Implementation of squid + iptables gateway firewall

Source: Internet
Author: User

Squid + iptables: building a gateway firewall this way is not hard. Follow the steps below.

Requirement: this server is the gateway for the internal network and also runs a MAIL server (web, SMTP and POP3 enabled), an FTP server and a DHCP server. An internal machine (192.168.0.254) provides DNS service to the outside world. To make it less obvious to casual port scanners that an SSH server is running on the gateway, SSH is moved from port 22 to port 2018 (this only hides the service; it does not replace key-based authentication and other SSH hardening). The proxy listens on port 60080.

eth0: 218.28.255.253, Internet-facing interface

eth1: 192.168.0.1/24, internal network interface

[jackylau@proxyserver init.d]$ cat /etc/squid.conf   (part 1 only; the rest of the file is not shown)

http_port 192.168.0.1:60080
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl allow_lan src 192.168.0.0/24
http_access allow allow_lan
visible_hostname proxyserver

Binding http_port to the LAN address keeps the proxy off the Internet interface entirely. The httpd_accel_* directives are the Squid 2.5 way of accepting requests that iptables has transparently redirected to the proxy; Squid 2.6 and later replace them with http_port 192.168.0.1:60080 transparent (intercept in Squid 3.1 and later). Since only part of the file is shown, keep in mind that Squid evaluates http_access lines first-match and, when none matches, applies the opposite of the last line, so an explicit http_access deny all after the LAN rule is the usual closing rule.

[jackylau@proxyserver init.d]$ cat firewall

#!/bin/sh
# Author: jackylau
# chkconfig: 2345 08 92
# description: firewall
# Time on 2005.08.02

# Set ENV
INET_IP="218.28.255.253"
INET_IFACE="eth0"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_BROADCAST_ADDRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
DNS_SERVER="192.168.0.254"    # internal host that serves DNS to the outside

start() {
    echo -n $"Starting firewall: "
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Set policies: default deny in all three filter chains
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Create the user-defined chains bad_tcp_packets, tcp_packets, udp_packets, allowed and icmp_packets
    $IPTABLES -N bad_tcp_packets
    $IPTABLES -N tcp_packets
    $IPTABLES -N udp_packets
    $IPTABLES -N allowed
    $IPTABLES -N icmp_packets

    # bad_tcp_packets: a TCP packet that conntrack considers NEW but that carries no SYN
    # (an ACK/FIN scan or a stray packet from a connection we never saw) is logged, then dropped
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-level INFO --log-prefix "New not syn: "
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

    # allowed: accept a fresh SYN or a packet of an already tracked connection, drop anything else
    $IPTABLES -A allowed -p tcp --syn -j ACCEPT
    $IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p tcp -j DROP

    # Broadcasts arriving on the LAN interface (appended to INPUT here, so it is evaluated
    # before the bad_tcp_packets jump added further down)
    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

    # TCP rules: services reachable from the Internet (ftp-data, ftp, smtp, http, pop3, ssh on 2018)
    $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 20 -j allowed
    $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 21 -j allowed
    $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 25 -j allowed
    $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 80 -j allowed
    $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 110 -j allowed
    $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 2018 -j allowed

    # UDP rules: udp_packets is only reached for packets arriving on $INET_IFACE (see INPUT below),
    # so this exposes the DHCP server port to the Internet rather than to the LAN
    $IPTABLES -A udp_packets -p udp -s 0/0 --destination-port 67 -j ACCEPT

    # ICMP rules: echo-request (8) and time-exceeded (11)
    $IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
    $IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

    # INPUT chain
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -j tcp_packets
    $IPTABLES -A INPUT -p udp -i $INET_IFACE -j udp_packets
    $IPTABLES -A INPUT -p icmp -i $INET_IFACE -j icmp_packets
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

    # FORWARD chain
    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS queries that PREROUTING (below) DNATs to the internal DNS server arrive here as NEW
    # connections from $INET_IFACE; without an explicit accept the DROP policy discards them
    $IPTABLES -A FORWARD -i $INET_IFACE -p udp -d $DNS_SERVER --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -i $INET_IFACE -p tcp -d $DNS_SERVER --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

    # OUTPUT chain
    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

    # SNAT: hide the LAN behind the public address
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

    # DNAT: publish the internal DNS server on the public address
    # (--dport needs an explicit -p udp or -p tcp; "-p ! icmp" cannot be combined with it)
    $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport 53 -j DNAT --to-destination $DNS_SERVER:53
    $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 53 -j DNAT --to-destination $DNS_SERVER:53

    # REDIRECT: transparently send LAN web traffic to squid on 60080
    $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -s $LAN_IP_RANGE --dport 80 -j REDIRECT --to-ports 60080

    touch /var/lock/subsys/firewall
}

stop() {
    echo -n $"Stopping firewall: "
    echo 0 > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    $IPTABLES -t mangle -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
    rm -f /var/lock/subsys/firewall
}

status() {
    clear
    echo "-------------------------------------------------------------------"
    $IPTABLES -L
    echo "-------------------------------------------------------------------"
    $IPTABLES -t nat -L POSTROUTING
    echo "-------------------------------------------------------------------"
    $IPTABLES -t nat -L PREROUTING
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo "$0 [start|stop|restart|status]"
        ;;
esac

Install the script as an init service so the rules are loaded at boot:

cp firewall /etc/init.d/
chmod 700 /etc/init.d/firewall
chkconfig --add firewall
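To see how the chains above combine, here is a small model of iptables chain traversal loaded with the script's own INPUT rules, in the order the script appends them. This is an added example, not code from the original article: the Packet, Rule, walk and input_verdict names are hypothetical, the conntrack state and ingress interface of each probe are simply asserted, the limit match on the final LOG rule is ignored, and the nat table (DNAT and REDIRECT) is not modelled. The probe packets are constructed.

```python
"""Model of the filter INPUT chain from the firewall script (added example, not the script itself)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INET_IFACE, LAN_IFACE, LO_IFACE = "eth0", "eth1", "lo"
INET_IP, LAN_IP, LO_IP = "218.28.255.253", "192.168.0.1", "127.0.0.1"
LAN_IP_RANGE, LAN_BROADCAST = "192.168.0.0/24", "192.168.0.255"


@dataclass
class Packet:
    iface: str              # interface the packet arrived on (-i)
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False       # SYN set with ACK/RST/FIN clear, i.e. what --syn tests
    state: str = "NEW"      # conntrack state as "-m state" would report it
    icmp_type: int = 0


@dataclass
class Rule:
    target: str             # ACCEPT, DROP, LOG or the name of a user-defined chain
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None
    state: Optional[Tuple[str, ...]] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or in_net(p.src, self.src))
                and (self.dst is None or in_net(p.dst, self.dst))
                and (self.dport is None or p.dport == self.dport)
                and (self.syn is None or p.syn == self.syn)
                and (self.state is None or p.state in self.state)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))


SERVICE_PORTS = (20, 21, 25, 80, 110, 2018)   # tcp_packets: ftp-data, ftp, smtp, http, pop3, ssh

CHAINS = {
    "bad_tcp_packets": [Rule("LOG", proto="tcp", syn=False, state=("NEW",)),
                        Rule("DROP", proto="tcp", syn=False, state=("NEW",))],
    "allowed": [Rule("ACCEPT", proto="tcp", syn=True),
                Rule("ACCEPT", proto="tcp", state=("ESTABLISHED", "RELATED")),
                Rule("DROP", proto="tcp")],
    "tcp_packets": [Rule("allowed", proto="tcp", dport=port) for port in SERVICE_PORTS],
    "udp_packets": [Rule("ACCEPT", proto="udp", dport=67)],
    "icmp_packets": [Rule("ACCEPT", proto="icmp", icmp_type=8),
                     Rule("ACCEPT", proto="icmp", icmp_type=11)],
    "INPUT": [
        Rule("ACCEPT", iface=LAN_IFACE, dst=LAN_BROADCAST),   # appended before the jump below
        Rule("bad_tcp_packets", proto="tcp"),
        Rule("ACCEPT", iface=LAN_IFACE, src=LAN_IP_RANGE),
        Rule("ACCEPT", iface=LO_IFACE, src=LO_IP),
        Rule("ACCEPT", iface=LO_IFACE, src=LAN_IP),
        Rule("ACCEPT", iface=LO_IFACE, src=INET_IP),
        Rule("ACCEPT", dst=INET_IP, state=("ESTABLISHED", "RELATED")),
        Rule("tcp_packets", iface=INET_IFACE, proto="tcp"),
        Rule("udp_packets", iface=INET_IFACE, proto="udp"),
        Rule("icmp_packets", iface=INET_IFACE, proto="icmp"),
        Rule("LOG"),                                           # "-m limit" ignored in this model
    ],
}
POLICY = {"INPUT": "DROP"}
TERMINAL = {"ACCEPT", "DROP"}


def walk(chain: str, p: Packet, logged: List[str]) -> Optional[str]:
    """First terminal verdict in `chain`, or None when the chain falls through.

    A user-defined chain that reaches its end returns to the caller, which carries on
    with its next rule; LOG is non-terminal and only records which chain logged the packet.
    """
    for rule in CHAINS[chain]:
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            logged.append(chain)
            continue
        if rule.target in TERMINAL:
            return rule.target
        verdict = walk(rule.target, p, logged)      # -j user_chain
        if verdict is not None:
            return verdict
    return None


def input_verdict(p: Packet) -> Tuple[str, List[str]]:
    """Fate of `p` in INPUT (rule verdict or chain policy) and the chains that logged it."""
    logged: List[str] = []
    verdict = walk("INPUT", p, logged)
    return (verdict if verdict is not None else POLICY["INPUT"]), logged


def exposed_tcp_ports(ports) -> set:
    """TCP ports on $INET_IP that accept a fresh SYN from an arbitrary Internet host."""
    return {port for port in ports
            if input_verdict(Packet(INET_IFACE, "tcp", "203.0.113.7", INET_IP,
                                    dport=port, syn=True))[0] == "ACCEPT"}


if __name__ == "__main__":
    probes = {   # constructed packets
        "SYN to 22 from Internet (old ssh port)": Packet(INET_IFACE, "tcp", "203.0.113.7", INET_IP, dport=22, syn=True),
        "SYN to 2018 from Internet (new ssh port)": Packet(INET_IFACE, "tcp", "203.0.113.7", INET_IP, dport=2018, syn=True),
        "ACK-scan probe to 80 (NEW without SYN)": Packet(INET_IFACE, "tcp", "203.0.113.7", INET_IP, dport=80),
        "SYN to 22 from the LAN": Packet(LAN_IFACE, "tcp", "192.168.0.10", LAN_IP, dport=22, syn=True),
        "UDP 67 (DHCP) from Internet": Packet(INET_IFACE, "udp", "203.0.113.7", INET_IP, dport=67),
        "ICMP echo-request from Internet": Packet(INET_IFACE, "icmp", "203.0.113.7", INET_IP, icmp_type=8),
    }
    for name, packet in probes.items():
        verdict, logged = input_verdict(packet)
        print(f"{name:42s} -> {verdict:6s} logged by {logged or '-'}")
    print("exposed tcp ports:", sorted(exposed_tcp_ports(range(1, 1025)) | exposed_tcp_ports({2018})))
```

Running it shows the points worth checking before deploying the script: a SYN to port 22 from the Internet falls through every chain, is logged by INPUT and dies on the DROP policy, while 2018 is accepted via tcp_packets and allowed; an ACK-scan probe is caught and logged by bad_tcp_packets before any service rule is consulted; from the LAN the blanket -i eth1 accept reaches SSH on any port, so the port change hides nothing from inside; and UDP 67 is accepted from the Internet interface, which is the DHCP exposure noted in the script comments.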

With the requirement description and the commented script above, you should now have a working picture of how squid and iptables combine into a gateway firewall. Share it with your friends if it helps.

