Fórum Ubuntu Linux - PT
Suporte Técnico => Internet, Redes e Segurança => Tópico iniciado por: paulofnet em 20 de Dezembro de 2010, 13:48
-
???Preciso de ajuda.. Meu servidor tem duas placas ethernet. Uma para rede interna/proxy e outra para acesso a internet.
Abaixo segue toda a minha configuração de rede. O que está errado/faltando...????
Desde já agradeço qq. ajuda.
Meu ambiente/servidor: Debian Lenny
# uname -a
Linux wega 2.6.26-2-amd64 #1 SMP Thu Nov 25 04:30:55 UTC 2010 x86_64 GNU/Linux
# squid -v
Squid Cache: Version 2.7.STABLE3
Clientes: Ubuntu 9.10/10.04, Windows XP, windows Vista, Windows 7 e Windows XP.
Configuração das minhas placas de rede:
/etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address yyy.yyy.yyy.y
netmask 255.255.255.192
gateway yyy.yyy.yyy.x
#Rede Interna
auto eth1
iface eth1 inet static
address 192.168.1.7 #proxy
netmask 255.255.255.0
========================================================================
Saída para internet através de NAT carregado no rc.local:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables -F
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Limite contra ping da morte e DoS
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
exit 0
========================================================================
Proxy/Squid:
http_port 3128 transparent
visible_hostname wega
error_directory /usr/share/squid/errors/Portuguese/
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 KB
minimum_object_size 0KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 20% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 443 563 70 210 280 488 59 777 901 1025-65535 # ftp https, snews, gopher whais http_mgmt gss-http filemaker multiling http swat
acl Safe_ports port 1025-65535 # portas altas
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl permitidos url_regex -i "/etc/squid/data/permitidos"
http_access allow permitidos
acl bloqueados dstdomain -i "/etc/squid/data/sites_bloqueados"
http_access deny bloqueados
acl wordblock url_regex "/etc/squid/data/wordblock"
http_access deny wordblock
acl extbloq url_regex -i "/etc/squid/data/ext_bloqueda"
http_access deny extbloq
acl redelocal src 192.168.1.0/24
http_access allow localhost
http_access allow redelocal
http_access deny all
=========================================================================
Configuração DHCP para rede interna:
default-lease-time 600;
max-lease-time 7200;
option domain-name-servers 200.221.11.100, 200.221.11.101;
# sub-rede lig
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.7 192.168.1.254;
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
default-lease-time 600;
max-lease-time 7200;
}
-
address 192.168.1.7 #proxy
option routers 192.168.1.1;
Cara, se vc quer fazer proxy transparente, vc tem que fazer da sua máquina o gateway da rede (ou então, fazer com que o gateway redirecione pra vc as saídas pra internet).