iptables configuration for stunnel + squid


I am building a highly anonymous proxy server with squid and stunnel, and I am running into an iptables configuration problem.

The server should work like this:

browser <-> client stunnel <=> server stunnel <-> server squid <=> site

Where - means local traffic and = means Internet traffic.

Currently stunnel and squid are configured on the same server.

I am a newbie with iptables; I tried my best and defined the rules below (dump via iptables-save):

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117178:91123876]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 14 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 16 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 18 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# Completed on Tue Jan 26 12:54:01 2016

I found that I cannot visit some sites while the iptables rules are applied. I believe the iptables rule settings are wrong, but I don't know how to fix this; could anyone help me?

CONFIGURATIONS

squid:

# Squid Core Settings
http_port 3128
coredump_dir /var/spool/squid3

# ACL Settings
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all

# Anonymous Setting
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Cookie allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all  
request_header_access All deny all
header_replace User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
forwarded_for off

# Caching Settings
#cache_dir ufs /var/spool/squid3/cache/ufs 4096 16 256
#cache_dir aufs /var/spool/squid3/cache/aufs 4096 16 256
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

stunnel (client side):

[psk]
client = yes
accept = 127.0.0.1:8443
connect = SERVER_ADDR:PORT
PSKsecrets = psk.txt

[proxy]
client = yes
accept = 127.0.0.1:8089
connect = 127.0.0.1:8443
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
CAfile = cert.pem
verify = 2
checkHost = SERVER_ADDR

stunnel (server side):

pid = /run/stunnel.pid
chroot  = /var/lib/stunnel
client  = no
setuid  = stunnel
setgid  = stunnel
cert    = /etc/stunnel/cert.pem
key = /etc/stunnel/priv.pem

debug   = 7
;output = stunnel.log
foreground = yes

[PSK]
accept = 443
;accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt

[squid]
accept = 127.0.0.1:8443
;accept = :::8443
connect = 127.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE

LOGS

iptables DROP LOGS:

[144292.234289] IPTables-Dropped:   SRC=173.245.55.179  PROTO=TCP   SPT=50365   DPT=80
[144301.107881] IPTables-Dropped:   SRC=117.41.229.40   SPT=2008    DPT=8888    WINDOW=16384
[144360.343125] IPTables-Dropped:   SRC=80.82.79.104    SPT=42465   DPT=10000   WINDOW=1024
[144374.574490] IPTables-Dropped:   SRC=108.162.217.173 PROTO=TCP   SPT=35022   DPT=80
[144375.564623] IPTables-Dropped:   SRC=108.162.217.173 PROTO=TCP   SPT=35022   DPT=80
[144377.564581] IPTables-Dropped:   SRC=108.162.217.173 PROTO=TCP   SPT=35022   DPT=80
[144381.574600] IPTables-Dropped:   SRC=108.162.217.173 PROTO=TCP   SPT=35022   DPT=80
[144403.970319] IPTables-Dropped:   SRC=117.41.229.20   SPT=2002    DPT=3128    WINDOW=16384
[144404.914921] IPTables-Dropped:   SRC=82.114.86.90    PROTO=TCP   SPT=4020    DPT=3389
[144407.889798] IPTables-Dropped:   SRC=82.114.86.90    PROTO=TCP   SPT=4020    DPT=3389
[144431.102337] IPTables-Dropped:   SRC=117.41.229.40   SPT=2008    DPT=8888    WINDOW=16384
[144441.480311] IPTables-Dropped:   SRC=58.218.204.225  SPT=42147   DPT=8888    WINDOW=512
[144457.402085] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144458.400167] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144460.404178] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144460.754622] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144462.686286] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144463.685486] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144464.011240] IPTables-Dropped:   SRC=108.162.216.178 PROTO=TCP   SPT=38717   DPT=80
[144464.416256] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144465.689500] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144468.827527] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144469.608763] IPTables-Dropped:   SRC=50.56.21.180    PROTO=TCP   SPT=443 DPT=46344
[144471.827936] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144474.224868] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144475.840049] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144477.713538] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144480.228830] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144483.856005] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144484.630156] IPTables-Dropped:   SRC=50.56.21.180    PROTO=TCP   SPT=443 DPT=46344

stunnel ERROR LOGS (client side):

  32: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] accepted connection from 127.0.0.1:8421
  33: 2016.01.26 02:29:54 LOG5[4962]: s_connect: connected 127.0.0.1:8443
  34: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] connected remote server from 127.0.0.1:8422
  38: 2016.01.26 02:29:55 LOG3[4962]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
  39: 2016.01.26 02:29:55 LOG5[4962]: Connection reset: 373 byte(s) sent to SSL, 331 byte(s) sent to socket

squid access.log:

1453812536.918  58824 127.0.0.1 TCP_TUNNEL/200 1086 CONNECT www.google-analytics.com:443 - HIER_DIRECT/2404:6800:4004:80b::100e -
1453812622.722 239778 127.0.0.1 TAG_NONE/503 0 CONNECT stackoverflow.com:443 - HIER_NONE/- -
1453812661.330 240001 127.0.0.1 TAG_NONE/503 0 CONNECT syndication.twitter.com:443 - HIER_NONE/- -
1453812717.832  60713 127.0.0.1 TCP_MISS/503 5358 GET http://jeffreifman.com/how-to-install-your-own-private-e-mail-server-in-the-amazon-cloud-aws/estimating-costs/ - HIER_DIRECT/107.170.64.60 text/html
1453812718.832  60042 127.0.0.1 TAG_NONE/503 0 CONNECT www.mailgun.com:443 - HIER_NONE/- -
    
by Hartman 26.01.2016 / 13:57

0 answers
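Added example (editor's addition, not part of the question or of any answer): the tell-tale pattern in the drop log above is that every line with `SPT=80` or `SPT=443` and a high destination port is a reply to a connection that squid opened itself (107.170.64.60 in the drop log is the same host access.log records as `HIER_DIRECT/107.170.64.60`), and the posted INPUT chain has policy DROP with no rule for packets belonging to established connections, so those replies never reach squid and the CONNECT attempts end in `TAG_NONE/503` after the timeout. The POSIX sh script below triages the logged drops with that heuristic and emits a corrected ruleset in iptables-save format. The function names, the port heuristic and the sample lines (copied from the question's log) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the question: triage "IPTables-Dropped" log lines
# and emit the stateful rule the posted INPUT chain is missing.
# Function names and the port heuristic are this example's own choices.

# Constructed sample: a subset of the drop log lines posted in the question.
DROP_LOG='[144292.234289] IPTables-Dropped:   SRC=173.245.55.179  PROTO=TCP   SPT=50365   DPT=80
[144301.107881] IPTables-Dropped:   SRC=117.41.229.40   SPT=2008    DPT=8888    WINDOW=16384
[144403.970319] IPTables-Dropped:   SRC=117.41.229.20   SPT=2002    DPT=3128    WINDOW=16384
[144404.914921] IPTables-Dropped:   SRC=82.114.86.90    PROTO=TCP   SPT=4020    DPT=3389
[144457.402085] IPTables-Dropped:   SRC=212.199.163.170 PROTO=TCP   SPT=80  DPT=45858
[144462.686286] IPTables-Dropped:   SRC=104.16.37.249   PROTO=TCP   SPT=443 DPT=54096
[144468.827527] IPTables-Dropped:   SRC=107.170.64.60   PROTO=TCP   SPT=80  DPT=41692
[144469.608763] IPTables-Dropped:   SRC=50.56.21.180    PROTO=TCP   SPT=443 DPT=46344'

# Classify each dropped packet read from stdin. Source port 80/443 plus an
# ephemeral destination port is the signature of a reply to a connection the
# proxy opened; an INPUT chain with policy DROP and no ESTABLISHED,RELATED
# rule discards those replies, so the outbound request hangs until squid
# gives up. Everything else (SYNs to 80, 3128, 3389, 8888, ...) is
# unsolicited and is correctly dropped.
classify_drops() {
    awk '
    {
        src = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^SPT=/) spt = substr($i, 5) + 0
            if ($i ~ /^DPT=/) dpt = substr($i, 5) + 0
        }
        if ((spt == 80 || spt == 443) && dpt >= 1024)
            printf "return-traffic %s %d->%d\n", src, spt, dpt
        else
            printf "unsolicited    %s %d->%d\n", src, spt, dpt
    }'
}

# Number of logged drops that were replies to the proxy's own connections.
count_return_traffic() {
    printf '%s\n' "$DROP_LOG" | classify_drops | grep -c '^return-traffic' || true
}

# Number of logged drops that were unsolicited inbound packets (scans, noise).
count_unsolicited() {
    printf '%s\n' "$DROP_LOG" | classify_drops | grep -c '^unsolicited' || true
}

# Corrected ruleset in iptables-save format. Compared with the posted dump it
# adds, right after the loopback rule, an accept for packets that conntrack
# already knows (ESTABLISHED) or can tie to a known flow (RELATED, e.g. ICMP
# errors for it) and a drop for INVALID packets; the per-type ICMP lines are
# gone because echo/timestamp replies to this host's own probes are now
# ESTABLISHED and unreachable/time-exceeded errors for tracked flows are
# RELATED. FORWARD is DROP because the box is a proxy, not a router, and
# 3128/8443 stay closed on eth0 since both are reached via loopback only.
# Apply with:  fixed_rules | iptables-restore
fixed_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
EOF
}

# True when the ruleset carries the stateful accept rule.
has_stateful_rule() {
    fixed_rules | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Stand-alone run: show the triage and the ruleset.
printf '%s\n' "$DROP_LOG" | classify_drops
echo "replies dropped: $(count_return_traffic), unsolicited dropped: $(count_unsolicited)"
fixed_rules
```

Two caveats beyond the conntrack rule. The 22 and 443 accepts use `--ctstate NEW` instead of the posted `--sport 1024:65535`: a source-port check is not a security control, since the client chooses its source port. And `http_port 3128` in the posted squid.conf binds every interface and relies on the firewall alone to keep it off eth0 (the drop log shows someone probing exactly that port); `http_port 127.0.0.1:3128` makes the firewall a second layer rather than the only one.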