alexsp
(usa Arch Linux)
Enviado em 27/08/2008 - 13:06h
Estou tentando botar pra funcionar o squid pra fazer cache das páginas e downloads,
mas nem com a config básica está funcionando.
Instalei o squid compilando pelo source (./configure, make e make install).
----------------------------------------------
meu firewall
----------------------------------------------
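#!/usr/bin/env bash
#
# Firewall / NAT for a small home router that also runs squid.
#   WAN  : ppp0 (masqueraded)
#   LAN  : 192.168.1.0/24
#   WLAN : 10.1.1.0/24
#   Squid: this host, TCP 3128
#
# Runs as root.  Like the original script it does NOT stop on the first
# failing rule: aborting half-way would leave the DROP policies in place
# with no ACCEPT rules and lock the admin out.  iptables reports each
# failing rule on stderr, so watch the output when loading.
set -u

readonly wan_if=ppp0
readonly lan_net=192.168.1.0/24
readonly wlan_net=10.1.1.0/24
readonly squid_port=3128

echo "carregando firewall..............."

# --- flush every chain in the three tables ------------------------------
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F

# --- default policies ---------------------------------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# --- loopback -----------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT

# --- masquerading / connection sharing ----------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE

# --- HTTP interception -> squid -----------------------------------------
# The original rule used "-i ppp0", which matches packets ARRIVING on the
# WAN link, i.e. traffic coming from the Internet.  LAN clients never hit
# it (their packets arrive on the LAN interface), while inbound port-80
# connections from the Internet were pointed at the proxy port (the INPUT
# rules below then dropped them, but that was not the intent).
# Match on the internal source network instead, and leave destinations
# inside the internal networks alone so the Apache on 192.168.1.2 and the
# services on this host are not hijacked.
# Only the LAN is intercepted: squid.conf only allows 192.168.1.0/24
# ("acl interna").  Add a squid acl for 10.1.1.0/24 first, then a second
# REDIRECT rule with -s "$wlan_net"; the other way round gives WLAN users
# a squid "access denied" page instead of the web.
# Interception also needs the matching http_port option in squid.conf
# ("transparent" on squid 2.6/2.7/3.0, "intercept" on 3.1+).  Browsers that
# are configured to use 192.168.1.1:3128 explicitly do not need any of this.
iptables -t nat -A PREROUTING -p tcp --dport 80 -d "$lan_net" -j RETURN
iptables -t nat -A PREROUTING -p tcp --dport 80 -d "$wlan_net" -j RETURN
iptables -t nat -A PREROUTING -s "$lan_net" -p tcp --dport 80 -j REDIRECT --to-port "$squid_port"

# ====================== INPUT rules =====================================
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP echo reply (0) and echo request (8)
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# Services on this host.  None of these rules carries "-i" or "-s", so the
# ports are open on every interface, including ppp0 (the Internet).  That
# is probably wanted for No-IP and TeamSpeak; for SSH and the Deluge/Apache
# web interfaces consider limiting them to the internal networks, e.g.
#   iptables -A INPUT -s "$lan_net" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT         # SSH
iptables -A INPUT -p tcp --dport 9000 -j ACCEPT       # Deluge web UI
iptables -A INPUT -p tcp --dport 7500:7510 -j ACCEPT  # Deluge
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT       # Apache
iptables -A INPUT -p tcp --dport 8245 -j ACCEPT       # No-IP
iptables -A INPUT -p udp --dport 8767 -j ACCEPT       # TeamSpeak
iptables -A INPUT -s 10.1.1.2 -p tcp --dport 80 -j ACCEPT                 # Apache, alex only
iptables -A INPUT -s "$wlan_net" -p tcp --dport "$squid_port" -j ACCEPT   # squid from WLAN
iptables -A INPUT -s "$lan_net" -p tcp --dport "$squid_port" -j ACCEPT    # squid from LAN

# SMB / NetBIOS from the WLAN
iptables -A INPUT -s "$wlan_net" -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s "$wlan_net" -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s "$wlan_net" -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s "$wlan_net" -p tcp --dport 445 -j ACCEPT

# Full access to this host for a few LAN IPs, tied to their MAC.
# The mac match only makes accidental IP reuse harmless; it is not
# authentication (the MAC is chosen by the client), so do not rely on it
# to protect anything sensitive.
iptables -A INPUT -s 192.168.1.2 -m mac --mac-source 00:E0:06:F4:0F:37 -j ACCEPT   # ALEX
iptables -A INPUT -s 192.168.1.3 -m mac --mac-source 00:0E:A6:0F:55:A5 -j ACCEPT   # MAE
iptables -A INPUT -s 192.168.1.4 -m mac --mac-source 00:E0:7D:E5:C5:59 -j ACCEPT   # PAI
iptables -A INPUT -s 192.168.1.5 -m mac --mac-source 00:08:54:01:58:32 -j ACCEPT   # PRENSA

# ====================== FORWARD rules ===================================
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN IPs with unrestricted access
iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
iptables -A FORWARD -s 192.168.1.3 -j ACCEPT
iptables -A FORWARD -s 192.168.1.4 -j ACCEPT

# WLAN access control.
# Order matters: the WLAN->WLAN DROP must precede the "WLAN -> anything but
# the LAN" ACCEPT.  In the original the ACCEPT came first, so it matched
# WLAN->WLAN traffic too and the DROP was dead.  (Clients on the same
# wireless segment normally reach each other without ever entering this
# FORWARD chain; real isolation needs the access point's client isolation.)
# "! -d" is the current negation syntax; "-d !" is the deprecated form.
iptables -A FORWARD -s "$wlan_net" -d "$wlan_net" -j DROP                          # WLAN clients do not see each other
iptables -A FORWARD -s "$wlan_net" ! -d "$lan_net" -j ACCEPT                       # WLAN may not reach LAN hosts
iptables -A FORWARD -s "$wlan_net" -d 192.168.1.2 -p udp --dport 12203 -j ACCEPT   # all wireless clients reach medal
iptables -A FORWARD -s 10.1.1.2 -m mac --mac-source 00:19:5B:D2:49:9A -j ACCEPT    # alex desktop, full access, MAC-tied

# LAN IPs with restricted access
iptables -A FORWARD -s 192.168.1.5 -p udp --dport 53 -j ACCEPT
# A hostname in -d is resolved ONCE, when the rule is loaded: the rule keeps
# whatever addresses DNS returned at that moment, and fails to load at all
# if DNS is unreachable (e.g. when this runs before ppp0 is up).  In the
# posted script these two commands were split across two lines, which
# makes bash run "iptables ... -d" with a missing argument.
iptables -A FORWARD -s 192.168.1.5 -d www.spenassatto.com.br -j ACCEPT
iptables -A FORWARD -s 192.168.1.5 -d www.google-analytics.com -j ACCEPT

# ====================== port forwards to the LAN ========================
# forward_port PROTO PORT DEST: DNAT PROTO/PORT to DEST and allow the
# forwarded connection through.  As in the original there is no "-i ppp0",
# so connections to these ports from the internal networks are rewritten
# as well.
forward_port() {
  local proto=$1 port=$2 dest=$3
  iptables -t nat -A PREROUTING -p "$proto" --dport "$port" -j DNAT --to-dest "$dest"
  iptables -A FORWARD -p "$proto" --dport "$port" -d "$dest" -j ACCEPT
}
forward_port udp 7000 10.1.1.3
forward_port tcp 7000 10.1.1.3
forward_port tcp 6881 192.168.1.3
forward_port tcp 6891 192.168.1.2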
----------------------------------------------
squid.conf
----------------------------------------------
# Squid listens on 3128, the port the firewall opens to the LAN and WLAN and
# redirects port 80 to.  For iptables REDIRECT interception this line also
# needs the interception option ("http_port 3128 transparent" on squid
# 2.6/2.7/3.0, "http_port 3128 intercept" on 3.1+); browsers configured to
# use 192.168.1.1:3128 explicitly work without it.
http_port 3128
visible_hostname servidor
# Only the wired LAN may use the proxy.  The firewall also opens 3128 to the
# WLAN (10.1.1.0/24); for that to work squid needs a matching acl, e.g.
#   acl wlan src 10.1.1.0/24
#   http_access allow wlan
acl interna src 192.168.1.0/24
# A request matching no http_access line gets the opposite of the last
# line, so anything outside "interna" is denied.  An explicit
# "http_access deny all" as the last line makes that visible (on squid 2.x
# "all" must be declared first, e.g. "acl all src 0.0.0.0/0.0.0.0";
# 3.x predefines it).
http_access allow interna
-______________________________________________
Configuro meu navegador para usar proxy em 192.168.1.1:3128,
mas não funciona.
Não sei se coloquei a regra certa no iptables.