<\/p>\n
Para a implanta\u00e7\u00e3o do servidor utilizaremos como checklist as seguintes etapas:<\/p>\n
<\/p>\n
As configura\u00e7\u00f5es das interfaces de rede em sistemas baseados em Debian s\u00e3o poss\u00edveis atrav\u00e9s do arquivo interfaces localizado na pasta\/etc\/network<\/em>. Antes da edi\u00e7\u00e3o deste arquivo ser\u00e3o necess\u00e1rias as seguintes informa\u00e7\u00f5es:<\/p>\n Todos os procedimentos devem ser realizados com a conta do superusu\u00e1rio e atrav\u00e9s da edi\u00e7\u00e3o de arquivos de configura\u00e7\u00e3o via terminal. Neste roteiro as informa\u00e7\u00f5es recolhidas foram as seguinte:<\/p>\n Inicialmente \u00e9 necess\u00e1rio a edi\u00e7\u00e3o do arquivo interfaces. Abaixo temos um exemplo das configura\u00e7\u00f5es mediante as informa\u00e7\u00f5es recolhidas, ambas as interfaces foram setadas com endere\u00e7o IP est\u00e1tico. Pare o servi\u00e7o de rede e efetue a configura\u00e7\u00e3o necess\u00e1ria:<\/p>\n # systemctl stop networking<\/strong> Encerre a edi\u00e7\u00e3o do arquivo e inicie os servi\u00e7os de rede:<\/p>\n # systemctl start networking<\/strong><\/p>\n Verifique com o comando ifconfig as configura\u00e7\u00f5es das interfaces:<\/p>\n # ifconfig<\/strong><\/p>\n Verifique atrav\u00e9s do comando ping se h\u00e1 conectividade:<\/p>\n # ping -c 3 www.vivaolinux.com.br<\/strong> — www.vivaolinux.com.br ping statistics — Atualize o conte\u00fado do arquivo \/etc\/hosts<\/em> de forma que a interface loopback (127.0.0.1) aponte para o hostname:<\/p>\n # cat \/etc\/hosts<\/strong><\/p>\n # The following lines are desirable for IPv6 capable hosts <\/p>\n # apt-get update && apt-get upgrade -y<\/strong><\/p>\n Instale os pacotes:<\/p>\n # apt-get install -y squid3 samba sarg cups isc-dhcp-server ntp bind9 apache2 debmirror<\/strong><\/p>\n O servidor DHCP ser\u00e1 o respons\u00e1vel por distribuir IPs na rede local, para editar as configura\u00e7\u00f5es iniciais localize o arquivo dhcpd.conf<\/em> na pasta \/etc\/dhcp<\/em> e tenha em m\u00e3os as informa\u00e7\u00f5es relativas ao servidor DNS prim\u00e1rio e secund\u00e1rio, para este exemplo foi usado o servidor do opendns.com:<\/p>\n # nano \/etc\/dhcp\/dhcpd.conf<\/strong><\/p>\n Status do funcionamento do ISC DHCP Server:<\/p>\n # systemctl status isc-dhcp-server<\/strong> Jul 08 23:28:33 onix dhcpd[9406]: Wrote 0 leases to leases file. Em car\u00e1ter opcional \u00e9 poss\u00edvel realizar a atualiza\u00e7\u00e3o do arquivo \/etc\/resolv.conf<\/em> de forma que \u00e9 poss\u00edvel apontar quais servidores DNS ser\u00e3o consultados primeiramente. A cada nova conex\u00e3o o arquivo resolv.conf \u00e9 atualizado, a forma mais apropriada para a atualiza\u00e7\u00e3o deste arquivo e atrav\u00e9s do dhclient.conf na pasta \/etc\/dhcp. Localize no arquivo as linhas:<\/p>\n #supersede domain-name “fugue.com home.vix.com”; Modifique-as retirando o # e adicione as informa\u00e7\u00f5es necess\u00e1rias, neste exemplo ser\u00e1 usado OpenDNS.<\/p>\n Encerre a edi\u00e7\u00e3o do arquivo e reinicie o servi\u00e7o.<\/p>\n A defini\u00e7\u00e3o do firewall ser\u00e1 realizado pelo iptables atrav\u00e9s de um script. O conte\u00fado deste script deve ser definido de acordo com as necessidades e normas de seguran\u00e7a da rede. Neste exemplo ser\u00e1 utilizado um firewall b\u00e1sico para redirecionar todas as requisi\u00e7\u00f5es para a porta 3128:<\/p>\n # touch \/etc\/init.d\/rc.firewall<\/strong><\/p>\n Atribua o valor de execut\u00e1vel para o arquivo e adicione o script \u00e0 inicializa\u00e7\u00e3o do sistema:<\/p>\n # chmod +x rc.firewall<\/strong> Verifique as tabelas do iptables:<\/p>\n # iptables -t nat -L<\/strong> Chain INPUT (policy ACCEPT) Chain OUTPUT (policy ACCEPT) Chain POSTROUTING (policy ACCEPT) <\/p>\n <\/p>\n Para a implanta\u00e7\u00e3o do proxy transparente h\u00e1 um exemplo de configura\u00e7\u00f5es m\u00ednimas, o arquivo alvo da edi\u00e7\u00e3o est\u00e1 localizado na pasta\/etc\/squid3<\/em> com o nome squid.conf<\/em>:<\/p>\n # nano \/etc\/squid3\/squid.conf<\/strong><\/p>\n # Configura\u00e7\u00f5es do servidor<\/span> acl localhost src 127.0.0.1\/255.255.255.255 http_access allow manager localhost acl redelocal src 172.16.0.0\/16<\/p>\n # Defini\u00e7\u00e3o de Cache<\/span><\/p>\n cache_mem 64 MB # Defini\u00e7\u00f5es de logs<\/span><\/p>\n access_log \/var\/log\/squid3\/access.log # Considera\u00e7\u00f5es finais<\/span><\/p>\n http_access allow localhost Reinicie o servi\u00e7o do Squid:<\/p>\n # systemctl restart squid3<\/strong><\/p>\n Verifique o status do servi\u00e7os.<\/p>\n # systemctl status -l squid3<\/strong> Jul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/06 Com este arquivo base nenhum acesso ser\u00e1 negado e a partir dele podemos definir as diretivas atrav\u00e9s das ACLs.<\/p>\n Com a configura\u00e7\u00e3o do Squid funcional \u00e9 poss\u00edvel definir acessos e seus controles atrav\u00e9s das ACLs (Access Control List). Antes de tratar das ACLs \u00e9 necess\u00e1rio o entendimento de algumas regras:<\/p>\n 1. Por defini\u00e7\u00e3o quando a requisi\u00e7\u00e3o \u00e9 realizada o Squid analisa o conte\u00fado do squid.conf do topo para o fim, procurando uma diretiva que se encaixe com o padr\u00e3o da requisi\u00e7\u00e3o at\u00e9 o final do arquivo.<\/p>\n 2. \u00c9 interessante definir como \u00faltima diretiva uma regra para bloquear todas as requisi\u00e7\u00f5es de acesso no caso do pacote n\u00e3o combinar com nenhuma diretiva anterior. Uma analogia que pode ser realiza \u00e9 a de que o Squid possui pol\u00edticas de acesso similares a um firewall.<\/p>\n 3. Evite regras desnecess\u00e1rias ou redundantes.<\/p>\n A sintaxe b\u00e1sica para defini\u00e7\u00e3o da ACL \u00e9:<\/p>\n acl [nome_da_ACL] [Classe da ACL] <\/samp><\/p>\n Para cada ACL criada \u00e9 necess\u00e1rio definir se acesso ser\u00e1 permitido, allow, ou negado, deny.<\/p>\n Classes de acesso:<\/p>\n <\/p>\n <\/p>\n Para compila\u00e7\u00e3o ser\u00e3o utilizados os bin\u00e1rios da instala\u00e7\u00e3o corrente do Squid 3. A partir daqui utilizaremos a vers\u00e3o 3.5:<\/p>\n # wget<\/strong> http:\/\/www.squid-cache.org\/Versions\/v3\/3.5\/squid-3.5.6.tar.gz<\/a><\/p>\n Descompacte o arquivo:<\/p>\n # tar xvfz squid-3.5.6.tar.gz<\/strong><\/p>\n Acesse a pasta rec\u00e9m criada \/usr\/src\/squid-3.5.6<\/em>, resolva das depend\u00eancias e instale os pacotes adicionais:<\/p>\n # apt-get build-dep squid3 && apt-get install libssl-dev build-essential<\/strong><\/p>\n Execute o .\/configure com as seguintes op\u00e7\u00f5es:<\/p>\n # .\/configure –prefix=\/usr –includedir=${prefix}\/include –mandir=${prefix}\/share\/man –infodir=${prefix}\/share\/info –sysconfdir=\/etc –localstatedir=\/var –libexecdir=${prefix}\/lib\/squid3 –srcdir=. –datadir=\/usr\/share\/squid3 –sysconfdir=\/etc\/squid3 –mandir=\/usr\/share\/man –enable-icap-client –enable-ssl –enable-ssl-crtd –enable-follow-x-forwarded-for –enable-linux-netfilter –with-openssl –with-swapdir=\/var\/spool\/squid3 –with-logdir=\/var\/log\/squid3 –with-pidfile=\/var\/run\/squid3.pid –with-filedescriptors=65536 –with-large-files –with-default-user=proxy<\/strong><\/p>\n Aguarde o final do processo, interrompa a execu\u00e7\u00e3o do Squid e execute:<\/p>\n # systemctl stop squid3<\/strong> Atualize as configura\u00e7\u00f5es no arquivo squid.conf adicionando as seguintes linhas:<\/p>\n Realize as c\u00f3pias dos bin\u00e1rios:<\/p>\n # mv \/usr\/sbin\/squid3 \/usr\/sbin\/squid3_old && mv \/usr\/sbin\/squid \/usr\/sbin\/squid3<\/strong><\/p>\n Utilize o OpenSSL para gerar os certificados que devem ser importados para os clientes. A cria\u00e7\u00e3o do certificado deve apontar para o caminho descrito no squid.conf:<\/p>\n # mkdir ssl_cert<\/strong> Crie o arquivo que ser\u00e1 importado para os clientes:<\/p>\n # openssl x509 -in onix.pem -outform DER -out onix.der<\/strong><\/p>\n Atualize as diretivas do firewall:<\/p>\n Utilize o ssl_crtd para criar o diret\u00f3rio onde ser\u00e3o arquivados o cache de certificados din\u00e2micos:<\/p>\n # \/lib\/squid3\/ssl_crtd -c -s \/var\/lib\/ssl_db -M 4MB<\/strong><\/p>\n Mude o grupo e o usu\u00e1rio do diret\u00f3rio para que o Squid possa realizar o cache:<\/p>\n # chown -R proxy:proxy \/var\/lib\/ssl_db<\/strong><\/p>\n Reinicie o Squid:<\/p>\n # systemctl status -l squid3<\/strong> Jul 20 15:39:45 onix squid3[9552]: Starting Squid HTTP Proxy 3.x: squid3Creating Squid HTTP Proxy 3.x cache structure … (warning). Importe o certificado onix.der para o cliente e verifique o acesso \u00e0 p\u00e1ginas HTTPS atrav\u00e9s do log em \/var\/log\/squid3\/access.log<\/em>:<\/p>\n # tail \/var\/log\/squid3\/access.log<\/strong> Ap\u00f3s a compila\u00e7\u00e3o aplique as configura\u00e7\u00f5es necess\u00e1rias ao squid.conf.<\/p>\n<\/div>\n <\/p>\n <\/p>\n Execute o comando:<\/p>\n # sarg<\/strong><\/p>\n O acesso ao relat\u00f3rio do Sarg pode ser acessado atrav\u00e9s do endere\u00e7o:<\/p>\n Na segunda parte deste artigo os seguintes t\u00f3picos ser\u00e3o apresentados:<\/p>\n Refer\u00eancias:<\/p>\n CONSIDERA\u00c7\u00d5ES INICIAIS Este artigo tem como principal objetivo orientar a implanta\u00e7\u00e3o de um servidor para oferecer os servi\u00e7os de proxy transparente, armazenamento\/compartilhamento de arquivos e controle de acesso, al\u00e9m de servir a novos usu\u00e1rios do GNU\/Linux como refer\u00eancia preliminar para estudo. O S.O. escolhido para implanta\u00e7\u00e3o ser\u00e1 a \u00faltima vers\u00e3o est\u00e1vel do Debian 8, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[455,460,91,1,730,830,540,772,725,42,51,439,495,85,68,501,127,111,548],"tags":[952,951,87,72],"class_list":["post-4119","post","type-post","status-publish","format-standard","hentry","category-apache2","category-awstats","category-banco-de-dados","category-viazap","category-clusterweb","category-debian","category-dhcp-2","category-dns-2","category-hospedagem","category-leitura-recomendada","category-linux-linuxrs","category-midia","category-profissional-de-ti","category-proxy","category-redes-2","category-shell-script","category-sistemas-de-armazenamento","category-squid-2","category-ubuntu-2","tag-i","tag-parte","tag-proxy-2","tag-servidor"],"_links":{"self":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/4119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4119"}],"version-history":[{"count":1,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/4119\/revisions"}],"predecessor-version":[{"id":4120,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/4119\/revisions\/4120"}],"wp:attachment":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
\n# nano \/etc\/network\/interfaces<\/strong><\/p>\n
\n#<\/span>
\n# Interface Loopback<\/span>
\nauto lo
\niface lo inet loopback
\n#<\/span>
\n# Configura\u00e7\u00e3o da Interface de rede prim\u00e1ria<\/span>
\nauto eth0
\niface eth0 inet static
\naddress 192.168.0.2
\nnetwork 192.168.0.0
\nnetmask 255.255.255.0
\nbroadcast 192.168.0.255
\ngateway 192.168.0.1
\n#<\/span>
\n# Configura\u00e7\u00e3o da Interface de rede secund\u00e1ria<\/span>
\nauto eth1
\niface eth1 inet static
\naddress 172.16.0.1
\nnetwork 172.16.0.0
\nnetmask 255.255.0.0
\nbroadcast 172.16.255.255<\/div>\neth0 Link encap:Ethernet Endere\u00e7o de HW 08:00:27:0c:c3:73\r\n inet end.: 192.168.0.2 Bcast:192.168.0.255 Masc:255.255.255.0\r\n endere\u00e7o inet6: fe80::a00:27ff:fe0c:c373\/64 Escopo:Link\r\n UP BROADCASTRUNNING MULTICAST MTU:1500 M\u00e9trica:1\r\n RX packets:606 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:380 errors:0 dropped:0 overruns:0 carrier:0\r\n colis\u00f5es:0 txqueuelen:1000\r\n RX bytes:582316 (568.6 KiB) TX bytes:33198 (32.4 KiB)\r\n\r\neth1 Link encap:Ethernet Endere\u00e7o de HW 08:00:27:77:c1:45\r\n inet end.: 172.16.0.1 Bcast:172.16.255.255 Masc:255.255.0.0\r\n endere\u00e7o inet6: fe80::a00:27ff:fe77:c145\/64 Escopo:Link\r\n UP BROADCASTRUNNING MULTICAST MTU:1500 M\u00e9trica:1\r\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:8 errors:0 dropped:0 overruns:0 carrier:0\r\n colis\u00f5es:0 txqueuelen:1000\r\n RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)\r\n\r\nlo Link encap:Loopback Local\r\n inet end.: 127.0.0.1 Masc:255.0.0.0\r\n endere\u00e7o inet6: ::1\/128 Escopo:M\u00e1quina\r\n UP LOOPBACKRUNNING MTU:65536 M\u00e9trica:1\r\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\r\n colis\u00f5es:0 txqueuelen:0\r\n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\r\n\r\n<\/pre>\n
\nPING www.vivaolinux.com.br (162.144.34.3) 56(84) bytes of data.
\n64 bytes from 162-144-34-3.unifiedlayer.com (162.144.34.3): icmp_seq=1 ttl=52 time=185 ms
\n64 bytes from 162-144-34-3.unifiedlayer.com (162.144.34.3): icmp_seq=2 ttl=52 time=186 ms
\n64 bytes from 162-144-34-3.unifiedlayer.com (162.144.34.3): icmp_seq=3 ttl=52 time=187 ms<\/p>\n
\n3 packets transmitted, 3 received, 0% packet loss, time 2002ms
\nrtt min\/avg\/max\/mdev = 185.369\/186.339\/187.087\/0.800 ms <\/samp><\/p>\n
\n<\/span>::1\u00a0\u00a0\u00a0\u00a0 onix ip6-onix ip6-loopback
\nff02::1 ip6-allnodes
\nff02::2 ip6-allrouters<\/div>\n<\/div>\nATUALIZA\u00c7\u00c3O DO S.O. \/ CONFIGURA\u00c7\u00d5ES DO SERVIDOR DHCP E FIREWALL<\/h1>\n
CONFIGURA\u00c7\u00d5ES DO SERVIDOR DHCP<\/h1>\n
\n#<\/span>
\nINTERFACES=eth1;
\nddns-update-style none;
\nauthoritative;
\n#<\/span>
\n# Declara\u00e7\u00e3o da Rede Local<\/span>
\nsubnet 172.16.0.0 netmask 255.255.0.0 {
\nrange 172.16.0.2 172.16.0.254;
\noption domain-name-servers 208.67.222.222,208.67.220.220;
\noption domain-name “opendns.com”;
\noption routers 172.16.0.1;
\noption broadcast-address 172.16.255.255;
\ndefault-lease-time 600;
\nmax-lease-time 7200;
\n}
\n# Declara\u00e7\u00e3o para Interface Prim\u00e1ria<\/span>
\nsubnet 192.168.0.0 netmask 255.255.255.0 {
\n}<\/div>\n
\n\u25cf isc-dhcp-server.service – LSB: DHCP server
\nLoaded: loaded (\/etc\/init.d\/isc-dhcp-server)
\nActive: active (running) since Qua 2015-07-08 23:28:36 BRT; 2s ago
\nProcess: 9399 ExecStart=\/etc\/init.d\/isc-dhcp-server start (code=exited, status=0\/SUCCESS)
\nCGroup: \/system.slice\/isc-dhcp-server.service
\n\u2514\u25009407 \/usr\/sbin\/dhcpd -q -cf \/etc\/dhcp\/dhcpd.conf -pf \/var\/run\/dhcpd.pid<\/p>\n
\nJul 08 23:28:34 onix dhcpd[9407]: Server starting service.
\nJul 08 23:28:36 onix isc-dhcp-server[9399]: Starting ISC DHCP server: dhcpd. <\/samp><\/p>\n
\n#prepend domain-name-servers 127.0.0.1; <\/samp><\/p>\n
\nprepend domain-name-servers 208.67.222.222,208.67.220.220;<\/div>\nDEFINI\u00c7\u00c3O DE FIREWALL E REDIRECIONAMENTO<\/h1>\n
#!\/bin\/bash\r\n### BEGIN INIT INFO\r\n# Provides: Script Firewall\r\n# Required-Start: $remote_fs $syslog\r\n# Required-Stop: $remote_fs $syslog\r\n# Default-Start: 2 3 4 5\r\n# Default-Stop:\r\n# Short-Decription: Script Firewall based on Iptables\r\n### END INIT INFO\r\n\r\n# Clean modules\r\niptables -F\r\niptables -t nat -F\r\niptables -t mangle -F\r\n\r\n# Proxy\r\niptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128\r\n\r\n# Masquerading IP\r\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\n\r\n# Forward\r\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward\r\n<\/pre>\n
\n# update-rc.d rc.firewall defaults<\/strong><\/p>\n
\nChain PREROUTING (policy ACCEPT)
\ntarget\u00a0\u00a0\u00a0\u00a0 prot opt source\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 destination
\nREDIRECT\u00a0\u00a0 tcp\u00a0\u00a0—\u00a0\u00a0anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tcp dpt:http redir ports 3128<\/p>\n
\ntarget\u00a0\u00a0\u00a0\u00a0 prot opt source\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 destination<\/p>\n
\ntarget\u00a0\u00a0\u00a0\u00a0 prot opt source\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 destination<\/p>\n
\ntarget\u00a0\u00a0\u00a0\u00a0 prot opt source\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 destination
\nMASQUERADE\u00a0\u00a0all\u00a0\u00a0—\u00a0\u00a0anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere <\/samp><\/p>\n<\/div>\nCONFIGURA\u00c7\u00c3O DO SQUID<\/h1>\n
\n#<\/span>
\n# Inicio do arquivo<\/span>
\n# Configuracoes basicas<\/span>
\nhttp_port 3128 transparent
\nvisible_hostname onix.arm<\/p>\n
\nerror_directory \/usr\/share\/squid3\/errors\/pt-br
\nacl all src<\/p>\n
\nacl SSL_ports port 443 563 873
\nacl Safe_ports port 80 # http
\nacl Safe_ports port 21 # FTP
\nacl Safe_ports port 443 563 873 # https,News
\nacl Safe_ports port 70 # gopher
\nacl Safe_ports port 210 # wais
\nacl Safe_ports port 280 # http-mgmt
\nacl Safe_ports port 488 # gss-http
\nacl Safe_ports port 591 # filemaker
\nacl Safe_ports port 777 # multiling http
\nacl Safe_ports port 901 # swat
\nacl Safe_ports port 1025-65535 # Portas altas
\nacl purge method PURGE
\nacl CONNECT method CONNECT<\/p>\n
\nhttp_access deny manager
\nhttp_access allow purge localhost
\nhttp_access deny purge
\nhttp_access deny !Safe_ports
\nhttp_access deny CONNECT !SSL_ports<\/p>\n
\ncache_dir ufs \/var\/spool\/squid3 820 16 256
\nmaximum_object_size_in_memory 52 KB
\nmaximum_object_size 512 KB
\nminimum_object_size 10 KB
\ncache_swap_low 85
\ncache_swap_high 95
\nrefresh_pattern ^ftp: 15 20% 2280
\nrefresh_pattern ^gopher: 15 0% 2280
\nrefresh_pattern . 15 20% 2280<\/p>\n
\ncache_access_log \/var\/log\/squid3\/access.log
\ncache_log \/var\/log\/squid3\/cache.log
\ncache_swap_log \/var\/log\/squid3\/swap.log
\nlogformat squid3 %ts.%03tu %6tr %>a %Ss\/%03Hs %<st %rm %ru %un %Sh\/%<A %mt
\ncache_mgr onix.arm@onix.com # Email da p\u00e1gina de erro do Squid<\/p>\n
\nhttp_access allow redelocal
\nhttp_access deny all<\/p><\/div>\n
\n\u25cf squid3.service – LSB: Squid HTTP Proxy version 3.x
\nLoaded: loaded (\/etc\/init.d\/squid3)
\nActive: active (running) since Seg 2015-07-13 23:44:12 BRT; 4s ago
\nProcess: 1531 ExecStop=\/etc\/init.d\/squid3 stop (code=exited, status=0\/SUCCESS)
\nProcess: 1554 ExecStart=\/etc\/init.d\/squid3 start (code=exited, status=0\/SUCCESS)
\nCGroup: \/system.slice\/squid3.service
\n\u251c\u25001590 \/usr\/sbin\/squid3 -YC -f \/etc\/squid3\/squid.conf
\n\u251c\u25001592 (squid-1) -YC -f \/etc\/squid3\/squid.conf
\n\u251c\u25001593 (unlinkd)
\n\u2514\u25001594 (pinger)<\/p>\n
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/07
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/08
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/09
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/0A
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/0B
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/0C
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/0D
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/0E
\nJul 13 23:44:12 onix squid3[1554]: 2015\/07\/13 23:44:12 kid1| Making directories in \/var\/spool\/squid3\/0F <\/samp><\/p>\nACCESS CONTROL LIST<\/h1>\n
\n
A POSSIBILIDADE DE COMPILA\u00c7\u00c3O PARA ESCUTA DA PORTA 443 (HTTPS)<\/h1>\n
\n# make all && make install<\/strong><\/p>\n
\nhttps_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=\/etc\/squid3\/ssl_cert\/onix.pem
\nacl broken_sites dstdomain .example.com
\nssl_bump none localhost
\nssl_bump none broken_sites
\nssl_bump server-first all
\nsslcrtd_program \/lib\/squid3\/ssl_crtd -s \/var\/lib\/ssl_db -M 4MB
\nsslcrtd_children 5<\/div>\n
\n# cd ssl_cert\/<\/strong>
\n# openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout onix.pem -out onix.pem<\/strong><\/p>\n#!\/bin\/bash\r\n### BEGIN INIT INFO\r\n# Provides: Script Firewall\r\n# Required-Start: $remote_fs $syslog\r\n# Required-Stop: $remote_fs $syslog\r\n# Default-Start: 2 3 4 5\r\n# Default-Stop:\r\n# Short-Decription: Script Firewall based on Iptables\r\n### END INIT INFO\r\n\r\n# Clean modules\r\niptables -Fd \/etc\r\niptables -t nat -F\r\niptables -t mangle -F\r\n\r\n# Proxy\r\niptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128\r\niptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3127\r\n\r\n# Masquerading IP\r\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\n\r\n# Forward\r\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward\r\n<\/pre>\n
\n\u25cf squid3.service – LSB: Squid HTTP Proxy version 3.x
\nLoaded: loaded (\/etc\/init.d\/squid3)
\nActive: active (running) since Seg 2015-07-20 15:39:45 BRT; 3s ago
\nProcess: 9493 ExecStop=\/etc\/init.d\/squid3 stop (code=exited, status=0\/SUCCESS)
\nProcess: 9552 ExecStart=\/etc\/init.d\/squid3 start (code=exited, status=0\/SUCCESS)
\nCGroup: \/system.slice\/squid3.service
\n\u251c\u25001452 \/usr\/sbin\/squid3 -YC -f \/etc\/squid3\/squid.conf
\n\u251c\u25001454 (squid-1) -YC -f \/etc\/squid3\/squid.conf
\n\u251c\u25001456 (logfile-daemon) \/var\/log\/squid3\/access.log
\n\u2514\u25001469 (pinger)<\/p>\n
\nJul 20 15:39:45 onix squid3[9552]: 2015\/07\/20 15:39:45| Squid is already running! Process ID 1454
\nJul 20 15:39:45 onix squid3[9552]: . <\/samp><\/p>\n
\n1437524554.277\u00a0\u00a0\u00a0\u00a0180 172.16.222.41 TCP_MISS\/200 642 GET https:\/\/www.google.com.br\/url? – ORIGINAL_DST\/74.125.196.94 text\/html
\n1437524554.277\u00a0\u00a0\u00a0\u00a0180 172.16.222.41 TCP_MISS\/200 642 GET https:\/\/www.google.com.br\/url? – ORIGINAL_DST\/74.125.196.94 text\/html
\n1437524560.693\u00a0\u00a0\u00a0\u00a0731 172.16.222.41 TAG_NONE\/200 0 CONNECT 157.56.172.28:443 – ORIGINAL_DST\/157.56.172.28 –
\n1437524560.693\u00a0\u00a0\u00a0\u00a0731 172.16.222.41 TAG_NONE\/200 0 CONNECT 157.56.172.28:443 – ORIGINAL_DST\/157.56.172.28 –
\n1437524570.129\u00a0\u00a0 9412 172.16.222.41 TCP_MISS\/302 1999 GET https:\/\/www.live.com\/ – ORIGINAL_DST\/157.56.172.28 text\/html
\n1437524570.129\u00a0\u00a0 9412 172.16.222.41 TCP_MISS\/302 1999 GET https:\/\/www.live.com\/ – ORIGINAL_DST\/157.56.172.28 text\/html
\n1437524580.790\u00a0\u00a0\u00a0\u00a0911 172.16.222.41 TAG_NONE\/200 0 CONNECT 131.253.61.66:443 – ORIGINAL_DST\/131.253.61.66 –
\n1437524580.790\u00a0\u00a0\u00a0\u00a0911 172.16.222.41 TAG_NONE\/200 0 CONNECT 131.253.61.66:443 – ORIGINAL_DST\/131.253.61.66 –
\n1437524590.058\u00a0\u00a0 9250 172.16.222.41 TCP_MISS\/200 9920 GET https:\/\/login.live.com\/login.srf? – ORIGINAL_DST\/131.253.61.66 text\/html
\n1437524590.058\u00a0\u00a0 9250 172.16.222.41 TCP_MISS\/200 9920 GET https:\/\/login.live.com\/login.srf? – ORIGINAL_DST\/131.253.61.66 text\/html <\/samp><\/p>\nAJUSTES PARA SARG GERAR OS RELAT\u00d3RIOS DE ACESSO \/ CONCLUS\u00c3O<\/h1>\n
\naccess_log \/var\/log\/squid3\/access.log
\n# TAG: output_dir<\/span>
\noutput_dir \/var\/www\/html\/squid-reports
\n#output_dir \/var\/lib\/sarg<\/span>
\n# TAG: charset<\/span>
\ncharset UTF-8<\/div>\n\n
CONCLUS\u00c3O<\/h1>\n
\n
\n