Forums:
buenos dias amigos, herede un squid en la empresa donde inicie a trabajar pero no funciona como deberia, mas abajo agrego las lineas del squid:
squid.conf
--------------
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl redlocal src 192.168.15.0/24 # RFC1918 possible internal network
acl redlocal src 192.168.10.0/24 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 37777
acl SSL_ports port 443
acl SSL-ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 26 # smtp-global
acl CONNECT method CONNECT
acl full src "/etc/squid/full.acl"
acl semifull src "/etc/squid/semifull.acl"
acl webpermitidas url_regex -i # mail gmail hotmail outlook target liugong login.live portal.ips.gov hacienda.gov bcp.gov google stopparaguay.com
acl drop src "/etc/squid/drop.acl"
acl dominiospremitidos dstdomain "/etc/squid/dominiospremitidos.acl"
acl hora time 12:30-13:30
acl Sin_Redes_sociales src "/etc/squid/redes_sociales.acl"
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports !full
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports !full
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
#http_access allow localhost
# And finally deny all other access to this proxy
http_access allow full all
http_access allow hora
http_access allow webpermitidas !drop
http_access allow dominiospremitidos !drop
http_access allow semifull
http_access deny all redes_sociales
http_access deny all drop
http_access deny all redlocal
# Squid normally listens to port 3128
# Designer
access_log /var/log/squid/access.log
cache_mem 32 MB
http_port 3128 intercept
#https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/squid/ssl/myCA.pem
# http_port 8080 transparent
#http_port 3128
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
logfile_rotate 7
err_html_text informatica@targetsa.com.py
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#shutdown_lifetime 5 seconds
cache_effective_user squid
cache_effective_group squid
-------------------------------------------------------------------------------------------------------------------------------------------
mi idea es que los que estan en full - puedan navegar sin problemas tipo los jefes de la empresa
y que los que sean semiFull no ingresenta a redes sociales.
Gracias
Miguel Baum
haber no vas a parar el
haber no vas a parar el ingreso a redes sociales solo con squid, necesitas tambien bloquear con un buen script de iptables bloquear el acceso https de esas redes (q x default todas ingresan en https), busca aca mismo se colocó hace algun tiempo scripts para bloquear face, etc--
No le hagas caso, si puedes
No le hagas caso, si puedes bloquear solo con squid, nada más no hagas NAT o enmascares el tráfico HTTP/HTTPS o ninguno, no uses proxy transparente y obliga a los usuarios a que configuren el proxy en sus navegadores, listo, todos tienen que obedecer lo que diga SQUID ...
bye
;)
deathUser
deathUser
--------------
acá configuramos en el navegador el proxy (ip server & port). si agregamos un iplan/32 a la regla full.acl o semifull.acl - todos pueden navegar full igual, si los extraigo de cualquiera de las 2 reglas no navegan nada. mi consulta es en mi script me falta algunas lineas o me faltan mas configuraciones como en el iptables?
iptables
------------
# Generated by iptables-save v1.4.7 on Thu Sep 4 15:59:41 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Ifw - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
[56161557:39538223268] -A INPUT -j Ifw
[2617411:222825340] -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
[31691467:36826124831] -A INPUT -i eth0 -j net2fw
[23810996:2664169951] -A INPUT -i eth1 -j loc2fw
[659094:47928486] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j Reject
[0:0] -A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
[0:0] -A INPUT -g reject
[12092673:2054294225] -A FORWARD -s 192.168.15.0/24 -d 192.168.10.0/24 -j ACCEPT
[19275964:25922921787] -A FORWARD -s 192.168.10.0/24 -d 192.168.15.0/24 -j ACCEPT
[2029392:124453473] -A FORWARD -m conntrack --ctstate INVALID,NEW -j dynamic
[5707430:4342393110] -A FORWARD -i eth0 -o eth1 -j net2loc
[6674631:2323779670] -A FORWARD -i eth1 -o eth0 -j loc2net
[69:5527] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2801:238816] -A FORWARD -j Reject
[409:66022] -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
[409:66022] -A FORWARD -g reject
[24026604:2795591289] -A OUTPUT -o eth0 -j fw2net
[38002747:38214932380] -A OUTPUT -o eth1 -j fw2loc
[654714:46683891] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j Reject
[0:0] -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
[0:0] -A OUTPUT -g reject
[625469:81193391] -A Drop
[0:0] -A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[625469:81193391] -A Drop -j dropBcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[1792:294690] -A Drop -j dropInvalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
[39:3042] -A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
[131:6840] -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[16:4238] -A Drop -p tcp -j dropNotSyn
[31:2300] -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A Ifw -m set --match-set ifw_wl src -j RETURN
[0:0] -A Ifw -m set --match-set ifw_bl src -j DROP
[48:3918] -A Ifw -m state --state INVALID,NEW -m psd --psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1 -j IFWLOG --log-prefix "SCAN"
[1703:102164] -A Ifw -p tcp -m state --state NEW -m tcp --dport 80 -j IFWLOG --log-prefix "NEW"
[0:0] -A Ifw -p tcp -m state --state NEW -m tcp --dport 443 -j IFWLOG --log-prefix "NEW"
[2801:238816] -A Reject
[0:0] -A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[2801:238816] -A Reject -j dropBcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[2801:238816] -A Reject -j dropInvalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
[1031:80418] -A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
[1123:56900] -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[211:33731] -A Reject -p tcp -j dropNotSyn
[1:250] -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[546864:71979951] -A dropBcast -m addrtype --dst-type BROADCAST -j DROP
[76813:8918750] -A dropBcast -d 224.0.0.0/4 -j DROP
[1586:277756] -A dropInvalid -m conntrack --ctstate INVALID -j DROP
[154:33769] -A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[37915406:38207077756] -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[87341:7854624] -A fw2loc -j ACCEPT
[23302794:2747463943] -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[723810:48127346] -A fw2net -j ACCEPT
[22120131:2540600982] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[1690865:123568969] -A loc2fw -j ACCEPT
[4648223:2199575519] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2026408:124204151] -A loc2net -j ACCEPT
[0:0] -A logdrop -j DROP
[0:0] -A logreject -j reject
[31066181:36744941946] -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2fw -p tcp -m multiport --dports 80,443 -j ACCEPT
[625286:81182885] -A net2fw -j Drop
[78:5705] -A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
[78:5705] -A net2fw -j DROP
[5707247:4342382604] -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[183:10506] -A net2loc -j Drop
[10:504] -A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
[10:504] -A net2loc -j DROP
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[1184:60476] -A reject -p tcp -j REJECT --reject-with tcp-reset
[1379:142864] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Sep 4 15:59:41 2014
# Generated by iptables-save v1.4.7 on Thu Sep 4 15:59:41 2014
*mangle
:PREROUTING ACCEPT [100738327:74258097774]
:INPUT ACCEPT [56161556:39538223216]
:FORWARD ACCEPT [43753568:34643633135]
:OUTPUT ACCEPT [62741838:41065893900]
:POSTROUTING ACCEPT [106563429:75713842579]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[100738327:74258097774] -A PREROUTING -j tcpre
[43753568:34643633135] -A FORWARD -j MARK --set-xmark 0x0/0xffffffff
[43753568:34643633135] -A FORWARD -j tcfor
[62741838:41065893900] -A OUTPUT -j tcout
[106563429:75713842579] -A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Sep 4 15:59:41 2014
# Generated by iptables-save v1.4.7 on Thu Sep 4 15:59:41 2014
*nat
:PREROUTING ACCEPT [12:706]
:POSTROUTING ACCEPT [4:232]
:OUTPUT ACCEPT [3:180]
[32:1760] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 37777 -j ACCEPT
[742:41388] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 5222 -j ACCEPT
[37192:1934060] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 37777 -j ACCEPT
[12:616] -A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
[6:360] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 18004 -j ACCEPT
[16:888] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 8443 -j ACCEPT
[5755:299488] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
[110435:5812816] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[0:0] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 4370 -j MASQUERADE
[32:1760] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 37777 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 37777 -j MASQUERADE
[177:9288] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 5222 -j MASQUERADE
[23:1196] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 8443 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -d 201.217.50.26/32 -p tcp -m tcp --dport 443 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -d 201.217.50.26/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
[311:18524] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 10000 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 10000 -j MASQUERADE
[63:3324] -A POSTROUTING -s 192.168.15.0/24 -d IPPUBLICA -p tcp -m tcp --dport 443 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -d IPPUBLICA -p tcp -m tcp --dport 443 -j MASQUERADE
[27:1188] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 995 -j MASQUERADE
[27:1188] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 993 -j MASQUERADE
[20:952] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 465 -j MASQUERADE
[2:120] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 2082 -j MASQUERADE
[177210:8950230] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 110 -j MASQUERADE
[4873:242412] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 25 -j MASQUERADE
[253954:16728803] -A POSTROUTING -s 192.168.15.0/24 -p udp -m udp --dport 53 -j MASQUERADE
[42:1912] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 20:21 -j MASQUERADE
COMMIT
# Completed on Thu Sep 4 15:59:41 2014
# Generated by iptables-save v1.4.7 on Thu Sep 4 15:59:41 2014
*raw
:PREROUTING ACCEPT [100738327:74258097774]
:OUTPUT ACCEPT [62741838:41065893900]
COMMIT
# Completed on Thu Sep 4 15:59:41 2014
Que pereza leer todo ese
Que pereza leer todo ese iptables ...
En principio, si has configurado el proxy en el browser para "todos los protocolos" debería usarlo y bloquearte sin importar la configuración de iptables.
Mira los logs de SQUID a ver si te dan una pista, voy a ver la configuración de SQUID que posteaste que también me dio pereza leer ...
Ya comento cualquier actualización ...
bye
;)
A ver ...
A ver ...
(Distinto de haber :D)
La parte clave de la configuración de SQUID está acá:
# And finally deny all other access to this proxy
http_access allow full all
http_access allow hora
http_access allow webpermitidas !drop
http_access allow dominiospremitidos !drop
http_access allow semifull
http_access deny all redes_sociales
http_access deny all drop
http_access deny all redlocal
Los ACLs se procesan como una pila, es decir, la primera regla que se cumple es la que se aplica y listo, no se evalúan las subsiguientes ...
En ese sentido ...
Una IP presente en el ACL semifull por lo tanto no pasará por el deny de las redes sociales y demás ...
Así pues podrías subir el deny de las redes sociales o combinar las ACLs para una mejor aplicación de las reglas combinadas ...
Prueba con menos reglas combinándolas y vas ampliando las restricciones.
bye
;)
Solucionado. Gracias
Solucionado.
Gracias
Genial (Y) bye ;)
Genial (Y)
bye
;)