Blog of the IU22 Informatika group

2010/02/12

08UD. Firewalls. Transparent proxy

Filed under: Uncategorized — irakasleibiltaria @ 8:00 am

What is a transparent proxy?

| internal network |-----| squid |--------( internet )

To reach the internet from the internal network, traffic must pass through the proxy. To achieve this, iptables redirects everything arriving on port 80 to the port the proxy is listening on.

Configuring squid as a transparent proxy

[It is assumed that squid is already installed]

squid's configuration is kept in the file squid.conf. squid.conf is enormous, and most of its options are commented out. The command below strips comments and blank lines. Very useful:

# cat /etc/squid/squid.conf | sed '/^#/d; /^$/d'
(explanation: /^#/ matches lines starting with # and /^$/ matches empty lines; 'd' means delete)

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl barne_sarea src 10.14.5.1-10.14.5.254
acl debekatutako_URLak url_regex youtube.com
http_access deny debekatutako_URLak
http_access allow barne_sarea
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

cache_effective_user erabiltzailea
cache_effective_group erabiltzailea

# note: the user must be an existing system user. In some cases a dedicated proxy user is created

coredump_dir /var/spool/squid
visible_hostname localhost.localdomain
http_port 3128 transparent

  • /etc/init.d/squid restart
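Because Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, the order of the lines above matters: `http_access allow barne_sarea` sits before `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`, so those two restrictions never apply to clients on the internal network (Safe_ports and SSL_ports are referenced but not defined in the listing; Squid's stock squid.conf defines them). The following Python script is an added example, not part of the original post and not Squid's own code; it re-implements first-match evaluation for the ACL types used above, assumes Squid's default Safe_ports/SSL_ports values, and compares the post's order with a variant that moves the two deny lines first. Client addresses and URLs are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# ACLs from the post. Safe_ports/SSL_ports values are an ASSUMPTION (Squid's stock defaults).
ACLS = """\
# comment and blank lines are skipped, as the sed filter in the post does
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl SSL_ports port 443 563
acl barne_sarea src 10.14.5.1-10.14.5.254
acl debekatutako_URLak url_regex youtube.com
"""

# http_access lines in the post's order: the LAN allow precedes the port/CONNECT denies.
RULES = """\
http_access deny debekatutako_URLak
http_access allow barne_sarea
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

def restrictions_first(rules_text: str) -> str:
    """Hardened variant: the port and CONNECT denies move ahead of everything else."""
    lines = rules_text.splitlines()
    early = [l for l in lines if "Safe_ports" in l or "SSL_ports" in l]
    return "\n".join(early + [l for l in lines if l not in early])

@dataclass
class Request:
    src: str     # client IP
    method: str  # GET, CONNECT, PURGE, ...
    url: str     # absolute URL, or host:port for CONNECT

    @property
    def port(self) -> int:
        if self.method == "CONNECT":
            return int(self.url.rsplit(":", 1)[1])
        u = urlsplit(self.url)
        return u.port or {"http": 80, "https": 443, "ftp": 21}.get(u.scheme, 80)

def parse_config(text: str):
    """Return ({acl name: (type, values)}, [(action, terms, line)]) in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "acl":  # repeated acl lines with the same name accumulate
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:], line))
    return acls, rules

def _in_src(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if "-" in spec:  # Squid range syntax a.b.c.d-a.b.c.e
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def _in_port(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def acl_matches(acls, name: str, req: Request) -> bool:
    kind, values = acls[name]
    if kind == "src":
        return any(_in_src(v, req.src) for v in values)
    if kind == "port":
        return any(_in_port(v, req.port) for v in values)
    if kind == "method":
        return req.method in values
    if kind == "proto":  # URL scheme; a CONNECT request has none
        return "://" in req.url and req.url.split("://", 1)[0] in values
    if kind == "url_regex":
        return any(re.search(v, req.url) for v in values)
    raise ValueError(f"acl type not modelled here: {kind}")

def evaluate(config_text: str, req: Request):
    """First http_access line whose terms all match decides (a '!' term matches when
    its ACL does not). With no match at all, the opposite of the last line's action applies."""
    acls, rules = parse_config(config_text)
    for action, terms, line in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, line
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

if __name__ == "__main__":
    req = Request("10.14.5.20", "CONNECT", "example.com:8080")  # constructed LAN client
    print("post order:    ", evaluate(ACLS + RULES, req))
    print("hardened order:", evaluate(ACLS + restrictions_first(RULES), req))
```

Running it shows a CONNECT to port 8080 allowed by `allow barne_sarea` under the post's order and stopped by `deny CONNECT !SSL_ports` once the restrictions come first; the youtube.com deny, the localhost-only manager/purge lines and the final `deny all` for outside addresses behave the same in both orders.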

IPTABLES commands for the transparent proxy:

[NOTE. Before doing this section, it is advisable to go through the introduction to iptables]

Set the IPTABLES rules:

#!/bin/sh
# ------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# ------------------------------------------------------------
# squid server IP
SQUID_SERVER="10.14.5.31"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections we opened (DNS, passive FTP via the conntrack helper)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
#iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

  • Save these rules in a file named proxy-gardena and
  • # chown root:root proxy-gardena
  • # chmod 755 proxy-gardena
  • # mv proxy-gardena /etc/init.d/
  • # cd /etc/rc2.d/
  • # ln -s /etc/init.d/proxy-gardena S20proxy-gardena

This way the iptables rules are executed when the system boots, and requests going to port 80 are passed through the proxy.
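To see which traffic the script actually hands to Squid, here is an added Python example (not from the post and not from nixCraft) that walks constructed packets through the two nat PREROUTING rules, applying the first-match semantics of an iptables chain. Interface names and the Squid address and port mirror the script's variables; the eth0 address and the sample addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are assumptions. It shows that only TCP port 80 arriving from the LAN is intercepted: HTTPS and DNS go out through MASQUERADE untouched, so the url_regex filter in squid.conf only ever sees plain HTTP. A connection arriving on the internet side on port 80 is also redirected to port 3128; whether it is then accepted is decided by the filter INPUT chain, which this model does not cover (in the script, INPUT only accepts ESTABLISHED,RELATED on $INTERNET and its policy is DROP).

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Values mirror the variables in the post's script; the eth0 address is constructed.
SQUID_SERVER, SQUID_PORT = "10.14.5.31", 3128
INTERNET, LAN_IN = "eth0", "eth1"
LOCAL_ADDR = {LAN_IN: SQUID_SERVER, INTERNET: "198.51.100.10"}  # primary address per interface (assumed)

@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    in_iface: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    target: str   # "DNAT" or "REDIRECT"
    to: Tuple     # (addr, port) for DNAT, (port,) for REDIRECT

# The two nat PREROUTING rules of the script, in the order they are appended.
PREROUTING = [
    Rule(LAN_IN, "tcp", 80, "DNAT", (SQUID_SERVER, SQUID_PORT)),  # -i eth1 -p tcp --dport 80 -j DNAT --to 10.14.5.31:3128
    Rule(INTERNET, "tcp", 80, "REDIRECT", (SQUID_PORT,)),         # -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """A None field in the rule is a wildcard, like an omitted iptables match."""
    return ((rule.in_iface is None or rule.in_iface == pkt.in_iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def prerouting(pkt: Packet, rules=PREROUTING):
    """Return (packet after nat PREROUTING, index of the rule that fired or None).
    DNAT and REDIRECT are terminating targets, so the chain stops at the first hit."""
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule.target == "DNAT":
            addr, port = rule.to
            return replace(pkt, dst=addr, dport=port), i
        if rule.target == "REDIRECT":  # rewrites to the incoming interface's own address
            return replace(pkt, dst=LOCAL_ADDR[pkt.in_iface], dport=rule.to[0]), i
    return pkt, None

def reaches_squid(pkt: Packet) -> bool:
    """True when nat delivers the packet to the local Squid socket (http_port 3128 binds all addresses)."""
    out, _ = prerouting(pkt)
    return out.dport == SQUID_PORT and out.dst in LOCAL_ADDR.values()

if __name__ == "__main__":
    samples = {  # constructed packets from documentation address ranges
        "LAN http":  Packet(LAN_IN, "tcp", "10.14.5.20", "203.0.113.80", 80),
        "LAN https": Packet(LAN_IN, "tcp", "10.14.5.20", "203.0.113.80", 443),
        "LAN dns":   Packet(LAN_IN, "udp", "10.14.5.20", "203.0.113.53", 53),
        "WAN http":  Packet(INTERNET, "tcp", "203.0.113.7", "198.51.100.10", 80),
    }
    for name, pkt in samples.items():
        out, idx = prerouting(pkt)
        print(f"{name:9s} rule={idx} -> {out.dst}:{out.dport} squid={reaches_squid(pkt)}")
```

The model deliberately stops at the nat table; the `reaches_squid` answer for the WAN packet says only that the redirect happens, not that the connection survives the INPUT chain.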
