I'm building a highly anonymous proxy server with squid and stunnel, and I'm running into an iptables configuration problem.
The server should work like this:
browser <-> client stunnel <=> server stunnel <-> server squid <=> site
where - means local traffic and = means Internet traffic.
Currently stunnel and squid are configured on the same server.
I'm new to iptables; I tried my best and defined the rules below (dump via iptables-save):
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117178:91123876]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 14 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 16 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 18 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# Completed on Tue Jan 26 12:54:01 2016
I found that I can't visit some sites while the iptables rules are applied. I believe the iptables rules are wrong, but I don't know how to fix them; could anyone help me?
squid:
# Squid Core Settings
http_port 3128
coredump_dir /var/spool/squid3
# ACL Settings
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
# Anonymous Setting
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Cookie allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access All deny all
header_replace User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
forwarded_for off
# Cacheing Settings
#cache_dir ufs /var/spool/squid3/cache/ufs 4096 16 256
#cache_dir aufs /var/spool/squid3/cache/aufs 4096 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
stunnel (client side):
[psk]
client = yes
accept = 127.0.0.1:8443
connect = SERVER_ADDR:PORT
PSKsecrets = psk.txt
[proxy]
client = yes
accept = 127.0.0.1:8089
connect = 127.0.0.1:8443
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
CAfile = cert.pem
verify = 2
checkHost = SERVER_ADDR
stunnel (server side):
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/priv.pem
debug = 7
;output = stunnel.log
foreground = yes
[PSK]
accept = 443
;accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
[squid]
accept = 127.0.0.1:8443
;accept = :::8443
connect = 127.0.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE
iptables DROP LOGS:
[144292.234289] IPTables-Dropped: SRC=173.245.55.179 PROTO=TCP SPT=50365 DPT=80
[144301.107881] IPTables-Dropped: SRC=117.41.229.40 SPT=2008 DPT=8888 WINDOW=16384
[144360.343125] IPTables-Dropped: SRC=80.82.79.104 SPT=42465 DPT=10000 WINDOW=1024
[144374.574490] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144375.564623] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144377.564581] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144381.574600] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144403.970319] IPTables-Dropped: SRC=117.41.229.20 SPT=2002 DPT=3128 WINDOW=16384
[144404.914921] IPTables-Dropped: SRC=82.114.86.90 PROTO=TCP SPT=4020 DPT=3389
[144407.889798] IPTables-Dropped: SRC=82.114.86.90 PROTO=TCP SPT=4020 DPT=3389
[144431.102337] IPTables-Dropped: SRC=117.41.229.40 SPT=2008 DPT=8888 WINDOW=16384
[144441.480311] IPTables-Dropped: SRC=58.218.204.225 SPT=42147 DPT=8888 WINDOW=512
[144457.402085] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144458.400167] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144460.404178] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144460.754622] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144462.686286] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144463.685486] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144464.011240] IPTables-Dropped: SRC=108.162.216.178 PROTO=TCP SPT=38717 DPT=80
[144464.416256] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144465.689500] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144468.827527] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144469.608763] IPTables-Dropped: SRC=50.56.21.180 PROTO=TCP SPT=443 DPT=46344
[144471.827936] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144474.224868] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144475.840049] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144477.713538] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144480.228830] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144483.856005] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144484.630156] IPTables-Dropped: SRC=50.56.21.180 PROTO=TCP SPT=443 DPT=46344
stunnel ERROR LOGS (client side):
32: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] accepted connection from 127.0.0.1:8421
33: 2016.01.26 02:29:54 LOG5[4962]: s_connect: connected 127.0.0.1:8443
34: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] connected remote server from 127.0.0.1:8422
38: 2016.01.26 02:29:55 LOG3[4962]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
39: 2016.01.26 02:29:55 LOG5[4962]: Connection reset: 373 byte(s) sent to SSL, 331 byte(s) sent to socket
squid access.log:
1453812536.918 58824 127.0.0.1 TCP_TUNNEL/200 1086 CONNECT www.google-analytics.com:443 - HIER_DIRECT/2404:6800:4004:80b::100e -
1453812622.722 239778 127.0.0.1 TAG_NONE/503 0 CONNECT stackoverflow.com:443 - HIER_NONE/- -
1453812661.330 240001 127.0.0.1 TAG_NONE/503 0 CONNECT syndication.twitter.com:443 - HIER_NONE/- -
1453812717.832 60713 127.0.0.1 TCP_MISS/503 5358 GET http://jeffreifman.com/how-to-install-your-own-private-e-mail-server-in-the-amazon-cloud-aws/estimating-costs/ - HIER_DIRECT/107.170.64.60 text/html
1453812718.832 60042 127.0.0.1 TAG_NONE/503 0 CONNECT www.mailgun.com:443 - HIER_NONE/- -
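The drop log above contains two different kinds of packet, and telling them apart is what decides whether the ruleset is wrong. Packets with SPT=80 or SPT=443 headed for a high destination port (for example SRC=107.170.64.60 SPT=80 DPT=41692, the same host that shows up as HIER_DIRECT/107.170.64.60 in the squid access.log with a 503) are replies to connections squid itself opened; packets aimed at DPT=3389, 8888, 10000 or 3128 are unsolicited probes from the Internet. An INPUT chain whose policy is DROP with no ESTABLISHED,RELATED rule treats both the same way, so the proxy's own return traffic is discarded and squid times out. The script below is an added example, not part of the original post or of any squid/stunnel/iptables project: it classifies the posted log lines with a port heuristic (an approximation; conntrack is the authority on which packets belong to an existing flow), checks an iptables-save dump for a stateful accept rule, and shows where that rule has to go. The sample log lines and the trimmed ruleset are copied from the post; the function names and the regexes are my own.

```python
"""Classify iptables drop-log lines and audit an iptables-save dump for a
stateful return-traffic rule. Added example; assumptions are marked."""
import re

# Sample input copied from the post's kernel log (subset, constructed list).
SAMPLE_DROPS = [
    "[144292.234289] IPTables-Dropped: SRC=173.245.55.179 PROTO=TCP SPT=50365 DPT=80",
    "[144301.107881] IPTables-Dropped: SRC=117.41.229.40 SPT=2008 DPT=8888 WINDOW=16384",
    "[144404.914921] IPTables-Dropped: SRC=82.114.86.90 PROTO=TCP SPT=4020 DPT=3389",
    "[144457.402085] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858",
    "[144462.686286] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096",
    "[144468.827527] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692",
]

# The posted INPUT chain, minus the ICMP rules, in iptables-save format.
POSTED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
"""

# Assumption: squid only ever talks to remote HTTP/HTTPS services as a client,
# so a dropped packet *from* one of these ports to an ephemeral port on this
# host is the remote side answering a connection squid opened.
SERVICE_PORTS = {80, 443}
EPHEMERAL_MIN = 1024

LOG_RE = re.compile(
    r"IPTables-Dropped:.*?SRC=(?P<src>\S+).*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_drop(line):
    """Return {'src','spt','dpt'} for a drop-log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "spt": int(m.group("spt")), "dpt": int(m.group("dpt"))}


def classify(drop):
    """'reply': return traffic for an outbound flow; 'probe': unsolicited inbound."""
    if drop["spt"] in SERVICE_PORTS and drop["dpt"] >= EPHEMERAL_MIN:
        return "reply"
    return "probe"


def summarize(lines):
    """Count replies, probes and lines that are not drop-log entries."""
    counts = {"reply": 0, "probe": 0, "unparsed": 0}
    for line in lines:
        d = parse_drop(line)
        counts["unparsed" if d is None else classify(d)] += 1
    return counts


# Matches either the conntrack or the older state match accepting ESTABLISHED.
STATE_RE = re.compile(
    r"^-A INPUT .*-m (conntrack --ctstate|state --state) [A-Z,]*ESTABLISHED"
)
FIX_RULE = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"


def has_state_rule(dump):
    """True if INPUT accepts ESTABLISHED packets somewhere in the dump."""
    return any(STATE_RE.search(l) and "-j ACCEPT" in l for l in dump.splitlines())


def add_state_rule(dump):
    """Insert FIX_RULE right after the loopback accept (or before the first
    INPUT rule if there is none), so it runs before the jump to LOGGING."""
    if has_state_rule(dump):
        return dump
    lines = dump.splitlines()
    for i, l in enumerate(lines):
        if l.startswith("-A INPUT -i lo -j ACCEPT"):
            lines.insert(i + 1, FIX_RULE)
            break
    else:
        first = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT"))
        lines.insert(first, FIX_RULE)
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_DROPS))
    print(add_state_rule(POSTED_RULES))
```

With the posted lines the summary comes out as three replies and three probes. The probes (RDP, 8888, 3389, and the 3128 attempt elsewhere in the log) are exactly what the DROP policy should be catching, since `http_port 3128` binds every interface and only `http_access allow localhost` stands between squid and the open Internet; the replies are the reason pages time out. Adding the single conntrack rule before `-A INPUT -j LOGGING` makes the kernel accept packets that belong to flows the host itself initiated, without opening any new listening port, and the `--sport 1024:65535` restriction on the 22 and 443 rules can stay as it is.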