problema squid e iptables com sub rede
-
Alexandre
Oct. 21, 2009, 4:45 p.m.estou com problema: tenho um servidor rodando o squid e o iptables que recebe o link da internet e repassa para os usuários o ip 192.168.1.0/24 mascara 255.255.255.0 gateway 192.168.1.1.
Aí dentro dessa rede tenho outro servidor que recebe o ip de entrada 192.168.1.10 e repassa para os usuários 192.168.2.0/24. Se eu desabilitar o iptables der aqueles 3 comandos somente para navegar funciona
estou quebrando a cabeça e não acho o erro segue meu iptables e meu squid, uso as mesmas regras nos dois somente ajustando os ips e interfaces.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#acl chefe src 192.168.2.10/255.255.255.255
#acl horario2 time SMTWHFA 00:00-24:00
#http_access allow chefe horario2
#acl funcionario src 192.168.2.0/24
#acl horario1 time SMTWHFA 7:30-12:00
#http_access deny funcionario horario1
#acl dpc2 src 192.168.2.10/255.255.255.255
#reply_body_max_size 9999999999 deny dpc2
#acl tamanho src 192.168.2.0/24
#reply_body_max_size 20971520 deny tamanho
acl REDE_CLIENTES src 192.168.1.0/24
acl DOWNLOADS url_regex -i .zip .exe .bz .bz2 .avi .iso .mp3 .dll .mpg .flv .mpeg .mov .asf .rmvb .rm .mpe$
acl PAGINAS url_regex -i .htm .html .xhtml .gif .jpeg .swf .js .jar .php .asp .ccs .jpg .png .ico .swf .aspx .jsp .bmp .cfg .ajs .txt .$
delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow PAGINAS !DOWNLOADS
delay_class 2 2
delay_parameters 2 50000/50000 50000/50000
delay_access 2 allow DOWNLOADS
acl rede src 192.168.1.0/255.255.255.0
acl pc1 src 192.168.1.9/255.255.255.255
acl pc2 src 192.168.1.10/255.255.255.255
acl pc3 src 192.168.1.20/255.255.255.255
acl pc4 src 192.168.1.87/255.255.255.255
acl all src 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#windows update windows xp
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
#windows update windows vista
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
acl negado url_regex "/etc/squid/negado.txt"
acl liberado url_regex "/etc/squid/liberado.txt"
http_access allow pc1
http_access allow pc2
http_access allow pc3
http_access allow pc4
http_access allow liberado rede
http_access deny negado rede
http_access allow rede !negado
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow localhost
#icp_access deny all
icp_access allow all
http_port 192.168.1.1:3128 transparent
#zph_mode tos
#zph_local 0x02
#zph_parent 0
#zph_option 136
acl sem_cache url_regex "/etc/squid/sem_cache.txt" \?
no_cache deny sem_cache
hierarchy_stoplist cgi-bin ? .asp .aspx #.php
acl QUERY urlpath_regex cgi-bin \? .asp .aspx #.php
no_cache deny QUERY
cache_mem 128 MB
maximum_object_size_in_memory 64 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 4096 16 256
minimum_object_size 0 KB
maximum_object_size 200 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 1
emulate_httpd_log on
client_netmask 255.255.255.255
ftp_list_width 32
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 0% 0
quick_abort_min 10 KB
quick_abort_max 10 KB
quick_abort_pct 2
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
connect_timeout 2 minutes
read_timeout 15 minutes
request_timeout 2 minutes
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
collapsed_forwarding on
ie_refresh on
client_lifetime 1 day
cache_effective_user proxy
visible_hostname servidor camara municipal
detect_broken_pconn on
#icp_port 0
#htcp_port 0
http_port 3128
icp_port 3130
error_directory /usr/share/squid/errors/Portuguese
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
memory_pools on
offline_mode on
coredump_dir /var/spool/squid
pipeline_prefetch on
#dns_nameservers 208.67.222.222 208.67.220.220
dns_nameservers 189.42.142.75 200.255.212.201
___________________________________________________________________________________________
#!/bin/bash
iniciar(){
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p udp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j REDIRECT --to-port 53
#saida
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 443 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 53 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3128 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 3128 -j TOS --set-tos 16
#entrada
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 53 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 443 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 3128 -j TOS --set-tos 0x10
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1935 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1437 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1126 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 5050 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 2559 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60139 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60692 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3276 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60923 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3442 -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.1.29
}
parar(){
iptables -F
iptables -t nat -F
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use os parâtros start ou stop"
esac
__________ Informa� do ESET NOD32 Antivirus, vers�da vacina 4529 (20091021) __________
A mensagem foi verificada pelo ESET NOD32 Antivirus.
http://www.eset.com -
Oct. 21, 2009, 5:57 p.m.Alexandre,
Experimente desativar o firewall e o squid e tentar navegar em seu segundo
servidor.
Caso não navegue, tente setar DNS e Gateway.
Outro teste que você pode fazer é na sua segunda rede setar o proxy do seu
segundo servidor direto e ver se navega.
Fico no aguardo de repostas.
Att
Angelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #417837
2009/10/21 alexandre> estou com problema: tenho um servidor rodando o squid e o iptables que
> recebe o link da internet e repassa para os usuários o ip 192.168.1.0/24mascara 255.255.255.0 gateway 192.168.1.1. Aí
> dentro dessa rede tenho outro servidor que recebe o ip de entrada
> 192.168.1.10 e repassa para os usuários 192.168.2.0/24. Se eu desabilitar
> o iptables der aqueles 3 comandos somente para navegar funciona
> estou quebrando a cabeça e não acho o erro segue meu iptables e meu squid,
> uso as mesmas regras nos dois somente ajustando os ips e interfaces.
>
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> #acl chefe src 192.168.2.10/255.255.255.255
> #acl horario2 time SMTWHFA 00:00-24:00
> #http_access allow chefe horario2
> #acl funcionario src 192.168.2.0/24
> #acl horario1 time SMTWHFA 7:30-12:00
> #http_access deny funcionario horario1
> #acl dpc2 src 192.168.2.10/255.255.255.255
> #reply_body_max_size 9999999999 deny dpc2
> #acl tamanho src 192.168.2.0/24
> #reply_body_max_size 20971520 deny tamanho
> acl REDE_CLIENTES src 192.168.1.0/24
> acl DOWNLOADS url_regex -i .zip .exe .bz .bz2 .avi .iso .mp3 .dll .mpg .flv
> .mpeg .mov .asf .rmvb .rm .mpe$
> acl PAGINAS url_regex -i .htm .html .xhtml .gif .jpeg .swf .js .jar .php
> .asp .ccs .jpg .png .ico .swf .aspx .jsp .bmp .cfg .ajs .txt .$
> delay_pools 2
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_access 1 allow PAGINAS !DOWNLOADS
> delay_class 2 2
> delay_parameters 2 50000/50000 50000/50000
> delay_access 2 allow DOWNLOADS
> acl rede src 192.168.1.0/255.255.255.0
> acl pc1 src 192.168.1.9/255.255.255.255
> acl pc2 src 192.168.1.10/255.255.255.255
> acl pc3 src 192.168.1.20/255.255.255.255
> acl pc4 src 192.168.1.87/255.255.255.255
> acl all src 192.168.1.0/255.255.255.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> #windows update windows xp
> refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200
> reload-into-ims
> refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100%
> 43200 reload-into-ims
> refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200
> reload-into-ims
> refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320
> 100% 43200 reload-into-ims
> #windows update windows vista
> refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100%
> 43200 reload-into-ims
> refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200
> reload-into-ims
> acl negado url_regex "/etc/squid/negado.txt"
> acl liberado url_regex "/etc/squid/liberado.txt"
> http_access allow pc1
> http_access allow pc2
> http_access allow pc3
> http_access allow pc4
> http_access allow liberado rede
> http_access deny negado rede
> http_access allow rede !negado
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow localhost
> #icp_access deny all
> icp_access allow all
> http_port 192.168.1.1:3128 transparent
> #zph_mode tos
> #zph_local 0x02
> #zph_parent 0
> #zph_option 136
> acl sem_cache url_regex "/etc/squid/sem_cache.txt" \?
> no_cache deny sem_cache
> hierarchy_stoplist cgi-bin ? .asp .aspx #.php
> acl QUERY urlpath_regex cgi-bin \? .asp .aspx #.php
> no_cache deny QUERY
> cache_mem 128 MB
> maximum_object_size_in_memory 64 KB
> cache_replacement_policy heap LFUDA
> memory_replacement_policy heap GDSF
> cache_dir ufs /var/spool/squid 4096 16 256
> minimum_object_size 0 KB
> maximum_object_size 200 MB
> cache_swap_low 90
> cache_swap_high 95
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> logfile_rotate 1
> emulate_httpd_log on
> client_netmask 255.255.255.255
> ftp_list_width 32
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 0% 0
> quick_abort_min 10 KB
> quick_abort_max 10 KB
> quick_abort_pct 2
> negative_ttl 5 minutes
> positive_dns_ttl 6 hours
> negative_dns_ttl 1 minute
> connect_timeout 2 minutes
> read_timeout 15 minutes
> request_timeout 2 minutes
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> collapsed_forwarding on
> ie_refresh on
> client_lifetime 1 day
> cache_effective_user proxy
> visible_hostname servidor camara municipal
> detect_broken_pconn on
> #icp_port 0
> #htcp_port 0
> http_port 3128
> icp_port 3130
> error_directory /usr/share/squid/errors/Portuguese
> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> fqdncache_size 1024
> memory_pools on
> offline_mode on
> coredump_dir /var/spool/squid
> pipeline_prefetch on
> #dns_nameservers 208.67.222.222 208.67.220.220
> dns_nameservers 189.42.142.75 200.255.212.201
>
> ___________________________________________________________________________________________
>
>
> #!/bin/bash
>
> iniciar(){
>
> modprobe iptable_nat
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -p udp --dport 80 -j REDIRECT --to-port 3128
> #iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j
> REDIRECT --to-port 53
> #saida
> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos 16
> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 443 -j TOS --set-tos 16
> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 53 -j TOS --set-tos 16
> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3128 -j TOS --set-tos
> 16
> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 3128 -j TOS --set-tos
> 16
> #entrada
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j TOS --set-tos
> 0x10
> iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 53 -j TOS --set-tos
> 0x10
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 443 -j TOS
> --set-tos 0x10
> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j TOS
> --set-tos 0x10
> iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 3128 -j TOS
> --set-tos 0x10
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s
> -j ACCEPT
> iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit
> 1/s -j ACCEPT
> iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1935 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1437 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1126 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 5050 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 2559 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60139 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60692 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3276 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60923 -j DROP
> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3442 -j DROP
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to
> 192.168.1.29
> }
>
> parar(){
> iptables -F
> iptables -t nat -F
> }
>
> case "$1" in
> "start") iniciar ;;
> "stop") parar ;;
> "restart") parar; iniciar ;;
> *) echo "Use os parâtros start ou stop"
> esac
>
>
> __________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4529
> (20091021) __________
>
> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>
>http://www.eset.com
>
> --
> Site da Comunidade GITEC
>http://colab.interlegis.gov.br
>
> Para pesquisar o histórico da lista visite:
>http://colab.interlegis.gov.br/wiki/PesquisaListas
>
> Para administrar sua conta visite:
>http://listas.interlegis.gov.br/mailman/listinfo/gitec
> -
Oct. 21, 2009, 6 p.m.Outra coisa interessante que me lembre.
A versão do squid utilizada nos 2 servidores é a mesma? Sobre qual sistema
operacional está configurado?
AbraçosAngelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #4178372009/10/21 Angelo Marcondes de Oliveira Neto> Alexandre,
>
> Experimente desativar o firewall e o squid e tentar navegar em seu segundo
> servidor.
> Caso não navegue, tente setar DNS e Gateway.
> Outro teste que você pode fazer é na sua segunda rede setar o proxy do seu
> segundo servidor direto e ver se navega.
>
> Fico no aguardo de repostas.
>
> Att
>
>
> Angelo Marcondes de Oliveira Neto.
>http://uaigeek.blogspot.com
> angelomarcondes@gmail.com
> (34) 91414287 - Linux User: #417837
>
>
> 2009/10/21 alexandre
>
>> estou com problema: tenho um servidor rodando o squid e o iptables que
>> recebe o link da internet e repassa para os usuários o ip 192.168.1.0/24mascara 255.255.255.0 gateway 192.168.1.1. Aí
>> dentro dessa rede tenho outro servidor que recebe o ip de entrada
>> 192.168.1.10 e repassa para os usuários 192.168.2.0/24. Se eu desabilitar
>> o iptables der aqueles 3 comandos somente para navegar funciona
>> estou quebrando a cabeça e não acho o erro segue meu iptables e meu squid,
>> uso as mesmas regras nos dois somente ajustando os ips e interfaces.
>>
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> #acl chefe src 192.168.2.10/255.255.255.255
>> #acl horario2 time SMTWHFA 00:00-24:00
>> #http_access allow chefe horario2
>> #acl funcionario src 192.168.2.0/24
>> #acl horario1 time SMTWHFA 7:30-12:00
>> #http_access deny funcionario horario1
>> #acl dpc2 src 192.168.2.10/255.255.255.255
>> #reply_body_max_size 9999999999 deny dpc2
>> #acl tamanho src 192.168.2.0/24
>> #reply_body_max_size 20971520 deny tamanho
>> acl REDE_CLIENTES src 192.168.1.0/24
>> acl DOWNLOADS url_regex -i .zip .exe .bz .bz2 .avi .iso .mp3 .dll .mpg
>> .flv .mpeg .mov .asf .rmvb .rm .mpe$
>> acl PAGINAS url_regex -i .htm .html .xhtml .gif .jpeg .swf .js .jar .php
>> .asp .ccs .jpg .png .ico .swf .aspx .jsp .bmp .cfg .ajs .txt .$
>> delay_pools 2
>> delay_class 1 2
>> delay_parameters 1 -1/-1 -1/-1
>> delay_access 1 allow PAGINAS !DOWNLOADS
>> delay_class 2 2
>> delay_parameters 2 50000/50000 50000/50000
>> delay_access 2 allow DOWNLOADS
>> acl rede src 192.168.1.0/255.255.255.0
>> acl pc1 src 192.168.1.9/255.255.255.255
>> acl pc2 src 192.168.1.10/255.255.255.255
>> acl pc3 src 192.168.1.20/255.255.255.255
>> acl pc4 src 192.168.1.87/255.255.255.255
>> acl all src 192.168.1.0/255.255.255.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> #windows update windows xp
>> refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200
>> reload-into-ims
>> refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100%
>> 43200 reload-into-ims
>> refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200
>> reload-into-ims
>> refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320
>> 100% 43200 reload-into-ims
>> #windows update windows vista
>> refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320
>> 100% 43200 reload-into-ims
>> refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100%
>> 43200 reload-into-ims
>> acl negado url_regex "/etc/squid/negado.txt"
>> acl liberado url_regex "/etc/squid/liberado.txt"
>> http_access allow pc1
>> http_access allow pc2
>> http_access allow pc3
>> http_access allow pc4
>> http_access allow liberado rede
>> http_access deny negado rede
>> http_access allow rede !negado
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow localhost
>> #icp_access deny all
>> icp_access allow all
>> http_port 192.168.1.1:3128 transparent
>> #zph_mode tos
>> #zph_local 0x02
>> #zph_parent 0
>> #zph_option 136
>> acl sem_cache url_regex "/etc/squid/sem_cache.txt" \?
>> no_cache deny sem_cache
>> hierarchy_stoplist cgi-bin ? .asp .aspx #.php
>> acl QUERY urlpath_regex cgi-bin \? .asp .aspx #.php
>> no_cache deny QUERY
>> cache_mem 128 MB
>> maximum_object_size_in_memory 64 KB
>> cache_replacement_policy heap LFUDA
>> memory_replacement_policy heap GDSF
>> cache_dir ufs /var/spool/squid 4096 16 256
>> minimum_object_size 0 KB
>> maximum_object_size 200 MB
>> cache_swap_low 90
>> cache_swap_high 95
>> access_log /var/log/squid/access.log squid
>> cache_log /var/log/squid/cache.log
>> cache_store_log /var/log/squid/store.log
>> logfile_rotate 1
>> emulate_httpd_log on
>> client_netmask 255.255.255.255
>> ftp_list_width 32
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
>> refresh_pattern . 0 0% 0
>> quick_abort_min 10 KB
>> quick_abort_max 10 KB
>> quick_abort_pct 2
>> negative_ttl 5 minutes
>> positive_dns_ttl 6 hours
>> negative_dns_ttl 1 minute
>> connect_timeout 2 minutes
>> read_timeout 15 minutes
>> request_timeout 2 minutes
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> collapsed_forwarding on
>> ie_refresh on
>> client_lifetime 1 day
>> cache_effective_user proxy
>> visible_hostname servidor camara municipal
>> detect_broken_pconn on
>> #icp_port 0
>> #htcp_port 0
>> http_port 3128
>> icp_port 3130
>> error_directory /usr/share/squid/errors/Portuguese
>> ipcache_size 1024
>> ipcache_low 90
>> ipcache_high 95
>> fqdncache_size 1024
>> memory_pools on
>> offline_mode on
>> coredump_dir /var/spool/squid
>> pipeline_prefetch on
>> #dns_nameservers 208.67.222.222 208.67.220.220
>> dns_nameservers 189.42.142.75 200.255.212.201
>>
>> ___________________________________________________________________________________________
>>
>>
>> #!/bin/bash
>>
>> iniciar(){
>>
>> modprobe iptable_nat
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>> iptables -t nat -A PREROUTING -p udp --dport 80 -j REDIRECT --to-port 3128
>> #iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j
>> REDIRECT --to-port 53
>> #saida
>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos 16
>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 443 -j TOS --set-tos
>> 16
>> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 53 -j TOS --set-tos 16
>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3128 -j TOS --set-tos
>> 16
>> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 3128 -j TOS --set-tos
>> 16
>> #entrada
>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j TOS
>> --set-tos 0x10
>> iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 53 -j TOS
>> --set-tos 0x10
>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 443 -j TOS
>> --set-tos 0x10
>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j TOS
>> --set-tos 0x10
>> iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 3128 -j TOS
>> --set-tos 0x10
>> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>> iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
>> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s
>> -j ACCEPT
>> iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
>> --limit 1/s -j ACCEPT
>> iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1935 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1437 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1126 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 5050 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 2559 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60139 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60692 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3276 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60923 -j DROP
>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3442 -j DROP
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to
>> 192.168.1.29
>> }
>>
>> parar(){
>> iptables -F
>> iptables -t nat -F
>> }
>>
>> case "$1" in
>> "start") iniciar ;;
>> "stop") parar ;;
>> "restart") parar; iniciar ;;
>> *) echo "Use os parâtros start ou stop"
>> esac
>>
>>
>> __________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4529
>> (20091021) __________
>>
>> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>>
>>http://www.eset.com
>>
>> --
>> Site da Comunidade GITEC
>>http://colab.interlegis.gov.br
>>
>> Para pesquisar o histórico da lista visite:
>>http://colab.interlegis.gov.br/wiki/PesquisaListas
>>
>> Para administrar sua conta visite:
>>http://listas.interlegis.gov.br/mailman/listinfo/gitec
>>
>
> -
Alexandre
Oct. 21, 2009, 6:42 p.m.uso debian 4 no servidor principal e debian 5 no segundo uso proxy transparente nos dois ainda não é esse o caminho
ATTalexandre
Outra coisa interessante que me lembre.A versão do squid utilizada nos 2 servidores é a mesma? Sobre qual sistema operacional está configurado?Abraços
Angelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #417837
2009/10/21 Angelo Marcondes de Oliveira Neto
Alexandre,Experimente desativar o firewall e o squid e tentar navegar em seu segundo servidor.Caso não navegue, tente setar DNS e Gateway.Outro teste que você pode fazer é na sua segunda rede setar o proxy do seu segundo servidor direto e ver se navega.Fico no aguardo de repostas.
Att
Angelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #417837
2009/10/21 alexandre
estou com problema: tenho um servidor rodando o squid e o iptables que recebe o link da internet e repassa para os usuários o ip 192.168.1.0/24 mascara 255.255.255.0 gateway 192.168.1.1.
Aí dentro dessa rede tenho outro servidor que recebe o ip de entrada 192.168.1.10 e repassa para os usuários 192.168.2.0/24. Se eu desabilitar o iptables der aqueles 3 comandos somente para navegar funciona
estou quebrando a cabeça e não acho o erro segue meu iptables e meu squid, uso as mesmas regras nos dois somente ajustando os ips e interfaces.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#acl chefe src 192.168.2.10/255.255.255.255
#acl horario2 time SMTWHFA 00:00-24:00
#http_access allow chefe horario2
#acl funcionario src 192.168.2.0/24
#acl horario1 time SMTWHFA 7:30-12:00
#http_access deny funcionario horario1#acl dpc2 src 192.168.2..10/255.255.255.255#reply_body_max_size 9999999999 deny dpc2
#acl tamanho src 192.168.2.0/24
#reply_body_max_size 20971520 deny tamanho
acl REDE_CLIENTES src 192.168.1.0/24acl DOWNLOADS url_regex -i ..zip .exe .bz .bz2 .avi .iso .mp3 .dll .mpg .flv .mpeg .mov .asf .rmvb .rm ..mpe$
acl PAGINAS url_regex -i .htm .html .xhtml .gif .jpeg .swf .js .jar ..php .asp .ccs .jpg .png .ico .swf .aspx .jsp .bmp .cfg .ajs .txt ..$delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow PAGINAS !DOWNLOADS
delay_class 2 2
delay_parameters 2 50000/50000 50000/50000
delay_access 2 allow DOWNLOADS
acl rede src 192.168.1.0/255.255.255.0
acl pc1 src 192.168.1.9/255.255.255.255
acl pc2 src 192.168.1.10/255.255.255.255
acl pc3 src 192.168.1.20/255.255.255.255acl pc4 src 192.168.1..87/255.255.255.255acl all src 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#windows update windows xp
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
#windows update windows vistarefresh_pattern download..windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-imsrefresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
acl negado url_regex "/etc/squid/negado.txt"
acl liberado url_regex "/etc/squid/liberado.txt"
http_access allow pc1
http_access allow pc2
http_access allow pc3
http_access allow pc4
http_access allow liberado rede
http_access deny negado rede
http_access allow rede !negado
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow localhost
#icp_access deny all
icp_access allow all
http_port 192.168.1.1:3128 transparent
#zph_mode tos
#zph_local 0x02
#zph_parent 0
#zph_option 136
acl sem_cache url_regex "/etc/squid/sem_cache.txt" \?
no_cache deny sem_cache
hierarchy_stoplist cgi-bin ? .asp .aspx #.php
acl QUERY urlpath_regex cgi-bin \? .asp .aspx #.php
no_cache deny QUERY
cache_mem 128 MB
maximum_object_size_in_memory 64 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 4096 16 256
minimum_object_size 0 KB
maximum_object_size 200 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 1
emulate_httpd_log on
client_netmask 255.255.255.255
ftp_list_width 32
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880refresh_pattern .. 0 0% 0quick_abort_min 10 KB
quick_abort_max 10 KB
quick_abort_pct 2
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
connect_timeout 2 minutes
read_timeout 15 minutes
request_timeout 2 minutes
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
collapsed_forwarding on
ie_refresh on
client_lifetime 1 day
cache_effective_user proxy
visible_hostname servidor camara municipal
detect_broken_pconn on
#icp_port 0
#htcp_port 0
http_port 3128
icp_port 3130
error_directory /usr/share/squid/errors/Portuguese
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
memory_pools on
offline_mode on
coredump_dir /var/spool/squid
pipeline_prefetch on
#dns_nameservers 208.67.222.222 208.67.220.220
dns_nameservers 189.42.142.75 200.255.212.201
___________________________________________________________________________________________
#!/bin/bash
iniciar(){
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p udp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j REDIRECT --to-port 53
#saida
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 443 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 53 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3128 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 3128 -j TOS --set-tos 16
#entrada
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 53 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 443 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 3128 -j TOS --set-tos 0x10
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1935 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1437 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1126 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 5050 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 2559 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60139 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60692 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3276 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60923 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3442 -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.1.29
}
parar(){
iptables -F
iptables -t nat -F
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use os parâtros start ou stop"
esac__________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4529 (20091021) __________A mensagem foi verificada pelo ESET NOD32 Antivirus.
http://www.eset.com
--
Site da Comunidade GITEC
http://colab.interlegis.gov.br
Para pesquisar o histórico da lista visite:
http://colab.interlegis.gov.br/wiki/PesquisaListas
Para administrar sua conta visite:
http://listas.interlegis.gov.br/mailman/listinfo/gitec
------------------------------------------------------------------------------
--
Site da Comunidade GITEC
http://colab.interlegis.gov.br
Para pesquisar o histórico da lista visite:
http://colab.interlegis.gov.br/wiki/PesquisaListas
Para administrar sua conta visite:
http://listas.interlegis.gov.br/mailman/listinfo/gitec__________ Informação do ESET NOD32 Antivirus, versão da vacina 4530 (20091021) ____________________ Informa� do ESET NOD32 Antivirus, vers�da vacina 4530 (20091021) __________ -
Oct. 21, 2009, 7:02 p.m.Tá,
Me passa o retorno dos comandos ifconfig e route dos 2 servidores para eu
analisar.Abraços
Angelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #417837
2009/10/21 alexandre
>
> uso debian 4 no servidor principal e debian 5 no segundo uso proxy
> transparente nos dois ainda não é esse o caminho
>
>
> ATT
>
> alexandre
>
>
> Outra coisa interessante que me lembre.
> A versão do squid utilizada nos 2 servidores é a mesma? Sobre qual sistema
> operacional está configurado?
>
> Abraços
>
> Angelo Marcondes de Oliveira Neto.
>http://uaigeek.blogspot.com
> angelomarcondes@gmail.com
> (34) 91414287 - Linux User: #417837
>
>
> 2009/10/21 Angelo Marcondes de Oliveira Neto
>
>> Alexandre,
>>
>> Experimente desativar o firewall e o squid e tentar navegar em seu segundo
>> servidor.
>> Caso não navegue, tente setar DNS e Gateway.
>> Outro teste que você pode fazer é na sua segunda rede setar o proxy do seu
>> segundo servidor direto e ver se navega.
>>
>> Fico no aguardo de repostas.
>>
>> Att
>>
>>
>> Angelo Marcondes de Oliveira Neto.
>>http://uaigeek.blogspot.com
>> angelomarcondes@gmail.com
>> (34) 91414287 - Linux User: #417837
>>
>>
>> 2009/10/21 alexandre
>>
>>> estou com problema: tenho um servidor rodando o squid e o iptables que
>>> recebe o link da internet e repassa para os usuários o ip 192.168.1.0/24mascara 255.255.255.0 gateway 192.168.1.1. Aí
>>> dentro dessa rede tenho outro servidor que recebe o ip de entrada
>>> 192.168.1.10 e repassa para os usuários 192.168.2.0/24. Se eu
>>> desabilitar o iptables der aqueles 3 comandos somente para navegar funciona
>>> estou quebrando a cabeça e não acho o erro segue meu iptables e meu
>>> squid, uso as mesmas regras nos dois somente ajustando os ips e interfaces.
>>>
>>> auth_param basic children 5
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>> #acl chefe src 192.168.2.10/255.255.255.255
>>> #acl horario2 time SMTWHFA 00:00-24:00
>>> #http_access allow chefe horario2
>>> #acl funcionario src 192.168.2.0/24
>>> #acl horario1 time SMTWHFA 7:30-12:00
>>> #http_access deny funcionario horario1
>>> #acl dpc2 src 192.168.2..10/255.255.255.255
>>> #reply_body_max_size 9999999999 deny dpc2
>>> #acl tamanho src 192.168.2.0/24
>>> #reply_body_max_size 20971520 deny tamanho
>>> acl REDE_CLIENTES src 192.168.1.0/24
>>> acl DOWNLOADS url_regex -i ..zip .exe .bz .bz2 .avi .iso .mp3 .dll .mpg
>>> .flv .mpeg .mov .asf .rmvb .rm ..mpe$
>>> acl PAGINAS url_regex -i .htm .html .xhtml .gif .jpeg .swf .js .jar ..php
>>> .asp .ccs .jpg .png .ico .swf .aspx .jsp .bmp .cfg .ajs .txt ..$
>>> delay_pools 2
>>> delay_class 1 2
>>> delay_parameters 1 -1/-1 -1/-1
>>> delay_access 1 allow PAGINAS !DOWNLOADS
>>> delay_class 2 2
>>> delay_parameters 2 50000/50000 50000/50000
>>> delay_access 2 allow DOWNLOADS
>>> acl rede src 192.168.1.0/255.255.255.0
>>> acl pc1 src 192.168.1.9/255.255.255.255
>>> acl pc2 src 192.168.1.10/255.255.255.255
>>> acl pc3 src 192.168.1.20/255.255.255.255
>>> acl pc4 src 192.168.1..87/255.255.255.255
>>> acl all src 192.168.1.0/255.255.255.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>> #windows update windows xp
>>> refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200
>>> reload-into-ims
>>> refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100%
>>> 43200 reload-into-ims
>>> refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200
>>> reload-into-ims
>>> refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320
>>> 100% 43200 reload-into-ims
>>> #windows update windows vista
>>> refresh_pattern download..windowsupdate.com/.*\.(cab|exe|dll|msi)
>>> 4320 100% 43200 reload-into-ims
>>> refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100%
>>> 43200 reload-into-ims
>>> acl negado url_regex "/etc/squid/negado.txt"
>>> acl liberado url_regex "/etc/squid/liberado.txt"
>>> http_access allow pc1
>>> http_access allow pc2
>>> http_access allow pc3
>>> http_access allow pc4
>>> http_access allow liberado rede
>>> http_access deny negado rede
>>> http_access allow rede !negado
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost
>>> http_access deny all
>>> http_reply_access allow all
>>> icp_access allow localhost
>>> #icp_access deny all
>>> icp_access allow all
>>> http_port 192.168.1.1:3128 transparent
>>> #zph_mode tos
>>> #zph_local 0x02
>>> #zph_parent 0
>>> #zph_option 136
>>> acl sem_cache url_regex "/etc/squid/sem_cache.txt" \?
>>> no_cache deny sem_cache
>>> hierarchy_stoplist cgi-bin ? .asp .aspx #.php
>>> acl QUERY urlpath_regex cgi-bin \? .asp .aspx #.php
>>> no_cache deny QUERY
>>> cache_mem 128 MB
>>> maximum_object_size_in_memory 64 KB
>>> cache_replacement_policy heap LFUDA
>>> memory_replacement_policy heap GDSF
>>> cache_dir ufs /var/spool/squid 4096 16 256
>>> minimum_object_size 0 KB
>>> maximum_object_size 200 MB
>>> cache_swap_low 90
>>> cache_swap_high 95
>>> access_log /var/log/squid/access.log squid
>>> cache_log /var/log/squid/cache.log
>>> cache_store_log /var/log/squid/store.log
>>> logfile_rotate 1
>>> emulate_httpd_log on
>>> client_netmask 255.255.255.255
>>> ftp_list_width 32
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
>>> refresh_pattern .. 0 0% 0
>>> quick_abort_min 10 KB
>>> quick_abort_max 10 KB
>>> quick_abort_pct 2
>>> negative_ttl 5 minutes
>>> positive_dns_ttl 6 hours
>>> negative_dns_ttl 1 minute
>>> connect_timeout 2 minutes
>>> read_timeout 15 minutes
>>> request_timeout 2 minutes
>>> acl apache rep_header Server ^Apache
>>> broken_vary_encoding allow apache
>>> collapsed_forwarding on
>>> ie_refresh on
>>> client_lifetime 1 day
>>> cache_effective_user proxy
>>> visible_hostname servidor camara municipal
>>> detect_broken_pconn on
>>> #icp_port 0
>>> #htcp_port 0
>>> http_port 3128
>>> icp_port 3130
>>> error_directory /usr/share/squid/errors/Portuguese
>>> ipcache_size 1024
>>> ipcache_low 90
>>> ipcache_high 95
>>> fqdncache_size 1024
>>> memory_pools on
>>> offline_mode on
>>> coredump_dir /var/spool/squid
>>> pipeline_prefetch on
>>> #dns_nameservers 208.67.222.222 208.67.220.220
>>> dns_nameservers 189.42.142.75 200.255.212.201
>>>
>>> ___________________________________________________________________________________________
>>>
>>>
>>> #!/bin/bash
>>>
>>> iniciar(){
>>>
>>> modprobe iptable_nat
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port
>>> 3128
>>> iptables -t nat -A PREROUTING -p udp --dport 80 -j REDIRECT --to-port
>>> 3128
>>> #iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j
>>> REDIRECT --to-port 53
>>> #saida
>>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos
>>> 16
>>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 443 -j TOS --set-tos
>>> 16
>>> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 53 -j TOS --set-tos
>>> 16
>>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3128 -j TOS --set-tos
>>> 16
>>> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 3128 -j TOS --set-tos
>>> 16
>>> #entrada
>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j TOS
>>> --set-tos 0x10
>>> iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 53 -j TOS
>>> --set-tos 0x10
>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 443 -j TOS
>>> --set-tos 0x10
>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j TOS
>>> --set-tos 0x10
>>> iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 3128 -j TOS
>>> --set-tos 0x10
>>> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>>> iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
>>> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s
>>> -j ACCEPT
>>> iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
>>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
>>> --limit 1/s -j ACCEPT
>>> iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1935 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1437 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1126 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 5050 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 2559 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60139 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60692 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3276 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60923 -j DROP
>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3442 -j DROP
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to
>>> 192.168.1.29
>>> }
>>>
>>> parar(){
>>> iptables -F
>>> iptables -t nat -F
>>> }
>>>
>>> case "$1" in
>>> "start") iniciar ;;
>>> "stop") parar ;;
>>> "restart") parar; iniciar ;;
>>> *) echo "Use os parâtros start ou stop"
>>> esac
>>>
>>>
>>> __________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4529
>>> (20091021) __________
>>>
>>> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>>>
>>>http://www.eset.com
>>>
>>> --
>>> Site da Comunidade GITEC
>>>http://colab.interlegis.gov.br
>>>
>>> Para pesquisar o histórico da lista visite:
>>>http://colab.interlegis.gov.br/wiki/PesquisaListas
>>>
>>> Para administrar sua conta visite:
>>>http://listas.interlegis.gov.br/mailman/listinfo/gitec
>>>
>>
>>
> ------------------------------
>
> --
> Site da Comunidade GITEC
>http://colab.interlegis.gov.br
>
> Para pesquisar o histórico da lista visite:
>http://colab.interlegis.gov.br/wiki/PesquisaListas
>
> Para administrar sua conta visite:
>http://listas.interlegis.gov.br/mailman/listinfo/gitec
>
>
> __________ Informação do ESET NOD32 Antivirus, versão da vacina 4530
> (20091021) __________
>
> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>
>http://www.eset.com
>
>
>
> __________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4530
> (20091021) __________
>
> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>
>http://www.eset.com
>
> --
> Site da Comunidade GITEC
>http://colab.interlegis.gov.br
>
> Para pesquisar o histórico da lista visite:
>http://colab.interlegis.gov.br/wiki/PesquisaListas
>
> Para administrar sua conta visite:
>http://listas.interlegis.gov.br/mailman/listinfo/gitec
> -
Alexandre
Oct. 21, 2009, 7:22 p.m."server 2"
eth0 Link encap:Ethernet Endereço de HW 00:07:95:1a:79:43
inet end.: 192.168.2.1 Bcast:192.168.255.255 Masc:255.255.0.0
endereço inet6: fe80::207:95ff:fe1a:7943/64 Escopo:Link
UP BROADCASTMULTICAST MTU:1500 Métrica:1
RX packets:1122 errors:0 dropped:0 overruns:0 frame:0
TX packets:888 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:109683 (107.1 KiB) TX bytes:132720 (129.6 KiB)
IRQ:10 Endereço de E/S:0xde00
eth1 Link encap:Ethernet Endereço de HW e2:20:03:32:03:ab
inet end.: 192.168.1.10 Bcast:192.168.1.255 Masc:255.255.255.0
endereço inet6: fe80::e020:3ff:fe32:3ab/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:1293 errors:0 dropped:0 overruns:0 frame:0
TX packets:400 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:100394 (98.0 KiB) TX bytes:58887 (57.5 KiB)
IRQ:11 Endereço de E/S:0xdc00
lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACKRUNNING MTU:16436 Métrica:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:0
RX bytes:560 (560.0 B) TX bytes:560 (560.0 B)
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Ifac e
localnet * 255.255.255.0 U 0 0 0 eth1
192.168.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
___________________________________________________________________
"server 1"
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Ifac e
192.168.100.0 * 255.255.255.0 U 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1
default 192.168.100.1 0.0.0.0 UG 0 0 0 eth0
eth0 Encapsulamento do Link: Ethernet Endereço de HW 00:07:95:13:D2:85
inet end.: 192.168.100.2 Bcast:192.168.100.255 Masc:255.255.255.0
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:11302356 errors:0 dropped:0 overruns:0 frame:0
TX packets:10172009 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:1934587937 (1.8 GiB) TX bytes:1820926989 (1.6 GiB)
IRQ:9 Endereço de E/S:0xdc00
eth1 Encapsulamento do Link: Ethernet Endereço de HW 00:08:54:30:B2:5F
inet end.: 192.168.1.1 Bcast:192.168.1.255 Masc:255.255.255.0
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:9939934 errors:0 dropped:0 overruns:0 frame:0
TX packets:14244333 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:1683452497 (1.5 GiB) TX bytes:2451200903 (2.2 GiB)
IRQ:5 Endereço de E/S:0xda00
lo Encapsulamento do Link: Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
UP LOOPBACKRUNNING MTU:16436 Métrica:1
RX packets:704 errors:0 dropped:0 overruns:0 frame:0
TX packets:704 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:0
RX bytes:674882 (659.0 KiB) TX bytes:674882 (659.0 KiB)
no server 2 placa de internet é a eth1 no server 1 é a eth0
----- Original Message -----
From: Angelo Marcondes de Oliveira Neto
To: Grupo Interlegis de Tecnologia
Sent: Wednesday, October 21, 2009 4:51 PM
Subject: Re: [gitec] problema squid e iptables com sub redeTá,Me passa o retorno dos comandos ifconfig e route dos 2 servidores para eu analisar.Abraços
Angelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #417837
2009/10/21 alexandre
uso debian 4 no servidor principal e debian 5 no segundo uso proxy transparente nos dois ainda não é esse o caminho
ATT
alexandre
Outra coisa interessante que me lembre.
A versão do squid utilizada nos 2 servidores é a mesma? Sobre qual sistema operacional está configurado?
Abraços
Angelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #417837
2009/10/21 Angelo Marcondes de Oliveira Neto
Alexandre,
Experimente desativar o firewall e o squid e tentar navegar em seu segundo servidor.
Caso não navegue, tente setar DNS e Gateway.
Outro teste que você pode fazer é na sua segunda rede setar o proxy do seu segundo servidor direto e ver se navega.
Fico no aguardo de repostas.
Att
Angelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #417837
2009/10/21 alexandre
estou com problema: tenho um servidor rodando o squid e o iptables que recebe o link da internet e repassa para os usuários o ip 192.168.1.0/24 mascara 255.255.255.0 gateway 192.168.1.1.
Aí dentro dessa rede tenho outro servidor que recebe o ip de entrada 192.168.1.10 e repassa para os usuários 192.168.2.0/24. Se eu desabilitar o iptables der aqueles 3 comandos somente para navegar funciona
estou quebrando a cabeça e não acho o erro segue meu iptables e meu squid, uso as mesmas regras nos dois somente ajustando os ips e interfaces.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#acl chefe src 192.168.2.10/255.255.255.255
#acl horario2 time SMTWHFA 00:00-24:00
#http_access allow chefe horario2
#acl funcionario src 192.168.2.0/24
#acl horario1 time SMTWHFA 7:30-12:00
#http_access deny funcionario horario1
#acl dpc2 src 192.168.2..10/255.255.255.255
#reply_body_max_size 9999999999 deny dpc2
#acl tamanho src 192.168.2.0/24
#reply_body_max_size 20971520 deny tamanho
acl REDE_CLIENTES src 192.168.1.0/24
acl DOWNLOADS url_regex -i ..zip .exe .bz .bz2 .avi .iso .mp3 .dll .mpg .flv .mpeg .mov .asf .rmvb .rm ..mpe$acl PAGINAS url_regex -i .htm .html .xhtml .gif .jpeg .swf ..js .jar ..php .asp .ccs .jpg .png .ico .swf .aspx .jsp .bmp .cfg .ajs .txt ..$delay_pools 2
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow PAGINAS !DOWNLOADS
delay_class 2 2
delay_parameters 2 50000/50000 50000/50000
delay_access 2 allow DOWNLOADS
acl rede src 192.168.1.0/255.255.255.0
acl pc1 src 192.168.1.9/255.255.255.255
acl pc2 src 192.168.1.10/255.255.255.255
acl pc3 src 192.168.1.20/255.255.255.255
acl pc4 src 192.168.1..87/255.255.255.255
acl all src 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#windows update windows xp
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
#windows update windows vista
refresh_pattern download..windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
acl negado url_regex "/etc/squid/negado.txt"
acl liberado url_regex "/etc/squid/liberado.txt"
http_access allow pc1
http_access allow pc2
http_access allow pc3
http_access allow pc4
http_access allow liberado rede
http_access deny negado rede
http_access allow rede !negado
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow localhost
#icp_access deny all
icp_access allow all
http_port 192.168.1.1:3128 transparent
#zph_mode tos
#zph_local 0x02
#zph_parent 0
#zph_option 136
acl sem_cache url_regex "/etc/squid/sem_cache.txt" \?
no_cache deny sem_cache
hierarchy_stoplist cgi-bin ? .asp .aspx #.php
acl QUERY urlpath_regex cgi-bin \? .asp .aspx #.php
no_cache deny QUERY
cache_mem 128 MB
maximum_object_size_in_memory 64 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 4096 16 256
minimum_object_size 0 KB
maximum_object_size 200 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 1
emulate_httpd_log on
client_netmask 255.255.255.255
ftp_list_width 32
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern .. 0 0% 0
quick_abort_min 10 KB
quick_abort_max 10 KB
quick_abort_pct 2
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
connect_timeout 2 minutes
read_timeout 15 minutes
request_timeout 2 minutes
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
collapsed_forwarding on
ie_refresh on
client_lifetime 1 day
cache_effective_user proxy
visible_hostname servidor camara municipal
detect_broken_pconn on
#icp_port 0
#htcp_port 0
http_port 3128
icp_port 3130
error_directory /usr/share/squid/errors/Portuguese
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
memory_pools on
offline_mode on
coredump_dir /var/spool/squid
pipeline_prefetch on
#dns_nameservers 208.67.222.222 208.67.220.220
dns_nameservers 189.42.142.75 200.255.212.201
___________________________________________________________________________________________
#!/bin/bash
iniciar(){
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p udp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j REDIRECT --to-port 53
#saida
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 443 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 53 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3128 -j TOS --set-tos 16
iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 3128 -j TOS --set-tos 16
#entrada
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 53 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 443 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 3128 -j TOS --set-tos 0x10
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1935 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1437 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1126 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 5050 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 2559 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60139 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60692 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3276 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60923 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 3442 -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.1.29
}
parar(){
iptables -F
iptables -t nat -F
}
case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use os parâtros start ou stop"
esac
__________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4529 (20091021) __________
A mensagem foi verificada pelo ESET NOD32 Antivirus.
http://www.eset.com
--
Site da Comunidade GITEC
http://colab.interlegis.gov.br
Para pesquisar o histórico da lista visite:
http://colab.interlegis.gov.br/wiki/PesquisaListas
Para administrar sua conta visite:
http://listas.interlegis.gov.br/mailman/listinfo/gitec
--------------------------------------------------------------------------
--
Site da Comunidade GITEC
http://colab.interlegis.gov.br
Para pesquisar o histórico da lista visite:
http://colab.interlegis.gov.br/wiki/PesquisaListas
Para administrar sua conta visite:
http://listas.interlegis.gov.br/mailman/listinfo/gitec
__________ Informação do ESET NOD32 Antivirus, versão da vacina 4530 (20091021) __________
A mensagem foi verificada pelo ESET NOD32 Antivirus.
http://www.eset.com__________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4530 (20091021) __________A mensagem foi verificada pelo ESET NOD32 Antivirus.
http://www.eset.com
--
Site da Comunidade GITEC
http://colab.interlegis.gov.br
Para pesquisar o histórico da lista visite:
http://colab.interlegis.gov.br/wiki/PesquisaListas
Para administrar sua conta visite:
http://listas.interlegis.gov.br/mailman/listinfo/gitec
------------------------------------------------------------------------------
--
Site da Comunidade GITEC
http://colab.interlegis.gov.br
Para pesquisar o histórico da lista visite:
http://colab.interlegis.gov.br/wiki/PesquisaListas
Para administrar sua conta visite:
http://listas.interlegis.gov.br/mailman/listinfo/gitec
__________ Informação do ESET NOD32 Antivirus, versão da vacina 4530 (20091021) __________
A mensagem foi verificada pelo ESET NOD32 Antivirus.
http://www.eset.com
__________ Informa� do ESET NOD32 Antivirus, vers�da vacina 4530 (20091021) __________
A mensagem foi verificada pelo ESET NOD32 Antivirus.
http://www.eset.com -
Oct. 21, 2009, 7:38 p.m.Alexandre,Aparentemente está tudo OK.
Me responde uma coisa, o servidor 01 está navegando?
abraçosAngelo Marcondes de Oliveira Neto.
http://uaigeek.blogspot.com
angelomarcondes@gmail.com
(34) 91414287 - Linux User: #417837
2009/10/21 alexandre
> "server 2"
>
> eth0 Link encap:Ethernet Endereço de HW 00:07:95:1a:79:43
> inet end.: 192.168.2.1 Bcast:192.168.255.255 Masc:255.255.0.0
> endereço inet6: fe80::207:95ff:fe1a:7943/64 Escopo:Link
> UP BROADCASTMULTICAST MTU:1500 Métrica:1
> RX packets:1122 errors:0 dropped:0 overruns:0 frame:0
> TX packets:888 errors:0 dropped:0 overruns:0 carrier:0
> colisões:0 txqueuelen:1000
> RX bytes:109683 (107.1 KiB) TX bytes:132720 (129.6 KiB)
> IRQ:10 Endereço de E/S:0xde00
>
> eth1 Link encap:Ethernet Endereço de HW e2:20:03:32:03:ab
> inet end.: 192.168.1.10 Bcast:192.168.1.255 Masc:255.255.255.0
> endereço inet6: fe80::e020:3ff:fe32:3ab/64 Escopo:Link
> UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
> RX packets:1293 errors:0 dropped:0 overruns:0 frame:0
> TX packets:400 errors:0 dropped:0 overruns:0 carrier:0
> colisões:0 txqueuelen:1000
> RX bytes:100394 (98.0 KiB) TX bytes:58887 (57.5 KiB)
> IRQ:11 Endereço de E/S:0xdc00
>
> lo Link encap:Loopback Local
> inet end.: 127.0.0.1 Masc:255.0.0.0
> endereço inet6: ::1/128 Escopo:Máquina
> UP LOOPBACKRUNNING MTU:16436 Métrica:1
> RX packets:8 errors:0 dropped:0 overruns:0 frame:0
> TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
> colisões:0 txqueuelen:0
> RX bytes:560 (560.0 B) TX bytes:560 (560.0 B)
>
> Tabela de Roteamento IP do Kernel
> Destino Roteador MáscaraGen. Opções Métrica Ref Uso
> Ifac
> e
> localnet * 255.255.255.0 U 0 0 0
> eth1
> 192.168.0.0 * 255.255.0.0 U 0 0 0
> eth0
> default 192.168.1.1 0.0.0.0 UG 0 0 0
> eth1
> ___________________________________________________________________
>
>
> "server 1"
>
> Tabela de Roteamento IP do Kernel
> Destino Roteador MáscaraGen. Opções Métrica Ref Uso
> Ifac
> e
> 192.168.100.0 * 255.255.255.0 U 0 0 0
> eth0
> localnet * 255.255.255.0 U 0 0 0
> eth1
> default 192.168.100.1 0.0.0.0 UG 0 0 0
> eth0
> eth0 Encapsulamento do Link: Ethernet Endereço de HW
> 00:07:95:13:D2:85
> inet end.: 192.168.100.2 Bcast:192.168.100.255
> Masc:255.255.255.0
> UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
> RX packets:11302356 errors:0 dropped:0 overruns:0 frame:0
> TX packets:10172009 errors:0 dropped:0 overruns:0 carrier:0
> colisões:0 txqueuelen:1000
> RX bytes:1934587937 (1.8 GiB) TX bytes:1820926989 (1.6 GiB)
> IRQ:9 Endereço de E/S:0xdc00
>
> eth1 Encapsulamento do Link: Ethernet Endereço de HW
> 00:08:54:30:B2:5F
> inet end.: 192.168.1.1 Bcast:192.168.1.255 Masc:255.255.255.0
> UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
> RX packets:9939934 errors:0 dropped:0 overruns:0 frame:0
> TX packets:14244333 errors:0 dropped:0 overruns:0 carrier:0
> colisões:0 txqueuelen:1000
> RX bytes:1683452497 (1.5 GiB) TX bytes:2451200903 (2.2 GiB)
> IRQ:5 Endereço de E/S:0xda00
>
> lo Encapsulamento do Link: Loopback Local
> inet end.: 127.0.0.1 Masc:255.0.0.0
> UP LOOPBACKRUNNING MTU:16436 Métrica:1
> RX packets:704 errors:0 dropped:0 overruns:0 frame:0
> TX packets:704 errors:0 dropped:0 overruns:0 carrier:0
> colisões:0 txqueuelen:0
> RX bytes:674882 (659.0 KiB) TX bytes:674882 (659.0 KiB)
>
> no server 2 placa de internet é a eth1 no server 1 é a eth0
>
> ----- Original Message -----
> *From:* Angelo Marcondes de Oliveira Neto
> *To:* Grupo Interlegis de Tecnologia
> *Sent:* Wednesday, October 21, 2009 4:51 PM
> *Subject:* Re: [gitec] problema squid e iptables com sub rede
>
> Tá,
>
> Me passa o retorno dos comandos ifconfig e route dos 2 servidores para eu
> analisar.
>
> Abraços
>
> Angelo Marcondes de Oliveira Neto.
>http://uaigeek.blogspot.com
> angelomarcondes@gmail.com
> (34) 91414287 - Linux User: #417837
>
>
> 2009/10/21 alexandre
>
>>
>> uso debian 4 no servidor principal e debian 5 no segundo uso proxy
>> transparente nos dois ainda não é esse o caminho
>>
>>
>> ATT
>>
>> alexandre
>>
>>
>> Outra coisa interessante que me lembre.
>> A versão do squid utilizada nos 2 servidores é a mesma? Sobre qual sistema
>> operacional está configurado?
>>
>> Abraços
>>
>> Angelo Marcondes de Oliveira Neto.
>>http://uaigeek.blogspot.com
>> angelomarcondes@gmail.com
>> (34) 91414287 - Linux User: #417837
>>
>>
>> 2009/10/21 Angelo Marcondes de Oliveira Neto
>>
>>> Alexandre,
>>>
>>> Experimente desativar o firewall e o squid e tentar navegar em seu
>>> segundo servidor.
>>> Caso não navegue, tente setar DNS e Gateway.
>>> Outro teste que você pode fazer é na sua segunda rede setar o proxy do
>>> seu segundo servidor direto e ver se navega.
>>>
>>> Fico no aguardo de repostas.
>>>
>>> Att
>>>
>>>
>>> Angelo Marcondes de Oliveira Neto.
>>>http://uaigeek.blogspot.com
>>> angelomarcondes@gmail.com
>>> (34) 91414287 - Linux User: #417837
>>>
>>>
>>> 2009/10/21 alexandre
>>>
>>>> estou com problema: tenho um servidor rodando o squid e o iptables
>>>> que recebe o link da internet e repassa para os usuários o ip
>>>> 192.168.1.0/24 mascara 255.255.255.0 gateway 192.168.1.1. Aí dentro
>>>> dessa rede tenho outro servidor que recebe o ip de entrada 192.168.1.10 e
>>>> repassa para os usuários 192.168.2.0/24. Se eu desabilitar o iptables
>>>> der aqueles 3 comandos somente para navegar funciona
>>>> estou quebrando a cabeça e não acho o erro segue meu iptables e meu
>>>> squid, uso as mesmas regras nos dois somente ajustando os ips e interfaces.
>>>>
>>>> auth_param basic children 5
>>>> auth_param basic realm Squid proxy-caching web server
>>>> auth_param basic credentialsttl 2 hours
>>>> #acl chefe src 192.168.2.10/255.255.255.255
>>>> #acl horario2 time SMTWHFA 00:00-24:00
>>>> #http_access allow chefe horario2
>>>> #acl funcionario src 192.168.2.0/24
>>>> #acl horario1 time SMTWHFA 7:30-12:00
>>>> #http_access deny funcionario horario1
>>>> #acl dpc2 src 192.168.2..10/255.255.255.255
>>>> #reply_body_max_size 9999999999 deny dpc2
>>>> #acl tamanho src 192.168.2.0/24
>>>> #reply_body_max_size 20971520 deny tamanho
>>>> acl REDE_CLIENTES src 192.168.1.0/24
>>>> acl DOWNLOADS url_regex -i ..zip .exe .bz .bz2 .avi .iso .mp3 .dll .mpg
>>>> .flv .mpeg .mov .asf .rmvb .rm ..mpe$
>>>> acl PAGINAS url_regex -i .htm .html .xhtml .gif .jpeg .swf ..js .jar
>>>> ..php .asp .ccs .jpg .png .ico .swf .aspx .jsp .bmp .cfg .ajs .txt ..$
>>>> delay_pools 2
>>>> delay_class 1 2
>>>> delay_parameters 1 -1/-1 -1/-1
>>>> delay_access 1 allow PAGINAS !DOWNLOADS
>>>> delay_class 2 2
>>>> delay_parameters 2 50000/50000 50000/50000
>>>> delay_access 2 allow DOWNLOADS
>>>> acl rede src 192.168.1.0/255.255.255.0
>>>> acl pc1 src 192.168.1.9/255.255.255.255
>>>> acl pc2 src 192.168.1.10/255.255.255.255
>>>> acl pc3 src 192.168.1.20/255.255.255.255
>>>> acl pc4 src 192.168.1..87/255.255.255.255
>>>> acl all src 192.168.1.0/255.255.255.0
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> #windows update windows xp
>>>> refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100%
>>>> 43200 reload-into-ims
>>>> refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100%
>>>> 43200 reload-into-ims
>>>> refresh_pattern www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100%
>>>> 43200 reload-into-ims
>>>> refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi)
>>>> 4320 100% 43200 reload-into-ims
>>>> #windows update windows vista
>>>> refresh_pattern download..windowsupdate.com/.*\.(cab|exe|dll|msi)
>>>> 4320 100% 43200 reload-into-ims
>>>> refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100%
>>>> 43200 reload-into-ims
>>>> acl negado url_regex "/etc/squid/negado.txt"
>>>> acl liberado url_regex "/etc/squid/liberado.txt"
>>>> http_access allow pc1
>>>> http_access allow pc2
>>>> http_access allow pc3
>>>> http_access allow pc4
>>>> http_access allow liberado rede
>>>> http_access deny negado rede
>>>> http_access allow rede !negado
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localhost
>>>> http_access deny all
>>>> http_reply_access allow all
>>>> icp_access allow localhost
>>>> #icp_access deny all
>>>> icp_access allow all
>>>> http_port 192.168.1.1:3128 transparent
>>>> #zph_mode tos
>>>> #zph_local 0x02
>>>> #zph_parent 0
>>>> #zph_option 136
>>>> acl sem_cache url_regex "/etc/squid/sem_cache.txt" \?
>>>> no_cache deny sem_cache
>>>> hierarchy_stoplist cgi-bin ? .asp .aspx #.php
>>>> acl QUERY urlpath_regex cgi-bin \? .asp .aspx #.php
>>>> no_cache deny QUERY
>>>> cache_mem 128 MB
>>>> maximum_object_size_in_memory 64 KB
>>>> cache_replacement_policy heap LFUDA
>>>> memory_replacement_policy heap GDSF
>>>> cache_dir ufs /var/spool/squid 4096 16 256
>>>> minimum_object_size 0 KB
>>>> maximum_object_size 200 MB
>>>> cache_swap_low 90
>>>> cache_swap_high 95
>>>> access_log /var/log/squid/access.log squid
>>>> cache_log /var/log/squid/cache.log
>>>> cache_store_log /var/log/squid/store.log
>>>> logfile_rotate 1
>>>> emulate_httpd_log on
>>>> client_netmask 255.255.255.255
>>>> ftp_list_width 32
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
>>>> refresh_pattern .. 0 0% 0
>>>> quick_abort_min 10 KB
>>>> quick_abort_max 10 KB
>>>> quick_abort_pct 2
>>>> negative_ttl 5 minutes
>>>> positive_dns_ttl 6 hours
>>>> negative_dns_ttl 1 minute
>>>> connect_timeout 2 minutes
>>>> read_timeout 15 minutes
>>>> request_timeout 2 minutes
>>>> acl apache rep_header Server ^Apache
>>>> broken_vary_encoding allow apache
>>>> collapsed_forwarding on
>>>> ie_refresh on
>>>> client_lifetime 1 day
>>>> cache_effective_user proxy
>>>> visible_hostname servidor camara municipal
>>>> detect_broken_pconn on
>>>> #icp_port 0
>>>> #htcp_port 0
>>>> http_port 3128
>>>> icp_port 3130
>>>> error_directory /usr/share/squid/errors/Portuguese
>>>> ipcache_size 1024
>>>> ipcache_low 90
>>>> ipcache_high 95
>>>> fqdncache_size 1024
>>>> memory_pools on
>>>> offline_mode on
>>>> coredump_dir /var/spool/squid
>>>> pipeline_prefetch on
>>>> #dns_nameservers 208.67.222.222 208.67.220.220
>>>> dns_nameservers 189.42.142.75 200.255.212.201
>>>>
>>>> ___________________________________________________________________________________________
>>>>
>>>>
>>>> #!/bin/bash
>>>>
>>>> iniciar(){
>>>>
>>>> modprobe iptable_nat
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port
>>>> 3128
>>>> iptables -t nat -A PREROUTING -p udp --dport 80 -j REDIRECT --to-port
>>>> 3128
>>>> #iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp --dport 53 -j
>>>> REDIRECT --to-port 53
>>>> #saida
>>>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j TOS --set-tos
>>>> 16
>>>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 443 -j TOS --set-tos
>>>> 16
>>>> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 53 -j TOS --set-tos
>>>> 16
>>>> iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3128 -j TOS
>>>> --set-tos 16
>>>> iptables -t mangle -A OUTPUT -o eth1 -p udp --dport 3128 -j TOS
>>>> --set-tos 16
>>>> #entrada
>>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 80 -j TOS
>>>> --set-tos 0x10
>>>> iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 53 -j TOS
>>>> --set-tos 0x10
>>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 443 -j TOS
>>>> --set-tos 0x10
>>>> iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 3128 -j TOS
>>>> --set-tos 0x10
>>>> iptables -t mangle -A PREROUTING -i eth1 -p udp --sport 3128 -j TOS
>>>> --set-tos 0x10
>>>> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>>>> iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
>>>> iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit
>>>> 1/s -j ACCEPT
>>>> iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
>>>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
>>>> --limit 1/s -j ACCEPT
>>>> iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1935 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1437 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 1126 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 5050 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 2559 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60139 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp
>>>> --dport 60692 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp
>>>> --dport 3276 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 60923 -j DROP
>>>> iptables -I FORWARD -s 192.168.1.0/24 -p tcp
>>>> --dport 3442 -j DROP
>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to
>>>> 192.168.1.29
>>>> }
>>>>
>>>> parar(){
>>>> iptables -F
>>>> iptables -t nat -F
>>>> }
>>>>
>>>> case "$1" in
>>>> "start") iniciar ;;
>>>> "stop") parar ;;
>>>> "restart") parar; iniciar ;;
>>>> *) echo "Use os parâtros start ou stop"
>>>> esac
>>>>
>>>>
>>>> __________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4529
>>>> (20091021) __________
>>>>
>>>> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>>>>
>>>>http://www.eset.com
>>>>
>>>> --
>>>> Site da Comunidade GITEC
>>>>http://colab.interlegis.gov.br
>>>>
>>>> Para pesquisar o histórico da lista visite:
>>>>http://colab.interlegis.gov.br/wiki/PesquisaListas
>>>>
>>>> Para administrar sua conta visite:
>>>>http://listas.interlegis.gov.br/mailman/listinfo/gitec
>>>>
>>>
>>>
>> ------------------------------
>>
>> --
>> Site da Comunidade GITEC
>>http://colab.interlegis.gov.br
>>
>> Para pesquisar o histórico da lista visite:
>>http://colab.interlegis.gov.br/wiki/PesquisaListas
>>
>> Para administrar sua conta visite:
>>http://listas.interlegis.gov.br/mailman/listinfo/gitec
>>
>>
>> __________ Informação do ESET NOD32 Antivirus, versão da vacina 4530
>> (20091021) __________
>>
>> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>>
>>http://www.eset.com
>>
>>
>>
>> __________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4530
>> (20091021) __________
>>
>> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>>
>>http://www.eset.com
>>
>> --
>> Site da Comunidade GITEC
>>http://colab.interlegis.gov.br
>>
>> Para pesquisar o histórico da lista visite:
>>http://colab.interlegis.gov.br/wiki/PesquisaListas
>>
>> Para administrar sua conta visite:
>>http://listas.interlegis.gov.br/mailman/listinfo/gitec
>>
>
> ------------------------------
>
> --
> Site da Comunidade GITEC
>http://colab.interlegis.gov.br
>
> Para pesquisar o histórico da lista visite:
>http://colab.interlegis.gov.br/wiki/PesquisaListas
>
> Para administrar sua conta visite:
>http://listas.interlegis.gov.br/mailman/listinfo/gitec
>
>
> __________ Informação do ESET NOD32 Antivirus, versão da vacina 4530
> (20091021) __________
>
> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>
>http://www.eset.com
>
>
>
> __________ Informa�ão do ESET NOD32 Antivirus, versão da vacina 4530
> (20091021) __________
>
> A mensagem foi verificada pelo ESET NOD32 Antivirus.
>
>http://www.eset.com
>
> --
> Site da Comunidade GITEC
>http://colab.interlegis.gov.br
>
> Para pesquisar o histórico da lista visite:
>http://colab.interlegis.gov.br/wiki/PesquisaListas
>
> Para administrar sua conta visite:
>http://listas.interlegis.gov.br/mailman/listinfo/gitec
>