Squid SSL_ports

13. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(usa Debian)

Enviado em 10/09/2013 - 16:57h

Buckminster escreveu:

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
acl Skype_UA browser ^skype
http_access allow CONNECT localnet numeric_IPs Skype_UA << veja bem, tem um erro aqui... o 's' de IPs deve ser minúsculo, pois a acl criada é numeric_IPs. O erro é do próprio site do Squid, esqueci de falar.
#
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Tu tem 3 redes locais?
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Veja bem, no Iptables tua rede local está 192.168.1.0/24 e no Squid está 192.168.0.0/16.

Coloque assim no Squid:
acl localnet src 192.168.1.0/24 e comente as outras duas.
Não esqueça de reiniciar o Squid após cada alteração no squid.conf


Cara, não consegui fazer funcionar com essa configuração!
Mas passei a tarde toda minerando URLs e IPs no log do iptables e no access.log do squid; enfim, fiz funcionar!
mas acredito que haja uma forma mais inteligente para isso, pois acabei liberando cerca de 140 URLs/IPs para que o Skype pudesse passar pelo proxy... detalhe: foi muito mais difícil fazer funcionar utilizando uma conta Microsoft
fiz as modificações sugeridas... vou postar aqui o resultado! No arquivo squid.conf deixei comentado sua sugestão para você poder ver que tentei utilizar!
peço desculpas pelo tamanho do post!
obrigado a todos pela ajuda!


#arquivo firewall
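#!/usr/bin/env bash
#
# Firewall for the gateway: WAN_IF faces the Internet, LAN_IF faces the
# LAN_NET network. Rules are applied in order and every iptables call must
# succeed, otherwise the script aborts instead of leaving a half-applied
# rule set behind (the previous version silently carried on after a failed
# flush or insert).
#
# Usage: run as root. Defaults may be overridden through the environment:
#   LAN_NET=10.1.1.0/24 LAN_IF=eth1 WAN_IF=eth0 PROXY_PORT=3128 ./firewall
set -euo pipefail

##### VARIABLES #####
readonly IPTABLES="${IPTABLES:-/sbin/iptables}"
readonly WAN_IF="${WAN_IF:-eth0}"          # interface towards the Internet
readonly LAN_IF="${LAN_IF:-eth1}"          # interface towards the LAN
readonly LAN_NET="${LAN_NET:-10.1.1.0/24}" # LAN network allowed to use the gateway
readonly PROXY_PORT="${PROXY_PORT:-3128}"  # Squid http_port
# Rate limit shared by every LOG rule. LOG is a non-terminating target, so a
# log rule placed first logs the packet and evaluation continues with the
# rules that follow it.
LOG_LIMIT=(-m limit --limit 5/m --limit-burst 5)
readonly LOG_LIMIT
################################################################################

# Print an error on stderr and exit with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

##### FLUSH ALL RULES #####
# Flush rules, delete user-defined chains and zero counters in the filter
# and nat tables so that the rules below are the only ones in effect.
flush_rules() {
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X -t nat
  "$IPTABLES" -Z -t nat
}

##### DEFAULT POLICIES #####
# Deny inbound and forwarded traffic by default; outbound from the gateway
# itself stays open.
set_policies() {
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
}

##### INPUT RULES #####
input_rules() {
  # Log every inbound packet (rate-limited), including packets that the
  # RELATED,ESTABLISHED rule at the end later accepts.
  "$IPTABLES" -A INPUT "${LOG_LIMIT[@]}" -j LOG --log-prefix "INPUT: "
  # Open ports.
  # NOTE(review): SSH is accepted on every interface, including WAN_IF.
  # Add "-i $LAN_IF -s $LAN_NET" if administration from the Internet is
  # not intended.
  "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport 53 -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 80 -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport "$PROXY_PORT" -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 5351 -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

##### FORWARD RULES #####
forward_rules() {
  # Log traffic crossing the firewall. With policy DROP and no ACCEPT rule
  # in this chain nothing is forwarded: LAN clients only reach the proxy
  # (the REDIRECT in nat_rules delivers those packets to INPUT, not FORWARD).
  "$IPTABLES" -A FORWARD "${LOG_LIMIT[@]}" -j LOG --log-prefix "FORWARD: "
}

##### NAT RULES #####
nat_rules() {
  # Log connections hitting the nat PREROUTING and POSTROUTING chains.
  "$IPTABLES" -t nat -A PREROUTING "${LOG_LIMIT[@]}" -j LOG --log-prefix "NAT-PREROUTING: "
  "$IPTABLES" -t nat -A POSTROUTING "${LOG_LIMIT[@]}" -j LOG --log-prefix "NAT-POSTROUTING: "
  # Redirect LAN web traffic to the proxy.
  # NOTE(review): port 443 is redirected to a plain http_port. Squid can only
  # handle intercepted TLS when it is built and configured for that
  # (SSL-bump); otherwise HTTPS clients will fail here — confirm before
  # relying on 443 interception.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m multiport --dport 80,443 -i "$LAN_IF" -s "$LAN_NET" -j REDIRECT --to-port "$PROXY_PORT"
  # Masquerade LAN traffic leaving through the WAN interface. Only effective
  # for packets the FORWARD chain accepts, which is none at present.
  "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Entry point: sanity checks, then apply the rule set in order.
main() {
  (( EUID == 0 )) || die "this script must run as root"
  [[ -x "$IPTABLES" ]] || die "iptables not found or not executable: $IPTABLES"
  flush_rules
  set_policies
  input_rules
  forward_rules
  nat_rules
}

main "$@"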

#####arquivo squid.conf#####

# Squid access policy for the 10.1.1.0/24 LAN behind the gateway.
# http_access lines are evaluated top-down; the first line whose ACLs all
# match decides the request.
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.1.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

##### Rules to allow Skype (Squid wiki approach, left disabled by the author)
#acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443
#acl Skype_UA browser ^skype
#http_access allow CONNECT localnet numeric_IPs Skype_UA
#################################################################

# Allow the Skype addresses listed in the file.
# url_regex reads one regular expression per line and the entries in the
# file are unanchored with unescaped dots: "skype.com" matches any URL that
# contains "skype.com" anywhere (host, path or query string), "8.8.8.8"
# matches any four digits separated by any character, and the stray
# "text/html" line matches every URL containing that text. Anchor the
# expressions and escape the dots, or use dstdomain for host names.
acl ips_skype url_regex "/root/ips_skype.txt"
# NOTE(review): this allow is evaluated before "deny !Safe_ports" and
# "deny CONNECT !SSL_ports" below, so a request matching the list skips
# both port checks; placing it after those two denies keeps them in force.
http_access allow localnet ips_skype
##################################################

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Everything from the LAN that was not allowed above is denied, so the LAN
# is effectively whitelist-only.
http_access deny localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
# NOTE(review): the firewall REDIRECTs LAN ports 80 and 443 to this port.
# Intercepted requests need the port flagged for interception
# ("transparent" or "intercept", depending on the Squid version) — confirm
# for the installed version. Intercepted HTTPS additionally requires
# SSL-bump support; without it port 443 cannot be proxied this way.
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
########################################################################
#####arquivo ips_skype.txt#####

1.172.231.200
128.69.34.19
128.72.42.189
129.15.115.137
129.21.131.77
129.2.217.220
129.241.137.174
131.151.159.126
131.253.61.102
131.253.61.80
131.253.61.82
131.253.61.96
131.253.61.98
134.170.19.113
134.170.24.140
134.170.24.142
134.170.24.175
134.170.24.224
149.13.32.15
149.169.162.237
152.3.242.59
157.55.130.142
157.55.130.162
157.55.130.175
157.55.235.149
157.56.106.210
157.56.108.82
157.56.194.23
165.123.132.204
177.84.106.134
186.205.111.111
186.210.249.128
186.218.176.81
186.218.37.56
187.126.210.65
187.14.23.223
187.38.121.230
187.61.201.237
187.6.140.217
188.115.233.44
188.50.90.102
189.0.123.137
189.26.123.15
189.41.35.124
189.70.13.230
193.120.199.14
193.120.199.16
193.120.199.17
193.95.154.38
193.95.154.39
195.114.250.233
200.144.116.143
201.27.70.176
201.63.213.170
201.79.150.214
204.9.163.184
212.142.69.228
212.161.8.36
212.187.172.78
212.8.166.35
212.8.166.36
213.166.51.4
216.46.46.145
37.208.199.151
46.233.214.16
64.4.23.174
64.4.25.230
65.184.50.78
65.55.142.165
65.55.142.37
65.55.223.16
65.55.223.21
65.55.246.20
65.55.246.22
67.249.88.141
68.183.50.93
70.27.221.28
71.197.47.114
71.47.255.237
72.39.188.10
75.70.214.2
76.120.161.202
76.170.29.203
76.211.208.94
76.235.182.180
77.122.114.101
77.98.186.52
78.141.179.11
78.141.179.12
78.141.179.13
78.141.179.16
78.141.179.17
78.141.179.18
83.10.196.218
83.25.226.190
8.8.8.8
89.133.142.43
90.33.124.119
91.152.217.9
91.190.216.38
91.190.216.66
91.190.218.20
91.190.218.52
91.190.218.56
91.190.218.59
91.190.218.60
91.190.218.62
91.190.218.64
91.190.218.65
92.155.15.234
95.58.75.53
96.16.95.139
96.224.32.247
97.75.251.5
98.103.19.82
98.218.120.32
ads1.msads.net
aidps.atdmt.com
ajax.aspnetcdn.com
api.skype.com
apps.skypeassets.com
apps.skype.com
auth.gfx.ms
az361816.vo.msecnd.net
c.msn.com
connect.facebook.net
flex.msn.com
login.live.com
m.hotmail.com
secure.skypeassets.com
skype.com
s-static.ak.facebook.com
static.skypeassets.com
text/html
ui.skype.com
www.facebook.com



  


14. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(usa Debian)

Enviado em 10/09/2013 - 17:43h

Já entendi que estou errando em não liberar as portas 80 e 443 no forward (firewall), mas mesmo com uma politica DROP nessa chain e com o http_access allow localnet no squid o danado do skype funciona!


15. Proxy transparente com https

Marcio
mschmidt

(usa CentOS)

Enviado em 11/09/2013 - 00:52h

Proxy transparente com https ?? Pra mim é novidade. O que mudou... alguem tem alguma dica ?


16. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(usa Debian)

Enviado em 11/09/2013 - 08:20h

mschmidt escreveu:

Proxy transparente com https ?? Pra mim é novidade. O que mudou... alguem tem alguma dica ?


????
acho que vc está no tópico errado, amigo!


17. Re: Squid SSL_ports

Buckminster
Buckminster

(usa Debian)

Enviado em 11/09/2013 - 23:51h

Coloque esta regra ANTES das regras do redirecionamento e teste se bloqueia:

iptables -A FORWARD -i eth1 -m string --algo bm --string "facebook.com" -j DROP


18. Re: Squid SSL_ports

Alcimar
arc

(usa Slackware)

Enviado em 12/09/2013 - 00:39h

fcmorini escreveu:

mschmidt escreveu:

Proxy transparente com https ?? Pra mim é novidade. O que mudou... alguem tem alguma dica ?


????
acho que vc está no tópico errado, amigo!


fcmorini, você não entendeu o que o mschmidt disse? Não funciona proxy transparente com https, a não ser que use certificados para isso.


19. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(usa Debian)

Enviado em 12/09/2013 - 08:38h

Buckminster escreveu:

Coloque esta regra ANTES das regras do redirecionamento e teste se bloqueia:

iptables -A FORWARD -i eth1 -m string --algo bm --string "facebook.com" -j DROP


sim, essa regra funciona!




20. Re: Squid SSL_ports

Fernando Castanho Morini
fcmorini

(usa Debian)

Enviado em 12/09/2013 - 12:05h

Iniciando do começo... (heheh)
consegui utilizar algumas regras para funcionar o skype...
a idéia é deixar o FORWARD com a politica DROP e liberar as conexões nas portas necessárias...
fixei no skype a porta 9965 para fazer as conexões
liberei o FORWARD para essa porta, para a porta 443 e também para a faixa de portas 1024:10000
os testes foram bem sucedidos, agora vou continuar a implementar esse firewall para verificar os riscos...
pois ainda falta deixar INPUT com politica DROP e fazer todas as conexões passarem pelo proxy!
obrigado a todos que ajudaram, continuo postando aqui, pois o tópico não está resolvido... (ainda)!!!
a ferramenta que mais me ajudou foi tcpdump....

FIREWALL

# Generated by iptables-save v1.4.8 on Thu Sep 12 11:57:05 2013
# Snapshot of the rule set after the Skype tests: FORWARD is default-DROP
# with allow rules for the single host 10.1.1.1 only; INPUT is still ACCEPT
# and the nat table no longer carries the REDIRECT to the proxy, so nothing
# is intercepted in this state.
*mangle
:PREROUTING ACCEPT [14623:5689077]
:INPUT ACCEPT [443:48124]
:FORWARD ACCEPT [14180:5640953]
:OUTPUT ACCEPT [495:72010]
:POSTROUTING ACCEPT [14134:5689129]
COMMIT
# Completed on Thu Sep 12 11:57:05 2013
# Generated by iptables-save v1.4.8 on Thu Sep 12 11:57:05 2013
*nat
:PREROUTING ACCEPT [751:75136]
:POSTROUTING ACCEPT [333:25683]
:OUTPUT ACCEPT [333:25683]
# Masquerade the LAN on the way out; no REDIRECT rule is present here.
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 12 11:57:05 2013
# Generated by iptables-save v1.4.8 on Thu Sep 12 11:57:05 2013
*filter
# INPUT is still default-ACCEPT in this snapshot.
:INPUT ACCEPT [126:12624]
:FORWARD DROP [116:5606]
:OUTPUT ACCEPT [122:20806]
# Rate-limited log of forwarded packets; LOG does not terminate evaluation.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD: "
# UDP 9965 in both directions: the port the Skype client on 10.1.1.1 was pinned to.
-A FORWARD -s 10.1.1.1/32 -p udp -m udp --sport 9965 -j ACCEPT
-A FORWARD -d 10.1.1.1/32 -p udp -m udp --dport 9965 -j ACCEPT
# Outbound 443 (UDP and TCP) from 10.1.1.1.
-A FORWARD -s 10.1.1.1/32 -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.1.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
# NOTE(review): there is no ESTABLISHED,RELATED rule in FORWARD, so the
# replies to the TCP 443 connections above appear to get in only through
# this open range of destination ports on 10.1.1.1 (from any source).
# A conntrack rule, "-A FORWARD -d 10.1.1.1/32 -m state --state
# ESTABLISHED,RELATED -j ACCEPT", would admit only return traffic and let
# this range be removed — verify with tcpdump before changing it.
-A FORWARD -d 10.1.1.1/32 -p tcp -m tcp --dport 1024:10000 -j ACCEPT
COMMIT
# Completed on Thu Sep 12 11:57:05 2013



