Squid blocking everything [SOLVED]

1. Squid blocking everything [SOLVED]

Guilherme Alano
guilhermealano

(uses CentOS)

Posted on 26/01/2013 - 14:16h

Dear friends, I have a firewall running dansguardian and squid. But every time I reboot it, squid blocks all browsing.


  


2. Re: Squid blocking everything [SOLVED]

Daniel Lara Souza
danniel-lara

(uses Fedora)

Posted on 26/01/2013 - 15:06h

post your squid.conf and your firewall rules


3. Re: Squid blocking everything [SOLVED]

Guilherme Alano
guilhermealano

(uses CentOS)

Posted on 26/01/2013 - 15:19h


#!/bin/bash

#Load modules
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ip_gre

iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

#Dansguardian test
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 8080
#iptables -A INPUT -m tcp -p tcp ! -s 127.0.0.1 --dport 3128 -j DROP

#Bypass the proxy
#iptables -t nat -A PREROUTING -m mac --mac-source 00:19:5B:FC:34:F8 -j ACCEPT
#iptables -t nat -A PREROUTING -s 192.168.1.11 -d 0.0.0.0/0 -j ACCEPT

iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
iptables -I INPUT -p tcp --dport 10000 -j ACCEPT
iptables -I INPUT -p udp --dport 10000 -j ACCEPT
#Squid security
#iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to 3128

#iptables -A FORWARD -p tcp -d 65.49.2.0/24 -j DROP
#iptables -A FORWARD -p tcp -d 65.49.14.0/24 -j DROP
#iptables -A FORWARD -p tcp --dport 19769 -j DROP

#Allow DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

#Avira
iptables -t nat -I PREROUTING -d 62.146.210/24 -j ACCEPT
iptables -t nat -I PREROUTING -d 62.146.66/24 -j ACCEPT
iptables -t nat -I PREROUTING -d 80.190.130/24 -j ACCEPT
iptables -t nat -I PREROUTING -d 80.190.154/24 -j ACCEPT
iptables -t nat -I PREROUTING -d 80.190.143/24 -j ACCEPT

#msn9 IPs
#iptables -t nat -I PREROUTING -d 65.55.7.141 -j ACCEPT
#iptables -t nat -I PREROUTING -d 65.54.52.62 -j ACCEPT
#iptables -t nat -I PREROUTING -d 65.54.50.225 -j ACCEPT

#Block MSN
#iptables -t nat -A PREROUTING -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -d 64.4.13.0/24 -j REJECT

#VPN
#iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1723 -j DNAT --to 192.168.1.65:1723
#iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 47 -j DNAT --to 192.168.1.65:47

#VNC
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 5900 -j DNAT --to 192.168.1.13:5900

#Allow FTP
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 21 -j DNAT --to 192.168.1.65:21

#Allow FTP TEST
iptables -A INPUT -s 0/0 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -d 0/0 -p tcp --sport 21 -j ACCEPT

#Allow SSH
iptables -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT

#Allow Outlook
iptables -A FORWARD -p udp -s 172.16.5.0/16 -d 200.175.89.139 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 200.175.89.139 --sport 53 -d 172.16.5.0/16 -j ACCEPT
iptables -A FORWARD -p TCP -s 172.16.5.0/16 --dport 25 -j ACCEPT
iptables -A FORWARD -p TCP -s 172.16.5.0/16 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE


echo firewall carregado



4. Re: Squid blocking everything [SOLVED]

Guilherme Alano
guilhermealano

(uses CentOS)

Posted on 26/01/2013 - 15:21h


hierarchy_stoplist cgi-bin ?
cache_mem 128 MB
maximum_object_size 128 MB
minimum_object_size 0 MB
cache_dir ufs /usr/local/squid/var/cache 10000 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
ftp_user Squid@
error_directory /usr/local/squid/share/errors/Portuguese
visible_hostname goesnicoladelli.com.br
http_port 127.0.0.1:3128 transparent

dns_nameservers 192.168.1.1

acl wpad src 172.16.5.1
http_access allow wpad
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 172.16.0.0/12
acl all src 172.16.0.0/12
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 2121 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#Block all unwanted sites
acl bloquearsites url_regex -i "/usr/local/squid/etc/bloqueados"
http_access deny bloquearsites

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
#icp_access allow all
#cache_effective_user squid
#cache_effective_group squid
#coredump_dir /usr/local/squid/var/cache



5. Re: Squid blocking everything [SOLVED]

Guilherme Alano
guilhermealano

(uses CentOS)

Posted on 28/01/2013 - 20:06h

Anything?


6. Re: Squid blocking everything [SOLVED]

André Canhadas
andrecanhadas

(uses Debian)

Posted on 28/01/2013 - 20:42h

guilhermealano wrote:

Anything?


You haven't allowed any site in your squid.conf:

replace:

http_access deny all

with:

http_access allow all


If you need to block something, create the rules and acls with the sites you want to block


7. Re: Squid blocking everything [SOLVED]

Guilherme Alano
guilhermealano

(uses CentOS)

Posted on 31/01/2013 - 23:14h

I changed it and it didn't work, and I also created an acl to allow those sites, but had no success.


8. Re: Squid blocking everything [SOLVED]

André Canhadas
andrecanhadas

(uses Debian)

Posted on 31/01/2013 - 23:21h

guilhermealano wrote:

I changed it and it didn't work, and I also created an acl to allow those sites, but had no success.


post your squid.conf with the changes you made


9. Re: Squid blocking everything [SOLVED]

Guilherme Alano
guilhermealano

(uses CentOS)

Posted on 31/01/2013 - 23:27h

hierarchy_stoplist cgi-bin ?
cache_mem 128 MB
maximum_object_size 128 MB
minimum_object_size 0 MB
cache_dir ufs /usr/local/squid/var/cache 10000 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
ftp_user Squid@
error_directory /usr/local/squid/share/errors/Portuguese
visible_hostname goesnicoladelli.com.br
http_port 127.0.0.1:3128 transparent

dns_nameservers 192.168.1.1

#auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
#auth_param basic children 10
#auth_param basic realm Art Stylo
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

#acl wpad src 172.16.5.1
#http_access allow wpad
#refresh_pattern ^ftp: 1440 20% 10080
#refresh_pattern ^gopher: 1440 0% 1440
#refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl localhost src 172.16.0.0/12
acl all src 172.16.0.0/12
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 2121 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#Allow sites
acl sites_liberados dstdomain "/usr/local/squid/etc/liberados"
http_access allow sites_liberados

#Block all unwanted sites
acl bloquearsites url_regex -i "/usr/local/squid/etc/bloqueados"
http_access deny bloquearsites

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all



10. Re: Squid blocking everything [SOLVED]

André Canhadas
andrecanhadas

(uses Debian)

Posted on 31/01/2013 - 23:39h

One thing I noticed right away is the localhost acl, which is wrong, but I don't know if that's it. Fix it and test again; I'll take a closer look:

acl localhost src 172.16.0.0/12

# becomes:
acl localhost src 127.0.0.1/255.255.255.255



11. Re: Squid blocking everything [SOLVED]

Guilherme Alano
guilhermealano

(uses CentOS)

Posted on 31/01/2013 - 23:46h

Here is my access.log


1359683168.412 2 192.168.1.3 TCP_DENIED/403 1356 GET http://172.16.5.1:8080/wpad.dat - NONE/- text/html
1359683168.420 4 192.168.1.3 TCP_DENIED/403 1452 GET http://mscrl.microsoft.com/pki/mscorp/crl/MSIT%20Machine%20Auth%20CA%202(1).crl - NONE/- text/html
1359683168.458 2 192.168.1.3 TCP_DENIED/403 1356 GET http://172.16.5.1:8080/wpad.dat - NONE/- text/html
1359683168.491 2 192.168.1.3 TCP_DENIED/403 1356 GET http://172.16.5.1:8080/wpad.dat - NONE/- text/html
1359683168.498 3 192.168.1.3 TCP_DENIED/403 1398 GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl - NONE/- text/html
1359683168.537 2 192.168.1.3 TCP_DENIED/403 1356 GET http://172.16.5.1:8080/wpad.dat - NONE/- text/html
1359683168.570 2 192.168.1.3 TCP_DENIED/403 1356 GET http://172.16.5.1:8080/wpad.dat - NONE/- text/html
1359683168.577 3 192.168.1.3 TCP_DENIED/403 1402 GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl - NONE/- text/html
1359683168.617 2 192.168.1.3 TCP_DENIED/403 1356 GET http://172.16.5.1:8080/wpad.dat - NONE/- text/html
1359683168.650 2 192.168.1.3 TCP_DENIED/403 1356 GET http://172.16.5.1:8080/wpad.dat - NONE/- text/html
1359683168.657 3 192.168.1.3 TCP_DENIED/403 1470 GET http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20Secure%20Server%20Authority(8).crl - NONE/- text/html



12. Re: Squid blocking everything [SOLVED]

André Canhadas
andrecanhadas

(uses Debian)

Posted on 31/01/2013 - 23:51h

Add this line to the port acls:


acl Safe_ports port 8080 # wpad


And change:

http_port 127.0.0.1:3128 transparent
# to:
http_port 3128 transparent


Restart squid after that
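As an added example (not part of the thread or of Squid itself), a Python model of how Squid evaluates `http_access` rules, using the port and src ACLs posted in post 9 and replayed against two log lines constructed after the access.log in post 11. It goes a step beyond the thread's advice: the posted `acl Safe_ports port 1025-65535` already covers 8080, and the posted `acl all src 172.16.0.0/12` does not match the 192.168.1.3 client seen in the log, so that client's requests match no rule and fall through to Squid's default, which is the opposite of the last rule. The `http_access` and `replay` helpers and the rule subset modelled (file-based and manager ACLs omitted, since their contents are not on the page) are assumptions of this model.

```python
import ipaddress
from urllib.parse import urlsplit

# Rule subset modelled from post 9; liberados/bloqueados and manager ACLs are
# left out because their file contents are not on the page.
SAFE_PORTS = {80, 21, 2121, 443, 563, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443, 563}
SRC_ACLS = {"all": "172.16.0.0/12"}  # exactly as posted: 'all' is not 0.0.0.0/0
RULES = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["all"])]

def acl_matches(name, client_ip, method, port, safe_ports, src_acls):
    negate = name.startswith("!")
    base = name.lstrip("!")
    if base == "Safe_ports":
        hit = port in safe_ports
    elif base == "SSL_ports":
        hit = port in SSL_PORTS
    elif base == "CONNECT":
        hit = method == "CONNECT"
    else:  # any other name is treated as a src ACL
        hit = ipaddress.ip_address(client_ip) in ipaddress.ip_network(src_acls[base])
    return hit != negate

def http_access(client_ip, method, url, safe_ports=SAFE_PORTS, src_acls=SRC_ACLS, rules=RULES):
    """Squid semantics: the first rule whose ACLs all match decides; if no rule
    matches, the result is the opposite of the LAST rule's action."""
    if method == "CONNECT":
        port = int(url.rsplit(":", 1)[1])  # CONNECT requests carry host:port
    else:
        port = urlsplit(url).port or 80
    for action, acls in rules:
        if all(acl_matches(a, client_ip, method, port, safe_ports, src_acls) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed after the access.log excerpt in post 11 (Squid native format:
# timestamp elapsed client code/status bytes method URL ident hierarchy type).
SAMPLE_LOG = [
    "1359683168.412 2 192.168.1.3 TCP_DENIED/403 1356 GET http://172.16.5.1:8080/wpad.dat - NONE/- text/html",
    "1359683168.498 3 192.168.1.3 TCP_DENIED/403 1398 GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl - NONE/- text/html",
]

def replay(lines, safe_ports=SAFE_PORTS, src_acls=SRC_ACLS):
    """Re-evaluate each logged request under the modelled rules: [(url, decision), ...]."""
    out = []
    for line in lines:
        f = line.split()
        out.append((f[6], http_access(f[2], f[5], f[6], safe_ports, src_acls)))
    return out
```

Running `replay(SAMPLE_LOG)` reproduces the TCP_DENIED outcome for both URLs; passing `src_acls={"all": "0.0.0.0/0"}` shows the same client being allowed once `all` actually covers it.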


