1 p.m.
Pessoal,
to com um problema em um squid que configurei, pois quando navegando por ele
não consigo de forma alguma acessar o site de simulação de habitação (muito
utilizado aqui na empresa)
link:
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
o que pode ser?
desde já agradeço...
abaixo segue meu squid.conf e meu script iptables
---- SQUID CONF ----
http_port 3128
visible_hostname SrvProxy
error_directory /usr/share/squid/errors/pt-br/
coredump_dir /var/spool/squid
cache_access_log /var/log/squid/access.log
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm (Servidor de Internet)
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive off
auth_param basic program /usr/lib/squid/ncsa_auth
/etc/squid/confs/squid_passwd
#authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 22 80 443 563 9443 2200
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 2200 # ssh
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 86 # Speedy
acl Safe_ports port 5800 # VNC
acl Safe_ports port 5900 # VNC
acl Safe_ports port 1527 # NFP
acl Safe_ports port 8443 # NFP
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
acl login proxy_auth REQUIRED
# ACL DE LIBERACOES
acl lib_usuarios proxy_auth "/etc/squid/confs/lib_usuarios"
acl lib_sites dstdomain "/etc/squid/confs/lib_sites"
acl lib_ip src "/etc/squid/confs/lib_ip"
acl win url_regex -i windowsupdate
update.microsoft.com
# ACL DE BLOQUEIO
acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
acl neg_hora time "/etc/squid/confs/neg_hora"
acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
acl msn url_regex -i /gateway/gateway.dll
# FIM DECLARACOES ACLS
################################################################################
http_access allow all win
http_access allow lib_ip
http_access deny neg_msn
http_access deny neg_msn2
http_access deny msn
http_access deny neg_sites
http_access allow lib_sites
http_access allow !neg_hora
http_access allow lib_usuarios
http_access deny all
http_reply_access allow all
#icp_access allow all
---- SCRIPT IPTABLES ----
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
--to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j DNAT
--to-destination 192.168.7.1:2200
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT
--to-destination 192.168.7.100:3389
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j MASQUERADE
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
1:22 p.m.
Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu problema
por enquanto porem eu aconselho você estudar uma outra forma de fazer isso
ok, dai tu vai usando enquanto estuda ;)
acl java browser Java e http_access allow java
Abraços,
Em 2 de agosto de 2011 15:00, Fabiano Barros <barrosfabiano(a)gmail.com>escreveu:
Pessoal,
to com um problema em um squid que configurei, pois quando navegando por
ele não consigo de forma alguma acessar o site de simulação de habitação
(muito utilizado aqui na empresa)
link:
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
o que pode ser?
desde já agradeço...
abaixo segue meu squid.conf e meu script iptables
---- SQUID CONF ----
http_port 3128
visible_hostname SrvProxy
error_directory /usr/share/squid/errors/pt-br/
coredump_dir /var/spool/squid
cache_access_log /var/log/squid/access.log
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm (Servidor de Internet)
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive off
auth_param basic program /usr/lib/squid/ncsa_auth
/etc/squid/confs/squid_passwd
#authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 22 80 443 563 9443 2200
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 2200 # ssh
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 86 # Speedy
acl Safe_ports port 5800 # VNC
acl Safe_ports port 5900 # VNC
acl Safe_ports port 1527 # NFP
acl Safe_ports port 8443 # NFP
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
acl login proxy_auth REQUIRED
# ACL DE LIBERACOES
acl lib_usuarios proxy_auth "/etc/squid/confs/lib_usuarios"
acl lib_sites dstdomain "/etc/squid/confs/lib_sites"
acl lib_ip src "/etc/squid/confs/lib_ip"
acl win url_regex -i windowsupdate
update.microsoft.com
# ACL DE BLOQUEIO
acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
acl neg_hora time "/etc/squid/confs/neg_hora"
acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
acl msn url_regex -i /gateway/gateway.dll
# FIM DECLARACOES ACLS
################################################################################
http_access allow all win
http_access allow lib_ip
http_access deny neg_msn
http_access deny neg_msn2
http_access deny msn
http_access deny neg_sites
http_access allow lib_sites
http_access allow !neg_hora
http_access allow lib_usuarios
http_access deny all
http_reply_access allow all
#icp_access allow all
---- SCRIPT IPTABLES ----
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
--to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j DNAT
--to-destination 192.168.7.1:2200
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT
--to-destination 192.168.7.100:3389
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j MASQUERADE
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Francisco Viana (Chico Fedora)
Analista de Suporte Linux
Embaixador Fedora
Desenvolvedor Ekaaty GNU/Linux
Desenvolvedor GESAC GNU/Linux
Admin. Comunidade Fedora Brasil
2:14 p.m.
Caro, Francisco,
aqui não funcionou não, tem alguma posição especifica que devo colocar esta
acl?
eu fiz assim:
# ACL DE BLOQUEIO
acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
acl neg_hora time "/etc/squid/confs/neg_hora"
acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
acl msn url_regex -i /gateway/gateway.dll
acl java browser Java
# FIM DECLARACOES ACLS
################################################################################
http_access allow java
http_access allow all win
http_access allow lib_ip
Obrigado pelo apoio.
2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu
problema por enquanto porem eu aconselho você estudar uma outra forma de
fazer isso ok, dai tu vai usando enquanto estuda ;)
acl java browser Java e http_access allow java
Abraços,
Em 2 de agosto de 2011 15:00, Fabiano Barros <barrosfabiano(a)gmail.com>escreveu:
>
> Pessoal,
>
> to com um problema em um squid que configurei, pois quando navegando por
> ele não consigo de forma alguma acessar o site de simulação de habitação
> (muito utilizado aqui na empresa)
>
> link:
>
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
>
> o que pode ser?
>
> desde já agradeço...
>
>
> abaixo segue meu squid.conf e meu script iptables
>
>
> ---- SQUID CONF ----
> http_port 3128
> visible_hostname SrvProxy
> error_directory /usr/share/squid/errors/pt-br/
> coredump_dir /var/spool/squid
> cache_access_log /var/log/squid/access.log
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> auth_param basic children 5
> auth_param basic realm (Servidor de Internet)
> auth_param basic credentialsttl 1 hours
> auth_param basic casesensitive off
> auth_param basic program /usr/lib/squid/ncsa_auth
> /etc/squid/confs/squid_passwd
> #authenticate_cache_garbage_interval 1 hour
> authenticate_ttl 1 hour
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> #acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 22 80 443 563 9443 2200
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ssh
> acl Safe_ports port 2200 # ssh
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 86 # Speedy
> acl Safe_ports port 5800 # VNC
> acl Safe_ports port 5900 # VNC
> acl Safe_ports port 1527 # NFP
> acl Safe_ports port 8443 # NFP
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
> acl login proxy_auth REQUIRED
> # ACL DE LIBERACOES
> acl lib_usuarios proxy_auth "/etc/squid/confs/lib_usuarios"
> acl lib_sites dstdomain "/etc/squid/confs/lib_sites"
> acl lib_ip src "/etc/squid/confs/lib_ip"
> acl win url_regex -i windowsupdate
> update.microsoft.com
> # ACL DE BLOQUEIO
> acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
> acl neg_hora time "/etc/squid/confs/neg_hora"
> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
> acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
> acl msn url_regex -i /gateway/gateway.dll
> # FIM DECLARACOES ACLS
>
> ################################################################################
> http_access allow all win
> http_access allow lib_ip
> http_access deny neg_msn
> http_access deny neg_msn2
> http_access deny msn
> http_access deny neg_sites
> http_access allow lib_sites
> http_access allow !neg_hora
> http_access allow lib_usuarios
> http_access deny all
> http_reply_access allow all
> #icp_access allow all
>
>
>
> ---- SCRIPT IPTABLES ----
>
> iptables -F
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F POSTROUTING -t nat
> iptables -F PREROUTING -t nat
>
> iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
> iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
> iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j DNAT
> --to-destination 192.168.7.1:2200
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT
> --to-destination 192.168.7.100:3389
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -P FORWARD ACCEPT
> iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j MASQUERADE
>
>
>
>
> --
> Fabiano Barros
> Cel.: 55 15 9715-8004
> barrosfabiano(a)gmail.com
>
>
>
> --
> br-users mailing list
> br-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/br-users
>
--
Francisco Viana (Chico Fedora)
Analista de Suporte Linux
Embaixador Fedora
Desenvolvedor Ekaaty GNU/Linux
Desenvolvedor GESAC GNU/Linux
Admin. Comunidade Fedora Brasil
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
2:18 p.m.
Fabiano, experimente:
acl java browser Java/1.4 Java/1.5 Java/1.6
http_access allow java
--
Rodrigo Bezerra Brasil
Belém, PA, Brasil
'"Software Livre" é uma questão de liberdade, não de preço. Para entender o
conceito, você deve pensar em "liberdade de expressão", não em "cerveja
grátis".'
2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com>
Caro, Francisco,
aqui não funcionou não, tem alguma posição especifica que devo colocar esta
acl?
eu fiz assim:
# ACL DE BLOQUEIO
acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
acl neg_hora time "/etc/squid/confs/neg_hora"
acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
acl msn url_regex -i /gateway/gateway.dll
acl java browser Java
# FIM DECLARACOES ACLS
################################################################################
http_access allow java
http_access allow all win
http_access allow lib_ip
Obrigado pelo apoio.
2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
> Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu
> problema por enquanto porem eu aconselho você estudar uma outra forma de
> fazer isso ok, dai tu vai usando enquanto estuda ;)
>
> acl java browser Java e http_access allow java
>
>
> Abraços,
>
>
> Em 2 de agosto de 2011 15:00, Fabiano Barros
<barrosfabiano(a)gmail.com>escreveu:
>
>>
>> Pessoal,
>>
>> to com um problema em um squid que configurei, pois quando navegando por
>> ele não consigo de forma alguma acessar o site de simulação de habitação
>> (muito utilizado aqui na empresa)
>>
>> link:
>>
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
>>
>> o que pode ser?
>>
>> desde já agradeço...
>>
>>
>> abaixo segue meu squid.conf e meu script iptables
>>
>>
>> ---- SQUID CONF ----
>> http_port 3128
>> visible_hostname SrvProxy
>> error_directory /usr/share/squid/errors/pt-br/
>> coredump_dir /var/spool/squid
>> cache_access_log /var/log/squid/access.log
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>>
>> auth_param basic children 5
>> auth_param basic realm (Servidor de Internet)
>> auth_param basic credentialsttl 1 hours
>> auth_param basic casesensitive off
>> auth_param basic program /usr/lib/squid/ncsa_auth
>> /etc/squid/confs/squid_passwd
>> #authenticate_cache_garbage_interval 1 hour
>> authenticate_ttl 1 hour
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> #acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 22 80 443 563 9443 2200
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 22 # ssh
>> acl Safe_ports port 2200 # ssh
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 86 # Speedy
>> acl Safe_ports port 5800 # VNC
>> acl Safe_ports port 5900 # VNC
>> acl Safe_ports port 1527 # NFP
>> acl Safe_ports port 8443 # NFP
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> # ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
>> acl login proxy_auth REQUIRED
>> # ACL DE LIBERACOES
>> acl lib_usuarios proxy_auth
"/etc/squid/confs/lib_usuarios"
>> acl lib_sites dstdomain "/etc/squid/confs/lib_sites"
>> acl lib_ip src "/etc/squid/confs/lib_ip"
>> acl win url_regex -i windowsupdate
>> update.microsoft.com
>> # ACL DE BLOQUEIO
>> acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
>> acl neg_hora time "/etc/squid/confs/neg_hora"
>> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
>> acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
>> acl msn url_regex -i /gateway/gateway.dll
>> # FIM DECLARACOES ACLS
>>
>> ################################################################################
>> http_access allow all win
>> http_access allow lib_ip
>> http_access deny neg_msn
>> http_access deny neg_msn2
>> http_access deny msn
>> http_access deny neg_sites
>> http_access allow lib_sites
>> http_access allow !neg_hora
>> http_access allow lib_usuarios
>> http_access deny all
>> http_reply_access allow all
>> #icp_access allow all
>>
>>
>>
>> ---- SCRIPT IPTABLES ----
>>
>> iptables -F
>> iptables -F INPUT
>> iptables -F OUTPUT
>> iptables -F POSTROUTING -t nat
>> iptables -F PREROUTING -t nat
>>
>> iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
>> iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
>> iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
>>
>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j DNAT
>> --to-destination 192.168.7.1:2200
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT
>> --to-destination 192.168.7.100:3389
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -P FORWARD ACCEPT
>> iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j MASQUERADE
>>
>>
>>
>>
>> --
>> Fabiano Barros
>> Cel.: 55 15 9715-8004
>> barrosfabiano(a)gmail.com
>>
>>
>>
>> --
>> br-users mailing list
>> br-users(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>
>
>
>
> --
> Francisco Viana (Chico Fedora)
>
> Analista de Suporte Linux
> Embaixador Fedora
> Desenvolvedor Ekaaty GNU/Linux
> Desenvolvedor GESAC GNU/Linux
> Admin. Comunidade Fedora Brasil
>
>
>
>
> --
> br-users mailing list
> br-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/br-users
>
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
2:33 p.m.
Rodrigo,
Tambem não deu não...
será que tem a ver com o inicio do link iniciar em ww8.caixa.gov.br?
obrigado pelo apoio
2011/8/2 Rodrigo B Brasil <rodrigobbrasil(a)gmail.com>
Fabiano, experimente:
acl java browser Java/1.4 Java/1.5 Java/1.6
http_access allow java
--
Rodrigo Bezerra Brasil
Belém, PA, Brasil
'"Software Livre" é uma questão de liberdade, não de preço. Para entender
o
conceito, você deve pensar em "liberdade de expressão", não em "cerveja
grátis".'
2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com>
> Caro, Francisco,
>
> aqui não funcionou não, tem alguma posição especifica que devo colocar
> esta acl?
>
> eu fiz assim:
>
>
>
> # ACL DE BLOQUEIO
> acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
> acl neg_hora time "/etc/squid/confs/neg_hora"
> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
> acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
> acl msn url_regex -i /gateway/gateway.dll
> acl java browser Java
>
> # FIM DECLARACOES ACLS
>
> ################################################################################
>
> http_access allow java
>
>
> http_access allow all win
>
> http_access allow lib_ip
>
>
>
> Obrigado pelo apoio.
>
>
>
> 2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
>
>> Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu
>> problema por enquanto porem eu aconselho você estudar uma outra forma de
>> fazer isso ok, dai tu vai usando enquanto estuda ;)
>>
>> acl java browser Java e http_access allow java
>>
>>
>> Abraços,
>>
>>
>> Em 2 de agosto de 2011 15:00, Fabiano Barros
<barrosfabiano(a)gmail.com>escreveu:
>>
>>>
>>> Pessoal,
>>>
>>> to com um problema em um squid que configurei, pois quando navegando por
>>> ele não consigo de forma alguma acessar o site de simulação de habitação
>>> (muito utilizado aqui na empresa)
>>>
>>> link:
>>>
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
>>>
>>> o que pode ser?
>>>
>>> desde já agradeço...
>>>
>>>
>>> abaixo segue meu squid.conf e meu script iptables
>>>
>>>
>>> ---- SQUID CONF ----
>>> http_port 3128
>>> visible_hostname SrvProxy
>>> error_directory /usr/share/squid/errors/pt-br/
>>> coredump_dir /var/spool/squid
>>> cache_access_log /var/log/squid/access.log
>>> hierarchy_stoplist cgi-bin ?
>>> acl QUERY urlpath_regex cgi-bin \?
>>> no_cache deny QUERY
>>>
>>> auth_param basic children 5
>>> auth_param basic realm (Servidor de Internet)
>>> auth_param basic credentialsttl 1 hours
>>> auth_param basic casesensitive off
>>> auth_param basic program /usr/lib/squid/ncsa_auth
>>> /etc/squid/confs/squid_passwd
>>> #authenticate_cache_garbage_interval 1 hour
>>> authenticate_ttl 1 hour
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>> #acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 22 80 443 563 9443 2200
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 22 # ssh
>>> acl Safe_ports port 2200 # ssh
>>> acl Safe_ports port 443 563 # https, snews
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl Safe_ports port 631 # cups
>>> acl Safe_ports port 86 # Speedy
>>> acl Safe_ports port 5800 # VNC
>>> acl Safe_ports port 5900 # VNC
>>> acl Safe_ports port 1527 # NFP
>>> acl Safe_ports port 8443 # NFP
>>> acl CONNECT method CONNECT
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> # ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
>>> acl login proxy_auth REQUIRED
>>> # ACL DE LIBERACOES
>>> acl lib_usuarios proxy_auth
"/etc/squid/confs/lib_usuarios"
>>> acl lib_sites dstdomain
"/etc/squid/confs/lib_sites"
>>> acl lib_ip src "/etc/squid/confs/lib_ip"
>>> acl win url_regex -i windowsupdate
>>> update.microsoft.com
>>> # ACL DE BLOQUEIO
>>> acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
>>> acl neg_hora time
"/etc/squid/confs/neg_hora"
>>> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
>>> acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
>>> acl msn url_regex -i /gateway/gateway.dll
>>> # FIM DECLARACOES ACLS
>>>
>>>
################################################################################
>>> http_access allow all win
>>> http_access allow lib_ip
>>> http_access deny neg_msn
>>> http_access deny neg_msn2
>>> http_access deny msn
>>> http_access deny neg_sites
>>> http_access allow lib_sites
>>> http_access allow !neg_hora
>>> http_access allow lib_usuarios
>>> http_access deny all
>>> http_reply_access allow all
>>> #icp_access allow all
>>>
>>>
>>>
>>> ---- SCRIPT IPTABLES ----
>>>
>>> iptables -F
>>> iptables -F INPUT
>>> iptables -F OUTPUT
>>> iptables -F POSTROUTING -t nat
>>> iptables -F PREROUTING -t nat
>>>
>>> iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
>>> iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
>>> iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
>>>
>>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>>> --to-port 3128
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j DNAT
>>> --to-destination 192.168.7.1:2200
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT
>>> --to-destination 192.168.7.100:3389
>>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> iptables -P FORWARD ACCEPT
>>> iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j MASQUERADE
>>>
>>>
>>>
>>>
>>> --
>>> Fabiano Barros
>>> Cel.: 55 15 9715-8004
>>> barrosfabiano(a)gmail.com
>>>
>>>
>>>
>>> --
>>> br-users mailing list
>>> br-users(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>
>>
>>
>>
>> --
>> Francisco Viana (Chico Fedora)
>>
>> Analista de Suporte Linux
>> Embaixador Fedora
>> Desenvolvedor Ekaaty GNU/Linux
>> Desenvolvedor GESAC GNU/Linux
>> Admin. Comunidade Fedora Brasil
>>
>>
>>
>>
>> --
>> br-users mailing list
>> br-users(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>
>
>
>
> --
> Fabiano Barros
> Cel.: 55 15 9715-8004
> barrosfabiano(a)gmail.com
>
>
>
> --
> br-users mailing list
> br-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/br-users
>
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
5:59 p.m.
Um relato,
trouxe a maquina para a minha casa e configurei tudo aqui e funcionou!!!
como pode?
Na empresa eu tenho um servidor de AD e ainternet passa por um roteador
Cisco, isso pode ter alguma coisa a ver?
Obrigado a todos.
2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com>
Rodrigo,
Tambem não deu não...
será que tem a ver com o inicio do link iniciar em ww8.caixa.gov.br?
obrigado pelo apoio
2011/8/2 Rodrigo B Brasil <rodrigobbrasil(a)gmail.com>
> Fabiano, experimente:
>
> acl java browser Java/1.4 Java/1.5 Java/1.6
> http_access allow java
>
> --
> Rodrigo Bezerra Brasil
> Belém, PA, Brasil
> '"Software Livre" é uma questão de liberdade, não de preço. Para
entender
> o conceito, você deve pensar em "liberdade de expressão", não em
"cerveja
> grátis".'
>
>
>
>
> 2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com>
>
>> Caro, Francisco,
>>
>> aqui não funcionou não, tem alguma posição especifica que devo colocar
>> esta acl?
>>
>> eu fiz assim:
>>
>>
>>
>> # ACL DE BLOQUEIO
>> acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
>> acl neg_hora time "/etc/squid/confs/neg_hora"
>> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
>> acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
>> acl msn url_regex -i /gateway/gateway.dll
>> acl java browser Java
>>
>> # FIM DECLARACOES ACLS
>>
>> ################################################################################
>>
>> http_access allow java
>>
>>
>> http_access allow all win
>>
>> http_access allow lib_ip
>>
>>
>>
>> Obrigado pelo apoio.
>>
>>
>>
>> 2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
>>
>>> Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu
>>> problema por enquanto porem eu aconselho você estudar uma outra forma de
>>> fazer isso ok, dai tu vai usando enquanto estuda ;)
>>>
>>> acl java browser Java e http_access allow java
>>>
>>>
>>> Abraços,
>>>
>>>
>>> Em 2 de agosto de 2011 15:00, Fabiano Barros
<barrosfabiano(a)gmail.com>escreveu:
>>>
>>>>
>>>> Pessoal,
>>>>
>>>> to com um problema em um squid que configurei, pois quando navegando
>>>> por ele não consigo de forma alguma acessar o site de simulação de
habitação
>>>> (muito utilizado aqui na empresa)
>>>>
>>>> link:
>>>>
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
>>>>
>>>> o que pode ser?
>>>>
>>>> desde já agradeço...
>>>>
>>>>
>>>> abaixo segue meu squid.conf e meu script iptables
>>>>
>>>>
>>>> ---- SQUID CONF ----
>>>> http_port 3128
>>>> visible_hostname SrvProxy
>>>> error_directory /usr/share/squid/errors/pt-br/
>>>> coredump_dir /var/spool/squid
>>>> cache_access_log /var/log/squid/access.log
>>>> hierarchy_stoplist cgi-bin ?
>>>> acl QUERY urlpath_regex cgi-bin \?
>>>> no_cache deny QUERY
>>>>
>>>> auth_param basic children 5
>>>> auth_param basic realm (Servidor de Internet)
>>>> auth_param basic credentialsttl 1 hours
>>>> auth_param basic casesensitive off
>>>> auth_param basic program /usr/lib/squid/ncsa_auth
>>>> /etc/squid/confs/squid_passwd
>>>> #authenticate_cache_garbage_interval 1 hour
>>>> authenticate_ttl 1 hour
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern . 0 20% 4320
>>>> #acl all src 0.0.0.0/0.0.0.0
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl SSL_ports port 22 80 443 563 9443 2200
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 22 # ssh
>>>> acl Safe_ports port 2200 # ssh
>>>> acl Safe_ports port 443 563 # https, snews
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl Safe_ports port 631 # cups
>>>> acl Safe_ports port 86 # Speedy
>>>> acl Safe_ports port 5800 # VNC
>>>> acl Safe_ports port 5900 # VNC
>>>> acl Safe_ports port 1527 # NFP
>>>> acl Safe_ports port 8443 # NFP
>>>> acl CONNECT method CONNECT
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>>
>>>> # ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
>>>> acl login proxy_auth REQUIRED
>>>> # ACL DE LIBERACOES
>>>> acl lib_usuarios proxy_auth
"/etc/squid/confs/lib_usuarios"
>>>> acl lib_sites dstdomain
"/etc/squid/confs/lib_sites"
>>>> acl lib_ip src
"/etc/squid/confs/lib_ip"
>>>> acl win url_regex -i windowsupdate
>>>> update.microsoft.com
>>>> # ACL DE BLOQUEIO
>>>> acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
>>>> acl neg_hora time
"/etc/squid/confs/neg_hora"
>>>> acl neg_msn dstdomain
"/etc/squid/confs/neg_msn"
>>>> acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
>>>> acl msn url_regex -i /gateway/gateway.dll
>>>> # FIM DECLARACOES ACLS
>>>>
>>>>
################################################################################
>>>> http_access allow all win
>>>> http_access allow lib_ip
>>>> http_access deny neg_msn
>>>> http_access deny neg_msn2
>>>> http_access deny msn
>>>> http_access deny neg_sites
>>>> http_access allow lib_sites
>>>> http_access allow !neg_hora
>>>> http_access allow lib_usuarios
>>>> http_access deny all
>>>> http_reply_access allow all
>>>> #icp_access allow all
>>>>
>>>>
>>>>
>>>> ---- SCRIPT IPTABLES ----
>>>>
>>>> iptables -F
>>>> iptables -F INPUT
>>>> iptables -F OUTPUT
>>>> iptables -F POSTROUTING -t nat
>>>> iptables -F PREROUTING -t nat
>>>>
>>>> iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
>>>> iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
>>>> iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
>>>>
>>>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>>>> --to-port 3128
>>>>
>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j
>>>> DNAT --to-destination 192.168.7.1:2200
>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j
>>>> DNAT --to-destination 192.168.7.100:3389
>>>>
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> iptables -P FORWARD ACCEPT
>>>> iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j MASQUERADE
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Fabiano Barros
>>>> Cel.: 55 15 9715-8004
>>>> barrosfabiano(a)gmail.com
>>>>
>>>>
>>>>
>>>> --
>>>> br-users mailing list
>>>> br-users(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>>
>>>
>>>
>>>
>>> --
>>> Francisco Viana (Chico Fedora)
>>>
>>> Analista de Suporte Linux
>>> Embaixador Fedora
>>> Desenvolvedor Ekaaty GNU/Linux
>>> Desenvolvedor GESAC GNU/Linux
>>> Admin. Comunidade Fedora Brasil
>>>
>>>
>>>
>>>
>>> --
>>> br-users mailing list
>>> br-users(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>
>>
>>
>>
>> --
>> Fabiano Barros
>> Cel.: 55 15 9715-8004
>> barrosfabiano(a)gmail.com
>>
>>
>>
>> --
>> br-users mailing list
>> br-users(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>
>
>
> --
> br-users mailing list
> br-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/br-users
>
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
10:48 p.m.
quer um conselho na boa
tira os ips da caixa do seu proxy eu faço isso por varias problemas um
deles é conectividade social
sobre o seu router ele tem alguma ACL ??
seu AD é em WINDOWS ??
tire o proxy e teste, pode ter problemas no seu link com o site
Em 02-08-2011 19:59, Fabiano Barros escreveu:
Um relato,
trouxe a maquina para a minha casa e configurei tudo aqui e
funcionou!!! como pode?
Na empresa eu tenho um servidor de AD e ainternet passa por um
roteador Cisco, isso pode ter alguma coisa a ver?
Obrigado a todos.
2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com
<mailto:barrosfabiano@gmail.com>>
Rodrigo,
Tambem não deu não...
será que tem a ver com o inicio do link iniciar em
ww8.caixa.gov.br <http://ww8.caixa.gov.br>?
obrigado pelo apoio
2011/8/2 Rodrigo B Brasil <rodrigobbrasil(a)gmail.com
<mailto:rodrigobbrasil@gmail.com>>
Fabiano, experimente:
acl java browser Java/1.4 Java/1.5 Java/1.6
http_access allow java
--
Rodrigo Bezerra Brasil
Belém, PA, Brasil
'"Software Livre" é uma questão de liberdade, não de preço.
Para entender o conceito, você deve pensar em "liberdade de
expressão", não em "cerveja grátis".'
2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com
<mailto:barrosfabiano@gmail.com>>
Caro, Francisco,
aqui não funcionou não, tem alguma posição especifica que
devo colocar esta acl?
eu fiz assim:
# ACL DE BLOQUEIO
acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
acl neg_hora time
"/etc/squid/confs/neg_hora"
acl neg_msn dstdomain
"/etc/squid/confs/neg_msn"
acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
acl msn url_regex -i
/gateway/gateway.dll
acl java browser Java
# FIM DECLARACOES ACLS
################################################################################
http_access allow java
http_access allow all win
http_access allow lib_ip
Obrigado pelo apoio.
2011/8/2 Francisco Viana <chicofedora(a)gmail.com
<mailto:chicofedora@gmail.com>>
Cara coloca essa acl ai que passa de boa ;) isso vai
solucionar teu problema por enquanto porem eu
aconselho você estudar uma outra forma de fazer isso
ok, dai tu vai usando enquanto estuda ;)
acl java browser Java e http_access allow java
Abraços,
Em 2 de agosto de 2011 15:00, Fabiano Barros
<barrosfabiano(a)gmail.com
<mailto:barrosfabiano@gmail.com>> escreveu:
Pessoal,
to com um problema em um squid que configurei,
pois quando navegando por ele não consigo de forma
alguma acessar o site de simulação de habitação
(muito utilizado aqui na empresa)
link:
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
o que pode ser?
desde já agradeço...
abaixo segue meu squid.conf e meu script iptables
---- SQUID CONF ----
http_port 3128
visible_hostname SrvProxy
error_directory /usr/share/squid/errors/pt-br/
coredump_dir /var/spool/squid
cache_access_log /var/log/squid/access.log
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm (Servidor de Internet)
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive off
auth_param basic program /usr/lib/squid/ncsa_auth
/etc/squid/confs/squid_passwd
#authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#acl all src 0.0.0.0/0.0.0.0 <http://0.0.0.0/0.0.0.0>
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
<http://127.0.0.1/255.255.255.255>
acl to_localhost dst 127.0.0.0/8 <http://127.0.0.0/8>
acl SSL_ports port 22 80 443 563 9443 2200
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ssh
acl Safe_ports port 2200 # ssh
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 86 # Speedy
acl Safe_ports port 5800 # VNC
acl Safe_ports port 5900 # VNC
acl Safe_ports port 1527 # NFP
acl Safe_ports port 8443 # NFP
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
acl login proxy_auth REQUIRED
# ACL DE LIBERACOES
acl lib_usuarios proxy_auth
"/etc/squid/confs/lib_usuarios"
acl lib_sites dstdomain
"/etc/squid/confs/lib_sites"
acl lib_ip src
"/etc/squid/confs/lib_ip"
acl win url_regex -i
windowsupdate update.microsoft.com
<http://update.microsoft.com>
# ACL DE BLOQUEIO
acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
acl neg_hora time
"/etc/squid/confs/neg_hora"
acl neg_msn dstdomain
"/etc/squid/confs/neg_msn"
acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
acl msn url_regex -i
/gateway/gateway.dll
# FIM DECLARACOES ACLS
################################################################################
http_access allow all win
http_access allow lib_ip
http_access deny neg_msn
http_access deny neg_msn2
http_access deny msn
http_access deny neg_sites
http_access allow lib_sites
http_access allow !neg_hora
http_access allow lib_usuarios
http_access deny all
http_reply_access allow all
#icp_access allow all
---- SCRIPT IPTABLES ----
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -t nat -I PREROUTING -s 192.168.7.10 -j
ACCEPT
iptables -t nat -I PREROUTING -s 192.168.7.11 -j
ACCEPT
iptables -t nat -I PREROUTING -s 192.168.7.12 -j
ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp
--dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m
tcp --dport 2200 -j DNAT --to-destination
192.168.7.1:2200 <http://192.168.7.1:2200>
iptables -t nat -A PREROUTING -i eth0 -p tcp -m
tcp --dport 3389 -j DNAT --to-destination
192.168.7.100:3389 <http://192.168.7.100:3389>
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.7.0/24
<http://192.168.7.0/24> -o eth0 -j MASQUERADE
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
<mailto:barrosfabiano@gmail.com>
--
br-users mailing list
br-users(a)lists.fedoraproject.org
<mailto:br-users@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Francisco Viana (Chico Fedora)
Analista de Suporte Linux
Embaixador Fedora
Desenvolvedor Ekaaty GNU/Linux
Desenvolvedor GESAC GNU/Linux
Admin. Comunidade Fedora Brasil
--
br-users mailing list
br-users(a)lists.fedoraproject.org
<mailto:br-users@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com <mailto:barrosfabiano@gmail.com>
--
br-users mailing list
br-users(a)lists.fedoraproject.org
<mailto:br-users@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
br-users mailing list
br-users(a)lists.fedoraproject.org
<mailto:br-users@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com <mailto:barrosfabiano@gmail.com>
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com <mailto:barrosfabiano@gmail.com>
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Jaitony de Sousa
Contatos:
msn: jaitonys(a)hotmail.com
jabber: jaitonys(a)gmail.com
skype: knoppix_debian
yahoo menssager : jaitonys
Tel cel: +55 83 88607882
Integrante e fundador do Gud-PB
(Grupo de Usuarios Debian -PB)
Use Linux, ele é livre como você
Comissão Organizadora
VI Encontro de Software Livre da Paraíba
23 a 26 de Maio de 2012 - www.ensol.org.br <http://www.ensol.org.br/>
5:29 a.m.
Olá,
Meu roteador não tem acl, e ja tentei desativar o firewall nele pra ver se
passa.
quando coloco o modem direto na porta ele passa, somente quando o roteador
roteia é que para.
meu ad é windows sim, porem ja testei em uma rede sem ad e mesmo assim não
passou.
sem o proxy funciona perfeitamente.
Obrigado.
2011/8/3 jaitony gmail <jaitonys(a)gmail.com>
**
quer um conselho na boa
tira os ips da caixa do seu proxy eu faço isso por varias problemas um
deles é conectividade social
sobre o seu router ele tem alguma ACL ??
seu AD é em WINDOWS ??
tire o proxy e teste, pode ter problemas no seu link com o site
Em 02-08-2011 19:59, Fabiano Barros escreveu:
Um relato,
trouxe a maquina para a minha casa e configurei tudo aqui e funcionou!!!
como pode?
Na empresa eu tenho um servidor de AD e ainternet passa por um roteador
Cisco, isso pode ter alguma coisa a ver?
Obrigado a todos.
2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com>
> Rodrigo,
>
> Tambem não deu não...
>
> será que tem a ver com o inicio do link iniciar em ww8.caixa.gov.br?
>
> obrigado pelo apoio
>
>
>
> 2011/8/2 Rodrigo B Brasil <rodrigobbrasil(a)gmail.com>
>
>> Fabiano, experimente:
>>
>> acl java browser Java/1.4 Java/1.5 Java/1.6
>> http_access allow java
>>
>> --
>> Rodrigo Bezerra Brasil
>> Belém, PA, Brasil
>> '"Software Livre" é uma questão de liberdade, não de preço. Para
entender
>> o conceito, você deve pensar em "liberdade de expressão", não em
"cerveja
>> grátis".'
>>
>>
>>
>>
>> 2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com>
>>
>>> Caro, Francisco,
>>>
>>> aqui não funcionou não, tem alguma posição especifica que devo colocar
>>> esta acl?
>>>
>>> eu fiz assim:
>>>
>>>
>>>
>>> # ACL DE BLOQUEIO
>>> acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
>>> acl neg_hora time
"/etc/squid/confs/neg_hora"
>>> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
>>> acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
>>> acl msn url_regex -i /gateway/gateway.dll
>>> acl java browser Java
>>>
>>> # FIM DECLARACOES ACLS
>>>
>>>
################################################################################
>>>
>>> http_access allow java
>>>
>>>
>>> http_access allow all win
>>>
>>> http_access allow lib_ip
>>>
>>>
>>>
>>> Obrigado pelo apoio.
>>>
>>>
>>>
>>> 2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
>>>
>>>> Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu
>>>> problema por enquanto porem eu aconselho você estudar uma outra forma de
>>>> fazer isso ok, dai tu vai usando enquanto estuda ;)
>>>>
>>>> acl java browser Java e http_access allow java
>>>>
>>>>
>>>> Abraços,
>>>>
>>>>
>>>> Em 2 de agosto de 2011 15:00, Fabiano Barros
<barrosfabiano(a)gmail.com>escreveu:
>>>>
>>>>>
>>>>> Pessoal,
>>>>>
>>>>> to com um problema em um squid que configurei, pois quando navegando
>>>>> por ele não consigo de forma alguma acessar o site de simulação de
habitação
>>>>> (muito utilizado aqui na empresa)
>>>>>
>>>>> link:
>>>>>
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
>>>>>
>>>>> o que pode ser?
>>>>>
>>>>> desde já agradeço...
>>>>>
>>>>>
>>>>> abaixo segue meu squid.conf e meu script iptables
>>>>>
>>>>>
>>>>> ---- SQUID CONF ----
>>>>> http_port 3128
>>>>> visible_hostname SrvProxy
>>>>> error_directory /usr/share/squid/errors/pt-br/
>>>>> coredump_dir /var/spool/squid
>>>>> cache_access_log /var/log/squid/access.log
>>>>> hierarchy_stoplist cgi-bin ?
>>>>> acl QUERY urlpath_regex cgi-bin \?
>>>>> no_cache deny QUERY
>>>>>
>>>>> auth_param basic children 5
>>>>> auth_param basic realm (Servidor de Internet)
>>>>> auth_param basic credentialsttl 1 hours
>>>>> auth_param basic casesensitive off
>>>>> auth_param basic program /usr/lib/squid/ncsa_auth
>>>>> /etc/squid/confs/squid_passwd
>>>>> #authenticate_cache_garbage_interval 1 hour
>>>>> authenticate_ttl 1 hour
>>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>>> refresh_pattern . 0 20% 4320
>>>>> #acl all src 0.0.0.0/0.0.0.0
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>> acl to_localhost dst 127.0.0.0/8
>>>>> acl SSL_ports port 22 80 443 563 9443 2200
>>>>> acl Safe_ports port 80 # http
>>>>> acl Safe_ports port 21 # ftp
>>>>> acl Safe_ports port 22 # ssh
>>>>> acl Safe_ports port 2200 # ssh
>>>>> acl Safe_ports port 443 563 # https, snews
>>>>> acl Safe_ports port 70 # gopher
>>>>> acl Safe_ports port 210 # wais
>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>> acl Safe_ports port 280 # http-mgmt
>>>>> acl Safe_ports port 488 # gss-http
>>>>> acl Safe_ports port 591 # filemaker
>>>>> acl Safe_ports port 777 # multiling http
>>>>> acl Safe_ports port 631 # cups
>>>>> acl Safe_ports port 86 # Speedy
>>>>> acl Safe_ports port 5800 # VNC
>>>>> acl Safe_ports port 5900 # VNC
>>>>> acl Safe_ports port 1527 # NFP
>>>>> acl Safe_ports port 8443 # NFP
>>>>> acl CONNECT method CONNECT
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access deny !Safe_ports
>>>>> http_access deny CONNECT !SSL_ports
>>>>>
>>>>> # ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
>>>>> acl login proxy_auth REQUIRED
>>>>> # ACL DE LIBERACOES
>>>>> acl lib_usuarios proxy_auth
>>>>> "/etc/squid/confs/lib_usuarios"
>>>>> acl lib_sites dstdomain
"/etc/squid/confs/lib_sites"
>>>>> acl lib_ip src
"/etc/squid/confs/lib_ip"
>>>>> acl win url_regex -i windowsupdate
>>>>> update.microsoft.com
>>>>> # ACL DE BLOQUEIO
>>>>> acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
>>>>> acl neg_hora time
"/etc/squid/confs/neg_hora"
>>>>> acl neg_msn dstdomain
"/etc/squid/confs/neg_msn"
>>>>> acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
>>>>> acl msn url_regex -i /gateway/gateway.dll
>>>>> # FIM DECLARACOES ACLS
>>>>>
>>>>>
################################################################################
>>>>> http_access allow all win
>>>>> http_access allow lib_ip
>>>>> http_access deny neg_msn
>>>>> http_access deny neg_msn2
>>>>> http_access deny msn
>>>>> http_access deny neg_sites
>>>>> http_access allow lib_sites
>>>>> http_access allow !neg_hora
>>>>> http_access allow lib_usuarios
>>>>> http_access deny all
>>>>> http_reply_access allow all
>>>>> #icp_access allow all
>>>>>
>>>>>
>>>>>
>>>>> ---- SCRIPT IPTABLES ----
>>>>>
>>>>> iptables -F
>>>>> iptables -F INPUT
>>>>> iptables -F OUTPUT
>>>>> iptables -F POSTROUTING -t nat
>>>>> iptables -F PREROUTING -t nat
>>>>>
>>>>> iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
>>>>> iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
>>>>> iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
>>>>>
>>>>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>>>>> --to-port 3128
>>>>>
>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j
>>>>> DNAT --to-destination 192.168.7.1:2200
>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j
>>>>> DNAT --to-destination 192.168.7.100:3389
>>>>>
>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>> iptables -P FORWARD ACCEPT
>>>>> iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j
>>>>> MASQUERADE
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Fabiano Barros
>>>>> Cel.: 55 15 9715-8004
>>>>> barrosfabiano(a)gmail.com
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> br-users mailing list
>>>>> br-users(a)lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Francisco Viana (Chico Fedora)
>>>>
>>>> Analista de Suporte Linux
>>>> Embaixador Fedora
>>>> Desenvolvedor Ekaaty GNU/Linux
>>>> Desenvolvedor GESAC GNU/Linux
>>>> Admin. Comunidade Fedora Brasil
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> br-users mailing list
>>>> br-users(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>>
>>>
>>>
>>>
>>> --
>>> Fabiano Barros
>>> Cel.: 55 15 9715-8004
>>> barrosfabiano(a)gmail.com
>>>
>>>
>>>
>>> --
>>> br-users mailing list
>>> br-users(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>
>>
>>
>> --
>> br-users mailing list
>> br-users(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>
>
>
>
> --
> Fabiano Barros
> Cel.: 55 15 9715-8004
> barrosfabiano(a)gmail.com
>
>
>
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
--
br-users mailing
listbr-users@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/br-users
--
Jaitony de Sousa
Contatos:
msn: jaitonys(a)hotmail.com
jabber: jaitonys(a)gmail.com
skype: knoppix_debian
yahoo menssager : jaitonys
Tel cel: +55 83 88607882
Integrante e fundador do Gud-PB
(Grupo de Usuarios Debian -PB)
Use Linux, ele é livre como você Comissão Organizadora
VI Encontro de Software Livre da Paraíba
23 a 26 de Maio de 2012 - www.ensol.org.br
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
6:19 a.m.
tcpdump nele....
--
att
Marcos Carraro
marcoscarraro.blogspot.com
Em 5 de agosto de 2011 07:29, Fabiano Barros <barrosfabiano(a)gmail.com>escreveu:
Olá,
Meu roteador não tem acl, e ja tentei desativar o firewall nele pra ver se
passa.
quando coloco o modem direto na porta ele passa, somente quando o roteador
roteia é que para.
meu ad é windows sim, porem ja testei em uma rede sem ad e mesmo assim não
passou.
sem o proxy funciona perfeitamente.
Obrigado.
2011/8/3 jaitony gmail <jaitonys(a)gmail.com>
> **
> quer um conselho na boa
>
> tira os ips da caixa do seu proxy eu faço isso por varias problemas um
> deles é conectividade social
>
> sobre o seu router ele tem alguma ACL ??
> seu AD é em WINDOWS ??
> tire o proxy e teste, pode ter problemas no seu link com o site
>
> Em 02-08-2011 19:59, Fabiano Barros escreveu:
>
> Um relato,
>
> trouxe a maquina para a minha casa e configurei tudo aqui e funcionou!!!
> como pode?
>
> Na empresa eu tenho um servidor de AD e ainternet passa por um roteador
> Cisco, isso pode ter alguma coisa a ver?
>
>
> Obrigado a todos.
>
>
>
> 2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com>
>
>> Rodrigo,
>>
>> Tambem não deu não...
>>
>> será que tem a ver com o inicio do link iniciar em ww8.caixa.gov.br?
>>
>> obrigado pelo apoio
>>
>>
>>
>> 2011/8/2 Rodrigo B Brasil <rodrigobbrasil(a)gmail.com>
>>
>>> Fabiano, experimente:
>>>
>>> acl java browser Java/1.4 Java/1.5 Java/1.6
>>> http_access allow java
>>>
>>> --
>>> Rodrigo Bezerra Brasil
>>> Belém, PA, Brasil
>>> '"Software Livre" é uma questão de liberdade, não de preço.
Para
>>> entender o conceito, você deve pensar em "liberdade de expressão",
não em
>>> "cerveja grátis".'
>>>
>>>
>>>
>>>
>>> 2011/8/2 Fabiano Barros <barrosfabiano(a)gmail.com>
>>>
>>>> Caro, Francisco,
>>>>
>>>> aqui não funcionou não, tem alguma posição especifica que devo colocar
>>>> esta acl?
>>>>
>>>> eu fiz assim:
>>>>
>>>>
>>>>
>>>> # ACL DE BLOQUEIO
>>>> acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
>>>> acl neg_hora time
"/etc/squid/confs/neg_hora"
>>>> acl neg_msn dstdomain
"/etc/squid/confs/neg_msn"
>>>> acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
>>>> acl msn url_regex -i /gateway/gateway.dll
>>>> acl java browser Java
>>>>
>>>> # FIM DECLARACOES ACLS
>>>>
>>>>
################################################################################
>>>>
>>>> http_access allow java
>>>>
>>>>
>>>> http_access allow all win
>>>>
>>>> http_access allow lib_ip
>>>>
>>>>
>>>>
>>>> Obrigado pelo apoio.
>>>>
>>>>
>>>>
>>>> 2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
>>>>
>>>>> Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu
>>>>> problema por enquanto porem eu aconselho você estudar uma outra forma
de
>>>>> fazer isso ok, dai tu vai usando enquanto estuda ;)
>>>>>
>>>>> acl java browser Java e http_access allow java
>>>>>
>>>>>
>>>>> Abraços,
>>>>>
>>>>>
>>>>> Em 2 de agosto de 2011 15:00, Fabiano Barros
<barrosfabiano(a)gmail.com
>>>>> > escreveu:
>>>>>
>>>>>>
>>>>>> Pessoal,
>>>>>>
>>>>>> to com um problema em um squid que configurei, pois quando
navegando
>>>>>> por ele não consigo de forma alguma acessar o site de simulação
de habitação
>>>>>> (muito utilizado aqui na empresa)
>>>>>>
>>>>>> link:
>>>>>>
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
>>>>>>
>>>>>> o que pode ser?
>>>>>>
>>>>>> desde já agradeço...
>>>>>>
>>>>>>
>>>>>> abaixo segue meu squid.conf e meu script iptables
>>>>>>
>>>>>>
>>>>>> ---- SQUID CONF ----
>>>>>> http_port 3128
>>>>>> visible_hostname SrvProxy
>>>>>> error_directory /usr/share/squid/errors/pt-br/
>>>>>> coredump_dir /var/spool/squid
>>>>>> cache_access_log /var/log/squid/access.log
>>>>>> hierarchy_stoplist cgi-bin ?
>>>>>> acl QUERY urlpath_regex cgi-bin \?
>>>>>> no_cache deny QUERY
>>>>>>
>>>>>> auth_param basic children 5
>>>>>> auth_param basic realm (Servidor de Internet)
>>>>>> auth_param basic credentialsttl 1 hours
>>>>>> auth_param basic casesensitive off
>>>>>> auth_param basic program /usr/lib/squid/ncsa_auth
>>>>>> /etc/squid/confs/squid_passwd
>>>>>> #authenticate_cache_garbage_interval 1 hour
>>>>>> authenticate_ttl 1 hour
>>>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>>>> refresh_pattern . 0 20% 4320
>>>>>> #acl all src 0.0.0.0/0.0.0.0
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>>> acl to_localhost dst 127.0.0.0/8
>>>>>> acl SSL_ports port 22 80 443 563 9443 2200
>>>>>> acl Safe_ports port 80 # http
>>>>>> acl Safe_ports port 21 # ftp
>>>>>> acl Safe_ports port 22 # ssh
>>>>>> acl Safe_ports port 2200 # ssh
>>>>>> acl Safe_ports port 443 563 # https, snews
>>>>>> acl Safe_ports port 70 # gopher
>>>>>> acl Safe_ports port 210 # wais
>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>> acl Safe_ports port 488 # gss-http
>>>>>> acl Safe_ports port 591 # filemaker
>>>>>> acl Safe_ports port 777 # multiling http
>>>>>> acl Safe_ports port 631 # cups
>>>>>> acl Safe_ports port 86 # Speedy
>>>>>> acl Safe_ports port 5800 # VNC
>>>>>> acl Safe_ports port 5900 # VNC
>>>>>> acl Safe_ports port 1527 # NFP
>>>>>> acl Safe_ports port 8443 # NFP
>>>>>> acl CONNECT method CONNECT
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access deny !Safe_ports
>>>>>> http_access deny CONNECT !SSL_ports
>>>>>>
>>>>>> # ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
>>>>>> acl login proxy_auth REQUIRED
>>>>>> # ACL DE LIBERACOES
>>>>>> acl lib_usuarios proxy_auth
>>>>>> "/etc/squid/confs/lib_usuarios"
>>>>>> acl lib_sites dstdomain
"/etc/squid/confs/lib_sites"
>>>>>> acl lib_ip src
"/etc/squid/confs/lib_ip"
>>>>>> acl win url_regex -i windowsupdate
>>>>>> update.microsoft.com
>>>>>> # ACL DE BLOQUEIO
>>>>>> acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
>>>>>> acl neg_hora time
"/etc/squid/confs/neg_hora"
>>>>>> acl neg_msn dstdomain
"/etc/squid/confs/neg_msn"
>>>>>> acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
>>>>>> acl msn url_regex -i /gateway/gateway.dll
>>>>>> # FIM DECLARACOES ACLS
>>>>>>
>>>>>>
################################################################################
>>>>>> http_access allow all win
>>>>>> http_access allow lib_ip
>>>>>> http_access deny neg_msn
>>>>>> http_access deny neg_msn2
>>>>>> http_access deny msn
>>>>>> http_access deny neg_sites
>>>>>> http_access allow lib_sites
>>>>>> http_access allow !neg_hora
>>>>>> http_access allow lib_usuarios
>>>>>> http_access deny all
>>>>>> http_reply_access allow all
>>>>>> #icp_access allow all
>>>>>>
>>>>>>
>>>>>>
>>>>>> ---- SCRIPT IPTABLES ----
>>>>>>
>>>>>> iptables -F
>>>>>> iptables -F INPUT
>>>>>> iptables -F OUTPUT
>>>>>> iptables -F POSTROUTING -t nat
>>>>>> iptables -F PREROUTING -t nat
>>>>>>
>>>>>> iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
>>>>>> iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
>>>>>> iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
>>>>>>
>>>>>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j
REDIRECT
>>>>>> --to-port 3128
>>>>>>
>>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200
-j
>>>>>> DNAT --to-destination 192.168.7.1:2200
>>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389
-j
>>>>>> DNAT --to-destination 192.168.7.100:3389
>>>>>>
>>>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>>> iptables -P FORWARD ACCEPT
>>>>>> iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j
>>>>>> MASQUERADE
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Fabiano Barros
>>>>>> Cel.: 55 15 9715-8004
>>>>>> barrosfabiano(a)gmail.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> br-users mailing list
>>>>>> br-users(a)lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Francisco Viana (Chico Fedora)
>>>>>
>>>>> Analista de Suporte Linux
>>>>> Embaixador Fedora
>>>>> Desenvolvedor Ekaaty GNU/Linux
>>>>> Desenvolvedor GESAC GNU/Linux
>>>>> Admin. Comunidade Fedora Brasil
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> br-users mailing list
>>>>> br-users(a)lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Fabiano Barros
>>>> Cel.: 55 15 9715-8004
>>>> barrosfabiano(a)gmail.com
>>>>
>>>>
>>>>
>>>> --
>>>> br-users mailing list
>>>> br-users(a)lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>>
>>>
>>>
>>> --
>>> br-users mailing list
>>> br-users(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>
>>
>>
>>
>> --
>> Fabiano Barros
>> Cel.: 55 15 9715-8004
>> barrosfabiano(a)gmail.com
>>
>>
>>
>
>
> --
> Fabiano Barros
> Cel.: 55 15 9715-8004
> barrosfabiano(a)gmail.com
>
>
>
> --
> br-users mailing
listbr-users@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/br-users
>
>
>
> --
> Jaitony de Sousa
>
> Contatos:
> msn: jaitonys(a)hotmail.com
> jabber: jaitonys(a)gmail.com
> skype: knoppix_debian
> yahoo menssager : jaitonys
>
> Tel cel: +55 83 88607882
> Integrante e fundador do Gud-PB
> (Grupo de Usuarios Debian -PB)
> Use Linux, ele é livre como você Comissão Organizadora
> VI Encontro de Software Livre da Paraíba
> 23 a 26 de Maio de 2012 - www.ensol.org.br
>
>
> --
> br-users mailing list
> br-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/br-users
>
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
2:20 p.m.
Fabiano vamos então fazer alguns testes.
Antes de colocar a ACL, você retirou todas as restrições e verificou se
consegue acessar?
Lembrece toda ACL ela precisa esta em uma posição adequada ou seja primeiro
coloca-se as acl's de liberação e depois as de bloqueio.
Faz esses testes e manda aqui pra gente ok.
Abraços,
Em 2 de agosto de 2011 16:14, Fabiano Barros <barrosfabiano(a)gmail.com>escreveu:
Caro, Francisco,
aqui não funcionou não, tem alguma posição especifica que devo colocar esta
acl?
eu fiz assim:
# ACL DE BLOQUEIO
acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
acl neg_hora time "/etc/squid/confs/neg_hora"
acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
acl msn url_regex -i /gateway/gateway.dll
acl java browser Java
# FIM DECLARACOES ACLS
################################################################################
http_access allow java
http_access allow all win
http_access allow lib_ip
Obrigado pelo apoio.
2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
> Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu
> problema por enquanto porem eu aconselho você estudar uma outra forma de
> fazer isso ok, dai tu vai usando enquanto estuda ;)
>
> acl java browser Java e http_access allow java
>
>
> Abraços,
>
>
> Em 2 de agosto de 2011 15:00, Fabiano Barros
<barrosfabiano(a)gmail.com>escreveu:
>
>>
>> Pessoal,
>>
>> to com um problema em um squid que configurei, pois quando navegando por
>> ele não consigo de forma alguma acessar o site de simulação de habitação
>> (muito utilizado aqui na empresa)
>>
>> link:
>>
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
>>
>> o que pode ser?
>>
>> desde já agradeço...
>>
>>
>> abaixo segue meu squid.conf e meu script iptables
>>
>>
>> ---- SQUID CONF ----
>> http_port 3128
>> visible_hostname SrvProxy
>> error_directory /usr/share/squid/errors/pt-br/
>> coredump_dir /var/spool/squid
>> cache_access_log /var/log/squid/access.log
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>>
>> auth_param basic children 5
>> auth_param basic realm (Servidor de Internet)
>> auth_param basic credentialsttl 1 hours
>> auth_param basic casesensitive off
>> auth_param basic program /usr/lib/squid/ncsa_auth
>> /etc/squid/confs/squid_passwd
>> #authenticate_cache_garbage_interval 1 hour
>> authenticate_ttl 1 hour
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> #acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 22 80 443 563 9443 2200
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 22 # ssh
>> acl Safe_ports port 2200 # ssh
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 86 # Speedy
>> acl Safe_ports port 5800 # VNC
>> acl Safe_ports port 5900 # VNC
>> acl Safe_ports port 1527 # NFP
>> acl Safe_ports port 8443 # NFP
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> # ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
>> acl login proxy_auth REQUIRED
>> # ACL DE LIBERACOES
>> acl lib_usuarios proxy_auth
"/etc/squid/confs/lib_usuarios"
>> acl lib_sites dstdomain "/etc/squid/confs/lib_sites"
>> acl lib_ip src "/etc/squid/confs/lib_ip"
>> acl win url_regex -i windowsupdate
>> update.microsoft.com
>> # ACL DE BLOQUEIO
>> acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
>> acl neg_hora time "/etc/squid/confs/neg_hora"
>> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
>> acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
>> acl msn url_regex -i /gateway/gateway.dll
>> # FIM DECLARACOES ACLS
>>
>> ################################################################################
>> http_access allow all win
>> http_access allow lib_ip
>> http_access deny neg_msn
>> http_access deny neg_msn2
>> http_access deny msn
>> http_access deny neg_sites
>> http_access allow lib_sites
>> http_access allow !neg_hora
>> http_access allow lib_usuarios
>> http_access deny all
>> http_reply_access allow all
>> #icp_access allow all
>>
>>
>>
>> ---- SCRIPT IPTABLES ----
>>
>> iptables -F
>> iptables -F INPUT
>> iptables -F OUTPUT
>> iptables -F POSTROUTING -t nat
>> iptables -F PREROUTING -t nat
>>
>> iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
>> iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
>> iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
>>
>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j DNAT
>> --to-destination 192.168.7.1:2200
>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT
>> --to-destination 192.168.7.100:3389
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> iptables -P FORWARD ACCEPT
>> iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j MASQUERADE
>>
>>
>>
>>
>> --
>> Fabiano Barros
>> Cel.: 55 15 9715-8004
>> barrosfabiano(a)gmail.com
>>
>>
>>
>> --
>> br-users mailing list
>> br-users(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>
>
>
>
> --
> Francisco Viana (Chico Fedora)
>
> Analista de Suporte Linux
> Embaixador Fedora
> Desenvolvedor Ekaaty GNU/Linux
> Desenvolvedor GESAC GNU/Linux
> Admin. Comunidade Fedora Brasil
>
>
>
>
> --
> br-users mailing list
> br-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/br-users
>
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Francisco Viana (Chico Fedora)
Analista de Suporte Linux
Embaixador Fedora
Desenvolvedor Ekaaty GNU/Linux
Desenvolvedor GESAC GNU/Linux
Admin. Comunidade Fedora Brasil
2:23 p.m.
Olá,
fiz testes sim, liberando a maquina completamente pelo ip não passa, porem
se eu fizer a regra por iptables ele libera, só que dai eu libero internet
full no pc, e isso não posso fazer.
usei esta regra:
iptables -t nat -I PREROUTING -s 192.168.7.5 -j ACCEPT
Obrigado.
2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
Fabiano vamos então fazer alguns testes.
Antes de colocar a ACL, você retirou todas as restrições e verificou se
consegue acessar?
Lembrece toda ACL ela precisa esta em uma posição adequada ou seja primeiro
coloca-se as acl's de liberação e depois as de bloqueio.
Faz esses testes e manda aqui pra gente ok.
Abraços,
Em 2 de agosto de 2011 16:14, Fabiano Barros <barrosfabiano(a)gmail.com>escreveu:
Caro, Francisco,
>
> aqui não funcionou não, tem alguma posição especifica que devo colocar
> esta acl?
>
> eu fiz assim:
>
>
> # ACL DE BLOQUEIO
> acl neg_sites dstdomain "/etc/squid/confs/neg_sites"
> acl neg_hora time "/etc/squid/confs/neg_hora"
> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
> acl neg_msn2 url_regex "/etc/squid/confs/neg_msn2"
> acl msn url_regex -i /gateway/gateway.dll
> acl java browser Java
>
> # FIM DECLARACOES ACLS
>
> ################################################################################
>
> http_access allow java
>
> http_access allow all win
>
> http_access allow lib_ip
>
>
>
> Obrigado pelo apoio.
>
>
> 2011/8/2 Francisco Viana <chicofedora(a)gmail.com>
>
>> Cara coloca essa acl ai que passa de boa ;) isso vai solucionar teu
>> problema por enquanto porem eu aconselho você estudar uma outra forma de
>> fazer isso ok, dai tu vai usando enquanto estuda ;)
>>
>> acl java browser Java e http_access allow java
>>
>>
>> Abraços,
>>
>>
>> Em 2 de agosto de 2011 15:00, Fabiano Barros
<barrosfabiano(a)gmail.com>escreveu:
>>
>>>
>>> Pessoal,
>>>
>>> to com um problema em um squid que configurei, pois quando navegando por
>>> ele não consigo de forma alguma acessar o site de simulação de habitação
>>> (muito utilizado aqui na empresa)
>>>
>>> link:
>>>
http://www8.caixa.gov.br/siopiinternet/simulaOperacaoInternet.do?method=i...
>>>
>>> o que pode ser?
>>>
>>> desde já agradeço...
>>>
>>>
>>> abaixo segue meu squid.conf e meu script iptables
>>>
>>>
>>> ---- SQUID CONF ----
>>> http_port 3128
>>> visible_hostname SrvProxy
>>> error_directory /usr/share/squid/errors/pt-br/
>>> coredump_dir /var/spool/squid
>>> cache_access_log /var/log/squid/access.log
>>> hierarchy_stoplist cgi-bin ?
>>> acl QUERY urlpath_regex cgi-bin \?
>>> no_cache deny QUERY
>>>
>>> auth_param basic children 5
>>> auth_param basic realm (Servidor de Internet)
>>> auth_param basic credentialsttl 1 hours
>>> auth_param basic casesensitive off
>>> auth_param basic program /usr/lib/squid/ncsa_auth
>>> /etc/squid/confs/squid_passwd
>>> #authenticate_cache_garbage_interval 1 hour
>>> authenticate_ttl 1 hour
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>> #acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 22 80 443 563 9443 2200
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 22 # ssh
>>> acl Safe_ports port 2200 # ssh
>>> acl Safe_ports port 443 563 # https, snews
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl Safe_ports port 631 # cups
>>> acl Safe_ports port 86 # Speedy
>>> acl Safe_ports port 5800 # VNC
>>> acl Safe_ports port 5900 # VNC
>>> acl Safe_ports port 1527 # NFP
>>> acl Safe_ports port 8443 # NFP
>>> acl CONNECT method CONNECT
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> # ACL QUE EXIGE LOGIN DO USUARIO PARA NAVEGAR
>>> acl login proxy_auth REQUIRED
>>> # ACL DE LIBERACOES
>>> acl lib_usuarios proxy_auth
"/etc/squid/confs/lib_usuarios"
>>> acl lib_sites dstdomain
"/etc/squid/confs/lib_sites"
>>> acl lib_ip src "/etc/squid/confs/lib_ip"
>>> acl win url_regex -i windowsupdate
>>> update.microsoft.com
>>> # ACL DE BLOQUEIO
>>> acl neg_sites dstdomain
"/etc/squid/confs/neg_sites"
>>> acl neg_hora time
"/etc/squid/confs/neg_hora"
>>> acl neg_msn dstdomain "/etc/squid/confs/neg_msn"
>>> acl neg_msn2 url_regex
"/etc/squid/confs/neg_msn2"
>>> acl msn url_regex -i /gateway/gateway.dll
>>> # FIM DECLARACOES ACLS
>>>
>>>
################################################################################
>>> http_access allow all win
>>> http_access allow lib_ip
>>> http_access deny neg_msn
>>> http_access deny neg_msn2
>>> http_access deny msn
>>> http_access deny neg_sites
>>> http_access allow lib_sites
>>> http_access allow !neg_hora
>>> http_access allow lib_usuarios
>>> http_access deny all
>>> http_reply_access allow all
>>> #icp_access allow all
>>>
>>>
>>>
>>> ---- SCRIPT IPTABLES ----
>>>
>>> iptables -F
>>> iptables -F INPUT
>>> iptables -F OUTPUT
>>> iptables -F POSTROUTING -t nat
>>> iptables -F PREROUTING -t nat
>>>
>>> iptables -t nat -I PREROUTING -s 192.168.7.10 -j ACCEPT
>>> iptables -t nat -I PREROUTING -s 192.168.7.11 -j ACCEPT
>>> iptables -t nat -I PREROUTING -s 192.168.7.12 -j ACCEPT
>>>
>>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT
>>> --to-port 3128
>>>
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2200 -j DNAT
>>> --to-destination 192.168.7.1:2200
>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT
>>> --to-destination 192.168.7.100:3389
>>>
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> iptables -P FORWARD ACCEPT
>>> iptables -A POSTROUTING -t nat -s 192.168.7.0/24 -o eth0 -j MASQUERADE
>>>
>>>
>>>
>>>
>>> --
>>> Fabiano Barros
>>> Cel.: 55 15 9715-8004
>>> barrosfabiano(a)gmail.com
>>>
>>>
>>>
>>> --
>>> br-users mailing list
>>> br-users(a)lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>>
>>
>>
>>
>> --
>> Francisco Viana (Chico Fedora)
>>
>> Analista de Suporte Linux
>> Embaixador Fedora
>> Desenvolvedor Ekaaty GNU/Linux
>> Desenvolvedor GESAC GNU/Linux
>> Admin. Comunidade Fedora Brasil
>>
>>
>>
>>
>> --
>> br-users mailing list
>> br-users(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/br-users
>>
>
>
>
> --
> Fabiano Barros
> Cel.: 55 15 9715-8004
> barrosfabiano(a)gmail.com
>
>
>
> --
> br-users mailing list
> br-users(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/br-users
>
--
Francisco Viana (Chico Fedora)
Analista de Suporte Linux
Embaixador Fedora
Desenvolvedor Ekaaty GNU/Linux
Desenvolvedor GESAC GNU/Linux
Admin. Comunidade Fedora Brasil
--
br-users mailing list
br-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/br-users
--
Fabiano Barros
Cel.: 55 15 9715-8004
barrosfabiano(a)gmail.com
4685
days inactive
4689
days old
br-users@lists.fedoraproject.org
10 comments
5 participants
participants (5)
-
Fabiano Barros -
Francisco Viana -
jaitony gmail -
Marcos Carraro -
Rodrigo B Brasil