Squid加IpTables实现网关防火墙的方法

需求说明：此服务器用作网关、MAIL(开启web、smtp、pop3)、FTP、DHCP服务器，内部一台机器(192.168.0.254)对外提供dns服务,为了不让无意者轻易看出此服务器开启了ssh服务器，故把ssh端口改为2018.另把proxy的端口改为60080

eth0:218.28.20.253,外网口

eth1:192.168.0.1/24,内网口

[jackylau@proxyserver init.d]$cat /etc/squid/squid.conf(部份如下)

http_port 192.168.0.1:60080

httpd_accel_port 80

httpd_accel_host virtual

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

acl allow_lan src 192.168.0.0/24

http_access allow allow_lan

visible_hostname proxyserver

[jackylau@proxyserver init.d]$ cat firewall

#!/bin/sh

# Author: jackylau ;

# chkconfig: 2345 08 92

# description: firewall

# Time on 2005.08.02

# killproc

# Set ENV

INET_IP=”218.28.20.253″

INET_IFACE=”eth0″

LAN_IP=”192.168.0.1″

LAN_IP_RANGE=”192.168.0.0/24″

LAN_BROADCAST_ADDRESS=”192.168.0.255″

LAN_IFACE=”eth1″

LO_IFACE=”lo”

LO_IP=”127.0.0.1″

IPTABLES=”/sbin/iptables”

start(){

echo -n $”Starting firewall:”

/sbin/depmod -a

/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack

/sbin/modprobe iptable_filter

/sbin/modprobe iptable_mangle

/sbin/modprobe iptable_nat

/sbin/modprobe ipt_LOG

/sbin/modprobe ipt_limit

/sbin/modprobe ipt_state

echo “1” >; /proc/sys/net/ipv4/ip_forward

# Set policies

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT DROP

$IPTABLES -P FORWARD DROP

# Add bad_tcp_packets, allowed and icmp_packets

$IPTABLES -N bad_tcp_packets

$IPTABLES -N tcp_packets

$IPTABLES -N udp_packets

$IPTABLES -N allowed

$IPTABLES -N icmp_packets

# bad_tcp_packets

$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG –log-level INFO –log-prefix “New not syn:”

$IPTABLES -A bad_tcp_packets -p TCP ! –syn -m state –state NEW -j DROP

# allowed

$IPTABLES -A allowed -p TCP –syn -j ACCEPT

$IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A allowed -p TCP -j DROP

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

# TCP rules

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 20 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 21 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 25 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 80 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 110 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 2018 -j allowed

# UDP rules

$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 67 -j ACCEPT

# ICMP rules

$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT

# INPUT chain

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets

$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

$IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix “IPT INPUT packet died: ”

# FORWARD chain

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix “IPT FORWARD packet died: ”

# OUTPUT chain

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

$IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix “IPT OUTPUT packet died: ”

# SNAT table

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $INET_IP

# DNAT table

$IPTABLES -t nat -A PREROUTING -p ! icmp -d $INET_IP -dport 53 -j DNAT –to-destination 192.168.0.254:53

# REDIRECT

$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -s $LAN_IP_RANGE –dport 80 -j REDIRECT –to-ports 60080

touch /var/lock/subsys/firewall

}

stop(){

echo -n $”Stoping firewall:”

echo “0”>;/proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT ACCEPT

$IPTABLES -P FORWARD ACCEPT

$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -t nat -P PREROUTING ACCEPT

$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t nat -P OUTPUT ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT

$IPTABLES -t mangle -P OUTPUT ACCEPT

$IPTABLES -F

$IPTABLES -t nat -F

$IPTABLES -t mangle -F

$IPTABLES -X

$IPTABLES -t nat -X

$IPTABLES -t mangle -X

rm -f /var/lock/subsys/firewall

}

status(){

clear

echo “——————————————————————-”

$IPTABLES -L

echo “——————————————————————-”

$IPTABLES -t nat -L POSTROUTING

echo “——————————————————————-”

$IPTABLES -t nat -L PREROUTING

}

case “$1” in

start)

start

;;

stop)

stop

;;

restart)

stop

start

;;

*)

echo “$0 [start|stop|restart|status]”

;;

esac

cp firewall /etc/init.d/

chmod 700 /etc/init.d/firewall

chkconfig –add firewall