My internet-facing server has 2 NICs; the NIC connected to the internal network has
IP address 10.10.0.1/24.
First, at the terminal, enable IP forwarding and masquerading on the external interface:
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
See the current iptables configuration with
iptables -L -t nat (to see the nat table) or iptables -L (to see the general filter rules)
We will remove the two REJECT rules, the one in the INPUT chain and the one in the FORWARD chain:
iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
yum install squid
nano /etc/squid/squid.conf
go to this line
http_port 3128
and change it to
http_port 3128 intercept
so that Squid works as a transparent (intercepting) proxy.
Save the file and restart Squid:
service squid restart
To make sure all client traffic to port 80 (the intercepted traffic) goes to port 3128 on the Squid server:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.10.0.1:3128
Now we need to make sure clients can only use port 3128 to access the net:
iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
By default there is a rule in the INPUT chain which accepts anything from anywhere.
You can see this with
iptables -L
In my case it is the third line.
I had to delete it to make sure the clients use port 3128:
iptables -t filter -D INPUT 3
So at the end the INPUT chain of my iptables configuration looks like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:squid
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
On the client, set the browser proxy to the server with port 3128.
Save this configuration with
iptables-save > iptables.conf
This will create iptables.conf (in whatever directory you are in) containing the current iptables configuration.
Make a backup of the original iptables rules file:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables_back
Now replace the original iptables rules with our custom configuration:
mv /etc/iptables.conf /etc/sysconfig/iptables
Now restart iptables:
service iptables restart
To load an iptables configuration temporarily (for the running session only):
iptables-restore < iptables.conf
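The "accepts anything from anywhere" rule above has to be picked out by its number, and plain iptables -L hides interface matches, so a rule such as -A INPUT -i lo -j ACCEPT prints exactly like a truly unqualified ACCEPT. The script below is an added example, not part of the original post: it reads the chain in iptables -S form (the sample ruleset is constructed, modelled on the INPUT chain shown above) and reports only the unqualified ACCEPT rules with the number that iptables -D INPUT <n> expects, plus where the final REJECT sits relative to them.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables INPUT chain given
# in `iptables -S INPUT` form and report ACCEPT rules that match everything.
# `iptables -L` drops interface matches, so "-i lo" and a bare "-j ACCEPT" both
# print as "ACCEPT all -- anywhere anywhere"; the -S form keeps the difference.

# Constructed sample (not captured from a real host) modelled on the chain shown
# in the post: a stock ruleset, a loopback rule, a bare ACCEPT, and the squid rule.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Print "<n> <rule>" for each rule of the form "-A <chain> -j ACCEPT" with no
# match options at all. <n> counts -A lines only, which is the number that
# `iptables -L --line-numbers` shows and that `iptables -D INPUT <n>` expects.
blanket_accepts() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" {
            n++
            if (NF == 4 && $3 == "-j" && $4 == "ACCEPT") print n, $0
        }'
}

# Rule number of the last REJECT in the chain (0 if none). A blanket ACCEPT
# numbered below this is live and makes the REJECT unreachable for new traffic.
reject_position() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" { n++; if ($0 ~ /-j REJECT/) pos = n }
        END { print pos + 0 }'
}

# Run the audit against the live kernel table (needs root and iptables installed).
audit_live_input() {
    rules=$(iptables -S INPUT) || return 1
    blanket_accepts "$rules"
}

# Stand-alone demo on the constructed sample: prints "4 -A INPUT -j ACCEPT".
blanket_accepts "$SAMPLE_RULES"
```

On a real host run audit_live_input as root; a blanket rule numbered below the REJECT is the one the post deletes, while interface-bound rules such as the loopback one are left alone.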