Tested the patch for Ipcop ... not running. ClearOS was the same, so in the end I went with Ubuntu because Pfsense crashes rather often, ... don't know why.
To keep this short, we assume eth0 is the internet link and eth1 is the link to the clients.
1. Set the IP addresses:
Set the IPs on the interfaces: sudo vim /etc/network/interfaces

auto eth0
iface eth0 inet static
address 192.168.1.70
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
# post-up iptables-restore < /etc/iptables.up.rules
# dns-* options are implemented by the resolvconf package, if installed
# dns-nameservers 202.134.0.155
#post-up iptables-restore < /etc/iptables.up.rules

auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
# gateway 192.168.1.7
# (commented out: 192.168.1.7 is not on eth1's subnet, and eth0 already
# provides the default route; a second gateway line would make ifup fail)

2. Install squid and configure it: sudo apt-get install squid
Edit /etc/squid/squid.conf:

# Squid normally listens to port 3128
http_port 3128 transparent
acl our_networks src 192.168.0.0/24
acl localnet src 127.0.0.1/255.255.255.255
http_access allow our_networks
http_access allow localnet

#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl our_networks src 192.168.0.0/24
acl localnet src 127.0.0.1/255.255.255.255

#Default:
# http_access deny all
http_access allow our_networks
http_access allow localnet

# TAG: access_log
# These files log client request activities. Has a line every HTTP or
# ICP request. The format is:
# access_log <filepath> [<logformat name> [acl acl ...]]
# access_log none [acl acl ...]]
#
# Will log to the specified file using the specified format (which
# must be defined in a logformat directive) those entries which match
# ALL the acl's specified (which must be defined in acl clauses).
# If no acl is specified, all requests will be logged to this file.
#
# To disable logging of a request use the filepath "none", in which case
# a logformat name should not be specified.
#
# To log the request via syslog specify a filepath of "syslog":
#
# access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
# where facility could be any of:
# authpriv, daemon, local0 .. local7 or user.
#
# And priority could be any of:
# err, warning, notice, info, debug.
access_log /var/log/squid/access.log

3. Next, copy the following script: sudo vim /etc/fw.proxy
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.70"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# ssh, so the server can be administered remotely from this IP segment
iptables -A INPUT -p TCP -s 202.58.180.0/24 --dport 22 -j ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

4. Make the file executable: chmod +x /etc/fw.proxy
5. Add that path to rc.local: sudo vim /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/etc/fw.proxy

exit 0

6. Then check the result of the configuration in the log: tail -f /var/log/squid/access.log
1294469829.027 220 192.168.0.49 TCP_MISS/200 1032 GET http://scr.kliksaya.com/js-ad.php? - DIRECT/203.211.149.124 text/html
1294469829.115 3620 192.168.0.49 TCP_MISS/200 532 GET http://router.infolinks.com/gsd/1294469817940.0? - DIRECT/74.200.228.171 text/javascript
1294469829.360 562 192.168.0.49 TCP_MISS/200 910 GET http://a.tribalfusion.com/j.ad? - DIRECT/204.11.109.22 application/x-javascript
1294469829.536 154 192.168.0.49 TCP_MISS/200 1030 GET http://scr.kliksaya.com/js-ad.php? - DIRECT/203.211.149.124 text/html
1294469829.642 83 192.168.0.49 TCP_MISS/200 1132 GET http://scr5.kliksaya.com/ifr-ba.php? - DIRECT/203.211.149.120 text/html
1294469829.657 103 192.168.0.49 TCP_MISS/200 719 GET http://www.stafaband.info/embed-34924.html - DIRECT/49.0.4.68 text/html
1294469829.715 172 192.168.0.49 TCP_MISS/200 5246 GET http://scr3.kliksaya.com/ifr-ad.php? - DIRECT/203.211.149.126 text/html
1294469829.758 142 192.168.0.49 TCP_MISS/200 1402 GET http://stafaband.info/digital.php - DIRECT/49.0.4.68 text/html
1294469829.804 221 192.168.0.49 TCP_MISS/200 3220 GET http://scr3.kliksaya.com/ifr-ad.php? - DIRECT/203.211.149.126 text/html
1294469829.810 191 192.168.0.49 TCP_MISS/200 472 GET http://www.google-analytics.com/__utm.gif? - DIRECT/209.85.175.100 image/gif
1294469830.056 356 192.168.0.49 TCP_MISS/200 281 GET http://www.facebook.com/extern/login_status.php? - DIRECT/69.63.181.15 text/html
1294469830.533 700 192.168.0.49 TCP_MISS/200 4101 GET http://www.facebook.com/plugins/like.php? - DIRECT/69.63.181.15 text/html
1294469830.666 804 192.168.0.49 TCP_MISS/200 4281 GET http://www.facebook.com/plugins/like.php? - DIRECT/69.63.181.15 text/html
1294469830.706 948 192.168.0.49 TCP_MISS/200 6882 GET http://www.facebook.com/plugins/comments.php? - DIRECT/69.63.181.15 text/html
1294469831.171 312 192.168.0.49 TCP_MISS/200 800 GET http://www.facebook.com/campaign/impression.php? - DIRECT/69.63.181.15 image/gif
1294469831.502 315 192.168.0.49 TCP_MISS/200 800 GET http://www.facebook.com/campaign/impression.php? - DIRECT/69.63.181.15 image/gif
1294469831.886 701 192.168.0.49 TCP_MISS/200 1421 GET http://api.recaptcha.net/challenge? - DIRECT/64.34.251.151 text/javascript
1294469832.234 324 192.168.0.49 TCP_MISS/200 706 GET http://www.google.com/recaptcha/api/challenge? - DIRECT/209.85.175.99 text/javascript
1294469832.427 172 192.168.0.49 TCP_MISS/200 3784 GET http://www.google.com/recaptcha/api/image? - DIRECT/209.85.175.99 image/jpeg
1294469833.433 1533 192.168.0.49 TCP_MISS/200 707 GET http://www.facebook.com/ajax/captcha/recaptcha_log_actions.php? - DIRECT/69.63.
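As an added example that is not from the original post, the POSIX shell script below summarises access.log lines in the native format shown above (time, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, type) per client IP and flags any client outside the 192.168.0.0/24 range that the squid.conf ACL allows. The embedded log lines are constructed, and LAN_PREFIX is an assumption taken from that ACL.

```shell
#!/bin/sh
# Added example (not the post's own code): per-client summary of a Squid
# native-format access.log, plus a list of clients the LAN ACL does not cover.

LAN_PREFIX="192.168.0."   # assumption: matches "acl our_networks src 192.168.0.0/24"

# Constructed sample log: same layout as the post's tail output, values invented.
SAMPLE_LOG='1294469829.027    220 192.168.0.49 TCP_MISS/200 1032 GET http://scr.kliksaya.com/js-ad.php? - DIRECT/203.211.149.124 text/html
1294469829.360    562 192.168.0.49 TCP_MISS/200 910 GET http://a.tribalfusion.com/j.ad? - DIRECT/204.11.109.22 application/x-javascript
1294469830.056    356 192.168.0.50 TCP_HIT/200 281 GET http://www.facebook.com/extern/login_status.php? - NONE/- text/html
1294469831.171    312 10.9.8.7 TCP_DENIED/403 1450 GET http://example.com/ - NONE/- text/html'

# squid_summary LOGTEXT
# Prints one line per client: "client requests bytes denied", sorted by client.
# Field 3 is the client IP, field 4 the result/status code, field 5 the bytes sent.
squid_summary() {
    printf '%s\n' "$1" | awk '
        { n[$3]++; b[$3] += $5; if ($4 ~ /^TCP_DENIED/) d[$3]++ }
        END { for (c in n) printf "%s %d %d %d\n", c, n[c], b[c], d[c] + 0 }
    ' | sort
}

# squid_foreign_clients LOGTEXT
# Prints, one per line, every client IP that does not start with LAN_PREFIX.
# Such entries mean the proxy is reachable from outside the LAN the ACL allows.
squid_foreign_clients() {
    printf '%s\n' "$1" | awk -v p="$LAN_PREFIX" '
        substr($3, 1, length(p)) != p { print $3 }
    ' | sort -u
}

echo "== requests/bytes/denied per client =="
squid_summary "$SAMPLE_LOG"
echo "== clients outside $LAN_PREFIX0/24 =="
squid_foreign_clients "$SAMPLE_LOG"
```

Run it against the live file with `squid_summary "$(cat /var/log/squid/access.log)"`; a non-empty foreign-client list is worth checking against the PREROUTING rules above.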
7. Done.