Linux + squid + iptables Enterprise Solution

Source: Internet
Author: User
The following is a detailed description of the requirements:

01. Some users may browse the web but may not download files;

02. Some users may download files;

03. Some users are not restricted at all;

04. For everybody, the restrictions are lifted outside a specified time period;

05. URLs matching specific patterns may not be downloaded: exe/zip;

06. Access to specific sites is denied;

07. Transparent proxy and user authentication coexist;

08. Some users may browse only specified websites;

09. Apart from web access, only mail (SMTP, POP3) is forwarded, and mail may only be exchanged with the mail server of one domain name;

10. IP/MAC binding and user-name authentication for Internet access;

11. Three authentication methods (mysql, samba, and ncsa).


First of all, I think 01 cannot be implemented, and for 11 I will not implement MySQL or Samba authentication, only basic authentication; all the other functions can be implemented.

Example setup: the internal subnets are 192.168.1.0/24 and 192.168.0.0/24. The mail domain is 163.com (www.163.com), whose mail server address was 202.108.36.196 at the time of writing; LAN clients may send and receive mail only through that address (this part is enforced in iptables).

The Internet-facing NIC is eth0 and the LAN NIC is eth1, which carries both 192.168.1.201 and 192.168.0.201. The second address lives on the alias interface eth1:1, created by copying the eth1 interface configuration to eth1:1 and editing the address (on Red Hat: cp ifcfg-eth1 ifcfg-eth1:1 under /etc/sysconfig/network-scripts/). Hosts without restrictions (requirement 03) get addresses after 192.168.0.201 and are recognized by their MAC address.
Because AS3 (Red Hat Enterprise Linux AS 3) ships without GCC and its bundled Squid lacks the ncsa_auth helper, install GCC and rebuild Squid from source:

tar zxvf squid-2.5.STABLE7.tar.gz
cd squid-2.5.STABLE7
./configure --prefix=/usr/local/squid \
    --sysconfdir=/etc/squid \
    --enable-arp-acl \
    --enable-linux-netfilter \
    --enable-pthreads \
    --enable-err-language="Simplify_Chinese" \
    --enable-default-err-language="Simplify_Chinese" \
    --enable-storeio=ufs,null \
    --enable-auth="basic" \
    --enable-basic-auth-helpers="NCSA" \
    --enable-underscore
make
make install

Meaning of the options:
--sysconfdir: location of the configuration file
--enable-arp-acl: ACLs on the client's MAC address
--enable-linux-netfilter: transparent proxying through Linux netfilter
--enable-err-language / --enable-default-err-language: compile and use the Simplified Chinese error pages
--enable-storeio=ufs,null: the null store type, because no cache is wanted
--enable-auth / --enable-basic-auth-helpers: basic authentication with the NCSA helper
--enable-underscore: accept underscores in host names
Now configure squid.conf:

########################################################################
# Server configuration
icp_port 0
cache_store_log none
# The article discards both logs. Keep cache_access_log on a real system:
# it is the only record of who fetched what through the proxy.
cache_access_log /dev/null
cache_log /dev/null
http_port 3128
cache_mem 128 MB
cache_dir null /tmp                  # no disk cache

pid_filename none
client_netmask 255.255.255.255
half_closed_clients on

# User categories
# The helper path matches --prefix=/usr/local/squid above; the password file
# is in htpasswd format, e.g. created with: htpasswd -c /etc/squid/passwd <user>
auth_param basic program /usr/local/squid/libexec/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Tianfuming proxy-caching server
auth_param basic credentialsttl 2 hours
acl normal proxy_auth REQUIRED       # authenticated users
# 10: IP/MAC binding; ARP ACLs only see hosts on the same Ethernet segment as the proxy
acl advance arp 00:01:02:1f:2c:3e 00:01:02:3c:1a:8b   # ... one MAC per unrestricted host
acl lana src 192.168.1.0/24
acl lanb src 192.168.0.1-192.168.0.200/32

# Behaviour classification
# 05: file types that may not be downloaded (zip added, as requirement 05 names it)
acl download urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.avi$ \.rar$ \.rmvb$ \.jpg$
# acl conncount maxconn 5            # maximum connections per client
# 04: append the hh:mm-hh:mm working-hours range (missing from the source);
# without it the ACL matches whole weekdays. The denies below apply only while it matches.
acl worktime time MTWHF
acl qq dstdomain .snnu.edu.cn
acl badwords url_regex sex           # substring match: also hits "sussex", "essex"
# 08: sites lanb may browse (the domain list is not given in the source)
acl homepage dstdomain ...

acl localhost src 127.0.0.1/32
acl all src 0.0.0.0/0.0.0.0

http_access allow advance            # 03: no restrictions for these hosts
http_access allow localhost
# http_access deny conncount normal
# http_access deny !...              # the ACL name after "!" is missing from the source
http_access deny badwords worktime   # URLs containing specific strings are blocked
http_access deny qq worktime         # 06: a specific site is blocked
http_access allow lana               # 02: lana users may download (this line precedes the download deny)
http_access deny download worktime   # 05: specific file types may not be downloaded
http_access allow lanb homepage      # 08: lanb users may browse only the listed sites
http_access allow normal             # everybody else must authenticate
http_access deny all                 # deny everything else
# 07: transparent proxy coexisting with user authentication (Squid 2.5 syntax)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
# Caveat: intercepted clients never see the proxy's 407 challenge, so proxy_auth
# only applies to browsers configured to use port 3128 explicitly; intercepted
# traffic is governed by the src/arp ACLs alone.
########################################################################
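To check this policy without starting Squid, here is an added example (not code from the article) that models Squid's http_access evaluation in Python: lines are tried top to bottom, every ACL named on one line must match (AND), the values inside one ACL are alternatives (OR), a leading `!` negates, and the first fully matching line decides. The MAC addresses, subnets, regexes and the snnu.edu.cn domain are the article's; the `homepage` domain `.intranet.example`, the worktime hours 09:00-18:00 and the sample requests are assumptions constructed for the example. Running it makes two things visible that the config does not say out loud: `allow lana` sits above `deny download worktime`, so lana users are never subject to requirement 05, and `url_regex sex` also blocks www.sussex.ac.uk.

```python
import ipaddress
import re
from datetime import datetime, time
from urllib.parse import urlsplit

DAY_CODES = "MTWHFAS"  # Squid's day letters, indexed like datetime.weekday()

# ACLs as in squid.conf; the 'homepage' domain and the worktime hours are assumptions
ACLS = {
    "advance":   ("arp", ["00:01:02:1f:2c:3e", "00:01:02:3c:1a:8b"]),
    "lana":      ("src", ["192.168.1.0/24"]),
    "lanb":      ("src", ["192.168.0.1-192.168.0.200"]),
    "normal":    ("proxy_auth", ["REQUIRED"]),
    "download":  ("urlpath_regex", ["-i", r"\.mp3$", r"\.exe$", r"\.zip$",
                                    r"\.avi$", r"\.rar$", r"\.rmvb$", r"\.jpg$"]),
    "worktime":  ("time", ["MTWHF", "09:00-18:00"]),
    "qq":        ("dstdomain", [".snnu.edu.cn"]),
    "badwords":  ("url_regex", ["sex"]),
    "homepage":  ("dstdomain", [".intranet.example"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "all":       ("src", ["0.0.0.0/0"]),
}

HTTP_ACCESS = [  # same order as in squid.conf; ACLs on one line are ANDed
    ("allow", ["advance"]), ("allow", ["localhost"]),
    ("deny", ["badwords", "worktime"]), ("deny", ["qq", "worktime"]),
    ("allow", ["lana"]), ("deny", ["download", "worktime"]),
    ("allow", ["lanb", "homepage"]), ("allow", ["normal"]), ("deny", ["all"]),
]

def _src(values, ip):  # each value is a CIDR or a lo-hi range
    addr = ipaddress.ip_address(ip)
    for v in values:
        if "-" in v:
            lo, hi = map(ipaddress.ip_address, v.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(v, strict=False):
            return True
    return False

def _regex(values, text):  # a leading "-i" means case-insensitive, as in Squid
    flags = re.I if values[0] == "-i" else 0
    return any(re.search(p, text, flags) for p in values if p != "-i")

def _dstdomain(values, host):  # a leading dot also matches subdomains
    return any(host == d.lstrip(".") or (d[0] == "." and host.endswith(d)) for d in values)

def _time(values, when):
    days, hours = values
    start, end = (time.fromisoformat(h) for h in hours.split("-"))
    return DAY_CODES[when.weekday()] in days and start <= when.time() < end

def acl_match(name, req):
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    url = urlsplit(req["url"])
    hit = {
        "src": lambda: _src(values, req["ip"]),
        "arp": lambda: req.get("mac", "").lower() in values,
        "proxy_auth": lambda: req.get("user") is not None,
        "urlpath_regex": lambda: _regex(values, url.path),
        "url_regex": lambda: _regex(values, req["url"]),
        "dstdomain": lambda: _dstdomain(values, url.hostname or ""),
        "time": lambda: _time(values, req["when"]),
    }[kind]()
    return hit != negate

def http_access(req):
    """Return 'allow' or 'deny' as Squid would: the first fully matching line wins."""
    for action, names in HTTP_ACCESS:
        if all(acl_match(n, req) for n in names):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"  # default: opposite of last line

# Constructed sample requests (not from the article)
WORK = datetime(2005, 3, 14, 10, 30)   # a Monday inside the assumed hours
NIGHT = datetime(2005, 3, 14, 21, 0)   # same day, after hours
EXE = "http://files.example.net/setup.EXE"

def _req(ip, url, when, user=None, mac=""):
    return {"ip": ip, "url": url, "when": when, "user": user, "mac": mac}

def policy_report():
    """Decision for each constructed request, keyed by the requirement it probes."""
    cases = {
        "03_mac_host_download_at_work": _req("192.168.0.230", EXE, WORK, mac="00:01:02:1f:2c:3e"),
        "02_lana_download_at_work": _req("192.168.1.50", EXE, WORK),
        "05_lanb_download_at_work": _req("192.168.0.50", EXE, WORK),
        "04_lanb_download_after_hours_login": _req("192.168.0.50", EXE, NIGHT, user="alice"),
        "04_lanb_download_after_hours_anon": _req("192.168.0.50", EXE, NIGHT),
        "08_lanb_homepage_at_work": _req("192.168.0.50", "http://www.intranet.example/", WORK),
        "06_login_blocked_site_at_work": _req("192.168.0.50", "http://www.snnu.edu.cn/", WORK, user="alice"),
        "06_login_blocked_site_after_hours": _req("192.168.0.50", "http://www.snnu.edu.cn/", NIGHT, user="alice"),
        "badwords_hits_sussex": _req("192.168.1.50", "http://www.sussex.ac.uk/", WORK),
    }
    return {name: http_access(r) for name, r in cases.items()}

if __name__ == "__main__":
    for name, verdict in policy_report().items():
        print(f"{verdict:5} {name}")
```

The anonymous lanb request after hours is still denied: requirement 04 only lifts the worktime-gated denies, while the "homepage only" limit on lanb is not gated by worktime, so those users need to authenticate to leave the listed sites at any hour. If that is not intended, add `worktime` to the `allow lanb homepage` line or move it.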
iptables script
########################################################################
#!/bin/sh
# Firewall, NAT and transparent-proxy rules for the gateway described above.

UPLINK="eth0"                # Internet-facing interface
UPIP="a.b.c.d"               # its public address (placeholder)
LANLINK="eth1"               # internal interface
ROUTER="yes"
# NAT="dynamic"              # use this when UPIP is assigned dynamically
NAT="${UPIP}"
INTERFACES="lo eth0 eth1"
SERVICES="80 22 25 110"      # TCP ports the gateway itself accepts from the Internet; list only
                             # services that really run here, and restrict 22 to admin addresses if you can
DENY=""                      # TCP/UDP destination ports the gateway itself may not reach
MAILSERVER="202.108.36.196"  # the only host LAN clients may reach on SMTP/POP3 (163.com)

case "$1" in
start)
    echo -n "Starting firewall ..."
    modprobe ip_nat_ftp
    modprobe ip_conntrack_ftp

    iptables -P INPUT DROP
    iptables -A INPUT ! -i ${UPLINK} -j ACCEPT             # loopback and LAN may talk to the gateway (this is how port 3128 is reached)
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -P FORWARD DROP
    # 09: SMTP/POP3 may only go to the 163.com mail server. This DROP must come
    # before the general ACCEPT below, otherwise it is never reached.
    iptables -A FORWARD -p tcp -m multiport --dport 25,110 ! -d ${MAILSERVER} -j DROP
    iptables -A FORWARD -p tcp -m multiport --dport 25,80,110 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -P OUTPUT DROP

    # Public services offered by the gateway itself
    for x in ${SERVICES}
    do
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done

    for y in ${DENY}
    do
        iptables -A OUTPUT -p tcp --dport ${y} -j DROP
        iptables -A OUTPUT -p udp --dport ${y} -j DROP
    done

    # Log what the INPUT chain is about to refuse
    # iptables -A INPUT -j LOG --log-prefix "bad input: "

    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    # iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

    # Explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi

    # Reverse-path filtering against spoofed source addresses on all interfaces
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done

    if [ "$ROUTER" = "yes" ]
    then
        # We are a router of some kind: enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # 07: intercept LAN web traffic into Squid on port 3128 (REDIRECT, not DNAT,
        # is the target that rewrites to a local port); needed for static and dynamic NAT alike
        iptables -t nat -A PREROUTING -i ${LANLINK} -p tcp --dport 80 ! -d ${UPIP} -j REDIRECT --to-ports 3128
        if [ "$NAT" = "dynamic" ]
        then
            # Dynamic IP address: use masquerading
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            # Static IP: use SNAT
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
        fi
    fi
    echo "OK!"
    exit 0
    ;;
stop)
    echo -n "Stopping firewall ..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    iptables -F FORWARD              # otherwise the DROP policy set at start stays in force
    iptables -P FORWARD ACCEPT
    iptables -F OUTPUT
    iptables -P OUTPUT ACCEPT
    # Turn off NAT/masquerading and the transparent redirect, if any
    # iptables -t nat -F
    echo "OK!"
    exit 0
    ;;
restart)
    $0 stop
    $0 start
    ;;
show)
    clear
    echo "> ------------------------------------------------------"
    iptables -L -n -v
    echo "> ------------------------------------------------------"
    iptables -t nat -L -n -v
    exit 0
    ;;
*)
    echo "Usage: $0 {start|stop|restart|show}"
    exit 1
esac
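The same ruleset in iptables-restore format, as an added example that is not part of the original script: loading it with iptables-restore applies the whole table at once (a bad line aborts the load instead of leaving a half-built firewall), and the file makes the ordering that matters visible at a glance, with the SMTP/POP3 DROP for destinations other than the mail server above the general ACCEPT and the REDIRECT into Squid in the nat PREROUTING chain. Interface names, ports and the mail server address are the article's; `a.b.c.d` is the gateway's public address placeholder as in the script; the `-i eth1` qualifier on the FORWARD rules, which limits forwarding to connections that originate on the LAN, is an addition the script does not have.

```conf
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The gateway itself: anything not arriving on the uplink (loopback, LAN) is accepted
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SERVICES offered to the Internet (only those the box really runs)
-A INPUT -i eth0 -p tcp -m multiport --dports 80,22,25,110 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
# 09: LAN clients may use SMTP/POP3 only towards the 163.com mail server.
# The DROP must precede the ACCEPT; in the other order it is never reached.
-A FORWARD -i eth1 -p tcp -m multiport --dports 25,110 ! -d 202.108.36.196 -j DROP
-A FORWARD -i eth1 -p tcp -m multiport --dports 25,80,110 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 07: intercept LAN web traffic into Squid on 3128; requests to the gateway's own public address are left alone
-A PREROUTING -i eth1 -p tcp --dport 80 ! -d a.b.c.d -j REDIRECT --to-ports 3128
# Static public address: SNAT (use -j MASQUERADE instead when a.b.c.d is dynamic)
-A POSTROUTING -o eth0 -j SNAT --to-source a.b.c.d
COMMIT
```

Replace a.b.c.d, then load with `iptables-restore < rules` (on iptables versions that support it, `iptables-restore --test < rules` parses the file without committing). The sysctl settings (ip_forward, rp_filter, tcp_ecn) and the ip_nat_ftp/ip_conntrack_ftp modules are not part of a rules file; they still come from the script or from /etc/sysctl.conf and /etc/modules.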