Всем добрый день! Знаю, что много писали об этом, но очень-очень надо! Есть шлюз, на котором eth0 смотрит в инет, а eth1 — в локалку. Также есть скрипт
#!/bin/bash
# Gateway firewall script: eth0 faces the Internet, eth1 faces the LAN.
# All settings are fixed here at load time; nothing is read from the environment.

# Internet-facing side (INET_IP is the SNAT source for LAN traffic leaving the box)
INET_IFACE="eth0"
INET_IP="192.168.0.100"

# LAN side (LAN_IP is the gateway's own address on the LAN)
LAN_IFACE="eth1"
LAN_IP="192.168.10.1"
LAN_IP_RANGE="192.168.10.0/24"
LAN_BCAST_ADRESS="192.168.10.255"   # not referenced by any rule; name kept as-is (sic)

# Loopback
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Tool paths. Only IPTABLES is used by the functions below.
# NOTE(review): iptables-save is given under /bin while iptables-restore is
# under /sbin - confirm the real locations on this host if these get used.
IPTABLES="/sbin/iptables"
IPTRESTORE="/sbin/iptables-restore"
IPTSAVE="/bin/iptables-save"
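#######################################
# Reset the firewall to an open state: default-ACCEPT policies on the three
# filter chains, then flush every rule in the filter, nat and mangle tables.
# (The name shadows the 'clear' command on purpose - the dispatcher calls it.)
# Globals:   IPTABLES (read)
# Outputs:   progress messages on stdout
# Returns:   0 (status of the final message)
#######################################
clear()
{
  printf '%s' "Turn policies to ACCEPT...."
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  printf '%s\n' "Done"
  printf '%s' "Clear filtering table...."
  $IPTABLES -F
  $IPTABLES -F -t nat
  # start() installs a TTL rule in mangle/PREROUTING; flush it here as well so
  # that 'stop' and 'restart' do not leave it behind.
  $IPTABLES -F -t mangle
  printf '%s\n' "Done"
}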
#######################################
# Tear the firewall down: open the policies and flush the tables via clear(),
# then delete the user-defined chains created by start().
# Globals:   IPTABLES (read)
# Outputs:   progress messages on stdout
#######################################
stop()
{
  local chain
  clear
  echo -n "Delete user specified chains...."
  # bad_tcp_packets is never created by start(), so it is not deleted here either.
  # Deletion errors (chain already gone) are silenced, as before.
  for chain in allowed allowed_udp icmp_packets tcp_packets udpincoming_packets; do
    $IPTABLES -X "$chain" 2> /dev/null
  done
  echo "Done"
}
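#######################################
# Build the whole rule set: user chains, the INPUT / FORWARD / OUTPUT filters,
# the transparent-proxy REDIRECT for LAN web traffic and the SNAT rules.
# The DROP policies are set only after the accepting rules are in place.
# Globals:   IPTABLES, INET_IFACE, INET_IP, LAN_IFACE, LAN_IP, LAN_IP_RANGE,
#            LO_IFACE (read)
# Outputs:   progress messages on stdout
#######################################
start()
{
  clear
  echo -n "Create user specified chains...."
  #$IPTABLES -N bad_tcp_packets 2> /dev/null
  $IPTABLES -N allowed 2> /dev/null
  $IPTABLES -N allowed_udp 2> /dev/null
  $IPTABLES -N icmp_packets 2> /dev/null
  $IPTABLES -N tcp_packets 2> /dev/null
  $IPTABLES -N udpincoming_packets 2> /dev/null
  echo "Done"
  echo "Create content in user specified chains"
  #echo -n "bad_tcp_packets chain...."
  #$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
  echo "Done"
  # allowed: TCP belonging to a known connection, or a fresh SYN; anything else is dropped
  echo -n "allowed...."
  $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed -p TCP --syn -j ACCEPT
  $IPTABLES -A allowed -p TCP -j DROP
  echo "Done"
  echo -n "allowed_udp...."
  $IPTABLES -A allowed_udp -p UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed_udp -p UDP -j DROP
  echo "Done"
  echo -n "icmp_packets...."
  $IPTABLES -A icmp_packets -p ICMP -j ACCEPT
  echo "Done"
  # tcp_packets: the service ports that may be opened; NetBIOS/SMB from the Internet is dropped
  echo -n "tcp_packets...."
  $IPTABLES -A tcp_packets -p TCP -m multiport --dport 22,25,443,53,110,143,995,80,8080,1194,22222 -j allowed
  $IPTABLES -A tcp_packets -p TCP -i "$INET_IFACE" -m multiport --dport 137:139,445 -j DROP
  echo "Done"
  echo -n "udpincoming_packets...."
  $IPTABLES -A udpincoming_packets -p UDP -m multiport --dport 53,9001 -j allowed_udp
  echo "Done"
  echo -n "INPUT chain"
  # NOTE(review): raises TTL by 1 on TCP to the classic traceroute port range;
  # presumably meant to hide this hop from traceroutes - confirm the intent.
  $IPTABLES -t mangle -F PREROUTING
  $IPTABLES -t mangle -A PREROUTING -p TCP --dport 33434:33542 -j TTL --ttl-inc 1
  echo -n "."
  #Bad TCP packets we don't want.
  #$IPTABLES -A INPUT -p tcp -j bad_tcp_packet
  echo -n "."
  #Rules for incoming packets from the internet.
  $IPTABLES -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
  $IPTABLES -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
  $IPTABLES -A INPUT -p UDP -i "$INET_IFACE" -j udpincoming_packets
  echo -n "."
  #Rules for special networks not part of the Internet
  $IPTABLES -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT
  # The LAN range is trusted only when it actually arrives on the LAN interface;
  # without -i, a packet carrying a forged LAN source on the Internet side would be accepted.
  $IPTABLES -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
  # The previous unconditional '-i eth0 -j ACCEPT' rule was removed: it accepted every
  # packet from the Internet interface ahead of the DROP policy, which made the
  # tcp_packets / udpincoming_packets filtering above ineffective.
  $IPTABLES -A INPUT -p ALL -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #Log weird packets that don't match the above.
  #$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died:"
  $IPTABLES -P INPUT DROP
  echo "Done"
  echo -n "FORWARD chain.."
  #Bad TCP packets we don't want
  #$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
  echo -n "."
  #Accept the packets we actually want to forward
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The previous '-i eth0 -j ACCEPT' rule was removed here as well: it forwarded any
  # new connection arriving from the Internet side, bypassing the port rules below.
  $IPTABLES -A FORWARD -p TCP -j tcp_packets
  $IPTABLES -A FORWARD -p ICMP -j icmp_packets
  $IPTABLES -A FORWARD -p UDP -j allowed_udp
  $IPTABLES -A FORWARD -p TCP -m multiport --dports 20,21 -m state --state NEW -j ACCEPT
  echo -n "."
  #Log weird packets that don't match the above.
  #$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
  $IPTABLES -P FORWARD DROP
  echo "Done"
  echo -n "OUTPUT chain...."
  #Bad TCP packets we don't want
  #$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
  $IPTABLES -P OUTPUT ACCEPT
  echo "Done"
  echo -n "PREROUTING chain..."
  #$IPTABLES -t nat -A PREROUTING -p tcp -j bad_tcp_packets
  # Transparent proxy: LAN web traffic (80, 8080) is redirected to the local proxy port 3128
  $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -p tcp -m multiport --dport 80,8080 -j REDIRECT --to-ports 3128
  $IPTABLES -t nat -P PREROUTING ACCEPT
  echo "Done"
  echo "POSTROUTING chain..."
  # LAN clients reaching the gateway's own services on these ports are SNATed to the gateway's LAN address
  $IPTABLES -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -d "$LAN_IP" -p tcp -m multiport --dport 20,21,25,80,110,143,995 -j SNAT --to-source "$LAN_IP"
  # Everything from the LAN leaving toward the Internet is SNATed to the gateway's Internet address
  $IPTABLES -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
  $IPTABLES -t nat -P POSTROUTING ACCEPT
  echo "Done"
}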
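# Dispatch on the first argument. Unknown or missing action: usage on stderr, exit 1.
case "${1-}" in
  start) start ;;
  stop) stop ;;
  clear) clear ;;
  restart)
    stop
    start
    ;;
  *)
    printf 'Usage %s start|stop|clear|restart\n' "${0##*/}" >&2
    exit 1
    ;;
esac
exit 0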
с помощью которого трафик перенаправляется на squid и обрезается скачивание с торрентов.
На squid ограничивается доступ на некоторые сайты флэш и т.д.
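# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl mail method POST
## Hosts on my LAN that are exempt from the restrictions below
acl user1 src 192.168.10.30/32
acl user2 src 192.168.10.31/32
## Lists of sites and file extensions to which access is denied
acl site url_regex -i "/etc/squid3/denylist"
acl content urlpath_regex -i \.avi$ \.mp3$ \.wav$ \.mpu$ \.vob$ \.torrent$ \.swf(\?.*)?$ \.flv(\?.*)?$
acl social url_regex -i "/etc/squid3/social.net"
acl torrent url_regex -i "/etc/squid3/torrent"
acl mail_public url_regex -i "/etc/squid3/mail_public"
# (the duplicate 'acl torrent' line was dropped; 'torrent', 'mail' and 'mail_public'
# are defined but not referenced by any access rule in this file)
acl media rep_mime_type video/flv video/x-flv
acl media rep_mime_type application/x-shockwave-flash
## http_access is evaluated top-down, first match wins. The generic safety checks
## (Safe_ports, CONNECT) must therefore precede any 'allow', and 'deny all' has to
## be the last line - rules placed after it are never reached.
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
## Deny the listed sites and content to everyone except the two exempt hosts
http_access deny site !user1 !user2
http_access deny content !user1 !user2
http_access allow localnet
http_access allow localhost
http_access deny all
## Reply-side filter: the listed media MIME types are blocked for everyone but the
## exempt hosts (Squid's documented default for an unmatched reply is the opposite
## of the last rule, i.e. allow).
http_reply_access deny media !user1 !user2
## NOTE(review): no per-download size cap is configured here; the directive for
## that is reply_body_max_size (its argument syntax differs between Squid 3.0 and
## 3.1+ - check this version's squid.conf.documented before adding it).
icp_access allow localnet
icp_access deny all
### Port and IP address the proxy listens on. 'transparent' turns on transparent
### (intercepting) proxying for the traffic REDIRECTed by the firewall.
http_port 192.168.10.1:3128 transparent
hierarchy_stoplist cgi-bin ?
## Cache storage location and size
cache_dir ufs /var/spool/squid3 4096 16 256
access_log /var/log/squid3/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
##broken_vary_encoding allow apache
# NOTE(review): 'MKACTIV*ITY' looks like a mangled MKACTIVITY - verify against the original file
extension_methods REPORT MERGE MKACTIV*ITY CHECKOUT
ignore_expect_100 on
## Bandwidth limit for social-network sites (exempt hosts excluded)
delay_pools 1
delay_class 1 1
delay_parameters 1 800/64000 #
delay_access 1 allow social !user1 !user2
delay_access 1 deny all
error_directory /usr/share/squid3/errors/Russian-koi8-r
max_filedescriptors 4096
hosts_file /etc/hosts
coredump_dir /var/spool/squid3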
# TAG: follow_x_forwarded_for
# Allowing or Denying the X-Forwarded-For header to be followed to
# find the original source of a request.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The X-Forwarded-For header will contain a
# comma-separated list of the IP addresses in the chain, with the
# rightmost address being the most recent.
#
# If a request reaches us from a source that is allowed by this
# configuration item, then we consult the X-Forwarded-For header
# to see where that host received the request from. If the
Необходимо сделать ограничение на скачивание абсолютно для всех пользователей в размере 10 МБ. Помогите плз. Желательно подробно, что куда вписывать. Сам я не очень хорошо разбираюсь.