

Topologia da Rede 02/09/2010 (desenvolver o projeto de rede)


Sistema servidor: UBUNTU 8.10 server (observação: o 8.10 deixou de receber atualizações de segurança em abril de 2010; para uso em produção, preferir uma versão LTS com suporte)
Senha aluno;aluno (ATENÇÃO: credenciais em texto claro neste documento — trocar as senhas padrão e não documentá-las aqui)
Root alvaro
Interface eth0
Dhcp
192.168.254.1
Interface eth1
static
192.168.18.1
Rede 192.168.18.0/24
Dhcp ubuntu
Rede 192.168.254.0/24
Dhcp roteador
IPTABLES
SQUID



Serviços atuais: SQUID, IPTABLES, DHCP, APACHE, SARG, NTOP
Instalação, configuração, administração:
1. Install dhcp3-server
a. /etc/default/dhcp3-server (escuta dhcp ), /etc/network/interfaces
(conf das interfaces), /etc/dhcp3/dhcpd.conf (conf do DHCP),
/var/log/syslog (log do dhcp)
2. Install squid squid-common
a. /etc/squid/squid.conf (conf do squid), /var/log/squid (log do squid),
/etc/squid/regras/ ip_liberado.txt sitesliberados sitesbloqueados
acesso_restrito downloads palavra.txt ,
3. Install apache2
a. Para ver pela web SARG (/squid-reports)
b. Para ver pela web NTOP (:3000)
4. Install sarg
a. /etc/squid/sarg.conf
5. Install ntop
6. IPTABLES
a. /etc/init.d/script_iptables.sh , /var/log/messages ( cadeias para
ordenar logs)



Configuração DHCP

1) Configurando interface para requisio dhcp
a) /etc/default/dhcp3-server
i) INTERFACES="eth1"
2) Configurando interface eth0 wan; eth1 lan
a) /etc/network/interfaces
i) # The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

#interface lan eth1
auto eth1
iface eth1 inet static
address 192.168.18.1
netmask 255.255.255.0
network 192.168.18.0
broadcast 192.168.18.255
#gateway 192.168.18.1

3) Configurando dhcp3-server
a) /etc/dhcp3/dhcpd.conf
i) default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.18.0 netmask 255.255.255.0 {
range 192.168.18.10 192.168.18.100;
option routers 192.168.18.1;
option domain-name-servers 192.168.254.254;
option broadcast-address 192.168.18.255;
}
Configuração SQUID



1) Configurando squid.conf
a) /etc/squid/squid.conf (conf do squid)
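######## Squid listening port ########
# Listens on 3128; the iptables REDIRECT sends LAN port-80 traffic here.
http_port 3128 transparent
# Hostname shown in error pages and Via headers
visible_hostname proxy_NANE

# Work around broken Vary handling in Apache. The ACL name and the line
# that uses it must agree (the original declared "Apache" but used "apache").
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

### log location ###
access_log /var/log/squid/access.log

############# block / allow list files ###############
# src          - client IP addresses, one per line
# url_regex    - regular expression matched against the whole URL
# dstdom_regex - regular expression matched against the destination domain
# -i           - case-insensitive match
acl acesso_total src "/etc/squid/regras/ip_liberado.txt"
acl sitesliberados url_regex "/etc/squid/regras/sitesliberados"
acl sitesbloqueados url_regex -i "/etc/squid/regras/sitesbloqueados"
acl acesso_restrito src "/etc/squid/regras/acesso_restrito"
acl downloads url_regex -i "/etc/squid/regras/downloads"
acl palavra dstdom_regex -i "/etc/squid/regras/palavra.txt"

############## ACL declarations ######################
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 280 443 488 563 591 777 1025-65535
# FIX: the original declared "purge" as method CONNECT, so the
# "http_access deny purge" below rejected every CONNECT (HTTPS) request
# from anything except localhost. PURGE is the cache-management method.
acl purge method PURGE
acl CONNECT method CONNECT
acl redelocal src 192.168.18.0/24

##### restricted-hours ACL #######
acl horario time 12:00-14:00

############# http_access rules (first match wins) #############
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only the local network (and the proxy host itself) may use this proxy.
# Without this line the "allow" rules below match any source address, so
# anyone able to reach port 3128 could use the proxy for the listed URLs.
# The ip_liberado / acesso_restrito lists are expected to hold LAN addresses.
http_access deny !redelocal !localhost

############# allow rules and exceptions ###############
http_access allow acesso_total
http_access allow sitesliberados
http_access allow acesso_restrito horario
http_access deny acesso_restrito
http_access deny downloads
http_access deny sitesbloqueados
http_access deny palavra

######### allow the internal network ########
http_access allow localhost
http_access allow redelocal

######### deny everything else ##############
http_access deny all

######## error page directory (language of the "blocked" page) ##########
error_directory /usr/share/squid/errors/Portuguese
#error_directory /usr/share/squid/errors/English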

2) criando os arquivos de regras do squid
a) /etc/squid/regras/
i) ip_liberado.txt (coloca IPS )
sitesliberados (coloca URL site )
sitesbloqueados (coloca URL site )
acesso_restrito (coloca IPS )
downloads (coloca a extensão a bloquear, ex.: \.avi )
palavra.txt (coloca palavras)

Configuração SARG

1) configurando conf do sarg
a) /etc/squid/sarg.conf
i) language Portuguese
access_log /var/log/squid/access.log
output_dir /var/www/squid-reports

Configuração IPTABLES

1) Criando script do iptables
a) Adicionando script como service, para inicio automatico
i) chmod +x script_iptables.sh (os comandos são sensíveis a maiúsculas/minúsculas; o script precisa começar com a linha #!/bin/sh para ser executado pelo init)
ii) cp script_iptables.sh /etc/init.d/
iii) update-rc.d -f script_iptables.sh defaults (use update-rc.d -f script_iptables.sh remove para retirar)



2) Conteúdo do script_iptables.sh
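#!/bin/sh
####### iptables script v1 ######
####### date as written in the original: 31/09/2010 (sic) #####
#
# Firewall / NAT for the gateway described in this project:
#   lan - interface to the local network   = 192.168.18.1/24
#   wan - interface to the upstream router = 192.168.254.1/24
#
# Installed as /etc/init.d/script_iptables.sh and called with
# start | stop | restart. The shebang line is required so the init
# system can execute the file directly.
# No "set -e": some teardown commands (deleting a chain that does not
# exist yet, for example) are allowed to fail.

# external interface
wan="eth0"

# local interface
lan="eth1"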

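iniciar() {
  # Network served on the LAN interface (see the DHCP / interfaces config).
  lan_net="192.168.18.0/24"
  # Per-service chains: each one logs (rate-limited) and then decides.
  chains="C_HTTP C_DNS C_SSH C_FTP C_EMAIL C_AD C_SQUID C_GERAL"

  # service ports referenced below (kept from the original notes)
  # 80, 443              http / https (web pages)
  # 3128                 proxy (clients need it to browse)
  # tcp/udp 389          AD / LDAP
  # tcp 135              rpc, distributed link server
  # udp 137 138 tcp 139  netbios browsing
  # udp 53               dns
  # tcp 25 110 143       smtp, pop, imap
  # tcp 445              smb (group policy)
  # tcp 88 464 udp 88 464 389  kerberos, DC locator
  # tcp 23               telnet
  # tcp 3389             terminal services
  # udp 123              windows time / ntp / sntp
  # 113                  ident (used by mail servers)

  ##### kernel modules #####
  /sbin/modprobe ip_tables
  /sbin/modprobe iptable_filter
  /sbin/modprobe iptable_nat
  /sbin/modprobe ip_conntrack
  /sbin/modprobe ip_conntrack_ftp
  /sbin/modprobe ip_nat_ftp
  /sbin/modprobe ipt_LOG
  /sbin/modprobe ipt_REJECT
  /sbin/modprobe ipt_MASQUERADE

  ##### kernel network parameters #####
  # route between the two interfaces
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # FIX: the original wrote 1 here. This host is a router; honouring ICMP
  # redirects lets any host on either segment rewrite its routing table
  # (man-in-the-middle). The stop path already resets this to 0.
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  # refuse source-routed packets
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  # ignore bogus ICMP error responses
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # SYN-flood protection for connections to this host
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  # do not answer broadcast pings (smurf)
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # anti-spoofing (reverse path filter). "default" only applies to
  # interfaces created afterwards, so "all" is set too to cover the
  # already existing eth0/eth1.
  echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

  ##### start from clean tables, so a second "start" does not append a #####
  ##### duplicate copy of every rule                                    #####
  iptables -F
  iptables -t nat -F
  for c in $chains; do
    # the chains do not exist yet on the first start; that error is expected
    iptables -F "$c" 2>/dev/null
    iptables -X "$c" 2>/dev/null
  done

  ##### default policies #####
  # INPUT and FORWARD end in C_GERAL, which drops. DROP here as well so the
  # box is closed while the rules are being loaded.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  ##### logging chains #####
  for c in $chains; do
    iptables -N "$c"
  done

  ### http
  iptables -A C_HTTP -m limit --limit 6/m --limit-burst 6 -j LOG --log-prefix "fw http: "
  iptables -A C_HTTP -j ACCEPT

  ### dns
  iptables -A C_DNS -m limit --limit 6/m --limit-burst 6 -j LOG --log-prefix "fw dns: "
  iptables -A C_DNS -j ACCEPT

  ### ssh
  iptables -A C_SSH -m limit --limit 6/m --limit-burst 6 -j LOG --log-prefix "fw ssh: "
  iptables -A C_SSH -j ACCEPT

  ### ftp
  iptables -A C_FTP -m limit --limit 6/m --limit-burst 6 -j LOG --log-prefix "fw ftp: "
  iptables -A C_FTP -j ACCEPT

  ### email
  iptables -A C_EMAIL -m limit --limit 6/m --limit-burst 6 -j LOG --log-prefix "fw email: "
  iptables -A C_EMAIL -j ACCEPT

  ### ad
  iptables -A C_AD -m limit --limit 6/m --limit-burst 6 -j LOG --log-prefix "fw ad: "
  iptables -A C_AD -j ACCEPT

  ### squid
  # Only the LAN may reach the proxy port. Packets from the WAN side do not
  # match the ACCEPT, return to INPUT and end in C_GERAL (drop); this replaces
  # the commented-out "Protecao contra acesso externo squid" rules.
  iptables -A C_SQUID -m limit --limit 6/m --limit-burst 6 -j LOG --log-prefix "fw squid: "
  iptables -A C_SQUID -i "$lan" -p tcp --dport 3128 -j ACCEPT

  ### geral (everything not classified above)
  iptables -A C_GERAL -m limit --limit 6/m --limit-burst 6 -j LOG --log-prefix "fw geral: "
  # vnc
  # NOTE(review): VNC display :0 normally listens on tcp/5900; 5700 is kept
  # from the original — confirm the port.
  iptables -A C_GERAL -p tcp --dport 5700 -j ACCEPT
  # terminal server
  iptables -A C_GERAL -p tcp --dport 3389 -j ACCEPT
  ### vpn: create rules like these for every VPN (kept as a reference)
  # iptables -A INPUT -p tcp --dport 5001 -j ACCEPT
  # iptables -A FORWARD -p tcp --dport 5001 -j ACCEPT
  # iptables -A INPUT -p udp --dport 5001 -j ACCEPT
  # iptables -A FORWARD -p udp --dport 5001 -j ACCEPT
  # iptables -I FORWARD -i tun0 -j ACCEPT
  # iptables -I FORWARD -o tun0 -j ACCEPT
  #########################
  #iptables -A C_GERAL -j ACCEPT
  iptables -A C_GERAL -j DROP

  ##### INPUT: traffic addressed to the gateway itself #####
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state INVALID -j DROP
  # FIX: the original accepted NEW here as well. That made every rule after
  # it — the per-service chains and the final DROP in C_GERAL — unreachable,
  # so anything could connect to the gateway from either side. Only replies
  # belong here; new connections are classified below.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # ping: at most 1/s is answered, the rest falls through to C_GERAL
  iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # classify new connections by service (each chain logs and accepts)
  iptables -A INPUT -p tcp -m multiport --dports 80,443 -j C_HTTP
  iptables -A INPUT -p tcp --dport 53 -j C_DNS
  iptables -A INPUT -p udp --dport 53 -j C_DNS
  iptables -A INPUT -p tcp --dport 22 -j C_SSH
  iptables -A INPUT -p tcp -m multiport --dports 20,21 -j C_FTP
  iptables -A INPUT -p tcp -m multiport --dports 25,110,113 -j C_EMAIL
  iptables -A INPUT -p udp --dport 113 -j C_EMAIL
  iptables -A INPUT -p udp -m multiport --dports 67,68,123,88,137:139,389,464,543,544,749,750,1434,2105,4444 -j C_AD
  iptables -A INPUT -p tcp -m multiport --dports 135,389,445 -j C_AD
  iptables -A INPUT -p tcp --dport 3128 -j C_SQUID
  # Anything else coming from the LAN (ntop on :3000, for example) is still
  # accepted, as before; anything else arriving on the WAN side is dropped.
  iptables -A INPUT -i "$lan" -m state --state NEW -j ACCEPT
  iptables -A INPUT -j C_GERAL

  ##### FORWARD: traffic routed between LAN and WAN #####
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j C_HTTP
  iptables -A FORWARD -p tcp --dport 53 -j C_DNS
  iptables -A FORWARD -p udp --dport 53 -j C_DNS
  iptables -A FORWARD -p tcp --dport 22 -j C_SSH
  iptables -A FORWARD -p tcp -m multiport --dports 20,21 -j C_FTP
  iptables -A FORWARD -p tcp -m multiport --dports 25,110 -j C_EMAIL
  iptables -A FORWARD -p udp -m multiport --dports 67,68,123,88,137:139,389,464,543,544,749,750,1434,2105,4444 -j C_AD
  iptables -A FORWARD -p tcp -m multiport --dports 135,389,445 -j C_AD
  iptables -A FORWARD -p tcp --dport 3128 -j C_SQUID
  # The LAN may open any other outbound connection, as before. The original
  # "--syn -m limit 2/s -j ACCEPT" rule was removed: a rate-limited ACCEPT
  # with no DROP after it limits nothing, and once the accept-everything rule
  # is gone it would have let 2 WAN SYN/s into the LAN. tcp_syncookies above
  # covers SYN floods against the gateway itself.
  iptables -A FORWARD -i "$lan" -m state --state NEW -j ACCEPT
  iptables -A FORWARD -j C_GERAL

  ##### NAT #####
  # nat PREROUTING is evaluated top to bottom and only sees the first packet
  # of a connection. Order here reproduces the effective order of the
  # original (which mixed -I and -A).
  ################ MSN (tcp/1863) — marked "verificar" in the original ########
  # With this ACCEPT in place LAN clients reach MSN directly. Remove it and
  # the two rules further down send 1863 to port 80 and drop it (MSN blocked).
  iptables -t nat -A PREROUTING -s "$lan_net" -p tcp -m tcp --dport 1863 -j ACCEPT
  # transparent proxy: LAN port 80 -> squid 3128
  iptables -t nat -A PREROUTING -i "$lan" -s "$lan_net" -p tcp --dport 80 -j REDIRECT --to-port 3128
  # masquerade everything leaving through the WAN interface
  iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
  ##### block MSN: redirect to port 80 and discard
  iptables -t nat -A PREROUTING -i "$lan" -p tcp -m tcp --dport 1863 -j REDIRECT --to-port 80
  iptables -t nat -A PREROUTING -i "$lan" -p tcp -m tcp --dport 80 -j DROP
  # NOTE(review): this also drops LAN clients that point their browser at the
  # proxy explicitly (port 3128), which C_SQUID otherwise allows — confirm
  # that only the transparent path is wanted.
  iptables -t nat -A PREROUTING -i "$lan" -p tcp -m tcp --dport 3128 -j DROP
  ##############
}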
parar() {
  # Tear the rule set down. After this the box forwards nothing, and
  # INPUT/FORWARD/OUTPUT are back to ACCEPT, i.e. "stop" means the
  # firewall is switched off (as in the original).
  # word-splitting of $user_chains is intended (POSIX sh, no arrays)
  user_chains="C_HTTP C_DNS C_SSH C_FTP C_EMAIL C_AD C_SQUID C_GERAL"

  # flush the filter table, then each user chain explicitly
  iptables -F
  for c in $user_chains; do
    iptables -F "$c"
  done

  # delete the (now empty) user chains
  for c in $user_chains; do
    iptables -X "$c"
  done

  # flush the nat table
  iptables -F -t nat
  iptables -F POSTROUTING -t nat
  iptables -F PREROUTING -t nat

  # restore permissive default policies
  for c in INPUT FORWARD OUTPUT; do
    iptables -P "$c" ACCEPT
  done

  # stop routing between the interfaces
  echo 0 > /proc/sys/net/ipv4/ip_forward
  # stop honouring ICMP redirects
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
}
# Entry point: dispatch on the init action. An unknown or missing action
# prints the usage line (exit status 0, as in the original; an init script
# would normally exit non-zero here).
action="${1:-}"
case "$action" in
  start)
    iniciar
    ;;
  stop)
    parar
    ;;
  restart)
    parar
    iniciar
    ;;
  *)
    echo "use start ou stop ou restart"
    ;;
esac
