Tags: iptables, squid, auto-install script; a network proxy with basic internet-access behaviour management
```bash
# This section configures iptables and squid, and reads its rules from files so they are easy to manage.
# It continues the previous script; adapt parts of it to your own requirements.

# stop the squid service
systemctl enable squid &> /dev/null
systemctl stop squid

# write the squid config file
squid_conf_file=/etc/squid/squid.conf
mv $squid_conf_file $squid_conf_file.bk
# quoted delimiter: nothing in the config is meant to be expanded by the shell
cat > $squid_conf_file << 'EOF'
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#visible_hostname
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl allow_all src "/etc/squid/rules/allow_all.squid"
http_access allow allow_all
acl files urlpath_regex -i \.mp3$ \.avi$ \.exe$ \.rar$ \.zip$ \.mp4$ \.7z$ \.rm$ \.rmvb$ \.qsv$ \.mov$ \.msi$ \.wav$ \.torrent$ \.cab$ \.com$ \.bat$ \.gz$ \.bz2$ \.sys$ \.swf$
http_access deny files
acl only_web src "/etc/squid/rules/allow_only_web.squid"
http_access allow only_web
http_access allow localhost
http_access deny all
#http_port 3128 transparent
http_port 3129
cache_dir aufs /var/spool/squid 10240 16 256
cache_mem 1024 MB
maximum_object_size 8 MB
minimum_object_size 0 kB
maximum_object_size_in_memory 4096 kB
acl nocache urlpath_regex -i \.asp$ \.jsp$
no_cache deny nocache
acl nogov urlpath_regex -i \.gov\.cn
no_cache deny nogov
ipcache_size 65535
fqdncache_size 65535
coredump_dir /var/spool/squid
cache_log /var/log/squid/cache.log
access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_store_log none
logfile_rotate 7
cache_swap_low 85
cache_swap_high 95
error_directory /usr/share/squid/errors/zh-cn
cache_mgr [email protected]
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(jpg|jpeg|gif|png|xml|html|htm|css|js|ico) 1440 90% 2880
refresh_pattern -i \.(mp3|mp4|swf|rar|zip) 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
EOF
# fill in the placeholders with the variables set by the previous script
sed -i 's/#visible_hostname/visible_hostname '${host_name}'/g' ${squid_conf_file}
sed -i 's/#http_port 3128 transparent/http_port '${lan_ip}':3128 transparent/g' ${squid_conf_file}

# configure iptables
# Copy the block below into its own file and rewrite the variables; it becomes the day-to-day access-control script.
# Define the management script's policy according to your own requirements.
#-------copy begin---------
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/ip_forward
read -p "input manager host ip address : " manager_ip # defined when the script is first run; the management script does not need this
#------management script: set these variables yourself-------
#lan=
#lan_ip=
#lan_dns1=
#lan_dns2=
#lan_net=
#manager_ip=
#wan=
#wan_ip=
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d ${lan_ip} -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s ${manager_ip} -i ${lan} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
AICMP="0 3 3/4 4 11 12 18"
for TYICMP in ${AICMP} ; do
    iptables -A INPUT -i ${lan} -p icmp --icmp-type ${TYICMP} -j ACCEPT
done
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j DROP
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s ${wan_ip} -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s ${lan_dns1} -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s ${lan_dns2} -p udp --dport 53 -j ACCEPT
# redirect and SNAT
iptables -t nat -A PREROUTING -i ${lan} -p tcp --dport 80 -j REDIRECT --to-ports 3128
read -p "input super subnet! e.g. 192.168.0.0/22 " lan_sup_subnet
iptables -t nat -A POSTROUTING -s ${lan_sup_subnet} -o ${wan} -j SNAT --to-source ${wan_ip}
# Custom rules. The default policy is deny; port 80 is governed by squid, so no rule is needed for it.
# Firewall rules are built by reading rule files kept in /usr/local/iptables.
# Each rule-file line starts with an IP, then a space, then a memo name, i.e.: "IP address  user"
# example: allow all ports through.
if [ ! -d /usr/local/iptables ] ; then
    mkdir /usr/local/iptables
fi
if [ ! -d /etc/squid/rules ] ; then
    mkdir /etc/squid/rules
fi
echo "#allow all ports through" > /usr/local/iptables/allow_all.rule # the management script keeps its own rule file; it does not need this line
echo "$manager_ip it" >> /usr/local/iptables/allow_all.rule # add the IT host
ALLOW_ALL_RULE=`grep -v "#" /usr/local/iptables/allow_all.rule | awk '{print $1}'`
for ALLOW_ALL in ${ALLOW_ALL_RULE} ; do
    iptables -A FORWARD -s ${ALLOW_ALL} -o ${wan} -j ACCEPT
done
# sync the squid rules file (squid skips lines starting with '#', so the memo line is written as a comment)
echo "# unrestricted users" > /etc/squid/rules/allow_all.squid
printf '%s\n' ${ALLOW_ALL_RULE} >> /etc/squid/rules/allow_all.squid
# example: allow only 443 and 80, but block the keyword "mail" (e.g. to block QQ Mail), while still allowing "mail" in traffic coming from the server's port 8000.
echo "#allow only ports 443 and 80; block the keyword mail, except from server port 8000" >> /usr/local/iptables/allow_only_web.rule # the management script does not need this line
echo "$manager_ip it" >> /usr/local/iptables/allow_only_web.rule
ALLOW_ONLY_WEB_RULE=`grep -v "#" /usr/local/iptables/allow_only_web.rule | awk '{print $1}'`
for ALLOW_ONLY_WEB in ${ALLOW_ONLY_WEB_RULE} ; do
    # restricted to 80/443 to match the comment above (the original rule accepted every port)
    iptables -A FORWARD -s ${ALLOW_ONLY_WEB} -o ${wan} -p tcp -m multiport --dports 80,443 -j ACCEPT
    # inserted at the top of FORWARD so it is evaluated before the ESTABLISHED accept rule
    iptables -I FORWARD -d ${ALLOW_ONLY_WEB} -i ${wan} -m string --algo bm --from 40 --to 450 --hex-string "mail" -p tcp ! --sport 8000 -j DROP
done
# sync the squid rules file
echo "# allow 443 and 80, but block the mail keyword" > /etc/squid/rules/allow_only_web.squid
printf '%s\n' ${ALLOW_ONLY_WEB_RULE} >> /etc/squid/rules/allow_only_web.squid
# initialise squid
sleep 1
squid -z # not needed in the management script
sleep 1
systemctl restart squid.service
sleep 5
/sbin/squid -k reconfigure
#--------copy end -------------
# For day-to-day management, just edit the rule files in /usr/local/iptables and re-run the management script.
# When you add a new class of rule, add the corresponding entries to both the management script and the squid config.
# Autostart unit (uncomment to use):
#cat > /usr/lib/systemd/system/ipt.rule.service << EOF
#[Unit]
#Description=iptables and squid manage script
#After=syslog.target network.target nss-lookup.target
#[Service]
#Type=oneshot
#ExecStart=/usr/local/iptables/ipt.rule.sh
#[Install]
#WantedBy=multi-user.target
#EOF
#systemctl enable ipt.rule.service
```
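The script above feeds whatever is in the rule files straight into iptables and squid: one mistyped octet becomes a failed iptables call, and a non-IP line in the squid ACL file makes the reload fail. The helper below is an added example (not part of the original script) that validates the "IP-or-CIDR  user" rule format before generating the FORWARD commands and the squid `src` ACL file; the rule file path, the WAN interface name and the sample addresses are constructed for the demo.

```shell
#!/bin/sh
# Added helper for the rule-file format used above. Assumes POSIX sh + awk only.

# rule_ips FILE: print one validated IPv4 address or IPv4/CIDR per line.
# '#' lines and blank lines are skipped; malformed entries are reported on
# stderr and dropped, so a typo never reaches iptables or the squid reload.
rule_ips() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            split($1, p, "/")
            n = split(p[1], o, ".")
            ok = (n == 4)
            for (i = 1; i <= n && ok; i++)
                ok = (o[i] ~ /^[0-9]+$/ && o[i] + 0 <= 255)
            if (ok && p[2] != "") ok = (p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32)
            if (ok) print $1
            else    print FILENAME ":" NR ": invalid entry: " $0 > "/dev/stderr"
        }' "$1"
}

# forward_cmds FILE WAN_IF: print the iptables command for each valid entry
# (dry run). Pipe into sh to apply; the original script runs them directly.
forward_cmds() {
    for ip in $(rule_ips "$1"); do
        echo "iptables -A FORWARD -s $ip -o $2 -j ACCEPT"
    done
}

# squid_acl FILE OUT: write the squid "src" ACL file; squid ignores '#' lines.
squid_acl() {
    {
        echo "# generated from $1, one IP/CIDR per line"
        rule_ips "$1"
    } > "$2"
}

# Constructed sample rule file (hypothetical addresses) showing the check at work.
demo_dir=$(mktemp -d)
cat > "$demo_dir/allow_all.rule" << 'EOF'
#allow all ports through
192.168.1.10 it
10.0.0.0/24 office
192.168.1.300 typo-octet
EOF
forward_cmds "$demo_dir/allow_all.rule" eth0
squid_acl "$demo_dir/allow_all.rule" "$demo_dir/allow_all.squid"
```

Running the demo prints two iptables commands and reports the third line as invalid on stderr; the same check can be dropped in front of each `for` loop in the management script.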
This article is from the "執著" blog; please keep this attribution: http://charhai.blog.51cto.com/440887/1879853
Auto-install script for a squid + iptables internet proxy with internet-access behaviour management (part 2).