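# Part two of the Squid + iptables setup: write the Squid configuration, build
# the iptables policy and derive per-host permissions from plain rule files, so
# that day-to-day management means editing those files and re-running the
# section between "Copy begin" and "Copy end" from the management script.
#
# This continues the previous script and expects these variables to be set by
# it (the daily management copy has to define them itself):
#   lan lan_ip lan_dns1 lan_dns2 wan wan_ip host_name
# Must run as root. Adjust the policy below to local requirements.

# Abort with a clear message instead of emitting half-built firewall rules
# when one of the variables from the previous script is missing.
: "${lan:?LAN interface 'lan' must be set by the initial script}"
: "${lan_ip:?'lan_ip' must be set by the initial script}"
: "${lan_dns1:?'lan_dns1' must be set by the initial script}"
: "${lan_dns2:?'lan_dns2' must be set by the initial script}"
: "${wan:?WAN interface 'wan' must be set by the initial script}"
: "${wan_ip:?'wan_ip' must be set by the initial script}"
: "${host_name:?'host_name' must be set by the initial script}"

#######################################
# Print the IP (first field) of every non-blank, non-comment line of a rule
# file. Rule lines are "IP note"; only leading-# lines are comments, so a
# note containing '#' no longer discards the whole line.
# Arguments: $1 - rule file path
# Outputs:   one IP per line on stdout
#######################################
rule_hosts() {
  awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

#######################################
# Rewrite a Squid src-list file from a label and a list of hosts. The label is
# written as a '#' comment so Squid never tries to parse it as an address.
# Arguments: $1 - output file, $2 - label, $3.. - hosts (may be none)
#######################################
write_squid_list() {
  local out=$1 label=$2
  shift 2
  {
    printf '# %s\n' "$label"
    if (( $# )); then
      printf '%s\n' "$@"
    fi
  } > "$out"
}

#--- Squid ---------------------------------------------------------------
# Stop Squid while its configuration is rewritten.
systemctl enable squid &>/dev/null
systemctl stop squid

squid_conf_file=/etc/squid/squid.conf
# Keep the distribution's original file; a re-run must not overwrite that
# backup with a previously generated config.
if [[ ! -e "${squid_conf_file}.bk" ]]; then
  cp -a -- "$squid_conf_file" "${squid_conf_file}.bk"
fi

# Unquoted delimiter on purpose: ${host_name} and ${lan_ip} are expanded
# directly, which replaces the old "#visible_hostname"/"#http_port" sed step.
# Squid ACL names are case-sensitive; SSL_ports/Safe_ports/CONNECT are the
# names Squid's default configuration uses.
cat > "$squid_conf_file" <<EOF
# Generated by the setup script; hand edits are lost on the next run.
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
acl localnet src fc00::/7         # RFC 4193 local private network range
acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591           # filemaker
acl Safe_ports port 777           # multiling http
acl CONNECT method CONNECT
visible_hostname ${host_name}
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Hosts in allow_all.squid are unrestricted; this is evaluated before the
# download-type filter below, so it also bypasses that filter.
acl allow_all src "/etc/squid/rules/allow_all.squid"
http_access allow allow_all
acl files urlpath_regex -i \.mp3$ \.avi$ \.exe$ \.rar$ \.zip$ \.mp4$ \.7z$ \.rm$ \.rmvb$ \.qsv$ \.mov$ \.msi$ \.wav$ \.torrent$ \.cab$ \.com$ \.bat$ \.gz$ \.bz2$ \.sys$ \.swf$
http_access deny files
acl only_web src "/etc/squid/rules/allow_only_web.squid"
http_access allow only_web
http_access allow localhost
http_access deny all
# Transparent port: PREROUTING below redirects LAN port-80 traffic here.
http_port ${lan_ip}:3128 transparent
http_port 3129
cache_dir aufs /var/spool/squid 10240 16 256
cache_mem 1024 MB
maximum_object_size 8 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
acl nocache urlpath_regex -i \.asp$ \.jsp$
no_cache deny nocache
acl nogov urlpath_regex -i \.gov\.cn
no_cache deny nogov
ipcache_size 65535
fqdncache_size 65535
coredump_dir /var/spool/squid
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
# store.log is disabled (the earlier /var/log/squid/store.log setting was
# immediately overridden by this line).
cache_store_log none
logfile_rotate 7
cache_swap_low 85
cache_swap_high 95
error_directory /usr/share/squid/errors/zh-cn
cache_mgr CHANGE_ME@example.com   # placeholder: set the administrator's contact address
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i \.(jpg|jpeg|gif|png|xml|html|htm|css|js|ico) 1440 90% 2880
refresh_pattern -i \.(mp3|mp4|swf|rar|zip) 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .               0       20%     4320
EOF

#--- iptables ------------------------------------------------------------
# Copy everything from "Copy begin" to "Copy end" into the daily management
# script, define the variables listed there and re-run it after editing the
# rule files. Policy is site-specific; adapt it as required.
#-------Copy begin---------
# Connection-tracking and FTP helpers; newer kernels use the nf_* names.
for mod in ip_conntrack_ftp:nf_conntrack_ftp ip_nat_ftp:nf_nat_ftp ip_conntrack:nf_conntrack; do
  modprobe "${mod%%:*}" 2>/dev/null || modprobe "${mod##*:}"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward   # this host routes/NATs the LAN

# The management copy defines manager_ip (and the other variables) at its top
# instead of prompting:
# lan= lan_ip= lan_dns1= lan_dns2= lan_net= manager_ip= wan= wan_ip=
read -r -p "input manager host ip address : " manager_ip
if [[ -z "$manager_ip" ]]; then
  printf 'manager host ip address is required\n' >&2
  exit 1
fi

# Start from empty chains and counters in filter and nat.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

# Default deny everywhere; the RELATED,ESTABLISHED rule is inserted first so
# the current administrative session survives the policy change.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d "$lan_ip" -p tcp --dport 3128 -j ACCEPT   # transparent proxy port
iptables -A INPUT -s "$manager_ip" -i "$lan" -p tcp --dport 22 -j ACCEPT   # SSH only from the manager host
iptables -A INPUT -i lo -j ACCEPT

# ICMP types accepted from the LAN: echo-reply, dest-unreach (incl. 3/4
# fragmentation-needed), source-quench, time-exceeded, parameter-problem,
# address-mask-reply.
icmp_types=(0 3 3/4 4 11 12 18)
for icmp_type in "${icmp_types[@]}"; do
  iptables -A INPUT -i "$lan" -p icmp --icmp-type "$icmp_type" -j ACCEPT
done

# Rate-limit new TCP connections: 1/s with a burst of 3, the rest is dropped.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j DROP

# Outbound from the box itself: Squid's upstream fetches (80/443 from the WAN
# address), DNS and loopback. Anything else Squid tries to fetch is dropped.
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s "$wan_ip" -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Forwarding: only established flows plus the two LAN DNS servers' upstream
# queries by default; per-host access is added from the rule files below.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "$lan_dns1" -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s "$lan_dns2" -p udp --dport 53 -j ACCEPT

# Redirect and SNAT: LAN HTTP goes to Squid, everything else forwarded is
# source-NATed to the WAN address.
iptables -t nat -A PREROUTING -i "$lan" -p tcp --dport 80 -j REDIRECT --to-ports 3128
read -r -p "input super subnet! exap 192.168.0.0/22 " lan_sup_subnet
if [[ -z "$lan_sup_subnet" ]]; then
  printf 'super subnet is required\n' >&2
  exit 1
fi
iptables -t nat -A POSTROUTING -s "$lan_sup_subnet" -o "$wan" -j SNAT --to-source "$wan_ip"

# Custom rules. The default is deny; port 80 is governed by Squid and needs no
# rule here. Firewall rules are read from files under /usr/local/iptables:
# each rule line starts with an IP, then a space, then a note, e.g. "IP user".
mkdir -p -- /usr/local/iptables /etc/squid/rules

# exap: allow all ports through.
# The next two lines seed the file at install time only; the daily management
# script must not contain them (the file is the administrator's source of truth).
echo "#允许所有端口通过" > /usr/local/iptables/allow_all.rule
echo "$manager_ip it" >> /usr/local/iptables/allow_all.rule
mapfile -t allow_all_rule < <(rule_hosts /usr/local/iptables/allow_all.rule)
for allow_all in "${allow_all_rule[@]}"; do
  iptables -A FORWARD -s "$allow_all" -o "$wan" -j ACCEPT
done
# Sync the Squid src list for these hosts.
write_squid_list /etc/squid/rules/allow_all.squid "User no Limits" "${allow_all_rule[@]}"

# exap: only 443/80 pass, and the "Mail" keyword is blocked (e.g. webmail),
# except when it comes from a server's port 8000.
# Install-time only, as above; the management script must not contain them.
echo "#只允许443, 80 ports passed. and restrict Mail, but allow the Mail keyword in server 8000 ports." > /usr/local/iptables/allow_only_web.rule
echo "$manager_ip it" >> /usr/local/iptables/allow_only_web.rule
mapfile -t allow_only_web_rule < <(rule_hosts /usr/local/iptables/allow_only_web.rule)
for allow_only_web in "${allow_only_web_rule[@]}"; do
  # Restricted to TCP 80/443 to match the rule file's stated intent (the
  # original rule accepted every port). Port 80 is redirected to Squid in
  # PREROUTING, so in practice only 443 reaches this rule.
  iptables -A FORWARD -s "$allow_only_web" -o "$wan" -p tcp -m multiport --dports 80,443 -j ACCEPT
  # Drop replies whose bytes 40-450 contain "Mail", unless from source port
  # 8000. This inspects cleartext only; TLS (443) payloads are not matched.
  iptables -I FORWARD -d "$allow_only_web" -i "$wan" -m string --algo bm --from 40 --to 450 --hex-string "Mail" -p tcp ! --sport 8000 -j DROP
done
# Sync the Squid src list for these hosts.
write_squid_list /etc/squid/rules/allow_only_web.squid "Allow 443,80 to pass, but limit Mail keywords" "${allow_only_web_rule[@]}"

# Initialize Squid's cache directories (install-time only; the management
# script does not need 'squid -z'), restart, then reload the rule files.
sleep 1
squid -z
sleep 1
systemctl restart squid.service
sleep 5
/sbin/squid -k reconfigure
#--------copy end-------------

# Day-to-day: edit the rule files in /usr/local/iptables and re-run the
# management script. When adding a rule class, add the matching fallback in
# both the management script and the Squid configuration.
# Optional boot-time unit for the management script:
#cat > /usr/lib/systemd/system/ipt.rule.service <<EOF
#[Unit]
#Description=iptables and squid manage script
#After=syslog.target network.target nss-lookup.target
#[Service]
#Type=oneshot
#ExecStart=/usr/local/iptables/ipt.rule.sh
#[Install]
#WantedBy=multi-user.target
#EOF
#systemctl enable ipt.rule.service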
Automatic installation of Squid+iptables Internet agent and Internet Behavior Management script (ii).