Building home router + squid. iptables help please?
by jmgibson1981 from LinuxQuestions.org on (#5AEVA)
After much Googling I managed to put together this little script to semi-automate assembling a router for myself. It will be based on Ubuntu Focal. I've got this fully functional inside a virtual machine + virtual network in VirtualBox. I have yet to move to bare metal. I want to make sure that I'm completely shutting down anything that comes in on the WAN side. I have no need for any open ports, no VPN or anything. This is more to make the best use of the limited bandwidth we can get here.
What changes need to be made to block anything incoming on the WAN, save for the 80 / 443 or whatever due to normal internet usage?
Code:
#!/bin/sh
# tadaen sylvermane | jason gibson
# simple home router setup
# begin script #
case "$1" in
    routersetup)
        # a router has to forward between interfaces; this is off by default on Ubuntu
        sysctl -w net.ipv4.ip_forward=1
        # -mindepth 1 keeps /sys/class/net/ itself out of the loop
        for interface in $(find /sys/class/net/ -mindepth 1 -maxdepth 1) ; do
            ifname=$(basename "$interface")
            case "$ifname" in
                lo|veth*)
                    continue
                    ;;
                *)
                    # first IPv4 address on this interface, prefix length stripped
                    ifip=$(ip -4 -o addr show dev "$ifname" | awk 'NR==1 {print $4}' | cut -d/ -f1)
                    if [ -n "$ifip" ] ; then
                        case "$ifip" in
                            192.168.*.*|172.17.*.*)
                                # LAN side: make sure the interface's /24 is routed out of it
                                # (ip route replaces the net-tools "route", which Focal does not ship by default)
                                MODIFIEDIP=$(echo "$ifip" | cut -d. -f1-3).0/24
                                ip route replace "$MODIFIEDIP" dev "$ifname"
                                ;;
                            *)
                                # anything else is treated as the WAN side: NAT outbound traffic
                                iptables -t nat -A POSTROUTING -o "$ifname" -j MASQUERADE
                                ;;
                        esac
                    fi
                    ;;
            esac
        done
        ;;
    squidsetup)
        # https://gist.github.com/maprangzth/453373f3052a0bd7d77b8689ada4dc40
        # destinations that must never be sent through the proxy
        # (loopback and "this network" are /8; the private ranges match the
        # 192.168.*.* / 172.17.*.* LAN test in routersetup above)
        iptables -t nat -N NO_PROXY
        iptables -t nat -A NO_PROXY -d 0.0.0.0/8 -j ACCEPT
        iptables -t nat -A NO_PROXY -d 127.0.0.0/8 -j ACCEPT
        iptables -t nat -A NO_PROXY -d 172.17.0.0/16 -j ACCEPT
        iptables -t nat -A NO_PROXY -d 192.168.0.0/16 -j ACCEPT
        iptables -t nat -A NO_PROXY -j RETURN
        # everything else on 80/443 is transparently redirected to squid's intercept ports
        iptables -t nat -A PREROUTING -p tcp --dport 80 -j NO_PROXY
        iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3129
        iptables -t nat -A PREROUTING -p tcp --dport 443 -j NO_PROXY
        iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3130
        ;;
    *)
        echo "usage: ${0} (routersetup|squidsetup)"
        exit 1
        ;;
esac
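The script above only sets up NAT and the squid redirect; the WAN-side blocking the post asks about lives in the filter table. The following is an added example, not code from the original post: a stateful default-drop ruleset where the WAN interface gets no ACCEPT at all, replies to LAN-initiated connections come back through conntrack, and dropped WAN packets are rate-limited into the kernel log for visibility. WAN_IF and LAN_IF (eth0 / eth1) are placeholders for the real interface names.

```shell
#!/bin/sh
# Added example (not from the original post): stateful default-drop filtering
# for the WAN side of the router described above. WAN_IF / LAN_IF are
# assumptions; eth0 and eth1 are placeholders for the real interface names.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Print the iptables commands for a given WAN/LAN pair. Printing instead of
# running them makes the ruleset reviewable (and testable) without root.
build_filter_rules() {
    wan="$1"
    lan="$2"
    # Policies are set before the flush so the tables fail closed while rebuilt.
    # Nothing arriving on $wan is ever ACCEPTed: return traffic for connections
    # the LAN (or the router itself) opened is admitted by conntrack, and the
    # squid REDIRECTs from the nat table land in INPUT, where only $lan passes.
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $lan -j ACCEPT
iptables -A INPUT -i $wan -m limit --limit 5/minute -j LOG --log-prefix "WAN-DROP: "
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
EOF
}

# Pass "apply" to execute the rules; anything else just prints them for review.
if [ "${1:-}" = "apply" ]; then
    build_filter_rules "$WAN_IF" "$LAN_IF" | sh -e
else
    build_filter_rules "$WAN_IF" "$LAN_IF"
fi
```

The squid REDIRECT rules in the post match on every interface, so adding `-i "$LAN_IF"` to them keeps WAN packets from even reaching the intercept ports; the same treatment is needed in ip6tables if the WAN link carries IPv6, since these rules only cover IPv4.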