Shulou(Shulou.com)06/01 Report--

Application of Iptables+l7+squid

Iptables is a network layer firewall, which is mainly used for filtering in the network layer and transport layer. It has less filtering on the application layer, but supports more applications, such as NAT conversion.

Layer7 enables iptables to filter based on the application layer

Squid is an application layer proxy server, which can filter not only the network layer, but also the application layer, but supports few applications.

So iptables+l7+squid is a perfect combination. Let's illustrate it through a small case.

A company, which has two departments and a manager department, requires them to have the following Internet access restrictions during office hours (Monday to Saturday):

Technical Department: you can use ftp to upload and download materials, do not use QQ chat, do not allow browsing the web, do not allow the use of Thunderbolt to download things.

Marketing Department: you can browse the web, but you are not allowed to visit some illegal sites, such as sina, and you are not allowed to use Xunlei, chat with QQ, use pplive, or browse pictures. The maximum number of connections per user is 5.

Http qq can be used by managers.

There are no restrictions after work.

The company will also release its own www server.

The eth0 network card of Linux firewall is connected to the internal network, the eth2 network card is connected to the external network, and the eth3 network card is connected to DMZ.

Eth0 192.168.101.166

Eth2 192.168.2.253

Eth3 192.168.3.253

Ip range of Technology Department 192.168.2.1Muhami Murray 192.168.2.100

Marketing ip range 192.168.2.101-192.168.2.200

Manager office ip range 192.168.2.201Murray 192.168.2.210

The www server ip address is 192.168.3.66

The topology diagram will not be drawn.

Analysis:

Ftp control we use iptables, for QQ chat, Thunderbolt download control we use L7 control, for web browsing, forbidden to browse illegal sites, picture information we use squid control.

1. Enable the packet forwarding function first

Vim / etc/sysctl.conf

Net.ipv4.ip_forward = 1-- change it to 1 to enable forwarding

Sysctl-p-effective immediately

2. Set the default rejection

Iptables-P INPUT DROP

Iptables-P OUTPUT DROP

Iptables-P FORWARD DROP

3. Configure SNAT to enable intranet users to surf the Internet.

Iptables-t nat-A POSTROUTING-s 192.168.2.0 take 24-o eth2-j MASQUERADE

4. Control

(1) allow ftp

Iptables-t filter-A FORWARD-m iprange-src-range 192.168.2.1-192.168.2.100-m time-timestart 08:00-timestop 20:00-weekdays Mon,Tue,Wed,Thu,Fri-p tcp-dport 21-j ACCEPT

Iptables-t filter-A FORWARD-m state-- state ESTABLISHED,RELATED,NEW-j ACCEPT

-- allow forwarded pass

(2) disable QQ and Thunderbolt (it is OK not to write rules, but reject by default, strengthen it)

Iptables-t filter-A FORWARD-m iprange-- src-range 192.168.2.1-192.168.2.200-m time-timestart 08:00-- timestop 20:00-- weekdays Mon,Tue,Wed,Thu,Fri-m layer7-- l7proto qq-j DROP

Iptables-t filter-A FORWARD-m iprange-- src-range 192.168.2.1-192.168.2.200-m time-timestart 08:00-- timestop 20:00-- weekdays Mon,Tue,Wed,Thu,Fri-m layer7-- l7proto xunlei-j DROP

(3) Control of squid

Vim / etc/squid/squid.conf modifies and adds the following lines as follows:

919 http_port 3128 transparent

2994 visible_hostname 192.168.2.253

4134 dns_nameservers 222.88.88.88 222.85.85.85

Restart squid. The above is the basic configuration of squid, and the following is the control configuration.

(4) iptables control

Iptables-t nat-A PREROUTING-m time-- timestart 08:00-- timestop 20:00-- weekdays Mon,Tue,Wed,Thu,Fri-m connlimit--connlimit-above 5-- connlimit-mask 32-p tcp-- dport 80-j REDIRECT-- to-port 3128

-- reset port 80 to 3128 to achieve transparent proxy

Iptables-t filter-An OUTPUT-m state-- state EASTABLISHED-j ACCEPT

Iptables-t nat-A POSTROUTING-m iprange-- src-range 192.168.2.101-192.168.2.210-m time-- timestart 08:00-- timestop 20:00-- weekdays Mon,Tue,Wed,Thu,Fri-p udp-- dport 53-j MASQUERADE-- NAT DNS resolution (this rule does not seem to use traffic matching)

Iptables-t filter-A FORWARD-m iprange-- src-range 192.168.2.101-192.168.2.210-m time-- timestart 08:00-timestop 20:00-- weekdays Mon,Tue,Wed,Thu,Fri-p udp-- dport 53-j ACCEPT--

Iptables-t filter-An OUTPUT-p tcp-- dport 80-s 192.168.101.166-j ACCEPT

Iptables-An INPUT-m state-- state ESTABLISHED-j ACCEPT

Iptables-t filter-An OUTPUT-p udp-- dport 53-j ACCEPT-- queries that allow squid agents

Iptables-t filter-A FORWARD-m iprange-- src-range 192.168.2.101-192.168.2.200-m layer7-- l7proto pplive-j DROP

Squid control of marketing department

Restart squid

Iptables-t filter-R FORWARD 8-m iprange-- src-range 192.168.2.201-192.168.2.210-o eth2-j ACCEPT

Server publish

Iptables-t nat-A POSTROUTING-s 192.168.3.66 eth2 32-o eth2-j SNAT-- to 192.168.101.166

(5) No restrictions after work

Iptables-t filter-A FORWARD-m iprange-- src-range 192.168.2.201-192.168.2.210-o eth2-j ACCEPT

What is not allowed on Saturday and Sunday is. ) function to achieve!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.