(CentOS) iptables + squid transparent proxy + Firewall ultimate Configuration

Source: Internet
Author: User
(CentOS) iptables + squid transparent proxy + Firewall ultimate configuration-Linux Enterprise Application-Linux server application information, the following is a detailed description. Many people are constantly asking iptables + squid to do transparent proxy. I am afraid to give a unified answer here. If you have any questions, I hope you will give me some comments.
========================================================== ==================================
Related Resources:
Man.chinaunix.net, with iptables man in the lower left corner. Take a closer look.
System:
CentOS4.2, three NICs, two Intranets, one Internet. Dual Xeon, 2 GHz, 2 GB memory. The server mainly has squid and sshd enabled, and all others are closed.
Eth0: 192.168.100.1
Eth1: 192.168.168.12
Eth2: A. B .C.D -- Internet address
========================================================== ==================================
You can set squid based on your own situation. Assume that the port is 3128 and there are listeners on all three NICs (do not bind an IP address or Nic ).
/Etc/squid. conf
Http_port 3128
Cache_mem 1000 MB
Cache_swap_low 90
Cache_swap_high 95
Cache_dir ufs/opt/cache/squid 8000 16 256
Cache_access_log/var/log/squid/access. log
Cache_store_log/var/log/squid/store. log
Dns_nameservers 210.77.192.88
Maximum_object_size 409600 KB
Maximum_object_size_in_memory 64000 KB
Emulate_httpd_log on
Ipcache_size 1024
Ipcache_low 90
Ipcache_high 95
Fqdncache_size 1024
Forwarded_for off
Coredump_dir/opt/cache/squid/coredump


Httpd_accel_port 80
Httpd_accel_host virtual
Httpd_accel_with_proxy on
Httpd_accel_single_host off
Httpd_accel_uses_host_header on

Acl all src 0.0.0.0/0
Acl lixiaedu100 src 192.168.100.0/24
Acl lixiaedu168 src 192.168.168.0/24

Http_access allow lixiaedu100
Http_access allow lixiaedu168
Http_access deny all

Cache_inclutive_user squid
Cache_paitive_group squid
Cache_mgr zhaobing8181@163.com
Visible_hostname lixiaedu

========================================================== ====================================
Iptables settings. The iptables settings are divided into two parts: one is how to perform SNAT, and the other is how to implement security protection when squid is enabled.
I. SNAT

Modprobe ip_tables
Modprobe iptable_nat
Modprobe iptable_filter
Modprobe ip_conntrack_ftp
Modprobe ip_nat_ftp
Add necessary modules of iptables for calling.

Echo 1>/proc/sys/net/ipv4/ip_forward
Enable the "forwarding" function. Enables data packets to flow between different NICs ".

Iptables-t nat-a postrouting-s 192.168.100.0/24-o eth2-j SNAT -- to A. B .C.D
Iptables-t nat-a postrouting-s 192.168.168.0/24-o eth2-j SNAT -- to A. B .C.D
Iptables-t nat-a prerouting-s 192.168.100.0/24-I eth0-p tcp -- dport 80-j REDIRECT -- to-port 3128
Iptables-t nat-a prerouting-s 192.168.168.0/24-I eth1-p tcp -- dport 80-j REDIRECT -- to-port 3128
The above four statements are important and the key to transparent proxy. The first two sentences are used to convert the source address, that is, to convert the Intranet address to the Internet address. After executing these two statements, the Intranet machine can access the Internet even if there is no squid.
The following two sentences are "port redirection" for the tcp protocol entry from two Intranet NICs and the destination port number is 80 ". Redirect to port 3128. In this way, squid can receive this packet.
OK! If your squid is correct and you have executed the preceding statement, no error is reported. Congratulations! A transparent proxy with iptables + squid is created. If you don't believe it, there are two ways to test: one is to log on: http://ipid.shat.net, This is a foreign website, can display your Internet IP address, and whether it has been proxy. The second is to download an object from an intranet machine or view a webpage with many and slow images, then go to another Intranet machine to download the same file or view the image webpage. Ratio

A little faster, you can feel it.

Ii. firewall

If you put such a server on the internet, it is tantamount to "suicide ". The firewall does not have any protection mechanisms and filtering functions. It is easy to be cracked by various attacks. Don't be confused

Considering the security of Linux, the security awareness of network administrators is much more important than shouting Linux security.

Iptables-F
Iptables-X
Iptables-F-t mangle
Iptables-t mangle-X
Iptables-F-t nat
Iptables-t nat-X
First, empty the three tables and empty the self-built rules.

Iptables-P INPUT DROP
Iptables-P OUTPUT DROP
Iptables-P FORWARD ACCEPT
Set the Default policy of INPUT and OUTPUT to DROP and FORWARD to ACCEPT.

Iptables-a input-I lo-j ACCEPT
Iptables-a output-o lo-j ACCEPT
Open the "loop" first to avoid unnecessary troubles.

Iptables-a input-I eth +-p icmp -- icmp-type 8-j ACCEPT
Iptables-a output-o eth +-p icmp -- icmp-type 0-j ACCEPT
Enable the ping function on all NICs for easy maintenance and detection.

Iptables-a input-I eth0-s 192.168.100.250-d 192.168.100.1-p tcp -- dport 22-j ACCEPT
Iptables-a output-o eth0-d 192.168.100.250-s 192.168.100.1-p tcp -- sport 22-j ACCEPT
Open Port 22 to allow remote management. (Many additional conditions are set: the IP address of the management machine must be 250 and must be entered from the eth0 Nic)

Iptables-a input-I eth0-s 192.168.100.0/24-p tcp -- dport 3128-m state -- state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-d 192.168.100.0/24-p tcp -- sport 3128-m state -- state ESTABLISHED-j ACCEPT
Iptables-a input-I eth1-s 192.168.168.0/24-p tcp -- dport 3128-m state -- state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth1-d 192.168.168.0/24-p tcp -- sport 3128-m state -- state ESTABLISHED-j ACCEPT
Iptables-a input-I eth2-p tcp -- dport 32768: 61000-m state -- state ESTABLISHED-j ACCEPT
Iptables-a output-o eth2-p tcp -- sport 32768: 61000-m state -- state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth2-p udp -- dport 53-j ACCEPT
Iptables-a input-I eth2-p udp -- sport 53-j ACCEPT
The above statements are a headache. I will explain them one by one.

Iptables-a input-I eth0-s 192.168.100.0/24-p tcp -- dport 3128-m state -- state NEW, ESTABLISHED-j ACCEPT
Allow machines in the 192.168.100.0/24 network segment to send data packets from the eth0 Nic. If the data packet is tcp and the destination port is 3128 (because REDIRECT has changed 80 to 3128. The PREROUTING of the nat table is before the INPUT of the filter table .) And the data packet status must be NEW or ESTABLISHED (NEW represents the "first hold" of the tcp three-segment handshake, in other words, allow the client machine to send a link request to the server. ESTABLISHED indicates that a link has been ESTABLISHED through a handshake.

Iptables-a output-o eth2-p tcp -- sport 32768: 61000-m state -- state NEW, ESTABLISHED-j ACCEPT
Let's take a look at this sentence first. Now your data packets have entered the linux Server firewall. Squid needs to be accessed in place of you. Therefore, the server becomes the role of the client, so it needs to use private ports from 32768 to 61000 for access. (It should be 1024 to 65535. In fact, the private ports defined in CentOS linux are 32768 to 61000. You can check them through cat/proc/sys/net/ipv4/ip_local_port_range .) Statement again: squid accesses other servers as a client, so the source port here is 32768: 61000, not 3128!

Iptables-a input-I eth2-p tcp -- dport 32768: 61000-m state -- state ESTABLISHED-j ACCEPT
Of course, data goes back.

Iptables-a output-o eth0-d 192.168.100.0/24-p tcp -- sport 3128-m state -- state ESTABLISHED-j ACCEPT
Data packets must be forwarded to the Intranet Nic through the server. Note that squid helps you access the website you want to access. Therefore, in the Intranet, your machine is a client role, while squid is a server role. This is different from the external access process. So here, the source port is 3128 instead of 32768: 61000.

Iptables-a output-o eth2-p udp -- dport 53-j ACCEPT
Iptables-a input-I eth2-p udp -- sport 53-j ACCEPT
Of course, DNS is indispensable.

Iptables-a input-I eth +-p tcp -- dport 80-j LOG -- log-prefix "iptables_80_alert" -- log-level info
Iptables-a input-I eth +-p tcp -- dport 21-j LOG -- log-prefix "iptables_21_alert" -- log-level info
Iptables-a input-I eth +-p tcp -- dport 22-j LOG -- log-prefix "iptables_22_alert" -- log-level info
Iptables-a input-I eth +-p tcp -- dport 25-j LOG -- log-prefix "iptables_25_alert" -- log-level info
Iptables-a input-I eth +-p icmp -- icmp-type 8-j LOG -- log-prefix "iptables_icmp8_alert" -- log-level info
Of course, some log records will be helpful to network administrators.

So far, we have analyzed a complete access process. The most important thing in this article is to show that squid plays two opposite roles on Intranet machines and Internet servers.

This is not easy to understand. I tried it for a while. I hope that my article will inspire everyone's resonance and thinking.
You are welcome to repost this article. Please keep your author information.


Note: Recently, squid cannot be started, or it will automatically stop after several seconds. Messages says squid has encountered signal 25, so it stops. If this problem occurs, check whether the squid log is too large. I have read that access. log has 1.6 GB, and store. log has 2 GB. It seems that the file size is too large. Transfer or rename two files.

========================================================== ==================================
Author profile: Zhao Bing, a network engineer from the Information Center of the Education Bureau of Lichuan district, Jinan City, holds the D-Link gigabit network expert certification and soft test network engineer certification. Maintains large switches and multiple servers, and has its own unique insights on the network. You are welcome to communicate with your colleagues. Contact: zhaobing8181@163.com

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.