MONTANDO SERVIDOR DEBIAN
#autor: Geovane Santos
#contato: hunter_maraba01@hotmail.com
#local: maraba
#data:03-06-2010
#
#esse tutorial é destinado a quem gostaria de montar um pequeno servidor de internet para compartilhar a conexão no trabalho ou entre vizinhos,
#bastando apenas descomentar certas linhas e comentar outras; muito simples, não?
#considero nesse tutorial que vc tenha algum conhecimento em linux
#squid + proxy transparent ou default(squid) + controle de banda
#
#baixe a autima distribuição estavel do squid em:
#
#http://www.squid-cache.org/Versions/v3/3.0/
#http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE19.tar.gz
#
#squid-3.0.STABLE19
#
#sempre usar uma versão estável (testada e funcional) e que ainda receba correções de segurança,
#pra não correr o risco de instalar uma versão com falhas conhecidas; a 3.0.STABLE19 citada acima já é antiga, confira a versão estável atual em squid-cache.org
#
#instalção no debian 4.0r3 full em dvd de preferencia por conter varios pacotes
#sem precisar baixar da internet conexoes lentas aki no sul do para
#abrir o shell
#
#o squid vai rodar sob esse usuario squid pra ter uma melhor segurança
#
# groupadd squid #adicionar o grupo squid
# useradd -r -g squid -d /usr/local/squid -s /bin/false squid #conta de sistema para o squid, sem shell de login: o daemon nao precisa (e nao deve poder) fazer login
# wget http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE19.tar.gz #baixar o squid
# tar -xvf squid-3.0.STABLE19.tar.gz #descompactar o squid
# cd squid-3.0.STABLE19 #entrar na pasta do squid
#antes de configurar o squid instalr todas as dependencias dele
#compilador C, CPP ,GCC , LIB PERL eetc dica abra o gerenciador de pacotes synaptc do debian 4.0 etch
#coloque o DVD do debian e va instalando de acordo onde for parando o configurador
#ate que a configuracao seja feita completamente
# ./configure --enable-delay-pools --enable-cache-digests\
--enable-poll --disable-ident-lookups --enable-truncate \
--enable-removal-policies --enable-arp-acl --enable-large-files
#
#habilitar as flags para o uso de controle de banda(delay-pools)
#
# make all
# make install
# cd helpers/basic_auth/NCSA
# make
# make install
# cd ..
# cd ..
# cd ..
#
# colocar um hd ou uma particao chamada u1 no diretorio raiz (/u1) dessa forma
# exemplo de squid.conf com proxy transparent e cache separado
#
# junto ao squid e necessario o firewall ip-filter (iptables)
#
#
#apos a instalacao e necessario criar esses arquivos
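# Create the (initially empty) list files that squid.conf below refers to.
# `touch` is used instead of `> file` so that re-running this tutorial does
# not wipe lists that were already populated.
SQUID_ETC=/usr/local/squid/etc
for lista in ip_liberado ip_bloqueado site_bloqueado site_liberado \
             palavra_liberada palavra_bloqueada \
             banda64 banda128 banda256 banda300 banda400 banda512 banda1024; do
  touch -- "$SQUID_ETC/$lista"
done
# The ncsa_auth password file holds credential hashes. The auth helper runs
# as cache_effective_user (squid), so the file must be readable by the squid
# group but by nobody else. Assumes the squid group created earlier exists.
touch -- "$SQUID_ETC/passwd"
chown root:squid "$SQUID_ETC/passwd"
chmod 640 "$SQUID_ETC/passwd"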
#dica do tutorial: é só ./nome desse arquivo de texto e todo o processo será feito automaticamente pra você (observe que o trecho SQUID.CONF abaixo deve ser salvo em /usr/local/squid/etc/squid.conf, e não executado como script)
# requisitos para esse tutorial
# duas placas de rede no micro com o Debian
#eth0=192.168.0.254
#eth1= o seu ip devido nao haver regras para esse ip
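############## SQUID.CONF ########################
# Squid 3.0: transparent HTTP proxy + cache, optional NCSA basic auth and
# per-client bandwidth classes (delay pools). http_access lines are
# evaluated top-down and the first match wins.
#
# --- general settings ---
# Bare token: squid copies the next word literally, so quotes around the
# name would end up in error pages and headers.
visible_hostname squid.gdm.com.br
# "transparent" is the Squid 3.0 keyword for intercepted traffic (the
# iptables REDIRECT of TCP 80 in the firewall script). The firewall only
# accepts port 3128 on the LAN interface.
http_port 3128 transparent
# Squid is the FTP client here; active mode relies on the gateway's
# ip_conntrack_ftp module to let the server's data connection back in.
ftp_passive off
ftp_sanitycheck on
cache_mem 8 MB
maximum_object_size 1024 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 64 KB
cache_swap_low 90
cache_swap_high 95
cache_mgr hunter_maraba01@hotmail.com
# Privileges are dropped to this account after start-up; the cache and log
# directories under /u1/squid must be owned by it.
cache_effective_user squid
cache_effective_group squid
#
# --- cache and logs ---
cache_dir ufs /u1/squid/var/cache 40960 16 256
hierarchy_stoplist cgi-bin ?
access_log /u1/squid/var/logs/access.log squid
#
# --- freshness rules ---
# Aggressive caching of static content. "ignore-reload" means a client's
# forced refresh does NOT fetch a new copy: a broken or outdated installer
# (.exe/.msi/.iso ...) stays in the cache until the max age below expires.
refresh_pattern -i ^http://.*\.(css|htm|html|ico|js|jsp|xml)$ 1440 80% 999999
refresh_pattern -i ^http://.*\.(bmp|gif|jpeg|jpg|png)$ 1440 80% 999999 ignore-reload
refresh_pattern -i ^http://.*\.(ace|adt|arj|asf|avi|bin|bz2|bzip|cab|dat|dll|doc|dot|exe|fla|flv|gz|iso|lha|log|lzh|mdb|mid|mov|mp3|mpeg|mpg|msi|mso|ogg|pps|ppt|rar|rm|rtf|shs|src|sys|swf|tgz|tif|ttf|wav|wma|wri|wmv|vpu|vpaa|vqf|vob|zip)$ 43200 100% 999999 ignore-reload
# Windows Update: "reload-into-ims" turns forced reloads into conditional
# requests, so updates are revalidated with the origin instead of being
# served blindly from the cache.
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern http://www.microsoft.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern download.windowsupdate.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern update.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern msgr.dlservice.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
refresh_pattern go.microsoft.com/.*\.(cab|exe|dll|msi) 4320 100% 43200 reload-into-ims
# Defaults for everything else; dynamic content (cgi-bin, query strings)
# is never cached.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /u1/squid/var/cache
error_directory /usr/local/squid/share/errors/Portuguese/
#
# --- standard ACL definitions ---
# "all" is built in from Squid 3.1 on but must be defined in 3.0, which this
# tutorial installs; it is referenced by the deny rules below.
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Defined but not referenced by any "cache deny QUERY" line; the
# refresh_pattern above is what actually keeps dynamic content out of the cache.
acl QUERY urlpath_regex cgi-bin \?
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1863 # msn
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # swat
acl purge method PURGE
acl CONNECT method CONNECT
#
# --- authentication (optional, see the commented "allow login" below) ---
# NOTE(review): proxy authentication does not work for intercepted
# ("transparent") traffic — browsers do not answer a 407 challenge on a
# connection they believe goes straight to the origin server. To use the
# "login" ACL, clients must be configured with the proxy explicitly.
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 5
auth_param basic realm ||CPD - GDM - INFORMATICA||
auth_param basic credentialsttl 2 hours
# proxy_auth takes user names, not the password file; the original line
# feeding it the passwd file could never match and was removed.
acl login proxy_auth REQUIRED
#
# --- access policy: standard protections first ---
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Stop clients from using the proxy to reach services bound to the
# gateway's own loopback (squid's default configuration has this line too).
http_access deny to_localhost
htcp_access deny all
http_access allow purge localhost
http_access deny purge
#
# --- site rules ---
#acl local src 192.168.0.0/24 # RFC1918 possible internal network
acl ip_liberado src "/usr/local/squid/etc/ip_liberado"
#acl ip_bloqueado src "/usr/local/squid/etc/ip_bloqueado"
acl site_bloqueado url_regex -i "/usr/local/squid/etc/site_bloqueado"
#acl palavra_bloqueada dstdom_regex -i "/usr/local/squid/etc/palavra_bloqueada"
#acl palavra_liberada dstdom_regex -i "/usr/local/squid/etc/palavra_liberada"
#acl conexoes maxconn 3
#
# --- bandwidth classes: one class-2 pool per list of client addresses ---
# NOTE(review): squid warns about an ACL whose list file is empty; populate
# or comment out the classes that are not in use.
acl banda64 src "/usr/local/squid/etc/banda64"
acl banda128 src "/usr/local/squid/etc/banda128"
acl banda256 src "/usr/local/squid/etc/banda256"
acl banda300 src "/usr/local/squid/etc/banda300"
acl banda400 src "/usr/local/squid/etc/banda400"
acl banda512 src "/usr/local/squid/etc/banda512"
acl banda1024 src "/usr/local/squid/etc/banda1024"
delay_pools 7
delay_class 1 2
delay_class 2 2
delay_class 3 2
delay_class 4 2
delay_class 5 2
delay_class 6 2
delay_class 7 2
# aggregate and per-host limits, in bytes per second (64 kbit/s = 8192 B/s, ...)
delay_parameters 1 8192/8192 8192/8192
delay_parameters 2 16384/16384 16384/16384
delay_parameters 3 32768/32768 32768/32768
delay_parameters 4 38400/38400 38400/38400
delay_parameters 5 51200/51200 51200/51200
delay_parameters 6 65536/65536 65536/65536
# 1024 kbit/s = 131072 B/s; the original had a typo (132072) in the aggregate field.
delay_parameters 7 131072/131072 131072/131072
delay_access 1 allow banda64
delay_access 2 allow banda128
delay_access 3 allow banda256
delay_access 4 allow banda300
delay_access 5 allow banda400
delay_access 6 allow banda512
delay_access 7 allow banda1024
#
# --- access decision ---
http_access deny site_bloqueado
#http_access deny palavra_bloqueada !palavra_liberada
http_access allow ip_liberado
#http_access allow login
#http_access allow conexoes
# Explicit default. Squid otherwise falls back to the opposite of the last
# rule, which silently flips if the rules above are edited. Any further
# "allow" line must be inserted BEFORE this one.
http_access deny all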
################################ FIREWALL #######################################
#!/bin/bash
############################################################
# REGRAS DE FIREWALL e SQUID TRANSPARENTE
############################################################
########################################
## shell-script para facilitar
## a manutencao do servidor
## e tarefas do dia-dia (adptado a partir do guteis)
## Autor:Geovane Santos (Hunter)
## Nome do script: firewall
## Atualizado:26-05-2010
## Criado: 01-01-2008
#######################################
# Banner and interface names. Every rule below refers to the two NICs only
# through these two variables.
clear
printf '%s\n' "============================================================================"
printf ' CONFIGURACAO FIREWALL: %s \n' "$(iptables -V)"
printf '%s\n' "============================================================================"
INTERNA=eth0   # LAN side: clients use 192.168.0.254 as their gateway
EXTERNA=eth1   # upstream side (10.132.9.252 in the author's setup)
zera_regras()
{
  # Flush every rule in the filter, nat and mangle tables, delete user-defined
  # chains and reset the counters. Default policies are not touched (this
  # script never sets them, so they stay at ACCEPT).
  local tabela cadeia
  iptables -F
  for tabela in nat mangle; do
    iptables -t "$tabela" -F
  done
  iptables -X   # drop user-defined chains in the filter table
  iptables -Z   # zero packet/byte counters
  # Per-chain flush of the built-in filter chains; already empty after the
  # table-wide "-F" above, kept for parity with the original script.
  for cadeia in INPUT OUTPUT FORWARD; do
    iptables -F "$cadeia"
  done
  echo "regras zeradas...........................................[OK]"
}
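add_regras()
{
  # Populate the filter and nat tables. iptables evaluates a chain top-down
  # and the first matching rule wins, so the stateful ACCEPT rules go first
  # and the catch-all DROPs go last. Reads $INTERNA and $EXTERNA.
  local modulo porta liberado
  local lista_liberados=/usr/local/squid/etc/ip_liberado

  # Connection tracking, NAT and match/target modules. The FTP helpers are
  # what let active/passive FTP data connections through the masquerade.
  for modulo in ip_conntrack ip_conntrack_ftp ip_nat_ftp ipt_LOG ipt_REJECT \
                ipt_MASQUERADE ip_tables iptable_filter iptable_mangle \
                iptable_nat ipt_state ipt_multiport ipt_tos ipt_limit; do
    modprobe "$modulo"
  done
  echo "modulos carregados......................................[OK]"

  # Masquerade everything that leaves through the upstream interface.
  iptables -t nat -A POSTROUTING -o "$EXTERNA" -j MASQUERADE
  echo "mascaramento ativado $EXTERNA...............................[OK]"

  # Enable IPv4 forwarding between the two interfaces.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "ativado o repasse de pacotes roteamento.................[OK]"

  # Accept replies and related traffic for connections already tracked.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "conecxoes ativas mantidas...............................[OK]"

  # VNC, FTP and telnet: LAN side only. The original rules had no "-i" and
  # so also accepted these clear-text protocols on $EXTERNA; remote
  # administration from outside belongs on SSH, not telnet/VNC.
  for porta in 5800 5900 21 23; do
    iptables -A INPUT -p tcp -i "$INTERNA" --dport "$porta" -j ACCEPT
    iptables -A FORWARD -p tcp -i "$INTERNA" --dport "$porta" -j ACCEPT
  done
  echo "liberadas VNC,FTP e TELNET so pela rede $INTERNA.........[OK]"

  # no-ip update client (TCP 8245). NOTE(review): the client opens the
  # connection itself, so this INPUT rule is probably unnecessary — confirm.
  iptables -A INPUT -p tcp -i "$INTERNA" --dport 8245 -j ACCEPT
  echo "liberado no-ip..........................................[OK]"

  # ICMP echo in every direction.
  iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
  echo "liberado o ping.........................................[OK]"

  # BitTorrent listening port used inside the LAN.
  iptables -A FORWARD -p udp -i "$INTERNA" --dport 28753 -d 192.168.0.0/24 -j ACCEPT
  echo "liberado o torrent......................................[OK]"

  # Outbound SMTP/POP3 for mail clients on the LAN.
  iptables -A FORWARD -p tcp -i "$INTERNA" --dport 25 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$INTERNA" --dport 110 -j ACCEPT
  echo "liberado SMTP outlook express...........................[OK]"

  # Outbound DNS for the LAN (no resolver is exposed on the gateway itself).
  #iptables -A INPUT -p tcp -i $INTERNA --dport 53 -j ACCEPT
  #iptables -A INPUT -p udp -i $INTERNA --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp -i "$INTERNA" --dport 53 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$INTERNA" --dport 53 -j ACCEPT
  echo "liberado a passagem de DNS..............................[OK]"

  # Squid's listening port, LAN side only.
  iptables -t filter -A INPUT -i "$INTERNA" -p tcp --dport 3128 -j ACCEPT

  # Per-client exceptions (MSN and HTTPS) for the addresses in squid's
  # ip_liberado list, one address per line; blank lines and "#" comments
  # are skipped and only the first field of each line is used.
  # NOTE(review): the "-d <hostname>" rules are resolved once, when the
  # rule is loaded: if DNS is down at boot iptables rejects the rule, and
  # if the service later changes address the rule silently goes stale.
  if [ -r "$lista_liberados" ]; then
    while read -r liberado _ || [ -n "$liberado" ]; do
      case $liberado in ''|\#*) continue ;; esac
      iptables -A FORWARD -s "$liberado" -p tcp --dport 1863 -j ACCEPT
      iptables -A FORWARD -s "$liberado" -d loginnet.passport.com -j ACCEPT
      iptables -A FORWARD -s "$liberado" -d 64.4.13.0/24 -j ACCEPT
      iptables -A FORWARD -s "$liberado" -d login.live.com -j ACCEPT
      iptables -A FORWARD -s "$liberado" -d login.passport.com -j ACCEPT
      iptables -A FORWARD -s "$liberado" -d gateway.messenger.hotmail.com -j ACCEPT
      echo "liberado $liberado ................................[OK]"
      # HTTPS (orkut) straight through NAT for the same hosts; the INPUT
      # rule also lets them reach TCP 443 on the gateway itself.
      iptables -A FORWARD -p tcp -s "$liberado" --dport 443 -j ACCEPT
      iptables -A INPUT -p tcp -s "$liberado" --dport 443 -j ACCEPT
      echo "liberado orkut para $liberado ..........................[OK]"
    done < "$lista_liberados"
  else
    echo "aviso: $lista_liberados nao encontrado, nenhum IP liberado" >&2
  fi
  echo "liberado MSN............................................[OK]"
  echo "liberado orkut..........................................[OK]"

  # Loopback.
  iptables -A INPUT -i lo -j ACCEPT
  echo "liberado o loopback.....................................[OK]"

  # Flood / portscan mitigation. All of these are commented out, so NOTHING
  # of the kind is active; the original script printed an "[OK]" here anyway.
  #iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  #iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
  #iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  #iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

  # Caixa "Conectividade Social": these hosts must bypass the proxy. The DNAT
  # rules are appended to nat PREROUTING before the REDIRECT below, so
  # connections to them are left on their original address and never reach squid.
  iptables -t nat -A PREROUTING -p tcp -d 200.201.173.68 --dport 80 -j DNAT --to 200.201.173.68:80
  iptables -I FORWARD -p tcp -s 0/0 -d 200.201.173.68/32 --dport 80 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp -d 200.201.166.200 --dport 80 -j DNAT --to 200.201.166.200:80
  iptables -I FORWARD -p tcp -s 0/0 -d 200.201.166.200/32 --dport 80 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp -d 200.201.174.207 --dport 80 -j DNAT --to 200.201.174.207:80
  iptables -I FORWARD -p tcp -s 0/0 -d 200.201.174.207/32 --dport 80 -j ACCEPT
  # NOTE(review): the three "-I ... -s 200.201.174.0/24 -j ACCEPT" rules are
  # inserted at the TOP of FORWARD, OUTPUT and INPUT and accept any
  # protocol/port from that /24. Replies are already covered by the
  # ESTABLISHED,RELATED rules, so at least the INPUT rule (which opens every
  # local service to that range, or to anyone spoofing it) should be removed.
  iptables -I FORWARD -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT
  iptables -I OUTPUT -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT
  iptables -I INPUT -p all -s 200.201.174.0/24 -d 0/0 -j ACCEPT
  echo "liberado conectividade social...........................[OK]"

  # Transparent proxy: intercept LAN HTTP and hand it to squid on 3128.
  # The original also redirected TCP 21 and 23 here; squid's http_port only
  # speaks HTTP, so FTP/telnet clients would hang. Those protocols are now
  # forwarded directly by the rules above.
  iptables -A INPUT -p tcp -i "$INTERNA" --destination-port 80 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$INTERNA" -p tcp --dport 80 -j REDIRECT --to-port 3128
  echo "proxy transparente ativado so pra rede $INTERNA.............[OK]"

  # Apache on the gateway, reachable from the upstream side (the Internet).
  iptables -A INPUT -p tcp -i "$EXTERNA" --dport 80 -j ACCEPT
  echo "liberado servidor apache................................[OK]"

  # Block the ISP's ("navega") banner server.
  iptables -A INPUT -s 192.168.0.0/24 -p tcp -d 10.1.1.13 -j REJECT
  iptables -A FORWARD -s 192.168.0.0/24 -p tcp -d 10.1.1.13 -j REJECT
  iptables -A OUTPUT -p tcp -d 10.1.1.13 -j REJECT
  echo "bloqueado servidor do banner do navega.................[OK]"

  # Blocked clients (uncomment and edit as needed).
  #iptables -A INPUT -p tcp -i $INTERNA -s 192.168.0.20 -j DROP
  #iptables -A INPUT -p tcp -i $INTERNA -s 192.168.0.21 -j DROP
  #iptables -A FORWARD -p tcp -i $INTERNA -s 192.168.0.20 -j DROP
  #iptables -A FORWARD -p tcp -i $INTERNA -s 192.168.0.21 -j DROP
  #echo "bloqueado IP............................................[OK]"

  # Catch-all. The built-in policies stay at ACCEPT (this script never sets
  # them), so anything not matched here is accepted. New TCP connections are
  # dropped on both interfaces. On the upstream side everything else
  # unsolicited (UDP, other protocols) is dropped as well — legitimate
  # replies were already accepted by the state rules at the top. DHCP
  # replies are let through explicitly in case $EXTERNA gets its address
  # from the ISP by DHCP, since broadcast replies may not be tracked.
  iptables -A INPUT -i "$INTERNA" -p tcp --syn -j DROP
  iptables -A INPUT -i "$EXTERNA" -p tcp --syn -j DROP
  iptables -A INPUT -i "$EXTERNA" -p udp --sport 67 --dport 68 -j ACCEPT
  iptables -A INPUT -i "$EXTERNA" -j DROP
  echo "fechado tudo q nao ta em nehuma das regas acima.........[OK]"
  echo "fim das regas de firewall...............................[OK]"
  echo "regas de firewall adicionadas...........................[OK]"
}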
ativa_log()
{
  # Rate-limited LOG rules appended to the end of INPUT. They only see
  # packets that no earlier rule accepted or dropped; in particular the
  # "--syn -j DROP" rules appended by add_regras come BEFORE these, so
  # refused TCP connection attempts never reach them despite the prefix.
  LOG_FLOOD="1/s"
  local par
  for par in icmp:ICMP tcp:TCP udp:UDP; do
    iptables -A INPUT -p "${par%%:*}" -m limit --limit "$LOG_FLOOD" \
      -j LOG --log-level info --log-prefix "${par##*:} Dropped "
  done
  # Fragments get their own prefix and a higher level.
  iptables -A INPUT -f -m limit --limit "$LOG_FLOOD" \
    -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
  # Two generic rules for whatever is left, at different rates.
  iptables -A INPUT -m limit --limit 1/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
  iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
  echo "ativado o log...........................................[OK]"
}
squid_start()
{
  # Start the squid daemon from the source-install prefix. "start" is not a
  # squid option (presumably ignored — verify); it only makes the process
  # recognisable in the ps output that the start) case greps for.
  local squid_bin=/usr/local/squid/sbin/squid
  "$squid_bin" start
  echo "squid iniciado..........................................[ok]"
}
squid_reconfigura()
{
  # Ask the running squid to re-read squid.conf (-k reconfigure).
  local squid_bin=/usr/local/squid/sbin/squid
  "$squid_bin" -k reconfigure
  echo "squid reconfigurado.....................................[ok]"
}
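# Entry point: firewall { start | stop | restart | status }
case "$1" in
  start)
    zera_regras
    echo "regras zeradas..........................................[OK]"
    add_regras
    echo "add_regas carregada.....................................[ok]"
    # "squid -k check" exits 0 only when a squid master process is running
    # for this installation. The original "ps -ef | grep squid | grep start"
    # also matched unrelated processes (e.g. this script's own command line
    # when installed under a path containing "squid").
    if /usr/local/squid/sbin/squid -k check >/dev/null 2>&1; then
      echo "SQUID em execucao recarregando as regras....i.............[OK]"
      squid_reconfigura
      echo "squid_reconfigura.........................................[OK]"
    else
      squid_start
      echo "squid_start.......................................[OK]"
    fi
    ativa_log
    echo "firewall iniciado.......................................[OK]"
    ;;
  stop)
    # Flushing leaves the built-in chains at their ACCEPT policy: the host
    # and the LAN are completely unfiltered until "start" runs again (and
    # ip_forward stays enabled, now without masquerading). The ACCEPT rules
    # below are therefore redundant; they are kept with the "-p tcp" that
    # --dport requires, without which iptables rejected them.
    zera_regras
    iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5800 -j ACCEPT
    iptables -A INPUT -p tcp --dport 23 -j ACCEPT
    ;;
  restart)
    zera_regras
    add_regras
    ativa_log
    squid_reconfigura
    ;;
  status)
    echo "============================ Regras do Firewall:"
    iptables -L -n
    echo "============================"
    echo "============================ Tabela Mascaradas:"
    iptables -t nat -L -n
    echo "============================"
    echo "============================ Tabela Mangle:"
    iptables -t mangle -L -n
    echo "============================"
    ;;
  *)
    printf 'Usar: %s { start | stop | restart | status }\n' "$0" >&2
    exit 1
    ;;
esac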

