Pessoal, desculpe pelo tamanho do email, � que eu estou quebrando a cabe�a
com algumas coisas, j� liga muitas documenta��es(inclusive a do nosso amigo
ZAGO, que foi mto boa.. historico da lista.... j� li o site iptablesbr,
entre outros) mas nao consigo resolver os seguintes problemas:
- Direcionar conex�es para a porta 80(vindas da rede interna) para o
firewall na porta 3128(squid);
- Compartilhar o resto da conex�o(permitir portas 110, 25... etc, com o
MASQUERADE.... a intranet n�o consegue NEM pingar rede externa);
- Separar DHCP por dispositivo de rede, para que eu possa criar ACLs
distintas no squid para cada faixa de ips(ex.: eth1=tecninos(sem
restricoes), eth2 usarios(mtas restricoes).... a eth0 � um dns secund�rio,
sem problemas );
Podem me ajudar???
Grato,
Fernando
TEM ALGUM ERRO NO DHCPD.CONF???? Existe como eu especificar o dhcpd para o
dispositivo de rede eth0 e outro para o eth1???
##
## DHCPD.CONF -> INICIO
##
ddns-update-style none;
default-lease-time 43200;
max-lease-time 43200;
option subnet-mask 255.255.0.0;
option domain-name-servers 192.168.0.1;
option broadcast-address 192.168.0.255;
option routers 192.168.0.254;
subnet 192.168.0.0 netmask 255.255.0.0 {
option domain-name "proxy.dominio";
range 192.168.0.10 192.168.0.200;
}
##
## DHCPD.CONF -> INICIO
##
TEM ALGUM ERRO NO SQUID.CONF???? Existe como eu especificar regras para o
dispositivo de rede eth0 e outro para o eth1??? ou s� regras por faixas de
ip????
##
## SQUID.CONF -> INICIO
##
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_port 3128
cache_mem 10 MB
maximum_object_size 30000 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
ache_dir ufs /var/spool/squid 8000 16 256
cache_access_log /var/spool/squid/access.log
cache_log /var/spool/squid/cache.log
cache_store_log /var/spool/squid/store.log
cache_swap_log /var/spool/squid/swap.log
pid_filename /var/run/squid.pid
ftp_list_width 32
cache_dns_program /usr/bin/dnsserver
dns_defnames on
dns_nameservers 200.215.73.98 200.215.73.99
acl intranet src 192.168.0.0
acl all src 0/0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow intranet
http_access deny all
icp_access allow all
miss_access allow all
cache_effective_user nobody
cache_effective_group nobody
##
## SQUID.CONF -> INICIO
##
TEM ALGUM ERRO NO SHELL SCRIPT DO IPTABLES???? Essas regras parecem n�o
estar ativas, pois n�o direciona a porta 80 para o squid(3128) e muito menos
mascara o resto da conex�o, pra falar a verdade os ips internos(192.168) nem
conseguem pingar a internet(ips do proprio servidor proxy na net)
#!/bin/sh
##
## IPTABLES -> INICIO
##
/bin/echo "Carregando mascaramento"
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 200.215.73.101
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s
192.168.0.0/255.255.0.0 -j REDIRECT --to-port 3128
/usr/sbin/iptables -N block
/usr/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A block -m state --state NEW -i ! eth1 -j ACCEPT
#/usr/sbin/iptables -A block -m state --state NEW -i eth0 -j ACCEPT -p
tcp --dport 80
/usr/sbin/iptables -A block -m state --state NEW -i eth1 -j ACCEPT -p
tcp --dport 80
/usr/sbin/iptables -A block -m state --state NEW -i eth1 -j ACCEPT -p
tcp --dport 22
/usr/sbin/iptables -A block -m state --state NEW -i eth1 -j ACCEPT -p
tcp --dport 3128
/usr/sbin/iptables -A block -m state --state NEW -i eth1 -j ACCEPT -p
tcp --sport 20
/usr/sbin/iptables -A block -m state --state NEW -i eth1 -j ACCEPT -p
tcp --sport 21
/usr/sbin/iptables -A block -i eth1 -p udp --destination-port 161 -j ACCEPT
/usr/sbin/iptables -A block -o eth1 -p udp --source-port 161 -j ACCEPT
/usr/sbin/iptables -A block -j block
/usr/sbin/iptables -A INPUT -j block
/usr/sbin/iptables -A FORWARD -j block
# Red de Audio Galaxy
/usr/sbin/iptables -A FORWARD -d 64.245.58.0/23 -j REJECT
# GNUtella, Bearshare y ToadNode
/usr/sbin/iptables -A FORWARD -p tcp --dport 6346 -j REJECT
# eDonkey
/usr/sbin/iptables -A FORWARD -p tcp --dport 4661:4662 -j REJECT
/usr/sbin/iptables -A FORWARD -p udp --dport 4665 -j REJECT
# Puertos y redes de Kazaa y Morpheus
/usr/sbin/iptables -A FORWARD -p tcp --dport 1214 -j REJECT
/usr/sbin/iptables -A FORWARD -d 213.248.112.0/24 -j REJECT
/usr/sbin/iptables -A FORWARD -d 206.142.53.0/24 -j REJECT
# Red de Napigator
/usr/sbin/iptables -A FORWARD -d 209.25.178.0/24 -j REJECT
# Red de Napster
/usr/sbin/iptables -A FORWARD -d 64.124.41.0/24 -j REJECT
# Redes de WinMX
/usr/sbin/iptables -A FORWARD -d 209.61.186.0/24 -j REJECT
/usr/sbin/iptables -A FORWARD -d 64.49.201.0/24 -j REJECT
# Red de IMesh
/usr/sbin/iptables -A FORWARD -d 216.35.208.0/24 -j REJECT
# AIM e ICQ
/usr/sbin/iptables -A FORWARD -p tcp --dport 9898 -j REJECT
/usr/sbin/iptables -A FORWARD -p tcp --dport 5190:5193 -j REJECT
/usr/sbin/iptables -A FORWARD -d login.oscar.aol.com -j REJECT
/usr/sbin/iptables -A FORWARD -d login.icq.com -j REJECT
# Jabber
/usr/sbin/iptables -A FORWARD -p tcp --dport 5222:5223 -j REJECT
# MSN Messenger
/usr/sbin/iptables -A FORWARD -p tcp --dport 1863 -j REJECT
/usr/sbin/iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
# Yahoo! Messenger
/usr/sbin/iptables -A FORWARD -p tcp --dport 5000:5010 -j REJECT
/usr/sbin/iptables -A FORWARD -d cs.yahoo.com -j REJECT
/usr/sbin/iptables -A FORWARD -d scsa.yahoo.com -j REJECT
# mIRC
/usr/sbin/iptables -A FORWARD -p tcp --dport 6660:7002 -j REJECT
##
## IPTABLES -> FIM
##
Assinantes em 13/03/2003: 2226
Mensagens recebidas desde 07/01/1999: 204086
Historico e [des]cadastramento: http://linux-br.conectiva.com.br
Assuntos administrativos e problemas com a lista:
mailto:[EMAIL PROTECTED]
