debsankha/iptable_rules.sh

## iptable_rules.sh
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.5"
# Interface connected to Internet
INTERNET="enp3s1"
# Interface connected to LAN
LAN_IN="enp1s0"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

## squid.conf
acl lan src 192.168.1.5 10.42.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow lan
http_access deny all

http_port  3128 intercept
http_port  3126

coredump_dir /var/spool/squid
maximum_object_size 1024 MB
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern .               0       20%     4320
	#!/bin/sh
	# squid server IP
	SQUID_SERVER="192.168.1.5"
	# Interface connected to Internet
	INTERNET="enp3s1"
	# Interface connected to LAN
	LAN_IN="enp1s0"
	# Squid port
	SQUID_PORT="3128"
	# DO NOT MODIFY BELOW
	# Clean old firewall
	iptables -F
	iptables -X
	iptables -t nat -F
	iptables -t nat -X
	iptables -t mangle -F
	iptables -t mangle -X
	# Load IPTABLES modules for NAT and IP conntrack support
	modprobe ip_conntrack
	modprobe ip_conntrack_ftp
	# For win xp ftp client
	#modprobe ip_nat_ftp
	echo 1 > /proc/sys/net/ipv4/ip_forward
	# Setting default filter policy
	iptables -P INPUT DROP
	iptables -P OUTPUT ACCEPT
	# Unlimited access to loop back
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT
	# Allow UDP, DNS and Passive FTP
	iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
	# set this system as a router for Rest of LAN
	iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
	iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

	# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
	iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
	# unlimited access to LAN
	iptables -A INPUT -i $LAN_IN -j ACCEPT
	iptables -A OUTPUT -o $LAN_IN -j ACCEPT

	# DROP everything and Log it
	iptables -A INPUT -j LOG
	iptables -A INPUT -j DROP
	acl lan src 192.168.1.5 10.42.0.0/24
	acl SSL_ports port 443
	acl Safe_ports port 80 # http
	acl Safe_ports port 21 # ftp
	acl Safe_ports port 443 # https
	acl Safe_ports port 70 # gopher
	acl Safe_ports port 210 # wais
	acl Safe_ports port 1025-65535 # unregistered ports
	acl Safe_ports port 280 # http-mgmt
	acl Safe_ports port 488 # gss-http
	acl Safe_ports port 591 # filemaker
	acl Safe_ports port 777 # multiling http
	acl CONNECT method CONNECT

	http_access deny !Safe_ports
	http_access deny CONNECT !SSL_ports
	http_access allow localhost manager
	http_access deny manager
	http_access allow localhost
	http_access allow lan
	http_access deny all

	http_port 3128 intercept
	http_port 3126

	coredump_dir /var/spool/squid
	maximum_object_size 1024 MB
	coredump_dir /var/spool/squid
	refresh_pattern ^ftp: 1440 20% 10080
	refresh_pattern ^gopher: 1440 0% 1440
	refresh_pattern -i (/cgi-bin/\|\?) 0 0% 0
	refresh_pattern (Release\|Packages(.gz)*)$ 0 20% 2880
	refresh_pattern -i \.(gif\|png\|jpg\|jpeg\|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
	refresh_pattern -i \.(iso\|avi\|wav\|mp3\|mp4\|mpeg\|swf\|flv\|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
	refresh_pattern -i \.(deb\|rpm\|exe\|zip\|tar\|tgz\|ram\|rar\|bin\|ppt\|doc\|tiff\|pdf)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
	refresh_pattern . 0 20% 4320