squid

Good morning friends, I inherited a Squid at the company where I started working, but it doesn't work as it should. Below I add the Squid lines:

squid.conf
--------------

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl redlocal src 192.168.15.0/24 # RFC1918 possible internal network
acl redlocal src 192.168.10.0/24 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 37777
acl SSL_ports port 443
acl SSL-ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 26 # smtp-global
acl CONNECT method CONNECT
acl full src "/etc/squid/full.acl"
acl semifull src "/etc/squid/semifull.acl"
acl webpermitidas url_regex -i # mail gmail hotmail outlook target liugong login.live portal.ips.gov hacienda.gov bcp.gov google stopparaguay.com
acl drop src "/etc/squid/drop.acl"
acl dominiospremitidos dstdomain "/etc/squid/dominiospremitidos.acl"
acl hora time 12:30-13:30
acl Sin_Redes_sociales src "/etc/squid/redes_sociales.acl"

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports !full

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports !full

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localhost
#http_access allow localhost

# And finally deny all other access to this proxy
http_access allow full all
http_access allow hora
http_access allow webpermitidas !drop
http_access allow dominiospremitidos !drop
http_access allow semifull
http_access deny all redes_sociales
http_access deny all drop
http_access deny all redlocal

# Squid normally listens to port 3128
# Designer
access_log /var/log/squid/access.log
cache_mem 32 MB
http_port 3128 intercept
#https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/squid/ssl/myCA.pem

# http_port 8080 transparent

#http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
logfile_rotate 7
err_html_text informatica@targetsa.com.py
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#shutdown_lifetime 5 seconds
cache_effective_user squid
cache_effective_group squid
-------------------------------------------------------------------------------------------------------------------------------------------

My idea is that those in full can browse without problems, like the company's managers,
and that those in semifull can't get into social networks.

Thanks
Miguel Baum

falcom

Let's see, you're not going to stop access to social networks with Squid alone; you also need to block with a good iptables script, blocking HTTPS access to those networks (which by default all use HTTPS). Search right here, some time ago scripts were posted to block Facebook, etc.

deathUser

Don't listen to him; you can block with Squid alone. Just don't NAT or masquerade the HTTP/HTTPS traffic or any other, don't use a transparent proxy, and force the users to configure the proxy in their browsers. Done, everyone has to obey what SQUID says ...

bye
;)

deathUser

miguelbaum

deathUser
--------------

Here we configure the proxy in the browser (server IP & port). If we add an IP/32 to the full.acl or semifull.acl rule, everyone can browse full just the same; if I remove them from either of the 2 rules they don't browse at all. My question is: am I missing some lines in my script, or am I missing more configuration, like in iptables?

iptables
------------

# Generated by iptables-save v1.4.7 on Thu Sep 4 15:59:41 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Ifw - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
[56161557:39538223268] -A INPUT -j Ifw
[2617411:222825340] -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
[31691467:36826124831] -A INPUT -i eth0 -j net2fw
[23810996:2664169951] -A INPUT -i eth1 -j loc2fw
[659094:47928486] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j Reject
[0:0] -A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
[0:0] -A INPUT -g reject
[12092673:2054294225] -A FORWARD -s 192.168.15.0/24 -d 192.168.10.0/24 -j ACCEPT
[19275964:25922921787] -A FORWARD -s 192.168.10.0/24 -d 192.168.15.0/24 -j ACCEPT
[2029392:124453473] -A FORWARD -m conntrack --ctstate INVALID,NEW -j dynamic
[5707430:4342393110] -A FORWARD -i eth0 -o eth1 -j net2loc
[6674631:2323779670] -A FORWARD -i eth1 -o eth0 -j loc2net
[69:5527] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2801:238816] -A FORWARD -j Reject
[409:66022] -A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
[409:66022] -A FORWARD -g reject
[24026604:2795591289] -A OUTPUT -o eth0 -j fw2net
[38002747:38214932380] -A OUTPUT -o eth1 -j fw2loc
[654714:46683891] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j Reject
[0:0] -A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
[0:0] -A OUTPUT -g reject
[625469:81193391] -A Drop
[0:0] -A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[625469:81193391] -A Drop -j dropBcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[1792:294690] -A Drop -j dropInvalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
[39:3042] -A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
[131:6840] -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[16:4238] -A Drop -p tcp -j dropNotSyn
[31:2300] -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A Ifw -m set --match-set ifw_wl src -j RETURN
[0:0] -A Ifw -m set --match-set ifw_bl src -j DROP
[48:3918] -A Ifw -m state --state INVALID,NEW -m psd --psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1 -j IFWLOG --log-prefix "SCAN"
[1703:102164] -A Ifw -p tcp -m state --state NEW -m tcp --dport 80 -j IFWLOG --log-prefix "NEW"
[0:0] -A Ifw -p tcp -m state --state NEW -m tcp --dport 443 -j IFWLOG --log-prefix "NEW"
[2801:238816] -A Reject
[0:0] -A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[2801:238816] -A Reject -j dropBcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[2801:238816] -A Reject -j dropInvalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
[1031:80418] -A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
[1123:56900] -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[211:33731] -A Reject -p tcp -j dropNotSyn
[1:250] -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[546864:71979951] -A dropBcast -m addrtype --dst-type BROADCAST -j DROP
[76813:8918750] -A dropBcast -d 224.0.0.0/4 -j DROP
[1586:277756] -A dropInvalid -m conntrack --ctstate INVALID -j DROP
[154:33769] -A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[37915406:38207077756] -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[87341:7854624] -A fw2loc -j ACCEPT
[23302794:2747463943] -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[723810:48127346] -A fw2net -j ACCEPT
[22120131:2540600982] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[1690865:123568969] -A loc2fw -j ACCEPT
[4648223:2199575519] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2026408:124204151] -A loc2net -j ACCEPT
[0:0] -A logdrop -j DROP
[0:0] -A logreject -j reject
[31066181:36744941946] -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2fw -p tcp -m multiport --dports 80,443 -j ACCEPT
[625286:81182885] -A net2fw -j Drop
[78:5705] -A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
[78:5705] -A net2fw -j DROP
[5707247:4342382604] -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[183:10506] -A net2loc -j Drop
[10:504] -A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
[10:504] -A net2loc -j DROP
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[1184:60476] -A reject -p tcp -j REJECT --reject-with tcp-reset
[1379:142864] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Sep 4 15:59:41 2014
# Generated by iptables-save v1.4.7 on Thu Sep 4 15:59:41 2014
*mangle
:PREROUTING ACCEPT [100738327:74258097774]
:INPUT ACCEPT [56161556:39538223216]
:FORWARD ACCEPT [43753568:34643633135]
:OUTPUT ACCEPT [62741838:41065893900]
:POSTROUTING ACCEPT [106563429:75713842579]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[100738327:74258097774] -A PREROUTING -j tcpre
[43753568:34643633135] -A FORWARD -j MARK --set-xmark 0x0/0xffffffff
[43753568:34643633135] -A FORWARD -j tcfor
[62741838:41065893900] -A OUTPUT -j tcout
[106563429:75713842579] -A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Sep 4 15:59:41 2014
# Generated by iptables-save v1.4.7 on Thu Sep 4 15:59:41 2014
*nat
:PREROUTING ACCEPT [12:706]
:POSTROUTING ACCEPT [4:232]
:OUTPUT ACCEPT [3:180]
[32:1760] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 37777 -j ACCEPT
[742:41388] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 5222 -j ACCEPT
[37192:1934060] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 37777 -j ACCEPT
[12:616] -A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
[6:360] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 18004 -j ACCEPT
[16:888] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 8443 -j ACCEPT
[5755:299488] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
[110435:5812816] -A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[0:0] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 4370 -j MASQUERADE
[32:1760] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 37777 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 37777 -j MASQUERADE
[177:9288] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 5222 -j MASQUERADE
[23:1196] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 8443 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -d 201.217.50.26/32 -p tcp -m tcp --dport 443 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -d 201.217.50.26/32 -p tcp -m tcp --dport 8443 -j MASQUERADE
[311:18524] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 10000 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 10000 -j MASQUERADE
[63:3324] -A POSTROUTING -s 192.168.15.0/24 -d IPPUBLICA -p tcp -m tcp --dport 443 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.15.0/24 -d IPPUBLICA -p tcp -m tcp --dport 443 -j MASQUERADE
[27:1188] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 995 -j MASQUERADE
[27:1188] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 993 -j MASQUERADE
[20:952] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 465 -j MASQUERADE
[2:120] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 2082 -j MASQUERADE
[177210:8950230] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 110 -j MASQUERADE
[4873:242412] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 25 -j MASQUERADE
[253954:16728803] -A POSTROUTING -s 192.168.15.0/24 -p udp -m udp --dport 53 -j MASQUERADE
[42:1912] -A POSTROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 20:21 -j MASQUERADE
COMMIT
# Completed on Thu Sep 4 15:59:41 2014
# Generated by iptables-save v1.4.7 on Thu Sep 4 15:59:41 2014
*raw
:PREROUTING ACCEPT [100738327:74258097774]
:OUTPUT ACCEPT [62741838:41065893900]
COMMIT
# Completed on Thu Sep 4 15:59:41 2014

deathUser

What a drag reading all that iptables ...
In principle, if you have configured the proxy in the browser for "all protocols", it should use it and block you regardless of the iptables configuration.

Look at the SQUID logs to see if they give you a clue; I'm going to look at the SQUID configuration you posted, which I was also too lazy to read ...

I'll comment on any update ...

bye
;)

deathUser

Let's see ...
(That's "a ver", not "haber" :D)

The key part of the SQUID configuration is here:

# And finally deny all other access to this proxy
http_access allow full all
http_access allow hora
http_access allow webpermitidas !drop
http_access allow dominiospremitidos !drop
http_access allow semifull
http_access deny all redes_sociales
http_access deny all drop
http_access deny all redlocal

The ACLs are processed like a stack, that is, the first rule that matches is the one that gets applied and that's it; the subsequent ones are not evaluated ...

In that sense ...

An IP present in the semifull ACL will therefore never go through the deny for social networks and the rest ...

So you could move the social-network deny up, or combine the ACLs for a better application of the combined rules ...

Try with fewer rules, combining them, and extend the restrictions gradually.

bye
;)
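The first-match behaviour deathUser describes above, and the goal stated in the opening post (full browses freely, semifull without social networks), as an added example that is not part of the thread and not Squid's own code: a small Python simulator of `http_access` evaluation, run over the posted rule order and over a reordered version. The `.acl` file contents are not on the page, so the client addresses, the `webpermitidas` patterns and the social-site domains are constructed sample data. The posted rules reference `redes_sociales` while the posted `acl` section declares `Sin_Redes_sociales` as a `src` (client address) list; the simulation assumes they are the same list. The `social_sites` `dstdomain` ACL and the `decide`/`evaluate` helpers are assumptions introduced here to express the social-network block on the destination.

```python
"""Simulate Squid http_access evaluation for the rules posted in this thread.

Squid tests http_access lines top to bottom. A line matches when every ACL
named on it matches (a leading "!" negates that ACL). The first matching line
decides and nothing below it is consulted; if no line matches, the result is
the opposite of the last line's action.
"""
import ipaddress
import re

# ACL table: name -> (type, values). The .acl files are not on the page, so the
# client addresses, regex patterns and domain lists below are constructed.
ACLS = {
    "all": ("all", []),
    "full": ("src", ["192.168.15.10/32"]),            # assumed full.acl
    "semifull": ("src", ["192.168.15.20/32"]),        # assumed semifull.acl
    "drop": ("src", ["192.168.15.99/32"]),            # assumed drop.acl
    "redlocal": ("src", ["192.168.15.0/24", "192.168.10.0/24"]),
    "hora": ("time", [("12:30", "13:30")]),
    "webpermitidas": ("url_regex", ["gmail", "google"]),    # assumed patterns
    "dominiospremitidos": ("dstdomain", [".example.com"]),  # assumed list
    # Declared in the posted config as Sin_Redes_sociales, a *src* list of
    # client addresses; assumed to be the list the rules call redes_sociales.
    "redes_sociales": ("src", ["192.168.15.20/32"]),
    # Destination list of social sites (constructed); the posted config has none.
    "social_sites": ("dstdomain", [".facebook.com", ".twitter.com"]),
}


def acl_matches(name, req):
    """True when ACL `name` matches the request dict `req`."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        # ".example.com" covers the domain and its subdomains; no dot = exact
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "url_regex":
        return any(re.search(p, req["url"], re.IGNORECASE) for p in values)
    if kind == "time":
        return any(start <= req["time"] <= end for start, end in values)
    raise ValueError(f"unsupported ACL type {kind}")


def parse_rules(text):
    """Turn http_access lines into (action, [acl terms]) tuples, in order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def evaluate(rules, req):
    """First-match evaluation; returns (action, text of the deciding rule)."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, f"{action} {' '.join(terms)}"
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "no match: opposite of last rule"


# The http_access block exactly as posted in the thread.
ORIGINAL = """
http_access allow full all
http_access allow hora
http_access allow webpermitidas !drop
http_access allow dominiospremitidos !drop
http_access allow semifull
http_access deny all redes_sociales
http_access deny all drop
http_access deny all redlocal
"""

# Denies placed above the broad allows, the social block keyed on the
# destination, and an explicit final deny so the default never applies.
REORDERED = """
http_access allow full
http_access deny drop
http_access deny semifull social_sites
http_access allow semifull
http_access allow hora
http_access allow webpermitidas
http_access allow dominiospremitidos
http_access deny all
"""


def decide(rules_text, src, host, time="10:00"):
    """Decision ("allow"/"deny") for one client, host and HH:MM time."""
    req = {"src": src, "host": host, "url": f"http://{host}/", "time": time}
    return evaluate(parse_rules(rules_text), req)[0]


if __name__ == "__main__":
    for src, host, when in [("192.168.15.20", "www.facebook.com", "10:00"),
                            ("192.168.15.99", "www.example.com", "12:45"),
                            ("10.0.0.5", "www.facebook.com", "10:00")]:
        print(src, host, when, "posted:", decide(ORIGINAL, src, host, when),
              "reordered:", decide(REORDERED, src, host, when))
```

Run it and the semifull client gets `allow` for a social site under the posted order, because `allow semifull` matches before any deny, and `deny` under the reordered one. The client listed in `drop` is likewise allowed at lunch time under the posted order, since `allow hora` sits above `deny all drop`, and a client in neither list is allowed under the posted order because no line matches and the default is the opposite of the last line. A `src`-typed ACL can only deny a whole client, so a destination-based `dstdomain` list is what actually restricts which sites the semifull group reaches.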