squid+iptables網(wǎng)關(guān)防火墻的實(shí)現(xiàn)
利用squid+iptables實(shí)現(xiàn)網(wǎng)關(guān)防火墻是非常容易的,跟著我一步一步走,就能學(xué)會(huì)!
需求說(shuō)明:此服務(wù)器用作網(wǎng)關(guān)、MAIL(開(kāi)啟web、smtp、pop3)、FTP、DHCP服務(wù)器,內(nèi)部一臺(tái)機(jī)器(192.168.0.254)對(duì)外提供dns服務(wù),為了不讓無(wú)意者輕易看出此服務(wù)器開(kāi)啟了ssh服務(wù)器,故把ssh端口改為2018.另把proxy的端口改為60080
eth0:218.28.20.253,外網(wǎng)口
eth1:192.168.0.1/24,內(nèi)網(wǎng)口
[jackylau@proxyserver init.d]$cat /etc/squid/squid.conf(部份如下)
http_port 192.168.0.1:60080
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl allow_lan src 192.168.0.0/24
http_access allow allow_lan
visible_hostname proxyserver
[jackylau@proxyserver init.d]$ cat firewall
- #!/bin/sh
- # Author: jackylau ;
- # chkconfig: 2345 08 92
- # description: firewall
- # Time on 2005.08.02
- # killproc
- # Set ENV
INET_IP="218.28.20.253"
INET_IFACE="eth0"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_BROADCAST_ADDRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
start(){
echo -n $"Starting firewall:"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
echo "1" >; /proc/sys/net/ipv4/ip_forward
# Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Add bad_tcp_packets, allowed and icmp_packets
$IPTABLES -N bad_tcp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
# bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-level INFO --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP
# allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT
# TCP rules
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2018 -j allowed
# UDP rules
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 67 -j ACCEPT
# ICMP rules
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# INPUT chain
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
# FORWARD chain
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
# OUTPUT chain
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# SNAT table
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
# DNAT table
$IPTABLES -t nat -A PREROUTING -p ! icmp -d $INET_IP -dport 53 -j DNAT --to-destination 192.168.0.254:53
# REDIRECT
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -s $LAN_IP_RANGE --dport 80 -j REDIRECT --to-ports 60080
touch /var/lock/subsys/firewall
}
stop(){
echo -n $"Stoping firewall:"
echo "0">;/proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
rm -f /var/lock/subsys/firewall
}
status(){
clear
echo "-------------------------------------------------------------------"
$IPTABLES -L
echo "-------------------------------------------------------------------"
$IPTABLES -t nat -L POSTROUTING
echo "-------------------------------------------------------------------"
$IPTABLES -t nat -L PREROUTING
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "$0 [start|stop|restart|status]"
;;
esac
cp firewall /etc/init.d/
chmod 700 /etc/init.d/firewall
chkconfig --add firewall
通過(guò)文章的介紹和代碼的分析,我們對(duì)用squid和iptables來(lái)實(shí)現(xiàn)網(wǎng)關(guān)防火墻的功能有了一定的掌握,學(xué)會(huì)的朋友快跟朋友分享吧!
【編輯推薦】
