squid.confANDrc.firewall

a guest
May 12th, 2012
1,611
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 15.53 KB | None | 0 0
  1. # cat /etc/squid/squid.conf
  2. visible_hostname gwschool
  3.  
  4. cache_effective_user nobody
  5. #cache_peer 192.168.0.1 parent 3128 0 no-query default
  6. #cache_peer 192.168.0.1 parent 3129 0 no-query default
  7.  
  8. #http_port 192.168.1.33:3129 intercept
  9. http_port 192.168.1.33:3128
  10. http_port 192.168.1.33:3129 transparent
  11. #http_port 192.168.1.33:3129 tproxy
  12. icp_port 0
  13.  
  14. #Не кешировать скрипты
  15. acl QUERY urlpath_regex cgi-bin
  16. no_cache deny QUERY
  17.  
  18. #cache_mem 32MB
  19.  
  20. #Путь к директории кеша и его размер(1000)
  21. cache_dir ufs /var/spool/squid/cache 5000 16 256
  22.  
  23. #Путь к лог-файлу доступа к SQUID(Статистика работы через SQUID)
  24. cache_access_log /var/log/squid/access.log
  25.  
  26. #Путь к лог-файлу SQUID - в нем события запуска SQUID и дочерних программ
  27. cache_log /var/log/squid/cache.log
  28.  
  29. #Ротация логов
  30. logfile_rotate 30
  31.  
  32. #Таблица MIME-типов для SQUID
  33. mime_table /etc/squid/mime.conf
  34.  
  35. #PID-файл SQUID
  36. pid_filename /var/run/squid.pid
  37.  
  38. #Пользователь для анонимного доступа к FTP
  39. ftp_user anonymous@asdf
  40.  
  41. #SQUID формирует страницу с папками на FTP - этот параметр - кол-во папок
  42. ftp_list_width 32
  43.  
  44. #Пассивный режим FTP
  45. ftp_passive on
  46.  
  47. #Проверка подлинности FTP
  48. ftp_sanitycheck on
  49.  
  50. #Адрес(а) DNS сервера(ов)
  51. #dns_nameservers 10.30.1.11
  52. dns_nameservers 10.0.1.1
  53.  
  54. #Стандартные ACL
  55. #acl all src 0.0.0.0/0.0.0.0 #Все
  56. acl manager proto cache_object
  57. acl localhost src 127.0.0.1/32 ::1 #Адрес localhost
  58. acl SSL_ports port 443 563 #Порты SSL
  59. acl SMTP port 25 #Для защиты от спама ;) Оказывается SQUID может делать relay
  60.  
  61. #Служебные ACL
  62. acl Safe_ports port 80 # http
  63. acl Safe_ports port 8080 # http
  64. acl Safe_ports port 2082 # cpanel
  65. acl Safe_ports port 21 # ftp
  66. acl Safe_ports port 443 563 # https, snews
  67. acl Safe_ports port 777 # multiling http
  68. acl CONNECT method CONNECT
  69.  
  70.  
  71.  
  72. acl allNet src 192.168.1.1-192.168.1.254
  73. acl reserv src 192.168.1.1-192.168.1.50
  74. acl room2-2 src 192.168.1.100-192.168.1.125
  75.  
  76.  
  77. # Список доменов, доступных школьникам
  78. acl GoodSites dstdomain "/etc/squid/goodsites.lst"
  79. # Список запрещенных сайтов
  80. acl BlackList dstdomain "/etc/squid/blacklist.lst"
  81. # .squid.lan .mozilla.com .i-rs.ru .mozilla.org .freepascal.org .freepascal.ru .joomla.ru .joomlaportal.ru .google.ru .google.com .gmail.com .mail.ru .yandex.ru .presnenskiypark.ru dp-presnenskiy.ru .presnenskiypark.lan .kidsworld.ru .3dmax.com .blender.org .wikisource.org .wikiquote.org .wiktionary.org .wikimedia.org .wikipedia.org .blender3d.org.ua .rambler.ru 192.168.0.1 127.0.0.1 .htmlbook.ru .openoffice.org .gwdg.de
  82.  
  83.  
  84. acl BadRegex url_regex -i foto\. photo\. video\.
  85. acl Files url_regex -i \.avi$ \.rar$ \.zip$ \.mpg$ \.swf$ \.mp3$ \.exe \.wma \.wmv \.asf
  86.  
  87. http_access deny room2-2 BadRegex
  88. http_access deny room2-2 Files
  89. http_access allow room2-2 GoodSites
  90. http_access deny room2-2 all
  91.  
  92. #http_access deny reserv BadRegex
  93. #http_access deny reserv Files
  94. #http_access allow reserv GoodSites
  95. #http_access deny reserv all
  96.  
  97. #http_access deny school-room BadRegex
  98. #http_access deny school-room Files
  99. #http_access allow school-room GoodSites
  100.  
  101. http_access deny !Safe_ports
  102. http_access deny SMTP
  103. http_access deny allNet BlackList
  104. #http_access allow all
  105. http_access allow allNet
  106. http_access deny all
  107.  
  108. #Каталог со страницами неполадок SQUID
  109. error_directory /usr/share/squid/errors/ru
  110.  
  111.  
  112. refresh_pattern -i \.gif$ 43200 100% 43200 override-lastmod override-expire
  113. refresh_pattern -i \.png$ 43200 100% 43200 override-lastmod override-expire
  114. refresh_pattern -i \.jpg$ 43200 100% 43200 override-lastmod override-expire
  115. refresh_pattern -i \.jpeg$ 43200 100% 43200 override-lastmod override-expire
  116. refresh_pattern -i \.pdf$ 43200 100% 43200 override-lastmod override-expire
  117. refresh_pattern -i \.zip$ 43200 100% 43200 override-lastmod override-expire
  118. refresh_pattern -i \.tar$ 43200 100% 43200 override-lastmod override-expire
  119. refresh_pattern -i \.gz$ 43200 100% 43200 override-lastmod override-expire
  120. refresh_pattern -i \.tgz$ 43200 100% 43200 override-lastmod override-expire
  121. refresh_pattern -i \.exe$ 43200 100% 43200 override-lastmod override-expire
  122. refresh_pattern -i \.prz$ 43200 100% 43200 override-lastmod override-expire
  123. refresh_pattern -i \.ppt$ 43200 100% 43200 override-lastmod override-expire
  124. refresh_pattern -i \.inf$ 43200 100% 43200 override-lastmod override-expire
  125. refresh_pattern -i \.swf$ 43200 100% 43200 override-lastmod override-expire
  126. refresh_pattern -i \.mid$ 43200 100% 43200 override-lastmod override-expire
  127. refresh_pattern -i \.wav$ 43200 100% 43200 override-lastmod override-expire
  128. refresh_pattern -i \.mp3$ 43200 100% 43200 override-lastmod override-expire
  129. --------------------------------------------------------------------
  130. # cat /etc/rc.d/rc.firewall
  131. #!/bin/sh
  132.  
  133. # Сценарий предназначен для настройки маршрутизации и
  134. # межсетевого экрана на маршрутизаторе офисной сети.
  135. # Для запуска переименуйте сценарий в rc.firewall
  136. # и дайте права доступа 755
  137.  
  138. # LAN/INET Configuration
  139. # Приведите в соответствие с настройками ваших сетей
  140. # следующие семь параметров!
  141. LAN_IFACE=eth0
  142. LAN_IP=192.168.1.33
  143. LAN_IP_RANGE=255.255.255.0/24
  144. LAN_BCAST_ADRESS=0.0.0.255/24
  145.  
  146. INET_IFACE=eth1
  147. STATIC_IP=10.40.2.34
  148. STATIC_BCAST_ADRESS=0.0.0.224
  149.  
  150. LO_IFACE=lo
  151. LOCALHOST_IP=127.0.0.1
  152.  
  153. #PPP0_IP=0.0.0.0
  154. #PPP0_IFACE=ppp0
  155. #PPP1_IP=0.0.0.0
  156. #PPP1_IFACE=ppp1
  157.  
  158. # IPTables Configuration.
  159. IPTABLES="/usr/sbin/iptables"
  160.  
  161. # Required modules
  162. /sbin/modprobe ip_tables
  163. /sbin/modprobe ip_nat
  164. /sbin/modprobe ip_conntrack
  165. /sbin/modprobe iptable_filter
  166. /sbin/modprobe iptable_mangle
  167. /sbin/modprobe iptable_nat
  168. /sbin/modprobe ipt_LOG
  169. /sbin/modprobe ipt_limit
  170. /sbin/modprobe ipt_state
  171. /sbin/modprobe nf_tproxy_core
  172.  
  173. # Non-Required modules
  174. /sbin/modprobe ipt_owner
  175. /sbin/modprobe ipt_REJECT
  176. /sbin/modprobe ipt_MASQUERADE
  177. /sbin/modprobe ip_conntrack_ftp
  178. /sbin/modprobe ip_conntrack_irc
  179. /sbin/modprobe ip_nat_ftp
  180. /sbin/modprobe ip_nat_irc
  181.  
  182. echo 1 > /proc/sys/net/ipv4/ip_forward
  183. echo 1 > /proc/sys/net/ipv4/conf/$INET_IFACE/proxy_arp
  184.  
  185. # Clear ALL rules
  186. $IPTABLES -F
  187. $IPTABLES -t mangle -F
  188. $IPTABLES -X
  189. $IPTABLES -t nat -F
  190. #----------------------------------------------------------------------------------------------------------
  191. $IPTABLES -t mangle -N DIVERT
  192. $IPTABLES -t mangle -A DIVERT -j MARK --set-mark 1
  193. $IPTABLES -t mangle -A DIVERT -j ACCEPT
  194.  
  195. # Set default policies for the INPUT, FORWARD and OUTPUT chains
  196. $IPTABLES -P INPUT DROP
  197. $IPTABLES -P OUTPUT DROP
  198. $IPTABLES -P FORWARD DROP
  199.  
  200. # Create chain for bad tcp packets
  201. $IPTABLES -N bad_tcp_packets
  202.  
  203. # Create separate chains for ICMP, TCP and UDP to traverse
  204. $IPTABLES -N allowed
  205. $IPTABLES -N icmp_packets
  206. $IPTABLES -N tcp_packets
  207. $IPTABLES -N udpincoming_packets
  208.  
  209. # bad_tcp_packets chain
  210. $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
  211. $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Bad TCP packet: "
  212. $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
  213.  
  214. # TCP sync rules
  215. $IPTABLES -A allowed -p TCP --syn -j ACCEPT
  216. $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  217. $IPTABLES -A allowed -p TCP -j DROP
  218.  
  219. # ICMP rules
  220. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
  221. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
  222. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
  223. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
  224. $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
  225.  
  226. # TCP rules
  227. $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
  228. $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
  229. $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
  230. $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
  231. $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
  232. $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3690 -j allowed
  233.  
  234. # UDP ports
  235. $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
  236.  
  237. #----------------------------------------------------------------------------------------------------------
  238.  
  239. # PREROUTING chain
  240. #$IPTABLES -t nat -A PREROUTING -p tcp -s 83.237.192.219 --dport 3389 -j DNAT --to 10.0.0.4
  241. #$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.1.12
  242. #$IPTABLES -t nat -A PREROUTING -p tcp -j DNAT --to-destination 10.0.0.69
  243.  
  244. # Black list
  245. #$IPTABLES -t nat -A PREROUTING -s 10.0.0.0/24 -p tcp --dport 80 -j DROP
  246. #$IPTABLES -t nat -A PREROUTING -s 10.0.0.65 -p tcp -j DROP
  247. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 218.202.223.0/24 -j DROP
  248. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 203.155.45.0/24 -j DROP
  249. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 203.145.172.0/24 -j DROP
  250. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.103.66.0/24 -j DROP
  251. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.189.192.0/24 -j DROP
  252. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 212.25.92.0/24 -j DROP
  253. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 213.176.8.0/24 -j DROP
  254. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 85.37.242.0/24 -j DROP
  255. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 194.167.228.0/24 -j DROP
  256. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.247.228.0/24 -j DROP
  257. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 194.185.192.0/24 -j DROP
  258. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 200.71.43.0/24 -j DROP
  259. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 211.233.14.0/24 -j DROP
  260. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.218.130.0/24 -j DROP
  261. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 217.199.177.0/24 -j DROP
  262. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.211.237.0/24 -j DROP
  263. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.211.237.0/24 -j DROP
  264. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 61.64.198.0/24 -j DROP
  265. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 218.108.49.0/24 -j DROP
  266. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 212.24.173.0/24 -j DROP
  267. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 70.88.217.0/24 -j DROP
  268. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 216.23.168.0/24 -j DROP
  269. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 69.60.114.0/24 -j DROP
  270. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 62.183.226.0/24 -j DROP
  271. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 213.227.43.0/24 -j DROP
  272. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 203.232.240.0/24 -j DROP
  273. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 202.8.87.0/24 -j DROP
  274. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 200.142.104.0/24 -j DROP
  275. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 200.89.142.0/24 -j DROP
  276. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 235.187.99.0/24 -j DROP
  277. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 213.207.57.0/24 -j DROP
  278. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 100.154.68.0/24 -j DROP
  279. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
  280. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
  281. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
  282. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -d 10.0.0.0/8 -j DROP
  283. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -d 172.16.0.0/12 -j DROP
  284. #$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -d 192.168.0.0/16 -j DROP
  285.  
  286. # ********* Redirect to SQUID **********
  287. #$IPTABLES -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  288. #$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE '!' -d 192.168.1.33 -p tcp --dport 80 -j TPROXY --on-port 3129
  289. #$IPTABLES -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  290. $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
  291. #$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3129
  292. #$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 21 -j REDIRECT --to-port 3129
  293.  
  294. #$IPTABLES -t mangle -F
  295. #$IPTABLES -t mangle -A PREROUTING -d 10.80.2.2 -j ACCEPT
  296. #$IPTABLES -t mangle -N DIVERT
  297. #$IPTABLES -t mangle -A DIVERT -j MARK --set-mark 1
  298. #$IPTABLES -t mangle -A DIVERT -j ACCEPT
  299.  
  300. #$IPTABLES -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  301. #$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
  302.  
  303. # POSTROUTING chain
  304. $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_IP_RANGE -j SNAT --to-source $STATIC_IP
  305.  
  306. # FORWARD chain
  307. #$IPTABLES -A FORWARD -j LOG --log-level debug --log-prefix "IPT FORWARD packet died: "
  308. #$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-level notice --log-prefix "New not syn:"
  309. #$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  310. $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
  311. $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  312. $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
  313. $IPTABLES -A FORWARD -i $INET_IFACE -j ACCEPT
  314. #$IPTABLES -A FORWARD -i $PPP0_IFACE -j ACCEPT
  315. #$IPTABLES -A FORWARD -i $PPP1_IFACE -j ACCEPT
  316. $IPTABLES -A FORWARD -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT FORWARD packet died: "
  317.  
  318. # INPUT chain
  319. #$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level notice --log-prefix "New not syn:"
  320. #$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  321. $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
  322. $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
  323. $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
  324. $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
  325. $IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
  326. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d 255.255.255.255 -j ACCEPT
  327. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
  328. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
  329. $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $STATIC_IP -j ACCEPT
  330. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LOCALHOST_IP -j ACCEPT
  331. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT
  332. $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $STATIC_IP -j ACCEPT
  333. #$IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $PPP0_IP -j ACCEPT
  334. #$IPTABLES -A INPUT -p ALL -i $PPP0_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
  335. #$IPTABLES -A INPUT -p ALL -i $PPP1_IFACE -d $PPP1_IP -j ACCEPT
  336. #$IPTABLES -A INPUT -p ALL -i $PPP1_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
  337. $IPTABLES -A INPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT INPUT packet died: "
  338.  
  339. # OUTPUT chain
  340. #$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-level notice --log-prefix "New not syn:"
  341. #$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
  342. $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
  343. $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
  344. $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
  345. $IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
  346. #$IPTABLES -A OUTPUT -p ALL -s $PPP0_IP -j ACCEPT
  347. #$IPTABLES -A OUTPUT -p ALL -s $PPP1_IP -j ACCEPT
  348. $IPTABLES -A OUTPUT -m limit --limit 1/hour --limit-burst 5 -j LOG --log-level notice --log-prefix "IPT OUTPUT packet died: "