Gateway com proxy (squid)

Colocado Segunda, 2009-12-21 21:55 por cusco

Boas.

Venho revelar aqui alguns segredos, já que debian nos tem revelado todo o seu codigo fonte...

temos definido o 192.168.2.10 como gateway, e nele temos:

--

root@gateway:~# crontab -l
# m h dom mon dow command

# MRTG
0-55/5 * * * * env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg >> /var/log/mrtg/mrtg.log 2>&1;
01-56/5 * * * * env LANG=C /usr/bin/mrtg /etc/mrtg/mem.cfg >> /var/log/mrtg/mem.log 2>&1;

# DDCLIENT
*/20 * * * * bash /usr/local/bin/update-ip >> /var/log/ddclient/update-ip.log 2>&1;

# GATEWAY
@reboot /usr/local/bin/gateway >> /var/log/gateway/gateway.log 2>&1;

--

root@gateway:~# cat /usr/local/bin/gateway
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F;
iptables -t nat -F;
iptables -t mangle -F;
iptables -X;

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT;

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT;
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT;
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT;

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT;

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE;

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT;

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward;

###########
## Squid ##
###########
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129;

###########
## Proxy ##
###########
ip route del 10.100.100.0/24;
ip route add 10.100.100.0/24 dev eth0 via 192.168.2.253;

--

root@gateway:~# cat /usr/local/bin/ARtelecom
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F;
iptables -t nat -F;
iptables -t mangle -F;
iptables -X;

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT;

# Allow established connections, and those not coming from the outside
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
#iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward;

route del default;
route add default gw 192.168.2.253;

###########
## Squid ##
###########

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129;

echo -e "Ligacao alterada para ARtelecom\nVamos testar:\n";
#IP=`curl checkip.dyndns.org |cut -d " " -f 6|cut -d "<" -f 1`;
IP=`lynx --dump checkip.dyndns.org|head -n 1|cut -d " " -f 7`;
echo "IP externo: $IP";

--

root@gateway:~# cat /usr/local/bin/Vodafone
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Gateway
route del default;
route add default gw 192.168.1.1;

###########
## Squid ##
###########
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129

echo -e "Ligacao alterada para VODAFONE\nVamos testar:\n";
#IP=`curl checkip.dyndns.org |cut -d " " -f 6|cut -d "<" -f 1`
IP=`lynx --dump checkip.dyndns.org|head -n 1|cut -d " " -f 7`
echo "IP externo: $IP";

--

root@gateway:~# cat /etc/squid/extra.conf
################
# Apt-Cacher #
################
#redirect_program /usr/lib/squid/jesred
#redirect_children 15

#cache_peer aptcacher parent 3142 7 proxy-only no-query no-netdb-exchange connect-timeout=15
#acl aptget browser #-i apt-get apt-http apt-cacher apt-proxy
#acl deburl urlpath_regex /(Packages|Sources|Release|Translations-.*)\(.(gpg|gz|bz2))?$ /pool/.*/\.deb$ /(Sources|Packages)\.diff/ /dists/[^/]*/[^/]*/(binary-.*|source)/.

#cache_peer_access aptcacher allow aptget
#cache_peer_access aptcacher allow deburl
#cache_peer_access aptcacher deny all

#never_direct allow aptget
#never_direct allow deburl
#never_direct deny all

################
# Interception #
################
http_port 3129 transparent

#################
# Reverse Proxy #
#################

#http_port 192.168.1.51:80 accel defaultsite=pcmedic.pt
#cache_peer 192.168.2.25 parent 80 0 no-query originserver name=pcmedicAccel
#cache_peer 192.168.2.25 parent 80 0 no-query originserver name=pcmedic.ath.cx

#acl our_website dstdomain pcmedic.pt
#http_access allow our_website
#cache_peer_access pcmedicAccel allow our_website
#cache_peer_access pcmedicAccel deny all

#################
# Blocks #
#################
# Media Streams

#rui.ferreira: desbloquiei o mms

## MediaPlayer MMS Protocol
#acl media rep_mime_type mms
#acl mediapr url_regex dvrplayer mediastream ^mms://
## (Squid does not yet handle the URI as a known proto type.)

## Active Stream Format (Windows Media Player)
#acl media rep_mime_type x-ms-asf
#acl mediapr2 urlpath_regex \.(afx|asf)(\?.*)?$

## Flash Video Format
#acl media rep_mime_type video/flv video/x-flv
#acl mediapr3 urlpath_regex \.flv(\?.*)?$

## Others currently unknown
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs

# Bloqueios

#http_access deny mediapr
#http_access deny mediapr2
#http_access deny mediapr3
#http_reply_access deny media

acl blocksites dstdomain -i "/etc/squid/squid-block.acl"
http_reply_access deny blocksites

## Flash General Media Scripts (Animation)
acl blockflash dstdomain -i "/etc/squid/block-flash.acl"
acl blockfl rep_mime_type application/x-shockwave-flash
acl blockedflash urlpath_regex \.swf(\?.*)?$

#http_reply_access deny blockfl blockfl

#################
# Normal Config #
#################
acl pcmedic_intra src 192.168.2.0/24
http_access allow pcmedic_intra

##debug
#debug_options ALL,1 33,2

--

root@gateway:~# cat /usr/local/bin/update-ip
#!/bin/bash

IP=`curl checkip.dyndns.org --interface eth1 2>/dev/null|cut -d " " -f 6|cut -d "<" -f 1`
echo "______________";
date +%F\ -\ %T;
/usr/sbin/ddclient -verbose -use=ip -ip $IP;
echo "--------------";

Bookmark/Search this post with:
  • del.icio.us
  • Twitter
  • Facebook
  • LinkedIn
  • Reddit
  • Digg
  • Google

Comentários

Opções de visualização dos comentários

Seleccione a sua forma preferida de visualização de comentários e clique "Gravar configuração" para activar as suas alterações.

Vi que referes o

by elmig - 2009-12-22 00:01

Vi que referes o apt-cacher...
Tive alguns problemas de fiabilidade com o apt-cacher.
Com o apt-cacher-ng funciona...

--
"No ínicio não havia nada e Ele disse: apt-get install light"