Squid SSL_ports

1. Squid SSL_ports

Fernando Castanho Morini
fcmorini

(uses Debian)

Sent on 26/08/2013 - 15:31h

Good afternoon, everyone. I'm a beginner with proxy servers and I have a question! I had a hard time getting the new Skype/Outlook/Messenger to work through the proxy. I'm setting up a firewall server where the policies are as follows:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

I opened the Squid port for the internal network...
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT

Everything worked perfectly, but that piece of junk Skype, logging in with a Microsoft account, did not... I struggled, dumping the connections and hunting for every URL that showed up, trying to get Skype to connect. When I was about to give up, I tried one last alternative.
In squid.conf I changed the line:
http_access deny CONNECT !SSL_ports to http_access allow CONNECT SSL_ports
After that change Squid finally allowed Skype's connection...
Now I'm left with a nagging doubt: what are the consequences of changing this "acl"? As I understand it, the first rule tells Squid to block connections except (!) SSL_ports, while the second allows connections to SSL_ports; wouldn't they be equivalent?
Thanks to everyone who takes part, and any explanation is very welcome!
Thank you...
Fernando C. Morini
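
The question above, whether `http_access deny CONNECT !SSL_ports` and `http_access allow CONNECT SSL_ports` are interchangeable, comes down to how Squid evaluates http_access: lines are read top to bottom, the first line whose ACLs all match decides, and when nothing matches the opposite of the last line applies. The following Python script is an added example (not from the thread) that models the ACLs from the squid.conf posted later in this thread and walks a few constructed requests through both rule orders:

```python
import ipaddress
from dataclasses import dataclass

# ACL definitions taken from the squid.conf posted in this thread, reduced to what the
# CONNECT question needs (manager/purge/icp lines are left out).
SSL_PORTS = {443, 563, 873}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777, 631, 873, 901}
SAFE_PORT_RANGE = range(1025, 65536)          # "acl Safe_ports port 1025-65535"
LOCALNET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCALHOST = ipaddress.ip_network("127.0.0.1/32")


@dataclass(frozen=True)
class Request:
    src: str      # client address as seen by Squid
    method: str   # "CONNECT" or "GET"
    port: int     # destination port


def acl(name: str, req: Request) -> bool:
    """Evaluate one ACL name (with optional leading '!' negation) against a request."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    src = ipaddress.ip_address(req.src)
    if name == "SSL_ports":
        hit = req.port in SSL_PORTS
    elif name == "Safe_ports":
        hit = req.port in SAFE_PORTS or req.port in SAFE_PORT_RANGE
    elif name == "CONNECT":
        hit = req.method == "CONNECT"
    elif name == "localnet":
        hit = any(src in net for net in LOCALNET)
    elif name == "localhost":
        hit = src in LOCALHOST
    elif name == "all":
        hit = True
    else:
        raise ValueError(f"ACL {name!r} not defined")
    return hit != negate


def http_access(rules, req: Request) -> str:
    """Squid semantics: a line matches when ALL of its ACLs match, the first matching
    line wins, and if no line matches the opposite of the last line's action applies."""
    for action, names in rules:
        if all(acl(n, req) for n in names):
            return action
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


# The http_access section as posted, and the variant the original poster switched to.
ORIGINAL = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
MODIFIED = [
    ("deny", ["!Safe_ports"]),
    ("allow", ["CONNECT", "SSL_ports"]),   # the replaced line
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Constructed sample requests: a LAN client doing ordinary HTTPS, the same client
# tunnelling to a non-SSL high port and to SMTP, a client outside localnet, plain HTTP.
SAMPLES = [
    Request("10.1.1.1", "CONNECT", 443),
    Request("10.1.1.1", "CONNECT", 8443),
    Request("10.1.1.1", "CONNECT", 25),
    Request("203.0.113.5", "CONNECT", 443),
    Request("10.1.1.1", "GET", 80),
]


def compare(samples=SAMPLES):
    """Return {request: (decision with ORIGINAL, decision with MODIFIED)}."""
    return {r: (http_access(ORIGINAL, r), http_access(MODIFIED, r)) for r in samples}


if __name__ == "__main__":
    for req, (before, after) in compare().items():
        flag = "  <-- differs" if before != after else ""
        print(f"{req.src:>14} {req.method:<7} :{req.port:<5} original={before:<5} modified={after:<5}{flag}")
```

Two requests come out differently: the LAN client tunnelling to a non-SSL high port (8443 is inside Safe_ports, so nothing denies it once the deny CONNECT line is gone) and a client outside localnet doing CONNECT 443, both refused by the original order and accepted by the modified one.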


2. Re: Squid SSL_ports

Carlos Alberto de Souza Barbosa
souzacarlos

(uses Other)

Sent on 02/09/2013 - 22:40h

Good evening. Your problem isn't in this acl; what you did was open every port for connections. Did you notice you set the FORWARD POLICY to DROP? That means it's blocking everything that crosses the router. What you need to do is open the ports Skype needs to connect in the FORWARD CHAIN; take a look here on VOL, there's plenty of material on that.


3. Re: Squid SSL_ports

Roberto Costa
asparion

(uses Ubuntu)

Sent on 02/09/2013 - 23:49h

Good evening....
Do you have this rule in your iptables

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

?????????????????????


4. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(uses Debian)

Sent on 03/09/2013 - 08:08h

souzacarlos wrote:

Good evening. Your problem isn't in this acl; what you did was open every port for connections. Did you notice you set the FORWARD POLICY to DROP? That means it's blocking everything that crosses the router. What you need to do is open the ports Skype needs to connect in the FORWARD CHAIN; take a look here on VOL, there's plenty of material on that.


Yes, I noticed, because that is exactly my intention: to block the connections that get past the proxy, so that some smart guys can't use that ULTRASURF (Chinese anti-proxy.. ah, those Chinese!)
As for Skype's ports, it preferably uses 443 or 80 (the ones that are redirected to the proxy): iptables -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -s $IPLAN -i $IFLAN -j REDIRECT --to 3128
I also opened the high ports 25000:65535
I'm running tests here, thanks for the reply


5. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(uses Debian)

Sent on 03/09/2013 - 08:09h

asparion wrote:

Good evening....
Do you have this rule in your iptables

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

?????????????????????


Yes, I've already done that one (the basic rule for sharing the connection, right)...


6. Skype via Proxy

Fernando Castanho Morini
fcmorini

(uses Debian)

Sent on 09/09/2013 - 11:04h

Guys, I've been racking my brains for a few weeks now and haven't managed to solve the problem with Skype going through the proxy... I'll post the configs and logs here to see if anyone can help me...
FIREWALL

#!/bin/bash

# VARIABLE DECLARATION
IPTABLES="/sbin/iptables"

# FLUSH ALL RULES
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F -t nat
$IPTABLES -X -t nat
$IPTABLES -Z -t nat
$IPTABLES -F -t mangle
$IPTABLES -X -t mangle
$IPTABLES -Z -t mangle

# SET POLICIES TO DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

##### INPUT RULES #####
# LOG ALL INCOMING PACKETS
$IPTABLES -A INPUT -j LOG --log-prefix "INPUT: "
# OPEN PORTS
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i eth1 -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -i eth1 -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 3128 -i eth1 -s 10.1.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

##### FORWARD RULES #####
# LOG CONNECTIONS PASSING THROUGH THE FIREWALL
$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD: "
# ALLOW CONNECTIONS TO OTHER NETWORKS (ONLY FOR THE HOSTS LISTED IN IPS)
IPS="10.1.1.2"
for IP in $IPS; do
    $IPTABLES -A FORWARD -s $IP -j ACCEPT
    $IPTABLES -A FORWARD -d $IP -j ACCEPT
done

##### NAT RULES #####
# LOG CONNECTIONS IN THE NAT TABLE, PREROUTING CHAIN
$IPTABLES -t nat -A PREROUTING -j LOG --log-prefix "NAT-PREROUTING: "
# LOG CONNECTIONS IN THE NAT TABLE, POSTROUTING CHAIN
$IPTABLES -t nat -A POSTROUTING -j LOG --log-prefix "NAT-POSTROUTING: "
# ALLOW BYPASSING THE PROXY
# NOTE: the loop variable $IP is not used in this rule; every iteration adds the same rule for 10.1.1.1/32
for IP in $IPS; do
    $IPTABLES -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -s 10.1.1.1/32 -i eth1 -j ACCEPT
done
# REDIRECT CONNECTIONS TO THE PROXY
$IPTABLES -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -i eth1 -s 10.1.1.0/24 -j REDIRECT --to-port 3128
# ALLOW INTERNET ACCESS
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.1.1.0/24 -j MASQUERADE

SQUID.CONF WITH HTTP_ACCESS ALLOW LOCALNET

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid

PROXY ACCESS LOG WITH THE ALLOW CONFIGURATION

1378732423.214 1241 10.1.1.1 TCP_MISS/200 7214 CONNECT login.live.com:443 - DIRECT/131.253.61.80 -
1378732424.413 1194 10.1.1.1 TCP_MISS/200 5851 CONNECT login.live.com:443 - DIRECT/131.253.61.100 -
1378732425.636 1165 10.1.1.1 TCP_MISS/200 11439 CONNECT login.live.com:443 - DIRECT/131.253.61.82 -
1378732432.015 6363 10.1.1.1 TCP_MISS/200 22075 CONNECT auth.gfx.ms:443 - DIRECT/23.4.184.70 -
1378732451.950 7332 10.1.1.1 TCP_MISS/200 11743 CONNECT login.live.com:443 - DIRECT/131.253.61.82 -
1378732453.409 1440 10.1.1.1 TCP_MISS/200 9276 CONNECT login.live.com:443 - DIRECT/131.253.61.84 -
1378732464.920 1765 10.1.1.1 TCP_MISS/200 6921 CONNECT 131.253.61.80:443 - DIRECT/131.253.61.80 -
1378732471.614 49889 10.1.1.1 TCP_MISS/200 5226 CONNECT apps.skypeassets.com:443 - DIRECT/23.62.51.240 -
1378732472.226 959 10.1.1.1 TCP_MISS/200 5531 GET http://api.skype.com/users/live:billmusic/profile/avatar - DIRECT/91.190.218.17 image/jpeg
1378732472.560 1567 10.1.1.1 TCP_MISS/200 1513 CONNECT 149.13.32.15:443 - DIRECT/149.13.32.15 -
1378732472.778 541 10.1.1.1 TCP_MISS/200 3934 GET http://api.skype.com/users/live:welingtonmuniz/profile/avatar - DIRECT/91.190.218.17 image/jpeg
1378732472.806 19124 10.1.1.1 TCP_MISS/200 8854 CONNECT api.skype.com:443 - DIRECT/91.190.218.17 -
1378732475.170 1582 10.1.1.1 TCP_MISS/200 6937 CONNECT 131.253.61.80:443 - DIRECT/131.253.61.80 -
1378732475.370 1666 10.1.1.1 TCP_MISS/200 6761 CONNECT 131.253.61.80:443 - DIRECT/131.253.61.80 -
1378732476.091 2500 10.1.1.1 TCP_MISS/200 6761 CONNECT 131.253.61.80:443 - DIRECT/131.253.61.80 -
1378732476.487 4870 10.1.1.1 TCP_MISS/302 587 GET http://ui.skype.com/ui/0/6.5.0.158./pt-BR/upgrade - DIRECT/157.56.109.8 text/html
1378732476.524 5503 10.1.1.1 TCP_CLIENT_REFRESH_MISS/200 414 GET http://ui.skype.com/ui/0/6.5.0.158./pt-BR/getlatestversion? - DIRECT/157.56.109.8 text/plain
1378732480.140 2138 10.1.1.1 TCP_MISS/200 7620 CONNECT 65.55.142.165:443 - DIRECT/65.55.142.165 -
1378732480.195 1664 10.1.1.1 TCP_MISS/200 5478 CONNECT 157.56.108.82:443 - DIRECT/157.56.108.82 -
1378732480.808 1279 10.1.1.1 TCP_MISS/200 4234 CONNECT 157.55.102.249:443 - DIRECT/157.55.102.249 -
1378732480.872 11090 10.1.1.1 TCP_MISS/200 1514 CONNECT 213.166.51.4:443 - DIRECT/213.166.51.4 -
1378732482.534 1549 10.1.1.1 TCP_MISS/200 1120 CONNECT 212.161.8.36:443 - DIRECT/212.161.8.36 -
1378732482.537 6022 10.1.1.1 TCP_MISS/302 626 GET http://www.skype.com/go/getskype-full-last - DIRECT/157.56.109.9 text/html
1378732485.702 7261 10.1.1.1 TCP_MISS/200 176716 CONNECT connect.facebook.net:443 - DIRECT/23.196.31.139 -
1378732486.012 2161 10.1.1.1 TCP_MISS/200 4746 CONNECT 157.56.194.23:443 - DIRECT/157.56.194.23 -
1378732488.933 6388 10.1.1.1 TCP_MISS/200 66922 GET http://download.skype.com/8cb1db0f1525077c8e684e4d8ec63eb0/SkypeSetupFull.exe - DIRECT/72.164.252.83 application/octet-stream
1378732490.584 1946 10.1.1.1 TCP_MISS/200 5994 CONNECT 157.56.194.23:443 - DIRECT/157.56.194.23 -
1378732491.802 18986 10.1.1.1 TCP_MISS/200 6846 CONNECT apps.skype.com:443 - DIRECT/23.62.50.161 -
1378732491.817 6056 10.1.1.1 TCP_MISS/200 101648 CONNECT ajax.aspnetcdn.com:443 - DIRECT/65.54.85.57 -
1378732493.608 1599 10.1.1.1 TCP_MISS/200 1006 CONNECT 212.161.8.36:443 - DIRECT/212.161.8.36 -
1378732495.177 1925 10.1.1.1 TCP_MISS/200 6026 CONNECT 157.56.194.23:443 - DIRECT/157.56.194.23 -
1378732497.643 6026 10.1.1.1 TCP_MISS/200 4899 CONNECT secure.skypeassets.com:443 - DIRECT/23.62.49.195 -
1378732497.942 6136 10.1.1.1 TCP_MISS/200 6060 CONNECT www.facebook.com:443 - DIRECT/31.13.73.49 -
1378732498.140 6448 10.1.1.1 TCP_MISS/200 3577 CONNECT m.hotmail.com:443 - DIRECT/65.54.225.167 -
1378732498.208 265 10.1.1.1 TCP_MISS/200 1312 CONNECT apps.skype.com:443 - DIRECT/23.62.50.161 -
1378732498.278 66 10.1.1.1 TCP_MISS/200 39 CONNECT apps.skype.com:443 - DIRECT/23.62.50.161 -
1378732498.347 67 10.1.1.1 TCP_MISS/200 39 CONNECT apps.skype.com:443 - DIRECT/23.62.50.161 -
1378732498.371 6544 10.1.1.1 TCP_MISS/200 6045 CONNECT c.msn.com:443 - DIRECT/65.52.108.11 -
1378732498.382 238 10.1.1.1 TCP_MISS/200 1312 CONNECT apps.skype.com:443 - DIRECT/23.62.50.161 -
1378732498.598 248 10.1.1.1 TCP_MISS/200 39 CONNECT api.skype.com:443 - DIRECT/91.190.218.17 -
1378732499.166 568 10.1.1.1 TCP_MISS/200 20496 CONNECT secure.skypeassets.com:443 - DIRECT/23.62.49.195 -
1378732505.321 6151 10.1.1.1 TCP_MISS/200 20496 CONNECT secure.skypeassets.com:443 - DIRECT/23.62.49.195 -
1378732505.341 6969 10.1.1.1 TCP_MISS/200 31407 CONNECT s-static.ak.facebook.com:443 - DIRECT/96.16.82.110 -
1378732505.591 248 10.1.1.1 TCP_MISS/200 1383 CONNECT apps.skype.com:443 - DIRECT/23.62.50.161 -
1378732505.592 268 10.1.1.1 TCP_MISS/200 1383 CONNECT apps.skype.com:443 - DIRECT/23.62.50.161 -
1378732505.647 7262 10.1.1.1 TCP_MISS/200 5924 CONNECT aidps.atdmt.com:443 - DIRECT/131.253.40.44 -
1378732506.776 1125 10.1.1.1 TCP_REFRESH_MISS/200 172457 GET http://connect.facebook.net/en_US/all.js - DIRECT/23.196.31.139 application/x-javascript
1378732506.847 1202 10.1.1.1 TCP_REFRESH_MISS/200 172457 GET http://connect.facebook.net/en_US/all.js - DIRECT/23.196.31.139 application/x-javascript
1378732521.153 46385 10.1.1.1 TCP_MISS/200 5684 CONNECT 78.141.179.13:443 - DIRECT/78.141.179.13 -
1378732521.154 38022 10.1.1.1 TCP_MISS/200 12628 CONNECT 134.170.19.35:443 - DIRECT/134.170.19.35 -
1378732521.154 23342 10.1.1.1 TCP_MISS/200 4117 CONNECT 157.56.194.23:443 - DIRECT/157.56.194.23 -
1378732521.154 49954 10.1.1.1 TCP_MISS/200 2072 CONNECT 91.190.218.20:443 - DIRECT/91.190.218.20 -
1378732521.154 142 10.1.1.1 TCP_MISS/000 0 CONNECT 212.161.8.36:443 - NONE/- -
1378732521.159 57707 10.1.1.1 TCP_MISS/200 20760 CONNECT 65.55.223.21:443 - DIRECT/65.55.223.21 -
1378732527.954 6490 10.1.1.1 TCP_MISS/200 9138 CONNECT login.live.com:443 - DIRECT/131.253.61.82 -
1378732528.592 7129 10.1.1.1 TCP_MISS/200 9138 CONNECT login.live.com:443 - DIRECT/131.253.61.82 -
1378732529.116 1155 10.1.1.1 TCP_MISS/200 5851 CONNECT login.live.com:443 - DIRECT/131.253.61.100 -
1378732529.804 1204 10.1.1.1 TCP_MISS/200 5827 CONNECT login.live.com:443 - DIRECT/131.253.61.80 -
1378732531.971 2153 10.1.1.1 TCP_MISS/200 11431 CONNECT login.live.com:443 - DIRECT/131.253.61.86 -
1378732537.898 5883 10.1.1.1 TCP_MISS/200 4567 CONNECT auth.gfx.ms:443 - DIRECT/23.4.184.70 -
1378732538.679 759 10.1.1.1 TCP_MISS/200 1108 CONNECT auth.gfx.ms:443 - DIRECT/23.4.184.70 -

SQUID.CONF WITH HTTP_ACCESS DENY LOCALNET

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
##### Rules to allow Skype
acl skype url_regex -i "/root/skype_urls.txt"
http_access allow localnet skype
################################
http_access deny localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid

PROXY ACCESS LOG WITH THE DENY CONFIGURATION

1378733853.979 6385 10.1.1.1 TCP_MISS/200 11407 CONNECT login.live.com:443 - DIRECT/131.253.61.82 -
1378733889.865 2122 10.1.1.1 TCP_MISS/200 11729 CONNECT login.live.com:443 - DIRECT/131.253.61.102 -
1378733891.318 1430 10.1.1.1 TCP_MISS/200 9268 CONNECT login.live.com:443 - DIRECT/131.253.61.98 -
1378733898.591 6997 10.1.1.1 TCP_MISS/200 6776 CONNECT api.skype.com:443 - DIRECT/91.190.218.17 -
1378733902.940 0 10.1.1.1 TCP_DENIED/403 1492 CONNECT 131.253.61.82:443 - NONE/- text/html
1378733923.987 0 10.1.1.1 TCP_DENIED/403 1492 CONNECT 131.253.61.82:443 - NONE/- text/html
1378733924.984 70966 10.1.1.1 TCP_MISS/200 22052 CONNECT auth.gfx.ms:443 - DIRECT/23.13.168.70 -
1378733945.117 0 10.1.1.1 TCP_DENIED/403 1492 CONNECT 131.253.61.82:443 - NONE/- text/html
1378733960.035 68638 10.1.1.1 TCP_MISS/200 5226 CONNECT apps.skypeassets.com:443 - DIRECT/23.62.51.240 -
1378733960.036 61416 10.1.1.1 TCP_MISS/200 3482 CONNECT api.skype.com:443 - DIRECT/91.190.218.17 -
1378733966.145 0 10.1.1.1 TCP_DENIED/403 1492 CONNECT 131.253.61.82:443 - NONE/- text/html
1378733984.462 81237 10.1.1.1 TCP_MISS/200 2455 CONNECT 65.55.223.21:443 - DIRECT/65.55.223.21 -

SKYPE_URLS.TXT FILE WITH THE URLs TO ALLOW

131.253.61.80
131.253.61.82
134.170.19.35
149.13.32.15
157.55.102.249
157.56.108.82
157.56.194.23
212.161.8.36
213.166.51.4
65.55.142.165
65.55.223.21
78.141.179.13
91.190.218.20
aidps.atdmt.com
ajax.aspnetcdn.com
api.skype.com
apps.skypeassets.com
apps.skype.com
auth.gfx.ms
c.msn.com
connect.facebook.net
http://connect.facebook.net/en_US/all.js
http://connect.facebook.net/en_US/all.js
http://download.skype.com/8cb1db0f1525077c8e684e4d8ec63eb0/SkypeSetupFull.exe
http://ui.skype.com/ui/0/6.5.0.158./pt-BR/getlatestversion?
http://ui.skype.com/ui/0/6.5.0.158./pt-BR/upgrade
http://www.skype.com/go/getskype-full-last
login.live.com
m.hotmail.com
secure.skypeassets.com
s-static.ak.facebook.com
www.facebook.com

If anyone with the patience can help me, I no longer know what to do, because with the proxy allowing full access Skype works, but with deny plus the URL whitelist it doesn't...
Many thanks to everyone who can help!


7. Re: Squid SSL_ports

Buckminster
Buckminster

(uses Debian)

Sent on 09/09/2013 - 11:07h

Do it like this:
# the CONNECT acl must be defined before the http_access line that uses it
acl CONNECT method CONNECT
acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+)?\])):443
acl Skype_UA browser ^skype
http_access allow CONNECT localnet numeric_IPs Skype_UA
#
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

The Skype allow rule must come BEFORE the ACL http_access deny CONNECT !SSL_ports.


For more information, see this:
http://wiki.squid-cache.org/ConfigExamples/Chat/Skype


8. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(uses Debian)

Sent on 09/09/2013 - 11:44h

Buckminster wrote:

Do it like this:
# the CONNECT acl must be defined before the http_access line that uses it
acl CONNECT method CONNECT
acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+)?\])):443
acl Skype_UA browser ^skype
http_access allow CONNECT localnet numeric_IPs Skype_UA
#
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

The Skype allow rule must come BEFORE the ACL http_access deny CONNECT !SSL_ports.


For more information, see this:
http://wiki.squid-cache.org/ConfigExamples/Chat/Skype


I had already done that too, but just to be sure I did it again and it didn't work.... One detail: when I try to use the Microsoft login it doesn't work at all either... the other way it sometimes connects and sometimes doesn't!

I left squid.conf like this:
/etc/squid/squid.conf
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

##### Rules to allow Skype
acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+)?\])):443
acl Skype_UA browser ^skype
http_access allow CONNECT localnet numeric_IPs Skype_UA
#############################################################################

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

##### Rules to allow Skype (commented out)
#acl skype url_regex -i "/root/skype_urls.txt"
#http_access allow localnet skype
################################
http_access deny localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid

LOG AFTER THE CHANGE

1378737622.422 0 10.1.1.1 TCP_DENIED/403 1494 CONNECT login.live.com:443 - NONE/- text/html
1378737622.428 0 10.1.1.1 TCP_DENIED/403 1494 CONNECT login.live.com:443 - NONE/- text/html
1378737622.469 0 10.1.1.1 TCP_DENIED/403 1506 CONNECT apps.skypeassets.com:443 - NONE/- text/html
1378737628.677 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737633.778 5092 10.1.1.1 TCP_DENIED/403 1490 CONNECT 65.55.223.21:443 - NONE/- text/html
1378737638.241 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737639.258 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737640.248 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737641.281 1 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737642.313 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737643.357 5112 10.1.1.1 TCP_DENIED/403 1490 CONNECT 65.55.223.33:443 - NONE/- text/html
1378737644.284 1 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737645.322 6056 10.1.1.1 TCP_DENIED/403 1490 CONNECT 157.56.52.47:443 - NONE/- text/html
1378737645.324 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737645.333 5081 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.235.176:443 - NONE/- text/html
1378737646.358 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737647.337 6046 10.1.1.1 TCP_DENIED/403 1490 CONNECT 157.56.52.45:443 - NONE/- text/html
1378737648.341 6021 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.235.142:443 - NONE/- text/html
1378737651.335 6009 10.1.1.1 TCP_DENIED/403 1492 CONNECT 157.55.56.156:443 - NONE/- text/html
1378737652.362 6001 10.1.1.1 TCP_DENIED/403 1496 CONNECT 213.199.179.173:443 - NONE/- text/html
1378737665.385 21093 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.130.143:443 - NONE/- text/html
1378737731.703 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737736.772 5066 10.1.1.1 TCP_DENIED/403 1490 CONNECT 65.55.223.21:443 - NONE/- text/html
1378737740.257 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737741.276 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737742.281 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737744.273 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737745.285 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737745.325 5061 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.235.147:443 - NONE/- text/html
1378737746.296 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737747.337 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737747.356 6075 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.235.143:443 - NONE/- text/html
1378737748.360 6068 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.130.160:443 - NONE/- text/html
1378737748.363 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737750.365 6084 10.1.1.1 TCP_DENIED/403 1492 CONNECT 157.55.56.172:443 - NONE/- text/html
1378737751.330 6042 10.1.1.1 TCP_DENIED/403 1490 CONNECT 65.55.223.20:443 - NONE/- text/html
1378737752.374 6074 10.1.1.1 TCP_DENIED/403 1496 CONNECT 213.199.179.159:443 - NONE/- text/html
1378737753.367 6026 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.235.176:443 - NONE/- text/html
1378737754.368 6001 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.130.142:443 - NONE/- text/html
1378737917.748 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737922.857 5105 10.1.1.1 TCP_DENIED/403 1490 CONNECT 65.55.223.21:443 - NONE/- text/html
1378737927.334 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737928.405 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737929.406 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737930.430 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737931.441 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737932.412 5072 10.1.1.1 TCP_DENIED/403 1492 CONNECT 157.55.56.173:443 - NONE/- text/html
1378737933.364 1 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737934.439 6027 10.1.1.1 TCP_DENIED/403 1494 CONNECT 111.221.77.167:443 - NONE/- text/html
1378737934.443 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737935.406 5973 10.1.1.1 TCP_DENIED/403 1492 CONNECT 111.221.74.17:443 - NONE/- text/html
1378737935.474 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html
1378737936.428 5995 10.1.1.1 TCP_DENIED/403 1490 CONNECT 157.56.52.25:443 - NONE/- text/html
1378737937.431 5983 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.235.151:443 - NONE/- text/html
1378737939.416 6043 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.130.149:443 - NONE/- text/html
1378737940.429 5983 10.1.1.1 TCP_DENIED/403 1494 CONNECT 157.55.130.142:443 - NONE/- text/html
1378737941.463 5988 10.1.1.1 TCP_DENIED/403 1492 CONNECT 157.55.56.147:443 - NONE/- text/html
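
To read denied entries like the ones above without doing it by hand, here is an added Python example (not from the thread) that parses Squid's native access.log format and sorts the denied CONNECT targets into numeric-IP destinations, the class that the numeric_IPs dstdom_regex in Buckminster's reply is meant to match, versus named hosts; it also counts the 400/NONE entries. The sample lines are copied from the logs posted in this thread, and the regex is applied to the "host:port" recorded in the log rather than to the destination domain as Squid does.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Squid native access.log layout (one line per request):
#   time elapsed client result/status bytes method url ident hierarchy/peer content-type
@dataclass
class Entry:
    ts: float
    client: str
    result: str   # TCP_MISS, TCP_DENIED, ...
    status: int   # HTTP status Squid returned: 403 = refused by http_access, 400 = unparsable request
    method: str   # CONNECT, GET, or NONE when Squid never saw a usable request line
    url: str      # for CONNECT this is "host:port"
    peer: str     # hierarchy/peer, e.g. DIRECT/1.2.3.4 or NONE/-


def parse_line(line: str) -> Entry:
    """Split one native-format line into its fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], f[8])


# Same shape as the numeric_IPs dstdom_regex posted in the thread (hex class written out
# as [0-9a-f]), anchored on the CONNECT target "host:443" as it appears in the log.
NUMERIC_HOST = re.compile(
    r"^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+)?\])):443$"
)


def summarize(lines):
    """Bucket CONNECT requests by outcome and destination type.

    Returns Counters keyed by "host:port" plus the number of 400/NONE entries, i.e.
    intercepted connections on which Squid could not parse an HTTP request at all."""
    denied_numeric, denied_named, allowed = Counter(), Counter(), Counter()
    malformed = 0
    for line in lines:
        e = parse_line(line)
        if e.method == "NONE":           # "TCP_DENIED/400 1728 NONE NONE://" in the posted log
            malformed += 1
            continue
        if e.method != "CONNECT":
            continue
        if e.result == "TCP_DENIED":
            bucket = denied_numeric if NUMERIC_HOST.match(e.url) else denied_named
            bucket[e.url] += 1
        else:
            allowed[e.url] += 1
    return {
        "denied_numeric": denied_numeric,
        "denied_named": denied_named,
        "allowed_connect": allowed,
        "malformed": malformed,
    }


# Sample input: lines copied from the access.log excerpts posted in this thread.
SAMPLE_LOG = [
    "1378733898.591 6997 10.1.1.1 TCP_MISS/200 6776 CONNECT api.skype.com:443 - DIRECT/91.190.218.17 -",
    "1378733902.940 0 10.1.1.1 TCP_DENIED/403 1492 CONNECT 131.253.61.82:443 - NONE/- text/html",
    "1378733923.987 0 10.1.1.1 TCP_DENIED/403 1492 CONNECT 131.253.61.82:443 - NONE/- text/html",
    "1378737622.422 0 10.1.1.1 TCP_DENIED/403 1494 CONNECT login.live.com:443 - NONE/- text/html",
    "1378737628.677 0 10.1.1.1 TCP_DENIED/400 1728 NONE NONE:// - NONE/- text/html",
    "1378737633.778 5092 10.1.1.1 TCP_DENIED/403 1490 CONNECT 65.55.223.21:443 - NONE/- text/html",
]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("denied CONNECT to numeric IPs: ", dict(s["denied_numeric"]))
    print("denied CONNECT to hostnames:   ", dict(s["denied_named"]))
    print("allowed CONNECT:               ", dict(s["allowed_connect"]))
    print("requests Squid could not parse:", s["malformed"])
```

Point it at a full access.log (one line per list element) to see which hosts a whitelist such as skype_urls.txt is still missing, and how much of the intercepted traffic never even carried an HTTP request.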

9. skype via proxy

Fernando Castanho Morini
fcmorini

(uses Debian)

Sent on 09/09/2013 - 14:57h

I give up.... This piece of junk doesn't work behind a restrictive proxy; I think I'll have to make an iptables rule after all, letting everything that belongs to Skype out around the proxy!


10. Re: Squid SSL_ports

Roberto Costa
asparion

(uses Ubuntu)

Sent on 09/09/2013 - 16:44h

Hey man, don't give up hahaha
Take a look at my configuration; with this configuration it's working

squid

# INITIAL SQUID CONFIGURATION
http_port 3128
visible_hostname automacaomga
cache_mgr webmaster@localhost
error_directory /usr/share/squid/errors/Portuguese

# CACHE SETTINGS
hierarchy_stoplist cgi-bin ?
cache_mem 32 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 100 MB
cache_dir ufs /var/spool/squid 2048 16 256

refresh_pattern ^ftp: 360 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log /var/log/squid/access.log

# ACLs FOR THE LOCAL NETWORK
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl rede1 src 192.168.1.0/24
acl rede2 src 192.168.2.0/24

acl manager proto cache_object
http_access allow manager localhost
http_access deny manager

acl purge method PURGE
http_access allow purge localhost
http_access deny purge

# ACLs FOR ALLOWED PORTS
acl Safe_ports port 20 # caixa
acl Safe_ports port 21 # ftp
acl Safe_ports port 70 # gopher
acl Safe_ports port 80 # http
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 443 # https
acl Safe_ports port 465 # outlook smtp
acl Safe_ports port 488 # gss-http
acl Safe_ports port 563 # nntps-outlook
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # swat
acl Safe_ports port 995 # outlook pop
acl Safe_ports port 4004 # caixa
acl Safe_ports port 7878 # caixa
acl Safe_ports port 8081 # localhost
acl Safe_ports port 9099 # localhost
acl Safe_ports port 1025-65535 # unregistered ports
http_access deny !Safe_ports

# ACLs FOR ALLOWED SSL PORTS
acl connect method CONNECT
acl SSL_ports port 443 # https
acl SSL_ports port 563 # nntps
acl SSL_ports port 873 # rsync
acl SSL_ports port 4004 # caixa
acl SSL_ports port 30000 # Bradesco
http_access deny connect !SSL_ports

# ACLs FOR FULL ACCESS BY MAC ADDRESS
acl liberados_mac arp "/etc/squid/rules/liberados_mac"
http_access allow liberados_mac

# ACLs FOR FULL ACCESS DURING THE CHOSEN TIME WINDOW
acl LAUNCH_TIME time S M T W H F A 12:00-13:12
http_access allow LAUNCH_TIME

# ACLs TO ALLOW SKYPE BY CLIENT IP (the "connect" acl is defined above)
acl skype_users src "/etc/squid/rules/liberado_skype"
acl skype_url url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access allow connect skype_users skype_url
http_access deny connect skype_url

# ACLs FOR BLOCKED SITES
acl sites_bloqueados url_regex -i "/etc/squid/rules/sites_bloqueados"
http_access deny sites_bloqueados

# ACLs FOR BLOCKED DOMAINS
acl dominios dstdomain "/etc/squid/rules/dominios"
http_access deny dominios

# ACLs FOR BLOCKED WORDS
acl palavras_bloqueadas url_regex -i "/etc/squid/rules/palavras_bloqueadas"
http_access deny palavras_bloqueadas

# ACLs FOR FILE EXTENSIONS (defined first so the per-IP exception below can reference it)
acl extencoes url_regex -i "/etc/squid/rules/extencoes"

# ALLOW ONE IP TO DOWNLOAD THOSE EXTENSIONS, THEN BLOCK THEM FOR EVERYONE ELSE
acl ip_liberado src 192.168.1.66
http_access allow ip_liberado extencoes
http_access deny extencoes

# GENERAL SETTINGS FOR THE LOCAL NETWORK AND EVERYTHING ELSE
http_access allow localhost
http_access allow rede1
http_access allow rede2
http_access deny all


iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
################################################################################
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]


# INPUT RULES
-A INPUT -j RH-Firewall-1-INPUT

# FORWARD RULES
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -d 200.138.157.4 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d 200.155.86.35 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 200.201.0.0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d 200.143.5.68 -p tcp -m multiport --dports 20,7878,4004 -j ACCEPT
-A FORWARD -d 200.143.5.69 -p tcp -m multiport --dports 20,7878,4004 -j ACCEPT

# OUTPUT RULES
-A OUTPUT -j RH-Firewall-1-INPUT

# RH-FIREWALL RULES (OPENED PORTS)
# CAIXA
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4004 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 7878 -j ACCEPT
# CAMERAS
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 37777 -j ACCEPT
# OUTLOOK - SMTP - POP - IMAP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 995 -j ACCEPT
# TERMINAL SERVER
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3387 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3388 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
# MONITORING - XYMON - WEBMIN - USERMIN
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1984 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
# SAMBA - SSH - TELNET - DNS - SSL
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 445 -j ACCEPT
# PROXY - SQUID
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.2.0/24 --dport 3128 -j ACCEPT
# BB PLUS BRADESCO
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 30000 -j ACCEPT
# OTHER PORTS
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5938 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9099 -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

# Completed on Tue May 21 13:09:34 2013
# Generated by iptables-save v1.3.5 on Tue May 21 13:09:34 2013
######################################################################################
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# PREROUTING RULES
# REDIRECT NETWORK 1 AND NETWORK 2 TO SQUID
# note: only plain HTTP (80) can be sent into an http_port this way, and that port needs the
# "transparent"/"intercept" flag; TLS on 443 cannot be redirected into a plain http_port,
# so 443 is not redirected here
-A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth2 -s 192.168.2.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
# PACKETS ARRIVING VIA LINK1
-A PREROUTING -p tcp -m tcp -d 192.168.25.254 --dport 3389 -j DNAT --to-destination 192.168.1.101:3389
-A PREROUTING -p tcp -m tcp -d 192.168.25.254 --dport 8080 -j DNAT --to-destination 192.168.1.103:8080
-A PREROUTING -p tcp -m tcp -d 192.168.25.254 --dport 8081 -j DNAT --to-destination 192.168.1.102:80
-A PREROUTING -p tcp -m tcp -d 192.168.25.254 --dport 8888 -j DNAT --to-destination 192.168.1.100:8888
-A PREROUTING -p tcp -m tcp -d 192.168.25.254 --dport 3388 -j DNAT --to-destination 192.168.1.190:3389
-A PREROUTING -p tcp -m tcp -d 192.168.25.254 --dport 3387 -j DNAT --to-destination 192.168.1.9:3389
# PACKETS ARRIVING VIA LINK2
-A PREROUTING -p tcp -m tcp -d 192.168.24.254 --dport 3389 -j DNAT --to-destination 192.168.1.101:3389
-A PREROUTING -p tcp -m tcp -d 192.168.24.254 --dport 8080 -j DNAT --to-destination 192.168.1.103:8080
-A PREROUTING -p tcp -m tcp -d 192.168.24.254 --dport 8081 -j DNAT --to-destination 192.168.1.102:80
-A PREROUTING -p tcp -m tcp -d 192.168.24.254 --dport 8888 -j DNAT --to-destination 192.168.1.100:8888
-A PREROUTING -p tcp -m tcp -d 192.168.24.254 --dport 3388 -j DNAT --to-destination 192.168.1.190:3389
-A PREROUTING -p tcp -m tcp -d 192.168.24.254 --dport 3387 -j DNAT --to-destination 192.168.1.9:3389

# POSTROUTING RULES
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -o eth3 -j MASQUERADE

# OUTPUT RULES

COMMIT
# Completed on Tue May 21 13:09:34 2013
######################################################################################

# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed


See what's different in yours..
cheers



11. Re: Squid SSL_ports

Buckminster
Buckminster

(uses Debian)

Sent on 09/09/2013 - 16:45h

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype
http_access allow CONNECT localnet numeric_IPs Skype_UA << look closely, there is an error here... the 's' in IPs must be lowercase, since the acl that was created is numeric_IPs. The error comes from the Squid site itself, I forgot to mention that.
#
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Do you have 3 local networks?
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Note that in iptables your local network is 192.168.1.0/24 while in Squid it is 192.168.0.0/16.

Put it like this in Squid:
acl localnet src 192.168.1.0/24 and comment out the other two.
Don't forget to restart Squid after every change to squid.conf
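As an added example, not code from any post in this thread: a small Python model of how Squid evaluates http_access lines (first matching line wins, every ACL on a line must match, '!' negates one ACL), used to compare the stock `http_access deny CONNECT !SSL_ports` ordering with fcmorini's `http_access allow CONNECT SSL_ports` from the first post. The ACL sets, the localnet range and the client addresses are constructed and simplified.

```python
from dataclasses import dataclass

@dataclass
class Request:
    src: str      # client IP
    method: str   # "GET", "CONNECT", ...
    port: int     # destination port

# ACL definitions modelled on the thread's squid.conf (constructed, simplified)
ACLS = {
    "Safe_ports": lambda r: r.port in (21, 70, 80, 443) or 1025 <= r.port <= 65535,
    "SSL_ports":  lambda r: r.port in (443, 563, 873, 4004, 30000),
    "CONNECT":    lambda r: r.method == "CONNECT",
    "localnet":   lambda r: r.src.startswith("192.168.1."),
    "all":        lambda r: True,
}

def http_access(rules, req):
    """Squid semantics: lines are tested top to bottom and the first line whose
    ACLs all match decides; '!' negates one ACL; if no line matches, the
    opposite of the last line's action applies."""
    for action, names in rules:
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# Stock ordering: a tunnel is refused unless its port is an SSL port
ORIGINAL = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("deny",  ["all"]),
]

# fcmorini's edit from the first post: the deny line became an allow line
MODIFIED = [
    ("deny",  ["!Safe_ports"]),
    ("allow", ["CONNECT", "SSL_ports"]),
    ("allow", ["localnet"]),
    ("deny",  ["all"]),
]

def compare(req):
    """Return (decision under ORIGINAL, decision under MODIFIED) for one request."""
    return http_access(ORIGINAL, req), http_access(MODIFIED, req)

if __name__ == "__main__":
    cases = {
        "LAN CONNECT 443":      Request("192.168.1.50", "CONNECT", 443),
        "LAN CONNECT 8080":     Request("192.168.1.50", "CONNECT", 8080),
        "Internet CONNECT 443": Request("203.0.113.9", "CONNECT", 443),
        "Internet GET 80":      Request("203.0.113.9", "GET", 80),
    }
    for name, req in cases.items():
        orig, mod = compare(req)
        print(f"{name:22} original={orig:6} modified={mod}")
```

The rows that differ are the consequences the first post asked about: with the allow line, a LAN client can CONNECT to any Safe port (the later allow localnet line now catches tunnels to 8080 and the like), and any source address, not only localnet, can open tunnels to SSL ports because the allow fires before the source is ever checked.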


12. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(uses Debian)

Sent on 10/09/2013 - 16:35h

Thanks for the help, I'm checking that!

asparion wrote:

hey man, don't give up hahaha
take a look at my configuration, it's working with this configuration
