Squid3 no Debian 8 (Jessie) com suporte a filtro de páginas HTTPS

Muito bom artigo! Favoritado. Vou usar como guia essa semana.

Obrigado Fábio!

Opa, muito bacana! E veio em uma hora muito oportuna pra mim! Obrigado!! Só uma questão didática: essa troca de certificado, é feita com qual objetivo? Enfim, vi que dá o erro de certificado nos navegadores, só não entendi pq isso acontece e a necessidade de "enganá-los" com um certificado intermediário. Isso não pode gerar uma possível brecha na segurança? Um abraço, e novamente, obrigado!

Olá Leonardo,
Como o tráfego https é criptografado, precisamos interceptá-lo para conseguir abrir o conteúdo e tomar as ações de bloqueios e liberações.
Assim precisamos regenerar os certificados para os usuários.
Leia essa referência do artigo http://wiki.squid-cache.org/Features/DynamicSslCert e sobre o tema.

Até!

Sérgio Abrantes

Leonardo,

Quanto a questão da segurança, o funcionamento é semelhante ao ataque man-in-the-middle onde você acha que está acessando o site diretamente, mas na verdade há uma outra pessoa no caminha vendo tudo que se passa.
O arquivo /etc/squid3/certificado/empresa.pem não deve ser exposto para não comprometer a segurança.
Apenas o arquivo /etc/squid3/certificado/empresa.der deve ser divulgado.
Caso divulgue por engano o arquivo, pode gerar novos certificados para o servidor e desktop.
Um outro detalhe é que o uso do proxy geralmente é interno. Então não está exposto diretamente na internet.
Nunca encontrei nada sobre um exploração nesse sentido.
Um outro fator importante é que todos os pacotes utilizados pertencem a sessão main do Debian, onde há um rígido controle e verificação de segurança.
Na minha visão o que potencializaria essa situação é a exposição do arquivo citado acima.

Até!

Sérgio Abrantes

Bom dia, me desculpe pela pergunta pois ainda sou um pouco inexperiente quando o assunto é linux mas, quando se usa proxy transparente essa solução funciona ?

Muito bom o artigo parabéns, o unico problema que vejo é que a maioria dos artigos não utiliza autenticação de usuários e acho que não é o que acontece na maioria dos lugares onde será utilizado, é sempre legal tratar artigos relacionados a segurança/servidores com algum tipo de autenticação e controle de usuários.
PS. este artigo poderia se tornar um e-book bem legal se complementar com a configuração do squidguard, criação de grupos de bloqueio e usuários e talvez o sarg.

Felipe,

Essa solução é baseada em proxy transparente como pode observar depois nas configurações do squid.conf:

http_port 3128 transparent
https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certificado/empresa.pem

Até!

Sérgio Abrantes

Willian,

Legal a sugestão, caso tenha interesse em compilar um ebook, podemos conversar melhor.
Esse artigo é baseado em proxy transparente.
A compilação que é realizada aqui já suporta autenticações como pode ver no arquivo /var/cache/apt-build/build/squid3-3.4.8/debian/rules :
--enable-auth-basic="DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB"

Voce pode remover o transparent em http_port e https_port e adicionar o método que você preferir.

Até!

Parabens, excelente trabalho!!!

Aqui tive o seguinte erro ao compilar:
debian/rules: 1: debian/rules: DEB_CONFIGURE_EXTRA_FLAGS: not found
debuild: fatal error at line 1352:
couldn't exec debian/rules:
Error while building squid3!
Sorry, no package to install.

Você também passou por isso? Estou usando o debian 8 virtualizado.

Um abraço!

leorocco,

Quais passos você fez e o que fez para chegar nesse erro?

Até!

Sérgio Abrantes

Muito bom o artigo. Sempre utilizei CentOS com squid 2.7.

Estou tentando essa versão do squid3 no Debian como mencionado, mas na hora de compilar, aparece um erro:

make[1]: Leaving directory '/var/cache/apt-build/build/squid3-3.4.8'
rm -f debian/stamp-autotools
rmdir --ignore-fail-on-non-empty .
rmdir: falhou em remover “.”: Argumento inválido
/usr/share/cdbs/1/class/autotools.mk:52: recipe for target 'makefile-clean' failed
make: [makefile-clean] Error 1 (ignored)
for i in ./libltdl/config/config.guess ./cfgaux/config.guess ./libltdl/config/config.sub ./cfgaux/config.sub ; do \
if test -e $i.cdbs-orig ; then \
mv $i.cdbs-orig $i ; \
fi ; \
done
dh_clean
rm -f debian/stamp-autotools-files

# nothing to do
Error while building squid3!
Sorry, no package to install.

Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17)


-----------------------------------------------------------------

Reiniciei a máquina e deu certo. Que estranho, algum processo deve ter travado, mas enfim, tudo ok!

Que bom bkammers!

Muito legal o artigo irmão, uma vez fiz isso no Pfsense, gerando o certificado e tudo mais e funcionou tranquilo, embora eu não seja fã de proxy transparente. Geralmente quando uso o squid, prefiro o proxy nos navegadores, assim tenho um controle muito melhor sobre o acesso, mas é apenas uma questão de gosto. Mas o artigo está show...

Obrigado WBaluz !

Sérgio Abrantes, fiz exatamente os passo como no tutorial. Os erros aconteceram na compilação, executando o "apt-get build-dep squid3".

WBaluz, também prefiro o proxy no navegador. Faço a distribuição via WPAD e acho mais interessante o controle... Vou testar esse tutorial sendo não transparente =)

Um abraço, pessoal!

Bom dia leorocco,

A etapa citada "apt-get build-dep squid3" não é a compilação, mas sim baixar as dependências do pacote do squid3.

Segue o comando do meu desktop:

root@abrantes:/etc/network# apt-get build-dep squid3
Lendo listas de pacotes... Pronto
Construindo árvore de dependências
Lendo informação de estado... Pronto
Note, selecting 'libcap-dev' instead of 'libcap2-dev'
Os NOVOS pacotes a seguir serão instalados:
cdbs comerr-dev krb5-multidev libcap-dev libcppunit-1.13-0 libcppunit-dev libdb-dev libdb5.3-dev libecap2 libecap2-dev
libexpat1-dev libgmp-dev libgmpxx4ldbl libgssrpc4 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-dev libldap2-dev libltdl-dev
libnetfilter-conntrack-dev libnfnetlink-dev libpam0g-dev libsasl2-dev libxml2-dev nettle-dev pkg-config
0 pacotes atualizados, 27 pacotes novos instalados, 0 a serem removidos e 2 não atualizados.
É preciso baixar 5.058 kB de arquivos.
Depois desta operação, 18,3 MB adicionais de espaço em disco serão usados.
Você quer continuar? [S/n]

Revise seu /etc/apt/source.list. Segue o meu.

deb http://ftp.br.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.br.debian.org/debian/ jessie main contrib non-free

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

# jessie-updates, previously known as 'volatile'
deb http://ftp.br.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.br.debian.org/debian/ jessie-updates main contrib non-free

Leorocco, tb acho mais interessante fazer assim, pois você tem mais controle sobre tudo que passa por ele, além de matar tanto http quanto https. O WPAD funciona muito bem, principalmente para quem gosta de trabalhar (não só) com o PFsense+proxy transparente, habilitando a tag "intecept" para ele ler as págs https.. Eu gosto de configurar o iptables para fazer o redirecionamento automático, para a porta do squid, caso um experto tente tirar o proxy do navegador kkkkkk.

WBaluz,

Mas esse artigo aborda tanto http como https (esse em especial que não vem habilitado por padrão no pacote pré-compilado). Faço o redirecionamento pelo iptables das portas para o squid tratar.
Assim não há como navegar sem passar pelo proxy. E se quiser também, pode adicionar o proxy manualmente no navegador.

Até!

Pelo,

Exato, isso mesmo q falei, pois caso o squid não seja compilado da maneira do artigo, o redirecionamento só funciona para a porta 80, caso faça pela 443, ele vai apresentar erro de certificado.. No caso do WPAD, ele deixa o Servidor DNS passar as confs automáticas em relação ao proxy, Assim seria uma solução para quem quer usar o proxy transparente + tratamento de paginas https.

Bom dia pessoal, gostaria de parabenizar ao Sergio pelo tutorial que foi o primeiro que vi funcionar , antes so conseguia filtrar https usando o pfsense. Gostaria de saber se alguém resolveu um problema que aconteceu comigo, por ex o aplicativo do banco itau e do Bradesco não funcionam por conta do certificado importado pro navegador, tentei colocar eles tanto ip como dominio numa whitelist do squid e também com o iptables para não passar pelo proxy, porem não deu certo. Alguém passou por isso e resolveu? Obrigado

Parabéns Sergio!! Ótimo trabalho! Precisamos de mais contribuições como a sua! obrigado

Opa! Exatamente, Sérgio! Meu source.list devia estar diferente. Agora foi!

Agora tenho o seguinte erro:
2016/03/21 15:05:58| FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.

Obs.: fiz uma única alteração: retirei a configuração de transparente do squid.conf.

Nos falamos :)

Um grande abraço e obrigado pela ajuda!

Boa tarde, excelente artigo, fiz todo o procedimento, funcionou blz, porém, estou com problema na atualização do Windows, no meu caso o 10, quando mando atualizar, me aparece o erro: (0x800946004), se eu tiro a linha de captura da porta 443, funciona normalmente, teria alguma solução pratica no próprio proxy sem ter que mexer nas estações?

Clayton,

Que bom que deu certo.
Erros de certificado o Squid bloqueia com uma tela parecida com a tela de bloqueio de site. Podemos transferir para o usuário a responsabilidade de, por exemplo, adicionar como execeção de segurança.
Para isso, adicione a seguinte linha: "sslproxy_cert_error allow all".

Uma outra alternativa é fazer com que o Squid não faça a regeneração dos certificados para sites ou IPs.
Adicione duas ACLs.
acl ssl-ignore-hosts dstdomain "/etc/squid3/ssl-ignore-hosts"
acl ssl-ignore-ips dst "/etc/squid3/ssl-ignore-ips"

Depois coloque-as antes de "ssl_bump server-first all" como abaixo:

ssl_bump none ssl-ignore-hosts
ssl_bump none ssl-ignore-ips
ssl_bump server-first all

Dentro de "/etc/squid3/ssl-ignore-hosts" coloque microsoft.com por exemplo.
Esses passos devem resolver.

Até!

Sérgio Abrantes

Boa tarde Sérgio, ótimo artigo, implementei sem problemas. O incrível é que estou com um problema básico, mas está me tirando o sono. Nesta versão nova do Debian (na versão anterior, não tinha o problema), como efetuar o reload (por exemplo squid3 -k reconfigure, service squid3 reload) o comando não funciona, tenho que dar um kill -9 processo do squid, para parar e depois reiniciar o squid. Aguardo, muito obrigado, grande abraço!

Olá Diter,

Enviei uma mensagem pra você pelo VOL com o meu squip em /etc/init.d/squid3.
Ele está padrão da instalação e está funcionando.

Até!

Sérgio Abrantes

Excelente artigo e obrigado por compartilhar. Nos computadores e notebooks funcionou muito bem, porém em celulares não consegui acessar sites https, ou até mesmo aplicativos bancários. Vi que nos celulares Android existe uma opção de instalar certificados, porém não lê certificados .der. Sabe qual pode ser a solução? Obrigado

Nelson,

Infelizmente não tenho esse cenário para poder ajudar.

Até!

Sérgio Abrantes

Excelente artigo muito bom mesmo. Mas estou com problemas na hora de rodar o comando:

/usr/lib/squid3/ssl_crtd -c -s /etc/squid3/certificado/ssl_db -M 4MB

ele responde:

bash: /usr/lib/squid3/ssl_crtd: Arquivo ou diretório não encontrado

Alguém pode me ajudar por favor.

Cara show! um dos melhores artigos aqui do VOL. bem didatico e direto. fico muito agradecido pela sua disponibilidade em semear conhecimentos...

Fiz todo o processo nenhum erro ocorreu! proxy funcionando. porem soh funcionar se eu setar a configuração do proxy
no navegador...! naum eh um Proxy transparente?? fiz a regra de iptables pra minha rede como manda o figurino mais é como-se ele nao obedecesse. que estranho.

~~~~~~~~===~~~~~~~~===~~~~~~~~===~~~~~~~===
{ Papai..., o que é Software?
meu filho..., Software é a parte que você xinga...
...mais Pai! então o que é Hardware ?
meu guri..., Hardware é a parte que você chuta! ...
... hhha tá.. }

Que legal chaplinux!
Me mande via VOL uma mensagem com o teu firewall.
Alguma regra deve estar invalidando a regra pra fazer transparente.
Até!

Sérgio Abrantes

Sérgio, muito bom o artigo, só acredito que nessa versão do Squid, deve ser substítuido o transparent por intercept no squid.conf

Tudo certo itsl3v1s?

Aqui está funcionando como está e outras pessoas replicaram sem problemas.
Como ficaria a configuração e o que muraria?

Até!

Sérgio Abrantes

Fiz exatamente conforme o artigo:

root@proxy01:~# uname -a
Linux proxy01 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux

root@proxy01:~# apt-build install squid3
-----> Installing build dependencies (for squid3=3.4.8-6+deb8u3) <-----
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
-----> Updating package lists <-----
Ign file: apt-build InRelease
Ign file: apt-build Release.gpg
Get:1 file: apt-build Release [107 B]
Hit http://security.debian.org jessie/updates InRelease
Ign file: apt-build/main Translation-en_US
Ign file: apt-build/main Translation-en
Hit http://security.debian.org jessie/updates/main Sources
Hit http://security.debian.org jessie/updates/contrib Sources
Hit http://security.debian.org jessie/updates/non-free Sources
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://security.debian.org jessie/updates/contrib amd64 Packages
Hit http://security.debian.org jessie/updates/non-free amd64 Packages
Hit http://security.debian.org jessie/updates/contrib Translation-en
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://security.debian.org jessie/updates/non-free Translation-en
Hit http://ftp.debian.org jessie-updates InRelease
Hit http://ftp.debian.org jessie-updates/main Sources
Hit http://ftp.debian.org jessie-updates/contrib Sources
Hit http://ftp.debian.org jessie-updates/non-free Sources
Get:2 http://ftp.debian.org jessie-updates/main amd64 Packages/DiffIndex [5,440 B]
Hit http://ftp.debian.org jessie-updates/contrib amd64 Packages
Get:3 http://ftp.debian.org jessie-updates/non-free amd64 Packages/DiffIndex [736 B]
Hit http://ftp.debian.org jessie-updates/contrib Translation-en
Get:4 http://ftp.debian.org jessie-updates/main Translation-en/DiffIndex [2,704 B]
Get:5 http://ftp.debian.org jessie-updates/non-free Translation-en/DiffIndex [736 B]
Ign http://http.debian.net jessie InRelease
Hit http://http.debian.net jessie Release.gpg
Hit http://http.debian.net jessie Release
Hit http://http.debian.net jessie/main amd64 Packages
Hit http://http.debian.net jessie/non-free amd64 Packages
Hit http://http.debian.net jessie/contrib amd64 Packages
Hit http://http.debian.net jessie/contrib Translation-en
Hit http://http.debian.net jessie/main Translation-en
Hit http://http.debian.net jessie/non-free Translation-en
Fetched 9,616 B in 7s (1,219 B/s)
Reading package lists... Done
-----> Downloading source squid3 (3.4.8-6+deb8u3) <-----
Reading package lists... Done
Building dependency tree
Reading state information... Done
NOTICE: 'squid3' packaging is maintained in the 'Git' version control system at:
git://anonscm.debian.org/pkg-squid/pkg-squid3.git/
Skipping already downloaded file 'squid3_3.4.8-6+deb8u3.dsc'
Skipping already downloaded file 'squid3_3.4.8.orig.tar.bz2'
Skipping already downloaded file 'squid3_3.4.8-6+deb8u3.debian.tar.xz'
Need to get 0 B of source archives.
Skipping unpack of already unpacked source in squid3-3.4.8
-----> Building squid3 <-----
dpkg-buildpackage: source package squid3
dpkg-buildpackage: source version 3.4.8-6+deb8u3+aptbuild3
dpkg-buildpackage: source distribution UNRELEASED
dpkg-buildpackage: source changed by root <root@proxy01.securitybox.com.br>
dpkg-buildpackage: host architecture amd64
dpkg-source --before-build squid3-3.4.8
debian/rules clean
debian/rules:44: *** recipe commences before first target. Stop.
dpkg-buildpackage: error: debian/rules clean gave error exit status 2
----> Cleaning up object files <-----
Cleaning in directory .
debian/rules:44: *** recipe commences before first target. Stop.
debuild: fatal error at line 1352:
couldn't exec debian/rules:
Error while building squid3!
Sorry, no package to install.

Achei o erro, acabou ficando um espaço depois de uma das '\" no rules

valeu

Parabéns pelo artigo Sergio Abrantes.

Segui todos os passos do artigo, funcionou quase que perfeitamente, só estou com um problema com o outlook, acessando pelo navegador, tem hora que abre, tem hora que não, fica uma página em branco após fazer o login, e não consegui descobrir onde está o erro, não sei se está no squid.conf ou se está no firewall, quando coloco para passar direto sem ser pelo squid funciona normal.

Gostaria de ter ajuda para conseguir resolver esse problema pois já bati demais a cabeça e não consegui.

Segue o firewall e o squid.conf:

FIREWALL
########################################################################################################################
#POLITICA PADRAO DROP
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
#######################################################################################################################

##############################################################################
#HABILITANDO MODULOS HTB
#iptables -A OUTPUT -t mangle -m tos --tos 0x04 -j MARK --set-mark 0x04
#modprobe sch_htb
#modprobe sch_sfq
#modprobe cls_u32
##############################################################################

########################################################################################################################
#Compartilhando Internet
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
########################################################################################################################

########################################################################################################################
#REDIRECIONAMENTO PORTAL DA TRANSPARENCIA
iptables -t nat -A PREROUTING -d $ETH2 -p tcp --dport 5660 -j DNAT --to 192.168.1.2:5660
iptables -t nat -A POSTROUTING -d 192.168.1.2 -p tcp --dport 5660 -j SNAT --to $ETH2
iptables -A FORWARD -p tcp -s 0/0 --sport 1024:65535 -d 192.168.1.2 --dport 5660 -j ACCEPT
iptables -A FORWARD -p tcp -d 0/0 --dport 1024:65535 -s 192.168.1.2 --sport 5660 -j ACCEPT
iptables -A INPUT -p tcp --dport 5660 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5660 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 5660 -j ACCEPT
iptables -A INPUT -p tcp --sport 5660 -j ACCEPT
iptables -t nat -A PREROUTING -d $ETH2 -p tcp --dport 5659 -j DNAT --to 192.168.1.2:5659
iptables -t nat -A POSTROUTING -d 192.168.1.2 -p tcp --dport 5659 -j SNAT --to $ETH2
iptables -A FORWARD -p tcp -s 0/0 --sport 1024:65535 -d 192.168.1.2 --dport 5659 -j ACCEPT
iptables -A FORWARD -p tcp -d 0/0 --dport 1024:65535 -s 192.168.1.2 --sport 5659 -j ACCEPT
iptables -A INPUT -p tcp --dport 5659 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5659 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 5659 -j ACCEPT
iptables -A INPUT -p tcp --sport 5659 -j ACCEPT
iptables -t nat -A PREROUTING -d $ETH2 -p tcp --dport 5658 -j DNAT --to 192.168.1.2:5658
iptables -t nat -A POSTROUTING -d 192.168.1.2 -p tcp --dport 5658 -j SNAT --to $ETH2
iptables -A FORWARD -p tcp -s 0/0 --sport 1024:65535 -d 192.168.1.2 --dport 5658 -j ACCEPT
iptables -A FORWARD -p tcp -d 0/0 --dport 1024:65535 -s 192.168.1.2 --sport 5658 -j ACCEPT
iptables -A INPUT -p tcp --dport 5658 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5658 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 5658 -j ACCEPT
iptables -A INPUT -p tcp --sport 5658 -j ACCEPT
########################################################################################################################

########################################################################################################################
#REDIRECIONAMENTO AREA DE TRABALHO REMOTA
iptables -t nat -A PREROUTING -d $ETH2 -p tcp --dport 3389 -j DNAT --to 192.168.1.2:3389
iptables -t nat -A POSTROUTING -d 192.168.1.2 -p tcp --dport 3389 -j SNAT --to $ETH2
iptables -A FORWARD -p tcp -s 0/0 --sport 1024:65535 -d 192.168.1.2 --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp -d 0/0 --dport 1024:65535 -s 192.168.1.2 --sport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3389 -j ACCEPT
########################################################################################################################


#SERVIDOR
#iptables -t nat -A PREROUTING -p tcp -s 192.168.1.2 -d 0/0 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -d 192.168.1.2 -s 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.2 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.2 -s 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.2 -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.1.2 -j ACCEPT
#iptables -t nat -A PREROUTING -p udp -s 192.168.1.2 -d 0/0 -j ACCEPT
#iptables -t nat -A PREROUTING -p udp -d 192.168.1.2 -s 0/0 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.2 -d 0/0 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.1.2 -s 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.2 -j ACCEPT
iptables -A OUTPUT -p udp -d 192.168.1.2 -j ACCEPT


#CONTABILIDADE1
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.200 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.200 -s 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.200 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.200 -s 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.200 -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.1.200 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -s 192.168.1.200 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -d 192.168.1.200 -s 0/0 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.200 -d 0/0 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.1.200 -s 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.200 -j ACCEPT
iptables -A OUTPUT -p udp -d 192.168.1.200 -j ACCEPT

#CONTABILIDADE2
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.201 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 -s 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.201 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.201 -s 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.201 -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.1.201 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -s 192.168.1.201 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -d 192.168.1.201 -s 0/0 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.201 -d 0/0 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.1.201 -s 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.201 -j ACCEPT
iptables -A OUTPUT -p udp -d 192.168.1.201 -j ACCEPT

#ARRECADAÇÃO
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.178 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.178 -s 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.178 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.178 -s 0/0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.178 -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.1.178 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -s 192.168.1.178 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -d 192.168.1.178 -s 0/0 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.178 -d 0/0 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.1.178 -s 0/0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.178 -j ACCEPT
iptables -A OUTPUT -p udp -d 192.168.1.178 -j ACCEPT

########################################################################################################################
#LIBERANDO E-MAIL
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --sport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -p tcp --sport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp --sport 587 -j ACCEPT
########################################################################################################################

#HABILITANDO FTP
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 20 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 --dport 1024:65535 -d 0/0 --sport 20 -j ACCEPT

iptables -A FORWARD -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 --dport 1024:65535 -d 0/0 --sport 21 -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 1024:65535 -d 0/0 --sport 20 -j ACCEPT

iptables -A OUTPUT -p tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 1024:65535 -d 0/0 --sport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
########################################################################################################################

########################################################################################################################
#CONECTIVIDADE SOCIAL
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.201.174.207 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.201.174.207 --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.201.174.207 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.201.174.207 --sport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.201.174.204 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.201.174.204 --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.201.174.204 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.201.174.204 --sport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.201.174.204 --dport 2631 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.201.174.204 --sport 2631 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.201.174.204 --dport 2631 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.201.174.204 --sport 2631 -j ACCEPT
#########################################################################################################################

#########################################################################################################################
#SKYLINE
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.124.60.100 --dport 8800 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.124.60.100 --sport 8800 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.124.60.100 --dport 8800 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.124.60.100 --sport 8800 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 199.36.100.106 --dport 8800 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 199.36.100.106 --sport 8800 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 199.36.100.106 --dport 8800 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 199.36.100.106 --sport 8800 -j ACCEPT
#########################################################################################################################

#########################################################################################################################
#RAIS
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 161.148.174.239 --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 161.148.174.239 --sport 443 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 161.148.174.239 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 161.148.174.239 --sport 443 -j ACCEPT
#########################################################################################################################


#########################################################################################################################
#DATASUS
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.28.143.47 --dport 43962 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.28.143.47 --sport 43962 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.28.143.47 --dport 43962 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.28.143.47 --sport 43962 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.214.44.204 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.214.44.204 --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.214.44.204 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.214.44.204 --sport 80 -j ACCEPT

#########################################################################################################################

#########################################################################################################################
#RECEITANET
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.198.239.21 --dport 3443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.198.239.21 --sport 3443 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.198.239.21 --dport 3443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.198.239.21 --sport 3443 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.9.71.11 --dport 3456 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.9.71.11 --sport 3456 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.9.71.11 --dport 3456 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.9.71.11 --sport 3456 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 161.148.185.11 --dport 3456 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 161.148.185.11 --sport 3456 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 161.148.185.11 --dport 3456 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 161.148.185.11 --sport 3456 -j ACCEPT
#########################################################################################################################

#########################################################################################################################
#PUBLICA
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.170.93.20 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.170.93.20 --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.170.93.20 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.170.93.20 --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 187.55.134.145 --dport 8887 -j ACCEPT
iptables -A INPUT -p tcp -s 187.55.134.145 --dport 1024:65535 -d $ETH2 --sport 8887 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 187.4.67.156 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 187.4.67.156 --sport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 187.4.67.156 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 187.4.67.156 --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 191.223.9.204 --dport 8887 -j ACCEPT
iptables -A INPUT -p tcp -s 191.223.9.204 --dport 1024:65535 -d $ETH2 --sport 8887 -j ACCEPT
#########################################################################################################################

#########################################################################################################################
#INCom
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.198.216.8 --dport 3001 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.198.216.8 --sport 3001 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.198.216.8 --dport 3001 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.198.216.8 --sport 3001 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 200.198.216.8 --dport 3001 -j ACCEPT
iptables -A INPUT -p tcp -s 200.198.216.8 --dport 1024:65535 -d $ETH2 --sport 3001 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 187.55.134.145 --dport 8887 -j ACCEPT
iptables -A INPUT -p tcp -s 187.55.134.145 --dport 1024:65535 -d $ETH2 --sport 8887 -j ACCEPT
#########################################################################################################################

#########################################################################################################################
#SOMASAUDE
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.28.128.185 --dport 9443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.28.128.185 --sport 9443 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.28.128.185 --dport 9443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.28.128.185 --sport 9443 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 189.28.128.185 --dport 9443 -j ACCEPT
iptables -A INPUT -p tcp -s 189.28.128.185 --dport 1024:65535 -d $ETH2 --sport 9443 -j ACCEPT
#########################################################################################################################

#########################################################################################################################
#SIGA FUNASA
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.252.231.87 --dport 8443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.252.231.87 --sport 8443 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 200.252.231.87 --dport 8443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 200.252.231.87 --sport 8443 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 200.252.231.87 --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -s 200.252.231.87 --dport 1024:65535 -d $ETH2 --sport 8443 -j ACCEPT
#########################################################################################################################


#########################################################################################################################
#SIGAP
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 187.4.67.144/28 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 187.4.67.144/28 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 187.4.67.144/28 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 187.4.67.144/28 -j ACCEPT
iptables -A OUTPUT -p tcp -d 187.4.67.144/28 -j ACCEPT
iptables -A INPUT -p tcp -s 187.4.67.144/28 -j ACCEPT
#########################################################################################################################

#########################################################################################################################
#SIOPS
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.28.143.66 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.28.143.66 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 189.28.143.66 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 189.28.143.66 -j ACCEPT
iptables -A OUTPUT -p tcp -d 189.28.143.66 -j ACCEPT
iptables -A INPUT -p tcp -s 189.28.143.66 -j ACCEPT
#########################################################################################################################

#########################################################################################################################
#PJE
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 201.49.153.209 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 201.49.153.209 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 201.49.153.209 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 201.49.153.209 -j ACCEPT
iptables -A OUTPUT -p tcp -d 201.49.153.209 -j ACCEPT
iptables -A INPUT -p tcp -s 201.49.153.209 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 104.192.108.78 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 104.192.108.78 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 104.192.108.78 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 1024:65535 -s 104.192.108.78 -j ACCEPT
iptables -A OUTPUT -p tcp -d 104.192.108.78 -j ACCEPT
iptables -A INPUT -p tcp -s 104.192.108.78 -j ACCEPT
#########################################################################################################################

#PREVIDENCIA ARIQUEMES
#iptables -A OUTPUT -p tcp --sport 1024:65535 -d 179.254.5.2 --dport 5659 -j ACCEPT
#iptables -A INPUT -p tcp --dport 1024:65535 -s 179.254.5.2 --sport 5659 -j ACCEPT

########################################################################################################################
#PROXY TRANSPARENTE
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3129
########################################################################################################################

#######################################################################################################################
#LIBERANDO PING para a INTERNET
#iptables -A OUTPUT -p icmp --icmp-type 8 -s $ETH2 -d 0/0 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $ETH2 -j ACCEPT

#LIBERANDO PING PARA A REDE 192.168.1.0
#iptables -A OUTPUT -p icmp --icmp-type 8 -s $ETH0 -d $REDE0 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 0 -s $REDE0 -d $ETH0 -j ACCEPT

#LIBERANDO PING PARA A REDE 192.168.1.128
#iptables -A OUTPUT -p icmp --icmp-type 8 -s $ETH1 -d $REDE1 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type 0 -s $REDE1 -d $ETH1 -j ACCEPT

#LIBERANDO ACESSO LOOPBACK
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -d 127.0.0.1 -j ACCEPT

#LIBERANDO CONSULTAS DNS
iptables -A OUTPUT -p udp -s $ETH2 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $ETH2 --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.2 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 0/0 --sport 53 -d 192.168.1.2 --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.3 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 0/0 --sport 53 -d 192.168.1.3 --dport 1024:65535 -j ACCEPT

#LIBERANDO ACESSO HTTP
iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d $ETH2 --dport 1024:65535 -j ACCEPT
#iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
#iptables -A FORWARD -p tcp -s 0/0 --sport 80 -d 192.168.1.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 80 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT

#LIBERANDO ACESSO MYSQL
iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 0/0 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 3306 -d $ETH2 --dport 1024:65535 -j ACCEPT
#iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 0/0 --dport 3306 -j ACCEPT
#iptables -A FORWARD -p tcp -s 0/0 --sport 3306 -d 192.168.1.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -d 0/0 --dport 1024:65535 -j ACCEPT

#LIBERANDO ACESSO HTTPS
iptables -A OUTPUT -p tcp -s $ETH2 --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -d $ETH2 --dport 1024:65535 -j ACCEPT
#iptables -A FORWARD -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT
#iptables -A FORWARD -p tcp -s 0/0 --sport 443 -d 192.168.1.0/24 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT

#LIBERANDO ACESSO SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP
iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW -m recent --set
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT


#liberando acesso ao Squid
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 3128 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3129 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3129 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3129 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 3129 -j ACCEPT

#liberando acesso ao FTP
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 21 -j ACCEPT

########################################################################################################################


SQUID

acl localnet src 192.168.1.0/24

acl tce url_regex tce.ro.gov.br
acl sigap url_regex sigap.tce.ro.gov.br
acl funasa url_regex funasa.gov.br

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow tce sigap funasa

http_access deny !Safe_ports !tce !sigap !funasa
http_access deny CONNECT !SSL_ports !tce !sigap !funasa
http_access allow localhost manager
http_access deny manager

#acl liberados src "/etc/squid3/liberados"
#http_access allow liberados
acl video_liberados url_regex "/etc/squid3/video_liberados"
http_access allow video_liberados
acl ip_liberados url_regex "/etc/squid3/ip_liberados"
http_access allow ip_liberados
acl site_liberados url_regex "/etc/squid3/site_liberados"
http_access allow site_liberados
acl Skype_UA browser ^skype
http_access deny Skype_UA
acl ipacl url_regex http://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*
http_access deny ipacl !ip_liberados
acl numeric_IPs url_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+
http_access deny numeric_IPs !ip_liberados
acl acessaryoutube src "/etc/squid3/acessaryoutube"
acl youtube url_regex youtube
http_access deny youtube !acessaryoutube
acl facebook url_regex facebook
#acl acessarfacebook src "/etc/squid3/acessarfacebook"
#http_access deny facebook !acessarfacebook
http_access deny facebook
acl proibidos url_regex "/etc/squid3/bloqueados"
http_access deny proibidos
acl streaming rep_mime_type -i "/etc/squid3/mimeaplicativo"
acl proibir_musica urlpath_regex -i "/etc/squid3/audioextension"
#http_access deny proibir_musica !video_liberados
#http_reply_access deny streaming !video_liberados
http_access deny proibir_musica
http_access deny streaming

http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certificado/empresa.pem
ssl_bump server-first all
always_direct allow all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /etc/squid3/certificado/ssl_db -M 4MB

#cache_mem 256 MB
#maximum_object_size_in_memory 512 KB
#cache_dir aufs /var/spool/squid3 5120 16 256
#minimum_object_size 0 KB
#maximum_object_size 4 MB
#cache_swap_low 90
#cache_swap_high 95

ta, muito bom mesmo, qual versão do squid3 tamo falando aqui?

Que versão do squid tamo falando aqui ?

/usr/lib/squid3/ssl_crtd -c -s /etc/squid3/certificado/ssl_db -M 4MB
erro:
bash: /usr/lib/squid3/ssl_crtd: Arquivo ou diretório não encontrado

Alguém pode me ajudar por favor

Parabéns pelo artigo, Sérgio e muito obrigado por compartilhá-lo !! ;)
Em breve o colocarei em prática. Atualmente tenho um cenário similar com o debian 7 squid3 (http) e auxilio do dansguardian ,e, como o servidor está em produção, criarei um nova máquina como Jessie.

Obrigado !!!

Pessoal,

Google Chrome não aceita mais certificados do tipo sha1 como o utilizado nesse artigo. Mozilla em breve também não aceitará.
Fiz uma dica explicando o que precisa mudar pra funcionar.
O link é:
https://www.vivaolinux.com.br/dica/Squid3-Debian-Erro-Google-Chrome-NETERR-CERT-WEAK-SIGNATURE-ALGOR...

Boa tarde
Meu Firewall e em servidor separado do squid3, ent coloquei a regra no meu firewall,
iptables -t nat -A PREROUTING -i ### -p tcp --dport 80 -j DNAT --to-destination ###.###.###.###:3128
liberei o Mascaramento no servidor squid, mas toda a regra do squid de acesso liberado fala que não tem permissão e os sites bloqueados fala que esta sem conexão com a internet.

Cara na hora de compilar e instalar da erro
eu acho que sao aquelas linhas acrecidas
/squid3-3.5.23=. -fstack-protector-strong -Wformat -Werror=format-security -c PortCfg.cc -fPIC -DPIC -o .libs/PortCfg.o
In file included from ../../src/anyp/PortCfg.h:18:0,
from PortCfg.cc:10:
../../src/ssl/gadgets.h:83:45: error: ‘CRYPTO_LOCK_X509’ was not declared in this scope
typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
^~~~~~~~~~~~~~~~
../../src/ssl/gadgets.h:83:61: error: template argument 3 is invalid
typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
^
../../src/ssl/gadgets.h:89:53: error: ‘CRYPTO_LOCK_EVP_PKEY’ was not declared in this scope
typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
^~~~~~~~~~~~~~~~~~~~
../../src/ssl/gadgets.h:89:73: error: template argument 3 is invalid
def LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
^
../../src/ssl/gadgets.h:116:43: error: ‘CRYPTO_LOCK_SSL’ was not declared in this scope
typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
^~~~~~~~~~~~~~~
../../src/ssl/gadgets.h:116:58: error: template argument 3 is invalid
typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
^
Makefile:796: recipe for target 'PortCfg.lo' failed
make[4]: *** [PortCfg.lo] Error 1
make[4]: Leaving directory '/var/cache/apt-build/build/squid3-3.5.23/src/anyp'
Makefile:7291: recipe for target 'all-recursive' failed
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory '/var/cache/apt-build/build/squid3-3.5.23/src'
Makefile:6152: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory '/var/cache/apt-build/build/squid3-3.5.23/src'
Makefile:581: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/var/cache/apt-build/build/squid3-3.5.23'
/usr/share/cdbs/1/class/makefile.mk:77: recipe for target 'debian/stamp-makefile-build' failed
make: *** [debian/stamp-makefile-build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
----> Cleaning up object files <-----
Cleaning in directory .
dpkg-buildpackage --rules-target clean -rfakeroot -us -uc
dpkg-buildpackage: warning: using a gain-root-command while being root
dpkg-buildpackage: info: source package squid3
dpkg-buildpackage: info: source version 3.5.23-5+aptbuild6
dpkg-buildpackage: info: source distribution UNRELEASED
dpkg-buildpackage: info: source changed by root <root@servidor>
dpkg-buildpackage: info: host architecture amd64
fakeroot debian/rules clean
test -x debian/rules
rm -f debian/stamp-makefile-build debia

resolvi assim debian 9

Rules patch file adds specific compilation arguments to make SSL bump capable Squid.

--- build/squid3/squid3-3.5.15/debian/rules 2016-02-17 01:13:33.000000000 +0100
+++ build/squid3/squid3-3.5.15/debian/rules.new 2016-02-22 22:50:04.079470555 +0100
@@ -45,7 +45,10 @@
--with-pidfile=/var/run/squid.pid \
--with-filedescriptors=65536 \
--with-large-files \
- --with-default-user=proxy
+ --with-default-user=proxy \
+ --with-openssl \
+ --enable-ssl \
+ --enable-ssl-crtd

BUILDINFO := $(shell lsb_release -si 2>/dev/null)

E ai blz! Fiz igual o tutorial, mas dou o comando seguinte; Ele criou o diretorio na instalação! o pode ser?
/usr/lib/squid3/ssl_crtd -c -s /etc/squid3/certificado/ssl_db -M 4MB
bash: /usr/lib/squid3/ssl_crtd: Arquivo ou diretório não encontrado