Un proxy HTTP avec Squid et SquidGuard

# aptitude install squid3 squidclient squidguard
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Lecture de l'information d'état étendu
Initialisation de l'état des paquets... Fait
Les NOUVEAUX paquets suivants vont être installés :
  squid3 squid3-common{a} squidclient squidguard
0 paquets mis à jour, 4 nouvellement installés, 0 à enlever et 0 non mis à jour.
Il est nécessaire de télécharger 1449ko d'archives. Après dépaquetage, 7881ko seront utilisés.
Voulez-vous continuer ? [Y/n/?]
Écriture de l'information d'état étendu... Fait
Prendre : 1 http://ftp.fr.debian.org testing/main squid3-common 3.0.STABLE8-1 [289kB]
Prendre : 2 http://ftp.fr.debian.org testing/main squid3 3.0.STABLE8-1 [936kB]
Prendre : 3 http://ftp.fr.debian.org testing/main squidclient 3.0.STABLE8-1 [87,4kB]
Prendre : 4 http://ftp.fr.debian.org testing/main squidguard 1.2.0-8.4 [136kB]
 1449ko téléchargés en 1s (1204ko/s)
Préconfiguration des paquets...
Sélection du paquet squid3-common précédemment désélectionné.
(Lecture de la base de données... 52990 fichiers et répertoires déjà installés.)
Dépaquetage de squid3-common (à partir de .../squid3-common_3.0.STABLE8-1_all.deb) ...
Sélection du paquet squid3 précédemment désélectionné.
Dépaquetage de squid3 (à partir de .../squid3_3.0.STABLE8-1_i386.deb) ...
Sélection du paquet squidclient précédemment désélectionné.
Dépaquetage de squidclient (à partir de .../squidclient_3.0.STABLE8-1_i386.deb) ...
Sélection du paquet squidguard précédemment désélectionné.
Dépaquetage de squidguard (à partir de .../squidguard_1.2.0-8.4_i386.deb) ...
Traitement des actions différées (« triggers ») pour « man-db »...
Paramétrage de squid3-common (3.0.STABLE8-1) ...
Paramétrage de squid3 (3.0.STABLE8-1) ...
Creating Squid HTTP proxy 3.0 spool directory structure
2008/10/30 18:44:57| Creating Swap Directories
2008/10/30 18:44:57| /var/spool/squid3 exists
2008/10/30 18:44:57| Making directories in /var/spool/squid3/00
2008/10/30 18:44:57| Making directories in /var/spool/squid3/01
2008/10/30 18:44:57| Making directories in /var/spool/squid3/02
2008/10/30 18:44:57| Making directories in /var/spool/squid3/03
2008/10/30 18:44:57| Making directories in /var/spool/squid3/04
2008/10/30 18:44:57| Making directories in /var/spool/squid3/05
2008/10/30 18:44:57| Making directories in /var/spool/squid3/06
2008/10/30 18:44:57| Making directories in /var/spool/squid3/07
2008/10/30 18:44:57| Making directories in /var/spool/squid3/08
2008/10/30 18:44:57| Making directories in /var/spool/squid3/09
2008/10/30 18:44:57| Making directories in /var/spool/squid3/0A
2008/10/30 18:44:57| Making directories in /var/spool/squid3/0B
2008/10/30 18:44:57| Making directories in /var/spool/squid3/0C
2008/10/30 18:44:57| Making directories in /var/spool/squid3/0D
2008/10/30 18:44:58| Making directories in /var/spool/squid3/0E
2008/10/30 18:44:58| Making directories in /var/spool/squid3/0F
Restarting Squid HTTP Proxy 3.0: squid3.
Paramétrage de squidclient (3.0.STABLE8-1) ...
Paramétrage de squidguard (1.2.0-8.4) ...
/usr/sbin/update-squidguard not run automatically
Check Debconf settings for squidguard to change
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Lecture de l'information d'état étendu
Initialisation de l'état des paquets... Fait
Écriture de l'information d'état étendu... Fait

# mv /etc/squid/squidGuard.conf /etc/squid3/
# rm -rf /etc/squid
# ln -s /etc/squid3 /etc/squid
# ll /etc/ | grep squid
lrwxrwxrwx 1 root   root     11 nov  2 16:43 squid -> /etc/squid3
drwxr-xr-x 2 root   root   1,0K nov  2 16:42 squid3

# ll /etc/squid3/
total 162K
-rw-r--r-- 1 root root  421 jui 21 10:01 msntauth.conf
-rw-r--r-- 1 root root 158K jui 21 10:00 squid.conf
-rw-r--r-- 1 root root 1,3K jui 23 14:28 squidGuard.conf

$ diff -uBb /etc/squid3/squid.conf squid.conf.new 

--- /etc/squid3/squid.conf      2008-07-21 12:31:32.000000000 +0200
+++ squid.conf.new      2008-11-08 19:28:18.000000000 +0100
@@ -579,6 +579,7 @@
 #
 #Recommended minimum configuration:
 acl manager proto cache_object
+acl mynetworks src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 acl localhost src 127.0.0.1/32
 acl to_localhost dst 127.0.0.0/8
 #
@@ -644,6 +645,7 @@
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
 #http_access allow localnet
+http_access allow mynetworks
 http_access allow localhost
 
 # And finally deny all other access to this proxy
@@ -677,6 +679,7 @@
 #
 #Allow ICP queries from local networks only
 #icp_access allow localnet
+icp_access allow mynetworks
 icp_access deny all
 
 #  TAG: htcp_access
@@ -867,7 +870,7 @@
 #      visible on the internal address.
 #
 # Squid normally listens to port 3128
-http_port 3128
+http_port 3128 transparent
 
 #  TAG: https_port
 # Note: This option is only available if Squid is rebuilt with the
@@ -1564,6 +1567,7 @@
 #
 #Default:
 # cache_mem 8 MB
+cache_mem 64 MB
 
 #  TAG: maximum_object_size_in_memory  (bytes)
 #      Objects greater than this size will not be attempted to kept in
@@ -1573,6 +1577,7 @@
 #
 #Default:
 # maximum_object_size_in_memory 8 KB
+maximum_object_size_in_memory 128 KB
 
 #  TAG: memory_replacement_policy
 #      The memory replacement policy parameter determines which
@@ -1582,7 +1587,7 @@
 #
 #Default:
 # memory_replacement_policy lru
-
+memory_replacement_policy heap LFUDA
 
 # DISK CACHE OPTIONS
 # -----------------------------------------------------------------------------
@@ -1624,6 +1629,7 @@
 #
 #Default:
 # cache_replacement_policy lru
+cache_replacement_policy heap LFUDA
 
 #  TAG: cache_dir
 #      Usage:
@@ -1731,6 +1737,7 @@
 #
 #Default:
 # cache_dir ufs /var/spool/squid3 100 16 256
+cache_dir aufs /var/spool/squid3 16384 16 256
 
 #  TAG: store_dir_select_algorithm
 #      Set this to 'round-robin' as an alternative.
@@ -2211,6 +2218,7 @@
 #
 #Default:
 # none
+url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 
 #  TAG: url_rewrite_children
 #      The number of redirector processes to spawn. If you start
@@ -2220,6 +2228,7 @@
 #
 #Default:
 # url_rewrite_children 5
+url_rewrite_children 20
 
 #  TAG: url_rewrite_concurrency
 #      The number of requests each redirector helper can handle in
@@ -2509,6 +2518,7 @@
 #
 #Default:
 # request_header_max_size 20 KB
+request_header_max_size 32 KB
 
 #  TAG: reply_header_max_size  (KB)
 #      This specifies the maximum size for HTTP headers in a reply.
@@ -2519,6 +2529,7 @@
 #
 #Default:
 # reply_header_max_size 20 KB
+reply_header_max_size 32 KB
 
 #  TAG: request_body_max_size  (bytes)
 #      This specifies the maximum size for an HTTP request body.
@@ -4001,6 +4012,8 @@
 #
 #Default:
 # none
+acl debian dstdomain .debian.org
+always_direct allow debian
 
 #  TAG: never_direct
 #      Usage: never_direct allow|deny [!]aclname ...
@@ -4690,7 +4703,7 @@
 #      reasons.
 #
 #Default:
-# pipeline_prefetch off
+pipeline_prefetch on
 
 #  TAG: high_response_time_warning     (msec)
 #      If the one-minute median response time exceeds this value,

# cp /etc/squid/squid.conf /etc/squid/squid.conf.dpkg-dist
# patch -l -p0 /etc/squid/squid.conf squid.conf.patch
patching file /etc/squid/squid.conf

# ll /etc/squid/
total 336K
-rw-r--r-- 1 root root  421 jui 21 12:31 msntauth.conf
-rw-r--r-- 1 root root 158K nov  8 19:40 squid.conf
-rw-r--r-- 1 root root 158K nov  8 19:40 squid.conf.dpkg-dist
-rw-r--r-- 1 root root 1,3K jui 24 23:15 squidGuard.conf

$ diff -uBb /etc/squid3/squidGuard.conf squidGuard.conf.new 

--- squidGuard.conf.dpkg-dist   2008-11-10 11:17:36.000000000 +0100
+++ squidGuard.conf.new 2008-11-10 11:15:29.000000000 +0100
@@ -3,7 +3,7 @@
 #
 
 dbhome /var/lib/squidguard/db
-logdir /var/log/squid
+logdir /var/log/squid3
 
 #
 # TIME RULES:
@@ -46,19 +46,106 @@
 # DESTINATION CLASSES:
 #
 
-dest good {
+dest adult {
+       domainlist      adult/domains
+       expressionlist  adult/expressions
+       urllist         adult/urls
 }
 
-dest local {
+dest agressif {
+       domainlist      agressif/domains
+       expressionlist  agressif/expressions
+       urllist         agressif/urls
 }
 
-#dest adult {
-#      domainlist      adult/domains
-#      urllist         adult/urls
-#      expressionlist  adult/expressions
-#      redirect        http://admin.foo.bar.no/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
-#}
+dest astrology {
+       domainlist      astrology/domains
+       urllist         astrology/urls
+}
+
+dest dangerous_material {
+       domainlist      dangerous_material/domains
+       urllist         dangerous_material/urls
+}
+
+dest drogue {
+       domainlist      drogue/domains
+       urllist         drogue/urls
+}
+
+dest financial {
+       domainlist      financial/domains
+       urllist         financial/urls
+}
+
+dest forums {
+       domainlist      forums/domains
+       urllist         forums/urls
+}
+
+dest gambling {
+       domainlist      gambling/domains
+       urllist         gambling/urls
+}
+
+dest games {
+       domainlist      games/domains
+       urllist         games/urls
+}
+
+dest hacking {
+       domainlist      hacking/domains
+       urllist         hacking/urls
+}
+
+dest malware {
+       domainlist      malware/domains
+}
 
+dest marketingware {
+       domainlist      marketingware/domains
+}
+
+dest mixed_adult {
+       domainlist      mixed_adult/domains
+}
+
+dest phishing {
+       domainlist      phishing/domains
+}
+
+dest redirector {
+       domainlist      redirector/domains
+       expressionlist  redirector/expressions
+       urllist         redirector/urls
+}
+
+dest sect {
+       domainlist      sect/domains
+       urllist         sect/urls
+}
+
+dest strict_redirector {
+       domainlist      strict_redirector/domains
+       expressionlist  strict_redirector/expressions
+       urllist         strict_redirector/urls
+}
+
+dest strong_redirector {
+       domainlist      strong_redirector/domains
+       expressionlist  strong_redirector/expressions
+       urllist         strong_redirector/urls
+}
+
+dest warez {
+       domainlist      warez/domains
+       expressionlist  warez/expressions
+       urllist         warez/urls
+}
+
+dest white {
+        domainlist      white/domains
+}
 
 acl {
 #      admin {
@@ -76,8 +163,13 @@
 #      }
 
        default {
-               pass     local none
+               pass    white 
+               pass    !adult !agressif !astrology !dangerous_material !drogue
+               pass    !financial !forums !gambling !games !hacking !malware
+               pass    !marketingware !mixed_adult !phishing !redirector !sect
+               pass    !strict_redirector !strong_redirector !warez all
+
 #              rewrite  dmz
-#              redirect http://admin.foo.bar.no/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
+               redirect http://www.stri/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
        }
 }

$ cd /var/tmp/
$ wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
----  ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
           => `blacklists.tar.gz'
Résolution de ftp.univ-tlse1.fr... 193.49.48.249
Connexion vers ftp.univ-tlse1.fr|193.49.48.249|:21...connecté.
Ouverture de session en anonymous...Session établie!
==> SYST ... complété.    ==> PWD ... complété.
==> TYPE I ... complété.  ==> CWD /pub/reseau/cache/squidguard_contrib ... complété.
==> SIZE blacklists.tar.gz ... 5805255
==> PASV ... complété.    ==> RETR blacklists.tar.gz ... complété.
Taille: 5805255 (5,5M)

100%[===============================================>] 5 805 255   25,4M/s   in 0,2s

(25,4 MB/s) - « blacklists.tar.gz » sauvegardé [5805255]

$ tar xf blacklists.tar.gz

# mv blacklists/* /var/lib/squidguard/db/

# update-squidguard
Double checking directory and file permissions...done!
Re-building SquidGuard db files...done!
Reloading Squid...done!

#!/bin/sh

cd /var/tmp
rm -rf blacklist* >/dev/null 2>&1
wget -q ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz

if [ -f /var/tmp/blacklists.tar.gz ]; then
        tar xf blacklists.tar.gz
        cp -au blacklists/* /var/lib/squidguard/db/ >/dev/null 2>&1
        /usr/sbin/update-squidguard >/dev/null 2>&1
fi

#! /bin/sh
# db update script for Chastity
#

echo -n "Double checking directory and file permissions..."
chown -R proxy.proxy /var/lib/squidguard/db >/dev/null 2>&1
chmod 2770 /var/lib/squidguard/db >/dev/null 2>&1
echo "done!"
echo -n "Re-building SquidGuard db files..."
su - proxy -c "squidGuard -C all" >/dev/null 2>&1
su - proxy -c "squidGuard -u" >/dev/null 2>&1
echo "done!"
if [ -e /etc/init.d/squid3 ]; then
        echo -n "Reloading Squid..."
        /etc/init.d/squid3 reload >/dev/null 2>&1
        echo "done!"
fi

# cd /usr/lib/cgi-bin/
# cp /usr/share/doc/squidguard/examples/squidGuard.cgi.gz .
# gzip -d squidGuard.cgi.gz
# iconv -f iso8859-1 -t utf8 /usr/lib/cgi-bin/squidGuard.cgi >squidGuard.cgi.tmp
# mv squidGuard.cgi.tmp /usr/lib/cgi-bin/squidGuard.cgi
# chmod +x squidGuard.cgi

$ diff -uBb squidGuard.cgi /usr/lib/cgi-bin/squidGuard.cgi

--- squidGuard.cgi      2008-11-10 18:37:30.326524640 +0100
+++ /usr/lib/cgi-bin/squidGuard.cgi     2008-11-10 18:35:19.000000000 +0100
@@ -64,10 +64,11 @@
                "nl (Nederlands),",
                "no (norsk)."
               );
-$image       = "/images/blocked.gif";                                  # RELATIVE TO DOCUMENT_ROOT
-$redirect    = "http://admin.your-domain/images/blocked.gif";          # "" TO AVOID REDIRECTION
-$proxy       = "proxy.your-domain";                                    #
-$proxymaster = "operator\@your-domain";                                #
+$image       = "/images/access_denied.jpg";                            # RELATIVE TO DOCUMENT_ROOT
+$redirect    = "http://www.stri/images/access_denied.jpg";             # "" TO AVOID REDIRECTION
+$proxy       = "proxy.stri";                                   #
+$proxymaster = "abuse\@stri";                                  #
+$lang        = "fr";
 $autoinaddr  = 2;                      # 0|1|2;
                                        # 0 TO NOT REDIRECT
                                        # 1 TO AUTORESOLVE & REDIRECT IF UNIQUE
@@ -482,14 +483,14 @@
        @supported ];
   
   %logo->{"default"}->{"url"}
-    = "http://www.squidguard.org/images/squidGuard.gif";
+    = "http://www.squidguard.org/Logos/squidGuard.gif";
   %logo->{"default"}->{"href"}
     = "http://www.squidguard.org/";
 
   %logo->{"default"}->{"url"}
-    = "http://info.your-domain/images/eto.small.gif";
+    = "http://www.squidguard.org/Logos/squidGuard.gif";
   %logo->{"default"}->{"href"}
-    = "http://www.your-domain/";
+    = "http://www.stri/";
 }
 #
 # END OF CONFIGURABLE OPTIONS
@@ -608,7 +609,10 @@
       print "       $text\n";
     }
   }
-  print "  </TITLE>\n </HEAD>\n";
+  print "  </TITLE>\n";
+  print " <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n";
+  print " <meta name=\"Content-Language\" content=\"fr\" />\n";
+  print " </HEAD>\n";
   print " <BODY BGCOLOR=\"#FFFFFF\">\n";
   print "  <TABLE BORDER=0 ALIGN=CENTER WIDTH=100%>\n";
   print "   <TR>\n";

# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

$ cat /proc/sys/net/ipv4/ip_forward
1

$ cat /etc/sysctl.conf |grep ip_forward
net/ipv4/ip_forward=1
#net/ipv6/ip_forward=1

#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                    
# NAT                                                                  
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                    
*nat                                                                   
:PREROUTING ACCEPT [0:0]                                               
:POSTROUTING ACCEPT [0:0]                                              
:OUTPUT ACCEPT [0:0]                                                   
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                    
#  P O S T R O U T I N G                                               
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                    
-A POSTROUTING -o eth0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o eth0 -j SNAT --to-source aaa.bbb.ccc.ddd
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                          
#  P R E R O U T I N G                                                                                       
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                          
# NTP postes clients                                                                                         
-A PREROUTING -i eth1+ -p udp --dport 123 -j REDIRECT --to-port 123                                          
# Interception du trafic Web des postes clients                                                              
-A PREROUTING -i eth1+ -p tcp --dport 80 -j REDIRECT --to-port 3128                                       
COMMIT                                                                                                       
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                          
#  N e t f i l t e r                                                                                         
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                          
*filter                                                                                                      
:INPUT DROP [0:0]                                                                                            
:FORWARD DROP [0:0]                                                                                          
:OUTPUT ACCEPT [0:0]                                                                                         
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                          
#  I N P U T                                                                                                 
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                          
# Suivi de communication chaîne INPUT                                                                        
-A INPUT -p icmp -m conntrack --ctstate ESTABLISHED -j ACCEPT                                                      
-A INPUT -p icmp --icmp-type destination-unreachable -m conntrack --ctstate RELATED -j ACCEPT                      
-A INPUT -p icmp --icmp-type time-exceeded -m conntrack --ctstate RELATED -j ACCEPT                                
-A INPUT -p ospf -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT                                              
-A INPUT -p igmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT                                              
-A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT                                               
-A INPUT -p tcp ! --syn -m conntrack --ctstate ESTABLISHED -j ACCEPT                                               
-A INPUT -p tcp --syn -m conntrack --ctstate RELATED -j ACCEPT                                                     
# Boucle locale                                                                                              
-A INPUT -i lo -j ACCEPT                                                                                     
# NTP                                                                                                        
-A INPUT -i eth1+ -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT                                          
# WWW                                                                                                                   
-A INPUT -i eth1+ -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT                                                
-A INPUT -i eth1+ -p tcp --syn --dport 443 -m conntrack --ctstate NEW -j ACCEPT                                               
# proxy Web                                                                                                             
-A INPUT -i eth1+ -p tcp --syn --dport 3128 -m conntrack --ctstate NEW -j ACCEPT                                              
# Poubelle
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "INPUT/rejected.iptables: "                     
-A INPUT -m conntrack --ctstate INVALID -j DROP                                                                                    
-A INPUT -p tcp -j REJECT --reject-with tcp-reset                                                                            
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable                                                                
-A INPUT -j LOG --log-prefix "INPUT/poubelle: "                                                                              
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                                          
#  F O R W A R D                                                                                                             
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                                                                                          
# Suivi de communication chaîne FORWARD                                                                                      
-A FORWARD -p icmp -m conntrack --ctstate ESTABLISHED -j ACCEPT                                                                    
-A FORWARD -p icmp -m conntrack --ctstate RELATED --icmp-type destination-unreachable -j ACCEPT                                    
-A FORWARD -p icmp -m conntrack --ctstate RELATED --icmp-type time-exceeded -j ACCEPT                                              
-A FORWARD -p ospf -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT                                                            
-A FORWARD -p udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT                                                             
-A FORWARD -p tcp -m conntrack --ctstate ESTABLISHED -m tcp ! --syn -j ACCEPT                                                      
-A FORWARD -p tcp -m conntrack --ctstate RELATED -m tcp --syn -j ACCEPT                                                            
# Boucle locale                                                                                                              
-A FORWARD -i lo -j ACCEPT                                                                                                   
# Salles de TP                                                                                                               
-A FORWARD -i eth1+ -p tcp -m tcp --syn --sport 1024: -m conntrack --ctstate NEW -j ACCEPT                                         
-A FORWARD -i eth1+ -p udp --sport 1024: -m conntrack --ctstate NEW -j ACCEPT                                                      
-A FORWARD -i eth1+ -p icmp --icmp-type echo-request -m limit --limit 5/sec -m conntrack --ctstate NEW -j ACCEPT                   
# Poubelle
-A FORWARD -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix "FORWARD/rejected.iptables: "
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j LOG --log-prefix "FORWARD/poubelle: "
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#  O U T P U T
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Règles anti-fuites
-A OUTPUT -o eth0 -p tcp --dport 135:139 -j DROP
-A OUTPUT -o eth0 -p tcp --dport 445 -j DROP
-A OUTPUT -o eth0 -p udp --dport 135:139 -j DROP
-A OUTPUT -o eth0 -p udp --dport 445 -j DROP
-A OUTPUT -o eth0 -p tcp --dport 25 -j DROP
-A OUTPUT -o eth0 -p tcp -m multiport --sports 20,21,23,25,53,80,110,113 -j DROP
-A OUTPUT -o eth0 -s 127.0.0.0/8 -j LOG --log-prefix "OUTPUT/rejected.nat: "
-A OUTPUT -o eth0 -s 127.0.0.0/8 -j DROP
-A OUTPUT -o eth0 -s 10.0.0.0/8 -j LOG --log-prefix "OUTPUT/rejected.nat: "
-A OUTPUT -o eth0 -s 10.0.0.0/8 -j DROP
-A OUTPUT -o eth0 -s 172.16.0.0/12 -j LOG --log-prefix "OUTPUT/rejected.nat: "
-A OUTPUT -o eth0 -s 172.16.0.0/12 -j DROP
-A OUTPUT -o eth0 -s 192.168.0.0/16 -j LOG --log-prefix "OUTPUT/rejected.nat: "
-A OUTPUT -o eth0 -s 192.168.0.0/16 -j DROP
-A OUTPUT -o eth0 -s 224.0.0.0/8 -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "OUTPUT/rejected.iptables: "
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
COMMIT

# tail /var/log/squid3/access.log
1226421464.379  60869 172.16.48.64 TCP_MISS/200 925 POST \
  http://update.microsoft.com/v6/UpdateRegulationService/UpdateRegulation.asmx \
  - DIRECT/207.46.17.93 text/xml
1226422061.838     48 172.16.48.65 TCP_MISS/200 407 HEAD \
  http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? \
  - DIRECT/204.160.98.121 application/octet-stream
1226422062.528    670 172.16.48.65 TCP_MISS/200 407 HEAD \
  http://update.microsoft.com/v8/windowsupdate/selfupdate/wuident.cab? \ 
  - DIRECT/65.55.184.93 application/octet-stream
1226422062.563     24 172.16.48.65 TCP_MISS/200 408 HEAD \
  http://download.windowsupdate.com/v8/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab? \
  - DIRECT/204.160.98.121 application/octet-stream
1226422062.680    114 172.16.48.65 TCP_MISS/200 25492 GET \
  http://download.windowsupdate.com/v8/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab? \
  - DIRECT/204.160.98.121 application/octet-stream
1226422065.039     24 172.16.48.65 TCP_REFRESH_UNMODIFIED/200 405 HEAD \
  http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? \
  - DIRECT/204.160.98.121 application/octet-stream
1226422069.106     35 172.16.48.65 TCP_REFRESH_UNMODIFIED/200 406 HEAD \
  http://download.windowsupdate.com/v8/windowsupdate/redir/muv3wuredir.cab? \
  - DIRECT/205.128.69.124 application/octet-stream