TioRoni
(usa Debian)
Enviado em 23/05/2013 - 16:05h
Acrescentei mas só dos arquivos de bloqueios:
Meu iptables:
###############################################################################################
#!/bin/bash
#Adicionando módulos ao Kernel
clear
echo " "
echo " "
echo " Ativando Modulos"
modprobe ip_tables
modprobe iptable_nat
echo "...............................................................................................[ OK ]"
echo " "
echo " "
#Liberando encaminhamento de Pacotes
echo " Ativando o IP_FORWARD"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "...............................................................................................[ OK ]"
echo " "
echo " "
# Limpando tabelas
echo " limpando Regras"
iptables -F
#iptables -t nat -F
#iptables -t mangle - F
echo "...............................................................................................[ OK ]"
echo " "
echo " "
echo " Mascarando Conexoes - Compartilhando a internet"
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.241.38.28
echo "...............................................................................................[ OK ]"
echo " "
echo " "
#liberando a porta do TS
iptables -t nat -A PREROUTING -d 200.241.38.28 -p tcp --dport 3389 -j DNAT --to 192.168.1.253:3389
echo "...............................................................................................[ OK]"
#Proxy transparente, tratanto protocolos UDP e TCP. e movendo o tráfego das portas 80, 443 para porta 3128
echo " redirecionando trafego da porta 80 para porta 3128"
echo " "
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth0 -p udp --dport 443 -j REDIRECT --to-port 3128
echo "...............................................................................................[ OK ]"
echo " "
echo " "
echo " Bloqueia sites - facebook e youtube"
iptables -I FORWARD -m string --algo bm --string "facebook.com" -j DROP
iptables -I FORWARD -m string --algo bm --string "youtube.com" -j DROP
iptables -I OUTPUT -m string --algo bm --string "facebook.com" -j DROP
iptables -I OUTPUT -m string --algo bm --string "youtube.com" -j DROP
echo "...............................................................................................[ OK ]"
echo " "
echo " "
echo "...............................................................................................[ FIM ]"
#iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3130
#iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 80 -j REDIRECT --to-port 3130
#iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3130
#iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 443 -j REDIRECT --to-port 3130
#echo ...............................................................................................[ OK ]"
Meu squid.conf
###############################################################################################
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.1.0/24
acl chefes src 192.168.1.253 192.168.1.152
acl palavrasliberadas url_regex -i "/etc/squid/palavrasliberadas"
acl sitesliberados url_regex -i "/etc/squid/sitesliberados"
acl palavrasbloqueadas url_regex -i "/etc/squid/palavrasbloqueadas"
acl sitesbloqueados url_regex -i "/etc/squid/sitesbloqueados"
acl radiosonline urlpath_regex -i "/etc/squid/radiosonline"
acl streaming rep_mime_type ^video/x-ms-asf
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Recommended minimum Access Permission configuration:
http_access allow chefes
http_access allow palavrasliberadas
http_access allow sitesliberados
http_access deny palavrasbloqueadas
http_access deny sitesbloqueados
http_access deny radiosonline
http_reply_access deny radiosonline
http_access deny streaming
http_reply_access deny streaming
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
#http_port 3130 intercept
http_port 3128 intercept
#Especifica a quantidade ideal de memoria a ser utilizada
cache_mem 2048 MB
maximum_object_size_in_memory 32 MB
#diretorio de Cache. Numero em MB de quanto o Squid pode usar do disco
cache_dir aufs /var/cache/squid 5120 16 256
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
minimum_object_size 0 KB
maximum_object_size 256 MB
cache_swap_low 90
cache_swap_high 95
cache_mgr roni@grupomastermt.com.br
#Suprime a versao do Squid
httpd_suppress_version_string off
#Cria um nome para o Squid
visible_hostname grupomastermt
error_directory /usr/share/squid/errors/pt-br
access_log /var/log/squid/access.log squid
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320