#本节内容为配置iptables 与 squid ,并以文件来获取规则,以方便管理规则。 #接上一个脚本内容,此部分内容需根据需求更改部分内容。 #停止squid服务 systemctl enable squid &> /dev/null systemctl stop squid #编辑squid配置文件 squid_conf_file=/etc/squid/squid.conf mv $squid_conf_file $squid_conf_file.bk cat > $squid_conf_file << EOF acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT #visible_hostname http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager acl allow_all src "/etc/squid/rules/allow_all.squid" http_access allow allow_all acl files urlpath_regex -i \.mp3$ \.avi$ \.exe$ \.rar$ \.zip$ \.mp4$ \.7z$ \.rm$ \.rmvb$ \.qsv$ \.mov$ \.msi$ \.wav$ \.torrent$ \.cab$ \.com$ \.bat$ \.gz$ \.bz2$ \.sys$ \.swf$ http_access deny files acl only_web src "/etc/squid/rules/allow_only_web.squid" http_access allow only_web http_access allow localhost http_access deny all #http_port 3128 transparent http_port 3129 cache_dir aufs /var/spool/squid 10240 16 256 cache_mem 1024 MB maximum_object_size 8 MB minimum_object_size 0 kB maximum_object_size_in_memory 4096 kB acl nocache urlpath_regex -i \.asp$ \.jsp$ no_cache deny nocache acl nogov urlpath_regex -i \.gov\.cn no_cache deny nogov ipcache_size 65535 fqdncache_size 65535 coredump_dir /var/spool/squid cache_log /var/log/squid/cache.log access_log /var/log/squid/access.log cache_store_log /var/log/squid/store.log cache_store_log none logfile_rotate 7 cache_swap_low 85 cache_swap_high 95 error_directory /usr/share/squid/errors/zh-cn cache_mgr [email protected] refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i \.(jpg|jpeg|gif|png|xml|html|htm|css|js|ico) 1440 90% 2880 refresh_pattern -i \.(mp3|mp4|swf|rar|zip) 1440 20% 10080 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 EOF sed -i ‘s/#visible_hostname/visible_hostname ‘${host_name}‘/g‘ ${squid_conf_file} sed -i ‘s/#http_port 3128 transparent/http_port ‘${lan_ip}‘:3128 transparent/g‘ ${squid_conf_file} #configrue iptables #将以下内容复制出来,重新编写变量,用来日常网络权限控制! #日常管理脚本策略根据自身要求自行定义。 #-------copy begin--------- modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ip_conntrack echo "1" > /proc/sys/net/ipv4/tcp_syncookies echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "1" > /proc/sys/net/ipv4/ip_forward read -p "input manager host ip address : " manager_ip #初始脚本时所定义变量,日常管理脚本不需要。 #------管理脚本,自定义变量------- #lan= #lan_ip= #lan_dns1= #lan_dns2= #lan_net= #manager_ip= #wan= #wan_ip= iptables -F iptables -X iptables -Z iptables -F -t nat iptables -X -t nat iptables -Z -t nat iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -d ${lan_ip} -p tcp --dport 3128 -j ACCEPT iptables -A INPUT -s ${manager_ip} -i ${lan} -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i lo -j ACCEPT AICMP="0 3 3/4 4 11 12 18" for TYICMP in ${AICMP} ; do iptables -A INPUT -i ${lan} -p icmp --icmp-type ${TYICMP} -j ACCEPT done iptables -N syn-flood iptables -A INPUT -p tcp --syn -j syn-flood iptables -I syn-flood -p tcp -m limit --limit 1/s --limit-burst 3 -j RETURN iptables -A syn-flood -j DROP iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -s ${wan_ip} -p tcp -m multiport --dports 80,443 -j ACCEPT iptables -A OUTPUT -p udp --dport 53 -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s ${lan_dns1} -p udp --dport 53 -j ACCEPT iptables -A FORWARD -s ${lan_dns2} -p udp --dport 53 -j ACCEPT # redirect and SNAT iptables -t nat -A PREROUTING -i ${lan} -p tcp --dport 80 -j REDIRECT --to-ports 3128 read -p "input super subnet! exap 192.168.0.0/22 " lan_sup_subnet iptables -t nat -A POSTROUTING -s ${lan_sup_subnet} -o ${wan} -j SNAT --to-source ${wan_ip} #自定义规则,默认规则为拒绝,80端口的权限由 squid 管理,不需要添加。 #本通过读取文件来配置防火墙规则,如,规则文件放在/usr/local/iptabes中。 #规则文件以IP开头,中间以空格分开,后接备注名称,格式如:IP地址 使用人 #exap: 允许所有端口通过。 if [ ! -d /usr/local/iptables ] ; then mkdir /usr/local/iptables fi if [ ! -d /etc/squid/rules ] ; then mkdir /etc/squid/rules fi echo "#允许所有端口通过" > /usr/local/iptables/allow_all.rule #管理脚本需自定义文件,不需要此行 echo "$manager_ip it" >> /usr/local/iptables/allow_all.rule #添加IT ALLOW_ALL_RULE=`grep -v "#" /usr/local/iptables/allow_all.rule | awk ‘{print $1}‘` for ALLOW_ALL in ${ALLOW_ALL_RULE} ; do iptables -A FORWARD -s ${ALLOW_ALL} -o ${wan} -j ACCEPT done #同步 squid 配置文件 echo "用户没有限制" > /etc/squid/rules/allow_all.squid echo $ALLOW_ALL_RULE | awk -v RS=" " ‘{print $0}‘ >> /etc/squid/rules/allow_all.squid #exap: 只允许443,80 通过,但限制 mail关键字,如限制 QQ邮箱。但允许服务器8000端口中的mail关键字。 echo "#只允许443,80端口通过。并限制“Mmail”,但允许服务器8000端口中的mail关键字。 " >> /usr/local/iptables/allow_only_web.rule #管理脚本不需要此行 echo "$manager_ip it" >> /usr/local/iptables/allow_only_web.rule ALLOW_ONLY_WEB_RULE=`grep -v "#" /usr/local/iptables/allow_only_web.rule | awk ‘{print $1}‘` for ALLOW_ONLY_WEB in ${ALLOW_ONLY_WEB_RULE} ; do iptables -A FORWARD -s ${ALLOW_ONLY_WEB} -o ${wan} -j ACCEPT iptables -I FORWARD -d ${ALLOW_ONLY_WEB} -i ${wan} -m string --algo bm --from 40 --to 450 --hex-string "mail" -p tcp ! --sport 8000 -j DROP done #同步 squid 配置文件 echo "允许443,80 通过,但限制 mail关键字" > /etc/squid/rules/allow_only_web.squid echo $ALLOW_ONLY_WEB_RULE | awk -v RS=" " ‘{print $0}‘ >> /etc/squid/rules/allow_only_web.squid #初始化squid。 sleep 1 squid -z #管理脚本不需要此行 sleep 1 systemctl restart squid.service sleep 5 /sbin/squid -k reconfigure #--------copy end ------------- #日常管理中只需更改/usr/local/iptabes中的规则文件,再运行管理脚本退可! #修改规则时,需在管理脚本与squid配置文件中加入相应规则退可。 #编写自启动脚本。 #cat > /usr/lib/systemd/system/ipt.rule.service << EOF #[Unit] #Description=iptables and squid manage script #After=syslog.target network.target nss-lookup.target #[Service] #Type=oneshot #ExecStart=/usr/local/iptables/ipt.rule.sh #[Install] #WantedBy=multi-user.target #EOF #systemctl enable ipt.rule.service
时间: 2024-09-29 16:23:28