Transparent proxy with squid and iptables
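#!/bin/sh
# Transparent HTTP proxy gateway: this host routes a LAN to the Internet and
# redirects the LAN's outbound TCP/80 into a Squid "intercept" port on this
# same host. Must run as root.
#
# IPv4 only: nothing here touches ip6tables. If the host has IPv6
# connectivity the kernel's default (ACCEPT) ip6tables policies still apply,
# so add matching ip6tables rules or disable IPv6 on the Internet interface.
#
# Ordering is fail-closed: the DROP policies are installed *before* the old
# rules are flushed, so an abort part-way through never leaves the host open.
# (The flip side: an abort can cut off a remote admin session -- run this from
# the console, or under screen/tmux with a scheduled rollback.)
set -u

# Squid server IP -- informational only: no rule below references it. The
# REDIRECT rule sends port-80 traffic to Squid on *this* host.
SQUID_SERVER="192.168.1.5"
# Interface connected to Internet
INTERNET="enp3s1"
# Interface connected to LAN
LAN_IN="enp1s0"
# Squid intercept port (must match "http_port <port> intercept" in squid.conf)
SQUID_PORT="3128"
# DO NOT MODIFY BELOW

# Default filter policies first, so the flush below never opens the host.
# FORWARD is set explicitly: left at the kernel default (ACCEPT) it would let
# anything arriving on $INTERNET be forwarded into the LAN.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load conntrack modules. These are the legacy names (nf_conntrack /
# nf_conntrack_ftp on current kernels, which still accept the old names as
# aliases and autoload nf_conntrack on first use of -m state).
# NOTE(review): on kernels >= 4.7 the FTP helper is no longer attached to
# connections automatically (net.netfilter.nf_conntrack_helper defaults to 0);
# a raw-table "-j CT --helper ftp" rule is needed for passive FTP data
# connections to be tracked as RELATED -- confirm on the target kernel.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
# Enable routing. Written to /proc, so it does not survive a reboot;
# persist it via sysctl.conf if this script is not run at boot.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# From the Internet side only replies to connections this host opened (plus
# RELATED ones, e.g. FTP data when the helper is active) may reach the host.
iptables -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set this system as a router for the rest of the LAN.
# Outbound: anything coming in on the LAN interface may be forwarded and is
# masqueraded behind this host's Internet address.
# Inbound: only replies to LAN-initiated connections are forwarded back;
# unsolicited traffic from $INTERNET toward the LAN falls to the DROP policy.
iptables -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
iptables -A FORWARD -i "$LAN_IN" -j ACCEPT
iptables -A FORWARD -i "$INTERNET" -o "$LAN_IN" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Transparent proxy: TCP/80 coming from the LAN is redirected to the local
# Squid on $SQUID_PORT. Only plain HTTP is intercepted -- HTTPS (443) and every
# other port go straight through NAT, unproxied and unfiltered by Squid.
iptables -t nat -A PREROUTING -i "$LAN_IN" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

# Unlimited access to LAN. This also exposes Squid's listening ports to every
# LAN host; the http_access ACLs in squid.conf are the second line of defence.
iptables -A INPUT -i "$LAN_IN" -j ACCEPT
iptables -A OUTPUT -o "$LAN_IN" -j ACCEPT

# DROP everything else and log it. The LOG rule is rate-limited so a port scan
# or packet flood from the Internet side cannot fill the system log.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
iptables -A INPUT -j DROP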
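# Squid configuration for the transparent proxy set up by the iptables script:
# port 3128 receives the REDIRECTed LAN TCP/80 traffic (intercept mode), port
# 3126 is an ordinary forward proxy for clients configured explicitly.

# Clients allowed to use the proxy: the proxy host itself (SQUID_SERVER in the
# script) and the LAN subnet.
acl lan src 192.168.1.5 10.42.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Access control is evaluated top-down; the first matching line wins.
http_access deny !Safe_ports
# CONNECT only to 443: prevents the proxy being used as a generic TCP tunnel.
http_access deny CONNECT !SSL_ports
# Cache-manager interface reachable only from the proxy host itself.
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow lan
# Anything not matched above is refused. This is what protects the plain
# forward-proxy port (3126) should it ever become reachable from outside the
# LAN; the iptables INPUT policy is the first line of defence.
http_access deny all

# Intercept port for the iptables REDIRECT rule; must match SQUID_PORT there.
http_port 3128 intercept
# Plain forward-proxy port (Squid requires at least one non-intercept port).
http_port 3126

coredump_dir /var/spool/squid
maximum_object_size 1024 MB

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# SECURITY: the three patterns below carry override-expire ignore-no-store
# ignore-private. Responses the origin marked Cache-Control: no-store or
# private (e.g. documents downloaded from behind a login) are cached anyway and
# can then be served to *any* LAN client that requests the same URL, without
# the origin's authentication. Keep these options only if every LAN user may
# see every other user's downloads; otherwise drop ignore-no-store and
# ignore-private (override-expire on its own only affects freshness).
# NOTE(review): ignore-no-cache was removed in Squid 3.2; newer versions
# report it as an obsolete option and it has no effect there -- confirm the
# Squid version in use and check cache.log for the warning.
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff|pdf)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern . 0 20% 4320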