GlennsPref |
01-30-2009 03:44 AM |
Part of my network set-up
Make sure the address matches the ip address on your system.
I think the order of the lines in squid.conf is important,
as you can't open a lower gate if the upper gate is closed.
I tried to attach the files I mentioned above but I can't see them. So here they are...
/etc/squid/squid.conf
Code:
http_port 192.168.0.2:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache_replacement_policy heap LFUDA
no_cache deny QUERY
cache_dir diskd /var/spool/squid 512 16 256
cache_store_log /var/log/squid/store.log
maximum_object_size_in_memory 8192 KB
maximum_object_size 51200 KB
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#http_access allow CONNECT webmin_port local_host
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_reply_access allow all
icp_access allow all
visible_hostname GamesBox.GlennsPref.net
append_domain .GlennsPref.net
err_html_text squid@GamesBox.GlennsPref.net
deny_info ERR_CUSTOM_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on
/etc/init.d/atomic.firewall.sh
Code:
#!/bin/sh
#
# Atomic IPTables firewall script v1.2
#
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
#
# Updated May 2003 for bandwidth shaping
#
# Ashton Mills
# amills@iinet.com.au
# Environment variables, change these values accordingly
EXT_IF=ppp0
INT_IF=eth0
INT_NET=192.168.0.0/24
ANY=0.0.0.0/0
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
#
## You shouldn't need to touch anything below here
#
# Load appropriate iptables modules, others will be loaded dynamically on demand
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
# Flush everything
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
## --- DEFAULT POLICY --- ##
#
# Drop everything on INPUT and FORWARD chains, accept OUTPUT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#
## --- INPUT CHAIN --- ##
#
# Allow Telstra hearbeat -- BPA users uncomment this
# $IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
# $IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT
# Allow local net browsing avahi/Zeroconf
$IPTABLES -A INPUT -p udp --sport 5353 -j ACCEPT
# Allow bootp port -- Optus and some ADSL users need this
# $IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT
# Allow access to services on this (the gateway) machine
# SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# Teamspeak
# $IPTABLES -A INPUT -p udp --dport 8767 -j ACCEPT
# Half Life server
# $IPTABLES -A INPUT -p udp --dport 27015 -j ACCEPT
# $IPTABLES -A INPUT -p udp --dport 27010 -j ACCEPT
# FTP
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
# Bittorrent
$IPTABLES -A INPUT -p tcp --dport 6881:6969 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 6881:6969 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4444 -j ACCEPT
# Accept all connections on local and internal interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT
# Stateful inspection -- Allow packets in from connections already established
$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop packets from invalid sources (reserved networks and localhost)
$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
# Don't log igmp, web or ssl. More noise we don't need to log.
$IPTABLES -A INPUT -p igmp -j DROP
$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp --dport 443 -j DROP
# Log everything else
$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "
#
## -- BANDWIDTH SHAPING -- ##
#
#
# EGRESS (upstream)
#
# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30
# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10
# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
# Place other games here
# EVE online
# $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 26000 -j MARK --set-mark 10
# ICMP (ping)
$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10
# SSH
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10
# Web, SSL
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20
# ACKs
$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20
#
# No need for catchall for class 30, handled by HTB root qdisc initilisation
#
#
# INGRESS (downstream)
#
# Only prioritise class 10 traffic
# Don't police high priority UDP, game, ping and SSH packets
$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10
# Place other games here
# EVE online
# $IPTABLES -t mangle -A PREROUTING -p tcp --sport 26000 -j MARK --set-mark 10
# Catchall, police everything else
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30
#
# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
# for browsing as many P2P programs, not to mention your HTTP file downloads, will
# flood the link unpoliced, causing delays with high priority (class 10) packets.
# Shape HTTP going out, but let it be bulk coming in.
#
# Read the note at the end of the atomic.shaper script for more on INGRESS shaping.
#
#
## --- FORWARD CHAIN --- ##
#
# Stateful inspection -- Forward in connections already established
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface ppp0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o ppp0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --sport 53 --dport 1024:65535 -j ACCEPT
# Forwards for software running on Windows/Linux machines behind the firewall
# Kazaa Lite (change destination IP accordingly)
# $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest 192.168.0.2
# $IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d 192.168.0.2 -j ACCEPT
# Bittorrent
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6969 -j DNAT --to-dest 192.168.0.2
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6969 -d 192.168.0.2 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 6881:6969 -j DNAT --to-dest 192.168.0.2
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 6881:6969 -d 192.168.0.2 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 4444 -j DNAT --to-dest 192.168.0.2
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 4444 -d 192.168.0.2 -j ACCEPT
# Forwards for hosting DirectPlay games
# iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 47624 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 47624 -j DNAT --to-destination 192.168.0.2:47624
# iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2300:2400 -j DNAT --to-destination 192.168.0.2:2300-2400
# iptables -A FORWARD -i ppp0 -o eth0 -p udp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 2300:2400 -j DNAT --to-destination 192.168.0.2:2300-2400
# Forward out all traffic
$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
#
## --- OUTPUT CHAIN --- ##
#
# Follows policy
#
## --- NAT --- ##
#
# Enable masquerade
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE
#
## -- Transparent proxy to Squid --- ##
#
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
/etc/rc.d/rc.local
Code:
#!/bin/sh
#
### BEGIN INIT INFO
# Provides: rc.local
# X-Mandriva-Compat-Mode
# Default-Start: 2 3 4 5
# Short-Description: Local initialization script
# Description: This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
### END INIT INFO
touch /var/lock/subsys/local
/etc/init.d/atomic.firewall
ifup eth0
service squid start
eth0 is my internal connection, 192.168.0.2
ppp0 is my external connection to the www.
Some other network files that help, are found in /etc/sysconfig/...
My other pc uses the squid proxy transparently, no changes to that machines network settings is required.
This pc uses the proxy by changing the proxy settings in konqueror and firefox.
Hope you see the order I mentioned.
Regards, Glenn
|