Hi everyone, here I am again with more problems, asking for help =] The internet signal arrives via radio on eth1, configured as 192.168.4.3, and is shared through the firewall to my network 192.168.0.0/24. The intention is to run transparent squid, and it even works, but the network is slow: access to sites and downloads is slow, whereas when I plug my PC straight into the AP that receives the signal from outside, the net flies, hahaha. MSN especially: when it connects, it stays connected for about 2 minutes and then drops. Anyway, below are my firewall.sh and my squid.conf; I would like to know if there is a way to improve performance, or if something is wrong. I tried to comment my intention on each line below:
==============firewall====================
#!/bin/bash
## Delete any rules that may already exist
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

#### Policy rules ####
## Block any packet that is not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

## Allow access to the loopback interface
iptables -A INPUT -i lo -j ACCEPT

## Allow in only the replies to outgoing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Protection against stealth port scanners
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Protection against attacks
iptables -A INPUT -m state --state INVALID -j DROP

# Setting minimum delay
iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 443 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 10000 -j TOS --set-tos Minimize-Delay

#### OUTPUT ####
# Allow the server to reach other machines
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

### PREROUTING ###
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 80 -j REDIRECT --to-port 3128

### FORWARD ###
# Connection tracking (accept packets belonging to already-established connections)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## Redirect the administrators' traffic
/etc/firewall/admin/adminporta.sh
/etc/firewall/admin/adminssh.sh

## Redirect the users' traffic: squid and other blocking
# example:
# iptables -I INPUT -s 192.168.0.106 -p tcp --dport 3128 -j ACCEPT
# iptables -A FORWARD -s 192.168.0.106 -o eth1 -j ACCEPT
/etc/firewall/liberados/liberados.sh

#### POSTROUTING ####
## Internet sharing
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p udp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS -o eth1 --set-mss 1412

### Enable the module responsible for packet forwarding ###
echo 1 > /proc/sys/net/ipv4/ip_forward
========================================================================

====================squid.conf===========================
http_port 3128 transparent
visible_hostname INTERNET
cache_mem 512 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 700 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 50000 16 256
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 6881
acl purge method PURGE
acl CONNECT method CONNECT
acl servidor src 192.168.0.1
acl horario time 00:30-06:00
acl proibir_dominio dstdomain "/etc/squid/bloqueio"
acl proibir_url url_regex -i "/etc/squid/bloqurl"
acl aceitar_dom dstdomain "/etc/squid/aceitar"
http_access deny proibir_dominio !horario
http_access deny proibir_url !horario
http_access allow aceitar_dom
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow servidor
http_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
===========================================================
I hope I was clear; awaiting your reply, big hug.

Yours Truly
Carlos Beltrame - Electrical Engineer
IEEE - HTC Brazilian Representative
Mobile: +55 18-9795-5271
MSN : [email protected]
Skype : zebacking
UNESP - Campus of Ilha Solteira
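Added example, not code from the original post: a small shell check run over a constructed excerpt of the firewall quoted above. It flags the four rule patterns a reviewer would look at first when a transparent Squid gateway is slow: TOS rules bound to ppp0 while the uplink is eth1, no INPUT ACCEPT for port 3128 under a DROP policy (the sourced liberados.sh may add one, which this static check cannot see), a UDP/80 redirect to a TCP-only proxy, and overlapping SNAT/MASQUERADE rules. The RULES text, UPLINK value and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: a static check over the
# iptables rules quoted above for the mistakes that commonly make a
# transparent Squid gateway slow or unreliable. RULES is a constructed
# excerpt of the post's firewall; UPLINK=eth1 is taken from the post.
UPLINK=eth1
RULES=$(cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -o ppp0 -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p udp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -p tcp -j SNAT --to 192.168.4.3
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
EOF
)
rules() { printf '%s\n' "$RULES"; }

# 1. TOS rules bound to an interface other than the real uplink never match,
#    so the "minimum delay" marking silently does nothing. Prints the count.
tos_rules_on_wrong_iface() {
    rules | grep -- '-j TOS' | grep -vc -- "-o $UPLINK "
}
# 2. REDIRECT delivers port-80 traffic to the proxy on local port 3128; with
#    INPUT policy DROP that needs an explicit INPUT ACCEPT (here or in a
#    sourced script) or the redirected packets are dropped. Prints yes/no.
proxy_port_input_missing() {
    if rules | grep -q -- '-P INPUT DROP' &&
       ! rules | grep -- '-A INPUT' | grep -q -- '--dport 3128'
    then echo yes; else echo no; fi
}
# 3. Squid accepts TCP only; a UDP/80 REDIRECT to 3128 is dead weight.
udp_redirect_to_proxy() {
    rules | grep -- '-p udp' | grep -c -- '-j REDIRECT'
}
# 4. SNAT and MASQUERADE for the same source: only the first rule is ever hit.
nat_rules_overlap() {
    if rules | grep -q -- '-j SNAT' && rules | grep -q -- '-j MASQUERADE'
    then echo yes; else echo no; fi
}

# Print a one-line verdict per check (a count, or yes/no).
for check in tos_rules_on_wrong_iface proxy_port_input_missing \
             udp_redirect_to_proxy nat_rules_overlap; do
    echo "$check: $($check)"
done
```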

