

### Cache cleanup thresholds ###
cache_swap_low 90
cache_swap_high 95

### Icons ###
icon_directory /usr/share/squid/icons
short_icon_urls on

### Error page configuration ###
error_directory /usr/share/squid/errors/Portuguese


acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

############## PORT ACLs ##############
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 25 # SMTP
acl Safe_ports port 443 # https
acl Safe_ports port 8080 #
# acl Safe_ports port 70 # gopher
# acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
# acl Safe_ports port 488 # gss-http
# acl Safe_ports port 591 # filemaker
# acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

############## LOCAL NETWORK #########################
### Here it allows the 192.168.0.0/24 network to connect to squid ####
acl localnet src 192.168.0.0/255.255.255.0
## The line below holds the IPs that may
## browse without going through the proxy
acl ips_sem_senha src 192.168.0.168
#acl ips_sem_senha src 192.168.0.167

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype

http_access allow CONNECT localnet numeric_IPs Skype_UA


# // DENY > DOWNLOADS
acl extensoes urlpath_regex -i "/var/www/fw/squid/files/bloqueados/extensoes/ext_bloqueadas"
#acl extensoes urlpath_regex -i \.mp3($|\?|\&)
http_access deny all extensoes

### Do not cache these extensions ###
#acl extensoesdinamicas urlpath_regex scripts \.php$ \.asp$ \.action$ \.css$ \.dll$ \.do$ \.exe$ \.ftl$ \.js$ \.jsp$ \.lzx$ \.vm$ \.aspx$
#no_cache deny extensoesdinamicas

# ---- Direct sites that do not go through the cache ----
acl sites_diretos url_regex -i "/var/www/fw/squid/files/liberados/s_senha/s_senha"
http_access allow sites_diretos
#cache deny sites_diretos


# // FULLY ALLOWED - COMPUTERS BY MAC ADDRESS
#acl mac_liberados arp "/var/www/squid/files/liberados/ip/ip"
acl ip_liberados src "/var/www/fw/squid/files/liberados/ip/ip"

# // Block IP
acl ip_bloqueados src "/var/www/fw/squid/files/bloqueados/ip/ip_bloqueados"
#http_access allow mac_liberados !sitesbloqueados

http_access allow ips_sem_senha
#http_access deny ips_sem_senha

# // ALLOWED > SOME SITES FOR EVERYONE
acl sitesliberados dstdomain "/var/www/fw/squid/files/liberados/dominios/sites_liberados"

# // ALLOW > ".gov.br"
acl governo dstdomain .gov.br
http_access allow governo

# // DENY > FORBIDDEN SITES
acl sitesbloqueados dstdomain "/var/www/fw/squid/files/bloqueados/dominios/sites_bloqueados"

# // DENY > FORBIDDEN WORDS
acl palavrasbloqueadas url_regex -i "/var/www/fw/squid/files/bloqueados/palavras/pl_bloqueadas"

# // ALLOW > ALLOWED WORDS
acl palavrasliberadas url_regex -i "/var/www/fw/squid/files/liberados/palavras/pl_liberados"

### SKYPE
acl siteskype url_regex -i "/etc/squid/skype"

## Block the rest of the network
http_access allow manager localhost
#http_access allow manager admin
#http_access allow manager webserver
http_access deny manager
icp_access allow all
http_access allow localnet localhost
http_access allow localhost
http_access allow localnet sites_diretos siteskype
#http_access deny !localnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


http_access allow siteskype
http_access allow sitesliberados
http_access deny sitesbloqueados
http_access deny palavrasbloqueadas
http_access allow palavrasliberadas


#// ALLOW > VIP IPs except blocked sites
http_access allow ip_liberados !sitesbloqueados !palavrasbloqueadas

#// ALLOW > RESTRICTED IPs
http_access allow ip_bloqueados sitesliberados palavrasliberadas sites_diretos siteskype

# Cache Windows Update
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern www.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320


# Cache Avira updates
refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims

debug_options ALL,2

icp_port 3130
coredump_dir /var/spool/squid

## Deny everything
http_access deny all
http_reply_access allow all




4. Re: Connection drop problem [SOLVED]

Pedro
px

(uses Debian)

Sent on 21/01/2014 - 22:33h

On this line here, TCP should be lowercase: tcp

iptables -A INPUT -p TCP -i eth1 --dport 3128 -j ACCEPT


Replace it with

iptables -A INPUT -p tcp -i eth1 --dport 3128 -j ACCEPT 


I think this OUTPUT config is unnecessary, since your default policy for OUTPUT is open (and it should be, on proxies)

you can comment it out:

echo "Definindo OUTPUT.....................................[OK]"
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT



NOTE: if browsing does not work, uncomment the OUTPUT section again (but I don't think it will be necessary).

comments on squid.conf

This dns line makes squid slow; try removing it, or use a local DNS.

dns_nameservers 8.8.8.8 8.8.4.4


Here at the end, replace:

## Deny everything
http_access deny all
http_reply_access allow all


with

## Deny everything
http_reply_access allow all
http_access deny all




I noticed that you use squid to do some blocking; take a look at DansGuardian, it acts as a complement to blocking in squid, an excellent program for blocking or allowing some sites.

But for now let's solve this squid problem; I'll wait for your feedback.
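The points raised in this reply (protocol name spelling in the iptables rule, OUTPUT rules that sit behind an unconditional ACCEPT, and the ordering of squid http_access lines) are all things a small linter can catch before a config goes live. The script below is an added example for this thread, not code from either poster; it runs over constructed fragments modelled on the configs posted above (the sample lines, the check names and the BUILTIN_ACLS set are this example's own). The squid check for ACL names that differ only in capitalisation (numeric_IPs vs numeric_IPS) flags a maintenance hazard; it makes no claim about how a given squid release resolves such names.

```python
"""Lint an iptables rule script and a squid.conf for the mistakes discussed
in this thread. Added example; sample inputs are constructed, not real
configs from the forum posts."""
import shlex

# Constructed sample: cut-down iptables script with an upper-case protocol
# name and an OUTPUT rule placed after a match-everything ACCEPT.
IPTABLES_SAMPLE = """\
#!/bin/sh
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p TCP -i eth1 --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
"""

# Constructed sample: cut-down squid.conf with an ACL referenced under a
# different capitalisation, an unterminated quoted path, and a rule after
# "deny all".
SQUID_SAMPLE = """\
acl localnet src 192.168.0.0/255.255.255.0
acl numeric_IPs dstdom_regex ^[0-9.]+:443
acl CONNECT method CONNECT
acl sitesliberados dstdomain "/etc/squid/sites_liberados
http_access allow CONNECT localnet numeric_IPS
http_access allow sitesliberados
http_access deny all
http_access allow localnet
"""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
# ACL names squid 3.2+ predefines (assumption for this example); older
# releases, like the one in the thread, need explicit "acl all src ..." lines.
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}


def _strip_comment(raw):
    return raw.split("#", 1)[0].strip()


def lint_iptables(text):
    """Return [(line_no, message)] for an iptables shell script."""
    findings = []
    catchall = {}  # chain -> line of its first rule that matches every packet
    for no, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line.startswith("iptables"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError:
            findings.append((no, "unbalanced quotes"))
            continue
        # Protocol names: lower-case is the documented form used throughout the thread.
        for i, tok in enumerate(argv[:-1]):
            if tok in ("-p", "--protocol") and argv[i + 1] != argv[i + 1].lower():
                findings.append((no, f'protocol "{argv[i + 1]}" is not lower-case'))
        if "-A" not in argv:  # -I inserts at the top, so it cannot be shadowed
            continue
        chain = argv[argv.index("-A") + 1]
        if chain in catchall:
            findings.append((no, f"rule in {chain} is unreachable after line {catchall[chain]}"))
        elif len(argv) == 5 and argv[3] == "-j" and argv[4] in TERMINAL_TARGETS:
            catchall[chain] = no  # "iptables -A CHAIN -j TARGET" with no match options
    return findings


def lint_squid(text):
    """Return [(line_no, message)] for a squid.conf."""
    findings = []
    defined = set(BUILTIN_ACLS)
    deny_all_line = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if line.count('"') % 2:
            findings.append((no, "unterminated double quote"))
        words = line.split()
        if words[0] == "acl" and len(words) >= 3:
            defined.add(words[1])
        elif words[0] == "http_access" and len(words) >= 3:
            if deny_all_line is not None:
                findings.append((no, f'http_access rule is unreachable after "deny all" on line {deny_all_line}'))
            for name in (w.lstrip("!") for w in words[2:]):
                if name in defined:
                    continue
                near = [d for d in defined if d.lower() == name.lower()]
                hint = f' (defined as "{near[0]}")' if near else ""
                findings.append((no, f'ACL "{name}" is not defined with this spelling{hint}'))
            if words[1] == "deny" and words[2:] == ["all"] and deny_all_line is None:
                deny_all_line = no
    return findings


if __name__ == "__main__":
    for label, result in (("iptables", lint_iptables(IPTABLES_SAMPLE)),
                          ("squid.conf", lint_squid(SQUID_SAMPLE))):
        for no, msg in result:
            print(f"{label}:{no}: {msg}")
```

To check a real deployment, read the files with `open(...).read()` and pass the text to the two functions; the http_access check only tracks first-match shadowing by a literal `deny all`, so rules hidden behind other broad allows still need a manual read.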



5. Re: Connection drop problem [SOLVED]

Josimar Pedro
forgottenn

(uses Debian)

Sent on 21/01/2014 - 23:01h

It really was that uppercase TCP in the INPUT rule; I spent the whole day on it today and managed to find the fault.
Thanks for the help, and I will install DansGuardian to test it.


6. Re: Connection drop problem [SOLVED]

Pedro
px

(uses Debian)

Sent on 21/01/2014 - 23:39h

forgottenn wrote:

It really was that uppercase TCP in the INPUT rule; I spent the whole day on it today and managed to find the fault.
Thanks for the help, and I will install DansGuardian to test it.


Ok. Read up on it carefully, because it took me a little while to get the hang of it hehe

This article here by a fellow member cleared up a lot of my doubts:

http://www.vivaolinux.com.br/artigo/DansGuardian-Filtrando-o-acesso-a-Web

See you
