Olá Pessoal !!
Sou novo aqui na lista e leigo em linux !!
Estou tentando configurar o meu servidor linux para que rode o proxy transparente e o firewall na mesma máquina, mas não estou conseguindo. Alguém pode me ajudar?
# Listening socket, bound to a single LAN address. Intercepted traffic has
# to land on exactly this address and port (the iptables REDIRECT in the
# firewall script below sends it to the primary address of the incoming
# interface, so that address must be 192.168.0.156).
# NOTE(review): the httpd_accel_* lines at the end are the Squid 2.5 way of
# doing interception. Squid 2.6 and later reject those directives and mark
# the port instead ("http_port 8080 transparent", later renamed
# "intercept") - confirm which Squid version is installed.
http_port 192.168.0.156:8080
# Do not cache or fetch-from-peers anything that looks dynamic (cgi-bin or
# a query string).
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY
ftp_user Squid@
ftp_passive on
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
# SSL_ports is defined but no http_access line in this file references it
# (there is no "http_access deny CONNECT !SSL_ports"), so CONNECT tunnels
# to any port are accepted for the LAN by "http_access allow rede" below.
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
# Marking 1025-65535 as safe means "deny !Safe_ports" below only rejects
# unlisted ports under 1025.
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
#########################
# 128 MB on-disk cache with 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid 128 16 256
acl all src 0.0.0.0/0.0.0.0
# Duplicate of the "acl manager" line above - apparently harmless, but
# redundant.
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# The LAN. Must agree with the REDE / LAN_IP values the firewall script
# loads from /etc/tupiserver/tupidef.
acl rede src 192.168.0.0/255.255.255.0
acl Safe_ports port 8080
# Duplicate of the "acl CONNECT" line above.
acl CONNECT method CONNECT
# Allow-lists, read from files (one entry per line).
acl liberadominio dstdomain "/etc/tupiserver/regras_acesso"
acl tupiacesso url_regex -i "/etc/tupiserver/tupiacesso"
#########################
# Blocked file extensions (URL regex, case-sensitive).
acl bloq_extensao url_regex "/etc/tupiserver/extensao"
#########################
# Blocked keywords (URL regex, case-insensitive).
acl palavra url_regex -i "/etc/tupiserver/regras_palavras"
acl tupipalavra url_regex -i "/etc/tupiserver/tupipalavras"
#########################
# Blocked domains and malware URL patterns.
acl bloq_sites dstdomain "/etc/tupiserver/regras_url"
acl tupisites dstdomain "/etc/tupiserver/tupiurl"
acl malware_block_list url_regex -i "/etc/tupiserver/malware"
#########################
# Client source addresses that are refused outright.
acl bloqueioip src "/etc/tupiserver/ip"
########### REGRAS ##############
# http_access lines are evaluated top-down; the first line whose ACLs all
# match decides the request.
# 1. Blocked client addresses are refused before anything else.
http_access deny bloqueioip
# 2. Allow-listed URLs/domains are accepted here, which means they bypass
#    every block list that follows.
http_access allow rede tupiacesso
http_access allow rede liberadominio
# 3. Block lists. "all" always matches, so "deny all X" behaves as "deny X".
http_access deny all malware_block_list
http_access deny all bloq_sites
http_access deny all tupisites
#########################
http_access deny all palavra
http_access deny all tupipalavra
#########################
http_access deny all bloq_extensao
#########################
# 4. Cache manager from the proxy host itself.
#    No "http_access deny manager" follows, so a cache_object request from
#    the LAN still gets through the "allow rede" line below. Add
#    "http_access deny manager" after this line if the manager interface
#    should stay local.
http_access allow manager localhost
# 5. Everything else from the LAN is accepted here; the two deny lines after
#    it are only reached by clients outside 192.168.0.0/24.
http_access allow rede
http_access deny !Safe_ports
http_access deny all
#########################
# Unprivileged identity Squid drops to after start-up.
cache_effective_user proxy
cache_effective_group proxy
visible_hostname Jerry
#########################
# Custom error pages per block reason. Each ERR_ACCESS_* name must exist as
# a file inside the error_directory set below, otherwise the deny shows a
# generic error.
deny_info ERR_ACCESS_IP bloqueioip
deny_info ERR_ACCESS_URL bloq_sites
deny_info ERR_ACCESS_TURL tupisites
deny_info ERR_ACCESS_MALWARE malware_block_list
#########################
deny_info ERR_ACCESS_FILE palavra
deny_info ERR_ACCESS_TFILE tupipalavra
#########################
deny_info ERR_ACCESS_DOWN bloq_extensao
#########################
error_directory /usr/share/squid/errors/Portuguese/
#########################
# Squid 2.5-style transparent ("accelerator") mode. These four directives
# were removed in Squid 2.6; see the note on http_port at the top.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#########################
#############firewall#############
#!/bin/sh
#
# Versão 2.6
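############ Configuracoes ##############################
# Site-specific values come from /etc/tupiserver/tupidef: the rules below
# read WAN, WAN_IP, LAN, LAN_IP, LAN_BROD and REDE from it.
[ -f /etc/tupiserver/tupidef ] && . /etc/tupiserver/tupidef
# Refuse to continue when any of those is missing. With an empty value a
# rule such as "-i $WAN -j icmp_packets" degenerates into
# "-i -j icmp_packets": iptables rejects it and that rule is silently
# absent from the loaded set. Aborting here also leaves the previous
# ruleset untouched, since nothing has been flushed yet.
: "${WAN:?WAN is not set (expected in /etc/tupiserver/tupidef)}"
: "${WAN_IP:?WAN_IP is not set (expected in /etc/tupiserver/tupidef)}"
: "${LAN:?LAN is not set (expected in /etc/tupiserver/tupidef)}"
: "${LAN_IP:?LAN_IP is not set (expected in /etc/tupiserver/tupidef)}"
: "${LAN_BROD:?LAN_BROD is not set (expected in /etc/tupiserver/tupidef)}"
: "${REDE:?REDE is not set (expected in /etc/tupiserver/tupidef)}"
#########################################################
# Localhost
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="iptables"
######### Carregando Modulos ###################################
#depmod -a
# Legacy module names (2.4 / early 2.6 kernels). On newer kernels these are
# aliases of, or replaced by, nf_conntrack / xt_* and modprobe may complain;
# a failure here is not fatal, the affected rule simply fails to load later.
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_mangle
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_state
modprobe ipt_multiport
modprobe ip_conntrack_ftp
###### Setando /proc ############################################
echo "0" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "0" > /proc/sys/net/ipv4/ip_dynaddr
# Routing between LAN and WAN is switched on here; what actually gets
# forwarded is decided by the FORWARD chain (policy DROP) below.
echo "1" > /proc/sys/net/ipv4/ip_forward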
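####### Politicas ################################################
# Start from a clean slate: flush filter and nat, then delete the (now
# empty) user chains so the "-N" lines below do not fail with
# "Chain already exists" when the script is re-run on a live system.
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
# Default-deny for inbound and routed traffic; locally generated traffic
# is allowed unless an OUTPUT rule says otherwise.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Pacotes defeituosos
$IPTABLES -N bad_tcp_packets
# Chains separadas para ICMP, TCP e UDP
# NOTE: only bad_tcp_packets and icmp_packets are jumped to further down;
# allowed, tcp_packets and udpincoming_packets are created but never used.
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
####### Regras Basicas #############################################
# chain para pacotes TCP defeituosos
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW j LOG --log-prefix "PACOTE nao SYN:"
# Log NEW connections that do not start with SYN, except those aimed at the
# proxy port (8080) to keep the log quiet; the next line then drops every
# such packet, 8080 included. "--dport ! 8080" is the old intrapositioned
# negation; newer iptables warn that it is deprecated in favour of
# "! --dport 8080" (kept here because the older form works on both).
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW --dport ! 8080 -j LOG --log-prefix "PACOTE nao SYN:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
# Echo request (8) and time exceeded (11) are the only ICMP types let in
# from the WAN (see the INPUT section).
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT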
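############################ INPUT CHAIN ############################
# Pacotes defeituosos
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#### virus W32.Blaster.Worm
# Placed before any ACCEPT so these ports stay closed from the LAN as well.
$IPTABLES -A INPUT -p tcp --dport 4444 -j DROP
$IPTABLES -A INPUT -p tcp --dport 135 -j DROP
$IPTABLES -A INPUT -p udp --dport 69 -j DROP
# Pacotes da Internet
# ICMP from the WAN goes through the icmp_packets chain (types 8 and 11
# only); ICMP from the LAN is covered by the "-i $LAN" rules below.
$IPTABLES -A INPUT -p ICMP -i "$WAN" -j icmp_packets
# Acesso SSH
#$IPTABLES -A INPUT -p tcp -s $REDE -d $LAN_IP --dport 22 -j ACCEPT
# NOTE(review): SSH is reachable from any address on any interface (the
# LAN-only variant above is commented out). Unless administration from the
# Internet is required, prefer "-s $REDE" or a specific management network.
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
# Public services on the WAN address. No "-i" is given, so they match on
# any interface as long as the destination is $WAN_IP.
# Acesso WWW Server
$IPTABLES -A INPUT -p tcp -d "$WAN_IP" --dport 80 -j ACCEPT
# Acesso SMTP
$IPTABLES -A INPUT -p tcp -d "$WAN_IP" --dport 25 -j ACCEPT
# Acesso POP3
$IPTABLES -A INPUT -p tcp -d "$WAN_IP" --dport 110 -j ACCEPT
# Acesso DNS Server
$IPTABLES -A INPUT -p udp -d "$WAN_IP" --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp -d "$WAN_IP" --dport 53 -j ACCEPT
# Da interface LAN para LAN firewall IP
# Anything from the LAN interface to the firewall's LAN address or the LAN
# broadcast is accepted - this is also what admits the intercepted HTTP
# connections after REDIRECT moves them to port 8080.
$IPTABLES -A INPUT -p ALL -i "$LAN" -d "$LAN_IP" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$LAN" -d "$LAN_BROD" -j ACCEPT
# From Localhost interface to Localhost IP's
$IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -s "$WAN_IP" -j ACCEPT
# Regra para DHCP
#$IPTABLES -A INPUT -p UDP -i $LAN --dport 67 --sport 68 -j ACCEPT
# Entrada de todos os pacotes estaveis
# Replies to connections the firewall itself opened towards the WAN.
$IPTABLES -A INPUT -p ALL -d "$WAN_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Logar todos os pacotes mortos
# Rate-limited log of everything not accepted above; the INPUT policy
# (DROP) then discards it. Rules appended to INPUT later in the script
# land after this line and are logged as "died" even when they accept.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died:"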
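############################ FORWARD CHAIN #########################
# Pacotes defeituosos
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
# LAN section
# Everything arriving on the LAN interface is routed without further
# filtering. LAN port-80 traffic that the transparent-proxy REDIRECT
# catches never reaches this chain, because nat/PREROUTING runs before
# the routing decision.
$IPTABLES -A FORWARD -i "$LAN" -j ACCEPT
# Return traffic for connections the LAN opened. (A second, identical copy
# of this rule could never match and is therefore not appended.)
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "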
############################ OUTPUT CHAIN ##########################
# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
# Special OUTPUT rules to decide which IP's to allow.
# Locally generated traffic is accepted when it carries one of our own
# addresses as source (loopback, LAN, WAN), in that order.
for own_src in "$LO_IP" "$LAN_IP" "$WAN_IP"; do
  $IPTABLES -A OUTPUT -p ALL -s "$own_src" -j ACCEPT
done
# Log weird packets that don't match the above.
# The OUTPUT policy is ACCEPT, so whatever reaches this line is logged
# but still sent.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"
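###########################Redirecionando acesso site da Caixa ###########################
# LAN traffic to the bank's addresses leaves with a fixed public source
# address instead of the generic MASQUERADE further down. nat/POSTROUTING
# is first-match, so these SNAT rules must stay above the MASQUERADE line.
# NOTE(review): "200.225.XXX.XX" is the redacted placeholder as posted;
# iptables rejects it, so every SNAT line below fails until the real
# address is filled in here.
CAIXA_SNAT_IP="200.225.XXX.XX"
# NOTE(review): the /24 mask selects the whole 192.168.0.0 network, not the
# single host .23 - use /32 if only that workstation should be covered.
CAIXA_SRC="192.168.0.23/24"
# Bank destinations; whitespace-separated on purpose (POSIX sh, no arrays).
CAIXA_DST="200.201.173.68 200.201.166.200 200.201.174.204 200.201.174.207"
# shellcheck disable=SC2086 -- intentional word-splitting of the list
for caixa_dst in $CAIXA_DST; do
  # The FORWARD ACCEPT is redundant with the "-i $LAN -j ACCEPT" rule above
  # (and is appended after FORWARD's LOG line); it is kept so the bank
  # traffic still passes if that broad rule is ever tightened.
  $IPTABLES -A FORWARD -p tcp -s "$CAIXA_SRC" -d "$caixa_dst" -j ACCEPT
  $IPTABLES -t nat -A POSTROUTING -s "$CAIXA_SRC" -d "$caixa_dst" -j SNAT --to "$CAIXA_SNAT_IP"
done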
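################PROXY TRANSPARENTE ###########################
# Accept plain HTTP to the firewall itself on any interface. This is not
# what admits the intercepted traffic: after REDIRECT those packets arrive
# on port 8080 and are accepted by the "-i $LAN -d $LAN_IP" INPUT rule.
# Because it is appended after INPUT's LOG line, anything matching here is
# first logged as "IPT INPUT packet died:" and then accepted anyway.
$IPTABLES -A INPUT -p tcp --destination-port 80 -j ACCEPT
# Intercept outbound HTTP from the LAN and hand it to Squid on port 8080.
# The interface is taken from tupidef like everywhere else in this script
# instead of the hard-coded "eth0": if the LAN was not eth0, nothing was
# being intercepted, and if eth0 is the WAN the redirect would have caught
# inbound traffic meant for the web server instead.
# REDIRECT rewrites the destination to the primary address of the incoming
# interface, so Squid's http_port must be bound to that address
# (192.168.0.156:8080 in the squid.conf above) - verify LAN_IP matches.
# Only one of the four bank addresses from the SNAT section is excluded
# from interception here; the other three still go through the proxy.
# "-d ! addr" is the old negation form; newer iptables prefer "! -d addr".
: "${LAN:?LAN is not set (expected in /etc/tupiserver/tupidef)}"
$IPTABLES -t nat -A PREROUTING -i "$LAN" -p tcp -d ! 200.201.174.207 --dport 80 -j REDIRECT --to-port 8080
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080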
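################################### NAT #############################
## Generico
# Everything else from the LAN network leaving through the WAN interface
# is masqueraded behind that interface's address. Must stay after the
# bank-specific SNAT rules (nat/POSTROUTING is first-match).
$IPTABLES -t nat -A POSTROUTING -s "$REDE" -o "$WAN" -j MASQUERADE
################################### FIM ############################
# Persist the ruleset. /etc/sysconfig/iptables is the Red Hat / CentOS
# location; on Debian-family systems (which the "proxy" user in the
# squid.conf above hints at) that directory normally does not exist and
# the redirect fails. Adjust for the distribution in use.
IPTABLES_SAVE_FILE="/etc/sysconfig/iptables"
/sbin/iptables-save > "$IPTABLES_SAVE_FILE"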









