Problem with Squid or iptables?

1. Problem with Squid or iptables?

João Alberto Rolim Rebouças
seth_beto

(uses Debian)

Posted on 14/11/2007 - 14:45

Folks... I'm running Debian and I've just finished configuring Squid... but Outlook doesn't work... I'd like to know how to fix it.
I use both the standard ports (25, 110) and Gmail's SSL ones (995, 465).

I have a router connected to the Linux server (proxy) and an internal network of PCs...
The router gets a valid IP and passes it on via DMZ to the proxy server over DHCP...

router (192.168.1.1) - proxy (eth1 dhcp / eth2 10.0.0.1) - internal network (10.0.0.0/24)

The Squid configuration follows below:

################################################
##### Port, Name and Cache #####
################################################
#
http_port 3128 transparent
visible_hostname Teste
#
cache_mem 150 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 256 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
#
################################################
##### Log #####
################################################
#
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_log /var/squid/logs/cache.log
cache_dir ufs /var/spool/squid 20000 16 256
#
################################################
##### ACLs #####
################################################
#
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
#
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 1025-65535 # unregistered ports
#
acl SSL_ports port 443 # https
acl SSL_ports port 465 # YAHOO - SMTP (SSL)
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 995 # YAHOO - POP3 (SSL)
#
acl purge method PURGE
acl CONNECT method CONNECT
#
################################################
##### Access Rights #####
################################################
#
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow SSL_ports
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
#
################################################
## USING NCSA_AUTH ##
################################################
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic realm Servidor Proxy de Internet Proinco. Entre com seu Usuario e Senha.
#auth_param basic children 5
#
#
################################################
## AUTHENTICATION ##
################################################
#
acl autenticados proxy_auth REQUIRED
#
################################################
## BLOCK WORDS ##
################################################
#
acl acesso_full proxy_auth "/etc/squid/acessos/acesso_full"
acl bloquear_palavras url_regex -i "/etc/squid/bloqueios/bloquear_palavras"
deny_info http://www.proinco.com.br bloquear_palavras
#
################################################
## BLOCK MESSENGER ##
################################################
#
acl bloquear_msn dstdomain "/etc/squid/bloqueios/bloquear_msn"
acl acesso_msn proxy_auth "/etc/squid/acessos/acesso_msn"
http_access allow acesso_msn bloquear_msn
http_access deny bloquear_msn
deny_info http://www.proinco.com.br bloquear_msn
################################################
## BLOCK ORKUT ##
################################################
#
acl bloquear_orkut url_regex -i "/etc/squid/bloqueios/bloquear_orkut"
acl acesso_orkut proxy_auth "/etc/squid/acessos/acesso_orkut"
http_access allow acesso_orkut bloquear_orkut
http_access deny bloquear_orkut
deny_info http://www.proinco.com.br bloquear_orkut
#
################################################
## BLOCK GOOGLE TALK ##
################################################
#
acl bloquear_googletalk url_regex -i "/etc/squid/bloqueios/bloquear_googletalk"
acl acesso_googletalk proxy_auth "/etc/squid/acessos/acesso_googletalk"
http_access allow acesso_googletalk bloquear_googletalk
http_access deny bloquear_googletalk
deny_info http://www.proinco.com.br bloquear_googletalk
#
################################################
## BANDWIDTH CONTROL ##
################################################
#
acl livre proxy_auth "/etc/squid/acessos/acesso_banda"
acl block src 10.0.0.0/255.255.255.0
delay_pools 2
#
# Class 1 - Internet access at 512k
#
delay_class 1 2
delay_parameters 1 -1/-1 69000/69000
#
# Class 2 - Internet access at 180k
#
delay_class 2 2
delay_parameters 2 -1/-1 22500/22500
delay_access 1 allow livre
delay_access 2 allow block
#
http_access allow autenticados acesso_full
http_access allow acesso_full bloquear_palavras
http_access deny bloquear_palavras
#
acl redelocal src 10.0.0.0/255.255.255.0
http_access allow localhost
http_access allow redelocal
#
http_access deny all




  


2. Help

João Alberto Rolim Rebouças
seth_beto

(uses Debian)

Posted on 23/11/2007 - 20:51

If anyone can help me... I'd be grateful!


3. Re: Problem with Squid or iptables?

Marcelo Cesario
msscesario

(uses Debian)

Posted on 23/11/2007 - 21:06

Post your firewall here...

or otherwise open the ports so that they can get out, right, buddy

See you


4. Re: Problem with Squid or iptables?

Pedro Augusto Malanga
malanga

(uses Debian)

Posted on 23/11/2007 - 21:43

Can the machines on your network resolve names?

Like ping www.uol.com.br????


5. Problems with your firewall, my friend

Leandro Alexandre ®
le-unix

(uses Debian)

Posted on 25/11/2007 - 23:54

Dear friend, the problem you mention is in the firewall.
Open ports 25 and 110 in your firewall.


6. Opening the ports in the firewall

GIULIANO LANES
lanes

(uses Debian)

Posted on 29/11/2007 - 11:42

You need to open the ports in the firewall

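# Assumed: $ipt holds the path to the iptables binary, as set in the firewall script
ipt=/sbin/iptables
#SMTP - OUTBOUND (LAN client to a remote server on port 25)
$ipt -A FORWARD -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0.0.0.0 --dport 25 -j ACCEPT
#SMTP - RETURN (replies from the remote server's port 25 back to the LAN)
$ipt -A FORWARD -p tcp -s 0.0.0.0/0.0.0.0 --sport 25 -d 192.168.1.0/24 -j ACCEPT
#POP3 - OUTBOUND (LAN client to a remote server on port 110)
$ipt -A FORWARD -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0.0.0.0 --dport 110 -j ACCEPT
#POP3 - RETURN (replies from the remote server's port 110 back to the LAN)
$ipt -A FORWARD -p tcp -s 0.0.0.0/0.0.0.0 --sport 110 -d 192.168.1.0/24 -j ACCEPT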

Where the IP 192.168.1.0 is your network, i.e. your network's IP range, and /24 is the network mask.

The "0.0.0.0/0.0.0.0" is any internal network.

Hope this helps!


7. Re: Problem with Squid or iptables?

Elgio Schlemer
elgio

(uses OpenSuSE)

Posted on 29/11/2007 - 12:08

What?

Are you trying to use Squid as a proxy for SMTP/POP?

No, no...

Squid is an HTTP and FTP proxy!
For SMTP you should set up an internal relay.

For POP (POPS, please), NAT takes care of it.
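
Added example, not part of the original thread: a generator for an `iptables-restore` ruleset that keeps Squid for HTTP only and lets mail clients out through NAT, with replies matched by connection state. The interface roles (eth1 WAN, eth2 LAN), the external DNS resolver and the default port list (110, 465, 995, with port 25 left to a relay) are assumptions drawn from the topology in post 1.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables-restore ruleset.
# Assumed: eth1 = WAN (DHCP from the router), eth2 = LAN 10.0.0.0/24,
# Squid intercepting on 3128, clients using an external DNS resolver.
# Port 25 is left out of the default list, following the relay advice.

gen_rules() {
    wan=${1:-eth1}
    lan=${2:-eth2}
    net=${3:-10.0.0.0/24}
    mail_ports=${4:-110,465,995}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only web traffic is handed to Squid; mail never reaches the proxy.
-A PREROUTING -i $lan -s $net -p tcp --dport 80 -j REDIRECT --to-ports 3128
# Forwarded LAN traffic leaves with the WAN interface's address.
-A POSTROUTING -o $wan -s $net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Squid is reachable from the LAN only, never from the WAN side.
-A INPUT -i $lan -s $net -p tcp --dport 3128 -j ACCEPT
# Add any other local services (SSH, DHCP, DNS) here before loading.
# Replies are accepted by connection state, not by a stateless --sport match.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Name resolution for the mail clients.
-A FORWARD -i $lan -o $wan -s $net -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -p tcp --dport 53 -j ACCEPT
# New connections from the LAN to the mail ports only.
-A FORWARD -i $lan -o $wan -s $net -p tcp -m multiport --dports $mail_ports -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; review it, then pipe the output into iptables-restore.
gen_rules "$@"
```

Forwarding must also be enabled on the proxy (`net.ipv4.ip_forward=1`) for the NAT path to carry any traffic.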





