
Re: help with a transparent proxy using squid



2009/1/4 Roberto Macchetta <roby.programmer@fastwebnet.it>:
> hi
> I modified the script the way you told me:
>
> #!/bin/sh
> # NAT gateway + transparent Squid proxy firewall
>
> # squid server IP
> SQUID_SERVER="192.168.0.1"
>
> # Interface connected to Internet
> INTERNET="eth0"
> # Interface connected to LAN
> LAN_IN="eth1"
>
> # Squid port
> SQUID_PORT="3128"
>
> # DO NOT MODIFY BELOW
> # Clean old firewall: flush rules and delete user chains in filter, nat and mangle
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
> # Load IPTABLES modules for NAT and IP conntrack support
> # (on current kernels these are called nf_conntrack / nf_conntrack_ftp)
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> # For win xp ftp client
> #modprobe ip_nat_ftp
> # Enable routing between the LAN and Internet interfaces
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Setting default filter policy (FORWARD is left at its default, ACCEPT)
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
>
> # Unlimited access to loop back
> iptables -A INPUT -i lo -J ACCEPT 2>/dev/null || iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Allow replies to our own connections back in on the Internet side
> # (via conntrack this covers UDP/DNS answers and passive FTP data connections)
> iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # set this system as a router for Rest of LAN
> iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
> iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
>
> # unlimited access to LAN
> iptables -A INPUT -i $LAN_IN -j ACCEPT
> iptables -A OUTPUT -o $LAN_IN -j ACCEPT
>
> # DNAT port 80 requests coming from LAN systems to squid 3128
> # ($SQUID_PORT) aka transparent proxy -- for a Squid box separate from the gateway
> #iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
>
> # if it is same system (note: this one matches the Internet-side interface, not the LAN)
> #iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
>
> # taken from the newsgroup
> #iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
>
> # Redirect LAN web traffic (TCP/80) to the local Squid listener
> iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # DROP everything and Log it
> iptables -A INPUT -j LOG
> iptables -A INPUT -j DROP
>
> I ran the script and then tried to connect from the laptop, but
> it still doesn't work; it's the same as before, I always have to set the proxy
> by hand. Do you need me to post some configuration file (output of
> iptables or anything else)?
>
> I don't understand why it doesn't work...
I have to admit, this script looks like a bit of a mess to me :-)
I'll try to interpret what you want and rewrite it more
"tidily".
So:

#!/bin/bash
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# Clean up the old firewall: flush rules, delete user chains, zero counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

# IP Forward (route between the LAN and Internet interfaces)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies: drop unsolicited inbound and forwarded traffic
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# INPUT chain
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $LAN_IN -j ACCEPT
# accept ICMP except echo-request (the "!" goes before the option in current iptables)
iptables -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# NAT and Redirect
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
# send LAN web traffic (TCP/80) to the local Squid listener
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# Other FORWARD rules
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IN -j ACCEPT
iptables -A FORWARD -p icmp ! --icmp-type echo-request -j ACCEPT


Try it this way. Now the script is a bit tidier, and I took it
straight from the script of my own transparent proxy :-)

-- 
Dario Pilori
-Linux registered user #406515
-Debian GNU/Linux user
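Neither script in this thread touches the Squid side, yet "clients only work with the proxy set by hand" is exactly the symptom when the REDIRECT rule is in place but Squid is not listening in interception mode (`http_port 3128 intercept` on Squid 3.1 and later, `http_port 3128 transparent` on 2.6/3.0). The checks below are an added example written for this thread, not code from either poster; they assume LAN_IN=eth1 and SQUID_PORT=3128 as in the scripts above, the rule syntax that iptables-save prints, and a squid.conf path of /etc/squid/squid.conf (all of which can be overridden). The sample rule sets and squid.conf excerpts embedded in the block are constructed for the checks, not captured from anyone's machine. Two caveats worth keeping in mind: REDIRECT only catches TCP/80, so HTTPS and everything else from the LAN simply passes through the FORWARD/MASQUERADE rules uninspected; and the INPUT DROP policy with ESTABLISHED,RELATED on the Internet side is what keeps the Squid port from being reachable from eth0, so do not loosen it.

```shell
#!/bin/sh
# tproxy_check.sh -- added diagnostic for the transparent-proxy setup in this
# thread; not from the original posts. Assumes LAN_IN=eth1 and SQUID_PORT=3128
# as in the scripts above, and the rule syntax printed by iptables-save.

LAN_IN="${LAN_IN:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# has_redirect_rule RULES
#   RULES is iptables-save output for the nat table. Succeeds only if a
#   PREROUTING rule intercepts TCP/80 arriving on $LAN_IN and redirects it to
#   $SQUID_PORT. iptables-save prints "--to-ports" even when the rule was
#   added with "--to-port".
has_redirect_rule() {
    printf '%s\n' "$1" | grep -Eq \
        "^-A PREROUTING -i ${LAN_IN} -p tcp .*--dport 80 .*-j REDIRECT --to-ports ${SQUID_PORT}\$"
}

# squid_intercepts CONF
#   CONF is the text of squid.conf. Succeeds if the http_port line for
#   $SQUID_PORT carries the interception flag: "intercept" (Squid 3.1+) or
#   "transparent" (Squid 2.6/3.0). Without it Squid refuses the redirected
#   requests, and clients only work with the proxy configured by hand.
squid_intercepts() {
    printf '%s\n' "$1" | grep -Eq \
        "^[[:space:]]*http_port[[:space:]]+([0-9.]+:)?${SQUID_PORT}[[:space:]].*[[:space:]]?(intercept|transparent)([[:space:]]|\$)"
}

# forwarding_enabled [FILE]
#   Routing between the LAN and Internet interfaces is off unless this sysctl
#   is 1. FILE defaults to the live sysctl file; pass another path to test.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed sample data (assumed formats, not captured from a real system):
SAMPLE_NAT_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_NAT_NO_REDIRECT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_SQUID_OK='# squid.conf excerpt
http_port 3128 intercept
cache_mem 64 MB'
SAMPLE_SQUID_MANUAL_ONLY='http_port 3128
cache_mem 64 MB'

# Live mode (needs root for iptables-save):
#   sudo sh tproxy_check.sh --live /etc/squid/squid.conf
if [ "${1:-}" = "--live" ]; then
    conf="${2:-/etc/squid/squid.conf}"
    rc=0
    has_redirect_rule "$(iptables-save -t nat)" \
        || { echo "missing REDIRECT rule for tcp/80 on ${LAN_IN}"; rc=1; }
    squid_intercepts "$(cat "$conf")" \
        || { echo "no 'http_port ${SQUID_PORT} intercept' (or 'transparent') in $conf"; rc=1; }
    forwarding_enabled \
        || { echo "net.ipv4.ip_forward is 0"; rc=1; }
    # The packet counters on the REDIRECT rule must rise while a LAN client
    # browses; if they stay at zero the traffic never reaches this box on eth1.
    iptables -t nat -L PREROUTING -v -n --line-numbers
    exit $rc
fi
```

Run it with `--live` on the gateway after loading the firewall script; each failed check prints what is missing, and the counter listing at the end tells you whether LAN web traffic is hitting the REDIRECT rule at all.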
