Difference between revisions of "Script NAT Proxy"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 10: | Line 10: | ||
# ./script.sh stop | # ./script.sh stop | ||
− | Agar script.sh langsung on waktu komputer di booting, | + | Agar script.sh langsung on waktu [[komputer]] di booting, |
anda dapat menuliskan script tersebut di folder (misalnya) /root. | anda dapat menuliskan script tersebut di folder (misalnya) /root. | ||
Masukan pada file /etc/rc/local perintah | Masukan pada file /etc/rc/local perintah | ||
/root/script.sh start | /root/script.sh start | ||
− | |||
− | |||
Isi script.sh adalah seperti tampak di bawah ini. | Isi script.sh adalah seperti tampak di bawah ini. | ||
Line 28: | Line 26: | ||
− | + | ==isi script.sh== | |
#!/bin/bash | #!/bin/bash | ||
− | + | ||
# From: AHK <akuhon@kompas.com> | # From: AHK <akuhon@kompas.com> | ||
# To: linux-admin@linux.or.id | # To: linux-admin@linux.or.id | ||
− | + | ||
# Save this file and activate through # file_name start | # Save this file and activate through # file_name start | ||
# and de-activate through # file_name stop | # and de-activate through # file_name stop | ||
− | + | ||
# This firewall-script can be used for workstation, laptop, router | # This firewall-script can be used for workstation, laptop, router | ||
# or server that are not running network service (such as web server, ftp | # or server that are not running network service (such as web server, ftp | ||
# server etc) | # server etc) | ||
− | + | ||
# change the parameter UPLINK with Interface device to the Internet. | # change the parameter UPLINK with Interface device to the Internet. | ||
# In our case WLAN router with NIC wlan0 connected to the Internet | # In our case WLAN router with NIC wlan0 connected to the Internet | ||
# and LAN connection with eth0. | # and LAN connection with eth0. | ||
# if you use dial-up modem, you might use ppp0 as your UPLINK | # if you use dial-up modem, you might use ppp0 as your UPLINK | ||
− | + | ||
UPLINK="eth1" | UPLINK="eth1" | ||
− | + | ||
# if you run the gateway as router and forward IP packet between eth devices | # if you run the gateway as router and forward IP packet between eth devices | ||
# please fill .yes., if not, please fill .no. | # please fill .yes., if not, please fill .no. | ||
− | + | ||
ROUTER="yes" | ROUTER="yes" | ||
− | + | ||
# Please change 202.150.10.45 to your static IP address of UPLINK device. | # Please change 202.150.10.45 to your static IP address of UPLINK device. | ||
# For those who use dial-up or dynamic IP, please enter .dynamic. | # For those who use dial-up or dynamic IP, please enter .dynamic. | ||
− | + | ||
# NAT="192.168.1.100" | # NAT="192.168.1.100" | ||
− | + | ||
NAT="dynamic" | NAT="dynamic" | ||
− | + | ||
# please list all network interfaces including eth devices | # please list all network interfaces including eth devices | ||
# as well as dial-up interface such as ppp0 | # as well as dial-up interface such as ppp0 | ||
− | + | ||
INTERFACES="lo eth0 eth1 eth2" | INTERFACES="lo eth0 eth1 eth2" | ||
− | + | ||
if [ "$1" = "start" ] | if [ "$1" = "start" ] | ||
then | then | ||
Line 71: | Line 69: | ||
/sbin/iptables -F | /sbin/iptables -F | ||
/sbin/iptables -P INPUT DROP | /sbin/iptables -P INPUT DROP | ||
− | + | # /sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1 -j DROP | |
− | + | # /sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1 -j DROP | |
− | + | ||
/sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT | /sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT | ||
/sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT | /sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT | ||
Line 80: | Line 78: | ||
/sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable | /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable | ||
− | + | /sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1 -j DROP | |
− | + | ||
# block bad sites | # block bad sites | ||
− | + | # /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP | |
− | /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP | + | # /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP |
− | /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP | + | # /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP |
− | + | # /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP | |
− | /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP | + | |
− | /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP | ||
− | |||
# turn off packet spoofing in all interfaces | # turn off packet spoofing in all interfaces | ||
for x in ${INTERFACES} | for x in ${INTERFACES} | ||
do | do | ||
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter | echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter | ||
− | done | + | done |
− | + | ||
if [ "$ROUTER" = "yes" ] | if [ "$ROUTER" = "yes" ] | ||
then | then | ||
Line 110: | Line 106: | ||
echo "Activate SNAT (static IP) ...." | echo "Activate SNAT (static IP) ...." | ||
/sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT} | /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT} | ||
− | fi | + | fi |
− | + | ||
− | # echo "Activate Port Forwarding .." | + | echo "Activate Transparent Proxy .." |
+ | for x in ${INTERFACES} | ||
+ | do | ||
+ | iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080 | ||
+ | done | ||
+ | |||
+ | # echo "Activate SMTP Port Forwarding .." | ||
# /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \ | # /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \ | ||
− | # --dport 25 -d ${NAT} -j DNAT --to 192.168.0. | + | # --dport 25 -d ${NAT} -j DNAT --to 192.168.0.254:25 |
− | # /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0. | + | # /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.254 \ |
− | # --dport 25 -j ACCEPT | + | # --dport 25 -j ACCEPT |
− | + | ||
fi | fi | ||
elif [ "$1" = "stop" ] | elif [ "$1" = "stop" ] | ||
Line 131: | Line 133: | ||
/sbin/iptables -t nat -F POSTROUTING | /sbin/iptables -t nat -F POSTROUTING | ||
fi | fi | ||
− | |||
− | |||
− | |||
− | |||
− | |||
==Pranala Menarik== | ==Pranala Menarik== | ||
* [[Linux Howto]] | * [[Linux Howto]] | ||
+ | * [[Script NAT Transparant Proxy & Squid]] | ||
+ | |||
+ | [[Category: Linux]] | ||
+ | [[Category: Proxy]] |
Latest revision as of 08:24, 16 June 2011
Contoh script NAT / Proxy
Untuk menjalankan
# ./script.sh start
Untuk mematikan
# ./script.sh stop
Agar script.sh langsung on waktu komputer di booting, anda dapat menuliskan script tersebut di folder (misalnya) /root. Masukan pada file /etc/rc/local perintah
/root/script.sh start
Isi script.sh adalah seperti tampak di bawah ini. Ada beberapa parameter yang perlu di perhatikan yaitu
- UPLINK
- NAT
- INTERFACES
Pastikan bahwa anda mengisi ketiga-nya dengan benar
isi script.sh
#!/bin/bash # From: AHK <akuhon@kompas.com> # To: linux-admin@linux.or.id # Save this file and activate through # file_name start # and de-activate through # file_name stop # This firewall-script can be used for workstation, laptop, router # or server that are not running network service (such as web server, ftp # server etc) # change the parameter UPLINK with Interface device to the Internet. # In our case WLAN router with NIC wlan0 connected to the Internet # and LAN connection with eth0. # if you use dial-up modem, you might use ppp0 as your UPLINK UPLINK="eth1" # if you run the gateway as router and forward IP packet between eth devices # please fill .yes., if not, please fill .no. ROUTER="yes" # Please change 202.150.10.45 to your static IP address of UPLINK device. # For those who use dial-up or dynamic IP, please enter .dynamic. # NAT="192.168.1.100" NAT="dynamic" # please list all network interfaces including eth devices # as well as dial-up interface such as ppp0 INTERFACES="lo eth0 eth1 eth2" if [ "$1" = "start" ] then echo "Activate Firewall ..... " /sbin/iptables -F /sbin/iptables -P INPUT DROP # /sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1 -j DROP # /sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1 -j DROP /sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT /sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable /sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1 -j DROP # block bad sites # /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP # /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP # /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP # /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP # turn off packet spoofing in all interfaces for x in ${INTERFACES} do echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter done if [ "$ROUTER" = "yes" ] then # Activate IP forwarding at router echo 1 > /proc/sys/net/ipv4/ip_forward if [ "$NAT" = "dynamic" ] then # Dynamic IP address, activate Masquerading echo "Activate Masquerading (Dynamic IP) ...." /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE elif [ "$NAT" != "" ] then # Static IP address use source NAT echo "Activate SNAT (static IP) ...." /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT} fi echo "Activate Transparent Proxy .." for x in ${INTERFACES} do iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080 done # echo "Activate SMTP Port Forwarding .." # /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \ # --dport 25 -d ${NAT} -j DNAT --to 192.168.0.254:25 # /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.254 \ # --dport 25 -j ACCEPT fi elif [ "$1" = "stop" ] then echo "Deactivate Firewall ..." /sbin/iptables -F INPUT /sbin/iptables -P INPUT ACCEPT /sbin/iptables -F FORWARD /sbin/iptables -P FORWARD ACCEPT /sbin/iptables -F OUTPUT /sbin/iptables -P OUTPUT ACCEPT # Turn off NAT or MASQUERADING /sbin/iptables -t nat -F POSTROUTING fi