Enviado em 28/03/2016 - 23:37h
Olá,http_port 3128 intercept
visible_hostname faztudo
#CACHE PARA DOWNLOADS
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
#LOCALIZAÇO DO ARQUIVO DE LOG DO SQUI
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 15 20% 4320
acl localnet src 192.168.0.0/24 # RFC 1918 possible internal network
acl SSL_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
#!/bin/bash
############ Variaveis #############
IPT=/sbin/iptables
####################################
IF_WAN=enp0s3
IF_LAN=enp0s8
#IP_WAN=""
IP_LAN=192.168.0.200/24
IP_GW=192.168.1.1
####### rede e seus ranges #########
REDE_INTERNA=192.168.0.0/24
####### conf squid #########
# your proxy IP
SQUIDIP=192.168.0.200/24
# your proxy listening port
SQUIDPORT=3128
############## Portas ##############
HTTP=80
HTTPS=443
SSH=22
DNS=53
POP3=110
SMTP=587
function IniciaFirewall(){
#### politica padrao - NEGA TUDO ####
echo "politica por omissao - negar TUDO"
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
##### configurando interfaces #######
ifconfig $IF_LAN $IP_LAN
route del default
route add default gw $IP_GW
echo "apaga as regras ja existentes"
$IPT -F
$IPT -X
$IPT -Z
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
$IPT -F POSTROUTING -t nat
$IPT -F PREROUTING -t nat
$IPT -F OUTPUT -t nat
############ stateless ###############
echo "permite loopbak"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
########### statefull ################
echo "descarta pacotes invalidos"
$IPT -A INPUT -m state --state INVALID -j DROP
echo "regras STATEFULL genericas"
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
########### DHCP ################
$IPT -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
echo "permitir DNS [ok]"
$IPT -A OUTPUT -p udp --sport 1024:65535 --dport $DNS -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $IF_LAN -o $IF_WAN --dport $DNS -j ACCEPT
echo "permite HTTP [ok]"
#$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport $HTTP -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $HTTP -j ACCEPT
echo "permite HTTPS [ok]"
#$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport $HTTPS -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $HTTPS -j ACCEPT
echo "libera portas para e-mail [ok]"
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $POP3 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $POP3 -j ACCEPT
$IPT -A FORWARD -p tcp -i $IF_LAN -o $IF_WAN --dport $SMTP -j ACCEPT
echo "libera SSH [ok]"
$IPT -A INPUT -p tcp --dport $SSH -j LOG --log-level 4 --log-prefix 'SSH_WAN > '
$IPT -A INPUT -p tcp -i $IF_WAN --dport $SSH -j ACCEPT
########## seguranca da rede ##############
echo "Impedindo ataque Ping of Death e ping flood no Firewall vindo da rede interna"
#A regra abaixo limita em 1 vez por segundo (--limit 1/s) a passagem de pings (echo requests) para o Firewall
$IPT -A INPUT -p icmp --icmp-type echo-request -i $IF_LAN -j LOG --log-level 4 --log-prefix 'PING_INERNO > '
$IPT -A INPUT -p icmp --icmp-type echo-request -i $IF_LAN -m limit --limit 1/s -j ACCEPT
echo "Descarte de pacotes nao identificados ICMP"
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A INPUT -m state -p icmp --state INVALID -j DROP
$IPT -A FORWARD -m state -p icmp --state INVALID -j DROP
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
############ regras intercept squid cache #############
$IPT -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
$IPT -t nat -A POSTROUTING -j MASQUERADE
$IPT -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
############ compartilha link #############
echo "compartilha link de internet [ok]"
$IPT -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE
echo "habilitando encaminhamento de pacotes [ok]"
echo 1 > /proc/sys/net/ipv4/ip_forward
}
function LiberaFirewall(){
echo "politica Libera TUDO"
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#########################################
# configurando interfaces
#########################################
ifconfig $IF_LAN $IP_LAN
route del default
route add default gw $IP_GW
echo "apaga as regras ja existentes"
$IPT -F
$IPT -X
$IPT -Z
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
########## compartilha link ###############
echo "compartilha link de internet [ok]"
$IPT -t nat -A POSTROUTING -o $IF_WAN -j MASQUERADE
echo "habilitando encaminhamento de pacotes [ok]"
echo 1 > /proc/sys/net/ipv4/ip_forward
}
case $1 in
start)
IniciaFirewall
exit 0
;;
stop)
LiberaFirewall
exit 1
;;
restart)
LiberaFirewall;IniciaFirewall
exit 2
;;
*)
echo
echo "Use ||start|| para iniciar as regras desse Firewall, ||restart|| para reiniciar e ||stop|| para descartar todas as politicas de seguranca, NAO FACA ISSO!"
echo
exit 3
;;
esac
# FIM: tudo que não for explicitamente permitido será negado!
ls -l /var/log/squid/
total 88
-rw-r-----. 1 squid squid 0 Mar 28 22:56 access.log
-rw-r-----. 1 squid squid 88409 Mar 28 23:02 cache.log
Compartilhando a tela do Computador no Celular via Deskreen
Como Configurar um Túnel SSH Reverso para Acessar Sua Máquina Local a Partir de uma Máquina Remota
Configuração para desligamento automatizado de Computadores em um Ambiente Comercial
Como renomear arquivos de letras maiúsculas para minúsculas
Imprimindo no formato livreto no Linux
Vim - incrementando números em substituição
Efeito "livro" em arquivos PDF
Como resolver o erro no CUPS: Unable to get list of printer drivers
SysAdmin ou DevOps: Qual curso inicial pra essa área? (3)
É cada coisa que me aparece! - não é só 3% (3)
Melhorando a precisão de valores flutuantes em python[AJUDA] (5)
[Python] Automação de scan de vulnerabilidades
[Python] Script para analise de superficie de ataque
[Shell Script] Novo script para redimensionar, rotacionar, converter e espelhar arquivos de imagem
[Shell Script] Iniciador de DOOM (DSDA-DOOM, Doom Retro ou Woof!)
[Shell Script] Script para adicionar bordas às imagens de uma pasta