GeisonRDS

Boa noite galera, precisei criar um servidor proxy utilizando um notebook Acer que é a única máquina disponível que possuo e estou com dificuldades em acesso a internet com os clientes wifi. O notebook é um Acer com 3gb de ram, processador core i3, 240gb de disco, placa de rede ethernet e uma placa de rede wifi usb. A minha ideia era criar um servidor proxy que distribuiria a internet pela placa wifi usb, então instalei o Centos 7 conectei o cado do modem da mina operadora de internet no notebook e pluguei a placa wifi usb. A placa ethernet que está plugada no modem da operadora ficou assim: placa enp2s0f0 IP 192.168.2.1 A placa wifi usb configurei como access pint e ficou assim: IP 192.168.1.1 Gateway 192.168.2.1 DNS 8.8.8.8 DNS 8.8.4.4 Depois de configurar as placas de rede instalei o squid, o dhcp e configurei o iptables, consigo conectar na rede wifi mas não tenho acesso a internet já fiz várias alterações no squid.conf, no script do iptables e não consigo acessar a internet, não tenho experiência em redes e acredito que possa ter cometido algum erro, já pesquisei em vários foruns e blogs e não consegui resolver o problema, abaixo está o script do firewall iptables e os arquivos de configuração do squid e do dhcp. Agradeço a ajuda. firewall iptables #!/bin/bash iniciar_firewall(){ echo "################################################" echo "# SCRIPT FIREWALL - COMPARTILHAMENTO DE REDE #" echo "################################################" externa="enp2s0f0" interna="wlp0s29u1u2" rede_interna="192.168.1.0/24" echo "Interface Rede Externa .......................... "$externa echo "Interface Rede Interna .......................... "$interna echo "Faixa de IP Rede Interna ........................ "$rede_interna echo "Limpando Politicas .............................. [ OK ]" iptables -X iptables -Z iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD iptables -F -t nat iptables -F -t filter iptables -F -t mangle echo "Aplicando nova politica ......................... [ OK ]" iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP echo "Ativa Modulos Basicos ........................... [ OK ]" modprobe ip_tables modprobe ip_conntrack modprobe iptable_filter modprobe iptable_mangle modprobe iptable_nat modprobe ipt_LOG modprobe ipt_limit modprobe ipt_state modprobe ipt_REDIRECT modprobe ipt_owner modprobe ipt_REJECT modprobe ipt_MASQUERADE modprobe ip_conntrack_ftp modprobe ip_nat_ftp echo "Roteamento de Kernal ............................ [ OK ]" echo 1 > /proc/sys/net/ipv4/ip_forward echo "Compartilhar Internet ........................... [ OK ]" iptables -t nat -A POSTROUTING -o $externa -j MASQUERADE echo "Mantendo conexões estabelecidas ................. [ OK ]" iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT echo "Logs de bloqueios ............................... [ OK ]" iptables -A INPUT -j LOG iptables -A OUTPUT -j LOG iptables -A FORWARD -j LOG echo "Regras DNAT para servidor WEB ................... [ OK ]" iptables -t nat -A PREROUTING -i $externa -p tcp --dport 80 -j DNAT --to 192.168.1.1:80 #REGRAS FORWARD echo "Permite ping pra Rede Externa ................... [ OK ]" iptables -A FORWARD -i $interna -o $externa -p icmp -j ACCEPT echo "Permite conexões da Rede Interna pra Externa .... [ OK ]" iptables -A FORWARD -i $interna -o $externa -p tcp -m multiport --dports 80,443,3128,110,20,21,587,995,143,22,3389,25,5900,5100,3389 -j ACCEPT echo "Regras cliente .................................. [ OK ]" iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -j ACCEPT echo "Regras servidor ................................. [ OK ]" iptables -A INPUT -p tcp -i $interna --dport 22 -j ACCEPT iptables -A INPUT -p tcp -i $interna -m multiport --dports 3128,443,445,113,80,587,25,22,110,53,139,5900,5100,3389 -j ACCEPT iptables -A INPUT -p udp -i $interna -m multiport --dports 53,110,67,68,137,113,443,138 -j ACCEPT echo "Redirecionamento de porta ....................... [ OK ]" iptables -t nat -A PREROUTING -i $interna -p tcp --dport 80 -j REDIRECT --to-port 3128 echo "Permite conexões loopback ....................... [ OK ]" iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT echo "##################### SEGURANÇA ########################" echo "Segurança contra IP Spoofing .................... [ OK ]" echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter iptables -A INPUT -m state --state INVALID -j DROP echo "Proteção contra alteração de rota ............... [ OK ]" echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo "Proteção contra alteração de caminho ............ [ OK ]" echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route echo "Proteção contra responses bogus ................. [ OK ]" echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo "Bloqueando traceroute ........................... [ OK ]" iptables -A INPUT -p udp -s 0/0 -i $interna --dport 33435:33525 -j DROP echo "Proteção para SYN flood ......................... [ OK ]" echo 1 > /proc/sys/net/ipv4/tcp_syncookies iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -p tcp --syn -j DROP echo "Negando portas invalidas (trojans, trinoo) ...... [ OK ]" iptables -A INPUT -p tcp -i $externa -m multiport --dports 666,4000,6000,6006,16660,27444,27665,31335,34555,35555 -j DROP iptables -A INPUT -p tcp -i $interna -m multiport --dports 1433,6670,6711,6712,6713,12345,12346,20034,31337,6000 -j DROP echo "Proteção contra telnet .......................... [ OK ]" iptables -A INPUT -p TCP -i $externa --dport telnet -j DROP echo "Dropando pacotes TCP indesejaveis ............... [ OK ]" iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP echo "Proteção contra worms ........................... [ OK ]" iptables -A FORWARD -p tcp --dport 135 -i $externa -j REJECT echo "Proteção contra ICMP Broadcasting ............... [ OK ]" echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "Proteção contra Port Scanners ocultos ........... [ OK ]" iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT echo "Proteção contra Ping da morte ................... [ OK ]" iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT echo "Proteção contra IP Spoofing ..................... [ OK ]" iptables -A INPUT -s 172.16.0.0/12 -i $externa -j DROP iptables -A INPUT -s 127.0.0.0/8 -i $externa -j DROP iptables -A INPUT -s 10.0.0.0/8 -i $externa -j DROP iptables -A INPUT -s 192.168.0.0/16 -i $externa -j DROP echo "Bloqueando Pacotes Fragmentados.................. [ OK ]" iptables -A INPUT -i $externa -f -j LOG --log-prefix "Pacote Fragmentado: " iptables -A INPUT -i $externa -f -j DROP iptables -A INPUT -i $interna -f -j LOG --log-prefix "Pacote Fragmentado: " iptables -A INPUT -i $interna -f -j DROP } parar_firewall(){ echo "Parando Firewall ................................ [ OK ]" iptables -X iptables -F iptables -t nat -F iptables -t filter -F iptables -t mangle -F echo "Liberando Politicas ............................. [ OK ]" iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT echo "Parando ................................ [ OK ]" echo 0 > /proc/sys/net/ipv4/ip_forward echo "Firewall Desativado............................. [ OK ]" } case "$1" in "start") iniciar_firewall ;; "stop") parar_firewall ;; "restart") parar_firewall; iniciar_firewall;; *) echo "Use os parametros | start | stop | restart |" esac squid.conf # # Recommended minimum configuration: # # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Deny requests to certain unsafe ports #http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # Only allow cachemgr access from localhost http_access allow localhost manager # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy http_access deny all # Squid normally listens to port 3128 http_port 3128 transparent # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /var/spool/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /var/spool/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 dhcpd.conf # # DHCP Server Configuration file. # see /usr/share/doc/dhcp*/dhcpd.conf.example # see dhcpd.conf(5) man page # ####Our basic DHCP example configuration ####Our Domain option domain-name "fpv.local"; ####The DNS servers for name resolution option domain-name-servers 8.8.8.8; ####Our IP Lease time default-lease-time 600; max-lease-time 7200; ####Use this to enble / disable dynamic dns updates globally. ddns-update-style none; #### This DHCP server is the official DHCP server for the local network. authoritative; #### Use this to send dhcp log messages to a different log file (you also #### have to hack syslog.conf to complete the redirection). log-facility local7; #### Our Subnet, IP address Pool and gateway/router subnet 192.168.1.0 netmask 255.255.255.0 { range dynamic-bootp 192.168.1.10 192.168.1.253; option broadcast-address 192.168.1.255; option routers 192.168.1.254; } #### Use this to send dhcp log messages to a different log file (you also #### have to hack syslog.conf to complete the redirection). log-facility local7; #### Our Subnet, IP address Pool and gateway/router subnet 192.168.1.0 netmask 255.255.255.0 { range dynamic-bootp 192.168.1.10 192.168.1.253; option broadcast-address 192.168.1.255; option routers 192.168.1.254; }