Centos 6.4 i386 + Squid

1. Centos 6.4 i386 + Squid

Reiner Chisté Zanotelli
reiner

(uses RedHat)

Sent on 09/04/2013 - 17:50h

Guys, I don't understand anything about Linux, just a few rules of my own that I kept adding to a test Linux box I had here, but I had to reinstall it because, in the end, nothing was working anymore.

I installed CentOS 6.4 + Squid + BIND to share the internet connection, but it isn't working. On the Linux box itself the internet works perfectly. No error is generated when I load the modules, but the internet is not shared. If anyone can help me I'd really appreciate it!

I have two interfaces

eth0 CONNECTED TO THE ROUTED MODEM
IP 192.168.1.10
GATEWAY 192.168.1.1

eth1 CONNECTED TO THE GENERAL NETWORK
IP 192.168.0.10

>>>>>>>> My squid.conf looks like this:

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 transparent

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

-----------------------------------------------------------------------------------------

>>>>>>>> My IPTABLES looks like this:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth1 --dport 10000 --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:PREROUTING ACCEPT [35:3059]
:INPUT ACCEPT [35:3059]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:6126]
:POSTROUTING ACCEPT [24:6126]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed


  


2. Re: Centos 6.4 i386 + Squid

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 09/04/2013 - 17:59h

Did you enable forwarding on this gateway? Put the command below in /etc/rc.local:


echo 1 > /proc/sys/net/ipv4/ip_forward



3. Re: Centos 6.4 i386 + Squid

Reiner Chisté Zanotelli
reiner

(uses RedHat)

Sent on 10/04/2013 - 08:00h

Good morning Renato,

my file ended up like this, please check whether it is right.


#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
touch /proc/sys/net/ipv4/ip_forward




One detail: on the network machines where I set the Linux server as gateway and DNS, I can't even ping the internet.


4. Re: Centos 6.4 i386 + Squid

Reginaldo de Matias
saitam

(uses Slackware)

Sent on 10/04/2013 - 09:09h

reiner wrote:


"acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network"


The ACLs above don't match your network. You have to use ones that match your network for it to work.

The iptables rules you posted are not complete. If possible, post the firewall script you wrote.


5. Re: Centos 6.4 i386 + Squid

Reiner Chisté Zanotelli
reiner

(uses RedHat)

Sent on 10/04/2013 - 09:25h

Hello Saitam, good morning

man, this below is my iptables hahaha, please correct me wherever needed

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state -i eth1 --dport 10000 --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:PREROUTING ACCEPT [35:3059]
:INPUT ACCEPT [35:3059]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:6126]
:POSTROUTING ACCEPT [24:6126]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed




As for those ACLs, they are also the Squid default.

My internal network here goes from IP 192.168.0.1 to 192.168.0.253, that's all; I tried putting those numbers in but it says the new Squid standard is something with /16 or /32 and I don't understand it, how should I use it?
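As an added example (not any participant's script) covering the two things discussed in this thread, the forwarding flag and the iptables rules: the script below is written for the topology in the first post (eth0 192.168.1.10 toward the modem, eth1 192.168.0.10 toward the LAN, Squid on 3128 in transparent mode). The LAN_NET value 192.168.0.0/24 is an assumption derived from the stated 192.168.0.1-192.168.0.253 range, and the port 53 rule assumes BIND runs on the same box, as the first post says.

```shell
# Added example, not the poster's script: ruleset for the thread's topology
# (eth0 192.168.1.10 to the modem, eth1 192.168.0.10 to the LAN, Squid on 3128,
# transparent). LAN_NET is assumed: 192.168.0.1-192.168.0.253 fits in one /24,
# which is also the value the Squid ACL needs: "acl localnet src 192.168.0.0/24".
WAN_IF=eth0; LAN_IF=eth1; LAN_NET=192.168.0.0/24; SQUID_PORT=3128

# True when the kernel routes between interfaces; the optional path argument
# lets the check run against a scratch file instead of /proc.
forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# The thread's "echo 1" line ("touch" only bumps the timestamp and changes nothing);
# to survive a reboot on CentOS 6 add "net.ipv4.ip_forward = 1" to /etc/sysctl.conf.
enable_forward() {
    echo 1 > "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# Emit an iptables-restore ruleset. The posted rules end FORWARD with REJECT and
# never ACCEPT LAN traffic, so nothing is routed (hence no ping), and INPUT never
# accepts the redirected port 3128 or DNS from eth1, so Squid is unreachable too.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}
# "apply" loads the rules and turns routing on; anything else only prints them.
case "${1:-print}" in
    apply) build_rules | iptables-restore && enable_forward ;;
    *)     build_rules ;;
esac
```

Run it with no argument first and read the printed rules; run it as root with `apply` only once they match your interfaces.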


6. Re: Centos 6.4 i386 + Squid

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 10/04/2013 - 09:26h

reiner wrote:

Good morning Renato,

my file ended up like this, please check whether it is right.


#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
touch /proc/sys/net/ipv4/ip_forward




One detail: on the network machines where I set the Linux server as gateway and DNS, I can't even ping the internet.


Pay attention to my previous post. I did not write "touch"!


7. Re: Centos 6.4 i386 + Squid

Reiner Chisté Zanotelli
reiner

(uses RedHat)

Sent on 10/04/2013 - 09:39h

Hello Renato

I wrote it because I saw one with touch, so I thought it was meant to go there.

now I did it without touch, but it was the same, not even ping.


thanks


8. Re: Centos 6.4 i386 + Squid

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Sent on 10/04/2013 - 09:46h

reiner wrote:

Hello Renato

I wrote it because I saw one with touch, so I thought it was meant to go there.

now I did it without touch, but it was the same, not even ping.


thanks


You have to reboot the machine. If you don't want to, run that command manually.


9. Re: Centos 6.4 i386 + Squid

Reiner Chisté Zanotelli
reiner

(uses RedHat)

Sent on 10/04/2013 - 09:53h

Yes, I rebooted and nothing.





