Problema de IPTables com o Squid como proxy transparente

Navegue suas respostas
3

Eu tenho uma máquina Ubuntu (10.04) que está executando meu firewall, dhcp e dns. Acabei de instalar o squid a partir de pacotes e configurá-lo para ser executado na porta 8888. Antes de qualquer alteração no meu firewall as páginas funcionarão normalmente, se eu definir manualmente um proxy para 192.168.10.1:8888 no firefox ele funciona. O problema acontece quando tento transformar o squid em um proxy transparente.

Meu firewall é o seguinte: 

#!/bin/sh

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"

EXTIF="eth1"
INTIF="eth2"

load () {

    $depmod -a

    $modprobe ip_tables
    $modprobe ip_conntrack
    $modprobe ip_conntrack_ftp
    $modprobe ip_conntrack_irc
    $modprobe iptable_nat
    $modprobe ip_nat_ftp
    $modprobe ip_conntrack_pptp
    $modprobe ip_nat_pptp

echo "enable forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#  start firewall

    #default policies
    $iptables -P INPUT DROP
    $iptables -F INPUT
    $iptables -P OUTPUT DROP
    $iptables -F OUTPUT
    $iptables -P FORWARD DROP
    $iptables -F FORWARD
    $iptables -t nat -F


echo "  opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

echo "  allow GRE 47 for VPN"
$iptables -A INPUT -p 47 -j ACCEPT

echo "  allow all connections OUT and ONLY existing related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

echo "  enabling SNAT (MASQUERADE) functionality on $EXTIF - allow LAN internet access"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT

echo "  Allowing packets with ICMP data (pings)"
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT

$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

echo "  port 137 for netBios"
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

#echo "  port 139 for netBios-ssn smb"
#$iptables -A INPUT -i $INTIF -p tcp --dport 139 -j ACCEPT
#$iptables -A OUTPUT -o $INTIF -p tcp --dport 139 -j ACCEPT

echo "  opening port 53 for DNS queries"
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

echo "  opening port 22 for internal ssh"
$iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT

echo "  opening port 80 for webserver"
$iptables -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW -j ACCEPT

echo "  opening port 21 for FTP Server"
$iptables  -A INPUT -p tcp -i $EXTIF --dport 21 -m state --state NEW -j ACCEPT

echo "  opening ssh for web on port 2609 for firewig"
$iptables -A INPUT -p tcp --dport 2609 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 2609 -j ACCEPT

echo "  opening ssh for web on port 22  for WS2008-CI"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 22 -j DNAT  --to 192.168.10.97
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.97 -j ACCEPT

echo "  opening ssh for web on port 2302  for firewig 2302"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 2302 -j DNAT  --to 192.168.10.96:2302
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 2302 -j ACCEPT

echo "  opening Apache webserver for HoH"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.10.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 80 -j ACCEPT

#echo "  opening Hudson"
#$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 81 -j DNAT --to 192.168.10.97:81
#$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.97 --dport 81 -j ACCEPT

echo "  opening Target Process"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 90 -j DNAT --to 192.168.10.98:90
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.98 --dport 90 -j ACCEPT


#echo "  This is designed to stop brute force attacks"
$iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 6/minute --limit-burst 5 -j ACCEPT

#echo "  setting up squid proxy server"
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to 192.168.10.1:8888
#$iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 8888


#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to 192.168.10.1:8888
#$iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 8888

#echo "  Diverting port 80 traffic through Squid."
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 8888


#  NOTE THE THREE LINES BELOW ALLOW ACCESS FOR THE VPN CONNECTION...Ry.

$iptables -A INPUT -i $EXTIF -p TCP --dport 1723 -j ACCEPT

$iptables -A INPUT -i ppp+ -j ACCEPT
$iptables -A FORWARD -i ppp+ -o $INTIF -j ACCEPT
$iptables -A FORWARD -i $INTIF -o ppp+ -j ACCEPT
$iptables -A OUTPUT -o ppp+ -j ACCEPT

# ICMP for vpn
$iptables -A INPUT -i ppp+ -p icmp -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p icmp -j ACCEPT


# DNS for vpn
$iptables -A INPUT -i ppp+ -p tcp --dport 0:65535 --sport 53 -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p tcp --sport 0:65535 --dport 53 -j ACCEPT
$iptables -A INPUT -i ppp+  -p udp --dport 0:65535 --sport 53 -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p udp --sport 0:65535 --dport 53 -j ACCEPT

# forward vpn--->internet
$iptables -A FORWARD -i ppp+ -o $EXTIF -p ALL -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o ppp+ -p ALL -j ACCEPT


#$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "


}
flush() {
    echo "flushing rules...."
    $iptables -P FORWARD ACCEPT
    $iptables -F INPUT
    $iptables -P INPUT ACCEPT
}

case "" in

    start|restart)
    flush
    load
    ;;
    stop)
    flush
    ;;
*)
    echo "usage: start|stop|restart."
;;

esac

Se eu descomentar as linhas de pré-visualização do squid, a internet pára de funcionar.

Não tenho certeza do que perdi. Você acha que poderia ser uma coisa de configuração do Squid?

    
por Jon 11.09.2010 / 00:55

1 resposta

6

Você ajustou sua configuração http_port para o armazenamento em cache de interceptação? 

-http_port 3128
+# FIXME enable the transparent option for interception caching
+http_port 3128 transparent

Aqui estão as regras que eu uso. Eles são um pouco mais complicados, mas tornam mais fácil adicionar uma exceção ao proxy de interceptação se eu precisar de um. 

# Creating chain 'tproxy' under 'PREROUTING' in table 'nat'
/sbin/iptables -t nat -N tproxy

# rules for source or destination addresss that will not be forced through the proxy.
/sbin/iptables -t nat -A tproxy -s 10.2.4.56 -j RETURN 
/sbin/iptables -t nat -A tproxy -s 10.2.4.86 -j RETURN 
/sbin/iptables -t nat -A tproxy -s 10.2.4.19 -j RETURN 
/sbin/iptables -t nat -A tproxy -s 10.2.4.85 -j RETURN 
/sbin/iptables -t nat -A tproxy -s 10.2.4.150 -j RETURN 
/sbin/iptables -t nat -A tproxy -d 10.2.0.0/16 -j RETURN

# redirect anything to the proxy that is not returned
/sbin/iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 8888 

# rules to send port 80 traffic on incoming interfaces vlan0004, vlan0006 to 
# tproxy chain.
/sbin/iptables -t nat -A PREROUTING -i vlan0004 -p tcp --dport 80 -j tproxy 
/sbin/iptables -t nat -A PREROUTING -i vlan0004 -p tcp --dport 8888 -j tproxy  
/sbin/iptables -t nat -A PREROUTING -i vlan0006 -p tcp --dport 80 -j tproxy  
/sbin/iptables -t nat -A PREROUTING -i vlan0006 -p tcp --dport 8888 -j tproxy
    
por Zoredache 11.09.2010 / 03:07

Tags

Configurando um sistema de compilação para o aplicativo Python Usando um serviço VPS, posso evitar que meus dados sejam acessados pelo host VPS?