
squid+iptables实现网关防火墙代理服务器教程

需求说明:此服务器用作网关、MAIL(开启web、smtp、pop3)、FTP、DHCP服务器,内部一台机器(192.168.0.254)对外提供dns服务,为了不让无意者轻易看出此服务器开启了ssh服务器,故把ssh端口改为2018.另把proxy的端口改为60080

eth0:218.28.20.253,外网口

eth1:192.168.0.1/24,内网口

[jackylau@proxyserver init.d]$ cat /etc/squid/squid.conf(部份如下)
http_port 192.168.0.1:60080
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl allow_lan src 192.168.0.0/24
http_access allow allow_lan
visible_hostname proxyserver
[jackylau@proxyserver init.d]$ cat firewall
#!/bin/sh
# Author: jackylau
# chkconfig: 2345 08 92
# description: firewall
# Time on 2005.08.02
#
# Gateway firewall init script (start/stop).  The addresses and
# interface names below are the only site-specific settings; the
# rule-building functions read them as globals.

# Loopback
LO_IFACE='lo'
LO_IP='127.0.0.1'

# External, internet-facing side
INET_IFACE='eth0'
INET_IP='218.28.20.253'

# Internal LAN side
LAN_IFACE='eth1'
LAN_IP='192.168.0.1'
LAN_IP_RANGE='192.168.0.0/24'
LAN_BROADCAST_ADDRESS='192.168.0.255'

# Binary used for every rule
IPTABLES='/sbin/iptables'

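start(){
  # Bring the firewall up.  Order matters: the policies go to DROP and
  # forwarding stays off until the whole rule set is loaded, so a
  # (re)start never leaves a window with open policies and routing on.
  #
  # Globals (read): INET_IP INET_IFACE LAN_IP LAN_IP_RANGE
  #                 LAN_BROADCAST_ADDRESS LAN_IFACE LO_IFACE LO_IP IPTABLES
  #                 DNS_SERVER (optional) - LAN host that answers the
  #                 public DNS queries; defaults to 192.168.0.254, the
  #                 address hard-coded in the original DNAT rule
  # Outputs:        status text on stdout, /var/lock/subsys/firewall
  # Returns:        status of the last command; individual iptables
  #                 failures are not fatal (no set -e), as before
  echo -n $"Starting firewall:"

  /sbin/depmod -a
  /sbin/modprobe ip_tables
  /sbin/modprobe ip_conntrack
  # The FTP helper makes data connections (passive mode in particular)
  # show up as RELATED; without it only port 21 itself is reachable on
  # the FTP server.  ip_nat_ftp does the same for active-mode FTP from
  # LAN clients behind the SNAT below.
  /sbin/modprobe ip_conntrack_ftp
  /sbin/modprobe iptable_filter
  /sbin/modprobe iptable_mangle
  /sbin/modprobe iptable_nat
  /sbin/modprobe ip_nat_ftp
  /sbin/modprobe ipt_LOG
  /sbin/modprobe ipt_limit
  /sbin/modprobe ipt_state

  # Forwarding off and default-deny policies first (see header).
  echo "0" > /proc/sys/net/ipv4/ip_forward
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  # Start from empty tables so a second "start" does not fail on
  # "chain already exists" and duplicate every rule.
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -t mangle -X

  # User chains
  "$IPTABLES" -N bad_tcp_packets
  "$IPTABLES" -N tcp_packets
  "$IPTABLES" -N udp_packets
  "$IPTABLES" -N allowed
  "$IPTABLES" -N icmp_packets

  # bad_tcp_packets: a NEW connection whose first packet is not a SYN
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
    -j LOG --log-level INFO --log-prefix "New not syn:"
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

  # allowed: accept the handshake and the tracked remainder, drop the rest
  "$IPTABLES" -A allowed -p tcp --syn -j ACCEPT
  "$IPTABLES" -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A allowed -p tcp -j DROP

  "$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -d "$LAN_BROADCAST_ADDRESS" -j ACCEPT

  # TCP services offered on the external interface: ftp-data, ftp, smtp,
  # http, pop3 and the relocated ssh port.  Port 20 is kept for
  # compatibility with the original rule set; the conntrack helper above
  # is what actually carries the FTP data connections.  ssh on 2018 is
  # still reachable from any source - narrow "-s 0/0" to fixed management
  # addresses where they exist.
  for port in 20 21 25 80 110 2018; do
    "$IPTABLES" -A tcp_packets -p tcp -s 0/0 --dport "$port" -j allowed
  done

  # No UDP service is offered on the external interface; DHCP (udp/67)
  # is accepted on the LAN interface in the INPUT chain below.  The
  # empty chain is kept so INPUT dispatch and the logging fall-through
  # stay as they were.

  # ICMP: echo request and time exceeded (traceroute replies) only
  "$IPTABLES" -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
  "$IPTABLES" -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

  # INPUT chain
  "$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

  "$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
  # DHCP: a client without a lease sends from 0.0.0.0 to 255.255.255.255,
  # which matches neither the LAN_IP_RANGE rule above nor the LAN
  # broadcast rule, so accept the server port on the LAN interface
  # explicitly.  The old rule sat in udp_packets, a chain only reached
  # from $INET_IFACE, and therefore opened the DHCP server to the
  # internet instead.
  "$IPTABLES" -A INPUT -p udp -i "$LAN_IFACE" --dport 67 -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
  "$IPTABLES" -A INPUT -p udp -i "$INET_IFACE" -j udp_packets
  "$IPTABLES" -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
  "$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

  # FORWARD chain
  "$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

  "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Queries DNAT'ed to the LAN DNS host (nat rules below) arrive here as
  # NEW from the outside; without this accept the FORWARD policy drops
  # them and the published DNS service never answers.
  "$IPTABLES" -A FORWARD -p udp -d "${DNS_SERVER:-192.168.0.254}" --dport 53 -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp -d "${DNS_SERVER:-192.168.0.254}" --dport 53 -j ACCEPT
  "$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

  # OUTPUT chain
  "$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

  "$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT

  "$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

  # SNAT: the LAN leaves through the external address
  "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"

  # DNAT: public DNS queries for the external address go to the LAN DNS
  # host.  The original "-p ! icmp ... -dport 53" is not a valid rule
  # (--dport exists only for -p tcp / -p udp), so nothing was forwarded;
  # DNS uses both transports, hence one rule each.
  "$IPTABLES" -t nat -A PREROUTING -p udp -d "$INET_IP" --dport 53 \
    -j DNAT --to-destination "${DNS_SERVER:-192.168.0.254}:53"
  "$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 53 \
    -j DNAT --to-destination "${DNS_SERVER:-192.168.0.254}:53"

  # REDIRECT: transparent proxy for LAN web traffic (squid on 60080)
  "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp -s "$LAN_IP_RANGE" --dport 80 \
    -j REDIRECT --to-ports 60080

  # Rule set complete: now turn routing between the interfaces on.
  echo "1" > /proc/sys/net/ipv4/ip_forward
  touch /var/lock/subsys/firewall
}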

stop(){
echo?-n?$"Stoping?firewall:"
echo?"0">/proc/sys/net/ipv4/ip_forward
$IPTABLES?-P?INPUT?ACCEPT
$IPTABLES?-P?FORWARD?ACCEPT
$IPTABLES?-P?OUTPUT?ACCEPT
$IPTABLES?-t?nat?-P?PREROUTING?ACCEPT
$IPTABLES?-t?nat?-P?POSTROUTING?ACCEPT
$IPTABLES?-t?nat?-P?OUTPUT?ACCEPT
$IPTABLES?-t?mangle?-P?PREROUTING?ACCEPT
$IPTABLES?-t?mangle?-P?OUTPUT?ACCEPT
$IPTABLES?-F
$IPTABLES?-t?nat?-F
$IPTABLES?-t?mangle?-F
$IPTABLES?-X
$IPTABLES?-t?nat?-X
$IPTABLES?-t