Before I begin the tutorial, I assume Squid is already installed on your Linux system. I am using RHEL 5.2 for this. Below is the step-by-step procedure.
1. Here I use a script to manage my iptables rules. If you don't have such a script, first create one; it is very simple. Create a new file and name it whatever you like; I named mine iptables.
# touch /etc/iptables
2. Then edit that file using vim:
# vim /etc/iptables
3. Put the following text into that file:
#!/bin/sh
#Squid server address
SQUID_SERVER="x.x.x.x"
#Internet (WAN) interface
INTERNET="ethx"
#LAN interfaces
LAN_INx="ethx"
LAN_INy="ethy"
#Squid port
SQUID_PORT="3128"
#Reset the default policies to ACCEPT before flushing, so the box is not locked out while the rules are rebuilt
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#Flush all rules and delete user-defined chains in every table
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#Full access for localhost
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
#Allow packets that belong to already established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#NAT (masquerade) traffic from the LAN to the Internet
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
#Forward only these destination ports from the LAN; everything else falls through to the FORWARD DROP policy below
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 138 -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 8443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 5050 -j ACCEPT
#Transparent proxy: redirect HTTP (port 80) arriving on each LAN interface to Squid
iptables -t nat -A PREROUTING -i $LAN_INx -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -i $LAN_INy -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
#Allow clients to reach Squid, and let the gateway itself do DNS lookups and fetch web pages
iptables -A INPUT -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#Log (rate-limited to 2 per minute) whatever falls through to the DROP policies below, for troubleshooting
iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP **'
iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP **'
iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP **'
#Default policies: drop everything not explicitly allowed above
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#Save the configuration so it is restored by the RHEL iptables init script at boot
service iptables save
4. After that, save the file.
5. Make the file executable with the command below:
# chmod u+x /etc/iptables
6. Run the iptables script by executing the file directly, as root, like below:
# /etc/iptables
7. Test browsing from a LAN client using your browser. Squid itself must be listening in transparent mode for the redirected traffic to be accepted (for the Squid 2.6 shipped with RHEL 5, that is the transparent option on http_port in squid.conf); if pages do not load, check /var/log/messages for the "** FORWARD DROP **" and "** INPUT DROP **" log lines the script produces.
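A dry-run harness for a firewall script of this shape, added here as an example (it is not part of the original post and not the author's code). It replaces the iptables and service commands with shell functions that only print what would have been run, and enables set -u so that an unset variable (for example a rule written as $LAN_IN1 when the script only defines LAN_INx) aborts the run instead of silently producing a rule with an empty interface name, which on a real box would either fail or match every interface. The script copy, addresses, interface names and temporary paths below are constructed; it assumes a POSIX /bin/sh and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original post: dry-run a firewall script with
# iptables/service stubbed out and `set -u` enabled, so an undefined variable
# in a rule is caught before the script ever touches the live ruleset.
# All values below (addresses, interfaces, paths) are constructed for the demo.

# Write a constructed, shortened copy of the post's script to $1. The second
# argument names the variable used in the DNAT rule: LAN_IN1 reproduces the
# typo (never defined), LAN_INx is the corrected name.
write_script() {
  lan_var="$2"
  cat > "$1" <<EOF
#!/bin/sh
SQUID_SERVER="10.0.0.1"
INTERNET="eth0"
LAN_INx="eth1"
SQUID_PORT="3128"
iptables -t nat -A POSTROUTING -o \$INTERNET -j MASQUERADE
iptables -t nat -A PREROUTING -i \$$lan_var -p tcp --dport 80 -j DNAT --to \$SQUID_SERVER:\$SQUID_PORT
iptables -A INPUT -p tcp --dport \$SQUID_PORT -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
service iptables save
EOF
}

# Source the script in a subshell where iptables and service are shell
# functions that echo their arguments. The exit status is the script's own:
# non-zero when set -u trips on an undefined variable.
dry_run() {
  (
    iptables() { printf 'iptables %s\n' "$*"; }
    service()  { printf 'service %s\n' "$*"; }
    set -u
    . "$1"
  )
}

# Return 0 only when the dry run succeeds and its output contains the expected
# transparent-proxy DNAT rule and all three DROP policies.
verify_script() {
  out=$(dry_run "$1") || return 1
  case "$out" in
    *"-i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:3128"*) ;;
    *) return 1 ;;
  esac
  for chain in INPUT OUTPUT FORWARD; do
    case "$out" in
      *"iptables -P $chain DROP"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Demonstration: the script with the typo is rejected, the corrected one passes.
main() {
  dir=$(mktemp -d)
  write_script "$dir/buggy" LAN_IN1
  write_script "$dir/fixed" LAN_INx
  if verify_script "$dir/buggy"; then
    echo "buggy script: unexpectedly passed"
  else
    echo "buggy script: rejected (unset variable in DNAT rule)"
  fi
  if verify_script "$dir/fixed"; then
    echo "fixed script: ok"
  else
    echo "fixed script: failed"
  fi
  rm -rf "$dir"
}

main "$@"
```

The same harness can be pointed at the real /etc/iptables file with dry_run /etc/iptables; the printed rules are what would be loaded, and the shell's own "parameter not set" message on stderr pinpoints any variable that was never assigned.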