Script for iptables with Squid as a transparent proxy

Posted on 2003-3-15 05:39:04
This was written by someone else. You can copy the text below, save it on your Linux box, and make it executable.

#!/bin/bash
#
# iptables NAT gateway with Squid transparent proxy (2.4-kernel era script).

PATH=/sbin:/usr/sbin:/bin:/usr/bin
RC_SQUID=/etc/rc.d/init.d/squid
# Your external (Internet-facing) interface; change this. Use ppp0 for a
# dial-up link; if it is a NIC, check which one.
EXT_IF=eth1
# Internal (LAN) interface
INT_IF=eth0
# Ports on the gateway itself that are reachable from the external interface.
# Note: these are open to any source address; trim the list to what you run.
TRUSTED_TCP_PORT="20 21 22 25 53 80 110 113 143 220 443 465 993 995"
TRUSTED_UDP_PORT="53"
# ICMP types accepted from the external interface (type or type/code).
# echo-request (8) is deliberately absent, so the gateway does not answer ping.
ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18"

#
# ------------- ensure iptables ----------
command -v iptables &>/dev/null || {
        echo
        echo "$(basename "$0"): iptables program is not found."
        echo "        Please install the program first."
        echo
        exit 1
}

# ------------- disable ipchains ----------
# ipchains and iptables cannot be loaded at the same time.
lsmod | grep -q ipchains && {
        echo "Disabling ipchains..."
        rmmod ipchains
}

# ------------- modules -----------
echo "Loading modules..."
modprobe ip_tables &>/dev/null || {
    echo -n "$(basename "$0"): loading ip_tables module failure."
    echo " Please Fix it!"
    exit 3
}
# Load every conntrack/NAT helper shipped with the running kernel.
# The *.o glob is for 2.4 kernels; 2.6 and later use *.ko and the
# nf_conntrack_* / nf_nat_* names.
for file in /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_*.o
do
    [ -e "$file" ] || continue
    module=$(basename "$file")
    modprobe "${module%.*}" &>/dev/null
done
for file in /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_nat_*.o
do
    [ -e "$file" ] || continue
    module=$(basename "$file")
    modprobe "${module%.*}" &>/dev/null
done

# ------------- ipforwarding -----------
echo "Turning on IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

# ------------- anti spoofing -----------
# Reverse-path filtering: drop packets whose source address would not be
# routed back out through the interface they arrived on.
echo "Turning on anti-spoofing..."
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo "1" > "$file"
done

# ------------- flushing ----------
echo "Cleaning up..."
iptables -F -t filter
iptables -X -t filter
iptables -Z -t filter
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

# ------------- policies -------------
# Policies stay ACCEPT; the trailing DROP in the "block" chain is what
# actually provides default-deny for INPUT and FORWARD.
echo "Setting up policies to ACCEPT..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# ------------- ICMP -------------
echo "Creating icmpfilter chain..."
iptables -N icmpfilter
for TYPE in $ALLOWED_ICMP; do
    iptables -A icmpfilter -i $EXT_IF -p icmp \
        --icmp-type $TYPE -j ACCEPT
done

# ------------- services ------------
echo "Creating services chain...."
iptables -N services
for PORT in $TRUSTED_TCP_PORT; do
    iptables -A services -i $EXT_IF -p tcp --dport $PORT -j ACCEPT
done
for PORT in $TRUSTED_UDP_PORT; do
    iptables -A services -i $EXT_IF -p udp --dport $PORT -j ACCEPT
done

# ------------- block -------------
# Stateful default-deny: replies to existing connections pass; new
# connections are accepted only if they did not arrive on $EXT_IF.
echo "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# "! -i" is the negation syntax; the older "-i !" form is deprecated.
iptables -A block -m state --state NEW ! -i $EXT_IF -j ACCEPT
iptables -A block -j DROP

# ------------- filter -------------
echo "Filtering packets..."
iptables -A INPUT -j icmpfilter
iptables -A INPUT -j services
iptables -A INPUT -j block
iptables -A FORWARD -j icmpfilter
iptables -A FORWARD -j block

# ------------- masq -------------
echo "Masquerading internal network..."
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# ------------- tproxy -------------
# Only divert port 80 to Squid when the squid init script reports it running.
$RC_SQUID status | grep -q pid && {
        echo "Enabling transparent proxy...."
        # Works with both "inet addr:1.2.3.4" (old net-tools) and "inet 1.2.3.4".
        INT_IP=$(ifconfig "$INT_IF" | awk '/inet / {print $2}' | sed -e 's/^addr://')
        if [ -z "$INT_IP" ]; then
                echo
                echo "$(basename "$0"): there is no IP found on $INT_IF."
                echo "        Please make sure $INT_IF is setup properly."
                echo
                exit 3
        fi
        # Order matters: HTTP aimed at the gateway's own address is exempted
        # first, so it reaches the local web server instead of Squid.
        iptables -t nat -A PREROUTING -d $INT_IP -i $INT_IF \
                -p tcp -m tcp --dport 80 -j ACCEPT
        # Everything else from the LAN to port 80 goes to Squid on 3128.
        # Only plain HTTP is diverted; port 443 passes through unchanged.
        iptables -t nat -A PREROUTING -i $INT_IF -p tcp -m tcp \
                --dport 80 -j REDIRECT --to-ports 3128
}
exit 0
## EOS

==============================================================================
You can then run it from your own directory, or add the file's path to
/etc/rc.d/rc.local so it runs automatically at boot.

============================================================================
Squid configuration:
I'm using RedHat8.1 and did not change Squid's user; it runs as the default user squid and group squid.
The other changes can follow gugong's article, but be sure to add
httpd_accel_host virtual

httpd_accel_port 80
httpd_accel_with_proxy off
#default is on; set it to off to make the proxy transparent
httpd_accel_uses_host_header on

Everything else can be left at its default if you are still a beginner.

==========================================================================
With this script, hosts on the LAN cannot open encrypted sites such as Hotmail and Yahoo Mail; it is caused by these two lines:
iptables -t nat -A PREROUTING -d $INT_IP -i $INT_IF \
        -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $INT_IF -p tcp -m tcp \
        --dport 80 -j REDIRECT --to-ports 3128
I'm working on a fix; experts, please give some pointers too.
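Added example (mine, not from the original post or the script's author): a small Python first-match evaluator that replays the script's filter INPUT/FORWARD chains and nat PREROUTING chain over a few constructed packets. Interface names, port lists and ICMP types are copied from the script; the gateway address 192.168.0.1, the LAN host 192.168.0.10 and the remote address 203.0.113.5 are assumptions. It shows what the ruleset actually does: port 80 from the LAN is diverted to 3128 except when aimed at the gateway itself (which is why the ACCEPT rule has to come before the REDIRECT), port 443 is never diverted, new connections arriving on eth1 are dropped unless the port is in TRUSTED_TCP_PORT (so Squid's 3128 stays unreachable from outside, while sshd on 22 is open to any source), and ping from outside is dropped because type 8 is not in ALLOWED_ICMP.

```python
"""Toy first-match evaluator for the gateway script's filter and nat chains.
Constructed example, not a real netfilter: interface names mirror the
script; all addresses are assumed."""
from dataclasses import dataclass

EXT_IF, INT_IF = "eth1", "eth0"
INT_IP = "192.168.0.1"        # assumed address of the gateway on $INT_IF
SQUID_PORT = 3128
TRUSTED_TCP = [20, 21, 22, 25, 53, 80, 110, 113, 143, 220, 443, 465, 993, 995]
TRUSTED_UDP = [53]
ALLOWED_ICMP = ["0", "3", "3/4", "4", "11", "12", "14", "16", "18"]


@dataclass
class Pkt:
    iif: str              # interface the packet arrived on
    proto: str            # "tcp", "udp" or "icmp"
    dst: str              # destination address
    dport: int = 0        # tcp/udp destination port
    icmp_type: str = ""   # "8" for echo-request, "3/4" for type/code
    state: str = "NEW"    # what "-m state --state" would see


def icmp_match(want, have):
    """--icmp-type 3 covers every code of type 3; 3/4 is one exact code."""
    return want == have if "/" in want else want == have.split("/")[0]


def matches(rule, p):
    """Every match present in a rule must hold (iptables ANDs them)."""
    checks = {
        "iif": lambda v: p.iif == v,
        "not_iif": lambda v: p.iif != v,          # "! -i"
        "proto": lambda v: p.proto == v,
        "dst": lambda v: p.dst == v,
        "dport": lambda v: p.dport == v,
        "icmp_type": lambda v: icmp_match(v, p.icmp_type),
        "state": lambda v: p.state in v,
    }
    return all(checks[k](v) for k, v in rule.items() if k != "target")


def walk(chains, name, p):
    """First matching rule wins. A user chain that runs out of rules
    returns to the caller, which continues with its next rule."""
    for rule in chains[name]:
        if not matches(rule, p):
            continue
        target = rule["target"]
        if target in chains:                    # -j <user chain>
            verdict = walk(chains, target, p)
            if verdict is not None:
                return verdict
            continue
        return target                           # ACCEPT / DROP / REDIRECT
    return None                                 # fell off the end


def build_filter():
    f = {"icmpfilter": [], "services": [], "block": [], "INPUT": [], "FORWARD": []}
    for t in ALLOWED_ICMP:
        f["icmpfilter"].append({"iif": EXT_IF, "proto": "icmp", "icmp_type": t, "target": "ACCEPT"})
    for port in TRUSTED_TCP:
        f["services"].append({"iif": EXT_IF, "proto": "tcp", "dport": port, "target": "ACCEPT"})
    for port in TRUSTED_UDP:
        f["services"].append({"iif": EXT_IF, "proto": "udp", "dport": port, "target": "ACCEPT"})
    f["block"] = [
        {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
        {"state": {"NEW"}, "not_iif": EXT_IF, "target": "ACCEPT"},
        {"target": "DROP"},
    ]
    f["INPUT"] = [{"target": "icmpfilter"}, {"target": "services"}, {"target": "block"}]
    f["FORWARD"] = [{"target": "icmpfilter"}, {"target": "block"}]
    return f


def build_nat():
    # Same order as the script: exempt the gateway's own port 80 first.
    return {"PREROUTING": [
        {"dst": INT_IP, "iif": INT_IF, "proto": "tcp", "dport": 80, "target": "ACCEPT"},
        {"iif": INT_IF, "proto": "tcp", "dport": 80, "target": "REDIRECT"},
    ]}


FILTER, NAT = build_filter(), build_nat()


def input_verdict(p):
    return walk(FILTER, "INPUT", p) or "ACCEPT"       # -P INPUT ACCEPT


def forward_verdict(p):
    return walk(FILTER, "FORWARD", p) or "ACCEPT"     # -P FORWARD ACCEPT


def delivered_port(p):
    """Destination port after nat PREROUTING (REDIRECT rewrites it)."""
    return SQUID_PORT if walk(NAT, "PREROUTING", p) == "REDIRECT" else p.dport


if __name__ == "__main__":
    print("LAN -> web:80      ->", delivered_port(Pkt(INT_IF, "tcp", "203.0.113.5", 80)))
    print("LAN -> gateway:80  ->", delivered_port(Pkt(INT_IF, "tcp", INT_IP, 80)))
    print("LAN -> web:443     ->", delivered_port(Pkt(INT_IF, "tcp", "203.0.113.5", 443)))
    print("Internet -> eth1:22 NEW  ", input_verdict(Pkt(EXT_IF, "tcp", INT_IP, 22)))
    print("Internet -> eth1:3128 NEW", input_verdict(Pkt(EXT_IF, "tcp", INT_IP, 3128)))
    print("Internet -> ping (type 8)", input_verdict(Pkt(EXT_IF, "icmp", INT_IP, icmp_type="8")))
```

Because INPUT and FORWARD both end in the block chain's unconditional DROP, the ACCEPT policies never come into play; tightening this script is therefore mostly a matter of shrinking TRUSTED_TCP_PORT or adding source restrictions to the services rules.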