Transparent Squid + iptables (urgent)

1. Transparent Squid + iptables (urgent)

natha
ncampos

(uses Debian)

Posted on 22/10/2015 - 08:56h

Good morning. We have a network where the requirement is Squid in transparent mode. A few IPs are released through iptables, outside the proxy, and the rest of the network gets its restrictions through transparent Squid.
Currently my squid.conf and my firewall are as below, and this is what happens:
- The free IPs cannot reach blocked sites.
- Browsing is slow, pages take a long time to load, and sometimes it gives a "limit exhausted" error.
- I need an ACL to release sites (in case one gets blocked by the proxy "unintentionally").

I had to leave the network "open" until I get this fixed. Could someone help me correct it, or suggest another way of blocking (with transparent Squid)?

The files follow:

FIREWALL:

#!/bin/bash
iniciar()
{
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
#
# Network interfaces
LAN=eth1
WAN=eth0
REDE="10.1.1.0/24"
#
############################################################################

iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

############################################################################

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


############################## IP EXEMPT FROM PROXY ########################

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.172 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.210 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.208 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.211 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.213 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.228 -j RETURN

############################################################################
############################## ALLOWED PORTS ###############################

iptables -A INPUT -m multiport -p tcp --dport 22,21,53,80,81,443,8484,6000,3389 -j ACCEPT

############################## ALLOWED SITES ###############################

iptables -A FORWARD -s $REDE -d bb.com.br -j ACCEPT
iptables -A FORWARD -s $REDE -d itau.com.br -j ACCEPT
iptables -A FORWARD -s $REDE -d bradesco.com -j ACCEPT
iptables -A FORWARD -s $REDE -d sicred.com.br -j ACCEPT

############################## SOCIAL NETWORK BLOCKING #####################

iptables -I FORWARD -s $REDE -m string --string 'facebook' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'youtube' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'twitter' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'instagram' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'linkedin' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'imo' --algo bm -j DROP

############################## PORT FORWARDING #############################

iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 6000 -j DNAT --to-destination 10.1.1.100:6000 # SSH Firewall
iptables -t nat -A PREROUTING -i $WAN -p udp --dport 6000 -j DNAT --to-destination 10.1.1.100:6000 # SSH Firewall

############################## PORT FORWARDING CAMERAS #####################

iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 3550 -j DNAT --to-destination 10.1.1.252:3550 # cameras
iptables -t nat -A PREROUTING -i $WAN -p udp --dport 3550 -j DNAT --to-destination 10.1.1.252:3550 # cameras

iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination 10.1.1.252:80 # cameras
iptables -t nat -A PREROUTING -i $WAN -p udp --dport 80 -j DNAT --to-destination 10.1.1.252:80 # cameras

############################################################################
############################## PROXY DISABLED/ENABLED ######################

############################## TRANSPARENT MODE ############################
# Sending port 80 traffic to TRANSPARENT SQUID
#iptables -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128

############################## AUTHENTICATION MODE #########################
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination 10.1.1.250:80 # commented out = USE SQUID
#iptables -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128 # commented out = DO NOT USE SQUID

############################################################################
echo "iniciando servico"
}
parar(){
iptables -F -t nat
echo "parando servico"
}
case "$1" in
"start") iniciar;;
"stop") parar;;
"restart") parar;iniciar;;
*) echo "Use os parametros start,stop ou restart"
esac


SQUID.CONF:

################## PORT USED BY THE SERVER #############

http_port 3128 transparent

################## SERVER NAME #######################

#visible_hostname srv-internet

################### ERROR MESSAGE LANGUAGE ################

error_directory /usr/share/squid/errors/Portuguese

########################### CACHE SETTINGS ######################

# SQUID ACCESS LOG PATH AND CACHE LOG PATH
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

# CACHE DIRECTORY
cache_dir ufs /var/spool/squid 2048 16 256

# AMOUNT IN RAM
cache_mem 300 MB
maximum_object_size_in_memory 20 KB
maximum_object_size 16384 KB
# AMOUNT ON HARD DISK
maximum_object_size 512 MB
minimum_object_size 0 KB

# DISCARDING OF OLD CACHED OBJECTS BY SQUID

cache_swap_low 90
cache_swap_high 95

# OBJECT LIFETIME IN THE CACHE
refresh_pattern ^ftp: 360 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
################################################################################
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
#acl localhost src 127.0.0.1/24
acl SSL_ports port 443 563
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 8080 8484 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT


http_access deny manager

http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#################################################### ALLOWED SITES ################################
acl url_liberado url_regex -i "/etc/squid/sites_liberados"
http_access allow url_liberado
################################################### IP ALLOWED IN SQUID ######################
acl liberado src 10.1.1.208 10.1.1.210 10.1.1.172 10.1.1.211 10.1.1.213 10.1.1.218
http_access allow liberado
#################################################### facebook access blocking ################
#facebook access blocking
acl bloqueio_facebook_2 dstdomain "/etc/squid/bloqueio_facebook_2.cf"
http_access deny bloqueio_facebook_2
#################################################### Site blocking by URL ####################
# Site blocking by URL
acl bloqueados url_regex -i "/etc/squid/bloqueados"
http_access deny bloqueados
#################################################### downloads_bloqueados ####################
# Blocking by file download
acl downloads_bloqueados url_regex -i "/etc/squid/downloads_bloqueados"
http_access deny downloads_bloqueados

#################################################### palavras_proibidas ######################
# Blocking by keyword
acl palavras_proibidas url_regex -i "/etc/squid/palavras_proibidas"
http_access deny palavras_proibidas


acl redelocal src 10.1.1.0/24

http_access allow redelocal
http_access deny all

2. Re: Transparent Squid + iptables (urgent)

Buckminster
Buckminster

(uses Debian)

Posted on 22/10/2015 - 09:17h

Here

# Network interfaces
LAN=eth1
WAN=eth0
REDE="10.1.1.0/24"

leave it like this

# Network interfaces
LAN="eth1"
WAN="eth0"
REDE="10.1.1.0/24"

Here

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.172 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.210 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.208 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.211 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.213 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.228 -j RETURN

leave it like this

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.172 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.210 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.208 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.211 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.213 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.228 -j ACCEPT

Restart iptables and test.

As for Squid, run squid -v or squid3 -v or squid --version or squid3 --version and post the output here.



3. Re: Transparent Squid + iptables (urgent)

natha
ncampos

(uses Debian)

Posted on 22/10/2015 - 11:36h

Buckminster wrote:

Here

# Network interfaces
LAN=eth1
WAN=eth0
REDE="10.1.1.0/24"

leave it like this

# Network interfaces
LAN="eth1"
WAN="eth0"
REDE="10.1.1.0/24"

Here

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.172 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.210 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.208 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.211 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.213 -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.228 -j RETURN

leave it like this

iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.172 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.210 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.208 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.211 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.213 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.228 -j ACCEPT

Restart iptables and test.

As for Squid, run squid -v or squid3 -v or squid --version or squid3 --version and post the output here.


Thank you very much for the reply!
It worked, mate, almost everything!

- Browsing "apparently" returned to normal speed.
- Sites blocked via iptables are being properly blocked.

PERSISTENT ERROR:
- IPs RELEASED VIA IPTABLES STILL DO NOT BROWSE WITHOUT RESTRICTION; the sites blocked in iptables cannot be reached.


SQUID:

Squid Cache: Version 2.7.STABLE9
configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--with-pthreads' '--enable-async-io' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-carp' '--enable-follow-x-forwarded-for' '--with-large-files' '--with-maxfd=65536' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu'





4. Re: Transparent Squid + iptables (urgent)

Buckminster
Buckminster

(uses Debian)

Posted on 22/10/2015 - 14:01h

Man, sorry, but I'm not going to suggest anything for your squid.conf because Squid 2.7 is waaay outdated.
I advise you to back up squid.conf, uninstall 2.7 and install a more recent version.
Squid is at version 4, just released.

http://www.squid-cache.org/Versions/

And here:
"- IPs RELEASED VIA IPTABLES STILL DO NOT BROWSE WITHOUT RESTRICTION; the sites blocked in iptables cannot be reached."

I didn't understand the first part, and I didn't understand the second part either, because sites blocked in iptables are indeed not supposed to be reachable; that is why you put a block in place.



5. Re: Transparent Squid + iptables (urgent)

natha
ncampos

(uses Debian)

Posted on 22/10/2015 - 14:12h

Buckminster wrote:

Man, sorry, but I'm not going to suggest anything for your squid.conf because Squid 2.7 is waaay outdated.
I advise you to back up squid.conf, uninstall 2.7 and install a more recent version.
Squid is at version 4, just released.

http://www.squid-cache.org/Versions/



I'll do that right away and test... version 4? So far I have only found version 3 via apt.
I have been using this version because until now it didn't bother me; it only held me up now, with transparent mode.
Thanks!



6. Re: Transparent Squid + iptables (urgent)

Buckminster
Buckminster

(uses Debian)

Posted on 22/10/2015 - 14:14h

And here:
"- IPs RELEASED VIA IPTABLES STILL DO NOT BROWSE WITHOUT RESTRICTION; the sites blocked in iptables cannot be reached."

I didn't understand the first part; do you need to put restrictions on the IPs for them to browse?!?!?
And I didn't understand the second part either, because sites blocked in iptables are indeed not supposed to be reachable; that is why you put a block in place.


And if you want to release the IPs completely, do this:

iptables -I 1 FORWARD -p tcp --dport 80 -s 10.1.1.172 -j ACCEPT <<< that's I as in India, as in Indignant.
iptables -I 2 FORWARD -p tcp --dport 80 -s 10.1.1.210 -j ACCEPT
iptables -I 3 FORWARD -p tcp --dport 80 -s 10.1.1.208 -j ACCEPT
iptables -I 4 FORWARD -p tcp --dport 80 -s 10.1.1.211 -j ACCEPT
iptables -I 5 FORWARD -p tcp --dport 80 -s 10.1.1.213 -j ACCEPT
iptables -I 6 FORWARD -p tcp --dport 80 -s 10.1.1.228 -j ACCEPT


The package managers of the repositories usually never have the latest version.
If you want Squid version 4 you will have to download and compile it manually.
If you don't want to, or don't know how, you can install the apt version, which is good enough.


7. Re: Transparent Squid + iptables (urgent)

natha
ncampos

(uses Debian)

Posted on 22/10/2015 - 17:57h

Buckminster wrote:

And here:
"- IPs RELEASED VIA IPTABLES STILL DO NOT BROWSE WITHOUT RESTRICTION; the sites blocked in iptables cannot be reached."

I didn't understand the first part; do you need to put restrictions on the IPs for them to browse?!?!?
And I didn't understand the second part either, because sites blocked in iptables are indeed not supposed to be reachable; that is why you put a block in place.


And if you want to release the IPs completely, do this:

iptables -I 1 FORWARD -p tcp --dport 80 -s 10.1.1.172 -j ACCEPT <<< that's I as in India, as in Indignant.
iptables -I 2 FORWARD -p tcp --dport 80 -s 10.1.1.210 -j ACCEPT
iptables -I 3 FORWARD -p tcp --dport 80 -s 10.1.1.208 -j ACCEPT
iptables -I 4 FORWARD -p tcp --dport 80 -s 10.1.1.211 -j ACCEPT
iptables -I 5 FORWARD -p tcp --dport 80 -s 10.1.1.213 -j ACCEPT
iptables -I 6 FORWARD -p tcp --dport 80 -s 10.1.1.228 -j ACCEPT


The package managers of the repositories usually never have the latest version.
If you want Squid version 4 you will have to download and compile it manually.
If you don't want to, or don't know how, you can install the apt version, which is good enough.


Mate, here's the thing: I updated my Squid to version 3.4.8. I didn't have enough knowledge to install version 4; I even tried, but even after compiling it wouldn't start, and via apt I couldn't either (version 3 served me).
After your iptables adjustments it is 90% of what I need; Squid is blocking the sites I specified, all correct. But I have the following IPs (10.1.1.208, 10.1.1.209, 10.1.1.210). If you check there in the iptables "firewall", I blocked access to certain sites; I need the IPs mentioned not to be blocked on those sites, "browsing freely without any block".

- I have already tried creating an ACL in Squid
- I have already tried your tips above. (The last tip you sent, "iptables -I 3 FORWARD -p tcp --dport 80 -s 10.1.1.208 -j ACCEPT", gives the error iptables v1.4.14: Invalid rule number `FORWARD'
Try `iptables -h' or 'iptables --help' for more information. )

AFTER THE UPDATE I LEFT SQUID LIKE THIS:

http_port 3128 intercept

cache_mem 128 MB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid3 2048 16 256
cache_access_log /var/log/squid3/cache.log

visible_hostname proxy
cache_mgr email@email

coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


error_directory /usr/share/squid3/errors/pt-br


################################################################################

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

############################ ACL #################################################

# Custom ACLs
acl redelocal src 10.1.1.0/24

acl ips_liberado src "/etc/squid3/ips_liberado"
http_access allow ips_liberado

# ACLs FOR ALLOWED SITES
acl sites_liberados url_regex -i "/etc/squid3/sites_liberados"
http_access allow sites_liberados

# ACLs FOR PER-IP SITE ALLOWANCE
acl ip_liberacao_porsite src "/etc/squid3/ip_liberacao_porsite"
acl site_liberacao_porsite url_regex "/etc/squid3/site_liberacao_porsite"
http_access deny site_liberacao_porsite !ip_liberacao_porsite

# ACLs FOR SITES BLOCKED FOR THE WHOLE NETWORK
acl bloqueados url_regex -i "/etc/squid3/bloqueados"


##################################################################################
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost



http_access deny bloqueados
http_access allow redelocal
http_access deny all


8. Re: Transparent Squid + iptables (urgent)

Giovanni  M
Giovanni_Menezes

(uses Devuan)

Posted on 23/10/2015 - 00:14h

I can't see an error in your squid.conf; in theory it is right, the IPs should be released.

What I think might shed some light is for you to try the access again from some of the hosts with those released IPs and, right after, go into the Squid logs and see who made the request, because it is behaving as if Squid were receiving the request from another IP.



9. Re: Transparent Squid + iptables (urgent)

natha
ncampos

(uses Debian)

Posted on 23/10/2015 - 08:55h

After several tests, I finally reached the end point.
Squid (transparent mode) fully functional with the ACLs below, 100%

# Site allowance (in case a site is being blocked by the "site blocking" ACL, this ACL allows it as a "complement")
# Per-IP site allowance (in case some IP needs to access sites that are on the "site blocking" list, this ACL allows the site)
# Site blocking (blocked sites, with the exceptions above)

DIFFICULTY:

I have the following lines below in my firewall to block social networks (I COULD NOT BLOCK THEM THROUGH SQUID):
even using (iptables -t nat -A PREROUTING -p tcp --dport 80 -s 10.1.1.208 -j ACCEPT), the social networks remain blocked for the FREE IP.

iptables -I FORWARD -s $REDE -m string --string 'facebook' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'youtube' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'twitter' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'instagram' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'linkedin' --algo bm -j DROP
iptables -I FORWARD -s $REDE -m string --string 'imo' --algo bm -j DROP


We tested every solution and it didn't work; I believe I will have to add the IP as an exception tied to the rules above...



10. Re: Transparent Squid + iptables (urgent)

Buckminster
Buckminster

(uses Debian)

Posted on 25/10/2015 - 09:48h

My bad, I did it in a hurry:

iptables -I 1 FORWARD -p tcp --dport 80 -s 10.1.1.172 -j ACCEPT

the right way is this

iptables -I FORWARD 1 -p tcp --dport 80 -s 10.1.1.172 -j ACCEPT <<< the number must come after the chain name.
iptables -I FORWARD 2 -p tcp --dport 80 -s 10.1.1.173 -j ACCEPT

and so on.
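
As an added example (not the thread's script, and not Buckminster's reply), here is the rule ordering that the fix above implies, written so the plan can be reviewed before anything is applied: the bypass ACCEPTs first, then the REDIRECT to Squid, then the string-match DROPs, and only then the ESTABLISHED accept, because the keyword only appears in the HTTP request payload, which conntrack already counts as ESTABLISHED. The addresses and keywords are the ones posted in the thread; build_rules, check_order, count_bypass and apply_rules are names chosen here.

```shell
#!/bin/sh
# Added example: emit the nat and FORWARD rules in the order the kernel must
# evaluate them (first match wins). Only -A is used, so the printed order is the
# evaluation order; mixing -I and -A, as the original script did, is what left
# the string-match DROPs above the bypass rules.
REDE="10.1.1.0/24"
LIBERADOS="10.1.1.172 10.1.1.210 10.1.1.208 10.1.1.211 10.1.1.213 10.1.1.228"
SOCIAIS="facebook youtube twitter instagram linkedin imo"

# Print every rule as a plain "iptables ..." line (a dry run, no root needed).
build_rules() {
    # 1. Bypass hosts: skip the transparent REDIRECT and skip the FORWARD filters.
    for ip in $LIBERADOS; do
        echo "iptables -t nat -A PREROUTING -s $ip -p tcp --dport 80 -j ACCEPT"
        echo "iptables -A FORWARD -s $ip -p tcp --dport 80 -j ACCEPT"
    done
    # 2. Everyone else on port 80 is redirected to Squid on 3128.
    echo "iptables -t nat -A PREROUTING -s $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128"
    # 3. String-match DROPs. They must sit BEFORE the ESTABLISHED accept: the SYN
    #    carries no payload, and the packet carrying the Host header is already
    #    ESTABLISHED. Plaintext HTTP only; TLS payloads never match a keyword.
    for word in $SOCIAIS; do
        echo "iptables -A FORWARD -s $REDE -m string --string $word --algo bm -j DROP"
    done
    # 4. Replies and follow-up packets of everything accepted above.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Exit 0 when the generated FORWARD chain has every bypass ACCEPT before the
# first DROP and every DROP before the state ACCEPT.
check_order() {
    build_rules | grep -- '-A FORWARD' | awk '
        /--dport 80 -j ACCEPT/ { if (drops) bad = 1 }
        /-j DROP/              { drops++; if (state) bad = 1 }
        /--state/              { state = 1 }
        END { exit bad + 0 }'
}

# Number of per-host bypass ACCEPTs in the FORWARD chain (one per host).
count_bypass() {
    build_rules | grep -c -- '-A FORWARD -s 10.1.1.[0-9]* -p tcp --dport 80 -j ACCEPT'
}

# Apply for real (needs root); stop at the first rule iptables rejects.
apply_rules() {
    build_rules | while read -r line; do $line || return 1; done
}

# Stand-alone: "./rules.sh apply" applies the rules; anything else prints the plan.
if [ "${1:-}" = "apply" ]; then apply_rules; else build_rules; fi
```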


11. Re: Transparent Squid + iptables (urgent)

natha
ncampos

(uses Debian)

Posted on 26/10/2015 - 13:01h

Buckminster wrote:

My bad, I did it in a hurry:

iptables -I 1 FORWARD -p tcp --dport 80 -s 10.1.1.172 -j ACCEPT

the right way is this

iptables -I FORWARD 1 -p tcp --dport 80 -s 10.1.1.172 -j ACCEPT <<< the number must come after the chain name.
iptables -I FORWARD 2 -p tcp --dport 80 -s 10.1.1.173 -j ACCEPT

and so on.


Thanks for the reply!!! I will test that rule, but I have already deployed the fixes at the client. I removed Squid 2 and installed Squid 3.
When it is about to start it generates "errors"; the same SQUID.CONF is working on my test server.
The only difference is that at the client the environment is Ubuntu 12, and my server is Debian 7.
Below are the errors it generates:

# IF I TRY TO STOP
service squid3 stop
stop: Unknown instance:


# IF I TRY TO START
root@server-bgp:~# service squid3 start
squid3 start/pre-start, process 2316


# IF I TRY TO RESTART
root@server-bgp:~# squid3 restart
2015/10/26 12:59:16| aclParseAclList: ACL name 'manager' not found.
FATAL: Bungled squid.conf line 61: http_access allow manager localhost
Squid Cache (Version 3.1.19): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.004 user + 0.000 sys
Maximum Resident Size: 17904 KB
Page faults with physical i/o: 0

#### SQUID.CONF I AM USING:

http_port 3128 intercept

cache_mem 128 MB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid3 2048 16 256
cache_access_log /var/log/squid3/cache.log

visible_hostname proxy
cache_mgr email@email

coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


error_directory /usr/share/squid3/errors/pt-br


################################################################################

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

############################ ACL #################################################

# Custom ACLs
acl redelocal src 10.1.1.0/24

acl ips_liberado src "/etc/squid3/ips_liberado"
http_access allow ips_liberado

# ACLs FOR ALLOWED SITES
acl sites_liberados url_regex -i "/etc/squid3/sites_liberados"
http_access allow sites_liberados

# ACLs FOR PER-IP SITE ALLOWANCE
acl ip_liberacao_porsite src "/etc/squid3/ip_liberacao_porsite"
acl site_liberacao_porsite url_regex "/etc/squid3/site_liberacao_porsite"
http_access deny site_liberacao_porsite !ip_liberacao_porsite

# ACLs FOR SITES BLOCKED FOR THE WHOLE NETWORK
acl bloqueados url_regex -i "/etc/squid3/bloqueados"


##################################################################################
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost



http_access deny bloqueados
http_access allow redelocal
http_access deny all




12. Re: Transparent Squid + iptables (urgent)

Buckminster
Buckminster

(uses Debian)

Posted on 28/10/2015 - 09:52h

2015/10/26 12:59:16| aclParseAclList: ACL name 'manager' not found.
FATAL: Bungled squid.conf line 61: http_access allow manager localhost

That is: aclParseAclList: an ACL named 'manager' was not found.
FATAL: squid.conf is broken at line 61: http_access allow manager localhost


Comment out these two lines

http_access allow manager localhost
http_access deny manager

Change it, restart Squid and test.
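
As an added example (not from the thread, and not Squid's own code), here is a small shell/awk linter that performs the check Squid failed on above: every name on an http_access line must be defined by an earlier acl line or be built in. The built-in list is a parameter because it depends on the version (Squid 3.2 and later build in manager, localhost and to_localhost; the default of only "all" is an assumption made here for 3.1). SAMPLE is a constructed excerpt shaped like the posted config, and lint_acls, lint_sample and lint_fixed are names chosen here.

```shell
#!/bin/sh
# Added example: report http_access references to ACL names that no earlier
# "acl NAME ..." line defines and that are not built in. Squid parses the file
# top to bottom, so a definition must precede its use, exactly as checked here.

# $1: space-separated built-in ACL names (assumed to be just "all" on Squid 3.1;
# 3.2 and later also build in manager, localhost and to_localhost).
# Reads squid.conf on stdin, prints "LINE: name" per bad reference, exits 1 if any.
lint_acls() {
    awk -v builtin="${1:-all}" '
        BEGIN { n = split(builtin, b, " "); for (i = 1; i <= n; i++) defined[b[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
        $1 == "acl" { defined[$2] = 1; next }          # "acl NAME type ..." defines NAME
        $1 == "http_access" {
            for (i = 3; i <= NF; i++) {                # $2 is allow/deny, the rest are ACLs
                name = $i; sub(/^!/, "", name)         # "!Safe_ports" refers to Safe_ports
                if (!(name in defined)) { printf "%d: %s\n", NR, name; bad = 1 }
            }
        }
        END { exit bad + 0 }'
}

# Constructed excerpt shaped like the posted config (not the full file).
SAMPLE='acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl redelocal src 10.1.1.0/24
acl bloqueados url_regex -i "/etc/squid3/bloqueados"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny bloqueados
http_access allow redelocal
http_access deny all'

# Squid 3.1 view: only "all" is built in, so manager and localhost get flagged
# (lines 6, 7 and 10 of the sample).
lint_sample() { printf '%s\n' "$SAMPLE" | lint_acls "all"; }

# The same file as a 3.2+ install sees it: nothing to report.
lint_fixed() { printf '%s\n' "$SAMPLE" | lint_acls "all manager localhost to_localhost"; }

# Stand-alone: print the report for the sample.
lint_sample || echo "undefined ACL names found (exit $?)"
```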