LinuxQuestions.org
Old 11-16-2020, 12:03 PM   #1
jmgibson1981
Member
 
Registered: Jun 2015
Location: Tucson, AZ USA
Distribution: Debian
Posts: 571

Building home router + squid. iptables help please?


After much googling I managed to put together this little script to semi-automate assembling a router for myself. It will be based on Ubuntu Focal. I've got this fully functional inside a virtual machine + virtual network in VirtualBox. I have yet to move to bare metal. I want to make sure that I'm completely shutting down anything that comes in on the WAN side. I have no need for any open ports, no VPN or anything. This is more to make the best use of the limited bandwidth we can get here.

What changes need to be made to block anything incoming on the WAN, save for 80/443 or whatever is due to normal internet usage?


Code:
#!/bin/sh
# tadaen sylvermane | jason gibson
# simple home router setup

# begin script #

case "$1" in
        routersetup)
                # find lists /sys/class/net/ itself too (basename "net"), hence the net|lo|veth* skip below
                for interface in $(find /sys/class/net/ -maxdepth 1) ; do
                        ifname=$(basename "$interface")
                        case "$ifname" in
                                net|lo|veth*)
                                        continue
                                        ;;
                                *)
                                        # IPv4 address configured on this interface, without the prefix length
                                        ifip=$(ip addr | grep 'inet ' | grep "$ifname" | awk '{print $2}' \
                                        | cut -d\/ -f 1)
                                        if [ ! -z "$ifip" ] ; then
                                                case "$ifip" in
                                                        # private address: treat as a LAN side and add its /24 route
                                                        192.168.*.*|172.17.*.*)
                                                                MODIFIEDIP=$(echo "$ifip" | rev | cut -d"." -f2- | rev).0/24
                                                                route add -net "$MODIFIEDIP" dev "$ifname"
                                                                ;;
                                                        # anything else: treat as the WAN side and NAT outbound traffic
                                                        *)
                                                                iptables -t nat -A POSTROUTING -o "$ifname" -j MASQUERADE
                                                                ;;
                                                esac
                                        fi
                                        ;;
                        esac
                done
                ;;
        squidsetup)
                # https://gist.github.com/maprangzth/453373f3052a0bd7d77b8689ada4dc40
                # NO_PROXY: destinations that must bypass the transparent proxy
                # (ACCEPT in the nat table ends nat processing, so no REDIRECT happens)
                iptables -N NO_PROXY -t nat
                iptables -A NO_PROXY -t nat -d 0.0.0.0/24 -j ACCEPT
                iptables -A NO_PROXY -t nat -d 127.0.0.0/24 -j ACCEPT
                iptables -A NO_PROXY -t nat -d 172.17.0.0/24 -j ACCEPT
                iptables -A NO_PROXY -t nat -d 192.168.0.0/24 -j ACCEPT
                iptables -A NO_PROXY -t nat -j RETURN
                # everything else on 80/443 is sent to squid's intercept ports
                iptables -A PREROUTING -t nat -p tcp --dport 80 -j NO_PROXY
                iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 3129
                iptables -A PREROUTING -t nat -p tcp --dport 443 -j NO_PROXY
                iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 3130
                ;;
        *)
                echo "usage: ${0} (routersetup|squidsetup)"
                exit 0
                ;;
esac

Last edited by jmgibson1981; 11-16-2020 at 12:05 PM.
 
Old 11-17-2020, 12:06 AM   #2
jmgibson1981 (Original Poster)
Code:
# ROUTERVARS is a scratch file recording each interface as "name lan" or "name wan";
# it is assumed to be set earlier in the full script (it is not defined in this excerpt)
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# replies to connections the router itself started
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# answer traceroute UDP probes with port-unreachable so traces to the router complete
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
for interface in $(find /sys/class/net/ -maxdepth 1) ; do
        ifname=$(basename "$interface")
        ifip=$(ip addr | grep 'inet ' | grep "$ifname" | awk '{print $2}' \
        | cut -d\/ -f 1)
        case "$ifname" in
                net|lo|veth*)
                        continue
                        ;;
                *)
                        if [ ! -z "$ifip" ] ; then
                                case "$ifip" in
                                        # LAN side: add the /24 route and offer DNS, SSH and DHCP to it
                                        192.168.100.*|172.17.*.*)
                                                MODIFIEDIP=$(echo "$ifip" | rev | cut -d"." -f2- | rev).0/24
                                                route add -net "$MODIFIEDIP" dev "$ifname"
                                                iptables -A INPUT -i "$ifname" -p tcp --dport 53 -j ACCEPT
                                                iptables -A INPUT -i "$ifname" -p udp --dport 53 -j ACCEPT
                                                iptables -A INPUT -i "$ifname" -p tcp --dport 22 -j ACCEPT
                                                iptables -A INPUT -i "$ifname" -p udp --dport 67 -j ACCEPT
                                                echo "${ifname} lan" >> "$ROUTERVARS"
                                                ;;
                                        # WAN side: NAT outbound traffic, nothing is opened on INPUT
                                        *)
                                                iptables -t nat -A POSTROUTING -o "$ifname" -j MASQUERADE
                                                echo "${ifname} wan" >> "$ROUTERVARS"
                                                ;;
                                esac
                        fi
                        ;;
        esac
done
lan_if=$(grep lan "$ROUTERVARS" | awk '{print $1}')   # unused: overwritten by the loop below
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# catch-all: anything not accepted above, on any interface, is dropped here
iptables -A INPUT -j DROP
# forward new connections only from LAN to WAN; replies are covered by the conntrack rule above
for lan_if in $(grep lan "$ROUTERVARS" | awk '{print $1}') ; do
        for wan_if in $(grep wan "$ROUTERVARS" | awk '{print $1}') ; do
                iptables -A FORWARD -i "$lan_if" -o "$wan_if" -j ACCEPT
        done
done
iptables -A FORWARD -j DROP
rm "$ROUTERVARS"
Came up with this today. Now it seems to work properly; however, my squid iptables rules are no longer working.

Code:
# https://gist.github.com/maprangzth/453373f3052a0bd7d77b8689ada4dc40
# NO_PROXY: local, loopback and LAN destinations bypass the transparent proxy
iptables -N NO_PROXY -t nat
iptables -A NO_PROXY -t nat -d 0.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 127.0.0.0/8 -j ACCEPT
iptables -A NO_PROXY -t nat -d 172.17.0.0/12 -j ACCEPT
iptables -A NO_PROXY -t nat -d 192.168.100.0/24 -j ACCEPT
iptables -A NO_PROXY -t nat -j RETURN
# everything else on 80/443 is sent to squid's intercept ports
iptables -A PREROUTING -t nat -p tcp --dport 80 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -A PREROUTING -t nat -p tcp --dport 443 -j NO_PROXY
iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 3130
 
Old 11-17-2020, 05:55 PM   #3
jmgibson1981 (Original Poster)
Marking solved. My script has evolved quite a bit. Posting git link rather than script as it's a constant WIP. My issue ended up being with my global INPUT drop line. I had to add rules for the squid ports (3129, 3130) before the drop.

https://github.com/jmgibson1981/scri...erouter.source

I welcome anyone to test, suggest, or do whatever. I'm always looking for suggestions for improvement. I won't be offended regardless. Thank you for your views.
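The fix from post #3, written out as an added example (this is not the author's script): the INPUT chain with the squid intercept ports 3129/3130 accepted from the LAN interface ahead of the catch-all DROP, beside the post #2 ordering for comparison and a self-check over the generated rule list. The interface names used in the calls (eth1 as LAN, eth0 as WAN), the IPT dry-run variable, and the INVALID and rate-limited LOG rules are assumptions that go a little beyond the thread.

```shell
#!/bin/sh
# Added example (not the thread's script). Interface names are assumptions;
# with IPT=echo the functions print the rules instead of applying them.
IPT=${IPT:-iptables}

# input_rules LAN_IF WAN_IF : the corrected ordering
input_rules() {
    lan_if=$1
    wan_if=$2
    $IPT -A INPUT -i lo -j ACCEPT
    # RELATED as well as ESTABLISHED, so ICMP errors for the router's own flows get in
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # services the router offers to the LAN only: DNS, DHCP, SSH
    $IPT -A INPUT -i "$lan_if" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$lan_if" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$lan_if" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$lan_if" -p tcp --dport 22 -j ACCEPT
    # squid intercept ports: a REDIRECTed client connection reaches INPUT as a
    # NEW connection on the LAN interface, so these must come before the DROP
    $IPT -A INPUT -i "$lan_if" -p tcp --dport 3129 -j ACCEPT
    $IPT -A INPUT -i "$lan_if" -p tcp --dport 3130 -j ACCEPT
    # log (rate-limited) and drop everything else; nothing new is accepted from WAN_IF
    $IPT -A INPUT -i "$wan_if" -m limit --limit 5/min -j LOG --log-prefix "WAN-DROP: "
    $IPT -A INPUT -j DROP
}

# input_rules_post2_order LAN_IF WAN_IF : the ordering from post #2, where the
# DROP is appended before the squid ports are opened, so the ACCEPTs are never reached
input_rules_post2_order() {
    $IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT -j DROP
    $IPT -A INPUT -i "$1" -p tcp --dport 3129 -j ACCEPT
    $IPT -A INPUT -i "$1" -p tcp --dport 3130 -j ACCEPT
}

# squid_before_drop RULEFUNC LAN_IF WAN_IF : 0 when every squid-port ACCEPT in
# the generated rule list precedes the catch-all DROP, 1 otherwise
squid_before_drop() {
    rules=$(IPT=echo; "$1" "$2" "$3")
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP$' | head -n 1 | cut -d: -f1)
    last_squid=$(printf '%s\n' "$rules" | grep -n -- '--dport 31[23][0-9] ' | tail -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$last_squid" ] && [ "$last_squid" -lt "$drop_line" ]
}

# rule_count RULEFUNC LAN_IF WAN_IF : number of rules the function would apply
rule_count() {
    (IPT=echo; "$1" "$2" "$3") | wc -l | tr -d ' '
}
```

Source the file and call input_rules LAN WAN as root to apply, or with IPT=echo in the environment to only review the rules. These are iptables (IPv4) rules only; a WAN with IPv6 needs the same ordering in ip6tables.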
 
  

