Hello:
Very nice and easy script to use. Thank you very much for this good work. It's been running on my linux machine for two years now (version 0.9).
 
For half a year, I have been trying to solve one issue:
My linux firewall machine has squid as the proxy server, all internal network computers will be redirected to squid as long as they set it (on iexplorer connection setting) so. But the problem is that they can also browse out when setting iexplorer NOT using proxy. This time, the out-going internet browsing is by-passing the squid (NAT'ed out directly).
 
Your feedback is appreciated.
 
David Chen
 
This is my firewall.conf (pretending my external IP is 123.123.123.123)
==========================================================
#!/bin/sh
# ------------------------------------------------------------
# Configuration file for firewall script
# Author:      Jamin W. Collins
# Web Site:    http://www.asgardsrealm.net/linux/firewall
# E-Mail:      [EMAIL PROTECTED]
# ------------------------------------------------------------
# This is the configuration file for the firewall script
# The firewall script expects to find this file as:
#   /etc/firewall.conf
# ------------------------------------------------------------
 
#
# Begin variable configuration
#
 
# Location of iptables executable
IPTABLES=/sbin/iptables
 
# IP address for everything outside
# This should not need to be changed from 0/0, except in very
# special cases
 
ANYWHERE="0/0"
 
# IP of interface internal to the private network
INT_IP="192.168.1.51"
 
# IP of public/Internet interface
#EXT_IP=`ifconfig eth0 | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
 
EXT_IP="123.123.123.123"
 
# All variables from this point on accept multiple entries
# separated by spaces
 
# Device name of external interface(s) (eg. eth0)
 
EXT_INTERFACES="eth1"
 
# IP address for internal network(s)
# you can specify ip/mask pairs
 
INT_NETWORKS="192.168.0.0/24 192.168.1.0/24"
 
## Logging ##
 
# Would you like logging of disallowed packets?
 
LOGGING_ENABLED="1"
 
# What would you like prefixed to every log entry made by the
# firewall script?
 
LOGGING_PREFIX="FW:"
 
## Blocking ##
# Entries in the Blocking section will be blocked from making
# any connection(s) of any kind on all interfaces.  These
# connection attempts will be dropped with no logging of
# any kind. This includes any internal or trusted interfaces.
 
# The following MAC addresses will be explicitly blocked from
# making any and all connections to the system.
 
#BLOCKED_MACS="50:da:b5:13:02:08"
 
# The following IP addresses will be explicitly blocked from
# making any and all connections to the system.
# Note: as many people have dynamic IP addresses, it is better
# to block by MAC address (AFAIK)
 
BLOCKED_SRC_IPS="210.78.31.71 129.89.14.142 194.19.2.166"
 
# Traffic destined for any of the following IP addresses
# will be dropped
 
BLOCKED_DST_IPS="255.255.255.255 192.168.2.255 224.0.0.0/8"
 
# Traffic attempting to connect out to these ports will be
# dropped.
##### I added these ports for messenger file transfer ports #########
BLOCKED_OUTGOING_PORTS="1863 6891:6900"
 
# The following ports will be blocked for both UDP and TCP
# This option is included to help eliminate log flooding
# Note, this pertains only to traffic coming in on the
# external interfaces for these ports.
 
#_*_*_* I added a 111 port: a sunrpc a portmapper NIS/NIS+ (network yellow pages)####
#_*_*_* I added a 631 port:IPP Internet Printing Protocol, to become network printing standard ###
#_*_*_* I added a 873 port:RSYNC copying files between networked computer. only copy diffs, good ###
#_*_*_* I added a 6000 port:X11 ###
BLOCKED_PORTS="111 137:139 631 1863 873 6891:6900"
 
## Allowing ##
 
# Allowed Ports
# The following ports will be allowed in from the interfaces listed
# in EXT_INTERFACES.  For more information on which ports and/or
# protocols are needed for which services, check "/etc/services".
#
# Ports for all protocols
ALLOWED_PORTS="53"
 
# Ports for UDP only
# 53 is used for DNS queries into the firewall machine
 
#ALLOWED_PORTS_UDP="500"
 
# Ports for TCP
# 22 is used for SSH connections into the firewall machine
# 80 is used for HTTP connection into the firewall machine
 
ALLOWED_PORTS_TCP="20 21 22 25 110 80"
 
# Protocols to allow and from where
# 0/0 stands for anywhere
# protocol numbers are taken from /etc/protocols (names may be
# used also. 1 is for ICMP (pings, traceroute). 50 is for IPSEC
 
#ALLOWED_PROTOCOLS="0/0(1) 0/0(50)"
 
## Forwarding ##
 
# Forwarding Ports
# The following will redirect port connections on one IP address
# to another.  This is commonly used to make services running on
# a machine behind your firewall available to machines connected
# on your firewall's external interfaces.  This is commonly
# referred to as "punching a hole" in your firewall.
#
# format: external_ip(ex
# format: remote_ip(remote_port)-local_ip(local_port)
#
# To allow 232.123.123.6 to access all privileged ports, 232.123.123.5
# to access rsh, but only if the connection came from a secure port
# (under 1024)
# TRUSTED_CONNECTIONS="232.123.123.6()-192.168.0.2(:1024) \
#   232.123.123.5(:1024)-192.168.0.2(514)"
 
#TRUSTED_CONNECTIONS=""
 
TRUSTED_INTERFACES="eth0"
 
## Squid Proxy ##
 
# The following variables can be used to enable transparent redirection
# through a Squid proxy server.  Simply set SQUID_ENABLED to 1, and
# SQUID_PORT to the port your Squid proxy is listening on.  Any outbound
# connections to port 80 will be redirected to the Squid proxy.  For
# more information on configuring Squid, please visit this site:
#
#   http://www.tldp.org/HOWTO/mini/TransparentProxy.html
 
SQUID_ENABLED="1"
SQUID_PORT="3128"
 

## Hooks ##
 
# Pre and Post Hooks
# These variables provide a convenient means of adding custom
# extensions to the firewall script.  These variables can be set to
# any command/script that you would like to run.  The command/script
# will be run at the appropriate time automatically.  For example,
# any command listed for PRESTART will be run prior to the normal
# START sequence for the firewall script.  Likewise POSTSTART will
# be run after the normal start sequence for the firewall script.
 
PRESTART=""
POSTSTART=""
PRESTOP=""
POSTSTOP=""
PRERESTART=""
POSTRESTART=""
 
#
# End of variable configuration
#
 
# ------------------------------------------------------------
==========================================================
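The transparent redirection that the Squid section of the config describes depends on a nat/PREROUTING REDIRECT rule matching the internal networks before the MASQUERADE in nat/POSTROUTING sends the packets straight out; the following is an added example (not the firewall script's own code and not part of the posted firewall.conf) that builds such rules from the posted variable names. It assumes the internal interface is the one in TRUSTED_INTERFACES and that Squid itself has been set up for transparent mode as the linked TLDP HOWTO describes.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the iptables rules that
# force port-80 traffic from the internal networks through Squid, so a
# client that has NOT configured a proxy in its browser still goes via
# Squid instead of being NAT'ed out directly. Variable names follow the
# posted firewall.conf; defaults below are the posted values.
IPTABLES=${IPTABLES:-/sbin/iptables}
INT_NETWORKS=${INT_NETWORKS:-"192.168.0.0/24 192.168.1.0/24"}
INT_IP=${INT_IP:-192.168.1.51}
SQUID_PORT=${SQUID_PORT:-3128}
TRUSTED_INTERFACES=${TRUSTED_INTERFACES:-eth0}

# Print the rules in order. nat/PREROUTING is evaluated before routing and
# before nat/POSTROUTING, so a REDIRECT here wins over the MASQUERADE that
# otherwise carries the bypassing traffic out. The RETURN must come first so
# that browsing to the firewall's own port 80 (allowed in ALLOWED_PORTS_TCP)
# is not looped into Squid.
squid_redirect_rules() {
    for iface in $TRUSTED_INTERFACES; do
        echo "$IPTABLES -t nat -A PREROUTING -i $iface -p tcp -d $INT_IP --dport 80 -j RETURN"
        for net in $INT_NETWORKS; do
            echo "$IPTABLES -t nat -A PREROUTING -i $iface -s $net -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
        done
    done
}

# Sanity check: one REDIRECT per internal network per internal interface.
redirect_rule_count() {
    squid_redirect_rules | grep -c -- '-j REDIRECT'
}

# Dry run by default; set APPLY=1 to execute the rules as root.
# Squid must also be configured for transparent/interception mode (see the
# TLDP HOWTO linked in the config); the iptables rules alone are not enough.
if [ "${APPLY:-0}" = "1" ]; then
    squid_redirect_rules | while IFS= read -r rule; do eval "$rule"; done
else
    squid_redirect_rules
fi
```

After applying, `iptables -t nat -L PREROUTING -nv` shows per-rule packet counters; if the REDIRECT counters stay at zero while a client browses with no proxy configured, the rule is not matching (wrong interface or network) and that traffic is still leaving via MASQUERADE.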
