for compactar in `ls /var/log/messages*.log`; do echo “tar -zcvpf ${compactar}.tar.gz ${compactar} && rm ${compactar}”; done

Estas utilizadas quando vamos criar alguma GPO e temos que restringir o acesso nem todas eu inclui a descrição pois estava com um pouco de preguiça em olhar uma por uma

access.cpl – Opções de acessibilidade
appwiz.cpl – Adcionar ou remover programas
desk.cpl – Propriedades de video
firewall.cpl – Firewall XP
hdwwiz.cpl – Assistente para adcionr novo hardware
inetcpl.cpl – Propriedades da internet
intl.cpl – Região e idioma
irprops.cpl
joy.cpl
main.cpl
mmsys.cpl
ncpa.cpl
netsetup.cpl – Assistente de configuração de rede
nusrmgr.cpl – Conta de usuário
nwc.cpl
odbccp32.cpl – Fonte de dados ODBC
powercfg.cpl – Opções de energia
sysdm.cpl – Propriedades de Sistema
telephon.cpl – Opções de telefone e modem
timedate.cpl – Data e hora
wscui.cpl – Central de cegurança
wuaucpl.cpl – Janela de atualização do windows

regedt32.exe – Abre o regedit

Logue com administrador ou com algum usuário que possua direitos administrativos não precisa ser administrador da rede basta ser adm do servidor ou do desktop

abra o cmd e navegue até o diretório C:\WINDOWS\system32> e execute o comando abaixo

C:\WINDOWS\system32>regsvr32.exe cdonts.dll

acl streaming rep_mime_type ^video/x-ms-asf
acl music urlpath_regex -i \.aif$ \.aifc$ \.aiff$ \.asf$ \.asx$ \.avi$ \.au$ \.m3u$ \.med$ \.mp3$ \.m1v$ \.mp2$ \.mp2v$ \.mpa$ \.mov$ \.mpe$ \.mpg$ \.mpeg$ \.ogg$ \.pls$ \.ram$ \.ra$ \.ram$ \.snd$ \.wma$ \.wmv$ \.wvx$ \.mid$ \.midi$ \.rmi$

http_access deny music
http_reply_access deny music

http_access deny streaming
http_reply_access deny streaming

###### DOWNLOAD SQUID 3.0
wget http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE11.tar.gz

###### Verifique se o usuário do squid já existe
grep squid /etc/passwd

##### Se aparecer algo assim
##### squid : x : 23:23::/var/spool/squid:/dev/null
##### O usuário já está cadastrado no sistema
###### Caso não exista você deve cria-lo
groupadd squid
useradd – g squid – s /dev/null squid >/dev/null 2>&1

###### Descompactar o arquivo
tar -xzvf squid-3.0.STABLE11.tar.gz
cd squid-3.0.STABLE11

######
./configure – - prefix=/usr/local/squid – - enable-linux-netfilter
make all
make install

###### Criar diretorio de LOG do SQUID
mkdir -p /var/log/squid
mkdir -p /usr/local/squid/var/cache

##### De permissão para o usuário squid no diretorio de logs
chown -R squid.squid /var/log/squid
chown -R squid.squid /usr/local/squid/var

##### Crie um link simbolico
cd /bin
/usr/local/squid/sbin/squid squid

##### O SQUID JÁ ESTÁ INSTALADO VAMOS CONFIGURAR O SQUID.CONF

CONFIGURANDO O SQUID.CONF

###### Crie os arquivos
###### downloads,block,unblock,radioonline,dominio_bloqueado,semcache
###### neste caminho /usr/local/squid/etc/arquivos/

mkdir -p /usr/local/squid/etc/arquivos/
touch /usr/local/squid/etc/arquivos/downloads
touch /usr/local/squid/etc/arquivos/block
touch /usr/local/squid/etc/arquivos/unblock
touch /usr/local/squid/etc/arquivos/radiosonline
touch /usr/local/squid/etc/arquivos/dominio_bloqueado
touch /usr/local/squid/etc/arquivos/semcache

###### De permissão de execução nestes arquivos

chmod 775 /usr/local/squid/etc/arquivos/downloads
chmod 775 /usr/local/squid/etc/arquivos/block
chmod 775 /usr/local/squid/etc/arquivos/unblock
chmod 775 /usr/local/squid/etc/arquivos/radiosonline
chmod 775 /usr/local/squid/etc/arquivos/dominio_bloqueado
chmod 775 /usr/local/squid/etc/arquivos/semcache

##### Acesse o diretorio /usr/local/squid/etc/ e faça um backup do squid.conf original
cd /usr/local/squid/etc/
cp squid.conf backup_squid.conf

##### Agora vamos editar o squid.conf
##### Acesse o arquivo squid.conf e apague tudo que está la dentro e acrescente estas linhas abaixo
##### Note que em algum campos não adcionei endereço IP neste caso você deve adequar as condigurações
##### de acordo com sua rede
vi squid.conf

#################################################################################
###### Atualizado em 23/12/2008 por Adriano Mendes Aguiar #######################
#################################################################################
###### Restringe o seu PROXY apenas para este IP #
###### Aqui utilizei um proxy transparente destá forma não houve a necessidade #
###### de configurar no browser o proxy #
#################################################################################

http_port ip_do_seu_proxy:3128 transparent
icp_port 0

#################################################################################
########################## Configurações de cache ###############################
#################################################################################

cache_mem 256 MB
maximum_object_size 4096 KB
store_avg_object_size 4 KB
visible_hostname SUAEMPRESA.COM.BR
cache_dir ufs /usr/local/squid/var/cache 1000 8 128
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
emulate_httpd_log off
connect_timeout 15000 seconds
read_timeout 300 minutes
cache_mgr Administrador
cache_effective_user squid
cache_effective_group squid
dns_nameservers ip_do_seu_dns

#################################################################################
############################### ACLS PARA USUARIOS ##############################
#################################################################################
################ AQUI VOCÊ PODE DECLARAR TODOS OS IPS DA REDE ###################
#################################################################################
acl desktop1 src 10.1.1.1/255.255.255.255
acl desktop2 src 10.1.1.2/255.255.255.255
acl desktop3 src 10.1.1.3/255.255.255.255
acl desktop4 src 10.1.1.4/255.255.255.255
acl desktop5 src 10.1.1.5/255.255.255.255

#################################################################################
################################# DEMAIS ACLS ###################################
#################################################################################
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

#################################################################################
########### DECLARANDO OS SITES QUE PODEM SER LIBERADOS OU BLOQUEADOS ###########
#################################################################################
acl uol.com.br url_regex uol.com.br
acl terra.com.br url_regex terra.com.br
acl ig.com.br url_regex ig.com.br
acl video.globo.com url_regex video.globo.com

acl SSL_ports port 443 444 447 563 7443.
acl Safe_ports port 80 21 443 444 447 563 777 591 488 280 70 210 6330 7443 1024-65535 50000-50002
acl CONNECT method CONNECT

acl downloads urlpath_regex “/usr/local/squid/etc/arquivos/downloads”
acl blacklist url_regex “/usr/local/squid/etc/arquivos/block”.
acl whitelist url_regex “/usr/local/squid/etc/arquivos/unblock”.
acl streaming rep_mime_type ^video/x-ms-asf “/usr/local/squid/etc/arquivos/radioonline”
acl dominio_bloqueado dstdomain “/usr/local/squid/etc/arquivos/dominio_bloqueado”.
acl cache urlpath_regex “/usr/local/squid/etc/arquivos/semcache”?

acl rede_interna src RANGE_DA_SUA_REDE MASCARA_DE_REDE

#################################################################################
###### SE VOCÊ TIVER MAIS DE UM GATEWAY NA SUA REDE AQUI VOCÊ PODE DEFINIR ######
###################### QUAL GATEWAY O SQUID IRA UTILIZAR ########################
###### SE VOCÊ UTILIZA APENAS UM GATEWAY NÃO IRÁ PRECISAR DESTAS LINHAS #########
#################################################################################
acl gateway_1 src “/usr/local/squid/etc/arquivos/gtw1″
tcp_outgoing_address IP_DO_GATEWAY_1 gateway_1

acl gateway_2 src “/usr/local/squid/etc/bloqueados/gtw2″
tcp_outgoing_address IP_DO_GATEWAY_2 gateway_2

#################################################################################
######################## PERMISSOES DE ACESSO ##############################
#################################################################################

http_access allow uol.com.br
http_access allow terra.com.br
http_access allow ig.com.br

#################################################################################
############################## NEGA ACESSO #################################
#################################################################################

http_access deny all video.globo.com
http_reply_access deny all video.globo.com

http_access deny dominio_bloqueado
http_reply_access deny dominio_bloqueado

http_access deny streaming
http_reply_access deny all streaming

http_access deny downloads
http_reply_access deny all downloads

http_access deny all !Safe_ports
http_access allow localhost manager
http_access allow all manager
http_access allow all CONNECT !SSL_ports
http_access allow all !blacklist
http_access allow all whitelist
http_access allow all rede_interna
icp_access allow all
miss_access allow all
no_cache deny cache

################################################################################
##### Adcione estas linhas no arquivo /usr/local/squid/etc/arquivos/downloads ##
################################################################################
^video/x-ms-asf-plugin$
^video/x-ms-asf$
^video/mpeg$
^video/x-ms-wmv$
^video/quicktime$
^audio/mpeg$
.ACM$
.acm$
.bat$
.pif$
.bin$
.cue$
.COM$
.com$
.Com$
.dll$
.DLL$
.exe$
.iso$
.ISO$
.Mp3$
.MP3$
.mP3$
.mp3$
.mpg$
.MPG$
.Mpg$
.mPg$
.mpG$
.MpG$
.mpeg$
.MPEG$
.MPEg$
.MPeg$
.Mpeg$
.mPEG$
.mpEG$
.mpeG$
.MpeG$
.MpEg$
.wma$
.WMA$
.Wma$
.WMa$
.wMA$
.wmA$
.WmA$
.wMa$
.wav$
.scr$
.SRC$
.Src$
.Src$
.sRC$
.srC$
.RTF$
.rtf$
.tar.gz$
.tgz$
.tar$
.TAR$
.tar.bz2$
.tbz$
.rar$
.zip$
.PIF$
.pif$
.PPS$
.pps$
.ppt$
.wmv$
.WMV$
.Wmv$
.WMv$
.wMV$
.wmV$
.WmV$
.wMv$
.au
.asx$
.mms$
.aif$
.aifc$
.aiff$
.asf$
.asx$
.avi$
.au$$
.m3u$
.med$
.m1v$
.mp2$
.mp2v$
.mpa$
.mov$
.mpe$
.ogg$
.pls$
.ram$
.ra$
.ram$
.snd$
.wvx$
.mid$
.midi$
.rmi$
.mpeg$
.mpg$
.rm$
.ogm$
.wmv$
.pls$
.flv$
.cab$

################################################################################
######### Adcione estas linhas no arquivo /usr/local/squid/etc/arquivos/block ##
######### Neste arquivo você deve adcionar os sites que devem ser bloqueados ###
################################################################################
orkut.com
msn.com
hotmail.com

################################################################################
####### Adcione estas linhas no arquivo /usr/local/squid/etc/arquivos/unblock ##
######### Neste arquivo você deve adcionar os sites que devem ser liberados ####
################################################################################
www.google.com.br
www.cade.com.br

################################################################################
## Adcione estas linhas no arquivo /usr/local/squid/etc/arquivos/radiosonline ##
######### Neste arquivo você deve adcionar as extensões de radios online #######
################################################################################
.asx$
.mms$
.aif$
.aifc$
.aiff$
.asf$
.asx$
.avi$
.au$$
.m3u$
.med$
.m1v$
.mp2$
.mp2v$
.mpa$
.mov$
.mpe$
.ogg$
.pls$
.ram$
.ra$
.ram$
.snd$
.wvx$
.mid$
.midi$
.rmi$
.mpeg$
.mpg$
.rm$
.ogm$
.wma$
.wmv$
.pls$
.flv$

###################################################################################
#adcione estas linhas no arquivo /usr/local/squid/etc/arquivos/dominio_bloqueado ##
##### Neste arquivo você deve adcionar os dominios que devem ser bloqueados #######
###################################################################################
.ac
.ad
.ae
.af
.ag
.ai
.al
.am
.an
.ao
.aq
.as
.at
.aw
.ax
.az
.ba
.bb
.bd
.be
.bf
.bg
.bh
.bi
.bj
.bm
.bn
.bo
.bs
.bt
.bv
.bw
.by
.bz
.cax
.cc
.cd
.cf
.cg
.ch
.ci
.ck
.cm
.cn
.cr
.cu
.cv
.cx
.cy
.cz
.de
.dj
.dk
.dm
.do
.dz
.ec
.ee
.eg
.eh
.er
.es
.et
.eu
.fi
.fj
.fk
.fm
.fo
.fr
.ga
.gb
.gd
.ge
.gf
.gg
.gh
.gi
.gl
.gm
.gn
.gp
.gq
.gr
.gs
.gt
.gu
.gw
.gy
.hk
.hm
.hn
.hr
.ht
.hu
.id
.ie
.il
.im
.in
.io
.iq
.ir
.is
.it
.je
.jm
.jo
.jp
.ke
.kg
.kh
.ki
.km
.kn
.kp
.kr
.kw
.ky
.kz
.la
.lb
.lc
.li
.lk
.lr
.ls
.lt
.lu
.lv
.ly
.ma
.mc
.md
.me
.mg
.mh
.mk
.ml
.mm
.mn
.mo
.mp
.mq
.mr
.ms
.mt
.mu
.mv
.mw
.my
.mz
.na
.nc
.ne
.nf
.ng
.ni
.nl
.no
.np
.nr
.nu
.nz
.om
.pa
.pe
.pf
.pg
.ph
.pk
.pl
.pm
.pn
.pr
.ps
.pt
.pw
.py
.qa
.re
.ro
.rs
.ru
.rw
.sa
.sb
.sc
.sd
.se
.sg
.sh
.si
.sj
.sk
.sl
.sm
.sn
.so
.sr
.st
.su
.sv
.sy
.sz
.tc
.td
.tf
.tg
.th
.tj
.tk
.tl
.tm
.tn
.to
.tp
.tr
.tt
.tw
.tz
.ua
.ug
.uk
.um
.us
.uy
.uz
.va
.vc
.ve
.vg
.vi
.vn
.vu
.wf
.ws
.ye
.yt
.yu
.za
.zm
.zw

###################################################################################
######## adcione estas linhas no arquivo /usr/local/squid/etc/arquivos/semcache ##
# Neste arquivo você deve adcionar os arquivos ou páginas que não ter cache #######
###################################################################################
.jpg
.jpeg
.gif

VPN Site-to-Site
Sistema Operacional – Fedora Core release 5 (Bordeaux) em ambas as máquinas.

Matriz:

* Hostname – FW_Matriz
* Ip Lan ETH0 – 10.2.30.1
* Ip Wan ETH1 -200.200.200.200
* Rede Matriz – 10.2.30.0/24

Filial:

* Hostname – FW_Filial
* Ip Lan ETH0 – 10.2.40.1
* Ip Wan ETH1 – 200.201.202.203
* Rede Filial – 10.2.40.0/24

Configurando nossa VPN na Matriz:

O OpenVPN trabalha em 3 modos: nenhuma criptografia (apenas o túnel), criptografia com chaves estáticas e no modo TLS, em que as chaves são trocadas periodicamente.

Neste caso vou utilizar criptografia com chaves estáticas.

Dependências necessárias:

* openssl
* lzo
* pam
* openssl-devel
* lzo-devel
* pam-devel

Faça download do pacote LZO:

$ wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
$ tar -xzvf lzo-2.02.tar.gz
$ cd cd lzo-2.02
$ ./configure –prefix=/usr –enable-shared && make
# make install && install -v -m755 -d /usr/share/doc/lzo-2.02 && install -v -m644 doc/* /usr/share/doc/lzo-2.02

Faça o download da versão mais recente do openVPN: http://openvpn.net/index.php/downloads.html

$ wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
$ tar -xzvf openvpn-2.0.9.tar.gz
$ cd openvpn-2.0.9
$ ./configure
$ make
# make install

Ou instale pelo método mais prático:

# yum install openvpn openssl lzo pam openssl-devel lzo-devel pam-devel

Configurando a matriz
Depois de instalado devemos gerar uma chave criptografada.

# openvpn -genkey -secret /etc/openvpn/static.key

A chave foi gerada no diretório /etc/openvpn.

Dê um cat no arquivo apenas para visualização:

# cat /etc/openvpn/static.key

O resultado será algo assim:

#
# 2048 bit OpenVPN static key
#
– BEGIN OpenVPN Static key V1 –
0cfdaa32103e4c666c45812dabda87a1
4f545e028388469311sssb9d67e16f0
f063f47f21ff6b5f85fbcaaa0a7d3b9c91b
e08f712d8352b6b4db74c58d018d41fe
eb337713ce2a2171cebad4c6ac475016
bb985c23f51e0e737f4caa5850c17f21e5
f4f851074e9f8e4aaea9465d024b7d0fb01d
8fc9a01d47e32892ff71e0ef328986cc4aa4
842c1a4bbb476549493e92ec40364963f
dd6cc0c0cf49b902f46418b813805e0c
f43d7dd183422ec3bb1fc7cc863b3a80
e004b29c0193f799a01ac7c0ee73f52661
ea075a64f26bc046d889978b1e8d9f5e8
9a478c0fe7dfc0a134779b1beee791e90ddc
706c7a01a3d3e30bfc697e4b31a19069
b08d45c8b4b436255c7979af1ba52a0c
– END OpenVPN Static key V1 –

Agora acesse o diretório:

# cd /etc/openvpn

Crie um backup do arquivo original openvpn.conf:

# mv openvpn.conf openvpn.conf.ori

Crie o arquivo novamente:

# touch openvpn.conf

E preencha-o com esse conteúdo:

############### Configuração matriz ################
dev tun
ifconfig 10.2.60.1 10.2.60.2
cd /etc/openvpn
secret static.key
port 5000
comp-lzo
user nobody
group nobody
ping 10
log /var/log/openvpn_matriz.log
log-append /var/log/openvpn_matriz.log
verb 6

Em seguida vamos iniciar a conexão no servidor, faltando apenas configurar a filial.

Execute o seguinte comando no servidor da Matriz:

# openvpn -config /etc/openvpn/openvpn.conf -daemon

Ou digite:

# /etc/init.d/openvpn start

Caso não apresente nenhum erro digite no prompt:

# ifconfig

E verifique se a interface tun0 está up.

tun0 Link encap:Point-to-Point Protocol
inet addr:10.2.60.1 P-t-P:10.2.60.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1255 Metric:1
RX packets:1383257 errors:0 dropped:0 overruns:0 frame:0
TX packets:1144968 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:82865921 (79.0 Mb) TX bytes:383951667 (366.1 Mb)

Se aparecer algo assim, a configuração da matriz já está ok, faltando apenas liberar a porta 5000.

Agora para se certificar que o serviço está rodando na porta correta, digite no prompt:

# netstat -putan

O resultado será algo parecido com isso, note que o OPENVPN está rodando na porta 5000 em cima de UDP:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN 2692/snmpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1780/sshd
tcp 0 20 10.2.30.1:22 10.2.30.3:4347 ESTABLISHED 21703/1
udp 0 0 0.0.0.0:5000 0.0.0.0:* 30704/openvpn
udp 0 0 0.0.0.0:161 0.0.0.0:* 2692/snmpd

Se você estiver em dúvida se o serviço está rodando, digite no prompt:

# ps aux
root 2700 0.0 0.2 1588 416 tty3 Ss+ Feb12 0:00 /sbin/mingetty tty3
root 2701 0.0 0.2 1588 416 tty4 Ss+ Feb12 0:00 /sbin/mingetty tty4
root 2702 0.0 0.2 1584 412 tty5 Ss+ Feb12 0:00 /sbin/mingetty tty5
root 2703 0.0 0.2 1588 416 tty6 Ss+ Feb12 0:00 /sbin/mingetty tty6
root 2793 0.0 0.0 0 0 ? S131072] S=[107520->131072]
Thu Feb 19 16:39:14 2009 us=104491 UDPv4 link local (bound): [undef]:5000
Thu Feb 19 16:39:14 2009 us=104578 UDPv4 link remote: [undef]
Thu Feb 19 16:39:18 2009 us=990824 UDPv4 READ [60] from 200.201.200.203:5000: DATA len=60
Thu Feb 19 16:39:18 2009 us=991365 Peer Connection Initiated with 200.201.200.203:5000
Thu Feb 19 16:39:18 2009 us=991922 Initialization Sequence Completed
Thu Feb 19 16:39:24 2009 us=462779 UDPv4 WRITE [60] to 200.201.200.203:5000: DATA len=60
Thu Feb 19 16:39:24 2009 us=468669 UDPv4 READ [196] from 200.201.200.203:5000: DATA len=196
Thu Feb 19 16:39:34 2009 us=671371 UDPv4 READ [60] from 200.201.200.203:5000: DATA len=60
Thu Feb 19 16:39:44 2009 us=757217 UDPv4 READ [60] from 200.201.200.203:5000: DATA len=60
Thu Feb 19 16:39:54 2009 us=986099 UDPv4 READ [60] from 200.201.200.203:5000: DATA len=60
Thu Feb 19 16:40:05 2009 us=6781 UDPv4 READ [60] from 200.201.200.203:5000: DATA len=60
Thu Feb 19 16:40:15 2009 us=246863 UDPv4 READ [60] from 200.201.200.203:5000: DATA len=60
Thu Feb 19 16:40:15 2009 us=613320 TUN READ [60]
Thu Feb 19 16:40:15 2009 us=613817 UDPv4 WRITE [100] to 200.201.200.203:5000: DATA len=100
Thu Feb 19 16:40:15 2009 us=620200 UDPv4 READ [100] from 200.201.200.203:5000: DATA len=100
Thu Feb 19 16:40:15 2009 us=620570 TUN WRITE [60]
Thu Feb 19 16:40:16 2009 us=613581 TUN READ [60]
Thu Feb 19 16:40:16 2009 us=614243 UDPv4 WRITE [100] to 200.201.200.203:5000: DATA len=100

Dica: Toda vez que você reiniciar o OPENVPN suas rotas serão perdidas.

Para que isso não aconteça, acesse o diretório /etc/openvpn e crie um arquivo chamado openvpn-startup:

# cd /etc/openvpn
# touch openvpn-startup
# chmod 777 openvpn-startup

Dentro do arquivo “openvpn-startup” adicione as rotas que você precisa, fazendo isso toda vez que o openVPN for iniciando as rotas serão criadas automaticamente.

Para entender o por quê disso, dê um cat em /etc/init.d/openvpn e dê uma olhada no script de inicialização do OPENVPN. Note que em um determinado momento ele procura um arquivo openvpn-startup para ser executado durante o processo de inicialização.