Help regarding iptables + squid3


Muhammad Arief Irwansyah

Jun 11, 2014, 5:18:33 AM6/11/14
to linux-...@googlegroups.com
Hello all,

I would like to ask about iptables + squid3.
The situation is as follows:
ISP: Speedy with a speed of 4608 kbps
Users: 30-35 PCs
Topology: Internet ------------ ADSL Modem ------------ PC Router / server ------------ switch ------------ client

On the PC Router / Server, I have installed iptables + squid3 with the following settings:
Here is the iptables conf:
# squid server IP
SQUID_SERVER="192.168.0.1"
# Interface connected to Internet
INTERNET="eth3"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j DNAT --to-destination 192.168.0.8:80
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j DNAT --to-destination 192.168.0.8:443
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 8081 -j DNAT --to-destination 192.168.0.101:8081

iptables -A FORWARD -o $INTERNET -i $LAN_IN -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

## IPTABLES TO BLOCK TORRENT (working correctly)
iptables -A INPUT -m string --string "BitTorrent" --algo bm --to 65535 -j DROP
iptables -A INPUT -m string --string "BitTorrent protocol" --algo bm --to 65535 -j DROP
iptables -A INPUT -m string --string "peer_id=" --algo bm --to 65535 -j DROP
iptables -A INPUT -m string --string ".torrent" --algo bm --to 65535 -j DROP
iptables -A INPUT -m string --string "announce.php?passkey=" --algo bm --to 65535 -j DROP
iptables -A INPUT -m string --string "torrent" --algo bm --to 65535 -j DROP
iptables -A INPUT -m string --string "announce" --algo bm --to 65535 -j DROP
iptables -A INPUT -m string --string "info_hash" --algo bm --to 65535 -j DROP
iptables -A INPUT -m string --string "peer_id" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "find_node" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "info_hash" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "get_peers" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "announce" --algo kmp --to 65535 -j DROP
iptables -A INPUT -m string --string "announce_peers" --algo kmp --to 65535 -j DROP

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

And the squid3 conf is as follows:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl youtube_domains dstdomain .googlevideo.com .youtube.com .ytimg.com
http_port 3128
coredump_dir /var/spool/squid3
visible_hostname localhost
acl gLogin dstdomain accounts.youtube.com
http_access deny youtube_domains !gLogin
http_access allow ods_network
http_access allow CONNECT
http_access allow localhost
http_access allow Safe_ports
coredump_dir /var/spool/squid
cache_effective_user serverinet
cache_effective_group serverinet
cache_dir ufs /var/spool/squid3 1024 16 256
deny_info http://192.168.0.101:8081/forum/ ods_network
deny_info http://orlansoft.com/ youtube_domains
access_log /var/log/squid/access.log
ident_lookup_access allow ODS_Network

The problem:
1. Why does the internet connection keep dropping and reconnecting over and over? Is something wrong in the iptables or squid3 settings?

I have already checked the following:
1. Replaced the ADSL modem. Same result, the connection is still unstable.
2. Replaced the LAN cable. Same result, the connection is still unstable.
3. Replaced the LAN card. Same result, the connection is still unstable.

Please give me some input, because I am a complete beginner when it comes to networking.
Thanks everyone.
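Two things worth ruling out before blaming the link itself, shown as an added example (written for this thread, not code from the post or from the Squid project): the squid.conf above references ACLs that are never defined (ods_network, CONNECT, Safe_ports, ODS_Network), and Squid refuses to start on such a config; and "http_port 3128" carries no intercept mode, so a DNAT of port 80 to 3128 would hand Squid requests it cannot serve as a plain proxy port. The script runs over a constructed copy of the posted config.

```shell
#!/bin/sh
# Added example (not from the post or Squid): lint a squid.conf for ACL names
# referenced but never defined (Squid refuses to start on those) and for an
# http_port with no mode keyword (a plain port cannot serve DNAT-redirected requests).

# Constructed sample modelled on the posted squid.conf; not the original file.
SAMPLE_CONF='acl localhost src 127.0.0.1/32 ::1
acl youtube_domains dstdomain .googlevideo.com .youtube.com .ytimg.com
acl gLogin dstdomain accounts.youtube.com
http_port 3128
http_access deny youtube_domains !gLogin
http_access allow ods_network
http_access allow CONNECT
http_access allow localhost
http_access allow Safe_ports
deny_info http://192.168.0.101:8081/forum/ ods_network
ident_lookup_access allow ODS_Network'

# Print each referenced-but-undefined ACL name once (C-locale sorted). Names are
# case-sensitive, so ods_network and ODS_Network are both missing; "all" is built in.
undefined_acls() {
    printf '%s\n' "$1" | awk '
        function check(name) {
            sub(/^!/, "", name)
            if (name != "all" && !(name in defined) && !(name in seen)) {
                seen[name] = 1; print name
            }
        }
        /^[ \t]*acl[ \t]/ { defined[$2] = 1; next }
        /^[ \t]*(http_access|ident_lookup_access)[ \t]/ {
            for (i = 3; i <= NF; i++) check($i)
        }
        /^[ \t]*deny_info[ \t]/ { check($3) }
    ' | LC_ALL=C sort
}

# Print the mode keyword of the first http_port line (intercept, transparent,
# tproxy) or "none" for a plain forward-proxy port.
http_port_mode() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*http_port[ \t]/ {
            mode = "none"
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(intercept|transparent|tproxy)$/) mode = $i
            print mode; exit
        }'
}

undefined_acls "$SAMPLE_CONF"   # prints CONNECT, ODS_Network, Safe_ports, ods_network (one per line)
http_port_mode "$SAMPLE_CONF"   # prints none
```

Run it against the real /etc/squid3/squid.conf with `undefined_acls "$(cat /etc/squid3/squid.conf)"`; an empty result and a mode of intercept are what a working transparent setup should show.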