Depois de vários testes cheguei à seguinte config (bloqueando o Ultrasurf). Fiz o teste com o 12.1.
fw
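## Firewall control script.
## Usage: fw {start|restart|stop}
##   start/restart - flush everything and load the rule set below
##   stop          - flush rules and open every policy (NAT sharing and
##                   routing are left on, so the LAN keeps Internet access)
## Interface/network variables live outside the case so both branches use
## the same values ("stop" previously hard-coded eth0 instead of $NET).
NET=eth0               # external (Internet) interface
RLOCAL=eth1            # internal (LAN) interface
REDE="192.168.0.0/16"  # local network range
case "${1:-}" in
start|restart)
  echo "Firewall - ATIVADO"
  ## Load NAT / connection-tracking modules plus the FTP helpers.
  ## Deliberately no 'set -e': where these are built into the kernel,
  ## modprobe may fail and that must not abort the rule load.
  modprobe iptable_nat
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  modprobe ip_nat_ftp
  modprobe ip_tables
  modprobe iptable_filter
  modprobe ipt_MASQUERADE
  ## Flush rules, delete user chains and zero counters in every table.
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
  done
  ## Default policy: drop whatever no rule below accepts.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  ## Share the Internet connection (dynamic IP on $NET, so MASQUERADE).
  iptables -t nat -A POSTROUTING -o "$NET" -j MASQUERADE
  ## Enable routing between the interfaces.
  echo "1" > /proc/sys/net/ipv4/ip_forward
  ## Loopback is always allowed.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  ## Outbound DNS queries from this host (UDP only; TCP/53 is not opened).
  iptables -A OUTPUT -o "$NET" -p UDP --dport 53 -j ACCEPT
  ## Packets belonging to tracked connections are accepted in every
  ## chain; this is what makes the single-direction rules below work.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ## The local network may reach this host. Bound to the LAN interface so
  ## a packet arriving on $NET with a forged $REDE source is not accepted
  ## (the original rule matched on source address only). If the upstream
  ## link itself sits on a private range, anything needed from it beyond
  ## tracked replies must be allowed explicitly -- confirm on the real
  ## topology.
  iptables -A INPUT -i "$RLOCAL" -s "$REDE" -j ACCEPT
  ## Flood/scan mitigation on forwarded traffic: rate-limit echo requests
  ## and RSTs, drop unsolicited SYN+ACK (tracked replies were already
  ## accepted above, so only out-of-state packets reach these rules).
  iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
  ## Terminal Server publishing (kept disabled).
  ##echo 1 > /proc/sys/net/ipv4/ip_forward
  ##iptables -t nat -A PREROUTING -p tcp -i $NET --dport 3389 -j DNAT --to 172.18.20.20
  ##iptables -t nat -A POSTROUTING -d 172.18.20.20 -j SNAT --to 172.18.20.253
  ## SSH administration from the Internet on port 2222.
  iptables -A INPUT -i "$NET" -p TCP --dport 2222 -j ACCEPT
  ## NTP (clock sync) for this host and forwarded for the LAN.
  #iptables -A FORWARD -o $NET -p TCP --dport 123 -j ACCEPT
  iptables -A FORWARD -o "$NET" -p UDP --dport 123 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p UDP --dport 123 -j ACCEPT
  ## Windows Update hosts: outbound from this host and forwarded for the
  ## LAN. Replies are covered by the ESTABLISHED rule, so no INPUT
  ## "--sport 80/443" rules are needed (the ones originally here also
  ## accepted unsolicited packets from those hosts to any local port).
  iptables -A OUTPUT -o "$NET" -p tcp -d 69.44.123.167/32 --dport 80 -j ACCEPT
  iptables -A FORWARD -o "$NET" -p tcp -d 69.44.123.167/32 --dport 80 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p tcp -d 69.44.123.167/32 --dport 443 -j ACCEPT
  iptables -A FORWARD -o "$NET" -p tcp -d 69.44.123.167/32 --dport 443 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p tcp -d 207.46.198.93/32 --dport 443 -j ACCEPT
  iptables -A FORWARD -o "$NET" -p tcp -d 207.46.198.93/32 --dport 443 -j ACCEPT
  ## Download ports 8081/8084 (this host only).
  iptables -A OUTPUT -o "$NET" -p TCP --dport 8081 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p TCP --dport 8084 -j ACCEPT
  ## ICMP on the external side: this host and the LAN may ping out, but
  ## incoming ICMP from the Internet is dropped (no ping replies from
  ## outside). The original comment said "allow" for all three rules.
  iptables -A INPUT -i "$NET" -p icmp -j DROP
  iptables -A OUTPUT -o "$NET" -p icmp -j ACCEPT
  iptables -A FORWARD -o "$NET" -p icmp -j ACCEPT
  ## ICMP on the LAN side is allowed both ways.
  iptables -A INPUT -i "$RLOCAL" -p icmp -j ACCEPT
  iptables -A OUTPUT -o "$RLOCAL" -p icmp -j ACCEPT
  ## Destinations exempt from the transparent proxy: an ACCEPT in nat
  ## PREROUTING stops the REDIRECT rule further down from matching.
  ## NOTE(review): the three-octet forms (e.g. 200.201.160/20) are not
  ## full dotted quads; the network iptables derives from them may not be
  ## the one intended -- confirm and write them as a.b.c.d/20.
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 200.242.70.164 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 200.242.70.3 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 200.201.160/20 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 200.201.173/20 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 200.201.174/20 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 170.66.11/20 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 170.66.52/20 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 161.148.231.100 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 161.148.1.43 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$RLOCAL" -d 200.194.232.62 -j ACCEPT
  ## Web browsing and related ports for this host (LAN clients browse
  ## through Squid, which runs here and uses these OUTPUT rules).
  iptables -A OUTPUT -o "$NET" -p TCP --dport 80 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p TCP --dport 800 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p TCP --dport 1880 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p TCP --dport 443 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p TCP --dport 21 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p TCP --dport 20 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p TCP --dport 8080 -j ACCEPT
  iptables -A OUTPUT -o "$NET" -p TCP --dport 3389 -j ACCEPT
  ## Mail for LAN clients: SMTP (25), POP3 (110), POP3S (995), SMTPS (465).
  iptables -A FORWARD -o "$NET" -p TCP --dport 25 -j ACCEPT
  iptables -A FORWARD -o "$NET" -p TCP --dport 110 -j ACCEPT
  iptables -A FORWARD -o "$NET" -p TCP --dport 995 -j ACCEPT
  iptables -A FORWARD -o "$NET" -p TCP --dport 465 -j ACCEPT
  ## Terminal Server (3389), forwarded in both directions.
  iptables -A FORWARD -o "$NET" -p TCP --dport 3389 -j ACCEPT
  iptables -A FORWARD -o "$RLOCAL" -p TCP --dport 3389 -j ACCEPT
  ## SSH (22), forwarded in both directions.
  iptables -A FORWARD -o "$NET" -p TCP --dport 22 -j ACCEPT
  iptables -A FORWARD -o "$RLOCAL" -p TCP --dport 22 -j ACCEPT
  ## Camera server (3550), forwarded in both directions.
  iptables -A FORWARD -o "$NET" -p TCP --dport 3550 -j ACCEPT
  iptables -A FORWARD -o "$RLOCAL" -p TCP --dport 3550 -j ACCEPT
  ## PostgreSQL (5432) outbound for the LAN.
  iptables -A FORWARD -o "$NET" -p TCP --dport 5432 -j ACCEPT
  ## Serasa Conecte (HTTPS). The hostname is resolved once, when the rule
  ## is added; if DNS is unavailable at that moment the rule is simply
  ## missing (nothing here checks iptables' exit status). The commented
  ## fixed-IP lines are the alternative that does not depend on DNS.
  #iptables -t filter -A FORWARD -o $NET -p TCP -s $REDE -d 200.245.207.167/32 --dport 443 -j ACCEPT
  #iptables -t filter -A FORWARD -o $NET -p TCP -s $REDE -d 200.245.207.168/32 --dport 443 -j ACCEPT
  #iptables -t filter -A FORWARD -o $NET -p TCP -s $REDE -d 200.245.207.214/32 --dport 443 -j ACCEPT
  iptables -t filter -A FORWARD -o "$NET" -p TCP -s "$REDE" -d sitenet.serasa.com.br --dport 443 -j ACCEPT
  #iptables -t filter -A FORWARD -o $NET -p TCP -s $REDE -d br.yahoo.com --dport 443 -j ACCEPT
  #iptables -t filter -A FORWARD -o $NET -p TCP -s $REDE -d login.yahoo.com --dport 443 -j ACCEPT
  #iptables -t filter -A FORWARD -o $NET -p TCP -s $REDE -d mail.yahoo.com --dport 443 -j ACCEPT
  ## Transparent proxy: LAN HTTP is redirected to Squid on 3128.
  iptables -t nat -A PREROUTING -s "$REDE" -p tcp --dport 80 -j REDIRECT --to-port 3128
  ## LAN <-> this host traffic on the internal interface.
  iptables -A INPUT -i "$RLOCAL" -p TCP -s "$REDE" -d "$REDE" -j ACCEPT
  iptables -A OUTPUT -o "$RLOCAL" -p UDP -s "$REDE" -d "$REDE" -j ACCEPT
  iptables -A OUTPUT -o "$RLOCAL" -p TCP -s "$REDE" -d "$REDE" -j ACCEPT
  ## Explicit final drops for inbound TCP from the Internet. The INPUT
  ## policy is already DROP, so these only make the intent visible.
  iptables -A INPUT -i "$NET" -p tcp --syn -j DROP
  iptables -A INPUT -i "$NET" -p tcp --dport :32000 -j DROP
  ;;
stop)
  echo "CUIDADO SUA MAQUINA ESTA SEM FIREWALL - ATENCAO!!!..."
  ## Flush the filter and nat rules and open every policy.
  iptables -F
  iptables -t nat -F
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  ## Connection sharing and routing stay enabled so the LAN keeps
  ## (now unfiltered) Internet access while the firewall is down.
  iptables -t nat -A POSTROUTING -o "$NET" -j MASQUERADE
  echo "1" > /proc/sys/net/ipv4/ip_forward
  iptables -A INPUT -i lo -j ACCEPT
  ;;
*)
  echo "Digite start, restart ou stop para ativar/reativar/desativar"
  exit 1
  ;;
esac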
squid.conf
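# Squid listens in transparent mode on 3128; the firewall REDIRECTs LAN
# port-80 traffic here.
http_port 3128 transparent
visible_hostname PACOCA
error_directory /usr/share/squid/errors/Portuguese/
cache_mgr ui@eo.com.br
# Memory and disk cache sizing.
cache_mem 64 MB
maximum_object_size_in_memory 64 KB
maximum_object_size 512 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
# "all" must match every client. It was defined as 192.168.1.0/24, so the
# final "http_access deny all" only denied that /24: a client from any
# other address (the firewall sends all of 192.168.0.0/16 here) matched
# no http_access line and got Squid's default, which is the opposite of
# the last line -- i.e. allow -- bypassing every group restriction below.
# If a LAN-only acl is wanted, define it under another name and use it
# explicitly.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 446 563 8333 10000 5200
acl Safe_ports port 21 59 70 80 210 280 443 446 488 563 777 901 1025-65535 5200
acl purge method PURGE
acl CONNECT method CONNECT
# Blocking lists (one regex per line in each file).
acl downloadsproibidos url_regex -i "/etc/squid/extban"            # blocked download extensions
acl palavrasproibidas url_regex -i "/etc/squid/palavrasproibidas" # blocked words (defined but not referenced below)
acl bloqueados url_regex -i "/etc/squid/bloqueados"               # blocked sites
### Access groups
# diretoria and gerencia are matched by MAC address (arp); that only
# works for clients on the same Ethernet segment as the proxy and a
# client can change its own MAC, so it identifies a machine, not a
# person. funcionarios is matched by source IP.
acl diretoria arp "/etc/squid/ipdiretoria"
acl gerencia arp "/etc/squid/ipgerencia"
acl funcionarios src "/etc/squid/ipfuncionarios"
# Sites the funcionarios group may reach.
acl sitesfuncionarios url_regex -i "/etc/squid/liberado"
## Default ACLs
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny to_localhost
## Custom ACLs -- order matters: the first matching line wins.
# acl names are case-sensitive; the acl defined above is "diretoria",
# so the original "allow Diretoria" referred to an acl that does not
# exist.
http_access allow diretoria
http_access deny bloqueados
http_access deny downloadsproibidos
http_access allow gerencia
http_access allow funcionarios sitesfuncionarios
http_access deny all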
O que acha, zekkrj?
Consegui bloquear o Ultrasurf assim e montei o Squid com 3 níveis:
Diretoria - acesso full.
Gerência - acesso full menos (-) os bloqueados.
Funcionários - apenas acesso aos sites liberados.
Só tem acesso ao MSN quem está no perfil da diretoria.
Uso o arquivo wpad.dat para forçar o uso do proxy nas máquinas dos clientes.
Agora quero implementar o failover conforme
http://ubuntuforum-br.org/index.php/topic,96421.0.html — já pesquisei no Google, mas quero algo prático.