Script NAT Proxy: Difference between revisions
From OnnoCenterWiki
Jump to navigationJump to search
Onnowpurbo (talk | contribs) New page: ==Contoh script NAT / Proxy== Untuk menjalankan # ./script.sh start Untuk mematikan # ./script.sh stop Isi script.sh adalah ---- #!/bin/bash # From: AHK <akuhon@kompas.com> # ... |
Onnowpurbo (talk | contribs) |
||
| (9 intermediate revisions by the same user not shown) | |||
| Line 10: | Line 10: | ||
# ./script.sh stop | # ./script.sh stop | ||
Agar script.sh langsung on waktu [[komputer]] di booting, | |||
anda dapat menuliskan script tersebut di folder (misalnya) /root. | |||
Masukan pada file /etc/rc/local perintah | |||
/root/script.sh start | |||
Isi script.sh adalah seperti tampak di bawah ini. | |||
Ada beberapa parameter yang perlu di perhatikan yaitu | |||
* UPLINK | |||
* NAT | |||
* INTERFACES | |||
Pastikan bahwa anda mengisi ketiga-nya dengan benar | |||
==isi script.sh== | |||
# This firewall-script can be used for workstation, laptop, router | #!/bin/bash | ||
# or server that are not running network service (such as web server, ftp | |||
# server etc) | # From: AHK <akuhon@kompas.com> | ||
# To: linux-admin@linux.or.id | |||
# change the parameter UPLINK with Interface device to the Internet. | |||
# In our case WLAN router with NIC wlan0 connected to the Internet | # Save this file and activate through # file_name start | ||
# and LAN connection with eth0. | # and de-activate through # file_name stop | ||
# if you use dial-up modem, you might use ppp0 as your UPLINK | |||
# This firewall-script can be used for workstation, laptop, router | |||
UPLINK="eth1" | # or server that are not running network service (such as web server, ftp | ||
# server etc) | |||
# if you run the gateway as router and forward IP packet between eth devices | |||
# please fill .yes., if not, please fill .no. | # change the parameter UPLINK with Interface device to the Internet. | ||
# In our case WLAN router with NIC wlan0 connected to the Internet | |||
ROUTER=" | # and LAN connection with eth0. | ||
# if you use dial-up modem, you might use ppp0 as your UPLINK | |||
# Please change 202.150.10.45 to your static IP address of UPLINK device. | |||
# For those who use dial-up or dynamic IP, please enter .dynamic. | UPLINK="eth1" | ||
# NAT="192.168.1.100" | # if you run the gateway as router and forward IP packet between eth devices | ||
# please fill .yes., if not, please fill .no. | |||
NAT="dynamic" | |||
ROUTER="yes" | |||
# please list all network interfaces including eth devices | |||
# as well as dial-up interface such as ppp0 | # Please change 202.150.10.45 to your static IP address of UPLINK device. | ||
# For those who use dial-up or dynamic IP, please enter .dynamic. | |||
INTERFACES="lo eth0 eth1 eth2" | |||
# NAT="192.168.1.100" | |||
if [ "$1" = "start" ] | |||
NAT="dynamic" | |||
# please list all network interfaces including eth devices | |||
# as well as dial-up interface such as ppp0 | |||
INTERFACES="lo eth0 eth1 eth2" | |||
if [ "$1" = "start" ] | |||
then | |||
echo "Activate Firewall ..... " | |||
/sbin/iptables -F | |||
/sbin/iptables -P INPUT DROP | |||
# /sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1 -j DROP | |||
# /sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1 -j DROP | |||
/sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT | |||
/sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT | |||
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
/sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset | |||
/sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable | |||
/sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1 -j DROP | /sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1 -j DROP | ||
# block bad sites | # block bad sites | ||
# /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP | |||
/sbin/iptables -I INPUT -s 68.178.211.34 -j DROP | # /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP | ||
/sbin/iptables -I INPUT -d 68.178.211.34 -j DROP | # /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP | ||
# /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP | |||
/sbin/iptables -I INPUT -s 64.27.5.168 -j DROP | |||
/sbin/iptables -I INPUT -d 64.27.5.168 -j DROP | # turn off packet spoofing in all interfaces | ||
for x in ${INTERFACES} | |||
do | |||
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter | |||
done | |||
# turn off packet spoofing in all interfaces | |||
for x in ${INTERFACES} | if [ "$ROUTER" = "yes" ] | ||
then | |||
# Activate IP forwarding at router | |||
echo 1 > /proc/sys/net/ipv4/ip_forward | |||
if [ "$NAT" = "dynamic" ] | |||
then | |||
# Dynamic IP address, activate Masquerading | |||
echo "Activate Masquerading (Dynamic IP) ...." | |||
/sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE | |||
elif [ "$NAT" != "" ] | |||
then | |||
# Static IP address use source NAT | |||
echo "Activate SNAT (static IP) ...." | |||
/sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT} | |||
fi | |||
echo "Activate Transparent Proxy .." | |||
for x in ${INTERFACES} | |||
do | |||
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080 | |||
done | |||
# echo "Activate SMTP Port Forwarding .." | |||
# /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \ | |||
# --dport 25 -d ${NAT} -j DNAT --to 192.168.0.254:25 | |||
# /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.254 \ | |||
# --dport 25 -j ACCEPT | |||
fi | |||
elif [ "$1" = "stop" ] | |||
then | |||
echo "Deactivate Firewall ..." | |||
/sbin/iptables -F INPUT | |||
/sbin/iptables -P INPUT ACCEPT | |||
/sbin/iptables -F FORWARD | |||
/sbin/iptables -P FORWARD ACCEPT | |||
/sbin/iptables -F OUTPUT | |||
/sbin/iptables -P OUTPUT ACCEPT | |||
# Turn off NAT or MASQUERADING | |||
/sbin/iptables -t nat -F POSTROUTING | |||
fi | |||
==Pranala Menarik== | |||
* [[Linux Howto]] | |||
* [[Script NAT Transparant Proxy & Squid]] | |||
[[Category: Linux]] | |||
[[Category: Proxy]] | |||
Latest revision as of 01:24, 16 June 2011
Contoh script NAT / Proxy
Untuk menjalankan
# ./script.sh start
Untuk mematikan
# ./script.sh stop
Agar script.sh langsung on waktu komputer di booting, anda dapat menuliskan script tersebut di folder (misalnya) /root. Masukan pada file /etc/rc/local perintah
/root/script.sh start
Isi script.sh adalah seperti tampak di bawah ini. Ada beberapa parameter yang perlu di perhatikan yaitu
- UPLINK
- NAT
- INTERFACES
Pastikan bahwa anda mengisi ketiga-nya dengan benar
isi script.sh
#!/bin/bash
# From: AHK <akuhon@kompas.com>
# To: linux-admin@linux.or.id
# Save this file and activate through # file_name start
# and de-activate through # file_name stop
# This firewall-script can be used for workstation, laptop, router
# or server that are not running network service (such as web server, ftp
# server etc)
# change the parameter UPLINK with Interface device to the Internet.
# In our case WLAN router with NIC wlan0 connected to the Internet
# and LAN connection with eth0.
# if you use dial-up modem, you might use ppp0 as your UPLINK
UPLINK="eth1"
# if you run the gateway as router and forward IP packet between eth devices
# please fill .yes., if not, please fill .no.
ROUTER="yes"
# Please change 202.150.10.45 to your static IP address of UPLINK device.
# For those who use dial-up or dynamic IP, please enter .dynamic.
# NAT="192.168.1.100"
NAT="dynamic"
# please list all network interfaces including eth devices
# as well as dial-up interface such as ppp0
INTERFACES="lo eth0 eth1 eth2"
if [ "$1" = "start" ]
then
echo "Activate Firewall ..... "
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
# /sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1 -j DROP
# /sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1 -j DROP
/sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
/sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1 -j DROP
# block bad sites
# /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP
# /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP
# /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP
# /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP
# turn off packet spoofing in all interfaces
for x in ${INTERFACES}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ "$ROUTER" = "yes" ]
then
# Activate IP forwarding at router
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ "$NAT" = "dynamic" ]
then
# Dynamic IP address, activate Masquerading
echo "Activate Masquerading (Dynamic IP) ...."
/sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
elif [ "$NAT" != "" ]
then
# Static IP address use source NAT
echo "Activate SNAT (static IP) ...."
/sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
fi
echo "Activate Transparent Proxy .."
for x in ${INTERFACES}
do
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
done
# echo "Activate SMTP Port Forwarding .."
# /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \
# --dport 25 -d ${NAT} -j DNAT --to 192.168.0.254:25
# /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.254 \
# --dport 25 -j ACCEPT
fi
elif [ "$1" = "stop" ]
then
echo "Deactivate Firewall ..."
/sbin/iptables -F INPUT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F FORWARD
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P OUTPUT ACCEPT
# Turn off NAT or MASQUERADING
/sbin/iptables -t nat -F POSTROUTING
fi
