Good afternoon, gentlemen.
I have the following problem: after configuring the DHCP + iptables + transparent Squid trio, I try to access a page from the user's PC and it works quickly, including blocking URLs.
However, after 3 or 4 accesses, the user stops being able to access any pages and the browser simply reports "load failed - server not found", as if there were no connectivity any more (I even thought of something like DNS, but why does it work at the start and then stop?).
Well, nothing is configured on the clients. The IPs are handed out by the server's DHCP.
The server is the network's DHCP/gateway/firewall.
One detail: even while the users have no internet access, when I test with squidclient on the server, Squid apparently is working, since it returns the allow or block for pages.
I tried adding some server and DNS IPs on the clients but had no success, or I did something wrong.
Some configurations
squid:
http_port 3128 transparent
visible_hostname linuxs
debug_options ALL,1 33,2
cache_mem 128 MB
maximum_object_size_in_memory 128 KB
maximum_object_size 100 MB
minimum_object_size 2 KB
cache_dir ufs /var/spool/squid 4096 16 32
cache_swap_low 85
cache_swap_high 90
cache_access_log /var/log/squid/access.log
error_directory /usr/share/squid/errors/Portuguese/
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
and ACLs ...
iptables:
#REDE="192.168.1.0/24"
#IF_EXTERNA="eth2"
#IF_INTERNA="eth1"
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ip_queue
# Flush rules
# -------------------------------------------------------
iptables -F
iptables -F -t nat
iptables -F -t mangle
# Set the default policy
# -------------------------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# -------------------------------------------------------
# Enable routing in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# Protection against IP spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Protects against SYN flood:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Protection against ICMP broadcasts:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# -------------------------------------------------------
# Accept - Rules
# -------------------------------------------------------
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept all traffic coming from and going to loopback
iptables -A INPUT -i lo -j ACCEPT
# All traffic coming from the internal network is also accepted
iptables -A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
# Rate limit against ping of death and DoS
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
# Block connections on the remaining ports, protecting the server.
iptables -A INPUT -p tcp --syn -j DROP
# Any other unknown connection is immediately logged and dropped
iptables -A INPUT -j LOG --log-prefix "FIREWALL: INPUT "
iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT
# Transparent proxy
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
# Enable outbound masquerading
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
# LOG
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables-save
ufw
sudo ufw status
Estado: inativo
sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
200 92474 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 180 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
74 6879 ACCEPT all -- eth1 * 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
9 2821 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0 limit: avg 1/sec burst 5
11 528 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
86 14486 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `FIREWALL: INPUT '
86 14486 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
473 214K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
294 12708 ACCEPT all -- eth1 * 192.168.1.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 336 packets, 85358 bytes)
pkts bytes target prot opt in out source destination
sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 90 packets, 12438 bytes)
pkts bytes target prot opt in out source destination
26 1312 REDIRECT tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain OUTPUT (policy ACCEPT 22 packets, 1762 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 21 packets, 1359 bytes)
pkts bytes target prot opt in out source destination
45 3111 MASQUERADE all -- * * 192.168.1.0/24 0.0.0.0/0
last lines of cache.log
CACHE.LOG
2011/12/29 14:46:06| The request GET http://www.sexo.com.br is DENIED, because it matched 'palavrasproibidas'
2011/12/29 14:46:06| The reply for GET http://www.sexo.com.br is ALLOWED, because it matched 'palavrasproibidas'
2011/12/29 14:46:18| Preparing for shutdown after 13 requests
2011/12/29 14:46:18| Waiting 30 seconds for active connections to finish
2011/12/29 14:46:18| FD 14 Closing HTTP connection
2011/12/29 14:47:04| Starting Squid Cache version 2.7.STABLE7 for i386-debian-linux-gnu...
2011/12/29 14:47:04| Process ID 1051
2011/12/29 14:47:04| With 1024 file descriptors available
2011/12/29 14:47:04| Using epoll for the IO loop
2011/12/29 14:47:04| DNS Socket created at 0.0.0.0, port 43628, FD 6
2011/12/29 14:47:04| Adding nameserver from /etc/resolv.conf
2011/12/29 14:47:04| User-Agent logging is disabled.
2011/12/29 14:47:04| Referer logging is disabled.
2011/12/29 14:47:04| logfileOpen: opening log /var/log/squid/access.log
2011/12/29 14:47:04| Unlinkd pipe opened on FD 12
2011/12/29 14:47:04| Swap maxSize 4194304 + 131072 KB, estimated 332721 objects
2011/12/29 14:47:04| Target number of buckets: 16636
2011/12/29 14:47:04| Using 32768 Store buckets
2011/12/29 14:47:04| Max Mem size: 131072 KB
2011/12/29 14:47:04| Max Swap size: 4194304 KB
2011/12/29 14:47:04| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2011/12/29 14:47:04| logfileOpen: opening log /var/log/squid/store.log
2011/12/29 14:47:04| Rebuilding storage in /var/spool/squid (DIRTY)
2011/12/29 14:47:04| Using Least Load store dir selection
2011/12/29 14:47:04| Current Directory is /
2011/12/29 14:47:04| Loaded Icons.
2011/12/29 14:47:05| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 14.
2011/12/29 14:47:05| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2011/12/29 14:47:05| HTCP Disabled.
2011/12/29 14:47:05| WCCP Disabled.
2011/12/29 14:47:05| Ready to serve requests.
2011/12/29 14:47:05| Done reading /var/spool/squid swaplog (200 entries)
2011/12/29 14:47:05| Finished rebuilding storage from disk.
2011/12/29 14:47:05| 200 Entries scanned
2011/12/29 14:47:05| 0 Invalid entries.
2011/12/29 14:47:05| 0 With invalid flags.
2011/12/29 14:47:05| 200 Objects loaded.
2011/12/29 14:47:05| 0 Objects expired.
2011/12/29 14:47:05| 0 Objects cancelled.
2011/12/29 14:47:05| 0 Duplicate URLs purged.
2011/12/29 14:47:05| 0 Swapfile clashes avoided.
2011/12/29 14:47:05| Took 0.3 seconds ( 645.8 objects/sec).
2011/12/29 14:47:05| Beginning Validation Procedure
2011/12/29 14:47:05| Completed Validation Procedure
2011/12/29 14:47:05| Validated 200 Entries
2011/12/29 14:47:05| store_swap_size = 2912k
2011/12/29 14:47:05| storeLateRelease: released 0 objects
Any help will be welcome.
Thanks.
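As an added example, not part of the original post: a small Python script that scans Squid's cache.log for shutdown/restart cycles like the "Preparing for shutdown after 13 requests" entry above and reports how long the proxy was not accepting the redirected port-80 connections. The log excerpt is constructed in the same format as the cache.log shown above.

```python
import re
from datetime import datetime

# Constructed excerpt in the format of the cache.log pasted above (Squid 2.7).
SAMPLE_LOG = """\
2011/12/29 14:46:06| The request GET http://www.sexo.com.br is DENIED, because it matched 'palavrasproibidas'
2011/12/29 14:46:18| Preparing for shutdown after 13 requests
2011/12/29 14:46:18| Waiting 30 seconds for active connections to finish
2011/12/29 14:46:18| FD 14 Closing HTTP connection
2011/12/29 14:47:04| Starting Squid Cache version 2.7.STABLE7 for i386-debian-linux-gnu...
2011/12/29 14:47:05| Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 14.
2011/12/29 14:47:05| Ready to serve requests.
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| (.*)$")
SHUTDOWN_RE = re.compile(r"Preparing for shutdown after (\d+) requests")


def parse_restarts(text):
    """Pair each 'Preparing for shutdown' with the next 'Ready to serve requests'.
    While the listening socket (FD 14 above) is closed, port-80 connections that
    PREROUTING redirects to 3128 have nothing to connect to, which the browser
    reports as a load failure. Returns one dict per shutdown/ready cycle."""
    cycles, pending = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        hit = SHUTDOWN_RE.search(msg)
        if hit:
            pending = (ts, int(hit.group(1)))
        elif msg.startswith("Ready to serve requests") and pending:
            down, served = pending
            cycles.append({"shutdown": down, "ready": ts, "requests": served,
                           "outage_seconds": (ts - down).total_seconds()})
            pending = None
    return cycles


def premature_restarts(cycles, min_requests=100):
    """Cycles where Squid was stopped after fewer than min_requests requests,
    i.e. it was restarted while users were still browsing (not an idle reload)."""
    return [c for c in cycles if c["requests"] < min_requests]


if __name__ == "__main__":
    for c in premature_restarts(parse_restarts(SAMPLE_LOG)):
        print(f"{c['shutdown']:%H:%M:%S} shutdown after {c['requests']} requests, "
              f"not serving for {c['outage_seconds']:.0f}s until {c['ready']:%H:%M:%S}")
```

Run it against the real /var/log/squid/cache.log to see whether every loss of connectivity lines up with a restart window, and how often those restarts occur.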