Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- # squid server IP
- SQUID_SERVER="192.168.1.1"
- # Interface connected to Internet
- INTERNET="eth0"
- # Interface connected to LAN
- LAN_IN="eth1"
- # Squid port
- SQUID_PORT="3128"
- # DO NOT MODIFY BELOW
- # Clean old firewall
- iptables -F
- iptables -X
- iptables -t nat -F
- iptables -t nat -X
- iptables -t mangle -F
- iptables -t mangle -X
- # Load IPTABLES modules for NAT and IP conntrack support
- modprobe ip_conntrack
- modprobe ip_conntrack_ftp
- # For win xp ftp client
- #modprobe ip_nat_ftp
- echo 1 > /proc/sys/net/ipv4/ip_forward
- # Setting default filter policy
- iptables -P INPUT DROP
- iptables -P OUTPUT ACCEPT
- # Unlimited access to loop back
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A OUTPUT -o lo -j ACCEPT
- # Allow UDP, DNS and Passive FTP
- iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
- # set this system as a router for Rest of LAN
- iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
- iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
- # unlimited access to LAN
- iptables -A INPUT -i $LAN_IN -j ACCEPT
- iptables -A OUTPUT -o $LAN_IN -j ACCEPT
- # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
- iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
- # if it is same system
- iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
- # DROP everything and Log it
- iptables -A INPUT -j LOG
- iptables -A INPUT -j DROP
Add Comment
Please, Sign In to add comment