(linux-br)Squid + IPtables + E-mail

Roberto - Informï¿½tica Mon, 07 Jun 2004 08:24:33 -0700

Pessoal, bom dia

Seguinte, esta semana implantei um servidor rodando squid, atï¿½ aï¿½ nota 10, o 
squid funcionou perfeitamente. O grande problema ï¿½ que eu nï¿½o consigo acesso 
de forma nenhuma, para qualquer estaï¿½ï¿½o pegar e-mail.


Assim, o server tem 2 placas de rede. Uma ligada no modem ADSL e uma na rede 
interna. A placa de rede interna tem 2 classes de IP. Mas o que me chamou 
mais a atenï¿½ï¿½o nï¿½o ï¿½ exatamente o e-mail, ï¿½ que nem o ping responde. E jï¿½ nï¿½o 
tenho idï¿½ia do que fazer.

Qualquer ajuda serï¿½ bem vinda...

O esquema estï¿½ assim configurado:

IP da placa da rede local: 192.168.0.2 e 192.168.1.2
IP da placa ligada no modem: 192.168.200.2

Primeiro adicionei as rotas:

route add default gw 192.168.200.254
route add 192.168.0.2 gw 192.168.200.2
route add 192.168.1.2 gw 192.168.200.2

Arquivo IPTABLES
---------------------------//-----------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 
3128
iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 80 -j REDIRECT --to-port 
3128
iptables -t nat -A POSTROUTING -s 0/0 -o eth1 -j MASQUERADE
---------------------------//-----------------------------------------------------

Depois de tentado essa configuraï¿½ï¿½o, sem sucesso, adicionei estas linhas:

---------------------------//-----------------------------------------------------
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 110
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 53
iptables -A INPUT -j ACCEPT -p udp --dport 80
iptables -A INPUT -j ACCEPT -p udp --dport 21
iptables -A INPUT -j ACCEPT -p udp --dport 110
iptables -A INPUT -j ACCEPT -p udp --dport 25
iptables -A INPUT -j ACCEPT -p udp --dport 22
iptables -A INPUT -j ACCEPT -p udp --dport 53
---------------------------//-----------------------------------------------------

E ainda nï¿½o funcionou...

Arquivo SQUID
---------------------------//-----------------------------------------------------
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_mem 100 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
maximum_object_size_in_memory 24 KB
ipcache_low 95

cache_dir diskd /usr/local/squid/cache 256 16 256 Q1=64 Q2=72
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid

acl blockedsites url_regex -i "/usr/local/squid/etc/bloqueados.txt"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21
acl Safe_ports port 25
acl Safe_ports port 53
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 110
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 3126
acl Safe_ports port 1025-65535
acl meu_pc src 192.168.200.2  
acl rede_interna src 192.168.0.0/24
acl rede_laboratorio src 192.168.1.0/24         
acl no_download urlpath_regex -i 
ftp .mov .mpeg .wav .tar .mp3 .bat .pif .zip .scr .gz .com
acl ip_kazaa src 213.248.112.0/24                  
acl porta_Kazaa port 1214
acl ip_msn src 207.46.104.20                    
acl porta_msn port 1863
acl portas_irc port 531 6666 6667 7000 7001             
acl CONNECT method CONNECT

http_access deny porta_kazaa
http_access deny ip_kazaa                          
http_access deny ip_msn
http_access deny porta_msn                   
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blockedsites
http_access allow localhost
http_access allow rede_interna
http_access allow meu_pc                  
http_access allow 
rede_laboratorio !no_download !ip_msn !porta_msn !portas_irc !ip_kazaa !porta_kazaa
http_access allow all 
http_reply_access allow all

icp_access allow all
cache_mgr [EMAIL PROTECTED]

coredump_dir /var/cache/squid
---------------------------//-----------------------------------------------------

---------------------------------------------------------------------------
Esta lista ï¿½ patrocinada pela Conectiva S.A. Visite http://www.conectiva.com.br

Arquivo: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
Regras de utilizaï¿½ï¿½o da lista: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html

(linux-br)Squid + IPtables + E-mail

Responder a