Proxy não transparente navegando sites https em maquinas sem proxy.

wandersonlm
(usa Debian)

Enviado em 22/04/2017 - 00:44h

Galera bom dia a todos.
O problema é o seguinte!!!! implementei proxy não transparente com redirecionamento para porta 3128. Porém se eu colocar o proxy nas maquinas blz ele bloqueia e funciona de boa, mas se eu tirar o proxy os computadores estão navegando nos sites que são https exemplo youtube. O que quero na verdade com a ajuda de vcs, que quando tirar o proxy não navegue em nada e quando colocar navegar com seus devidos bloqueios, segue squid e fw. obrigados a todos.

squid:
#
# Proxy configuration file autogenerated for GatePro - DO *NOT* EDIT THIS FILE!
#
# Configuration file updated in: Tue 03 Jul 2012 06:36:05 PM BRT
#
# $Id: generic-lib.pm 5695 2010-09-29 18:57:36Z cleber $
#

###
### proxy tags unknown for GatePRO API
###

error_default_language pt-br

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

icp_port 0

cache_peer 127.0.0.1 parent 8181 0 no-query no-digest no-netdb-exchange default

hierarchy_stoplist cgi-bin ?

append_domain


###
### General proxy settings:
###
# outgoing TCP address

# listen address
http_port 192.168.30.252:3128

# hostname used for HTTP requests
visible_hostname

# email address of proxy administrator used in error messages
cache_mgr heldesk@profarma.com.br

# log settings
access_log /var/log/squid/access.log squid


###
### Proxy objects:
###
#
# Object type: 'source objects'
#
# @comment: Localhost
acl LocalHost src 127.0.0.1

# @comment: Redes locais privadas
# Tem que apontar para rede da loja
acl LocalNetwork src 192.168.30.0/24

# @comment: Bloqueados
#acl Ips_Bloqueados src "/etc/squid/objects/Ips_Bloqueados"

# @comment: Equipamentos sem restricao
#acl Liberados src "/etc/squid/objects/Liberados"

# Safe Ports
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # GlASSfISH
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https

#
# Object type: 'destination objects'
#
# @comment: Todos Sites
#acl Todos url_regex -i "/etc/squid/objects/Todos"

# @comment: Sites Liberados
acl site url_regex -i "/etc/squid/objects/site"

#
# Object type: 'time objects'
#
# @comment: Horario Comercial
#acl hc time SMTWHFA 00:01-23:59

###
### Proxy rules:
###
# @comment: Liberados Especiais
#http_access allow Liberados

# @comment: Ips Bloqueados
#http_access deny Ips_Bloqueados Todos
#http_access deny Ips_Bloqueados all

# @comment: Bloquear acesso a partir de redes locais privadas
http_access allow LocalNetwork site
http_access deny LocalNetwork

# @comment: Regra Padrao
#http_access allow ips site
#http_access allow ips

# EOF


Firewall:
# Generated by iptables-save v1.3.5 on Mon Aug 17 09:05:09 2015
*raw
:PREROUTING ACCEPT [415369:117114840]
:OUTPUT ACCEPT [265272:48349122]
COMMIT
# Completed on Mon Aug 17 09:05:09 2015
# Generated by iptables-save v1.3.5 on Mon Aug 17 09:05:09 2015
*nat
:PREROUTING ACCEPT [83037:6474652]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [10946:791256]
:VPNSSL@POSTROUTING - [0:0]
:VPNSSL@PREROUTING - [0:0]
-A PREROUTING -s 192.168.30.0/255.255.255.0 -d ! 192.168.250.40 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -j VPNSSL@PREROUTING
-A POSTROUTING -j VPNSSL@POSTROUTING
-A POSTROUTING -j MASQUERADE
-A VPNSSL@POSTROUTING -s 192.168.30.0/255.255.255.0 -d 192.168.253.0/255.255.255.0 -j ACCEPT
-A VPNSSL@POSTROUTING -s 192.168.30.0/255.255.255.0 -d 192.168.250.0/255.255.254.0 -j ACCEPT
-A VPNSSL@POSTROUTING -s 192.168.30.0/255.255.255.0 -d 180.0.0.0/255.255.0.0 -j ACCEPT
-A VPNSSL@POSTROUTING -s 192.168.30.0/255.255.255.0 -d 172.16.100.0/255.255.255.0 -j ACCEPT
COMMIT
# Completed on Mon Aug 17 09:05:09 2015
# Generated by iptables-save v1.3.5 on Mon Aug 17 09:05:09 2015
*mangle
:PREROUTING ACCEPT [415369:117114840]
:INPUT ACCEPT [272383:64975320]
:FORWARD ACCEPT [142980:52139096]
:OUTPUT ACCEPT [265272:48349122]
:POSTROUTING ACCEPT [408252:100488218]
:LOADBALANCE - [0:0]
:VPNSSL@ROUTE - [0:0]
-A PREROUTING -j LOADBALANCE
-A OUTPUT -j LOADBALANCE
-A POSTROUTING -j VPNSSL@ROUTE
COMMIT
# Completed on Mon Aug 17 09:05:09 2015
# Generated by iptables-save v1.3.5 on Mon Aug 17 09:05:09 2015
*filter
:INPUT DROP [11703:709071]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [238105:45667206]
:ATIVA_STATEFUL - [0:0]
:BLOQUEIOS@FORWARD - [0:0]
:LIBERA_DNAT - [0:0]
:LIBERA_SNAT - [0:0]
:LOGDROP - [0:0]
:LOGDROPBLOQUEIOS - [0:0]
:VPNSSL@FORWARD - [0:0]
:VPNSSL@INPUT - [0:0]
:VPNSSL@OUTPUT - [0:0]
-A INPUT -j ATIVA_STATEFUL
-A INPUT -j VPNSSL@INPUT
-A INPUT -p tcp -m multiport --dports 22,12344 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10842 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p udp -m multiport --dports 67,68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.30.0/255.255.255.0 -d 192.168.30.252 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -s 192.168.30.0/0 -p tcp --dport 80 -j DROP
-A FORWARD -j ATIVA_STATEFUL
-A FORWARD -j VPNSSL@FORWARD
-A FORWARD -j BLOQUEIOS@FORWARD
-A FORWARD -j LIBERA_SNAT
-A OUTPUT -j VPNSSL@OUTPUT
-A OUTPUT -o lo -j ACCEPT
-A ATIVA_STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LIBERA_DNAT -j ACCEPT
-A LIBERA_SNAT -j ACCEPT
-A LOGDROP -j LOG --log-prefix "logfirewall (logdrop): " --log-level 7
-A LOGDROP -j DROP
-A LOGDROPBLOQUEIOS -j LOG --log-prefix "logfirewall (Bloqueios): " --log-level 7
-A LOGDROPBLOQUEIOS -j DROP
-A VPNSSL@FORWARD -s 192.168.30.0/255.255.255.0 -d 192.168.253.0/255.255.255.0 -j LIBERA_SNAT
-A VPNSSL@FORWARD -s 192.168.30.0/255.255.255.0 -d 192.168.250.0/255.255.254.0 -j LIBERA_SNAT
-A VPNSSL@FORWARD -s 192.168.30.0/255.255.255.0 -d 180.0.0.0/255.255.0.0 -j LIBERA_SNAT
-A VPNSSL@FORWARD -s 192.168.30.0/255.255.255.0 -d 172.16.100.0/255.255.255.0 -j LIBERA_SNAT
-A VPNSSL@FORWARD -s 192.168.30.0/255.255.255.0 -d 192.168.253.0/255.255.255.0 -j ACCEPT
-A VPNSSL@FORWARD -s 192.168.253.0/255.255.255.0 -d 192.168.30.0/255.255.255.0 -j ACCEPT
-A VPNSSL@FORWARD -s 192.168.30.0/255.255.255.0 -d 192.168.250.0/255.255.254.0 -j ACCEPT
-A VPNSSL@FORWARD -s 192.168.250.0/255.255.254.0 -d 192.168.30.0/255.255.255.0 -j ACCEPT
-A VPNSSL@FORWARD -s 192.168.30.0/255.255.255.0 -d 180.0.0.0/255.255.0.0 -j ACCEPT
-A VPNSSL@FORWARD -s 180.0.0.0/255.255.0.0 -d 192.168.30.0/255.255.255.0 -j ACCEPT
-A VPNSSL@FORWARD -s 192.168.30.0/255.255.255.0 -d 172.16.100.0/255.255.255.0 -j ACCEPT
-A VPNSSL@FORWARD -s 172.16.100.0/255.255.255.0 -d 192.168.30.0/255.255.255.0 -j ACCEPT
-A VPNSSL@INPUT -p udp -m udp --dport 7030 -j ACCEPT
-A VPNSSL@INPUT -p tcp -m tcp --dport 8030 -j ACCEPT
-A VPNSSL@INPUT -p udp -m udp --dport 9030 -j ACCEPT
-A VPNSSL@INPUT -p udp -m udp --dport 161 -j ACCEPT
-A VPNSSL@INPUT -p tcp -m tcp --dport 161 -j ACCEPT
-A VPNSSL@OUTPUT -p udp -m udp --sport 161 -j ACCEPT
-A VPNSSL@OUTPUT -p tcp -m tcp --sport 161 -j ACCEPT
COMMIT
# Completed on Mon Aug 17 09:05:09 2015