Bom dia pessoal.
Seguinte, logo abaixo está meu arquivo de firewall e meu squid.conf respectivamente...
Preciso de uma ajuda pra saber por que ele não autentica... aliás, ele não navega com e nem sem autenticação...
alguém pode me dar uma luz?! não aguento mais quebrar a cabeça e não achar meu erro...
Me ajudem pelo amor de deus...
[]'s
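#!/bin/bash
# Gateway firewall script: flushes the filter and nat tables, turns on IPv4
# forwarding, masquerades traffic leaving eth0 and redirects selected ports
# to the Squid proxy on local port 3128.
#
# Interfaces as used by the rules below: eth0 is the masqueraded (external)
# side, eth1 is the side the LAN redirects are attached to.
#
# NOTE(review): no chain policy is set in this script. If the FORWARD policy
# is ACCEPT (the kernel default), every "-j ACCEPT" rule below is a no-op and
# only the REJECT rules have any effect. Confirm the intended policy; an
# allow list only means something under a restrictive policy.

# Start from empty filter and nat tables.
iptables -F
iptables -t nat -F

# Enable routing between the interfaces.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Source-NAT everything that leaves through eth0.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

################## Transparent proxy (disabled)
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

################### Full access for some machines
# Only TCP is matched here; other protocols from these hosts fall through to
# the rest of the chain and its policy.
iptables -A FORWARD -p tcp -s 192.168.0.4/32 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.5/32 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.95/32 -j ACCEPT

################### Block the warehouse host (Almoxarifado)
# Fix: the port-19557 exception must come before the blanket REJECT. Rules
# are evaluated in order and REJECT is terminating, so in the original order
# the ACCEPT could never match.
# NOTE(review): port-80 traffic from this host is REDIRECTed to Squid in the
# nat table and never reaches FORWARD, so this block does not stop browsing
# through the proxy; that has to be enforced in squid.conf.
iptables -A FORWARD -p tcp -s 192.168.0.7/32 --dport 19557 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.7/32 -j REJECT

#################### Block MSN Messenger
# The hosts given full access above are accepted earlier and are therefore
# not affected by this rule.
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 1863 -j REJECT

################### Block ORKUT
# Blocking by destination address. The first rule rejects HTTPS to an entire
# /16, which also covers any other service hosted in that range.
# NOTE(review): the port-80 rules cannot match LAN traffic, because the
# PREROUTING REDIRECT at the end of this script rewrites port-80 connections
# to the local proxy before the FORWARD chain is consulted. HTTP blocking for
# these sites belongs in Squid ACLs.
iptables -A FORWARD -p tcp -d 72.14.0.0/16 --dport 443 -j REJECT
iptables -A FORWARD -p tcp -d 72.14.209.87 --dport 80 -j REJECT
iptables -A FORWARD -p tcp -d 72.14.209.87 --dport 443 -j REJECT
iptables -A FORWARD -p tcp -d 216.239.51.86 --dport 80 -j REJECT
iptables -A FORWARD -p tcp -d 216.239.51.86 --dport 443 -j REJECT

################### Allow Telextreme
# NOTE(review): these rules hand SIP/media ports to Squid's port 3128. Squid
# is an HTTP proxy listening on TCP (http_port 3128 in the squid.conf posted
# with this script), so redirected non-HTTP and UDP traffic has nothing to
# answer it. Redirected packets also bypass FORWARD, so for the redirected
# ports the ACCEPT rules further down never see them. If the goal is to let
# this traffic through, the REDIRECT rules are most likely unwanted; left
# unchanged here because the intent cannot be confirmed from the page.
iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.0.0/24 --dport 5060 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.0.0/24 --dport 8000 -j REDIRECT --to-port 3128
# NOTE(review): the rules below match traffic arriving on eth0, i.e. from the
# external side, and deliver it to the proxy port on this machine.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5060 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5060 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8000 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 8000 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8001 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 8001 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1059:1114 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1059:1114 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2600:3300 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2600:3300 -j REDIRECT --to-port 3128
# Forwarding exceptions for the Telextreme servers.
iptables -A FORWARD -p tcp -d 63.123.133.39 --dport 5060 -j ACCEPT
iptables -A FORWARD -p udp -d 63.123.133.39 --dport 5060 -j ACCEPT
iptables -A FORWARD -p tcp -d 209.245.92.39 --dport 5060 -j ACCEPT
iptables -A FORWARD -p udp -d 209.245.92.39 --dport 5060 -j ACCEPT
iptables -A FORWARD -p tcp -d 64.69.76.10 --dport 1059:1114 -j ACCEPT
iptables -A FORWARD -p udp -d 64.69.76.10 --dport 1059:1114 -j ACCEPT
iptables -A FORWARD -p tcp -d 64.69.76.10 --dport 2600:3300 -j ACCEPT
iptables -A FORWARD -p udp -d 64.69.76.10 --dport 2600:3300 -j ACCEPT
iptables -A FORWARD -p tcp -d 63.123.133.39 --dport 8000 -j ACCEPT
iptables -A FORWARD -p udp -d 63.123.133.39 --dport 8000 -j ACCEPT
iptables -A FORWARD -p tcp -d 63.123.133.39 --dport 8001 -j ACCEPT
iptables -A FORWARD -p udp -d 63.123.133.39 --dport 8001 -j ACCEPT

################# Close the proxy port on the external side (disabled)
# NOTE(review): with this rule commented out and the eth0 REDIRECT rules in
# this script active, port 3128 is reachable from the external interface and
# access control rests entirely on squid.conf's http_access rules. Enabling
# the rule as written would also drop the eth0 traffic this script redirects
# to 3128, because redirected packets arrive on INPUT with that port.
#iptables -A INPUT -p tcp -i eth0 --dport 3128 -j DROP

################ Proxy OBJ
# NOTE(review): the first rule already redirects every port-80 connection
# from eth1, so the second rule (which exempts 192.168.0.213) never decides
# anything. If that host is meant to bypass the proxy, the first rule has to
# go - confirm the intent.
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 0/0 --dport 80 -j REDIRECT --to-port 3128
# Fix: negation written as "! -s ADDR"; current iptables releases deprecate
# the "-s ! ADDR" form used originally.
iptables -t nat -A PREROUTING -i eth1 -p tcp ! -s 192.168.0.213/32 -d 0/0 --dport 80 -j REDIRECT --to-port 3128
# NOTE(review): this matches port-80 connections arriving on the external
# interface and gives them to the proxy; a LAN gateway normally has no reason
# to intercept inbound Internet traffic. Confirm whether it is needed.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# NOTE(review): proxy authentication (proxy_auth in squid.conf) does not work
# for intercepted connections: a browser that does not know it is talking to
# a proxy will not answer a proxy authentication challenge. Authenticated
# browsing requires clients configured to use the proxy explicitly.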
////////////////////////////////////////////////////////////////////////////////////////////
# Port Squid listens on for client requests; the REDIRECT rules in the
# firewall script posted with this file send traffic to this port.
# NOTE(review): nothing on this line marks the port for interception, and the
# httpd_accel_* options later in this file are all commented out. The stock
# comment on httpd_accel_uses_host_header below says that option is needed
# when running as a transparent proxy - check the interception settings
# against the documentation of the Squid version in use.
http_port 3128
# Port for ICP queries from neighbour caches.
icp_port 3130
hierarchy_stoplist cgi-bin ?
# Error pages are served from the Portuguese template directory.
error_directory /usr/share/squid/errors/Portuguese
# NOTE(review): cache_mgr is set a second time, to the same value, near the
# end of this file.
cache_mgr pes@unimarcas.com.br
# TAG: no_cache
# A list of ACL elements which, if matched, cause the reply to
# be immediately removed from the cache. In other words, use this
# to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
#We recommend you to use the following two lines.
#acl download url_regex "/etc/squid/extensoes"
#acl extensoes url_regex .mp3 .vqf .rpm .rar .avi .mpeg .mpe .mpg .qt .ram .rm .wav .mov .wmv .wma
# URL-path pattern ACL for dynamic content.
# NOTE(review): no directive in this file references QUERY (no_cache is
# applied to "server" instead). The stock configuration writes the second
# pattern as an escaped question mark; a bare "?" is not a valid regular
# expression on its own - verify against the live file.
acl QUERY urlpath_regex cgi-bin ?
ftp_user Squid@unicoc.com.br
ftp_list_width 32
ftp_passive on
# ftp_sanitycheck on
# Start of the authentication configuration.
# Basic authentication, verified by the ncsa_auth helper against the password
# file /etc/squid/passwd.
# NOTE(review): Basic credentials travel base64-encoded, not encrypted, on
# every request; anyone able to observe LAN traffic to the proxy can read
# them. The password file must be readable by the account Squid runs its
# helpers under (and not by ordinary users) - verify ownership and mode, and
# that the helper path exists on this system.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Unimarcas: Indentifique-se
auth_param basic credentialsttl 1 hours
#Recommended minimum configuration:
# NOTE(review): "all" is defined here as the LAN subnet only, not as every
# address. Each rule below that uses "all" therefore applies to LAN clients
# only, including the final "http_access deny all".
acl all src 192.168.0.0/255.255.255.0
# Single destination address; used by the no_cache rule below.
acl server dst 200.161.24.117/255.255.255.255
#acl server_morumbi dst 200.210.29.207/255.255.255.255
#acl coc dstdomain *.cocararaquara.com.br
#acl obj dstdomain *.objetivoararaquara.com.br
# URL block list and exception list, each read from a file of patterns.
# NOTE(review): the block list lives in a user's home directory; whoever can
# write that file controls what the proxy blocks. Consider keeping it next to
# the other list under /etc/squid with restricted write access.
acl porn url_regex "/home/pes/porn"
acl noporn url_regex "/etc/squid/noporn"
# Matches any request carrying valid proxy credentials; requests without
# credentials are challenged.
acl senha proxy_auth REQUIRED
# Block MSN by domain, gateway URL and MIME type.
acl msn2 dstdomain loginnet.passport.com
acl msnmessenger url_regex -i gateway.dll
acl MSN req_mime_type -i ^application/x-msn-messenger$
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# Never cache replies from the "server" destination.
no_cache deny server
#no_cache deny server_morumbi
#no_cache deny coc
#no_cache deny obj
#Recommended minimum configuration:
#
# http_access lines are checked top to bottom and the first line whose ACLs
# all match decides the request.
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Block Messenger
http_access deny msn2
http_access deny msnmessenger
http_access deny MSN
#http_access deny extensoes
#http_access allow coc
#http_access deny extensoes all
#http_access allow all
# NOTE(review): an authenticated LAN client is allowed by the next line, so
# the "noporn"/"porn" lines after it are never reached for that client. If
# the block list is meant to apply to authenticated users, the deny has to be
# placed before this allow - confirm the intended order.
# NOTE(review): proxy_auth cannot work for requests that reach Squid through
# the firewall's port-80 REDIRECT: a browser that is not configured to use a
# proxy does not answer a proxy authentication challenge. Clients need the
# proxy set explicitly for this rule to be satisfiable.
http_access allow senha all
http_access allow noporn all
http_access deny porn all
# And finally deny all other access to this proxy
# NOTE(review): "all" is defined in this file as 192.168.0.0/24, so this line
# denies LAN clients only. A request from any other source matches no line,
# and Squid's documented default in that case is the opposite of the last
# line, i.e. allow. Together with the firewall script leaving port 3128 open
# on the external interface, this should be reviewed; the usual form defines
# "all" as every address and lets this final deny catch everything.
http_access deny all
# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------
# TAG: httpd_accel_host
# TAG: httpd_accel_port
# If you want to run Squid as an httpd accelerator, define the
# host name and port number where the real HTTP server is.
#
# If you want virtual host support then specify the hostname
# as "virtual".
#
# If you want virtual port support then specify the port as "0".
#
# NOTE: enabling httpd_accel_host disables proxy-caching and
# ICP. If you want these features enabled also, then set
# the 'httpd_accel_with_proxy' option.
#
#Default:
### Mexi aqui
#httpd_accel_port 80
#httpd_accel_host virtual
# TAG: httpd_accel_single_host on|off
# If you are running Squid as an accelerator and have a single backend
# server then set this to on. This causes Squid to forward the request
# to this server regardless of what any redirectors or Host headers
# say.
#
# Leave this at off if you have multiple backend servers, and use a
# redirector (or host table or private DNS) to map the requests to the
# appropriate backend servers. Note that the mapping needs to be a
# 1-1 mapping between requested and backend (from redirector) domain
# names or caching will fail, as caching is performed using the
# URL returned from the redirector.
#
# See also redirect_rewrites_host_header.
#
#Default:
# MEXI AQUI
#httpd_accel_single_host off
# TAG: httpd_accel_with_proxy on|off
# If you want to use Squid as both a local httpd accelerator
# and as a proxy, change this to 'on'. Note however that your
# proxy users may have trouble to reach the accelerated domains
# unless their browsers are configured not to use this proxy for
# those domains (for example via the no_proxy browser configuration
# setting)
#
#
#Default:
# MEXI AQUI
#httpd_accel_with_proxy on
# TAG: httpd_accel_uses_host_header on|off
# HTTP/1.1 requests include a Host: header which is basically the
# hostname from the URL. Squid can be an accelerator for
# different HTTP servers by looking at this header. However,
# Squid does NOT check the value of the Host header, so it opens
# a big security hole. We recommend that this option remain
# disabled unless you are sure of what you are doing.
#
# However, you will need to enable this option if you run Squid
# as a transparent proxy. Otherwise, virtual servers which
# require the Host: header will not be properly cached.
#
#Default:
# MEXI AQUI
#httpd_accel_uses_host_header on
#forwarded_for on
# Log client host names instead of addresses; this makes Squid perform a
# reverse DNS lookup for clients.
log_fqdn on
# Objects larger than this are not stored in the cache.
maximum_object_size 4 MB
cache_replacement_policy lru
memory_replacement_policy lru
# On-disk cache: ufs storage under /var/spool/squid, 8192 MB, with 48
# first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid 8192 48 256
# NOTE(review): duplicate of the cache_mgr line near the top of this file.
cache_mgr pes@unimarcas.com.br
cache_mem 64 MB
#request_body_max_size 0
#reply_body_max_size 0
# Persistent connections are disabled towards both clients and servers.
client_persistent_connections off
server_persistent_connections off
request_timeout 30 seconds
pconn_timeout 120 seconds









