主页 / ubuntu / 问题 / 4010
Accepted
Jon
Asked: 2010-09-11 14:55:15 +0800 CST

使用 Squid 作为透明代理的 IPTables 问题

  • 772

我有一台运行我的防火墙、dhcp 和 dns 的 Ubuntu (10.04) 机器。我刚刚从软件包中安装了 squid 并将其设置为在端口 8888 上运行。在对我的防火墙进行任何更改之前,网页将正常工作,如果我在 firefox 上手动将代理设置为 192.168.10.1:8888 它可以工作。当我尝试将 squid 变成透明代理时,就会出现问题。

我的防火墙如下:

#!/bin/sh

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"

EXTIF="eth1"
INTIF="eth2"

load () {

    $depmod -a

    $modprobe ip_tables
    $modprobe ip_conntrack
    $modprobe ip_conntrack_ftp
    $modprobe ip_conntrack_irc
    $modprobe iptable_nat
    $modprobe ip_nat_ftp
    $modprobe ip_conntrack_pptp
    $modprobe ip_nat_pptp

echo "enable forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#  start firewall

    #default policies
    $iptables -P INPUT DROP
    $iptables -F INPUT
    $iptables -P OUTPUT DROP
    $iptables -F OUTPUT
    $iptables -P FORWARD DROP
    $iptables -F FORWARD
    $iptables -t nat -F


echo "  opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

echo "  allow GRE 47 for VPN"
$iptables -A INPUT -p 47 -j ACCEPT

echo "  allow all connections OUT and ONLY existing related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

echo "  enabling SNAT (MASQUERADE) functionality on $EXTIF - allow LAN internet access"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT

echo "  Allowing packets with ICMP data (pings)"
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT

$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT

echo "  port 137 for netBios"
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT

#echo "  port 139 for netBios-ssn smb"
#$iptables -A INPUT -i $INTIF -p tcp --dport 139 -j ACCEPT
#$iptables -A OUTPUT -o $INTIF -p tcp --dport 139 -j ACCEPT

echo "  opening port 53 for DNS queries"
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT

echo "  opening port 22 for internal ssh"
$iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT

echo "  opening port 80 for webserver"
$iptables -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW -j ACCEPT

echo "  opening port 21 for FTP Server"
$iptables  -A INPUT -p tcp -i $EXTIF --dport 21 -m state --state NEW -j ACCEPT

echo "  opening ssh for web on port 2609 for firewig"
$iptables -A INPUT -p tcp --dport 2609 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 2609 -j ACCEPT

echo "  opening ssh for web on port 22  for WS2008-CI"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 22 -j DNAT  --to 192.168.10.97
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.97 -j ACCEPT

echo "  opening ssh for web on port 2302  for firewig 2302"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 2302 -j DNAT  --to 192.168.10.96:2302
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 2302 -j ACCEPT

echo "  opening Apache webserver for HoH"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.10.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 80 -j ACCEPT

#echo "  opening Hudson"
#$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 81 -j DNAT --to 192.168.10.97:81
#$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.97 --dport 81 -j ACCEPT

echo "  opening Target Process"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 90 -j DNAT --to 192.168.10.98:90
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.98 --dport 90 -j ACCEPT


#echo "  This is designed to stop brute force attacks"
$iptables -I INPUT -p TCP -m state --state NEW -m limit --limit 6/minute --limit-burst 5 -j ACCEPT

#echo "  setting up squid proxy server"
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to 192.168.10.1:8888
#$iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 8888


#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j DNAT --to 192.168.10.1:8888
#$iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 8888

#echo "  Diverting port 80 traffic through Squid."
#$iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 8888


#  NOTE THE THREE LINES BELOW ALLOW ACCESS FOR THE VPN CONNECTION...Ry.

$iptables -A INPUT -i $EXTIF -p TCP --dport 1723 -j ACCEPT

$iptables -A INPUT -i ppp+ -j ACCEPT
$iptables -A FORWARD -i ppp+ -o $INTIF -j ACCEPT
$iptables -A FORWARD -i $INTIF -o ppp+ -j ACCEPT
$iptables -A OUTPUT -o ppp+ -j ACCEPT

# ICMP for vpn
$iptables -A INPUT -i ppp+ -p icmp -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p icmp -j ACCEPT


# DNS for vpn
$iptables -A INPUT -i ppp+ -p tcp --dport 0:65535 --sport 53 -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p tcp --sport 0:65535 --dport 53 -j ACCEPT
$iptables -A INPUT -i ppp+  -p udp --dport 0:65535 --sport 53 -j ACCEPT
$iptables -A OUTPUT -o ppp+ -p udp --sport 0:65535 --dport 53 -j ACCEPT

# forward vpn--->internet
$iptables -A FORWARD -i ppp+ -o $EXTIF -p ALL -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o ppp+ -p ALL -j ACCEPT


#$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
#$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "


}
flush() {
    echo "flushing rules...."
    $iptables -P FORWARD ACCEPT
    $iptables -F INPUT
    $iptables -P INPUT ACCEPT
}

case "$1" in

    start|restart)
    flush
    load
    ;;
    stop)
    flush
    ;;
*)
    echo "usage: start|stop|restart."
;;

esac

如果我取消注释 squid 预路由线路,互联网将停止工作。

我不确定我错过了什么。你认为这可能是 Squid 配置的东西吗?

10.04 transparent-proxy

1 个回答

  1. Best Answer

    您是否调整http_port了拦截缓存的设置?

    -http_port 3128
+# FIXME enable the transparent option for interception caching
+http_port 3128 transparent

    这是我使用的规则。这有点复杂,但如果我需要,它们可以更容易地向拦截代理添加异常。

    # Creating chain 'tproxy' under 'PREROUTING' in table 'nat'
/sbin/iptables -t nat -N tproxy

# rules for source or destination addresss that will not be forced through the proxy.
/sbin/iptables -t nat -A tproxy -s 10.2.4.56 -j RETURN 
/sbin/iptables -t nat -A tproxy -s 10.2.4.86 -j RETURN 
/sbin/iptables -t nat -A tproxy -s 10.2.4.19 -j RETURN 
/sbin/iptables -t nat -A tproxy -s 10.2.4.85 -j RETURN 
/sbin/iptables -t nat -A tproxy -s 10.2.4.150 -j RETURN 
/sbin/iptables -t nat -A tproxy -d 10.2.0.0/16 -j RETURN

# redirect anything to the proxy that is not returned
/sbin/iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 8888 

# rules to send port 80 traffic on incoming interfaces vlan0004, vlan0006 to 
# tproxy chain.
/sbin/iptables -t nat -A PREROUTING -i vlan0004 -p tcp --dport 80 -j tproxy 
/sbin/iptables -t nat -A PREROUTING -i vlan0004 -p tcp --dport 8888 -j tproxy  
/sbin/iptables -t nat -A PREROUTING -i vlan0006 -p tcp --dport 80 -j tproxy  
/sbin/iptables -t nat -A PREROUTING -i vlan0006 -p tcp --dport 8888 -j tproxy
    • 6

相关问题