Здравствуйте!
У меня следующая проблема. Есть сервер Ubuntu 12.04, squid3+sams2, сделаны настройки iptables. Все работает, пользователи выходят в инет через proxy, собирается статистика и т.п.
Но как выяснилось, при попытке с любого рабочего места сделать ping до какого либо ресурса - пинга нет. nslookup так же не определяет имя. На рабочих местах шлюзом прописан прокси, DNS - полученные от провайдера.
На прокси:
eth0 - смотрит в инет и получает сетевые настройки по DHCP
eth1 - смотрит в локалку 192.168.2.0 /24 и имеет ip 192.168.2.222
С самого proxy все пингуется и по имени и по ip
Подскажите, как и где на proxy открыть пинги для клиентских компьютеров?
Вот мои настройки iptables:
#!/bin/shecho 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
iptables -A INPUT -p tcp -i eth0 -m tcp --dport 22 -j DROP
iptables -A INPUT -p tcp -i eth0 -m tcp --dport 80 -j DROP
iptables -A INPUT -p tcp -i eth0 -m tcp --dport 8080 -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP
А вот конфиг squid3:
# WELCOME TO SQUID 3.1.19
# ----------------------------
#
# TAG: dns_testnames
# Remove this line. DNS is no longer tested on startup.
#Default:
# none
# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
##
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/sams2.ncsa
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# Recommended minimum configuration:
#
#acl all src all
acl Sams2Time1 time MTWHFAS 00:00-23:59
acl Sams2Template5 proxy_auth 8567pak_am
acl Sams2Template5 proxy_auth 8567shakin_sa
acl Sams2Template8 proxy_auth 8567sadykov_di
acl Sams2Template11 proxy_auth dr_update
acl Sams2Template11 proxy_auth win_update
acl manager proto cache_object
acl localhost src 127.0.0.1/32 #::1
acl to_localhost dst 127.0.0.0/8 #0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl ip_disable src "/etc/squid3/ip_disable"
http_access deny ip_disable
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 87 # UDP
acl CONNECT method CONNECT
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" entry at the end of your access
# lists to avoid potential confusion.
#
# This clause supports both fast and slow acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
#Default:
# http_access deny all
#
# Setup Sams2 HTTP Access here
http_access allow Sams2Template5
http_access allow Sams2Template8
http_access allow Sams2Template11
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
#http_access allow purge localhost
#http_access deny purge
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
# This clause only supports fast acl types.
# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow ICP queries from local networks only
##icp_access allow localnet
##icp_access deny all
#Default:
icp_access allow localnet
icp_access deny all
#
# Squid normally listens to port 3128
http_port 192.168.2.222:3128
# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
#
# Example:
# hierarchy_stoplist cgi-bin ?
#
# Note: never_direct overrides this option.
#Default:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#Default:
cache_mem 64 MB
# TAG: maximum_object_size_in_memory (bytes)
# Objects greater than this size will not be attempted to kept in
# the memory cache. This should be set high enough to keep objects
# accessed frequently in memory to improve performance whilst low
# enough to keep larger objects from hoarding cache_mem.
#Default:
maximum_object_size_in_memory 5000 KB
# TAG: memory_replacement_policy
# The memory replacement policy parameter determines which
# objects are purged from memory when memory space is needed.
#
# See cache_replacement_policy for details.
#Default:
memory_replacement_policy lru
#Default:
cache_replacement_policy heap LRU
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid3 4096 16 256
# TAG: store_dir_select_algorithm
# Set this to 'round-robin' as an alternative.
#Default:
store_dir_select_algorithm least-load
#Default:
maximum_object_size 10240 KB
# TAG: cache_swap_low (percent, 0-100)
#Default:
cache_swap_low 90
# TAG: cache_swap_high (percent, 0-100)
#
# The low- and high-water marks for cache object replacement.
# Replacement begins when the swap (disk) usage is above the
# low-water mark and attempts to maintain utilization near the
# low-water mark. As swap utilization gets close to high-water
# mark object eviction becomes more aggressive. If utilization is
# close to the low-water mark less replacement is done each time.
#
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
#Default:
cache_swap_high 95
#Default:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# Default:
# access_log /var/log/squid3/access.log squid
#Default:
access_log /var/log/squid3/access.log squid
# Example:
# cache_store_log /var/log/squid3/store.log
#Default:
cache_store_log /var/log/squid3/store.log
# zero, since it includes external logfile-rotation methods.
#Default:
logfile_rotate 0
# A filename to write the process-id to. To disable, enter "none".
#Default:
pid_filename /var/run/squid3.pid
# TAG: buffered_logs on|off
# cache.log log file is written with stdio functions, and as such
# it can be buffered or unbuffered. By default it will be unbuffered.
# Buffering it can speed up the writing slightly (though you are
# unlikely to need to worry unless you run with tons of debugging
# enabled in which case performance will suffer badly anyway..).
#Default:
buffered_logs on
#Default:
cache_log /var/log/squid3/cache.log
#Default:
coredump_dir /var/spool/squid3
#
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3
#Default:
url_rewrite_program /usr/local/bin/samsredir
# TAG: url_rewrite_children
# The number of redirector processes to spawn. If you start
# too few Squid will have to wait for them to process a backlog of
# URLs, slowing it down. If you start too many they will use RAM
# and other system resources.
#Default:
url_rewrite_children 5
#Default:
# none
acl Sams2Proxy dst 192.168.2.222
url_rewrite_access deny Sams2Proxy
# TAG: url_rewrite_bypass
# When this is 'on', a request will not go through the
# redirector if all redirectors are busy. If this is 'off'
# and the redirector queue grows too large, Squid will exit
# with a FATAL error and ask you to increase the number of
# redirectors. You should only enable this if the redirectors
# are not critical to your caching system. If you use
# redirectors for access control, and you enable this option,
# users may have access to pages they should not
# be allowed to request.
#Default:
# url_rewrite_bypass off
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# example lin deb packages
#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 0 20% 4320
#Default:
half_closed_clients off
#Example:
#ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
#ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
#Default:
# cache_dns_program /usr/lib/squid3/dnsserver
# TAG: dns_children
# Note: This option is only available if Squid is rebuilt with the
# --disable-internal-dns option
#
# The number of processes spawn to service DNS name lookups.
# For heavily loaded caches on large servers, you should
# probably increase this value to at least 10. The maximum
# is 32. The default is 5.
#
# You must have at least one dnsserver process.
#Default:
# dns_children 5
# TAG: dns_retransmit_interval
# Initial retransmit interval for DNS queries. The interval is
# doubled each time all configured DNS servers have been tried.
#
#Default:
# dns_retransmit_interval 5 seconds
# TAG: dns_timeout
# DNS Query timeout. If no response is received to a DNS query
# within this time all DNS servers for the queried domain
# are assumed to be unavailable.
#Default:
# dns_timeout 2 minutes
# TAG: dns_defnames on|off
# Normally the RES_DEFNAMES resolver option is disabled
# (see res_init(3)). This prevents caches in a hierarchy
# from interpreting single-component hostnames locally. To allow
# Squid to handle single-component names, enable this option.
#Default:
# dns_defnames off
# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers are
# taken from the Windows registry, both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#Default:
#dns_nameservers 217.148.193.18 217.148.195.1 188.168.64.254 188.168.65.254
#Default:
hosts_file /etc/hosts