Sikkerhet

Squid Transparent HTTP Proxy
code aptitude install squid squid-common code
**Install Squid Proxy**

code cp /etc/squid/squid.conf /etc/squid/squid.conf.back > /etc/squid/squid.conf code
**Backup og tøm squid.conf:**

code http_port 3128 transparent hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? cache deny QUERY acl apache rep_header Server ^Apache access_log /var/log/squid/access.log squid hosts_file /etc/hosts refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern. 0 20% 4320 acl all src 0.0.0.0/0.0.0.0 cache_dir ufs /var/spool/squid 1000 16 256 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 # https, snews acl SSL_ports port 873 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost acl lan src 10.8.0.0/24 # My home network acl badUrl dstdomain www.vg.no http_access deny badUrl # http_access allow localhost http_access allow lan http_access deny all http_reply_access allow all icp_access allow all always_direct allow all coredump_dir /var/spool/squid code
**Legg til i squid.conf** (innholdet over). `cache_dir ufs /var/spool/squid 1000 16 256` gir 1000 MB cache (standard er 100 MB). Egne regler (som `acl lan` og `acl badUrl`) legges inn før `http_access deny all`, siden `http_access` evalueres ovenfra og ned og første treff gjelder.

code iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
**Iptables**

code

Firewall iptables
Lager et start- og et stop-script:

code echo "Stopping firewall" iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT code code sh /root/firewall.stop
**//firewall.stop//**
**//firewall.start//**
# Flush (the flush commands are not shown on this page; firewall.stop empties every chain and resets the policies, so run it first if rules may already be loaded)

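# External interface
EXTIF="eth0"

# Print the first IPv4 address, WITHOUT its /prefix, from `ip addr show`
# output read on stdin.  The previous perl one-liner kept the "/24" suffix,
# which turned every `-s $EXTIP` / `-d $EXTIP` match in the rules below into
# a whole-subnet match instead of a single-host match.
# Prints nothing if no `inet` line is present.
iface_ipv4() {
  awk '$1 == "inet" { sub("/.*", "", $2); print $2; exit }'
}

# External IP address
EXTIP=$(/sbin/ip addr show dev "$EXTIF" | iface_ipv4)

# Internal interface
INTIF="eth1"

# Internal IP address
INTIP="192.168.2.4/32"

# Internal network address
INTNET="192.168.2.0/24"

# anything/everything
UNIVERSE="0.0.0.0/0"

echo "External: [Interface=$EXTIF] [IP=$EXTIP]"
echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]"

echo
printf 'Loading rules...'
echo

# Enabling IP forwarding
# NOTE(review): this is switched on before any rule below is loaded.  If the
# FORWARD policy is ACCEPT at that moment (it is right after firewall.stop),
# the box forwards unfiltered for the instant it takes to load the rules.
# Consider moving this line to the end of the script.
echo 1 > /proc/sys/net/ipv4/ip_forward

ipt="iptables"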


######## INPUT ########

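# Loopback
$ipt -A INPUT -i lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT

# Local interface, local machines
$ipt -A INPUT -i "$INTIF" -s "$INTNET" -d "$UNIVERSE" -j ACCEPT

# Spoofing: internal addresses must never arrive on the external interface
$ipt -A INPUT -i "$EXTIF" -s "$INTNET" -d "$UNIVERSE" -j REJECT

# ICMP (all types, from anywhere)
$ipt -A INPUT -i "$EXTIF" -p ICMP -s "$UNIVERSE" -d "$EXTIP" -j ACCEPT

# Any related traffic back to the server.  This also covers DNS replies:
# the outgoing query (allowed in OUTPUT) creates the conntrack entry that
# the reply matches as ESTABLISHED.
$ipt -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# DNS
# The former rule `-p udp -i $EXTIF --sport 53 --dport 1024:65535 -j ACCEPT`
# has been removed: it accepted ANY UDP packet from the Internet whose source
# port was 53, i.e. it exposed every UDP service on ports 1024-65535 to
# anyone willing to send from port 53.  Replies to our own queries are
# already accepted by the ESTABLISHED,RELATED rule above.

# DHCP (server side, on the internal interface)
for proto in tcp udp; do
  $ipt -A INPUT -i "$INTIF" -p "$proto" --sport 68 --dport 67 -j ACCEPT
done

# SQUID
# The NAT section only redirects clients arriving on the internal interface,
# so the proxy port is opened on $INTIF.  The previous rule used `-i $EXTIF`
# and exposed TCP/3128 to the Internet.  If clients on another interface
# (e.g. a VPN tunnel) must reach the proxy, add a rule for that interface
# rather than the external one.
$ipt -A INPUT -i "$INTIF" -p tcp --dport 3128 -j ACCEPT

# SSH: only from these networks.  No interface restriction is applied;
# 192.168.1.0/24 is not $INTNET, so presumably it sits on the external side.
SSH="192.168.1.0/24 192.168.2.0/24"
for sip in $SSH; do
  $ipt -A INPUT -p tcp -s "$sip" --dport 22 -j ACCEPT
done
$ipt -A INPUT -p tcp --dport 22 -j REJECT

# Reject rest
$ipt -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j REJECT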

######## OUTPUT ########

# Drop outgoing ICMP that conntrack cannot classify
$ipt -A OUTPUT -m conntrack -p icmp --ctstate INVALID -j DROP

# Loopback
$ipt -A OUTPUT -o lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT

# Towards the local net, from either of the server's own addresses
# (external address first, then the internal one)
for own_src in "$EXTIP" "$INTIP"; do
  $ipt -A OUTPUT -o "$INTIF" -s "$own_src" -d "$INTNET" -j ACCEPT
done

# Deny stuffed routing: nothing addressed to the local net may leave via the outside
$ipt -A OUTPUT -o "$EXTIF" -s "$UNIVERSE" -d "$INTNET" -j REJECT

# Block HTTP sites.  With the transparent proxy it is Squid on this host
# that opens the connection, so the block goes in OUTPUT rather than FORWARD.
# NOTE(review): iptables resolves these host names once, when the rules are
# loaded.  Only HTTP is diverted to Squid; HTTPS from the LAN is forwarded
# directly (FORWARD chain) and is not affected by these rules.
SITES="microsoft.com hist.no"
for dip in $SITES; do
  # $ipt -A FORWARD -d $dip -j DROP
  $ipt -A OUTPUT -d "$dip" -j DROP
done

# Everything else leaving the external interface is accepted
$ipt -A OUTPUT -o "$EXTIF" -s "$EXTIP" -d "$UNIVERSE" -j ACCEPT

# DHCP (server replies, broadcast onto the local net)
for proto in tcp udp; do
  $ipt -A OUTPUT -o "$INTIF" -p "$proto" -s "$INTIP" --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
done

# DNS queries
$ipt -A OUTPUT -p udp -o "$EXTIF" --dport 53 --sport 1024:65535 -j ACCEPT

# Reject rest
$ipt -A OUTPUT -s "$UNIVERSE" -d "$UNIVERSE" -j REJECT

######## FORWARD ########

# From the Internet towards the internal net: replies to existing
# connections only
$ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Packets hairpinning on the internal interface
$ipt -A FORWARD -i "$INTIF" -o "$INTIF" -j ACCEPT

# Internal net -> Internet, everything (port 80 never gets here: the NAT
# PREROUTING rule diverts it to Squid first)
$ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT

# Catch-all REJECT
$ipt -A FORWARD -j REJECT


######## NAT ########

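# Squid: divert HTTP (port 80) from LAN clients into the transparent proxy
# on local port 3128.  Only traffic arriving on the internal interface is
# redirected.  Uses $ipt like every other rule in this script (the original
# line called `iptables` directly).
$ipt -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 -j REDIRECT --to-port 3128

# Masquerade
# NOTE(review): this masquerades every source leaving $EXTIF, not just
# $INTNET.  FORWARD only admits $INTIF -> $EXTIF, so the practical effect is
# the same today, but adding `-s "$INTNET"` would make the intent explicit.
$ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE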

**Automatisk loading av iptables:**
code nano /etc/network/if-pre-up.d/iptablesload code
**iptablesload:**

code sh /path/til/firewall.start code

code nano /etc/network/if-post-down.d/iptablestop code
**iptablestop:**

code sh /path/til/firewall.stop code