[slack-users] Fwd: Problema com Iptables e Squid

Tue, 08 Jan 2008 07:01:53 -0800 

Boa noite!

Gostaria de uma ajuda.

Estou tentando rodar a nível de testes o Iptables juntamente com Squid em
minha máquina, uma estação e não servidor.

Seto todas as regras no Iptables e tenho o Squid instalado rodando como proxy
transparente.

Mas infelizmente meu Squid parece não estar aplicando nenhuma regra.

Alguém pode me ajudar?

Segue abaixo configurações do Squid e do Iptables:

IPTABLES 1.3.7
==========================
#!/bin/sh
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

echo "0" > /proc/sys/net/ipv4/ip_forward

for spoofing in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo "1" > $spoofing
done

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_MASQUERADE

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 6667 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 6668 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Setando regras para FOWARD ...............[ OK ]"

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Setando ip_foward: ON ....................[ OK ]"
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port
3128
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 80 -j REDIRECT --to-port
3128


SQUID 2.6.STABLE16
================================
http_port 80 transparent
visible_hostname Proxy.SQUID

cache_mem 64 MB
maximum_object_size_in_memory 128 KB
maximum_object_size 300 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/cache/squid 2048 16 256
cache_effective_user nobody

cache_access_log /var/log/access.log

refresh_pattern ^ftp:  15 20% 2280
refresh_pattern ^gopher:  15 20% 2280
refresh_pattern .  15 20% 22820

pid_filename /var/run/squid.pid

acl ip_liberado src "/etc/squid/ip_liberado"
http_access allow ip_liberado

acl site_restrito dstdomain "/etc/squid/site_restrito"
acl ip_restrito src "/etc/squid/ip_restrito"
http_access deny ip_restrito !site_restrito

acl ip_negado src "/etc/squid/ip_negado
http_access deny ip_negado

acl palavra dstdom_regex "/etc/squid/palavras_negadas"
http_access deny palavra

acl site url_regex -i "/etc/squid/sites_negados"
http_access deny site

acl video1 url_regex -i \.avi
http_access deny video1

acl video2 url_regex -i \.wmv
http_access deny video2

acl video3 url_regex -i \.mpg
http_access deny video3

acl video4 url_regex -i \.rmvb
http_access deny video4

acl video5 url_regex -i \.mpeg
http_access deny video5

acl video6 url_regex -i \.mpe
http_access deny video6

acl video7 url_regex -i \.mov
http_access deny video7

acl video8 url_regex -i \.flv
http_access deny video8

acl mp3 url_regex -i \.mp3
http_access deny mp3

acl wav url_regex -i \.wav
http_access deny wav

acl all src 0.0.0.0/0.0.0.0
http_access allow all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 #http
acl Safe_ports port 21 #ftp
acl Safe_ports port 443 563 #https, news
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistred ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 901 #swat
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

always_direct allow all

http_access deny all

--
  _       Eduardo Vieira Mendes
 °v°      E-Mail: [EMAIL PROTECTED]
/(_)\     Homepage: http://eduardovm.t35.com
 ^ ^      LUSER: 298813
          Linux Slackware 11.0

--~--~---------~--~----~------------~-------~--~----~
GUS-BR - Grupo de Usuários de Slackware Brasil
http://www.slackwarebrasil.org/
http://groups.google.com/group/slack-users-br
-~----------~----~----~----~------~----~------~--~---

Responder a