Squid 3.1.20 não acessa DNS local

1. Squid 3.1.20 não acessa DNS local

Leandro Gabriel
leo150250

(usa Debian)

Enviado em 27/09/2013 - 12:00h

Olá a todos.

Primeira postagem minha aqui no site, pois procuro na internet há dias uma solução para o problema mas não estou encontrando. A situação é a seguinte:

Internet
|
|
|
| - XXX.XXX.XXX.230
Servidor principal
| - 10.64.0.1, 10.65.0.1, 10.66.0.1
|
|----- Servidor secundário - 10.64.0.2
|
|----- Rede administrativa - 10.64.0.0/12
|----- Rede academica (vlan) - 10.65.0.0/12 (não vem ao caso)
|----- Rede para visitantes (vlan) - 10.66.0.0/12 (não vem ao caso também!)

O servidor principal é um servidor Cisco, com o Debian 7 "wheezy" instalado, com os seguintes serviços:
* apache2
* squid 3.1.20
* bind9
* firewall (iptables)

O servidor secundário também é um servidor Cisco, também com o Debian 7 "wheezy", mas com os seguintes serviços:
* mysql
* apache2
* samba
* munin
* ...e outros serviços que não vem ao caso!

Mas o squid3 no servidor principal não está em pleno funcionando porque estou com um pequeno problema com ele: Ele NÃO ESTÁ resolvendo o DNS local.

Por exemplo: O BIND9 redireciona tranquilamente os hosts "servidor-2" e "intranet-minha" (NOMES ALTERADOS POR QUESTÕES DE SEGURANÇA) para o IP 10.64.0.2, mas quando os tais hosts são requisitados por um host que está acessando a rede com o proxy (10.64.0.1, porta 3128), vem a mensagem do proxy informando que o servidor DNS retornou:
"Name Error: The domain name does not exist."
MAS O BIND9 ESTÁ FUNCIONANDO CORRETAMENTE, a prova disso é que, se eu desabilitar o proxy e tentar acessar os hosts, a página da intranet abre tranquilamente, com todos os dados que devem ser exibidos, sem interrupção nenhuma!

Porém, se o problema parasse por aí, tudo bem! O detalhe é que o squid está ATRASANDO a resolução de nomes TAMBÉM. Se tento abrir o site www.baixaki.com.br sem utilizar o proxy, o site abre rapidamente. Porém, se tento acessá-lo por meio do proxy, a cada site que ele tenta conectar, demora cerca de 30 segundos até conseguir obter os dados do servidor requisitado, o que faz com que a página do baixaki inicialmente leve algo em torno de 3 minutos para abrir, o que normalmente ela abre totalmente em 5 segundos ou menos!

Vou postar as configurações que estão no squid3.conf, no bind e no script do firewall para ver se há algo de errado...

Squid3 (Boa parte dessas configurações não fui eu quem fez, tive que obtê-las como "padrão" da instituição [federal, por sinal!])
######################################################################################################################################
## IDENTIFICACAO DAS REDES
#acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl rede_administrativa src 10.64.0.0/16
acl dhcp_administrativa src 10.64.254.0/24
acl rede_academica src 10.65.0.0/16
#acl dhcp_academica src 10.65.254.0/24
acl rede_visitantes src 10.66.0.0/16
acl allow_mac arp "/etc/squid3/allow_mac"
acl block_mac arp "/etc/squid3/block_mac"
acl block_dom dstdom_regex -i "/etc/squid3/block_dom"
acl block_url url_regex -i "/etc/squid3/block_url"
acl lab_info src "/etc/squid3/lab_info"
deny_info ERR_BLOQUEADO block_mac
deny_info ERR_CADASTRO dhcp_administrativa
#deny_info ERR_CADASTRO_ACAD dhcp_academica

##ACLS CONTROLE POR HORÃRIOS
#acl manha time 08:00-11:59
#acl almoco time 12:00-13:59
#acl tarde time 14:00-17:59
#acl noite time 18:00-07:59

## ACLs PARA CONTROLE DE PORTAS
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 53 # DNS
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl purge method PURGE
acl CONNECT method CONNECT

# Bloqueando os MACs
http_access deny block_mac

# Habilitando MACs

# Bloqueando DHCPs não autorizados
#http_access deny dhcp_administrativa
http_access allow dhcp_administrativa !block_dom
#http_access deny dhcp_academica

# Only allow cachemgr access from localhost
#http_access allow manager
http_access allow manager localhost
#http_access deny manager

# Only allow purge requests from localhost
#http_access allow purge
http_access allow purge localhost
#http_access deny purge

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

## POLÍTICA DAS ACL CONTROLE POR HORÁRIO
#delay_access 2 allow manha
#delay_access 2 deny almoco
#delay_access 2 allow tarde
#delay_access 2 deny noite

## LIBERANDO QUE AS REDES ACESSEM O PROXY DIRETAMENTE
http_access allow localhost
#http_access allow lab_info !block_dom
http_access allow rede_administrativa
http_access allow rede_academica
http_access allow rede_visitantes

# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
icp_access deny all

# Squid normally listens to port 3128
#http_port 3128 intercept
http_port 3128 transparent
visible_hostname proxy.rede.lan
#tcp_outgoing_address 10.64.0.1
dns_nameservers 10.64.0.1 10.65.0.1 10.66.0.1

# REPASSAR IP DO CLIENT NOS LOGS
forwarded_for on
follow_x_forwarded_for allow all

#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

## CONFIGURAÇÕES DO CACHE
cache_mem 128 MB
maximum_object_size_in_memory 1024 KB
minimum_object_size 512 bytes
maximum_object_size 1024 MB
cache_dir ufs /var/spool/squid3 30720 16 256
memory_replacement_policy lru
cache_replacement_policy lru
store_dir_select_algorithm least-load
cache_swap_low 90
cache_swap_high 95
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

## LOGS
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
logfile_rotate 0
emulate_httpd_log off
log_ip_on_direct on
pid_filename /var/run/squid3.pid
log_fqdn off

#visible_hostname austin
error_directory /usr/share/squid3/errors/Portuguese
coredump_dir /var/spool/squid3

## DELAY POOLS (http://www.squid-cache.org/Doc/config/delay_parameters/)
# # Nº DE DELAY POOL UTILIZADO
delay_pools 4

# Velocidade:
#delay_parameters 2 32000/32000 8000/8000
# Note that 8 x 64000 KByte/sec -> 512Kbit/sec. -> 64 KByte/sec.
# Note that 8 x 32000 KByte/sec -> 256Kbit/sec. -> 32 KByte/sec.
# 8 x 8000 KByte/sec -> 64Kbit/sec. -> 8 KByte/sec.
# 0 Byte/sec
# -1 Unlimited
# Class 1: host ilimitados
#acl unlimited src 10.64.0.1/32 10.64.3.1/32
acl unlimited src "/etc/squid3/ilimitados"
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow unlimited

# Class 2: limite de downlod de arquivos
acl downloads_adm url_regex -i ftp .exe .msi .mp3 .mp4 .vqf .zip .rar .avi .mpeg .mpe .mpg .qt .ram .$
delay_class 2 1
delay_parameters 2 512000/512000
delay_access 2 allow downloads_adm !rede_visitantes

# Class 3: limite de downlod de arquivos da rede de visita
acl downloads_vis url_regex -i ftp .exe .msi .mp3 .mp4 .vqf .zip .rar .avi .mpeg .mpe .mpg .qt .ram .$
delay_class 3 1
delay_parameters 2 128000/128000
delay_access 2 allow downloads_vis rede_visitantes

# Class 4:
delay_class 4 1
delay_parameters 3 128000/128000
delay_access 2 allow rede_visitantes
######################################################################################################################################

BIND (Esses fui eu quem fiz!)
named.conf.options
######################################################################################################################################
options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// Servidores DNS externos
forwarders {
// Google Public servers
8.8.8.8;
8.8.4.4;
// OpenDNS servers
208.67.222.222;
208.67.220.220;
};

// Opcoes de seguranca
listen-on port 53 { 127.0.0.1; 10.64.0.1; 10.65.0.1; 10.66.0.1; };
allow-query { 127.0.0.1; 10.64.0.0/12; };
allow-recursion { 127.0.0.1; 10.64.0.0/12; };
allow-transfer { none; };

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable no;
//dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035
// listen-on-v6 { any; };
};
######################################################################################################################################

named.conf.local
######################################################################################################################################
//
// Do any local configuration here
//

zone "rede.lan" {
type master;
file "/etc/bind/db.rede.lan";
};

zone "64.10.in-addr.arpa" {
type master;
file "/etc/bind/db.64.10";
};

zone "65.10.in-addr.arpa" {
type master;
file "/etc/bind/db.65.10";
};

zone "66.10.in-addr.arpa" {
type master;
file "/etc/bind/db.66.10";
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
######################################################################################################################################

db.rede.lan
######################################################################################################################################
; BIND para a zona rede.lan

$TTL 3D
@ IN SOA ns.rede.lan. root.rede.lan. (
2013092601 ; serial
8H ; refresh
2H ; retry
4W ; expire
1D ) ; minimum
;
@ IN NS ns ; Inet address of name server

ns IN A 10.64.0.1

; Principais
rede.lan. IN A 10.64.0.1
servidor-1 IN A 10.64.0.1
servidor-2 IN A 10.64.0.2

; Servicos
router IN A 10.64.0.1
gateway IN CNAME router
gw IN CNAME router
proxy IN CNAME servidor-1
www IN CNAME servidor-1
intranet-minha IN CNAME servidor-2
######################################################################################################################################

db.64.10
######################################################################################################################################
; Arquivo BIND para todos os enderecos 10.64.xxx.xxx

$TTL 3D
@ IN SOA ns.rede.lan. root.rede.lan. (
2013092602 ; serial
8H ; refresh
2H ; retry
4W ; expire
1D ) ; minimum
;
@ IN NS ns.rede.lan. ; Nameserver address

; Servicos
1.0 IN PTR servidor-1.rede.lan.
1.0 IN PTR ns.rede.lan.
1.0 IN PTR router.rede.lan.
2.0 IN PTR servidor-2.rede.lan.
2.0 IN PTR intranet-minha.rede.lan.
######################################################################################################################################

resolv.conf (resolvi postar também pra mostrar que tá configuradinho!)
######################################################################################################################################
domain rede.lan
search rede.lan
nameserver 127.0.0.1
######################################################################################################################################

política de firewall (Tem um outro arquivo que inclui este e chama as funções deste, somente isso!)
######################################################################################################################################
#!/bin/bash
#
# Script de Firewall
# ============================
# Autor: Leandro Gabriel
# Este script foi baseado no script de firewall de Cesar Augustus Silva (cesaraugustussilva@linuxmail.org)
#

#Carregando daemon de exibicao de log
#. /lib/lsb/init-functions

# Redes
network=10.64.0.0/12
net_rede=10.64.0.0/16
net_acad=10.65.0.0/16
net_visi=10.66.0.0/16

# Interface da lan
iflan_rede=eth3
iflan_acad=eth0
iflan_visi=eth1

# Interface de rede externa
ifnet=eth2

# O comando IPTABLES
ipt=/sbin/iptables

# O comando MODPROBE
mpb=/sbin/modprobe

$mpb iptable_filter
$mpb iptable_nat
$mpb iptable_mangle
$mpb ipt_LOG
$mpb ipt_REDIRECT
$mpb ipt_MASQUERADE

# O caminho da pasta ipv4
ipv4=/proc/sys/net/ipv4

# Listas
block_DOM=`cat /etc/firewall/block_DOM`
block_IP=`cat /etc/firewall/block_IP`
block_MAC=`cat /etc/firewall/block_MAC`

BLOQUEIO () {
log_progress_msg "b_sitesIP"
for i in $block_DOM
do
for j in $block_IP
do
$ipt -A INPUT -m string --algo bm --string $i -s $j -j REJECT
$ipt -A OUTPUT -m string --algo bm --string $i -s $j -j REJECT
$ipt -A FORWARD -m string --algo bm --string $i -s $j -j REJECT
done
done
log_progress_msg "b_MAC"
for i in $block_MAC
do
$ipt -t filter -A INPUT -m mac --mac-source $i -j DROP
#$ipt -t filter -A PREROUTING -m mac --mac-source $i -j DROP
$ipt -t filter -A FORWARD -m mac --mac-source $i -j DROP
done
}
PROXY () {
log_progress_msg "proxy"
# Redirecionar
$ipt -t nat -A PREROUTING -s $net_rede -p tcp --dport 80 -j REDIRECT --to-port 3128
$ipt -t nat -A PREROUTING -s $net_acad -p tcp --dport 80 -j REDIRECT --to-port 3128
$ipt -t nat -A PREROUTING -s $net_visi -p tcp --dport 80 -j REDIRECT --to-port 3128
}
INTERNET () {
log_progress_msg "net"
# Mascaramento
$ipt -t nat -A POSTROUTING -o $ifnet -s $network -j MASQUERADE
# Redirecionar pacotes
echo 1 > $ipv4/ip_forward
}

LIMPAR () {
log_progress_msg "clear"
# Remover regras
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F

# Apagar chains
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

# Zerar contadores
$ipt -Z
$ipt -t nat -Z
$ipt -t mangle -Z
}

PARAR () {
# Limpar regras
LIMPAR

# Atribuir politica padrao
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT

# Compartilhar a internet
INTERNET
}

INICIAR () {
# Limpar regras
LIMPAR

# Atribuir politica padrao
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD DROP

# Compartilhar a internet
INTERNET

##################################################################
##### SEGURANCA ##################################################
##################################################################
log_progress_msg "sec"

# Protecao para SYN Flood
echo 1 > $ipv4/tcp_syncookies

# Rejeitar requisicao de ICMP Echo destinado a Broadcasts e Multicasts
echo 1 > $ipv4/icmp_echo_ignore_broadcasts

# Ignorar mensagens falsas de icmp_error_responses
echo 1 > $ipv4/icmp_ignore_bogus_error_responses

for i in $ipv4/conf/*; do
# Nao redirecionar mensagens ICMP
echo 0 > $i/accept_redirects

# Protecao a Ataques IP Spoofing
echo 0 > $i/accept_source_route

# Permitir que pacotes forjados sejam logados pelo proprio kernel
echo 1 > $i/log_martians

# Verificar endereco de origem do pacote (protecao a ataques IP Spoofing)
echo 1 > $i/rp_filter
done

BLOQUEIO

##################################################################
##### ADICIONANDO REGRAS PARA SERVIDORES #########################
##################################################################
log_progress_msg "srvr"

# Apache - Servidor Web
$ipt -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Proxy
#$ipt -A INPUT -i eth2 -p tcp --dport 3128 -j ACCEPT
$ipt -A INPUT -i $iflan_rede -p tcp --dport 3128 -j ACCEPT
$ipt -A INPUT -i $iflan_acad -p tcp --dport 3128 -j ACCEPT
$ipt -A INPUT -i $iflan_visi -p tcp --dport 3128 -j ACCEPT

# Bind9 - Servidor DNS
$ipt -A INPUT -i $iflan_rede -p tcp --dport 53 -j ACCEPT
$ipt -A INPUT -i $iflan_acad -p tcp --dport 53 -j ACCEPT
$ipt -A INPUT -i $iflan_visi -p tcp --dport 53 -j ACCEPT
#$ipt -A INPUT -i $ifnet -p tcp --dport 53 -j ACCEPT
$ipt -A INPUT -i $iflan_rede -p udp --dport 53 -j ACCEPT
$ipt -A INPUT -i $iflan_acad -p udp --dport 53 -j ACCEPT
$ipt -A INPUT -i $iflan_visi -p udp --dport 53 -j ACCEPT
#$ipt -A INPUT -i $ifnet -p udp --dport 53 -j ACCEPT
#$ipt -A INPUT -s $network -p tcp --dport 53 -j ACCEPT
#$ipt -A INPUT -s $network -p udp --dport 53 -j ACCEPT

# DHCP - Servidor DHCP
$ipt -A INPUT -i $iflan_rede -p udp --sport 68 --dport 67 -j ACCEPT
$ipt -A INPUT -i $iflan_acad -p udp --sport 68 --dport 67 -j ACCEPT
$ipt -A INPUT -i $iflan_visi -p udp --sport 68 --dport 67 -j ACCEPT

# IPP - Protocolo de Impressao na Internet
$ipt -A INPUT -i $iflan_rede -p tcp --dport 631 -j ACCEPT
$ipt -A INPUT -i $iflan_rede -p udp -m multiport --dports 138,631 -j ACCEPT

# ProFTP - Servidor FTP
$ipt -A INPUT -i $iflan_rede -p tcp --dport 21 -j ACCEPT
$ipt -A INPUT -i $iflan_rede -p tcp -m multiport --dports 49152:49162 -j ACCEPT

# MySQL - Banco de Dados MySQL
$ipt -A INPUT -i $iflan_rede -p tcp --dport 3306 -j ACCEPT

# Samba - Servicos de Diretorio da Microsoft
$ipt -A INPUT -i $iflan_rede -p tcp -m multiport --dports 445,139 -j ACCEPT
$ipt -A INPUT -i $iflan_rede -p udp -m multiport --dports 137,138 -j ACCEPT
$ipt -t nat -A PREROUTING -i $iflan_rede -p tcp --dport 445 -j DNAT --to 10.64.0.2:445
$ipt -t nat -A PREROUTING -i $iflan_rede -p tcp --dport 139 -j DNAT --to 10.64.0.2:139
$ipt -t nat -A PREROUTING -i $iflan_rede -p udp --dport 137 -j DNAT --to 10.64.0.2:137
$ipt -t nat -A PREROUTING -i $iflan_rede -p udp --dport 138 -j DNAT --to 10.64.0.2:138

# SSH - Servidor SSH
$ipt -A INPUT -i $iflan_rede -p tcp --dport 22 -j ACCEPT

# VNC - Servidor de Acesso Remoto
$ipt -A INPUT -p tcp --dport 5900 -j ACCEPT

# Munin - Monitorizacao dos servidores
$ipt -A INPUT -p tcp --dport 4949 -j ACCEPT

# SIAPE
$ipt -A INPUT -p tcp --dport 8999 -j ACCEPT
$ipt -A INPUT -p tcp --dport 23000 -j ACCEPT

##################################################################
##### ADICIONANDO REGRAS PARA SERVICOS ###########################
##################################################################
log_progress_msg "srvc"

# DNS
$ipt -A FORWARD -o $ifnet -p udp -m multiport --dports 53,5353 -j ACCEPT
$ipt -A FORWARD -o $ifnet -p tcp -m multiport --dports 53,5353 -j ACCEPT
$ipt -A FORWARD -s $network -p tcp --dport 53 -j ACCEPT
$ipt -A FORWARD -s $network -p udp --dport 53 -j ACCEPT
$ipt -A FORWARD -s $network -p tcp --sport 53 -j ACCEPT
$ipt -A FORWARD -s $network -p udp --sport 53 -j ACCEPT

# FTP
$ipt -A FORWARD -o $ifnet -p tcp --dport 21 -j ACCEPT

# HTTP
$ipt -A FORWARD -o $ifnet -p tcp -m multiport --dports 80,8080 -j ACCEPT

# HTTPS
$ipt -A FORWARD -o $ifnet -p tcp --dport 443 -j ACCEPT

# NTP - Sincronizacao de relogios
$ipt -A FORWARD -o $ifnet -p udp --dport 123 -j ACCEPT

# Ping
$ipt -A INPUT -i $iflan_rede -p icmp --icmp-type 8 -j ACCEPT
$ipt -A INPUT -i $iflan_acad -p icmp --icmp-type 8 -j ACCEPT
#$ipt -A INPUT -i $iflan_visi -p icmp --icmp-type 8 -j ACCEPT
$ipt -A FORWARD -o $ifnet -p icmp --icmp-type 8 -j ACCEPT

# RDP - Area de trabalho remota
$ipt -A FORWARD -o $ifnet -p tcp --dport 3389 -j ACCEPT

# SSH
$ipt -A FORWARD -o $ifnet -p tcp --dport 22 -j ACCEPT

# VNC - Computacao em rede virtual
$ipt -A FORWARD -o $iflan_rede -p tcp --dport 5900 -j ACCEPT

# Munin - Monitorizacao dos servidores
$ipt -A FORWARD -o $iflan_rede -p tcp --dport 4949 -j ACCEPT

# Bloqueio de UltraSurf
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|1603000035010000310300|" --algo bm -j DROP
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|16030000610100005d0300|" --algo bm -j DROP
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|16030100410100003d0301|" --algo bm -j DROP
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|160301007d010000790301|" --algo bm -j DROP
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|16030100800100007c0301|" --algo bm -j DROP
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|1603010084010000800301|" --algo bm -j DROP
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|160301009d010000990301|" --algo bm -j DROP
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|16030100a00100009c0301|" --algo bm -j DROP
$ipt -I FORWARD -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 256 --hex-string "|00040005000a00090064006200030006001300120063|" --algo bm -j DROP
$ipt -A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf= "

#Proxy tá comentado porque não tá funcionando...
#PROXY

# Habilitando comunicacao entre as redes
$ipt -A FORWARD -d 10.64.0.0/16 -s 10.65.0.0/16 -j ACCEPT
$ipt -A FORWARD -d 10.65.0.0/16 -s 10.64.0.0/16 -j ACCEPT
$ipt -A FORWARD -d 10.64.0.0/16 -s 10.66.0.0/16 -j ACCEPT
$ipt -A FORWARD -d 10.66.0.0/16 -s 10.64.0.0/16 -j ACCEPT

# Manter conexoes estabelecidas
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Liberando o trafego na interface loopack
$ipt -A INPUT -i lo -j ACCEPT

##################################################################
##### LOG ########################################################
##################################################################
$ipt -A INPUT -p tcp -m multiport ! --dports 0:1056 -j DROP
$ipt -A INPUT -p udp -j DROP
$ipt -A INPUT -p icmp -j DROP
$ipt -A INPUT -m limit --limit 3/m --limit-burst 3 -j LOG --log-prefix "LOG-FW: "
}
######################################################################################################################################

Acho que é isso, se faltou alguma informação, me avisem!

Considerações finais:

Quando se acessa o log do squid no momento que há a requisição para abrir o "http://intranet-minha/", retorna o seguinte:
1380294798.468 230 10.64.3.1 TCP_MISS/503 4304 GET http://intranet-minha/ - DIRECT/intranet-minha text/html
(10.64.3.1 é o IP da máquina que estou!)

O proxy realmente está comentado por causa desse problema, para que eu possa testá-lo e, assim que ele estiver realmente funcionando, aí sim eu coloco ele na rede como transparent... ou intercept... ou sei lá... Aliás, a partir da versão que estou utilizando, ouvi dizer algo na internet sobre o fato da função "transparent" ter caído e se transformado na função "intercept", é verdade ou não??

Para as configurações do bind9 eu peguei os exemplos do site www.servidordebian.org... E adaptei algumas coisas que alguns disseram que era pra fazer pra funcionar melhor!

Algumas coisas na política de firewall estão comentadas porque não são necessárias, mas se tiver alguma delas que está comentada mas que deveria não estar, me avisem!

Atualmente o proxy está como transparent... ou intercept... ou sei lá... Mas futuramente tenho planos de usar aquele negócio do wpad.dat pra não utilizá-lo como transparent... ou intercept... ou sei lá... e assim ele também gerenciar conexões via https!

Desde já, agradeço a atenção por ter lido até aqui embaixo, e já agradeço se vocês puderem me ajudar!


  






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts