2025-04-05 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Application of Iptables+l7+squid
iptables is a network-layer firewall: it filters mainly on network-layer and transport-layer fields (addresses, protocols, ports, connection state) and can do little with application-layer content, but it has many other uses, such as NAT.
Layer7 (l7-filter) is a match extension that lets iptables classify a connection by its application-layer protocol, using pattern matching on the first packets of a flow, so rules can be written per application (QQ, Xunlei, PPLive and so on).
Squid is an application-layer proxy. It can filter on the content of the protocols it proxies (URLs, domains, file types, time of day, per-client connection counts), but it only handles those protocols, essentially HTTP and FTP.
So iptables, l7-filter and squid complement each other. Let's illustrate with a small case.
A company has two departments and a manager's office. During office hours (Monday to Saturday) the following Internet access restrictions apply:
Technical Department: may use FTP to upload and download materials; may not chat on QQ, browse the web, or download with Xunlei (Thunder).
Marketing Department: may browse the web, but may not visit certain forbidden sites (sina is the example used), use Xunlei, chat on QQ, use PPLive, or browse pictures. Each user is allowed at most 5 connections.
Manager's office: may use HTTP and QQ.
After work there are no restrictions.
The company also publishes its own www server.
The Linux firewall has three network cards: eth0 is described as connected to the internal network, eth2 to the external network, and eth3 to the DMZ.
eth0 192.168.101.166
eth2 192.168.2.253
eth3 192.168.3.253
Technical Department IP range: 192.168.2.1-192.168.2.100
Marketing Department IP range: 192.168.2.101-192.168.2.200
Manager's office IP range: 192.168.2.201-192.168.2.210
The www server's IP address is 192.168.3.66
The topology diagram is not drawn. Note that this listing is internally inconsistent: the department ranges and squid's visible_hostname (192.168.2.253) sit on eth2, while 192.168.101.166 on eth0 is the address the SNAT rule below translates to, which only makes sense on the Internet-facing side. The rules below use -o eth2 exactly as the original does; check with ip addr which interface actually faces the Internet before applying them.
Analysis:
FTP is controlled with plain iptables; QQ chat and Xunlei downloads are controlled with l7-filter; web browsing, the forbidden sites and picture blocking are controlled with squid.
1. Enable packet forwarding first
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 -- change it to 1 to enable forwarding
sysctl -p -- takes effect immediately
2. Set the default policy to reject
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Do this from the console rather than over SSH: the moment the INPUT policy becomes DROP, a remote session with no matching ACCEPT rule is cut off. With OUTPUT also set to DROP, the firewall's own traffic (squid's page fetches and DNS lookups) must be allowed explicitly, which is done in step 4.
3. Configure SNAT so intranet users can reach the Internet.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE
4. Control
(1) allow FTP
iptables -t filter -A FORWARD -m iprange --src-range 192.168.2.1-192.168.2.100 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -p tcp --dport 21 -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-- let replies and related connections pass. The original lists NEW in this state list as well; that accepts every new connection and makes the DROP policy (and every DROP rule appended after it) meaningless, so it is left out here. FTP data connections are only recognised as RELATED when the connection-tracking helper is loaded (modprobe nf_conntrack_ftp, or ip_conntrack_ftp on older kernels).
(2) deny QQ and Xunlei (strictly not needed because the default policy is DROP, but it makes the intent explicit)
iptables -t filter -A FORWARD -m iprange --src-range 192.168.2.1-192.168.2.200 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -m layer7 --l7proto qq -j DROP
iptables -t filter -A FORWARD -m iprange --src-range 192.168.2.1-192.168.2.200 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -m layer7 --l7proto xunlei -j DROP
Order matters here: layer7 classifies a flow from its first few packets, which by then belong to an ESTABLISHED connection. Appended after the ESTABLISHED,RELATED ACCEPT rule above, these two DROP rules are never reached; insert them in front of it (iptables -I FORWARD 1 ...) or load them first.
(3) Control of squid
vim /etc/squid/squid.conf and change or add the following lines (the numbers are their positions in the default squid.conf):
919 http_port 3128 transparent
2994 visible_hostname 192.168.2.253
4134 dns_nameservers 222.88.88.88 222.85.85.85
Restart squid. The transparent keyword is the Squid 2.6/3.0 syntax; Squid 3.1 and later call the same interception mode intercept. The above is the basic squid configuration; the control configuration follows.
(4) iptables control
iptables -t nat -A PREROUTING -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -p tcp --dport 80 -j REDIRECT --to-port 3128
-- redirect port 80 to 3128 during office hours to get a transparent proxy. The original rule also carries -m connlimit --connlimit-above 5 --connlimit-mask 32, which inverts the requirement: only a client's sixth and later connections are redirected to squid, while the first five bypass it. Enforce the per-user limit separately instead, with a connlimit DROP on port 3128 in INPUT or with squid's own maxconn ACL. Note also that redirected packets are delivered to the firewall itself and traverse INPUT, not FORWARD, so with the INPUT policy at DROP an ACCEPT for tcp --dport 3128 from the intranet is required; the page does not show one, and without it squid never sees a request.
iptables -t filter -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-- replies on connections the firewall itself opened
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.2.101-192.168.2.210 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -p udp --dport 53 -j MASQUERADE
-- NAT for DNS resolution. This rule is redundant: the MASQUERADE rule of step 3 already covers all of 192.168.2.0/24. What the clients actually need is the FORWARD rule that follows.
iptables -t filter -A FORWARD -m iprange --src-range 192.168.2.101-192.168.2.210 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -p udp --dport 53 -j ACCEPT
-- let marketing and the manager's office send DNS queries
iptables -t filter -A OUTPUT -p tcp --dport 80 -s 192.168.101.166 -j ACCEPT
-- let squid fetch pages; its connections leave with the firewall's external address as source
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
-- replies to squid's fetches and DNS queries
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
-- squid's own DNS queries
iptables -t filter -A FORWARD -m iprange --src-range 192.168.2.101-192.168.2.200 -m layer7 --l7proto pplive -j DROP
-- deny PPLive for marketing. Unlike the QQ and Xunlei rules this one has no time match, so it also applies after hours; add -m time if that is not intended.
Squid control of the marketing department: the forbidden sites, the picture blocking and the per-user connection limit belong in squid.conf as acl and http_access lines; the original page does not show them.
Restart squid
iptables -t filter -R FORWARD 8 -m iprange --src-range 192.168.2.201-192.168.2.210 -o eth2 -j ACCEPT
-- replace rule 8 of FORWARD with an unconditional ACCEPT for the manager's office (HTTP and QQ allowed). -R addresses a rule by position, so confirm the number with iptables -L FORWARD --line-numbers first; otherwise the wrong rule is silently overwritten.
Server publishing
iptables -t nat -A POSTROUTING -s 192.168.3.66/32 -o eth2 -j SNAT --to-source 192.168.101.166
-- this translates the www server's outbound connections to the firewall's external address. It does not by itself publish the server: inbound visitors need a DNAT rule in PREROUTING that maps port 80 of the external address to 192.168.3.66, plus a FORWARD ACCEPT for that traffic, neither of which the page shows.
(5) No restrictions after work
iptables -t filter -A FORWARD -m iprange --src-range 192.168.2.201-192.168.2.210 -o eth2 -j ACCEPT
The time match on the restrictive rules is what makes them stop applying: outside 08:00-20:00, and on days not listed in --weekdays, they simply do not match. Two caveats. The rules list Mon,Tue,Wed,Thu,Fri, so as written Saturday is unrestricted as well; add Sat if Saturday is a working day, as the requirements say. And with a FORWARD policy of DROP, "not matching a restriction" is not the same as "allowed": a rule that accepts the intranet's traffic unconditionally, placed after a time-bound DROP, is still needed for after-hours access, and the page does not include it.
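As an added example (not the original page's commands, and not something the page's author ran), here is the whole policy of steps 1 to 5 assembled into one script that prints the rules in the order they must be loaded, so they can be reviewed before being applied as root. Addresses, department ranges, the Mon-Fri 08:00-20:00 window and port 3128 are the page's. Assumptions: WAN_IF=eth2 follows the page's "-o eth2" and must be checked against the real layout; the nf_conntrack_ftp module, the INPUT/OUTPUT rules that let clients reach squid and squid reach the Internet, the DNAT that publishes the www server, the after-hours catch-all ACCEPT, and the squid ACLs (.sina.com as the forbidden site, a picture-extension regex, maxconn 5) are additions the page does not show.

```shell
#!/bin/sh
# Added example for the Iptables+l7+squid case: prints the rule set in load
# order. Review with "sh fw.sh --print | less", apply with
# "sh fw.sh --print | sudo sh". Not the original page's commands.
# Assumptions: WAN_IF follows the page's -o eth2 (verify with ip -br addr);
# nf_conntrack_ftp, the port-3128 INPUT rules, the www DNAT, the after-hours
# catch-all and the squid ACLs are additions the page does not show.

WAN_IF=eth2
WAN_IP=192.168.101.166
WWW=192.168.3.66
LAN=192.168.2.0/24
OFFICE='-m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri'
TECH='-m iprange --src-range 192.168.2.1-192.168.2.100'
MKT='-m iprange --src-range 192.168.2.101-192.168.2.200'
MGR='-m iprange --src-range 192.168.2.201-192.168.2.210'
STAFF='-m iprange --src-range 192.168.2.1-192.168.2.200'
DNSOK='-m iprange --src-range 192.168.2.101-192.168.2.210'

emit_rules() {
cat <<EOF
modprobe nf_conntrack_ftp
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# nat: masquerade the intranet, SNAT the www server, publish it with DNAT,
# and send marketing's office-hours web traffic to squid (managers go direct)
iptables -t nat -A POSTROUTING -s $LAN -o $WAN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $WWW -o $WAN_IF -j SNAT --to-source $WAN_IP
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WWW
iptables -t nat -A PREROUTING $MKT $OFFICE -p tcp --dport 80 -j REDIRECT --to-port 3128
# FORWARD: layer7 DROPs first, before the ESTABLISHED accept, or they never match
iptables -A FORWARD $STAFF $OFFICE -m layer7 --l7proto qq -j DROP
iptables -A FORWARD $STAFF $OFFICE -m layer7 --l7proto xunlei -j DROP
iptables -A FORWARD $MKT $OFFICE -m layer7 --l7proto pplive -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -d $WWW -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD $TECH -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD $DNSOK -p udp --dport 53 -j ACCEPT
iptables -A FORWARD $MGR -o $WAN_IF -j ACCEPT
# office hours: anything not accepted above is dropped; after hours: everything passes
iptables -A FORWARD -s $LAN $OFFICE -j DROP
iptables -A FORWARD -s $LAN -o $WAN_IF -j ACCEPT
# INPUT: redirected web traffic lands here; the connlimit DROP sits before the ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $LAN -p tcp --dport 3128 -m connlimit --connlimit-above 5 --connlimit-mask 32 -j DROP
iptables -A INPUT -s $LAN -p tcp --dport 3128 -j ACCEPT
# OUTPUT: squid's page fetches and resolver queries
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
EOF
}

# Squid side of the marketing policy (assumed ACLs; the page only states the
# requirements). Append to squid.conf above its final "http_access deny all".
emit_squid_acl() {
cat <<'EOF'
acl marketing src 192.168.2.101-192.168.2.200
acl office time MTWHF 08:00-20:00
acl badsites dstdomain .sina.com .sina.com.cn
acl pictures urlpath_regex -i \.(jpg|jpeg|gif|png|bmp)$
acl toomany maxconn 5
http_access deny marketing office badsites
http_access deny marketing office pictures
http_access deny marketing toomany
http_access allow marketing
EOF
}

# 1-based line of the first emitted command containing PATTERN (0 if none).
rule_index() {
    n=$(emit_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Ordering check: every layer7 DROP precedes the ESTABLISHED,RELATED ACCEPT,
# and the office-hours DROP precedes the after-hours catch-all ACCEPT.
check_order() {
    est=$(rule_index 'FORWARD -m state --state ESTABLISHED')
    for p in qq xunlei pplive; do
        i=$(rule_index "--l7proto $p")
        [ "$i" -gt 0 ] && [ "$i" -lt "$est" ] || return 1
    done
    d=$(rule_index "-s $LAN $OFFICE -j DROP")
    a=$(rule_index "-s $LAN -o $WAN_IF -j ACCEPT")
    [ "$d" -gt 0 ] && [ "$d" -lt "$a" ]
}

if [ "${1:-}" = "--print" ]; then
    emit_rules
    emit_squid_acl
fi
```

The script deliberately prints rather than executes: the output is read once, the interface names are corrected if ip addr disagrees with the page's layout, and only then is it piped to a root shell. check_order encodes the two ordering mistakes discussed above (layer7 DROPs appended after the ESTABLISHED accept, and a time-bound DROP that has to sit in front of the unconditional after-hours ACCEPT), so it fails if a rule is moved to the wrong place. On Squid 3.1 or later replace transparent with intercept in http_port.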