Automatic installation of Squid+iptables Internet agent and Internet Behavior Management script (ii).

Source: Internet
Author: User
Tags: rfc

# This section configures iptables and squid, and reads rules from files to make rule management easier.
# It continues the previous script (part i); change this part according to your own requirements.
# Variables such as host_name, lan, lan_ip, lan_dns1, lan_dns2, lan_net, wan and wan_ip are defined in part (i).

# Stop the squid service
systemctl enable squid &> /dev/null
systemctl stop squid

# Edit the Squid configuration file
squid_conf_file=/etc/squid/squid.conf
mv $squid_conf_file $squid_conf_file.bk
cat > $squid_conf_file << 'EOF'
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#visible_hostname
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl allow_all src "/etc/squid/rules/allow_all.squid"
http_access allow allow_all
acl files urlpath_regex -i \.mp3$ \.avi$ \.exe$ \.rar$ \.zip$ \.mp4$ \.7z$ \.rm$ \.rmvb$ \.qsv$ \.mov$ \.msi$ \.wav$ \.torrent$ \.cab$ \.com$ \.bat$ \.gz$ \.bz2$ \.sys$ \.swf$
http_access deny files
acl only_web src "/etc/squid/rules/allow_only_web.squid"
http_access allow only_web
http_access allow localhost
http_access deny all
#http_port 3128 transparent
http_port 3129
cache_dir aufs /var/spool/squid 10240 16 256
cache_mem 1024 MB
maximum_object_size 8 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
acl nocache urlpath_regex -i \.asp$ \.jsp$
no_cache deny nocache
acl nogov urlpath_regex -i \.gov\.cn
no_cache deny nogov
ipcache_size 65535
fqdncache_size 65535
coredump_dir /var/spool/squid
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_store_log none
logfile_rotate 7
cache_swap_low 85
cache_swap_high 95
error_directory /usr/share/squid/errors/zh-cn
cache_mgr [email protected]
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i \.(jpg|jpeg|gif|png|xml|html|htm|css|js|ico)  1440    90%     2880
refresh_pattern -i \.(mp3|mp4|swf|rar|zip)       1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?)  0       0%      0
refresh_pattern .               0       20%     4320
EOF
# Fill in the host name and enable the transparent port on the LAN address (variables from part i)
sed -i "s/#visible_hostname/visible_hostname ${host_name}/g" ${squid_conf_file}
sed -i "s/#http_port 3128 transparent/http_port ${lan_ip}:3128 transparent/g" ${squid_conf_file}

# Configure iptables
# Copy the following content out and rewrite the variables for daily network permission control!
# Daily management script policy: define it according to your own requirements.
#-------Copy begin---------
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/ip_forward
read -p "input manager host ip address : " manager_ip
# The variables defined in the initial script are not required for the daily administration script.
#------Management script, custom variables-------
#lan=
#lan_ip=
#lan_dns1=
#lan_dns2=
#lan_net=
#manager_ip=
#wan=
#wan_ip=
# Flush everything and default to DROP on all three chains
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d ${lan_ip} -p tcp --dport 3128 -j ACCEPT
# SSH only from the manager host on the LAN interface
iptables -A INPUT -s ${manager_ip} -i ${lan} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Accept a limited set of ICMP types (type or type/code) from the LAN
aicmp="0 3 3/4 4 11 12 18"
for tyicmp in ${aicmp} ; do
    iptables -A INPUT -i ${lan} -p icmp --icmp-type ${tyicmp} -j ACCEPT
done
# Rate-limit new TCP connections through a syn-flood chain
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j DROP
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s ${wan_ip} -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s ${lan_dns1} -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s ${lan_dns2} -p udp --dport 53 -j ACCEPT
# Redirect and SNAT: LAN port 80 traffic is diverted to squid, everything else is masqueraded
iptables -t nat -A PREROUTING -i ${lan} -p tcp --dport 80 -j REDIRECT --to-ports 3128
read -p "input super subnet! exap 192.168.0.0/22 " lan_sup_subnet
iptables -t nat -A POSTROUTING -s ${lan_sup_subnet} -o ${wan} -j SNAT --to-source ${wan_ip}

# Custom rules: the default rule is deny; port 80 permissions are managed by squid, so nothing needs to be added for it.
# The firewall rules are configured by reading files; the rule files are placed in /usr/local/iptables.
# A rule file line starts with the IP, then a space, then the note name, in the format: IP address    user
# exap: allow all ports to pass.
if [ ! -d /usr/local/iptables ] ; then
    mkdir /usr/local/iptables
fi
if [ ! -d /etc/squid/rules ] ; then
    mkdir /etc/squid/rules
fi
echo "#Allow all ports to pass" > /usr/local/iptables/allow_all.rule    # The management script uses its own file; this line is not needed there
echo "$manager_ip it" >> /usr/local/iptables/allow_all.rule  # add the IT host
# Note: grep -v "#" discards any line containing "#" anywhere, not only comment lines
allow_all_rule=`grep -v "#" /usr/local/iptables/allow_all.rule | awk '{print $1}'`
for allow_all in ${allow_all_rule} ; do
    iptables -A FORWARD -s ${allow_all} -o ${wan} -j ACCEPT
done
# Sync the squid ACL file (comment line first, then one address per line)
echo "#User no limits" > /etc/squid/rules/allow_all.squid
echo $allow_all_rule | awk -v RS=" " '{print $0}' >> /etc/squid/rules/allow_all.squid

# exap: only allow 443 and 80 to pass, but restrict the "mail" keyword, e.g. to block qq mailboxes.
# The mail keyword is still allowed from server port 8000.
echo "#Only allow ports 443 and 80 to pass and restrict \"mail\", but allow the mail keyword from server port 8000." > /usr/local/iptables/allow_only_web.rule    # The management script does not need this line
echo "$manager_ip it" >> /usr/local/iptables/allow_only_web.rule
allow_only_web_rule=`grep -v "#" /usr/local/iptables/allow_only_web.rule | awk '{print $1}'`
for allow_only_web in ${allow_only_web_rule} ; do
    # As written this rule accepts every destination port for the source; port 80 is
    # already diverted to squid by the PREROUTING REDIRECT above
    iptables -A FORWARD -s ${allow_only_web} -o ${wan} -j ACCEPT
    # Drop replies from the WAN that contain the (case-sensitive) string "mail" unless they come from source port 8000
    iptables -I FORWARD -d ${allow_only_web} -i ${wan} -m string --algo bm --from 40 --to 450 --hex-string "mail" -p tcp ! --sport 8000 -j DROP
done
# Sync the squid ACL file
echo "#Allow 443 and 80 to pass, but limit the mail keyword" > /etc/squid/rules/allow_only_web.squid
echo $allow_only_web_rule | awk -v RS=" " '{print $0}' >> /etc/squid/rules/allow_only_web.squid

# Initialize squid.
sleep 1
squid -z  # The management script does not need this line
sleep 1
systemctl restart squid.service
sleep 5
/sbin/squid -k reconfigure
#--------copy end-------------
# In daily management, just change the rule files in /usr/local/iptables and run the admin script again!
# When modifying rules, you need to add the matching rule block to both the management script and the squid configuration file.

# Write the auto-start unit.
#cat > /usr/lib/systemd/system/ipt.rule.service << EOF
#[Unit]
#Description=iptables and squid manage script
#After=syslog.target network.target nss-lookup.target
#[Service]
#Type=oneshot
#ExecStart=/usr/local/iptables/ipt.rule.sh
#[Install]
#WantedBy=multi-user.target
#EOF
#systemctl enable ipt.rule.service
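The script above takes the first field of every non-comment line in a rule file and passes it straight to "iptables -A FORWARD -s ..." and into a squid "src" ACL file, so one malformed line (a typo in an address, or a text line without a leading "#") breaks the whole policy. The following is an added example, not part of the original post, that validates a rule file in the format described above before it is used; the function names valid_ipv4_cidr, rule_file_addresses and demo_rule_file, and the sample rule file, are my own.

```bash
#!/bin/bash
# Added example (not from the original post): validate a rule file before feeding it
# to iptables and squid. Assumed line format: "IP-address[/prefix]  user", "#" comments.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    local ip prefix octet IFS
    case "$1" in
        */*) ip=${1%%/*}; prefix=${1#*/} ;;
        *)   ip=$1; prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    IFS=.; set -- $ip                    # split into octets (IFS is local here)
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the validated addresses from rule file $1, one per line (the layout a
# squid "src" ACL file expects). Trailing "# ..." comments are stripped instead of
# discarding the whole line; rejected lines are reported on stderr.
rule_file_addresses() {
    local file=$1 line addr
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments, keep the address part
        set -- $line
        [ $# -ge 1 ] || continue         # blank or comment-only line
        addr=$1
        if valid_ipv4_cidr "$addr"; then
            printf '%s\n' "$addr"
        else
            printf 'rule file: rejected line: %s\n' "$line" >&2
        fi
    done < "$file"
}

# Constructed sample rule file: two good entries and several kinds of bad ones.
demo_rule_file() {
    local f; f=$(mktemp)
    printf '%s\n' '# allow all ports' '192.168.1.10  it' '10.0.0.0/24 lab # test subnet' \
        'User no Limits' '192.168.1.300 typo' '' '172.16.5.4/33 badprefix' > "$f"
    printf '%s' "$f"
}
```

Run the output of rule_file_addresses into the .squid file and the for loop instead of the raw grep/awk pipeline, and the "User no Limits" style header lines can no longer reach squid as an ACL entry.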


This article is from the "Persistent" blog, please be sure to keep this source http://charhai.blog.51cto.com/440887/1879853
