Transparent proxy [SOLVED]

1. Transparent proxy [SOLVED]

Ricardo Ramos Bastos de Castro
ricardo_bastos

(uses CentOS)

Sent on 03/01/2009 - 14:28h

I need to know how to make the users browse with the firewall's IP as their gateway. If I'm not mistaken, this is what's called a transparent proxy.


2. Re: Transparent proxy [SOLVED]

Andre Fernando Dominguez
afdominguez

(uses Ubuntu)

Sent on 03/01/2009 - 17:20h

Good afternoon, colleague.

I haven't tested it yet, but I believe what you want is in this article: http://www.vivaolinux.com.br/dica/Iptables-e-proxy-transparente-(Squid)-definitivo

If it doesn't work, post here.


3. Re: Transparent proxy [SOLVED]

Ricardo Ramos Bastos de Castro
ricardo_bastos

(uses CentOS)

Sent on 05/01/2009 - 18:31h

Buddy,

That command line has already been put in and it made no difference; the users can only browse if the IP and port are specified in Internet Explorer.


4. Re: Transparent proxy [SOLVED]

Ricardo Ramos Bastos de Castro
ricardo_bastos

(uses CentOS)

Sent on 05/01/2009 - 20:46h

Buddy,

I've already done all that and my proxy doesn't become transparent. My Squid version is 2.6; below is my Squid and iptables script:

# Listener on 8080 with the Squid 2.6 "transparent" option (Squid 3.1+ calls it "intercept")
http_port 8080 transparent
visible_hostname Firewall-Lauro

cache_mem 8 MB

maximum_object_size_in_memory 1 MB
maximum_object_size 1 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95

# Source-address and URL ACLs; the quoted paths are files with one entry per line
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1
acl ip_liberado src "/etc/squid/ip_liberado.txt"
acl ip_restrito src "/etc/squid/ip_restrito.txt"
acl sites_liberados url_regex -i "/etc/squid/sites_liberados.txt"

# Access policy, evaluated top to bottom, default deny at the end.
# Restricted hosts are denied everything except the listed sites; without the
# explicit "allow ip_restrito sites_liberados" line those requests would fall
# through to "deny all".
http_access allow ip_liberado
http_access deny ip_restrito !sites_liberados
http_access allow ip_restrito sites_liberados
http_access deny all


IPTABLES:

# Loopback and connection-tracking rules for traffic to the firewall itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LAN may reach the Squid listener (8080) and port 10000 on the firewall
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 10000 -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT: the LAN leaves through eth1; only LAN traffic to TCP/80 is redirected to
# Squid's port, everything else (HTTPS included) is forwarded, not proxied
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 8080



5. Re: Transparent proxy [SOLVED]

Matuzalém Guimarães
matux

(uses Ubuntu)

Sent on 05/01/2009 - 21:06h

Friend,

Do the following:
Type this command in your console:
# squid -d 3 -F -N -X

And post it here so we can see what's wrong with your squid.


6. Transparent proxy doesn't work

EMERSON SANTOS GUIMARAES
emerson2703

(uses CentOS)

Sent on 06/01/2009 - 10:28h

I typed this command as you requested: squid -d 3 -F -N -X

2009/01/06 06:24:18| Memory pools are 'off'; limit: 0.00 MB
2009/01/06 06:24:18| cachemgrRegister: registered mem
2009/01/06 06:24:18| cbdataInit
2009/01/06 06:24:18| cachemgrRegister: registered cbdata
2009/01/06 06:24:18| cachemgrRegister: registered events
2009/01/06 06:24:18| cachemgrRegister: registered squidaio_counts
2009/01/06 06:24:18| cachemgrRegister: registered coss
2009/01/06 06:24:18| cachemgrRegister: registered diskd
2009/01/06 06:24:18| diskd started
2009/01/06 06:24:18| authSchemeAdd: adding basic
2009/01/06 06:24:18| authSchemeAdd: adding digest
2009/01/06 06:24:18| authSchemeAdd: adding ntlm
2009/01/06 06:24:18| parse_line: ssl_unclean_shutdown off
2009/01/06 06:24:18| parse_line: sslproxy_version 1
2009/01/06 06:24:18| parse_line: icp_port 3130
2009/01/06 06:24:18| parse_line: udp_incoming_address 0.0.0.0
2009/01/06 06:24:18| parse_line: udp_outgoing_address 255.255.255.255
2009/01/06 06:24:18| parse_line: icp_query_timeout 0
2009/01/06 06:24:18| parse_line: maximum_icp_query_timeout 2000
2009/01/06 06:24:18| parse_line: mcast_icp_query_timeout 2000
2009/01/06 06:24:18| parse_line: dead_peer_timeout 10 seconds
2009/01/06 06:24:18| parse_line: cache_vary on
2009/01/06 06:24:18| parse_line: cache_mem 8 MB
2009/01/06 06:24:18| parse_line: cache_swap_low 90
2009/01/06 06:24:18| parse_line: cache_swap_high 95
2009/01/06 06:24:18| parse_line: maximum_object_size 4096 KB
2009/01/06 06:24:18| parse_line: minimum_object_size 0 KB
2009/01/06 06:24:18| parse_line: maximum_object_size_in_memory 8 KB
2009/01/06 06:24:18| parse_line: ipcache_size 1024
2009/01/06 06:24:18| parse_line: ipcache_low 90
2009/01/06 06:24:18| parse_line: ipcache_high 95
2009/01/06 06:24:18| parse_line: fqdncache_size 1024
2009/01/06 06:24:18| parse_line: cache_replacement_policy lru
2009/01/06 06:24:18| parse_line: memory_replacement_policy lru
2009/01/06 06:24:18| parse_line: cache_log /var/log/squid/cache.log
2009/01/06 06:24:18| parse_line: cache_store_log /var/log/squid/store.log
2009/01/06 06:24:18| parse_line: emulate_httpd_log off
2009/01/06 06:24:18| parse_line: log_ip_on_direct on
2009/01/06 06:24:18| parse_line: mime_table /etc/squid/mime.conf
2009/01/06 06:24:18| parse_line: log_mime_hdrs off
2009/01/06 06:24:18| parse_line: pid_filename /var/run/squid.pid
2009/01/06 06:24:18| parse_line: debug_options ALL,1
2009/01/06 06:24:18| parse_line: log_fqdn off
2009/01/06 06:24:18| parse_line: client_netmask 255.255.255.255
2009/01/06 06:24:18| parse_line: ftp_user [email protected]
2009/01/06 06:24:18| parse_line: ftp_list_width 32
2009/01/06 06:24:18| parse_line: ftp_passive on
2009/01/06 06:24:18| parse_line: ftp_sanitycheck on
2009/01/06 06:24:18| parse_line: ftp_telnet_protocol on
2009/01/06 06:24:18| parse_line: check_hostnames on
2009/01/06 06:24:18| parse_line: allow_underscore on
2009/01/06 06:24:18| parse_line: dns_retransmit_interval 5 seconds
2009/01/06 06:24:18| parse_line: dns_timeout 2 minutes
2009/01/06 06:24:18| parse_line: dns_defnames off
2009/01/06 06:24:18| parse_line: hosts_file /etc/hosts
2009/01/06 06:24:18| parse_line: diskd_program /usr/lib/squid/diskd-daemon
2009/01/06 06:24:18| parse_line: unlinkd_program /usr/lib/squid/unlinkd
2009/01/06 06:24:18| parse_line: url_rewrite_children 5
2009/01/06 06:24:18| parse_line: url_rewrite_concurrency 0
2009/01/06 06:24:18| parse_line: url_rewrite_host_header on
2009/01/06 06:24:18| parse_line: location_rewrite_children 5
2009/01/06 06:24:18| parse_line: location_rewrite_concurrency 0
2009/01/06 06:24:18| parse_line: authenticate_cache_garbage_interval 1 hour
2009/01/06 06:24:18| parse_line: authenticate_ttl 1 hour
2009/01/06 06:24:18| parse_line: authenticate_ip_ttl 0 seconds
2009/01/06 06:24:18| parse_line: wais_relay_port 0
2009/01/06 06:24:18| parse_line: request_header_max_size 20 KB
2009/01/06 06:24:18| parse_line: request_body_max_size 0 KB
2009/01/06 06:24:18| parse_line: quick_abort_min 16 KB
2009/01/06 06:24:18| parse_line: quick_abort_max 16 KB
2009/01/06 06:24:18| parse_line: quick_abort_pct 95
2009/01/06 06:24:18| parse_line: read_ahead_gap 16 KB
2009/01/06 06:24:18| parse_line: negative_ttl 5 minutes
2009/01/06 06:24:18| parse_line: positive_dns_ttl 6 hours
2009/01/06 06:24:18| parse_line: negative_dns_ttl 1 minute
2009/01/06 06:24:18| parse_line: range_offset_limit 0 KB
2009/01/06 06:24:18| parse_line: collapsed_forwarding off
2009/01/06 06:24:18| parse_line: refresh_stale_hit 0 seconds
2009/01/06 06:24:18| parse_line: forward_timeout 4 minutes
2009/01/06 06:24:18| parse_line: connect_timeout 1 minute
2009/01/06 06:24:18| parse_line: peer_connect_timeout 30 seconds
2009/01/06 06:24:18| parse_line: read_timeout 15 minutes
2009/01/06 06:24:18| parse_line: request_timeout 5 minutes
2009/01/06 06:24:18| parse_line: persistent_request_timeout 1 minute
2009/01/06 06:24:18| parse_line: client_lifetime 1 day
2009/01/06 06:24:18| parse_line: half_closed_clients on
2009/01/06 06:24:18| parse_line: pconn_timeout 120 seconds
2009/01/06 06:24:18| parse_line: ident_timeout 10 seconds
2009/01/06 06:24:18| parse_line: shutdown_lifetime 30 seconds
2009/01/06 06:24:18| parse_line: acl_uses_indirect_client on
2009/01/06 06:24:18| parse_line: delay_pool_uses_indirect_client on
2009/01/06 06:24:18| parse_line: log_uses_indirect_client on
2009/01/06 06:24:18| parse_line: reply_header_max_size 20 KB
2009/01/06 06:24:18| parse_line: cache_mgr root
2009/01/06 06:24:18| parse_line: mail_program mail
2009/01/06 06:24:18| parse_line: cache_effective_user squid
2009/01/06 06:24:18| parse_line: cache_effective_group squid
2009/01/06 06:24:18| parse_line: httpd_suppress_version_string off
2009/01/06 06:24:18| parse_line: umask 027
2009/01/06 06:24:18| parse_line: announce_period 0
2009/01/06 06:24:18| parse_line: announce_host tracker.ircache.net
2009/01/06 06:24:18| parse_line: announce_port 3131
2009/01/06 06:24:18| parse_line: httpd_accel_no_pmtu_disc off
2009/01/06 06:24:18| parse_line: logfile_rotate 0
2009/01/06 06:24:18| parse_line: tcp_recv_bufsize 0 bytes
2009/01/06 06:24:18| parse_line: memory_pools on
2009/01/06 06:24:18| parse_line: memory_pools_limit 5 MB
2009/01/06 06:24:18| parse_line: via on
2009/01/06 06:24:18| parse_line: forwarded_for on
2009/01/06 06:24:18| parse_line: log_icp_queries on
2009/01/06 06:24:18| parse_line: icp_hit_stale off
2009/01/06 06:24:18| parse_line: minimum_direct_hops 4
2009/01/06 06:24:18| parse_line: minimum_direct_rtt 400
2009/01/06 06:24:18| parse_line: store_avg_object_size 13 KB
2009/01/06 06:24:18| parse_line: store_objects_per_bucket 20
2009/01/06 06:24:18| parse_line: client_db on
2009/01/06 06:24:18| parse_line: netdb_low 900
2009/01/06 06:24:18| parse_line: netdb_high 1000
2009/01/06 06:24:18| parse_line: netdb_ping_period 5 minutes
2009/01/06 06:24:18| parse_line: query_icmp off
2009/01/06 06:24:18| parse_line: test_reachability off
2009/01/06 06:24:18| parse_line: buffered_logs off
2009/01/06 06:24:18| parse_line: reload_into_ims off
2009/01/06 06:24:18| parse_line: icon_directory /usr/share/squid/icons
2009/01/06 06:24:18| parse_line: global_internal_static on
2009/01/06 06:24:18| parse_line: short_icon_urls off
2009/01/06 06:24:18| parse_line: error_directory /usr/share/squid/errors/English
2009/01/06 06:24:18| parse_line: maximum_single_addr_tries 1
2009/01/06 06:24:18| parse_line: retry_on_error off
2009/01/06 06:24:18| parse_line: snmp_port 0
2009/01/06 06:24:18| parse_line: snmp_incoming_address 0.0.0.0
2009/01/06 06:24:18| parse_line: snmp_outgoing_address 255.255.255.255
2009/01/06 06:24:18| parse_line: as_whois_server whois.ra.net
2009/01/06 06:24:18| parse_line: wccp_router 0.0.0.0
2009/01/06 06:24:18| parse_line: wccp_version 4
2009/01/06 06:24:18| parse_line: wccp2_rebuild_wait on
2009/01/06 06:24:18| parse_line: wccp2_forwarding_method 1
2009/01/06 06:24:18| parse_line: wccp2_return_method 1
2009/01/06 06:24:18| parse_line: wccp2_assignment_method 1
2009/01/06 06:24:18| parse_line: wccp2_weight 10000
2009/01/06 06:24:18| parse_line: wccp_address 0.0.0.0
2009/01/06 06:24:18| parse_line: wccp2_address 0.0.0.0
2009/01/06 06:24:18| parse_line: delay_pools 0
2009/01/06 06:24:18| parse_line: delay_initial_bucket_level 50
2009/01/06 06:24:18| parse_line: incoming_icp_average 6
2009/01/06 06:24:18| parse_line: incoming_http_average 4
2009/01/06 06:24:18| parse_line: incoming_dns_average 4
2009/01/06 06:24:18| parse_line: min_icp_poll_cnt 8
2009/01/06 06:24:18| parse_line: min_dns_poll_cnt 8
2009/01/06 06:24:18| parse_line: min_http_poll_cnt 8
2009/01/06 06:24:18| parse_line: max_open_disk_fds 0
2009/01/06 06:24:18| parse_line: offline_mode off
2009/01/06 06:24:18| parse_line: uri_whitespace strip
2009/01/06 06:24:18| parse_line: nonhierarchical_direct on
2009/01/06 06:24:18| parse_line: prefer_direct off
2009/01/06 06:24:18| parse_line: strip_query_terms on
2009/01/06 06:24:18| parse_line: redirector_bypass off
2009/01/06 06:24:18| parse_line: ignore_unknown_nameservers on
2009/01/06 06:24:18| parse_line: digest_generation on
2009/01/06 06:24:18| parse_line: digest_bits_per_entry 5
2009/01/06 06:24:18| parse_line: digest_rebuild_period 1 hour
2009/01/06 06:24:18| parse_line: digest_rewrite_period 1 hour
2009/01/06 06:24:18| parse_line: digest_swapout_chunk_size 4096 bytes
2009/01/06 06:24:18| parse_line: digest_rebuild_chunk_percentage 10
2009/01/06 06:24:18| parse_line: client_persistent_connections on
2009/01/06 06:24:18| parse_line: server_persistent_connections on
2009/01/06 06:24:18| parse_line: persistent_connection_after_error off
2009/01/06 06:24:18| parse_line: detect_broken_pconn off
2009/01/06 06:24:18| parse_line: balance_on_multiple_ip on
2009/01/06 06:24:18| parse_line: pipeline_prefetch off
2009/01/06 06:24:18| parse_line: request_entities off
2009/01/06 06:24:18| parse_line: high_response_time_warning 0
2009/01/06 06:24:18| parse_line: high_page_fault_warning 0
2009/01/06 06:24:18| parse_line: high_memory_warning 0
2009/01/06 06:24:18| parse_line: store_dir_select_algorithm least-load
2009/01/06 06:24:18| parse_line: ie_refresh off
2009/01/06 06:24:18| parse_line: vary_ignore_expire off
2009/01/06 06:24:18| parse_line: sleep_after_fork 0
2009/01/06 06:24:18| parse_line: minimum_expiry_time 60 seconds
2009/01/06 06:24:18| parse_line: relaxed_header_parser on
2009/01/06 06:24:18| parse_line: max_filedesc 1024
2009/01/06 06:24:18| Processing: 'http_port 8080 transparent'
2009/01/06 06:24:18| parse_line: http_port 8080 transparent
2009/01/06 06:24:18| Processing: 'visible_hostname Firewall-Lauro'
2009/01/06 06:24:18| parse_line: visible_hostname Firewall-Lauro
2009/01/06 06:24:18| Processing: 'acl all src 0.0.0.0/0.0.0.0'
2009/01/06 06:24:18| parse_line: acl all src 0.0.0.0/0.0.0.0
2009/01/06 06:24:18| aclParseAclLine: Creating ACL 'all'
2009/01/06 06:24:18| aclParseIpData: 0.0.0.0/0.0.0.0
2009/01/06 06:24:18| Processing: 'acl localhost src 127.0.0.1/255.255.255.255'
2009/01/06 06:24:18| parse_line: acl localhost src 127.0.0.1/255.255.255.255
2009/01/06 06:24:18| aclParseAclLine: Creating ACL 'localhost'
2009/01/06 06:24:18| aclParseIpData: 127.0.0.1/255.255.255.255
2009/01/06 06:24:18| Processing: 'acl to_localhost dst 127.0.0.0/8'
2009/01/06 06:24:18| parse_line: acl to_localhost dst 127.0.0.0/8
2009/01/06 06:24:18| aclParseAclLine: Creating ACL 'to_localhost'
2009/01/06 06:24:18| aclParseIpData: 127.0.0.0/8
2009/01/06 06:24:18| Processing: 'acl ip_liberado src "/etc/squid/ip_liberado.txt"'
2009/01/06 06:24:18| parse_line: acl ip_liberado src "/etc/squid/ip_liberado.txt"
2009/01/06 06:24:18| aclParseAclLine: Creating ACL 'ip_liberado'
2009/01/06 06:24:18| aclParseIpData: 192.168.0.80
2009/01/06 06:24:18| aclParseIpData: 192.168.0.81
2009/01/06 06:24:18| Processing: 'acl ip_restrito src "/etc/squid/ip_restrito.txt"'
2009/01/06 06:24:18| parse_line: acl ip_restrito src "/etc/squid/ip_restrito.txt"
2009/01/06 06:24:18| aclParseAclLine: Creating ACL 'ip_restrito'
2009/01/06 06:24:18| aclParseIpData: 192.168.0.52
2009/01/06 06:24:18| aclParseIpData: 192.168.0.50
2009/01/06 06:24:18| Processing: 'acl sites_liberados url_regex -i "/etc/squid/sites_liberados.txt"'
2009/01/06 06:24:18| parse_line: acl sites_liberados url_regex -i "/etc/squid/sites_liberados.txt"
2009/01/06 06:24:18| aclParseAclLine: Creating ACL 'sites_liberados'
2009/01/06 06:24:18| Processing: 'http_access allow ip_liberado'
2009/01/06 06:24:18| parse_line: http_access allow ip_liberado
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'ip_liberado'
2009/01/06 06:24:18| Processing: 'http_access deny ip_restrito !sites_liberados'
2009/01/06 06:24:18| parse_line: http_access deny ip_restrito !sites_liberados
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'ip_restrito'
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'sites_liberados'
2009/01/06 06:24:18| Processing: 'http_access deny all'
2009/01/06 06:24:18| parse_line: http_access deny all
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'all'
2009/01/06 06:24:18| parse_line: cache_dir ufs /var/spool/squid 100 16 256
2009/01/06 06:24:18| parse_line: follow_x_forwarded_for deny all
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'all'
2009/01/06 06:24:18| parse_line: http_reply_access allow all
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'all'
2009/01/06 06:24:18| parse_line: icp_access deny all
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'all'
2009/01/06 06:24:18| parse_line: ident_lookup_access deny all
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'all'
2009/01/06 06:24:18| parse_line: reply_body_max_size 0 allow all
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'all'
2009/01/06 06:24:18| parse_line: dns_testnames netscape.com internic.net nlanr.net microsoft.com
2009/01/06 06:24:18| parse_line: snmp_access deny all
2009/01/06 06:24:18| aclParseAccessLine: looking for ACL name 'all'
2009/01/06 06:24:18| parse_line: wccp2_service standard 0
2009/01/06 06:24:18| wccp2_add_service_list: added service id 0
2009/01/06 06:24:18| parse_line: coredump_dir none
2009/01/06 06:24:18| Initialising SSL.
2009/01/06 06:24:18| Using SSLv2/SSLv3.
2009/01/06 06:24:18| Setting RSA key generation callback.
2009/01/06 06:24:18| Setting certificate verification callback.
2009/01/06 06:24:18| Setting CA certificate locations.
2009/01/06 06:24:18| cachemgrRegister: registered config
2009/01/06 06:24:18| Squid is already running! Process ID 13902



7. Re: Transparent proxy [SOLVED]

Ricardo Ramos Bastos de Castro
ricardo_bastos

(uses CentOS)

Sent on 06/01/2009 - 18:24h

Buddy, Emerson is also with me on this mission; what he posted there is the same as mine.


8. Re: Transparent proxy [SOLVED]

Andre Fernando Dominguez
afdominguez

(uses Ubuntu)

Sent on 07/01/2009 - 10:41h

Good morning, colleague.
I believe your squid is running fine, but let's go back to basics.
When you set the proxy in the web browser, can you browse normally?


9. Doesn't work

EMERSON SANTOS GUIMARAES
emerson2703

(uses CentOS)

Sent on 07/01/2009 - 19:29h

Good evening

When I configure the proxy manually on the workstations the internet works, but when I disable it, it doesn't work.



10. Re: Transparent proxy [SOLVED]

Richard Andrade
richardandrade

(uses Debian)

Sent on 07/01/2009 - 19:38h

ps ax | grep squid

kill -9 PID_DO_SQUID

invoke-rc.d squid start

or

/etc/init.d/squid start

cheers :D


11. Re: Transparent proxy [SOLVED]

Andre Fernando Dominguez
afdominguez

(uses Ubuntu)

Sent on 07/01/2009 - 20:33h

Colleague, take a look at this article here. I built my squid based on it, only I didn't put in the bind and didn't make the proxy transparent.

http://www.vivaolinux.com.br/artigo/Instalando-servidor-Debian-Memento/?pagina=6

But before setting it to run automatically as the article says, try just starting the iptables service and test it; if it works, then set it to start automatically.

I've been reading some articles and people don't recommend this kind of thing, because you'll have to build a really solid proxy, since it will have to handle every possible kind of traffic.

But there it is; let me know either way, whether you managed it or not.


12. Transparent Proxy

STARCK
[email protected]

(uses Ubuntu)

Sent on 05/01/2011 - 21:22h

In this version the transparent proxy settings are quite different; it's no longer necessary to add these lines to the squid.conf file:

# httpd_accel_port 80
# httpd_accel_host virtual
# httpd_accel_with_proxy on
# httpd_accel_uses_host_header on

# >> Now you only need to put:

http_port 3128 transparent vhost vport

always_direct allow all

# >> The rest of the configuration is the Squid default.

Thanks, friend.. test it and reply to me as soon as you can, ok...
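Added example, not taken from any post in this thread nor from the Squid or iptables projects: a small POSIX shell checker for the one thing that has to line up in both the Squid 2.6 configuration of post 4 and the Squid 3 style line in post 12, namely that the port in the "http_port ... transparent" directive is the same port the iptables REDIRECT rule sends TCP/80 traffic to. The two squid.conf fragments and the iptables-save dump are constructed to mirror those posts; the file names, the mktemp directory and the helper names are assumptions of this example. On a real gateway the inputs would be /etc/squid/squid.conf and the output of "iptables-save -t nat".

```shell
#!/bin/sh
# Added example (not from the thread): verify that the port Squid listens on in
# transparent/intercept mode is the port the iptables REDIRECT rule points at.
# All sample inputs below are constructed for this example.

# Print the port(s) of http_port lines carrying the "transparent" (Squid 2.6)
# or "intercept" (Squid 3.1+) option. An address prefix such as
# 192.168.0.1:8080 is reduced to the port part.
squid_transparent_ports() {
    awk '$1 == "http_port" {
             for (i = 3; i <= NF; i++)
                 if ($i == "transparent" || $i == "intercept") {
                     sub(/.*:/, "", $2); print $2; break
                 }
         }' "$1"
}

# Print the destination port(s) of every REDIRECT rule in an iptables-save dump.
# iptables-save writes "--to-ports"; the command line also accepts the
# abbreviation "--to-port", so both spellings are matched.
iptables_redirect_ports() {
    sed -n 's/.*-j REDIRECT --to-ports\{0,1\} \([0-9][0-9]*\).*/\1/p' "$1"
}

# Compare the two and print a one-line verdict. The function always exits 0;
# the verdict is the text, so it can be used in scripts and tests alike.
check_transparent_proxy() {
    squid_port=$(squid_transparent_ports "$1" | head -n 1)
    nat_port=$(iptables_redirect_ports "$2" | head -n 1)
    if [ -z "$squid_port" ]; then
        echo "error: no http_port with transparent/intercept in $1"
    elif [ -z "$nat_port" ]; then
        echo "error: no REDIRECT rule in $2"
    elif [ "$squid_port" != "$nat_port" ]; then
        echo "mismatch: Squid listens on $squid_port, REDIRECT sends to $nat_port"
    else
        echo "ok: port $squid_port"
    fi
}

# Constructed sample files (assumed names): squid-26.conf mirrors post 4
# (port 8080), squid-3.conf mirrors post 12 (port 3128), nat.rules mirrors
# post 4's PREROUTING rule the way iptables-save prints it.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/squid-26.conf" <<'EOF'
http_port 8080 transparent
visible_hostname Firewall-Lauro
acl all src 0.0.0.0/0.0.0.0
http_access deny all
EOF
    cat > "$dir/squid-3.conf" <<'EOF'
http_port 3128 transparent vhost vport
always_direct allow all
EOF
    cat > "$dir/nat.rules" <<'EOF'
*nat
-A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
EOF
    echo "$dir"
}

# Stand-alone run: the 2.6 config agrees with the rule, the 3.x config
# (port 3128) does not agree with a rule that still redirects to 8080.
samples=$(make_samples)
check_transparent_proxy "$samples/squid-26.conf" "$samples/nat.rules"
check_transparent_proxy "$samples/squid-3.conf" "$samples/nat.rules"
rm -r "$samples"
```

The checker only reports on port agreement; it does not tell you whether the REDIRECT rule is actually being hit. Since only TCP/80 is redirected, HTTPS and every other protocol bypass the proxy entirely, so for a client that browses only when the proxy is set by hand in the browser (post 9) the next thing to look at is the rule's packet counters with "iptables -t nat -L PREROUTING -n -v": a counter that stays at zero while clients browse means the traffic is not reaching that rule at all.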