Proxy Squid Version 5.5 + Alma Linux 9.4

1. Proxy Squid Version 5.5 + Alma Linux 9.4

Flávio Ricardo
maoflaric

(uses CentOS)

Posted on 24/09/2024 - 16:19h


Good morning, afternoon, evening,


I want to bring up an iptables firewall with a Squid proxy and a dhcpd server on Alma Linux 9.4. All the services are working normally, but I cannot get the transparent proxy to work, which would be much better.
Could anyone help me?
I'll put here what I have already done in squid and in iptables.

#SQUID.CONF

#### Header ####

http_port 172.17.10.1:3128
http_port 127.0.0.1:3128
visible_hostname fw-upa-cidoperaia-01

dns_nameservers 192.166.254.60
dns_nameservers 192.166.254.70

cache_mem 2048 MB
maximum_object_size_in_memory 512 MB
maximum_object_size 512 MB
minimum_object_size 0 MB
cache_swap_high 95
cache_swap_low 90
httpd_suppress_version_string on

cache_dir ufs /var/spool/squid 2048 16 256
error_directory /usr/share/squid/errors/pt-br
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 20% 2280
refresh_pattern . 15 20% 2280

#### Site-blocking ACL rules ####

# allowed sites
acl sites_liberados url_regex -i "/etc/squid/sites_liberados"
http_access allow sites_liberados

acl SitesBloqueados url_regex -i "/etc/squid/SitesBloqueados"
http_access deny SitesBloqueados

acl SitesImproprios url_regex -i "/etc/squid/SitesImproprios"
http_access deny SitesImproprios

#### Port ACLs ####

acl SSL_ports port 5938 # teamviewer
acl SSL_ports port 3389 # teamviewer
acl SSL_ports port 2200 # ssh
acl SSL_ports port 443 # https
acl SSL_ports port 444 # https
acl SSL_ports port 3001 # https
acl SSL_ports port 3002 # https
acl SSL_ports port 3003 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 8059 #
acl SSL_ports port 8050 #
acl SSL_ports port 8058 #
acl SSL_ports port 8061 # Sistema Ponto
acl SSL_ports port 2021 # Sistema Ponto
acl SSL_ports port 2022 # Sistema Ponto
acl SSL_ports port 3000 # Sistema Ponto
acl SSL_ports port 3001 # node socket sisupa
acl SSL_ports port 3002 # node socket sisupa
acl SSL_ports port 3003 # node socket sisupa
acl SSL_ports port 3005 # node socket sisupa
acl Safe_ports port 5938 # teamviewer (ACL names are case-sensitive; "safe_ports" would be a separate, unused ACL)
acl Safe_ports port 3389 # teamviewer
acl Safe_ports port 2200 # ssh
acl Safe_ports port 80 # http
acl Safe_ports port 83 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 444 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8050 # Sistema Ponto
acl Safe_ports port 8058 # Sistema Ponto
acl Safe_ports port 8059 # Sistema Ponto
acl Safe_ports port 8061 # Sistema Ponto
acl Safe_ports port 2021 # Sistema Ponto
acl Safe_ports port 2022 # Sistema Ponto
acl Safe_ports port 3000 # Sistema Ponto
acl Safe_ports port 3001 # Sistema Ponto

acl purge method PURGE # must match the name used in the http_access purge lines below
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
#http_access allow purge localhost
#http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

########## PROXY HIERARCHY ###########

#SEATI PROXY
cache_peer 192.166.254.2 parent 3128 3130 no-query no-digest

#### Local access rule ####

acl redelan src 172.17.10.0/24
http_access allow localhost
http_access allow redelan


http_access deny all


## Now the script I wrote for iptables

#!/bin/bash
# chkconfig: 2345 25 98

# FIREWALL SCRIPT FOR THE NETWORK GATEWAY

# VARIABLES
IF_LOCAL="enp3s0" # LAN interface
INTERNET="enp2s0" # external interface
LOCAL_NETWORK="172.17.10.0/24"
LOOPBACK="lo" # loopback interface

IPTABLES="/sbin/iptables" # iptables binary

begin(){

# FLUSH ALL RULES IN THE FILTER, MANGLE AND NAT TABLES
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
$IPTABLES -F -t nat
$IPTABLES -X

# DEFAULT POLICIES
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# CONNECTION SHARING (IP FORWARDING)
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

# RULES FOR TRAFFIC DESTINED TO THE FIREWALL ITSELF
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p tcp --dport 2200 -j ACCEPT # ssh from the external side
$IPTABLES -A INPUT -i $IF_LOCAL -p tcp --dport 2200 -j ACCEPT # ssh from the LAN
$IPTABLES -A INPUT -i $IF_LOCAL -p tcp --dport 3128 -s $LOCAL_NETWORK -d 172.17.10.1 -j ACCEPT # squid (explicit proxy)
$IPTABLES -A INPUT -i $INTERNET -p udp --dport 53 -j ACCEPT # DNS accepted on the external side
$IPTABLES -A INPUT -i $INTERNET -p udp --dport 161 -j ACCEPT # SNMP accepted on the external side
$IPTABLES -A INPUT -i $INTERNET -p icmp -j ACCEPT


# RULES FOR THE LOCAL NETWORK
$IPTABLES -A FORWARD -i $IF_LOCAL -p udp --dport 53 -s $LOCAL_NETWORK -j ACCEPT
$IPTABLES -A FORWARD -i $IF_LOCAL -p icmp -j ACCEPT

# RULES FOR SNAT
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -s $LOCAL_NETWORK -j SNAT --to-source 10.70.7.5
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 53,389,636,135,139,445,110,995,25,465,587 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp -m multiport --dports 53,389,636 -j ACCEPT

# END OF LOCAL NETWORK RULES
# STATEFUL RULES (replies to already accepted connections)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

echo "STARTING FIREWALL..."
}
stop(){
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -t mangle -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -X
echo "FIREWALL STOPPED, NETWORK UNPROTECTED"
}

case "$1" in
"start") begin ;;
"stop") stop ;;
"restart") stop; begin ;;
*) echo "Use the parameters start, stop or restart" ;;
esac


### Any tips on rules I could apply for the transparent proxy?

Thanks in advance.


  


2. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Daniel Lara Souza
danniel-lara

(uses Fedora)

Posted on 25/09/2024 - 17:52h


add this line to your squid.conf


http_port 3128 intercept # TRANSPARENT PROXY



3. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Flávio Ricardo
maoflaric

(uses CentOS)

Posted on 01/10/2024 - 17:49h


danniel-lara wrote:


add this line to your squid.conf


http_port 3128 intercept # TRANSPARENT PROXY



Hello!!!

It didn't work; I had already tested it before and tested it again. You still have to set the proxy on the PC in order to browse.



4. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Buckminster
Buckminster

(uses Debian)

Posted on 03/10/2024 - 08:50h

In Squid
http_port 172.17.10.1:3128 intercept
http_port 127.0.0.1:3128 intercept

In iptables
Make the changes below and test.

Add the line in the following position:
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -i $LOOPBACK -j ACCEPT <<< this line

Comment out the lines below:
# RULES FOR SNAT
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -s $LOCAL_NETWORK -j SNAT --to-source 10.70.7.5
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 53,389,636,135,139,445,110,995,25,465,587 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp -m multiport --dports 53,389,636 -j ACCEPT

# END OF LOCAL NETWORK RULES
# STATEFUL RULES
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


And put these in their place:
# ALLOW HTTP TRAFFIC AND REDIRECT IT TO THE PROXY
$IPTABLES -t nat -A PREROUTING -i $IF_LOCAL -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $IF_LOCAL -p tcp --dport 443 -j REDIRECT --to-port 3128

# Allow Squid traffic out to the internet
$IPTABLES -t nat -A POSTROUTING -s 172.17.10.0/24 -o $IF_LOCAL -j MASQUERADE

# Block access to Squid from external IPs (this rule is optional in your case, it is just extra safety)
$IPTABLES -A INPUT -p tcp --dport 3128 -s ! 127.0.0.1 -j DROP

# ALLOW ACCESS TO SQUID
$IPTABLES -A INPUT -p tcp --dport 3128 -j ACCEPT

# ALLOW FORWARDING
$IPTABLES -A FORWARD -i $IF_LOCAL -o $INTERNET -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -o $IF_LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT

Make the changes, restart and test.
Be careful not to get lost in the changes. I suggest you back up your script, make a new one with the changes and test it, but that's up to you.


_________________________________________________________
Always listen the Buck!
While the cursor is blinking, there is life!
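Editor's note, not part of the reply above. The rule set suggested there carries three mistakes that the following posts run into: `-i` is not accepted in the OUTPUT chain (that chain only has an outgoing interface), the negation has to be written `! -s 127.0.0.1` rather than `-s ! 127.0.0.1` on iptables 1.8 (the old form now yields "Bad argument"), and the MASQUERADE rule is attached to the LAN interface instead of the internet-facing one. Redirecting TCP/443 into an `http_port ... intercept` listener also cannot work: what Squid receives is a TLS ClientHello, not an HTTP request, and decrypting it needs `https_port ... ssl-bump` plus a CA trusted by every client. One more detail matters for the `127.0.0.1` listener tried later in the thread: REDIRECT rewrites the destination to the primary address of the incoming interface, so a LAN packet lands on `172.17.10.1:3129`, never on `127.0.0.1`. The script below is an added example written for this page, not the original poster's script and not from the reply; it assumes the interface names and addresses of the first post and that Squid keeps its plain `http_port 172.17.10.1:3128` and gains a separate `http_port 172.17.10.1:3129 intercept`. With `DRY_RUN=1` it prints the rules instead of applying them, so it can be reviewed on a machine without root or netfilter.

```bash
#!/bin/bash
# Added example, not from the thread. Assumptions (taken from post 1):
# LAN enp3s0 = 172.17.10.0/24 with the gateway at 172.17.10.1, WAN enp2s0,
# Squid keeps its plain listener on 3128 and adds
# "http_port 172.17.10.1:3129 intercept" for redirected traffic.
IF_LOCAL="enp3s0"
INTERNET="enp2s0"
LOCAL_NETWORK="172.17.10.0/24"
INTERCEPT_PORT="3129"

intercept_rules() {
    # DRY_RUN=1 prints the rules instead of applying them (review/test mode).
    local IPT="/sbin/iptables"
    if [ "${DRY_RUN:-0}" = "1" ]; then IPT="echo iptables"; fi

    # 1. Plain HTTP from the LAN is redirected into Squid's intercept port.
    #    REDIRECT rewrites only the destination; Squid recovers the original
    #    destination from conntrack, which is why the listener needs the
    #    "intercept" flag. Only PREROUTING is touched, so Squid's own outbound
    #    requests (which leave through OUTPUT) are never looped back into it.
    $IPT -t nat -A PREROUTING -i "$IF_LOCAL" -s "$LOCAL_NETWORK" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$INTERCEPT_PORT"

    # 2. No REDIRECT for 443: TLS cannot be fed to an http_port intercept
    #    listener. HTTPS is routed and NATed like any other traffic, which
    #    means Squid's URL blocklists do not see it. Filtering HTTPS needs
    #    https_port ... ssl-bump with a CA installed on every client, or an
    #    explicit (non-transparent) proxy setting pushed via WPAD/GPO.
    #    NAT happens on the interface the traffic LEAVES through (the WAN).
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NETWORK" -o "$INTERNET" -j MASQUERADE

    # 3. Only the LAN may reach the intercept port. "! -s" is the valid
    #    negation syntax; "-s !" is what produced "Bad argument" in post 6.
    $IPT -A INPUT -i "$IF_LOCAL" -s "$LOCAL_NETWORK" \
        -p tcp --dport "$INTERCEPT_PORT" -j ACCEPT
    $IPT -A INPUT ! -s "$LOCAL_NETWORK" -p tcp --dport "$INTERCEPT_PORT" -j DROP

    # 4. Routed traffic: LAN out, replies back. Nothing here uses "-i" in
    #    OUTPUT, which was the other error reported in post 6.
    $IPT -A FORWARD -i "$IF_LOCAL" -o "$INTERNET" -s "$LOCAL_NETWORK" -j ACCEPT
    $IPT -A FORWARD -i "$INTERNET" -o "$IF_LOCAL" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: "show" prints the rules; "apply" installs them (as root, on the gateway).
case "${1:-}" in
    show)  DRY_RUN=1 intercept_rules ;;
    apply) intercept_rules ;;
esac
```

Run `bash intercept.sh show` first and compare the printed lines against `iptables-save` after `apply`; the rules are appended with `-A`, so they belong after the flush section of the poster's own script and before its final RELATED,ESTABLISHED rules.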


5. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Flávio Ricardo
maoflaric

(uses CentOS)

Posted on 03/10/2024 - 09:15h


Buckminster wrote:

In Squid
http_port 172.17.10.1:3128 intercept
http_port 127.0.0.1:3128 intercept

In iptables
Make the changes below and test.

Add the line in the following position:
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -i $LOOPBACK -j ACCEPT <<< this line

Comment out the lines below:
# RULES FOR SNAT
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -s $LOCAL_NETWORK -j SNAT --to-source 10.70.7.5
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 53,389,636,135,139,445,110,995,25,465,587 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp -m multiport --dports 53,389,636 -j ACCEPT

# END OF LOCAL NETWORK RULES
# STATEFUL RULES
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


And put these in their place:
# ALLOW HTTP TRAFFIC AND REDIRECT IT TO THE PROXY
$IPTABLES -t nat -A PREROUTING -i $IF_LOCAL -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $IF_LOCAL -p tcp --dport 443 -j REDIRECT --to-port 3128

# Allow Squid traffic out to the internet
$IPTABLES -t nat -A POSTROUTING -s 172.17.10.0/24 -o $IF_LOCAL -j MASQUERADE

# Block access to Squid from external IPs (this rule is optional in your case, it is just extra safety)
$IPTABLES -A INPUT -p tcp --dport 3128 -s ! 127.0.0.1 -j DROP

# ALLOW ACCESS TO SQUID
$IPTABLES -A INPUT -p tcp --dport 3128 -j ACCEPT

# ALLOW FORWARDING
$IPTABLES -A FORWARD -i $IF_LOCAL -o $INTERNET -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -o $IF_LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT

Make the changes, restart and test.
Be careful not to get lost in the changes. I suggest you back up your script, make a new one with the changes and test it, but that's up to you.


_________________________________________________________
Always listen the Buck!
While the cursor is blinking, there is life!




Good morning, I'll make the changes and test, and come back to confirm yes or no; either way, thanks for your time.



6. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Flávio Ricardo
maoflaric

(uses CentOS)

Posted on 03/10/2024 - 14:55h


Buckminster wrote:

In Squid
http_port 172.17.10.1:3128 intercept
http_port 127.0.0.1:3128 intercept

In iptables
Make the changes below and test.

Add the line in the following position:
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -i $LOOPBACK -j ACCEPT <<< this line

Comment out the lines below:
# RULES FOR SNAT
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -s $LOCAL_NETWORK -j SNAT --to-source 10.70.7.5
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 53,389,636,135,139,445,110,995,25,465,587 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp -m multiport --dports 53,389,636 -j ACCEPT

# END OF LOCAL NETWORK RULES
# STATEFUL RULES
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


And put these in their place:
# ALLOW HTTP TRAFFIC AND REDIRECT IT TO THE PROXY
$IPTABLES -t nat -A PREROUTING -i $IF_LOCAL -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $IF_LOCAL -p tcp --dport 443 -j REDIRECT --to-port 3128

# Allow Squid traffic out to the internet
$IPTABLES -t nat -A POSTROUTING -s 172.17.10.0/24 -o $IF_LOCAL -j MASQUERADE

# Block access to Squid from external IPs (this rule is optional in your case, it is just extra safety)
$IPTABLES -A INPUT -p tcp --dport 3128 -s ! 127.0.0.1 -j DROP

# ALLOW ACCESS TO SQUID
$IPTABLES -A INPUT -p tcp --dport 3128 -j ACCEPT

# ALLOW FORWARDING
$IPTABLES -A FORWARD -i $IF_LOCAL -o $INTERNET -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -o $IF_LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT

Make the changes, restart and test.
Be careful not to get lost in the changes. I suggest you back up your script, make a new one with the changes and test it, but that's up to you.


_________________________________________________________
Always listen the Buck!
While the cursor is blinking, there is life!






Good afternoon, I made the changes as you showed, but there are some errors from squid and from iptables:

### Message from journalctl -xeu squid.service

The unit squid.service has entered the 'failed' state with result 'exit-code'.
Oct 03 14:33:40 fw systemd[1]: Failed to start Squid caching proxy.
░░ Subject: Unit squid.service has failed
░░ Defined-By: systemd
░░ Support: https://support.oracle.com
░░
░░ Unit squid.service has failed.
░░
░░ The result is failed.
Oct 03 14:46:22 fw systemd[1]: Starting Squid caching proxy...
░░ Subject: Unit squid.service is starting
░░ Defined-By: systemd
░░ Support: https://support.oracle.com
░░
░░ Unit squid.service is starting.
Oct 03 14:46:22 fw squid[1933]: 2024/10/03 14:46:22| Warning: empty ACL: acl SitesPermitidos url_regex -i "/etc/squid/SitesPermitidos"
Oct 03 14:46:22 fw squid[1933]: 2024/10/03 14:46:22| Warning: empty ACL: acl SitesBloqueados url_regex -i "/etc/squid/SitesBloqueados"
Oct 03 14:46:22 fw squid[1933]: 2024/10/03 14:46:22| Warning: empty ACL: acl SitesImproprios url_regex -i "/etc/squid/SitesImproprios"
Oct 03 14:46:22 fw squid[1933]: Squid Parent: will start 1 kids
Oct 03 14:46:22 fw squid[1933]: Squid Parent: (squid-1) process 1936 started
Oct 03 14:46:22 fw (squid-1)[1936]: FATAL: mimeLoadIcon: cannot parse internal URL: http://fw:0/squid-internal-static/icons/silk/image.png
Oct 03 14:46:22 fw squid[1933]: Squid Parent: squid-1 process 1936 exited with status 1
Oct 03 14:46:22 fw squid[1933]: Squid Parent: (squid-1) process 1939 started
Oct 03 14:46:23 fw (squid-1)[1939]: FATAL: mimeLoadIcon: cannot parse internal URL: http://fw:0/squid-internal-static/icons/silk/image.png
Oct 03 14:46:23 fw squid[1933]: Squid Parent: squid-1 process 1939 exited with status 1
Oct 03 14:46:23 fw squid[1933]: Squid Parent: (squid-1) process 1942 started
Oct 03 14:46:23 fw (squid-1)[1942]: FATAL: mimeLoadIcon: cannot parse internal URL: http://fw:0/squid-internal-static/icons/silk/image.png
Oct 03 14:46:23 fw squid[1933]: Squid Parent: squid-1 process 1942 exited with status 1
Oct 03 14:46:23 fw squid[1933]: Squid Parent: (squid-1) process 1945 started
Oct 03 14:46:23 fw (squid-1)[1945]: FATAL: mimeLoadIcon: cannot parse internal URL: http://fw:0/squid-internal-static/icons/silk/image.png
Oct 03 14:46:23 fw squid[1933]: Squid Parent: squid-1 process 1945 exited with status 1
Oct 03 14:46:23 fw squid[1933]: Squid Parent: (squid-1) process 1948 started
Oct 03 14:46:24 fw (squid-1)[1948]: FATAL: mimeLoadIcon: cannot parse internal URL: http://fw:0/squid-internal-static/icons/silk/image.png
Oct 03 14:46:24 fw squid[1933]: Squid Parent: squid-1 process 1948 exited with status 1
Oct 03 14:46:24 fw squid[1933]: Squid Parent: squid-1 process 1948 will not be restarted for 3600 seconds due to repeated, frequent failures
Oct 03 14:46:24 fw squid[1933]: Exiting due to repeated, frequent failures
Oct 03 14:46:24 fw systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://support.oracle.com
░░
░░ An ExecStart= process belonging to unit squid.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Oct 03 14:46:24 fw systemd[1]: squid.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://support.oracle.com
░░
░░ The unit squid.service has entered the 'failed' state with result 'exit-code'.
Oct 03 14:46:24 fw systemd[1]: Failed to start Squid caching proxy.
░░ Subject: Unit squid.service has failed
░░ Defined-By: systemd
░░ Support: https://support.oracle.com
░░
░░ Unit squid.service has failed.
░░
░░ The result is failed.


NOTE: I had already tried setting intercept on the recommended line, but the squid service always gives this error. If I remove intercept, squid works normally.


### End of squid error message ###

### iptables error ###
When running the script, the following error appears

iptables v1.8.10 (nf_tables): Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.
Bad argument `127.0.0.1'
Try `iptables -h' or 'iptables --help' for more information.
STARTING FIREWALL...


7. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Buckminster
Buckminster

(uses Debian)

Posted on 03/10/2024 - 16:30h

You can remove this line:
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT

Oct 03 14:46:22 fw squid[1933]: 2024/10/03 14:46:22| Warning: empty ACL: acl SitesPermitidos url_regex -i "/etc/squid/SitesPermitidos"
That is saying the ACLs are empty; probably there is nothing inside the files, or the syntax is wrong.

Oct 03 14:46:22 fw (squid-1)[1936]: FATAL: mimeLoadIcon: cannot parse internal URL: http://fw:0/squid-internal-static/icons/silk/image.png
Oct 03 14:46:22 fw squid[1933]: Squid Parent: squid-1 process 1936 exited with status 1
That error above is about the port, strange.

Try it like this in Squid:
http_port 172.17.10.1:3128 intercept

and then
http_port 172.17.10.1:3129 intercept
Comment out the line with 127.0.0.1, leave only one with intercept.


For iptables, undo the changes and keep your own configuration.
Restart both and test.

If the error persists, run:
# squid -NCd1

And post the output here.

Here is an example taken from squid-cache:
iptables -t nat -A OUTPUT --match owner --uid-owner squid -p tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3129

http_port 3129 intercept

https://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
https://wiki.squid-cache.org/ConfigExamples/

The links come out broken, it's a problem with VOL.

_________________________________________________________
Always listen the Buck!
While the cursor is blinking, there is life!


8. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Flávio Ricardo
maoflaric

(uses CentOS)

Posted on 03/10/2024 - 16:55h


Buckminster wrote:

You can remove this line:
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT

Oct 03 14:46:22 fw squid[1933]: 2024/10/03 14:46:22| Warning: empty ACL: acl SitesPermitidos url_regex -i "/etc/squid/SitesPermitidos"
That is saying the ACLs are empty; probably there is nothing inside the files, or the syntax is wrong.

Oct 03 14:46:22 fw (squid-1)[1936]: FATAL: mimeLoadIcon: cannot parse internal URL: http://fw:0/squid-internal-static/icons/silk/image.png
Oct 03 14:46:22 fw squid[1933]: Squid Parent: squid-1 process 1936 exited with status 1
That error above is about the port, strange.

Try it like this in Squid:
http_port 172.17.10.1:3128 intercept

and then
http_port 172.17.10.1:3129 intercept
Comment out the line with 127.0.0.1, leave only one with intercept.


For iptables, undo the changes and keep your own configuration.
Restart both and test.

If the error persists, run:
# squid -NCd1

And post the output here.

Here is an example taken from squid-cache:
iptables -t nat -A OUTPUT --match owner --uid-owner squid -p tcp --dport 80 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3129

http_port 3129 intercept

https://wiki.squid-cache.org/ConfigExamples/Intercept/AtSource
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
https://wiki.squid-cache.org/ConfigExamples/

The links come out broken, it's a problem with VOL.

_________________________________________________________
Always listen the Buck!
While the cursor is blinking, there is life!



2024/10/03 16:54:55| Warning: empty ACL: acl SitesPermitidos url_regex -i "/etc/squid/SitesPermitidos"
2024/10/03 16:54:55| Warning: empty ACL: acl SitesBloqueados url_regex -i "/etc/squid/SitesBloqueados"
2024/10/03 16:54:55| Warning: empty ACL: acl SitesImproprios url_regex -i "/etc/squid/SitesImproprios"
2024/10/03 16:54:55| Current Directory is /root
2024/10/03 16:54:55| Starting Squid Cache version 5.5 for x86_64-redhat-linux-gnu...
2024/10/03 16:54:55| Service Name: squid
2024/10/03 16:54:55| Process ID 1832
2024/10/03 16:54:55| Process Roles: master worker
2024/10/03 16:54:55| With 1024 file descriptors available
2024/10/03 16:54:55| Initializing IP Cache...
2024/10/03 16:54:55| DNS Socket created at [::], FD 8
2024/10/03 16:54:55| DNS Socket created at 0.0.0.0, FD 9
2024/10/03 16:54:55| Adding nameserver 192.166.254.60 from squid.conf
2024/10/03 16:54:55| Adding nameserver 192.166.254.70 from squid.conf
2024/10/03 16:54:55| Logfile: opening log /var/log/squid/access.log
2024/10/03 16:54:55| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
2024/10/03 16:54:55| Unlinkd pipe opened on FD 14
2024/10/03 16:54:55| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2024/10/03 16:54:55| Store logging disabled
2024/10/03 16:54:55| Swap maxSize 2097152 + 2097152 KB, estimated 322638 objects
2024/10/03 16:54:55| Target number of buckets: 16131
2024/10/03 16:54:55| Using 16384 Store buckets
2024/10/03 16:54:55| Max Mem size: 2097152 KB
2024/10/03 16:54:55| Max Swap size: 2097152 KB
2024/10/03 16:54:55| Rebuilding storage in /var/spool/squid (dirty log)
2024/10/03 16:54:55| Using Least Load store dir selection
2024/10/03 16:54:55| Current Directory is /root
2024/10/03 16:54:55| ERROR: No forward-proxy ports configured.
(the line above is repeated another 176 times)
2024/10/03 16:54:55| Not currently OK to rewrite swap log.
2024/10/03 16:54:55| storeDirWriteCleanLogs: Operation aborted.
2024/10/03 16:54:55| FATAL: mimeLoadIcon: cannot parse internal URL: http://fw:0/squid-internal-static/icons/silk/image.png
2024/10/03 16:54:55| Squid Cache (Version 5.5): Terminated abnormally.
2024/10/03 16:54:55| Removing PID file (/run/squid.pid)




9. almost there

Flávio Ricardo
maoflaric

(uses CentOS)

Posted on 03/10/2024 - 17:14h

I made some changes.

and it ended up like this


### iptables script ###


#!/bin/bash
# chkconfig: 2345 25 98

# FIREWALL SCRIPT WITH A GATEWAY ON THE NETWORK

# VARIABLE DECLARATIONS
IF_LOCAL="enp1s0" # interface local network
INTERNET="enp4s0f0" # external interface
LOCAL_NETWORK="172.20.90.0/24"
LOOPBACK="lo" # loopback interface

IPTABLES="/sbin/iptables" # firewall binary

begin(){

# FLUSH ALL RULES FROM THE FILTER, MANGLE AND NAT TABLES
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
$IPTABLES -F -t nat
$IPTABLES -X

# DEFAULT POLICIES
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# CONNECTION SHARING (ENABLE ROUTING)
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

# START OF RULES FOR TRAFFIC DESTINED TO THE FIREWALL ITSELF
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p tcp --dport 2200 -j ACCEPT
$IPTABLES -A INPUT -i $IF_LOCAL -p tcp --dport 2200 -j ACCEPT
$IPTABLES -A INPUT -i $IF_LOCAL -p tcp --dport 3128 -s $LOCAL_NETWORK -d 172.20.90.1 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p udp --dport 161 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNET -p icmp -j ACCEPT

# END OF RULES FOR TRAFFIC DESTINED TO THE FIREWALL ITSELF

# START OF RULES FOR THE LOCAL NETWORK
$IPTABLES -A FORWARD -i $IF_LOCAL -p udp --dport 53 -s $LOCAL_NETWORK -j ACCEPT
$IPTABLES -A FORWARD -i $IF_LOCAL -p icmp -j ACCEPT

# RULES FOR SNAT
$IPTABLES -t nat -A POSTROUTING -o $INTERNET -s $LOCAL_NETWORK -j SNAT --to-source 172.19.4.234

$IPTABLES -A FORWARD -p tcp -m tcp -m multiport --dports 53,389,636,135,139,445,110,995,25,465,587 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m udp -m multiport --dports 53,389,636 -j ACCEPT

# END OF RULES FOR THE LOCAL NETWORK

# ALLOW ESTABLISHED/RELATED CONNECTIONS (INSERTED AT THE TOP OF EACH CHAIN)
$IPTABLES -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# RULES FOR THE TRANSPARENT SQUID PROXY
$IPTABLES -t nat -A PREROUTING -i $IF_LOCAL -p tcp --dport 80 -j REDIRECT --to-port 3128
# (the original line ended in a stray ":wq" editor command after 443; fixed)
# note: a plain "http_port ... intercept" cannot parse TLS, so redirecting 443
# to it needs an https_port with ssl-bump on the Squid side
$IPTABLES -t nat -A PREROUTING -i $IF_LOCAL -p tcp --dport 443 -j REDIRECT --to-port 3128

echo "INICIANDO O FIREWALL..."
}

stop(){
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -t mangle -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -X
echo "FIREWALL PARADO, REDE DESPROTEGIDA"
}

case "$1" in
"start") begin ;;
"stop") stop ;;
"restart") stop; begin ;;
*) echo "Use os parametros start ou stop" ;;
esac

### squid.conf ###

#### Header ####
# Squid Cache: Version 5.5 #

# Change the port to listen for transparent (intercepted) traffic (one port only)
http_port 172.20.90.1:3128 intercept
http_port 127.0.0.1:3128

visible_hostname fw

dns_nameservers 192.166.254.60 192.166.254.70

cache_mem 2048 MB
maximum_object_size_in_memory 512 MB
maximum_object_size 512 MB
minimum_object_size 0 MB
cache_swap_high 95
cache_swap_low 90
httpd_suppress_version_string on

cache_dir ufs /var/spool/squid 2048 16 256
error_directory /usr/share/squid/errors/pt-br
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log

refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 20% 2280
refresh_pattern . 15 20% 2280

#### Site-blocking ACL rules ####

acl SitesPermitidos url_regex -i "/etc/squid/SitesPermitidos"
http_access allow SitesPermitidos

acl SitesBloqueados url_regex -i "/etc/squid/SitesBloqueados"
http_access deny SitesBloqueados

acl SitesImproprios url_regex -i "/etc/squid/SitesImproprios"
http_access deny SitesImproprios

#### Port ACLs ####

acl SSL_ports port 443 # https
acl SSL_ports port 444 # https
acl SSL_ports port 3001 # https
acl SSL_ports port 3002 # https
acl SSL_ports port 3003 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl SSL_ports port 8059 #
acl SSL_ports port 8050 #
acl SSL_ports port 8058 #
acl SSL_ports port 8061 # Sistema Ponto
acl SSL_ports port 2021 # Sistema Ponto
acl SSL_ports port 2022 # Sistema Ponto
acl SSL_ports port 3000 # Sistema Ponto
acl Safe_ports port 80 # http
acl Safe_ports port 83 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 444 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 8050 # Sistema Ponto
acl Safe_ports port 8058 # Sistema Ponto
acl Safe_ports port 8059 # Sistema Ponto
acl Safe_ports port 8061 # Sistema Ponto
acl Safe_ports port 2021 # Sistema Ponto
acl Safe_ports port 2022 # Sistema Ponto
acl Safe_ports port 3000 # Sistema Ponto
acl Safe_ports port 3001 # Sistema Ponto
# acl name fixed from "porge" to "purge" so the commented purge rules below would match it
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
#http_access allow purge localhost
#http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#### Local access rule ####

acl redelan src 172.20.90.0/24
http_access allow localhost
http_access allow redelan

http_access deny all

### I tried to access from a machine with no proxy set and saw these errors in access.log ###
1727985974.998 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.002 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.007 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.009 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.011 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.068 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.071 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.071 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.072 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.077 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.085 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.085 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.085 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.176 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.177 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.180 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.182 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.186 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.189 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.191 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.192 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.305 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.307 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.307 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.309 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.316 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.318 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.319 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.322 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.411 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.414 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.416 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.416 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.423 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.423 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.427 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.429 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.516 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.518 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.519 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.519 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.524 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.530 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.532 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.532 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.561 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.564 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.564 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.564 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.569 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.572 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.573 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.573 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.652 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.653 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.653 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.653 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.658 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.662 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html
1727985975.662 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html







10. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Flávio Ricardo
maoflaric

(uses CentOS)

Posted on 03/10/2024 - 17:15h


maoflaric wrote:

[quotes post 9 ("almost there") in full, with no additional text]









11. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Buckminster
Buckminster

(uses Debian)

Posted on 03/10/2024 - 21:58h

172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html

IP 172.20.90.50 made an invalid request, resulting in HTTP status code 400 (Bad Request). The "invalid-request" error usually means that the request the client (IP 172.20.90.50) made was not formatted correctly or did not match what Squid or the HTTP protocol expected.
It can also mean that the specific protocol/port/server or URL is being blocked. That means SSL ports are probably denied, or there are non-standard SSL ports, etc.
This port here
acl Safe_ports port 444 # https
What are you using it for?

Do one more test.
Comment out the line
dns_nameservers 192.166.254.60 192.166.254.70
Restart and access from that same machine with no proxy set, and see whether these errors keep showing up in access.log.

Then comment out the line
http_access deny CONNECT !SSL_ports
Restart and access from that same machine with no proxy set, and see whether these errors keep showing up in access.log.

Ping from that IP 172.20.90.50 to the proxy machine and see whether the proxy responds.
And run dig or nslookup against the DNS servers to make sure domain names are being resolved correctly.

I saw no error at all in the Squid and iptables configurations; they look correct.

Check the network card settings too.
Note that from one script to the other you changed the interfaces:
IF_LOCAL="enp3s0" # interface local network
INTERNET="enp2s0" # external interface

IF_LOCAL="enp1s0" # interface local network
INTERNET="enp4s0f0" # external interface


_________________________________________________________
Always listen the Buck!
As long as the cursor is blinking, there is life!
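Added example, not code from the thread, from Squid or from either poster: the access.log excerpt in post 9 and Buckminster's reading of it above both turn on one question, namely what a plain `http_port ... intercept` listener does with the first bytes of a connection that the `--dport 443 -j REDIRECT --to-port 3128` rule sends it. The script below parses the native access.log format shown in the thread, counts `error:invalid-request` entries per client, and models that listener's first decision on two constructed payloads: an HTTP request line and the start of a TLS ClientHello, which is what a browser sends to port 443. The names `parse_native_line`, `count_invalid_requests`, `classify_first_bytes` and `intercept_port_outcome` are mine; two sample log lines are copied from the thread and the third is constructed.

```python
"""Squid access.log triage for a transparent-proxy setup.

Added example for this thread, not code from Squid or from the posters.
It (1) parses Squid's native access.log format as shown in the thread and
counts error:invalid-request entries per client, and (2) models the first
decision an `http_port ... intercept` listener makes on a connection that
iptables has REDIRECTed to it: is the payload an HTTP request at all?
"""
import re
from collections import Counter

# Native log format: time elapsed client code/status bytes method URL user hier/peer type
NATIVE_LOG = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Two lines copied from the thread's access.log excerpt, plus one constructed
# line showing what a successfully intercepted plain-HTTP request looks like.
SAMPLE_LOG = [
    "1727985974.998 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html",
    "1727985975.002 0 172.20.90.50 NONE_NONE/400 3582 - error:invalid-request - HIER_NONE/- text/html",
    "1727985976.100 12 172.20.90.50 TCP_MISS/200 1532 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html",
]

# Constructed payloads: an HTTP/1.1 request, and the start of a TLS record
# (content type 0x16 = handshake, version 0x0301, handshake type 0x01 = ClientHello).
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def parse_native_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = NATIVE_LOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def count_invalid_requests(lines):
    """Count NONE_NONE/400 error:invalid-request entries per client address."""
    per_client = Counter()
    for line in lines:
        rec = parse_native_line(line)
        if rec and rec["status"] == 400 and rec["url"] == "error:invalid-request":
            per_client[rec["client"]] += 1
    return dict(per_client)


def classify_first_bytes(payload):
    """Classify the first bytes of an intercepted connection.

    A TLS record starts with content type 0x16 (handshake) and a 0x03 0x0N
    version; that is what a browser sends to port 443.  An HTTP request starts
    with an upper-case method, a request target and an HTTP-version token.
    """
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-clienthello"
    request_line = payload.split(b"\r\n", 1)[0].split(b" ")
    if (len(request_line) == 3 and request_line[0].isalpha()
            and request_line[0].isupper() and request_line[2].startswith(b"HTTP/")):
        return "http-request"
    return "not-http"


def intercept_port_outcome(payload):
    """Model of what a plain `http_port ... intercept` does with the payload.

    Only an HTTP request can be parsed and handed to the http_access rules;
    anything else is rejected with 400 and logged as error:invalid-request.
    """
    if classify_first_bytes(payload) == "http-request":
        return "parsed; http_access rules apply"
    return "NONE_NONE/400 error:invalid-request"


if __name__ == "__main__":
    print("invalid requests per client:", count_invalid_requests(SAMPLE_LOG))
    for name, payload in (("HTTP request", HTTP_REQUEST), ("TLS ClientHello", TLS_CLIENT_HELLO)):
        print(f"{name:16s} -> {classify_first_bytes(payload):16s} -> {intercept_port_outcome(payload)}")
```

The model reflects documented Squid behaviour rather than anything specific to this thread: an intercept `http_port` expects an HTTP request, a TLS handshake record is not one, and the Squid intercept documentation states that port 443 cannot be intercepted without SslBump. So every browser connection to port 443 that the second REDIRECT rule sends to 3128 is answered with 400 and logged as one `NONE_NONE/400 error:invalid-request` line per attempt, which is consistent with the burst of identical 3582-byte responses from 172.20.90.50 within a few milliseconds. The two options are to remove the port 443 REDIRECT rule, so HTTPS is simply forwarded and SNATed while only port 80 is intercepted and filtered, or to add an `https_port ... intercept ssl-bump` listener backed by a CA certificate installed on every client, which is a separate feature with its own privacy and key-management implications.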


12. Re: Proxy Squid Version 5.5 + Alma Linux 9.4

Flávio Ricardo
maoflaric

(uses CentOS)

Posted on 10/10/2024 - 10:13h


Buckminster wrote:

[quotes post 11 in full]







Good morning, friend Buckminster. Man, it just won't work at all. I don't know whether it's the distro I'm using, Oracle Linux 9.4, which for me is better for firewall/iptables services among others. I see many transparent Squid proxy how-tos, old ones even; the newest is from 2019, but using Debian or Ubuntu Server. Let me ask you: would there be a chance for us to do a video conference to set up this transparent Squid proxy on Oracle Linux 9, and then, with it working, we could publish it here for those who are in the same situation as me :-) ? If the answer is yes, I'll set up the scenario I'm in right now and we schedule a time to look at it together. In any case, thank you in advance for all your time.


