Squid + iptables: create an Internet gateway

Source: Internet
Author: User
Tags: dns names squid proxy

System Environment:

RedHat 7.2

Squid (http://squid-cache.org/)

1. System settings:

Run: setup

Select the system services list.

By default both iptables and ipchains are selected. Deselect ipchains so that only iptables runs; the two packet-filter modules cannot be active in the kernel at the same time.

2. Install squid

We recommend installing it from the RedHat installation disc:

mount /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS/
rpm -ivh squid-2.4.2.STABLE2-8.i386.rpm

Start squid: /etc/rc.d/init.d/squid start

*** For an ordinary (non-transparent) proxy the packaged squid.conf normally needs little change beyond an http_access rule that admits your LAN; its default access list only allows localhost.

3. Change squid.conf for a transparent gateway with iptables

vi /etc/squid/squid.conf

Change the following lines (in Squid 2.4 these httpd_accel_* directives are what let squid accept intercepted port-80 connections, so LAN clients need no proxy settings in their browsers):

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Only port 80 is intercepted by the iptables rules below; HTTPS and everything else is NATed straight through, so squid's URL filtering does not apply to it.

4. iptables settings:

We recommend loading the iptables rules from the script below (the attachment of the original post). Save it as a file named iptables and run:

./iptables

Then execute:

service iptables save

This writes the rules the script loaded to /etc/sysconfig/iptables; the iptables init script reloads them automatically at the next boot.

If the script cannot be executed on your system, the file probably lacks the execute bit. Run chmod a+x iptables to make it executable. (Do not copy this file to /etc/rc.d/init.d: it would overwrite the system's iptables service script, which is what "service iptables save" relies on.)

#!/bin/sh
#
# Firewall and transparent-proxy rules for the gateway described above.
# Addresses and interface names are the post's placeholders; adjust them.
#
INET_IP="222.222.222.1"            # Internet IP address of the proxy server
INET_IFACE="eth0"                  # NIC of the proxy server facing the Internet
LAN_IP="192.168.100.4"             # internal address of the proxy server
LAN_IP_RANGE="192.168.100.0/24"    # address range of the LAN (the original had
                                   # /16, which also covers every other 192.168.x.x
                                   # network; /24 matches the DNAT rule below)
LAN_BCAST_ADRESS="192.168.100.255" # broadcast address of the LAN
LAN_IFACE="eth1"                   # NIC of the proxy server facing the LAN
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# IPTables Configuration.
#
IPTABLES="/sbin/iptables"

###########################################################################
#
# 2. Module loading.
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-Required modules (ip_conntrack_ftp is needed if LAN clients use
#     active-mode FTP through the gateway)
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#
# 3.1 Required proc configuration
#
# Set ip forward
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#
######
# 4.1 Filter table
#
# 4.1.1 Set policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 4.1.2 Create user-specified chains
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# 4.1.3 Create content in user-specified chains
#
# bad_tcp_packets chain: TCP packets that start a new connection without SYN
#
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules: services on the gateway itself that the Internet may reach.
# FTP (21) and SSH (22) are open to everyone here; limit them with
# "-s <admin address>" or remove the lines unless the gateway must offer them.
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
# Unneeded rules are commented out.
# Note: this chain only sees packets arriving on $INET_IFACE for the gateway
# itself (it is reached from INPUT, not FORWARD).  Matching on the sender's
# source port alone admits any UDP packet whose sender chose port 53 or 2074;
# replies to the gateway's own DNS queries are already let in by the
# ESTABLISHED,RELATED rule in INPUT, so the port 53 line can be dropped.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
# Prohibit customers from using OICQ (see also the port 8000 rule in 4.3.4;
# this one only affects packets addressed to the gateway, not forwarded ones)
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j DROP
#
# 4.1.4 INPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from the Internet.
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#
# 4.2.1 Set policies
#
# 4.2.2 Create user specified chains
#
# 4.2.3 Create content in user specified chains
#
# 4.2.4 PREROUTING chain
#
# Keep the LAN host with NIC MAC address 00:50:4c:3b:e6:fb off the Internet.
# (-I puts the rule first.  A MAC address is trivially changed by the user,
# so this is a convenience control, not a security boundary.)
$IPTABLES -t nat -I PREROUTING -m mac --mac-source 00:50:4c:3b:e6:fb -j DROP
#
# Send the customers' HTTP requests to port 3128 of squid (transparent proxy).
# The commented REDIRECT form is equivalent to the DNAT form used below.
#
#$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
$IPTABLES -t nat -A PREROUTING -s 192.168.100.0/24 -d 0/0 -p tcp --dport 80 -j DNAT --to 192.168.100.4:3128
#
# 4.2.5 POSTROUTING chain
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# 4.2.6 OUTPUT chain
#
######
# 4.3 mangle table
#
# 4.3.1 Set policies
#
# 4.3.2 Create user specified chains
#
# 4.3.3 Create content in user specified chains
#
# 4.3.4 PREROUTING chain
#
# Prohibit customers from reaching the OICQ server (UDP port 8000).  The
# original appended this rule to the nat table, which is consulted only for
# the first packet of a connection and is meant for address rewriting; a drop
# rule belongs in mangle (as here) or in the filter FORWARD chain.
$IPTABLES -t mangle -A PREROUTING -s 0/0 -d 0/0 -p udp --destination-port 8000 -j DROP
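Once the script has run and "service iptables save" has written /etc/sysconfig/iptables, that saved file is the thing to audit. The POSIX shell script below is an added example, not part of the original post or of the script above: it runs a few checks over an iptables-save style dump. The dump embedded in it is constructed from the rules of the script above (same placeholder addresses, interfaces and chain names) so it runs offline without iptables or root; on a real gateway feed it "$(cat /etc/sysconfig/iptables)" instead.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks on an iptables-save
# style dump (what "service iptables save" writes to /etc/sysconfig/iptables).
# The ruleset below is constructed from the script above so the checks run
# without iptables or root; addresses and interfaces are the post's placeholders.

RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:tcp_packets - [0:0]
:udpincoming_packets - [0:0]
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p udp -j udpincoming_packets
-A INPUT -i eth1 -s 192.168.100.0/24 -j ACCEPT
-A INPUT -d 222.222.222.1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A udpincoming_packets -p udp -m udp --sport 53 -j ACCEPT
-A udpincoming_packets -p udp -m udp --sport 2074 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.100.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.4:3128
-A POSTROUTING -o eth0 -j SNAT --to-source 222.222.222.1
COMMIT'

# Print the policy of a built-in chain in a table: policy_of "$RULESET" filter INPUT
policy_of() {
    printf '%s\n' "$1" | awk -v t="$2" -v c="$3" '
        /^\*/ { tbl = substr($0, 2) }
        tbl == t && $1 == (":" c) { print $2; exit }'
}

# Succeed only if every built-in filter chain defaults to DROP.
filter_defaults_to_drop() {
    for c in INPUT FORWARD OUTPUT; do
        [ "$(policy_of "$1" filter "$c")" = "DROP" ] || return 1
    done
    return 0
}

# Succeed if a nat PREROUTING rule sends port-80 traffic to squid on 3128
# (either -j DNAT --to-destination ...:3128 or -j REDIRECT --to-ports 3128).
has_transparent_redirect() {
    printf '%s\n' "$1" | awk '
        /^\*/ { tbl = substr($0, 2) }
        tbl == "nat" && /^-A PREROUTING / && /--dport 80 / &&
            (/-j DNAT .*:3128/ || /-j REDIRECT .*--to-ports 3128/) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Count filter ACCEPT rules whose only selector besides the protocol is the
# sender's source port.  Anyone on the Internet picks their own source port,
# so "--sport 53 -j ACCEPT" exposes every UDP service on the gateway to a
# packet that merely claims to come from a DNS server; replies to the gateway's
# own queries are already admitted by the ESTABLISHED,RELATED rule.
count_sport_only_accepts() {
    printf '%s\n' "$1" | awk '
        /^\*/ { tbl = substr($0, 2) }
        tbl == "filter" && /-j ACCEPT/ && /--sport / &&
            !/--dport / && !/ -s / && !/-m state/ { n++ }
        END { print n + 0 }'
}

# Succeed if packets leaving on the given interface are source-NATed; without
# that, LAN addresses would leak onto the Internet and replies never return.
has_outbound_snat() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^\*/ { tbl = substr($0, 2) }
        tbl == "nat" && /^-A POSTROUTING / && $0 ~ ("-o " ifc " ") &&
            (/-j SNAT / || /-j MASQUERADE/) { found = 1 }
        END { exit found ? 0 : 1 }'
}

report() {
    rs=$1
    filter_defaults_to_drop "$rs"  && echo "ok   filter chains default to DROP" \
                                   || echo "FAIL a filter chain does not default to DROP"
    has_transparent_redirect "$rs" && echo "ok   port 80 is redirected to squid on 3128" \
                                   || echo "FAIL no transparent redirect to port 3128"
    has_outbound_snat "$rs" eth0   && echo "ok   outbound traffic on eth0 is SNATed" \
                                   || echo "FAIL no SNAT/MASQUERADE on eth0"
    n=$(count_sport_only_accepts "$rs")
    [ "$n" -eq 0 ] && echo "ok   no source-port-only ACCEPT rules" \
                   || echo "WARN $n ACCEPT rule(s) match on source port alone"
}

report "$RULESET"
```

With the dump above the report flags the two source-port-only rules (53 and 2074) and passes the other three checks; the functions take the ruleset as their first argument, so the same checks can be run against any saved file or against "iptables-save" output on a live box.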

Linux
Registered Member
Reged: 11/11/02
Articles: 17

Re: Squid + iptables: create an Internet gateway [re: linux]
11/12/02 PM

# NETWORK OPTIONS
# -----------------------------------------------------------------------------
#http_port 3128
#icp_port 3130
#htcp_port 4827
#mcast_groups 239.128.16.128
#
#tcp_outgoing_address 0.0.0.0
#udp_incoming_address 0.0.0.0
#udp_outgoing_address 0.0.0.0
#cache_peer hostname type 3128 3130
#icp_query_timeout 0
#maximum_icp_query_timeout 2000
#mcast_icp_query_timeout 2000
#dead_peer_timeout 10 seconds
#hierarchy_stoplist cgi-bin ?
#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
cache_mem 16 MB
#cache_swap_low 90
#cache_swap_high 95
#maximum_object_size 4096 KB
#ipcache_size 1024
#ipcache_low 90
#ipcache_high 95
#  TAG: fqdncache_size (number of entries)
#       Maximum number of FQDN cache entries.
#fqdncache_size 1024
#
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
#cache_log /var/log/squid/cache.log
#
#cache_store_log /var/log/squid/store.log
#
#cache_swap_log
#emulate_httpd_log off
#mime_table /etc/squid/mime.conf
#log_mime_hdrs off
#useragent_log none
#pid_filename /var/run/squid.pid
#debug_options ALL,1
#log_fqdn off
#client_netmask 255.255.255.255
#ftp_user Squid@
#ftp_list_width 32
#ftp_passive on
#cache_dns_program /usr/lib/squid/dnsserver
#dns_children 5
#dns_defnames off
#dns_nameservers none
#unlinkd_program /usr/lib/squid/unlinkd
#pinger_program /usr/lib/squid/pinger
#redirect_program none
#redirect_children 5
#redirect_rewrites_host_header on
#authenticate_children 5
#authenticate_ttl 3600
#authenticate_ip_ttl 0
#wais_relay_host localhost
#wais_relay_port 8000
#request_header_max_size 10 KB
#
#request_body_max_size 1 MB
#reply_body_max_size 0
#Default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
#replacement_policy LFUDA
#
#reference_age 1 year
#quick_abort_min 16 KB
#quick_abort_max 16 KB
#quick_abort_pct 95
#negative_ttl 5 minutes
#positive_dns_ttl 6 hours
#negative_dns_ttl 5 minutes
#range_offset_limit 0 KB
#connect_timeout 120 seconds
#peer_connect_timeout 30 seconds
#siteselect_timeout 4 seconds
#read_timeout 15 minutes
#request_timeout 30 seconds
#client_lifetime 1 day
#half_closed_clients on
#pconn_timeout 120 seconds
#ident_timeout 10 seconds
#shutdown_lifetime 30 seconds
# ACCESS CONTROLS
# -----------------------------------------------------------------------------
#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#
#Defaults:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl chat url_regex -i chat sex oicq
http_access deny chat
# Prohibit access to URLs containing the words chat, sex or oicq
#  TAG: http_access
#Default configuration:
#http_access allow manager localhost
#http_access deny manager
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# NOTE: no "acl lan src ..." is defined anywhere in this file; squid refuses
# to start when an http_access line names an undefined ACL, so define the LAN
# range before this line.  The stock deny rules above (manager, !Safe_ports,
# CONNECT !SSL_ports) are commented out and nothing closes the list with
# "http_access deny all".
http_access allow lan
#  TAG: icp_access
#       Reply to all ICP queries we receive
#
icp_access allow all
miss_access allow all
#proxy_auth_realm Squid proxy-caching web server
#ident_lookup_access deny all
#
cache_mgr master@cctk.net
cache_effective_user squid
cache_effective_group squid
#visible_hostname www-cache.foo.org
#unique_hostname www-cache1.foo.org
#  TAG: hostname_aliases
#       A list of other DNS names that your cache has.
#announce_period 1 day
#announce_host tracker.ircache.net
#announce_port 3131
# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------
httpd_accel_host 192.168.10.20
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
#dns_testnames netscape.com internic.net nlanr.net microsoft.com
#logfile_rotate 0
#append_domain .yourdomain.com
#tcp_recv_bufsize 0 bytes
#err_html_text
#memory_pools on
#forwarded_for on
#log_icp_queries on
#icp_hit_stale off
#minimum_direct_hops 4
#cachemgr_passwd secret shutdown
#cachemgr_passwd lesssssssecret info stats/objects
#cachemgr_passwd disable all
#store_avg_object_size 13 KB
#store_objects_per_bucket 50
#client_db on
#
#netdb_low 900
#netdb_high 1000
#netdb_ping_period 5 minutes
#query_icmp off
#test_reachability off
#buffered_logs off
#reload_into_ims off
#anonymize_headers
#fake_user_agent none
#error_directory /etc/squid/errors
#minimum_retry_timeout 5 seconds
#maximum_single_addr_tries 3
#snmp_port 3401
#Example:
#snmp_access allow snmppublic localhost
#snmp_access deny all
#snmp_incoming_address 0.0.0.0
#snmp_outgoing_address 0.0.0.0
#wccp_router 0.0.0.0
#wccp_version 4
#wccp_incoming_address 0.0.0.0
#wccp_outgoing_address 0.0.0.0
#delay_pools 0
#delay_pools 2          # 2 delay pools
#delay_class 1 2        # pool 1 is a class 2 pool
#delay_class 2 3        # pool 2 is a class 3 pool
#
#
#delay_access 1 allow some_big_clients
#delay_access 1 deny all
#delay_access 2 allow lotsa_little_clients
#delay_access 2 deny all
#delay_parameters 1 -1/-1 8000/8000
#delay_parameters 2 32000/32000 8000/8000 600/64000
#delay_initial_bucket_level 50
#incoming_icp_average 6
#incoming_http_average 4
#min_icp_poll_cnt 8
#min_http_poll_cnt 8
#uri_whitespace strip
#acl buggy_server url_regex ^http://....
#broken_posts allow buggy_server
# ... understand what you are doing.
#prefer_direct on
#ignore_unknown_nameservers on
#digest_generation on
#digest_bits_per_entry 5
#digest_rewrite_period 1 hour
#digest_swapout_chunk_size 4096 bytes
#digest_rebuild_chunk_percentage 10
#client_persistent_connections on
#server_persistent_connections on
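The posted file refers to an ACL named lan in "http_access allow lan" without ever defining it, and its http_access list does not end in a catch-all. The POSIX shell script below is an added example (my code, not the poster's configuration) that checks both points on any squid.conf: it lists ACL names that http_access lines reference but no "acl NAME ..." line defines, which squid rejects at start-up, and reports the verb of the last http_access rule, because squid gives requests that match no rule the opposite of that verb. The config embedded in it is a constructed excerpt of the post's ACL lines; on a real box pass "$(cat /etc/squid/squid.conf)" instead.

```shell
#!/bin/sh
# Added example, not part of the posted configuration: a small lint for the
# http_access section of a squid.conf.  The excerpt below is constructed from
# the ACL lines of the post above (comments included, as they are ignored).

SQUID_CONF='acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl chat url_regex -i chat sex oicq
http_access deny chat
#http_access allow manager localhost
#http_access deny manager
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow lan'

# Strip comments and blank lines; every other function works on this output.
active_lines() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -v '^[[:space:]]*$'
}

# ACL names referenced by http_access lines, one per line, "!" negation
# removed, duplicates dropped.
referenced_acls() {
    active_lines "$1" | awk '$1 == "http_access" {
        for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); print n } }' | sort -u
}

# Names defined with "acl NAME type ...", duplicates dropped.
defined_acls() {
    active_lines "$1" | awk '$1 == "acl" { print $2 }' | sort -u
}

# Referenced-but-undefined names; squid aborts on these with
# "FATAL: ACL name 'NAME' not defined".
undefined_acls() {
    conf=$1
    for name in $(referenced_acls "$conf"); do
        defined_acls "$conf" | grep -qxF -- "$name" || echo "$name"
    done
}

# Verb and first ACL of the last http_access line, e.g. "allow lan".
# Requests that match no rule get the opposite of this verb, so an explicit
# "http_access deny all" as the last line makes the default unambiguous.
last_http_access() {
    active_lines "$1" | awk '$1 == "http_access" { last = $2 " " $3 } END { print last }'
}

# Succeed when the list ends in "deny all".
ends_with_deny_all() {
    [ "$(last_http_access "$1")" = "deny all" ]
}

report() {
    missing=$(undefined_acls "$1")
    if [ -n "$missing" ]; then
        echo "FAIL undefined ACL name(s) referenced by http_access: $missing"
    else
        echo "ok   every ACL referenced by http_access is defined"
    fi
    if ends_with_deny_all "$1"; then
        echo "ok   http_access ends with 'deny all'"
    else
        echo "WARN last http_access rule is '$(last_http_access "$1")'; unmatched requests get the opposite verb"
    fi
}

report "$SQUID_CONF"
```

On the excerpt above the report names lan as undefined and warns that the list ends in "allow lan"; adding an "acl lan src <your LAN range>" line and a final "http_access deny all" clears both findings.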
