edgarfilho
Enviado em 06/08/2012 - 15:41h
Boa tarde a todos,
Pessoal, tenho na empresa um Debian 5.0 com Squid e firewall. Atualmente tenho tido problemas no gerenciamento do acesso à internet, com alguns IPs ligados o dia todo no Facebook e no YouTube... bem, gostaria de uma ajuda na reformulação dos serviços de proxy e firewall para
bloquear:
Facebook;
MSN;
YouTube - e bloquear o carregamento de vídeo em páginas;
Vimeo;
Permitir:
Somente acesso ao e-mail do Hotmail e do Google, e também o Google Earth.
Segue o conf do squid e do firewall abaixo:
Squid:
#!/bin/bash
# NOTE(review): the "#!/bin/bash" line above is only a comment to Squid --
# squid.conf is not a script. Harmless, but it should go.
# Transparent mode: Squid only sees what the firewall REDIRECTs to it (TCP 80
# from eth1 in the script further down). HTTPS and every other port never pass
# the ACLs in this file, so anything served over 443 is not controlled here.
http_port 3128 transparent
visible_hostname servidor
cache_mem 64 MB
maximum_object_size_in_memory 512 KB
maximum_object_size 512 MB
minimum_object_size 2 KB
cache_swap_low 50
cache_swap_high 75
cache_dir ufs /var/spool/squid 256 8 128
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 60 20% 2280
refresh_pattern ^gopher: 60 0% 2280
refresh_pattern . 60 20% 2280
########## Acls ###########################
# "all" is redefined here as the LAN only. When no http_access rule matches,
# Squid applies the opposite of the last rule, so a client outside
# 192.168.0.0/24 that reaches port 3128 matches nothing and is allowed by
# default. Better: name this ACL "rede_local" and keep "deny all" with
# all = 0.0.0.0/0 (recent Squid releases predefine "all" and reject this line).
acl all src 192.168.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl safe_ports port 80 443 563 8080 3128
acl purge method PURGE
acl CONNECT method CONNECT
# Source addresses with unrestricted access (one per line in the file).
acl acesso_total src "/etc/squid/listas/acesso_total.txt"
# URL patterns that are always allowed -- matched anywhere in the URL, see the
# note at the corresponding http_access rule below.
acl prioridades url_regex -i "/etc/squid/listas/prioridades.txt"
acl horario_manha time 07:00-12:00
acl horario_tarde time 13:30-17:30
acl horario_livre1 time 00:00-06:59
acl horario_livre2 time 12:01-13:29
acl horario_livre3 time 17:31-23:59
acl libera_almoco src "/etc/squid/listas/libera_almoco.txt"
acl bloqueio_video src "/etc/squid/listas/bloqueio_video.txt"
# Rule to block online-radio extensions / streaming files (by reply MIME type):
acl streaming rep_mime_type -i "/etc/squid/listas/blockmime"
# NOTE(review): the trailing "\$" matches a literal dollar sign anywhere in the
# path, not a file extension -- it looks like a cut-off entry; check the
# original list.
acl videomusic urlpath_regex -i \.aif$ \.aifc$ \.aiff$ \.asf$ \.asx$ \.avi$ \.au$ \.m3u$ \.med$ \.mp3$ \.m1v$ \.mp2$ \.mp2v$ \.mpa$ \.mov$ \.mpe$ \.mpg$ \.mpeg$ \.ogg$ \.pls$ \$
########## Controle de acesso ##################
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# Blocks multimedia content for the IPs listed in /etc/squid/listas/bloqueio_video.txt
##########################################################################################
http_access deny bloqueio_video videomusic
http_reply_access deny bloqueio_video streaming
# General rules
###############
# url_regex allow evaluated before the general deny: a URL that merely contains
# one of the patterns (host, path or query string) is allowed for every client,
# so keep the patterns anchored (^http://...) and specific.
http_access allow prioridades
http_access allow acesso_total
# Hosts in libera_almoco: allowed outside working hours, denied during them.
# Hosts in no list at all fall through to the final rule.
http_access allow libera_almoco horario_livre1
http_access allow libera_almoco horario_livre2
http_access allow libera_almoco horario_livre3
http_access deny libera_almoco horario_manha
http_access deny libera_almoco horario_tarde
# Final rule -- because of the "all" definition above it only covers
# 192.168.0.0/24; see the note there.
http_access deny all
Firewall:
#!/bin/sh -e
# ETH0=INTERNET
# ETH1=REDELOCAL
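#######################################
# Reject outbound MSN (TCP 1863) from every source address in $1.
# Arguments: $1 - whitespace-separated list of IPv4 addresses
#            (left unquoted in the loop on purpose so it word-splits)
# Returns:   status of the last iptables call
#######################################
bloqueia_msn() {
  for origem in $1; do
    iptables -A FORWARD -s "$origem" -p tcp --dport 1863 -j REJECT
  done
}

#######################################
# Activate the firewall (the "start" action).
# Flushes the filter and nat tables, opens the management ports on this
# host, publishes the DNAT port forwards, enables routing + masquerading
# and redirects LAN HTTP into the transparent Squid on port 3128.
# Globals:   hora, msn_manha, msn_tarde (written)
# Arguments: none
# Outputs:   status messages on stdout
# Returns:   status of the last command (the script runs under sh -e, so a
#            failing iptables call aborts the whole script)
#######################################
iniciar() {
  modprobe iptable_nat
  # Only the rules are flushed: built-in chain policies and the mangle
  # table keep whatever they had (after a "stop" that means ACCEPT).
  iptables -F
  iptables -t nat -F

  # --- Traffic addressed to the firewall host itself (INPUT) ---
  iptables -A INPUT -i eth1 -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  # NOTE(review): the ACCEPTs below carry no "-i", so TCP 9010, 666, 3389,
  # 5800 and 5900 are also reachable from eth0 (internet side) *on this
  # host*. The DNAT forwards do not need them -- forwarded packets go
  # through FORWARD, never INPUT -- so add "-i eth1" unless services on
  # this box really have to be exposed.
  iptables -A INPUT -p tcp --sport 9010 -j ACCEPT
  iptables -A INPUT -p tcp --dport 9010 -j ACCEPT

  # --- Port forwards from the internet to LAN hosts (nat/PREROUTING) ---
  # FORWARD has no restriction besides the MSN rejects, so everything
  # DNATed here reaches the internal hosts unfiltered.
  for proto in tcp udp; do
    iptables -t nat -A PREROUTING -i eth0 -p "$proto" --dport 9010 \
      -j DNAT --to-destination 192.168.0.111
    iptables -t nat -A PREROUTING -i eth0 -p "$proto" --dport 56000:65535 \
      -j DNAT --to-destination 192.168.0.108
  done
  iptables -A INPUT -p tcp --dport 666 -j ACCEPT
  iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
  iptables -A INPUT -p tcp --dport 5800 -j ACCEPT
  iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
  # RDP and VNC straight from the internet to 192.168.0.108.
  for porta in 3389 5800 5900; do
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport "$porta" \
      -j DNAT --to-destination "192.168.0.108:$porta"
  done

  # --- Hardening of the host ---
  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  # Reverse-path filtering. The effective value of an interface is
  # max(conf/all, conf/<iface>); conf/default only seeds interfaces created
  # later, so writing it alone (as the original did) left eth0/eth1
  # unchanged. Set both.
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
  iptables -A INPUT -m state --state INVALID -j DROP
  # Catch-all for new TCP connections not accepted above. UDP and other
  # protocols fall through to the chain policy (ACCEPT unless set elsewhere).
  iptables -A INPUT -p tcp --syn -j DROP

  # --- Internet sharing ---
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  # Only TCP 80 from the LAN is sent through Squid; HTTPS (443) and every
  # other port leave directly via FORWARD and never see the Squid ACLs.
  iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
  echo " * Internet compartilhada com a rede local via proxy transparente"

  # --- MSN block in working hours ---
  # Hosts blocked 07:00-11:59. 192.168.0.103 was listed twice in the
  # original; the duplicate added nothing and was dropped (if .104 was
  # meant, add it here). 192.168.0.166 was commented out for the morning
  # only, so the afternoon list is the morning list plus that host.
  msn_manha="192.168.0.101 192.168.0.102 192.168.0.103 192.168.0.105
    192.168.0.114 192.168.0.156 192.168.0.164 192.168.0.167 192.168.0.168
    192.168.0.169 192.168.0.172 192.168.0.175 192.168.0.181"
  msn_tarde="$msn_manha 192.168.0.166"
  # NOTE(review): the hour is read once, when "start" runs; the rules do
  # not change during the day unless the script is re-run (e.g. from cron
  # at each boundary) or the iptables "-m time" match is used instead.
  hora=$(date +%H)
  case "$hora" in
    07|08|09|10|11) bloqueia_msn "$msn_manha" ;;
    14|15|16|17) bloqueia_msn "$msn_tarde" ;;
  esac
  # The original message said "HTTPS e MSN ... de 8 as 12"; only MSN is
  # rejected and the hours above cover 07-11 and 14-17, so say that.
  echo " * MSN bloqueado para a tecnica, de 7 as 12 e 14 as 18"
  echo " * Firewall ativado"
}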
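#######################################
# Deactivate the firewall (the "stop" action).
# Flushes every rule, sets all built-in policies to ACCEPT and keeps only
# routing + masquerading: the LAN stays on the internet with no filtering
# and no transparent proxy, and the port forwards are gone as well.
# Globals:   none (writes /proc/sys/net/ipv4/ip_forward)
# Arguments: none
# Outputs:   status message on stdout
# Returns:   status of the last command
#######################################
parar() {
  iptables -F
  iptables -t nat -F
  modprobe iptable_nat
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  iptables -P INPUT ACCEPT
  # The original had "ACCEPT" split over two lines ("A" / "CCEPT"), probably
  # a paste artifact: iptables rejects the policy name and, under sh -e, the
  # script aborts before the OUTPUT policy and the final message.
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  echo " * Firewall desativado e internet liberada"
}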
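# Entry point: start | stop | restart. Note that the "-e" in the shebang is
# lost when the file is run as "sh firewall" instead of being executed
# directly; a "set -e" at the top of the script would keep that behaviour.
case "$1" in
  start) iniciar ;;
  stop) parar ;;
  restart) parar; iniciar ;;
  *)
    # Unknown or missing action: report on stderr and exit non-zero so a
    # caller (init script, cron) sees a failure instead of silent success.
    echo "Use apenas start, stop ou restart" >&2
    exit 1
    ;;
esac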