Introduction to transparent firewall (bridge + iptables + squid)

Source: Internet
Author: User
Setting up a transparent proxy and firewall is a hot topic on the Linux platform. There are related articles on shuimu, but complete walkthroughs on the public web are rare. I recently deployed one and it took me more than a week (I am slow, don't laugh, and there were plenty of missteps along the way), so I think it is worth writing the process down for others to draw on.

A word about the network environment: a LAN of about 200 people, one class C, and a router doing NAT (one public IP). Simple enough. The goal is to add a transparent firewall between the router and the LAN that also serves as a cache server. I don't want the firewall to do NAT. First, a router is already doing it. Second, NAT is resource-hungry (with many clients it puts real load on the router's CPU; I once saw a Cisco 75XX router go down every five minutes with 1000 users behind it and had to put in a PIX for NAT). Third, if the cache server goes down, the network keeps working as soon as the link is reconnected (at worst with poorer performance), without affecting users.

The firewall platform is a P4 2.4G server with MB of memory, 2 × 80 GB HD, and two NICs, running RH8.0 with kernel 2.4.20. (We originally wanted to install Gentoo, but 1.4 had only just reached RC3, so we couldn't wait and went with RH instead ~_~.)

First download bridge-utils to build the bridge. The bridge turns the two NICs into one bridge device, so the ports at both ends forward packets completely transparently while iptables does the filtering. From http://bridge.sourceforge.net (what, SourceForge is unreachable? Don't ask why; go through an HTTPS proxy!) download bridge-utils-0.9.6.tar.gz and bridge-nf-0.0.7-against-2.4.19.diff. (The patch is essential; without it iptables cannot see the packets the bridge forwards.)

Go to http://netfilter.samba.org to download iptables, and to www.linuxhq.com to download the latest kernel and patches.

Unpack the kernel under /usr/src, enter /usr/src/linux, and apply the bridge patch: patch -p1 < bridge-nf-0.0.7-against-2.4.19.diff

One more problem: the traffic counters shown by ifconfig wrap to 0 after 4 GB and start over. This is because fields such as rx_bytes and tx_bytes are declared unsigned long, i.e. 32-bit (2^32), so they roll over at 4 GB; you can change them to unsigned long long (2^64). Edit /usr/src/linux/include/linux/netdevice.h and ../linux/net/core/dev.c. The following is the patch record; find the files and change the corresponding code.

Diff-urN linux-orig/include/linux/netdevice. h linux/include/linux/netdevice. h

--- Linux-orig/include/linux/netdevice. h

++ Linux/include/linux/netdevice. h

@-96,10 + 96,10 @@

Struct net_device_stats

{

-Unsigned long rx_packets;/* total packets initialized ed */

-Unsigned long tx_packets;/* total packets transmitted */

-Unsigned long rx_bytes;/* total bytes encoded ed */

-Unsigned long tx_bytes;/* total bytes transmitted */

+ Unsigned long rx_packets;/* total packets initialized ed */

+ Unsigned long tx_packets;/* total packets transmitted */

+ Unsigned long rx_bytes;/* total bytes encoded ed */

+ Unsigned long tx_bytes;/* total bytes transmitted */

Unsigned long rx_errors;/* bad packets received */

Unsigned long tx_errors;/* packet transmit problems */

Unsigned long rx_dropped;/* no space in linux buffers */
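Review bot: the four `+` lines of this hunk are byte-for-byte identical to the `-` lines they replace (`Unsigned long rx_packets;` through `Unsigned long tx_bytes;`), so as pasted the patch widens nothing. The text above says these counters should become 64-bit, and the dev.c hunk switches their format specifiers to `%llu`, so the four `+` lines need to read `unsigned long long rx_packets;` (and likewise tx_packets, rx_bytes, tx_bytes). The headers are also mangled (`++ Linux/include/...` should be `+++ linux/include/...`, and the hunk header `@@ -96,10 +96,10 @@`), so `patch` will not apply this as shown; edit the struct by hand as the text suggests. Because every NIC driver fills in `struct net_device_stats`, the change only holds together when the whole tree, modules included, is rebuilt against the patched header.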

Diff-urN linux-orig/net/core/dev. c linux/net/core/dev. c

--- Linux-orig/net/core/dev. c

+++ Linux/net/core/dev. c

@-1689,7 + 1689,7 @@

Int size;

If (stats)

-Size = sprintf (buffer, "% 6 s: % 8lu % 7lu % 4lu % 4lu % 4lu % 5lu % 10lu % 9lu % 8lu % 7lu % 4lu % 4lu % 4lu % 5lu % 7lu % 10lu
",

+ Size = sprintf (buffer, "% 6 s: % 8llu % 7llu % 4lu % 4lu % 4lu % 5lu % 10lu % 9lu % 8llu % 7llu % 4lu % 4lu % 4lu % 5lu % 7lu % 10lu
",

Dev-> name,

Stats-> rx_bytes,

Stats-> rx_packets, stats-> rx_errors,
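Review bot: the new format string changes columns 1-2 and 9-10 to `%8llu %7llu`, which is only correct if the header hunk really makes rx_bytes, rx_packets, tx_bytes and tx_packets `unsigned long long`; if the struct keeps `unsigned long`, `%llu` consumes eight bytes for a four-byte argument on i386 and every later column of /proc/net/dev is shifted (gcc's -Wformat, part of -Wall, flags the mismatch, so do not ignore that warning). The hunk is also truncated (only three argument lines are visible) and the string's closing quote is split onto a separate line, so it cannot be applied mechanically. The `%8llu`/`%7llu` widths are minimums, so values above 4 GB simply widen the field; a whitespace-based parser such as ifconfig's copes with that, but anything relying on fixed column offsets in /proc/net/dev must be re-checked.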

After recompiling, the 4 GB wrap in ifconfig is gone.
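Patching the kernel is one fix; a monitoring script that cannot patch the kernel has to live with the 32-bit rollover instead. The following is an added example, not code from the page: it parses two constructed /proc/net/dev lines (the format the dev.c hunk above prints, values invented here) and computes the receive-byte delta correctly across one wrap, using the fact that shell arithmetic is 64-bit and masking the difference back to 32 bits.

```shell
#!/bin/sh
# Constructed /proc/net/dev-style samples for one interface (values invented for this
# example, not taken from the page). rx_bytes is a 32-bit counter that wrapped between
# the two readings: 4294967000 -> 500 really means 796 bytes were received.
SAMPLE_BEFORE='  eth0: 4294967000  300000    0    0    0     0          0         0  12345678  200000    0    0    0     0       0          0'
SAMPLE_AFTER='  eth0:        500  300010    0    0    0     0          0         0  12346678  200010    0    0    0     0       0          0'

# rx_bytes: extract the receive byte counter, the first number after "ifname:".
rx_bytes() {
    printf '%s\n' "$1" | awk -F: '{ split($2, f, " "); print f[1] }'
}

# delta32: bytes transferred between two readings of an unsigned 32-bit counter.
# Subtracting in 64-bit arithmetic and masking to 32 bits restores the true delta
# when the counter rolled over (at most once) between the readings.
delta32() {
    echo $(( ($2 - $1) & 4294967295 ))
}

# rx_delta: receive-byte delta between two /proc/net/dev lines of the same interface.
rx_delta() {
    delta32 "$(rx_bytes "$1")" "$(rx_bytes "$2")"
}

rx_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

The mask only rescues a single wrap between readings; on a busy gigabit link a 32-bit byte counter can wrap more than once per minute, so sample often enough or use the widened 64-bit counters the patch provides.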

Next, recompile the kernel: make menuconfig ...

Note: besides the drivers (NIC and so on; I missed a NIC driver in the first compile), the important part is enabling iptables. Under Networking options select "Network packet filtering (replaces ipchains)"; the "IP: Netfilter Configuration -->" submenu then appears. Select all the options there, return to the Networking options menu, and select "802.1d Ethernet Bridging" and "netfilter (firewalling) support" (their importance is obvious at a glance).

Exit and start building:

make dep
make modules
make modules_install
make bzImage

When it finishes: cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage.bridge

Copy System.map to /boot as well, then update lilo or grub accordingly (not detailed here; articles on recompiling the kernel are everywhere).

Reboot. If all is well, continue with the bridge utilities:

tar xzvf bridge-utils-0.9.6.tar.gz
cd ./bridge-utils-0.9.6
make
make install

(This compiles and installs bridge-utils; the installation directory can be specified when the makefile is generated.)

Try the basic bridge commands first. For example, brctl addbr mybridge creates a bridge named mybridge; ifconfig will now show an additional mybridge interface. Then add the two ports:

brctl addif mybridge eth0
brctl addif mybridge eth1

(eth0 and eth1 are now members of mybridge.) Then, on each port:

ifconfig eth0 0.0.0.0 promisc
ifconfig eth1 0.0.0.0 promisc

(no IP address on the ports themselves, promiscuous mode enabled.)

At this point the bridge is up and the traffic between the router and the LAN starts passing through the machine. You will then find the console flooded with TCP/IP forwarding messages and the hard disk going crazy: syslogd and klogd are the culprits, because the logging threshold is set too low. Telnet in (telnet is the only option; the console is swamped), kill syslogd and klogd, remove the "*.info to /var/log/messages" rule from /etc/syslog.conf (I didn't know this at first; I connected the network on the afternoon of the first day, checked the next morning, and /var/log/messages was already 2.7 GB, my God), and in /etc/init.d/syslog add "-2 -c 4" after "daemon klogd" (-c 4 raises the level at which klogd forwards messages to the console). Restart syslogd. Haha, the whole world is clean!!!

In fact, we can also write a startup script and put it in /etc/init.d, as shown below:

#!/bin/bash
# Bring the transparent bridge "tranfw" (eth0 + eth1) up and down.
. /etc/init.d/functions

# rc_done / rc_failed come from SuSE's rc.status; give them defaults on Red Hat.
rc_done=${rc_done:-"done"}
rc_failed=${rc_failed:-"failed"}
return=$rc_done
RETVAL=0

start() {
    echo "Starting service bridge tranfw"
    brctl addbr tranfw || return=$rc_failed
    brctl addif tranfw eth0 || return=$rc_failed
    brctl addif tranfw eth1 || return=$rc_failed
    # Member ports carry no IP address of their own and run promiscuous.
    ifconfig eth0 0.0.0.0 promisc || return=$rc_failed
    ifconfig eth1 0.0.0.0 promisc || return=$rc_failed
    # Short spanning-tree timers so the bridge starts forwarding quickly.
    brctl sethello tranfw 1 || return=$rc_failed
    brctl setmaxage tranfw 4 || return=$rc_failed
    brctl setfd tranfw 4 || return=$rc_failed
    # The bridge interface itself carries the management address of this box.
    ifconfig tranfw 192.168.9.11 broadcast 192.168.9.255 promisc up || return=$rc_failed
    /sbin/route add default gw 192.168.9.1 netmask 0.0.0.0 metric 1 || return=$rc_failed
    echo -e "$return"
    [ "$return" = "$rc_done" ] || RETVAL=1
}

stop() {
    echo "Shutting down service bridge tranfw"
    brctl delif tranfw eth0 || return=$rc_failed
    brctl delif tranfw eth1 || return=$rc_failed
    brctl delbr tranfw || return=$rc_failed
    echo -e "$return"
    [ "$return" = "$rc_done" ] || RETVAL=1
}

status() {
    ifconfig tranfw
    brctl show tranfw
}

restart() {
    $0 stop && $0 start || RETVAL=1
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    status)
        status
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        RETVAL=1
esac
exit $RETVAL

This way the bridge comes up at boot.

Next, we can configure iptables.

tar xjvf iptables-1.2.7.tar.bz2
cd ./iptables-1.2.7
make
make install

Installation is simple; the key is how to use it. Being lazy, I simply copied a script and adapted it, as shown below:

#!/bin/bash
# Flush all rules from the chains
iptables -F
# Delete all user-created chains (mainly the KEEP_STATE chain)
iptables -X

#############################################################
# Create the special chain KEEP_STATE
iptables -N KEEP_STATE
iptables -F KEEP_STATE
# Drop bad states
iptables -A KEEP_STATE -m state --state INVALID -j DROP
iptables -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

#############################################################
# Drop RST/ACKs to limit OS detection through pinging
# (--tcp-flags takes a mask and the flags that must be set within it;
#  the second argument was lost in the copy this page was taken from)
iptables -A FORWARD -p tcp --tcp-flags RST,ACK RST,ACK -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "RST/ACK:"
iptables -A FORWARD -p tcp --tcp-flags RST,ACK RST,ACK -j DROP

# Deny pings from outside: echo replies are only allowed toward the LAN
iptables -A FORWARD -p icmp --icmp-type 0/0 -d 192.168.9.0/24 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0/0 -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "Drop Echo Reply:"
iptables -A FORWARD -p icmp --icmp-type 0/0 -j DROP

# Drop potential SQL worm
iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 1433 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1433 -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "Possible SQL Worm:"
iptables -A FORWARD -p tcp --dport 1433 -j DROP

# Pass all packets to the KEEP_STATE chain
iptables -A FORWARD -j KEEP_STATE

######################################################################
# Set up UDP
# Outgoing traceroute
iptables -A FORWARD -p udp -s 192.168.9.0/24 --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Incoming traceroute (probes arriving from outside, so match on the destination)
iptables -A FORWARD -p udp -d 192.168.9.0/24 --sport 32769:65535 --dport 33434:33523 -j ACCEPT
# Time exceeded (ICMP type 11) and port unreachable (ICMP type 3) coming back to the LAN;
# the original had "-p udp --dport 11" / "--dport 3", which never matches these ICMP errors
iptables -A FORWARD -p icmp --icmp-type 11 -d 192.168.9.0/24 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 3 -d 192.168.9.0/24 -j ACCEPT
# DNS
iptables -A FORWARD -p udp -s 192.168.9.0/24 --dport 53 -j ACCEPT
# SNMP
iptables -A FORWARD -p udp -s 192.168.9.0/24 --dport 161 -j ACCEPT
# DHCP
iptables -A FORWARD -p udp -s 192.168.9.0/24 --sport 68 --dport 67 -j ACCEPT
# Time server
iptables -A FORWARD -p udp -s 192.168.9.0/24 --sport 1024:65535 --dport 123 -j ACCEPT

######################################################################
# Allow outward browsing
iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 80 -j ACCEPT
# Allow outward ssh
iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 22 -j ACCEPT
# Allow outward ftp
iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 21 -j ACCEPT
# Allow outward telnet
iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 23 -j ACCEPT
# Allow outward smtp
iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 25 -j ACCEPT
# Allow outward pop
iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 110 -j ACCEPT

### Block HTTP requests from outside that are not authorized
# (LOG must come before DROP: a packet that has been dropped never reaches a later rule)
iptables -A FORWARD -p tcp --dport 80 -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "Dropped HTTP:"
iptables -A FORWARD -p tcp --dport 80 -j DROP

# Allow telnet out
iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 23 -j ACCEPT

# Deny ports
# Telnet
iptables -A FORWARD -p tcp --dport 23 -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "Denied Telnet:"
iptables -A FORWARD -p tcp --dport 23 -j DROP

# Deny BO
iptables -A FORWARD -p udp --dport 31337 -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "Denied BO:"
iptables -A FORWARD -p udp --dport 31337 -j DROP

# Deny and log ftp on all others
# iptables -A FORWARD -p tcp -s 192.168.9.0/24 --dport 21 -j DROP
# iptables -A FORWARD -p tcp --dport 21 -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "Denied FTP:"

# Deny suspicious traffic
iptables -A FORWARD -p tcp --destination-port 1080 -j DROP
iptables -A FORWARD -p tcp --destination-port 8080 -j DROP
iptables -A FORWARD -p tcp --destination-port 8000 -j DROP
iptables -A FORWARD -p tcp --destination-port 8081 -j DROP

# Allow all outgoing traffic
# Transparent proxy: redirect the LAN's web traffic to squid on this box. The port must
# match http_port in squid.conf (8080 in the configuration below; the original copy said
# 3128). "-s 192.168.9.0/24" is added so only LAN clients are intercepted.
iptables -t nat -A PREROUTING -s 192.168.9.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A FORWARD -s 192.168.9.0/24 -j ACCEPT

# Drop all packets not accepted by the rules above
iptables -A FORWARD -j DROP

Put this in /etc/init.d as well so it runs at boot like the other services. The syntax of iptables is not detailed here; there are plenty of web pages about it.
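A ruleset copied from elsewhere is worth linting for rule order before it goes live: iptables walks a chain top to bottom, so a LOG rule placed after a DROP with the same match never fires and the "logging" silently does nothing. The following is an added example, not part of the original post or of the iptables project: a small awk-based checker that reads an iptables-save style dump (the sample below is constructed and mirrors the rule shapes of the script above, including one LOG-after-DROP mistake) and reports every rule whose match clause is identical to an earlier terminating rule in the same chain.

```shell
#!/bin/sh
# Constructed iptables-save style dump (not from the page; it reproduces the rule
# shapes used in the script above, including a LOG rule placed after its DROP).
SAMPLE_RULES='*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp --dport 80 -j DROP
-A FORWARD -p tcp --dport 80 -m limit --limit 5/minute -j LOG --log-prefix "Dropped HTTP:"
-A FORWARD -p tcp --dport 23 -m limit --limit 5/minute -j LOG --log-prefix "Denied Telnet:"
-A FORWARD -p tcp --dport 23 -j DROP
-A FORWARD -s 192.168.9.0/24 -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# shadowed_rules: read rules on stdin and print every rule whose match clause is
# identical (ignoring "-m limit --limit N") to an earlier terminating rule
# (ACCEPT/DROP/REJECT) in the same chain. Such a rule can never fire, which is the
# classic "LOG after DROP" mistake: the packet is gone before it is logged.
shadowed_rules() {
    awk '
    /^-A / {
        chain = $2
        match_part = $0
        sub(/ -j .*/, "", match_part)                      # drop the target and its options
        sub(/ -m limit --limit [^ ]+/, "", match_part)     # rate limiting does not change what matches
        sub(/^-A [^ ]+ ?/, "", match_part)                 # drop "-A CHAIN"
        key = chain ":" match_part
        target = $0
        sub(/.* -j /, "", target)
        sub(/ .*/, "", target)
        if (key in terminal)
            print "line " NR ": " $0 "  (shadowed by: " terminal[key] ")"
        else if (target == "ACCEPT" || target == "DROP" || target == "REJECT")
            terminal[key] = $0
    }'
}

# shadowed_count: number of unreachable rules found in the constructed sample.
shadowed_count() {
    printf '%s\n' "$SAMPLE_RULES" | shadowed_rules | grep -c 'shadowed by'
}

printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
```

On a live box feed it the real dump with `iptables-save | shadowed_rules`. The check is deliberately conservative: it only flags rules whose match text is exactly the same as an earlier terminating rule, so a broader earlier rule (for example `-s 192.168.9.0/24 -j ACCEPT` ahead of `-s 192.168.9.0/24 -p tcp --dport 23 -j DROP`) is not reported and still has to be reviewed by eye.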

The last step is the squid configuration, which deserves careful attention. The squid shipped with RH has problems and limited performance; I recommend uninstalling it, downloading the latest 2.5.STABLE1 from www.squid-cache.org and recompiling. Before compiling, prepare the following:

1. Edit /usr/include/bits/types.h and set __FD_SETSIZE to 32768.

2. ulimit -HSn 32768

Then compile squid in the source directory: ./configure, make all, make install.

Squid installs under /usr/local/squid by default; the squid executable is in the bin subdirectory of the installation directory and the configuration file is in the etc subdirectory.

The Squid configuration file is /usr/local/squid/etc/squid.conf. The following is my configuration:

http_port 8080
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir ufs /usr/local/squid/cache 10000 16 256
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
dns_nameservers 202.96.209.5
unlinkd_program /usr/local/squid/bin/unlinkd

acl acllist src 192.168.9.0/255.255.255.0
acl regular_days time MTWHF                       # weekdays; a time range such as h1:m1-h2:m2 may follow
acl movie urlpath_regex "/etc/squid/banned.list"  # write the filter keywords into this file
acl banned url_regex iij4u.or.jp                  # some control measures
acl cache_prevent1 url_regex cgi-bin \?
acl cache_prevent2 url_regex Servlet
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# http_access is first-match: the port-safety and manager rules must come before
# any "allow all", otherwise they are never evaluated.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access deny movie regular_days
http_access deny banned
http_access allow localhost
# acllist (the LAN) is defined above but unused; "http_access allow acllist" here
# instead of "allow all" restricts the proxy to the LAN.
http_access allow all
http_access deny all

no_cache deny cache_prevent1
no_cache deny cache_prevent2
icp_access allow all

client_lifetime 2 hours
half_closed_clients off
cache_effective_user squid
cache_effective_group squid     # squid needs read and write permission on the cache and log directories

# Accelerator (transparent) mode for the port-80 traffic redirected by iptables
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Add the line ulimit -HSn 32768 to the squid startup script in /etc/init.d.

With that in place, cache.log shows the following when squid starts:

09:30:53 | Starting Squid Cache version 2.5.STABLE1-20030303 for i686-pc-linux-gnu...

2003/03/05 09:30:53 | Process ID 12939

09:30:53 | With 32768 file descriptors available

Squid now has 32768 file descriptors (the default is 1024). With many users the default becomes a bottleneck and seriously slows squid down (it reports the error "running out of file descriptors"). I once asked about this on the board and nobody answered, so I had to work it out on my own.

Start squid: /usr/local/squid/bin/squid -D

Success! HTTP traffic to the internet now goes through squid without the users noticing, and the filtering works at the same time.
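Three artifacts have to agree for the transparent proxy to work: the REDIRECT port in the iptables script, http_port in squid.conf, and the descriptor count squid reports in cache.log. The following is an added example, not code from the page or from the squid project, that checks all three offline against constructed fragments (the fragments below are invented for the example; the port mismatch and the "allow all" placed before "deny !Safe_ports" are the two mistakes a copied configuration most easily carries).

```shell
#!/bin/sh
# Constructed fragments (invented for this example, not copied from the page) of the
# three artifacts that must agree for transparent proxying to work.
SQUID_CONF='http_port 8080
acl Safe_ports port 80
http_access allow all
http_access deny !Safe_ports
http_access deny all'
NAT_RULES='-A PREROUTING -s 192.168.9.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128'
CACHE_LOG='2003/03/05 09:30:53| Starting Squid Cache version 2.5.STABLE1 for i686-pc-linux-gnu...
2003/03/05 09:30:53| With 32768 file descriptors available'

# squid_port: the port squid listens on (http_port may be "port" or "host:port").
squid_port() {
    printf '%s\n' "$1" | awk '$1 == "http_port" { sub(/.*:/, "", $2); print $2; exit }'
}

# redirect_port: the port the REDIRECT rule sends intercepted traffic to.
redirect_port() {
    printf '%s\n' "$1" | sed -n 's/.*-j REDIRECT --to-ports \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# ports_agree: true when REDIRECT delivers to the port squid actually listens on.
ports_agree() {
    [ -n "$(squid_port "$1")" ] && [ "$(squid_port "$1")" = "$(redirect_port "$2")" ]
}

# dead_http_access: http_access is first-match, so every rule after an unconditional
# "allow all" / "deny all" is unreachable; print those rules.
dead_http_access() {
    printf '%s\n' "$1" | awk '
        $1 == "http_access" {
            if (closed) print "unreachable: " $0
            if (($2 == "allow" || $2 == "deny") && $3 == "all" && NF == 3) closed = 1
        }'
}

# squid_fds: the number of file descriptors squid reports at startup.
squid_fds() {
    printf '%s\n' "$1" | sed -n 's/.*With \([0-9][0-9]*\) file descriptors available.*/\1/p'
}

# fds_at_least: true when squid got at least the requested number of descriptors
# (a smaller value means the ulimit -HSn line is missing from the startup script).
fds_at_least() {
    fds=$(squid_fds "$1")
    [ -n "$fds" ] && [ "$fds" -ge "$2" ]
}

ports_agree "$SQUID_CONF" "$NAT_RULES" || echo "REDIRECT port and http_port differ"
dead_http_access "$SQUID_CONF"
fds_at_least "$CACHE_LOG" 32768 || echo "squid started with too few file descriptors"
```

On the real box the inputs are `cat /usr/local/squid/etc/squid.conf`, `iptables-save -t nat` and `/usr/local/squid/logs/cache.log`; the functions only look at the lines they need, so the full files can be passed in unchanged.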

So hard!