2009/1/4 Roberto Macchetta <[email protected]>:
> hi
> I changed the script the way you told me:
>
> #!/bin/sh
> # squid server IP
>
> SQUID_SERVER="192.168.0.1"
>
> # Interface connected to Internet
> INTERNET="eth0"
> # Interface connected to LAN
> LAN_IN="eth1"
>
> # Squid port
> SQUID_PORT="3128"
>
> # DO NOT MODIFY BELOW
> # Clean old firewall
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
> # Load IPTABLES modules for NAT and IP conntrack support
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> # For win xp ftp client
> #modprobe ip_nat_ftp
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Setting default filter policy
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
>
> # Unlimited access to loop back
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Allow UDP, DNS and Passive FTP
> iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # set this system as a router for Rest of LAN
> iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
> iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
>
> # unlimited access to LAN
> iptables -A INPUT -i $LAN_IN -j ACCEPT
> iptables -A OUTPUT -o $LAN_IN -j ACCEPT
>
> # DNAT port 80 requests coming from LAN systems to squid 3128
> # ($SQUID_PORT) aka transparent proxy
> #iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
>
> # if it is same system
> #iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
>
> # taken from the newsgroup
> #iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
>
> iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # DROP everything and Log it
> iptables -A INPUT -j LOG
> iptables -A INPUT -j DROP
>
> I ran the script and then tried to connect from the laptop, but
> it still doesn't work; it's the same as before, I always have to set the proxy
> by hand. Do you need me to post some configuration file (the output of
> iptables or anything else)?
>
> I don't understand why it doesn't work...

I have to admit, this script looks a bit of a mess to me :-)
I'll try to interpret what you want and rewrite it more "tidily". So:

#!/bin/bash

# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# Flush the old firewall (rules, user chains and counters in all three tables)
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

# IP Forward
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# INPUT chain: replies, anything from the LAN, ICMP except ping requests, loopback
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A INPUT -p icmp --icmp-type ! echo-request -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# NAT and Redirect: masquerade outbound traffic, send LAN port 80 to Squid on this host
iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# Other FORWARD rules
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IN -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ! echo-request -j ACCEPT

Try it this way. Now the script is a bit tidier, and I took it directly from the script of my own transparent proxy :-)

-- 
Dario Pilori
-Linux registered user #406515
-Debian GNU/Linux user
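As an added example that is not part of either message in this thread, here is the same transparent-proxy ruleset written as a function-based POSIX shell script with a dry-run switch, so the generated iptables commands can be inspected (and counted) before being run as root. Interface names, the Squid port and the DRY_RUN default are assumptions. It uses `-m conntrack --ctstate` (the current form of `-m state --state`) and `--to-ports`, and it limits FORWARD to traffic entering from the LAN and leaving towards the Internet instead of accepting anything from the LAN interface.

```shell
#!/bin/sh
# Added example: transparent-proxy ruleset with a dry-run switch and a
# self-check. eth0/eth1, port 3128 and DRY_RUN=1 are assumed values.
set -e

INTERNET="${INTERNET:-eth0}"     # interface towards the Internet (assumed)
LAN_IN="${LAN_IN:-eth1}"         # interface towards the LAN (assumed)
SQUID_PORT="${SQUID_PORT:-3128}" # port Squid listens on in intercept mode
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = run them (root)

# Print or execute one iptables invocation, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Enable routing between the two interfaces.
forward_on() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Emit the complete ruleset. Order matters inside each chain: reply
# traffic first, then interface-based rules, policies cover the rest.
apply_rules() {
    # Flush rules, user chains and counters so the script is idempotent.
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
        ipt -t "$t" -Z
    done

    forward_on

    # Default policies: drop what is addressed to the box or routed through it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT: loopback, replies to our own connections, everything from the LAN,
    # ICMP except echo-request (the box does not answer pings from outside).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$LAN_IN" -j ACCEPT
    ipt -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT

    # FORWARD: LAN may reach the Internet; only replies come back in.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IN" -o "$INTERNET" -j ACCEPT

    # NAT: masquerade outbound traffic; intercept LAN port 80 into Squid on
    # this host. REDIRECT covers plain HTTP only, HTTPS (443) is not touched.
    ipt -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
    ipt -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Sanity check on the generated rules: exactly one port-80 REDIRECT to
# $SQUID_PORT must be present. Returns 0 on success, 1 otherwise.
check_redirect() {
    n=$(apply_rules | grep -c "REDIRECT --to-ports $SQUID_PORT" || true)
    [ "$n" -eq 1 ]
}

if [ "$DRY_RUN" = "1" ]; then
    apply_rules
    check_redirect && echo "# ok: one port-80 REDIRECT to $SQUID_PORT"
fi
```

Run it with `DRY_RUN=1 sh script.sh` to review the commands, then `DRY_RUN=0 sh script.sh` as root to apply them. Two things the firewall script alone cannot fix: Squid must listen in intercept mode (`http_port 3128 transparent` on Squid 2.6/2.7, `http_port 3128 intercept` on 3.1 and later), otherwise redirected connections are rejected as invalid requests; and the LAN clients must use this host as their default gateway, otherwise the PREROUTING rule never sees their traffic. `iptables -t nat -L PREROUTING -n -v` shows the packet counter of the REDIRECT rule; if it stays at zero while a client browses, the traffic is not passing through this box.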

