Difference between revisions of "Script NAT Proxy"

From OnnoWiki
Jump to navigation Jump to search
 
(5 intermediate revisions by the same user not shown)
Line 10: Line 10:
 
  # ./script.sh stop
 
  # ./script.sh stop
  
Agar script.sh langsung on waktu komputer di booting,
+
Agar script.sh langsung on waktu [[komputer]] di booting,
 
anda dapat menuliskan script tersebut di folder (misalnya) /root.
 
anda dapat menuliskan script tersebut di folder (misalnya) /root.
 
Masukan pada file /etc/rc/local perintah
 
Masukan pada file /etc/rc/local perintah
  
 
  /root/script.sh start
 
  /root/script.sh start
 
 
  
 
Isi script.sh adalah seperti tampak di bawah ini.
 
Isi script.sh adalah seperti tampak di bawah ini.
Line 28: Line 26:
  
  
----
+
==isi script.sh==
  
 
  #!/bin/bash
 
  #!/bin/bash
 
+
 
  # From: AHK <akuhon@kompas.com>
 
  # From: AHK <akuhon@kompas.com>
 
  # To: linux-admin@linux.or.id
 
  # To: linux-admin@linux.or.id
 
+
 
  # Save this file and activate through # file_name start
 
  # Save this file and activate through # file_name start
 
  # and de-activate through # file_name stop
 
  # and de-activate through # file_name stop
 
+
 
  # This firewall-script can be used for workstation, laptop, router
 
  # This firewall-script can be used for workstation, laptop, router
 
  # or server that are not running network service (such as web server, ftp
 
  # or server that are not running network service (such as web server, ftp
 
  # server etc)
 
  # server etc)
 
+
 
  # change the parameter UPLINK with Interface device to the Internet.
 
  # change the parameter UPLINK with Interface device to the Internet.
 
  # In our case WLAN router with NIC wlan0 connected to the Internet
 
  # In our case WLAN router with NIC wlan0 connected to the Internet
 
  # and LAN connection with eth0.
 
  # and LAN connection with eth0.
 
  # if you use dial-up modem, you might use ppp0 as your UPLINK
 
  # if you use dial-up modem, you might use ppp0 as your UPLINK
 
+
 
  UPLINK="eth1"
 
  UPLINK="eth1"
 
+
 
  # if you run the gateway as router and forward IP packet between eth devices
 
  # if you run the gateway as router and forward IP packet between eth devices
 
  # please fill .yes., if not, please fill .no.
 
  # please fill .yes., if not, please fill .no.
 
+
 
  ROUTER="yes"
 
  ROUTER="yes"
 
+
 
  # Please change 202.150.10.45 to your static IP address of UPLINK device.
 
  # Please change 202.150.10.45 to your static IP address of UPLINK device.
 
  # For those who use dial-up or dynamic IP, please enter .dynamic.
 
  # For those who use dial-up or dynamic IP, please enter .dynamic.
 
+
 
  # NAT="192.168.1.100"
 
  # NAT="192.168.1.100"
 
+
 
  NAT="dynamic"  
 
  NAT="dynamic"  
 
+
 
  # please list all network interfaces including eth devices
 
  # please list all network interfaces including eth devices
 
  # as well as dial-up interface such as ppp0
 
  # as well as dial-up interface such as ppp0
 
+
 
  INTERFACES="lo eth0 eth1 eth2"
 
  INTERFACES="lo eth0 eth1 eth2"
 
+
 
  if [ "$1" = "start" ]
 
  if [ "$1" = "start" ]
 
   then
 
   then
Line 71: Line 69:
 
   /sbin/iptables -F
 
   /sbin/iptables -F
 
   /sbin/iptables -P INPUT DROP
 
   /sbin/iptables -P INPUT DROP
  /sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1  -j DROP
+
/sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1  -j DROP
  /sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1  -j DROP
+
/sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1  -j DROP
 
+
 
   /sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
 
   /sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
 
   /sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT
 
   /sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT
Line 80: Line 78:
 
   /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
 
   /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
 
    
 
    
/sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1  -j DROP
+
  /sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1  -j DROP
 
+
 
  # block bad sites
 
  # block bad sites
 
+
  # /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP
  /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP
+
  # /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP  
  /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP  
+
  # /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP
 
+
  # /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP
  /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP
+
  /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP
 
 
 
 
  # turn off packet spoofing in all interfaces
 
  # turn off packet spoofing in all interfaces
 
  for x in ${INTERFACES}
 
  for x in ${INTERFACES}
 
   do
 
   do
 
     echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
 
     echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
   done
+
   done  
 
+
 
  if [ "$ROUTER" = "yes" ]
 
  if [ "$ROUTER" = "yes" ]
 
   then
 
   then
Line 110: Line 106:
 
   echo "Activate SNAT (static IP) ...."
 
   echo "Activate SNAT (static IP) ...."
 
   /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
 
   /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
  fi
+
  fi  
 
+
  # echo "Activate Port Forwarding .."
+
echo "Activate Transparent Proxy .."
 +
for x in ${INTERFACES}
 +
  do
 +
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
 +
  done
 +
 +
  # echo "Activate SMTP Port Forwarding .."
 
  # /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \
 
  # /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \
  # --dport 25 -d ${NAT} -j DNAT --to 192.168.0.1:25
+
  # --dport 25 -d ${NAT} -j DNAT --to 192.168.0.254:25
  # /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.1 \
+
  # /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.254 \
  #  --dport 25 -j ACCEPT
+
  #  --dport 25 -j ACCEPT  
 
+
 
  fi
 
  fi
 
   elif [ "$1" = "stop" ]
 
   elif [ "$1" = "stop" ]
Line 131: Line 133:
 
       /sbin/iptables -t nat -F POSTROUTING
 
       /sbin/iptables -t nat -F POSTROUTING
 
  fi
 
  fi
 
 
 
 
 
  
 
==Pranala Menarik==
 
==Pranala Menarik==
  
 
* [[Linux Howto]]
 
* [[Linux Howto]]
 +
* [[Script NAT Transparant Proxy & Squid]]
 +
 +
[[Category: Linux]]
 +
[[Category: Proxy]]

Latest revision as of 08:24, 16 June 2011

Contoh script NAT / Proxy

Untuk menjalankan

# ./script.sh start

Untuk mematikan

# ./script.sh stop

Agar script.sh langsung on waktu komputer di booting, anda dapat menuliskan script tersebut di folder (misalnya) /root. Masukan pada file /etc/rc/local perintah

/root/script.sh start

Isi script.sh adalah seperti tampak di bawah ini. Ada beberapa parameter yang perlu di perhatikan yaitu

  • UPLINK
  • NAT
  • INTERFACES

Pastikan bahwa anda mengisi ketiga-nya dengan benar


isi script.sh

#!/bin/bash

# From: AHK <akuhon@kompas.com>
# To: linux-admin@linux.or.id

# Save this file and activate through # file_name start
# and de-activate through # file_name stop

# This firewall-script can be used for workstation, laptop, router
# or server that are not running network service (such as web server, ftp
# server etc)

# change the parameter UPLINK with Interface device to the Internet.
# In our case WLAN router with NIC wlan0 connected to the Internet
# and LAN connection with eth0.
# if you use dial-up modem, you might use ppp0 as your UPLINK

UPLINK="eth1"

# if you run the gateway as router and forward IP packet between eth devices
# please fill .yes., if not, please fill .no.

ROUTER="yes"

# Please change 202.150.10.45 to your static IP address of UPLINK device.
# For those who use dial-up or dynamic IP, please enter .dynamic.

# NAT="192.168.1.100"

NAT="dynamic" 

# please list all network interfaces including eth devices
# as well as dial-up interface such as ppp0

INTERFACES="lo eth0 eth1 eth2"

if [ "$1" = "start" ]
  then
  echo "Activate Firewall ..... "
  /sbin/iptables -F
  /sbin/iptables -P INPUT DROP
#  /sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1  -j DROP
#  /sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1  -j DROP

  /sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
  /sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
  /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
 
  /sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1  -j DROP

# block bad sites
# /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP
# /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP 
# /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP
# /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP

# turn off packet spoofing in all interfaces
for x in ${INTERFACES}
  do
    echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
  done 

if [ "$ROUTER" = "yes" ]
  then
  # Activate IP forwarding at router
    echo 1 > /proc/sys/net/ipv4/ip_forward
if [ "$NAT" = "dynamic" ]
  then
  # Dynamic IP address, activate Masquerading
    echo "Activate Masquerading (Dynamic IP) ...."
    /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
elif [ "$NAT" != "" ]
  then
  # Static IP address use source NAT
  echo "Activate SNAT (static IP) ...."
  /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
fi 

echo "Activate Transparent Proxy .."
for x in ${INTERFACES}
  do
    iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
  done 

# echo "Activate SMTP Port Forwarding .."
# /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \
# --dport 25 -d ${NAT} -j DNAT --to 192.168.0.254:25
# /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.254 \
#  --dport 25 -j ACCEPT 

fi
  elif [ "$1" = "stop" ]
    then
      echo "Deactivate Firewall ..."
      /sbin/iptables -F INPUT
      /sbin/iptables -P INPUT ACCEPT
      /sbin/iptables -F FORWARD
      /sbin/iptables -P FORWARD ACCEPT
      /sbin/iptables -F OUTPUT
      /sbin/iptables -P OUTPUT ACCEPT
      # Turn off NAT or MASQUERADING
      /sbin/iptables -t nat -F POSTROUTING
fi

Pranala Menarik