squid+iptables网关防火墙的实现


利用squid+iptables实现网关防火墙是非常容易的,跟着我一步一步走,就能学会!

  需求说明:此服务器用作网关、MAIL(开启web、smtp、pop3)、FTP、DHCP服务器,内部一台机器(192.168.0.254)对外提供dns服务(由网关做DNAT转发)。为了减少自动扫描带来的噪音,把ssh端口改为2018——注意这只是"隐蔽",端口扫描仍能发现该服务,真正的防护仍要依靠sshd本身的配置(密钥认证、禁止root直接登录等)。另把proxy的端口改为60080,且只监听内网地址。

squid+iptables网关防火墙的实现

  eth0:218.28.20.253,外网口

  eth1:192.168.0.1/24,内网口

  [jackylau@proxyserver init.d]$ cat /etc/squid/squid.conf    (部分如下)

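  # Squid listens only on the LAN address.  The firewall script REDIRECTs
  # LAN port-80 traffic to this port; nothing binds on the Internet side.
  http_port 192.168.0.1:60080

  # Transparent ("accelerator") mode so redirected browser traffic works.
  # NOTE(review): httpd_accel_* is the Squid 2.5-era syntax; later releases
  # replace it with an option on http_port -- check the installed version.
  httpd_accel_port 80
  httpd_accel_host virtual
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

  # Only LAN clients may use the proxy.  The explicit "deny all" closes the
  # list: without it squid applies the opposite of the *last* rule to
  # unmatched requests, which silently flips to allow-all the day someone
  # appends a deny rule at the end.
  acl allow_lan src 192.168.0.0/24
  http_access allow allow_lan
  http_access deny all

  visible_hostname proxyserver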

  [jackylau@proxyserver init.d]$ cat firewall

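  #!/bin/sh
  # Author: jackylau
  # chkconfig: 2345 08 92
  # description: firewall
  # Time on 2005.08.02
  #
  # squid+iptables gateway firewall.  eth0 faces the Internet, eth1 the
  # LAN.  Usage: firewall {start|stop|restart|status}
  #
  # The chkconfig header is "runlevels start-priority stop-priority".  The
  # original had the three fields run together ("23450892"), which
  # chkconfig does not parse, so the service was never registered properly.

  # Set ENV -- addresses and interfaces; edit here when re-addressing.
  INET_IP="218.28.20.253"           # public address on the Internet side
  INET_IFACE="eth0"
  LAN_IP="192.168.0.1"              # this host's address on the LAN
  LAN_IP_RANGE="192.168.0.0/24"
  LAN_BROADCAST_ADDRESS="192.168.0.255"
  LAN_IFACE="eth1"
  LO_IFACE="lo"
  LO_IP="127.0.0.1"
  IPTABLES="/sbin/iptables"
  # Nothing below reassigns these; make accidental clobbering an error.
  readonly INET_IP INET_IFACE LAN_IP LAN_IP_RANGE LAN_BROADCAST_ADDRESS \
    LAN_IFACE LO_IFACE LO_IP IPTABLES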

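  #######################################
  # Build the complete rule set from scratch.
  # Globals: INET_IP INET_IFACE LAN_IP LAN_IP_RANGE LAN_BROADCAST_ADDRESS
  #          LAN_IFACE LO_IFACE LO_IP IPTABLES (read)
  # Outputs: progress text to stdout; rules into the kernel
  #######################################
  start(){
    printf '%s' "Starting firewall:"

    # Load the netfilter tables and matches used below.  On kernels that
    # have them built in these modprobes are no-ops.
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    # NOTE(review): ip_conntrack_ftp is not loaded, so passive-mode FTP data
    # connections to this server are not tracked as RELATED and the
    # "allowed" chain will drop them -- confirm whether passive FTP is needed.

    # Start from a clean slate: a second "start" (or a start after a crash
    # that left the lock file behind) must neither fail on
    # "Chain already exists" nor stack duplicate rules on the old ones.
    for table in filter nat mangle; do
      "$IPTABLES" -t "$table" -F
      "$IPTABLES" -t "$table" -X
    done

    # Default-deny policies first, forwarding on last, so there is no
    # window in which the box routes or accepts with a half-built rule set.
    # (The original enabled ip_forward before setting the policies.)
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -P FORWARD DROP
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Internal host that serves DNS to the Internet via the DNAT below.
    dns_server="192.168.0.254"

    # User-defined chains.
    "$IPTABLES" -N bad_tcp_packets
    "$IPTABLES" -N tcp_packets
    "$IPTABLES" -N udp_packets
    "$IPTABLES" -N allowed
    "$IPTABLES" -N icmp_packets

    # bad_tcp_packets: a NEW TCP connection must begin with a SYN; anything
    # else is a stray, a scan or a spoofed segment.  Logged, then dropped.
    "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
      -j LOG --log-level INFO --log-prefix "New not syn:"
    "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

    # allowed: accept the opening SYN and packets of tracked connections,
    # drop every other TCP segment.
    "$IPTABLES" -A allowed -p tcp --syn -j ACCEPT
    "$IPTABLES" -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A allowed -p tcp -j DROP

    # tcp_packets: services published on the Internet interface.
    #   20/21 ftp, 25 smtp, 80 http, 110 pop3, 2018 sshd (moved off 22 --
    #   that only cuts scanner noise; a port scan still finds it).
    for port in 20 21 25 80 110 2018; do
      "$IPTABLES" -A tcp_packets -p tcp --dport "$port" -j allowed
    done

    # udp_packets: this chain only sees traffic arriving on the Internet
    # interface, so this rule exposes the DHCP server to the Internet; LAN
    # clients are already covered by the blanket LAN accept in INPUT.
    # NOTE(review): the stated requirement is DHCP for the internal network
    # only -- consider deleting this rule.
    "$IPTABLES" -A udp_packets -p udp --dport 67 -j ACCEPT

    # icmp_packets: echo-request (8) and time-exceeded (11) only.
    "$IPTABLES" -A icmp_packets -p icmp --icmp-type 8 -j ACCEPT
    "$IPTABLES" -A icmp_packets -p icmp --icmp-type 11 -j ACCEPT

    # INPUT chain -- traffic addressed to this host.
    "$IPTABLES" -A INPUT -p all -i "$LAN_IFACE" -d "$LAN_BROADCAST_ADDRESS" -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets
    # Anti-spoofing: a LAN source address can never legitimately arrive on
    # the Internet interface, and tcp_packets accepts from any source.
    "$IPTABLES" -A INPUT -i "$INET_IFACE" -s "$LAN_IP_RANGE" -j DROP
    "$IPTABLES" -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    "$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
    "$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
    "$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
    "$IPTABLES" -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
    "$IPTABLES" -A INPUT -p udp -i "$INET_IFACE" -j udp_packets
    "$IPTABLES" -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
    # Rate-limited log of what the DROP policy is about to discard.
    "$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 \
      -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

    # FORWARD chain -- traffic routed between eth0 and eth1.
    "$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets
    # LAN hosts may go anywhere, but only with a LAN source address.
    "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    # The DNS DNAT below rewrites the destination in PREROUTING, so those
    # queries then cross FORWARD as NEW connections from the Internet.  The
    # LAN rule and the ESTABLISHED,RELATED rule do not match them; without
    # these two accepts the DNAT is dead on arrival.
    "$IPTABLES" -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp \
      -d "$dns_server" --dport 53 -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p udp \
      -d "$dns_server" --dport 53 -j ACCEPT
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
      -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

    # OUTPUT chain -- traffic originating on this host.
    "$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets
    "$IPTABLES" -A OUTPUT -p all -s "$LO_IP" -j ACCEPT
    "$IPTABLES" -A OUTPUT -p all -s "$LAN_IP" -j ACCEPT
    "$IPTABLES" -A OUTPUT -p all -s "$INET_IP" -j ACCEPT
    "$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
      -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

    # SNAT: LAN traffic leaving on the Internet interface gets the public
    # address.  Restricted to LAN sources so nothing else is rewritten.
    "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$INET_IFACE" \
      -j SNAT --to-source "$INET_IP"

    # DNAT: publish the internal DNS server on the public address.  One
    # rule per protocol -- "--dport" needs "-p tcp" or "-p udp", and the
    # original single rule ("-p ! icmp ... -dport 53", single dash) does not
    # parse, so no DNAT was ever installed.
    "$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 53 \
      -j DNAT --to-destination "$dns_server:53"
    "$IPTABLES" -t nat -A PREROUTING -p udp -d "$INET_IP" --dport 53 \
      -j DNAT --to-destination "$dns_server:53"

    # Transparent proxy: LAN web traffic is redirected to squid on 60080.
    # REDIRECT rewrites the destination to this host's eth1 address, which
    # is where squid.conf's http_port listens.
    "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp -s "$LAN_IP_RANGE" \
      --dport 80 -j REDIRECT --to-ports 60080

    touch /var/lock/subsys/firewall
  }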

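  #######################################
  # Tear the firewall down to a fully OPEN state: every policy becomes
  # ACCEPT and every rule and user chain is removed.  Forwarding is
  # switched off first so the box does not route for the LAN while
  # unfiltered.  Do not leave the service stopped on a live link.
  # Globals: IPTABLES (read)
  #######################################
  stop(){
    printf '%s' "Stoping firewall:"
    # "echo 0 >; ..." in the original was a mangled redirect that failed.
    echo "0" > /proc/sys/net/ipv4/ip_forward
    for chain in INPUT FORWARD OUTPUT; do
      "$IPTABLES" -P "$chain" ACCEPT
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
      "$IPTABLES" -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING OUTPUT; do
      "$IPTABLES" -t mangle -P "$chain" ACCEPT
    done
    # Flush rules, then delete the now-empty user chains, per table.
    for table in filter nat mangle; do
      "$IPTABLES" -t "$table" -F
      "$IPTABLES" -t "$table" -X
    done
    rm -f /var/lock/subsys/firewall
  }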

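  #######################################
  # Print the live rule set.  -n suppresses reverse DNS lookups, which are
  # slow and hang when the resolver is unreachable (the usual situation
  # while debugging a firewall); -v adds interfaces and packet counters.
  # Globals: IPTABLES (read)
  #######################################
  status(){
    clear
    echo "-------------------------------------------------------------------"
    "$IPTABLES" -L -n -v
    echo "-------------------------------------------------------------------"
    "$IPTABLES" -t nat -L POSTROUTING -n -v
    echo "-------------------------------------------------------------------"
    "$IPTABLES" -t nat -L PREROUTING -n -v
  }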

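  # Dispatch.  "status" was advertised in the usage line but had no arm,
  # so "firewall status" fell through to the usage message; and an
  # unknown argument must not exit 0 (init tooling treats that as success).
  case "$1" in
    start)
      start
      ;;
    stop)
      stop
      ;;
    restart)
      stop
      start
      ;;
    status)
      status
      ;;
    *)
      echo "$0 [start|stop|restart|status]" >&2
      exit 1
      ;;
  esac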

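  # Install as a SysV service (run as root).  Mode 0700 keeps the script --
  # which documents every open port -- readable only by root.
  # "chkconfig --add" reads the "# chkconfig:" header line for run levels
  # and priorities, so that header must be well-formed.
  install -m 700 -o root -g root firewall /etc/init.d/firewall
  chkconfig --add firewall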

原文链接:https://77isp.com/post/8313.html
