>Ola marcio. Sim se trata de NAT a regra e: >#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>obs: eth1 <-- placa da internet Olá Celso. Esta regra não funcionou. E tem mais: Eu tentei configurar o squid como proxy transparente e também não funcionou. Estou usando o Fedora 2. Segue abaixo o meu squid.conf e o arquivo que estou usando como firewall http_port 3128 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY cache_mem 32 MB cache_swap_low 90 cache_swap_high 95 maximum_object_size 4096 KB minimum_object_size 0 KB maximum_object_size_in_memory 8 KB cache_dir ufs /var/spool/squid 100 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log debug_options ALL,1 client_netmask 255.255.255.0 hosts_file /etc/hosts auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports acl empresa src 192.168.0.0/255.255.255.0 acl sites_negados dstdomain -i "/etc/squid/sites_proibidos.txt" acl palavras_negadas url_regex -i "/etc/squid/palavras_proibidas.txt" http_access deny sites_negados all http_access deny palavras_negadas all http_access allow empresa all http_access allow localhost http_access deny all http_reply_access allow all 
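icp_access allow all
cache_effective_user squid
cache_effective_group squid
# Transparent-proxy settings for Squid 2.5 (the httpd_accel_* directives are
# what later Squid releases replaced with "http_port ... transparent").
httpd_accel_host virtual
httpd_accel_port 80
# NOTE(review): the usual Squid 2.5 transparent-proxy recipe combines
# "httpd_accel_host virtual" with httpd_accel_single_host OFF; confirm that
# "on" is really intended here, it is a likely reason the transparent setup
# did not work.
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
client_db on
netdb_low 900
netdb_high 1000
coredump_dir /var/spool/squid
########################################################################## firewall
# Firewall / NAT script for the Squid gateway configured above. Must run as
# root (it loads kernel modules, writes sysctls and programs iptables).
#
# Interface roles as used by THIS script: eth1 = internal LAN
# (192.168.0.0/24, DHCP and the Squid REDIRECT are bound to it),
# eth0 = internet uplink (MASQUERADE and the outbound FORWARD rule use it).
# The rule quoted in the reply ("-o eth1 -j MASQUERADE", with eth1 described
# as the internet card) assumes the opposite naming; applied unchanged on
# this box it would masquerade traffic leaving towards the LAN, which would
# explain why it appeared not to work.
#
# Load connection tracking, NAT and the targets used below.
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ipt_state
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
# Enable routing between the interfaces; ip_dynaddr helps when the uplink
# address changes (dial-up style links).
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
/bin/echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Host stops answering ICMP echo on ALL interfaces, including the LAN; this
# makes troubleshooting connectivity from the clients harder.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Start from empty filter and nat tables.
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -X -t nat
# Default policies are ACCEPT, so every rule below can only ADD permission;
# nothing arriving on the uplink is blocked. Once the gateway works, switch
# INPUT and FORWARD to DROP and keep the explicit ACCEPT rules.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
# LAN -> internet: new connections out, only replies back in.
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
# Loopback. Matching on the interface instead of "-s 127.0.0.1" cannot be
# satisfied by a spoofed source address; the old FORWARD rule for 127.0.0.1
# never matched in practice (loopback sources are not forwarded) and is gone.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
# Allow DHCP from the internal network
#
# DHCP is UDP only, so the former tcp/67 and tcp/68 rules were no-ops. A
# client's first DHCPDISCOVER is sent from source 0.0.0.0, which a
# "-s 192.168.0.0/24" match would not cover; the interface is the useful
# filter here.
/sbin/iptables -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p udp --dport 68 -j ACCEPT
#
# Redirect web traffic to Squid
#
#/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# HTTPS is deliberately NOT redirected: Squid's http_port speaks plain HTTP
# and cannot terminate TLS, so the previous "443 -> 3128" REDIRECT broke
# every HTTPS site for the LAN. HTTPS now goes straight through the
# MASQUERADE rule below (the CONNECT/SSL_ports ACLs in squid.conf only apply
# to browsers configured to use the proxy explicitly).
#
# Masquerading and forwarding
#
# NOTE(review): in the pasted original it cannot be told whether the "#"
# preceding this rule was the end of the banner above or commented the rule
# out; it has to be active for the LAN to reach the internet at all.
/sbin/iptables -t nat -A POSTROUTING -d 0/0 -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -o eth0 -d 0/0 -j ACCEPT
---------------------------------------------------------------------------
Esta lista é patrocinada pela Conectiva S.A.
Visite http://www.conectiva.com.br
Arquivo: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
Regras de utilização da lista: http://linux-br.conectiva.com.br
FAQ: http://www.zago.eti.br/menu.html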
