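# cat /etc/squid/squid.conf
# Squid configuration for the school gateway "gwschool" (192.168.1.33).
# The directive set ("acl manager proto cache_object", the "transparent"
# port flag, "::1" in the localhost acl, built-in "all") looks like
# Squid 3.1; the two renamed directives used below ("cache" for the old
# "no_cache", "access_log" for "cache_access_log") have existed since 2.6.
visible_hostname gwschool
cache_effective_user nobody
#cache_peer 192.168.0.1 parent 3128 0 no-query default
#cache_peer 192.168.0.1 parent 3129 0 no-query default
#http_port 192.168.1.33:3129 intercept
# 3128 is the explicit (forward) proxy port, 3129 the interception port.
# NOTE(review): rc.firewall on this host steers port-80 traffic to 3129 with
# the iptables TPROXY target, which requires the "tproxy" port flag (the
# commented line below), not "transparent" (NAT interception). Enable the
# one that matches the firewall and keep the other commented out.
http_port 192.168.1.33:3128
http_port 192.168.1.33:3129 transparent
#http_port 192.168.1.33:3129 tproxy
icp_port 0
# Do not cache script output. Only paths containing "cgi-bin" are matched;
# URLs with a query string but no "cgi-bin" are still cacheable.
acl QUERY urlpath_regex cgi-bin
cache deny QUERY
#cache_mem 32MB
# Cache directory: 5000 MB, 16 first-level and 256 second-level subdirectories.
cache_dir ufs /var/spool/squid/cache 5000 16 256
# Access log: one line per client request (usage statistics).
access_log /var/log/squid/access.log
# General log: start-up events of Squid and its helper programs.
cache_log /var/log/squid/cache.log
# Number of rotated log generations to keep.
logfile_rotate 30
# MIME type table.
mime_table /etc/squid/mime.conf
# PID file.
pid_filename /var/run/squid.pid
# Password sent for anonymous FTP logins.
ftp_user anonymous@asdf
# Width of the FTP directory listings Squid generates.
ftp_list_width 32
# Use passive FTP.
ftp_passive on
# Sanity-check FTP data connections.
ftp_sanitycheck on
# DNS server address(es).
#dns_nameservers 10.30.1.11
dns_nameservers 10.0.1.1
# Standard ACLs
# "all" is built in to this Squid version; it must not be redefined.
#acl all src 0.0.0.0/0.0.0.0 #All
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1 # localhost address
acl SSL_ports port 443 563 # SSL ports
acl SMTP port 25 # anti-spam: without this rule Squid can be used as an SMTP relay
# Service ACLs
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 2082 # cpanel
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl allNet src 192.168.1.1-192.168.1.254
acl reserv src 192.168.1.1-192.168.1.50
acl room2-2 src 192.168.1.100-192.168.1.125
# Domains pupils are allowed to visit (one per line in the file).
acl GoodSites dstdomain "/etc/squid/goodsites.lst"
# Banned sites.
acl BlackList dstdomain "/etc/squid/blacklist.lst"
# .squid.lan .mozilla.com .i-rs.ru .mozilla.org .freepascal.org .freepascal.ru .joomla.ru .joomlaportal.ru .google.ru .google.com .gmail.com .mail.ru .yandex.ru .presnenskiypark.ru dp-presnenskiy.ru .presnenskiypark.lan .kidsworld.ru .3dmax.com .blender.org .wikisource.org .wikiquote.org .wiktionary.org .wikimedia.org .wikipedia.org .blender3d.org.ua .rambler.ru 192.168.0.1 127.0.0.1 .htmlbook.ru .openoffice.org .gwdg.de
acl BadRegex url_regex -i foto\. photo\. video\.
# Note: the last four patterns carry no "$" anchor and match anywhere in the URL.
acl Files url_regex -i \.avi$ \.rar$ \.zip$ \.mpg$ \.swf$ \.mp3$ \.exe \.wma \.wmv \.asf
# Access rules. The first matching line decides, so the generic denies
# come before any client-specific allow.
# Cache manager only from the proxy host itself. The "manager" acl was
# declared but never used, which left cache_object:// reachable from every
# LAN client that "allow allNet" admits.
http_access allow manager localhost
http_access deny manager
# Port hygiene before the room rules, so that "allow room2-2 GoodSites"
# cannot open non-standard ports or CONNECT tunnels to non-SSL ports on a
# white-listed host (the CONNECT and SSL_ports acls were defined but unused).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny SMTP
# Room 2-2: no media/download URLs, white-listed domains only.
http_access deny room2-2 BadRegex
http_access deny room2-2 Files
http_access allow room2-2 GoodSites
http_access deny room2-2 all
#http_access deny reserv BadRegex
#http_access deny reserv Files
#http_access allow reserv GoodSites
#http_access deny reserv all
#http_access deny school-room BadRegex
#http_access deny school-room Files
#http_access allow school-room GoodSites
# Everyone else on the LAN: everything except the black list.
http_access deny allNet BlackList
#http_access allow all
http_access allow allNet
http_access deny all
# Directory with the (Russian) error pages.
error_directory /usr/share/squid/errors/ru
# Keep static media in the cache for 30 days (43200 minutes), ignoring the
# server's Last-Modified and Expires headers.
refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire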
- --------------------------------------------------------------------
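# cat /etc/rc.d/rc.firewall
#!/bin/sh
# Routing and firewall setup for the office-network router.
# To use it, rename this script to rc.firewall and make it mode 755.
# The script is safe to re-run: every table is flushed and its user
# chains removed before the rules are rebuilt.
#
# LAN/INET Configuration
# Adjust the following parameters to your networks!
LAN_IFACE=eth0
LAN_IP=192.168.1.33
# Network of the LAN, used as the SNAT source match below. The previous
# value (255.255.255.0/24) was a netmask, not a network, so the SNAT rule
# never matched LAN traffic. 192.168.1.0/24 is derived from LAN_IP — confirm.
LAN_IP_RANGE=192.168.1.0/24
# Directed broadcast address of the LAN (derived from LAN_IP_RANGE — confirm).
LAN_BCAST_ADRESS=192.168.1.255
INET_IFACE=eth1
STATIC_IP=10.40.2.34
# Not referenced by any rule below; kept for compatibility with other scripts.
STATIC_BCAST_ADRESS=0.0.0.224
LO_IFACE=lo
LOCALHOST_IP=127.0.0.1
#PPP0_IP=0.0.0.0
#PPP0_IFACE=ppp0
#PPP1_IP=0.0.0.0
#PPP1_IFACE=ppp1
# IPTables / iproute2 Configuration.
IPTABLES="/usr/sbin/iptables"
IP="/sbin/ip"
# Required modules (2.6-era names; newer kernels autoload the nf_* equivalents
# and modprobe simply reports the old names as unknown).
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe nf_tproxy_core
# Non-Required modules
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
# Routing between LAN and INET.
echo 1 > /proc/sys/net/ipv4/ip_forward
# NOTE(review): proxy ARP on the INET side answers ARP for addresses this
# router routes to; presumably required by the upstream network — confirm.
echo 1 > /proc/sys/net/ipv4/conf/$INET_IFACE/proxy_arp
# Set default policies for the INPUT, FORWARD and OUTPUT chains first, so
# that nothing is admitted while the old rules are flushed and the new ones
# are still being appended.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Clear ALL rules and user-defined chains in every table we touch
# (previously only the filter table's chains were removed, so DIVERT
# already existed on the second run).
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
#----------------------------------------------------------------------------------------------------------
# DIVERT: mark packets that belong to an existing local (Squid) socket so
# that the policy-routing rule below delivers them locally.
$IPTABLES -t mangle -N DIVERT
$IPTABLES -t mangle -A DIVERT -j MARK --set-mark 1
$IPTABLES -t mangle -A DIVERT -j ACCEPT
# Create chain for bad tcp packets
$IPTABLES -N bad_tcp_packets
# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
# bad_tcp_packets chain: reject/drop new connections that do not start with SYN
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Bad TCP packet: "
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# TCP sync rules
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
# ICMP rules: echo reply, destination unreachable, redirect, echo request, time exceeded
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# TCP rules: services on this host reachable from the INET side
# (ftp, smtp, dns, http, pop3, svn). Review this list against what is
# actually listening; port 25 in particular is only needed if an MTA runs here.
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3690 -j allowed
# UDP ports: DNS replies, but only for queries this host sent. The original
# rule accepted any UDP datagram whose source port was 53, which let an
# outside host reach every UDP service here simply by sending from port 53.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -m state --state ESTABLISHED -j ACCEPT
#----------------------------------------------------------------------------------------------------------
# PREROUTING chain
#$IPTABLES -t nat -A PREROUTING -p tcp -s 83.237.192.219 --dport 3389 -j DNAT --to 10.0.0.4
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.1.12
#$IPTABLES -t nat -A PREROUTING -p tcp -j DNAT --to-destination 10.0.0.69
# Black list
#$IPTABLES -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp --dport 80 -j DROP
#$IPTABLES -t nat -A PREROUTING -s 10.0.0.65 -p tcp -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 218.202.223.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 203.155.45.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 203.145.172.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.103.66.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.189.192.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 212.25.92.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 213.176.8.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 85.37.242.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 194.167.228.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.247.228.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 194.185.192.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 200.71.43.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 211.233.14.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.218.130.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 217.199.177.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.211.237.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.211.237.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.64.198.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 218.108.49.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 212.24.173.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 70.88.217.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 216.23.168.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 69.60.114.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 62.183.226.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 213.227.43.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 203.232.240.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 202.8.87.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 200.142.104.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 200.89.142.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 235.187.99.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 213.207.57.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 100.154.68.0/24 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -d 10.0.0.0/8 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -d 172.16.0.0/12 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -d 192.168.0.0/16 -j DROP
# ********* Redirect to SQUID **********
# TPROXY interception of LAN web traffic into Squid on port 3129.
# Three pieces are needed together: (1) packets already owned by a local
# socket are marked via DIVERT, (2) new port-80 connections from the LAN
# are handed to Squid, and (3) mark-1 packets are routed to the local
# table instead of being forwarded. Squid must listen with
# "http_port ... tproxy" on 3129 for this (squid.conf currently has
# "transparent", which is the NAT/REDIRECT mode — see the commented
# REDIRECT rules below for that alternative). Table 100 is an arbitrary
# routing-table number.
$IP rule del fwmark 1 lookup 100 2>/dev/null
$IP rule add fwmark 1 lookup 100
$IP route replace local 0.0.0.0/0 dev lo table 100
$IPTABLES -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# Only LAN-originated traffic, and not requests for the gateway's own web
# port (the original rule had no interface match and also caught port-80
# packets arriving from the INET side).
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE ! -d $LAN_IP -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
#$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3129
#$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 21 -j REDIRECT --to-port 3129
#$IPTABLES -t mangle -A PREROUTING -d 10.80.2.2 -j ACCEPT
# POSTROUTING chain: masquerade the LAN behind the static address
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -j SNAT --to-source $STATIC_IP
# FORWARD chain
#$IPTABLES -A FORWARD -j LOG --log-level debug --log-prefix "IPT FORWARD packet died: "
#$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level notice --log-prefix "New not syn:"
#$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
# New connections arriving on $INET_IFACE are no longer forwarded into the
# LAN (the original "-i $INET_IFACE -j ACCEPT" admitted them all); replies
# to LAN-initiated traffic are already accepted by the ESTABLISHED,RELATED
# rule above. Add a specific rule here if one of the DNAT port-forwards in
# PREROUTING is enabled.
#$IPTABLES -A FORWARD -i $PPP0_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -i $PPP1_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT FORWARD packet died: "
# INPUT chain
#$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level notice --log-prefix "New not syn:"
#$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything from the LAN and loopback interfaces addressed to this host.
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d 255.255.255.255 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $STATIC_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $STATIC_IP -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $PPP0_IP -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $PPP1_IFACE -d $PPP1_IP -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $PPP1_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT INPUT packet died: "
# OUTPUT chain
#$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level notice --log-prefix "New not syn:"
#$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $PPP0_IP -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $PPP1_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT OUTPUT packet died: "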