Slackware 12.2 - Installing TPROXY Squid 3.1.0.8 with linux router ================================================================== Public domain ******************************************************************************** ### kernel 2.6.28.3 cd /usr/src wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.3.tar.bz2 tar jxf linux-2.6.28.3.tar.bz2 ln -sfn linux-2.6.28.3 linux cd linux cp /boot/config .config make menuconfig Load an Alternate Configuration File .config Ok -*- Networking support ---> Networking options ---> [*] Network packet filtering framework (Netfilter) ---> Core Netfilter Configuration ---> Transparent proxying support (EXPERIMENTAL) "TPROXY" target support (EXPERIMENTAL) "recent" match support [*] Enable obsolete /proc/net/ipt_recent "socket" match support (EXPERIMENTAL) make all && make modules_install /bin/cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.28.3 /bin/cp System.map /boot/System.map-2.6.28.3 /bin/cp .config /boot/config-2.6.28.3 ******************************************************************************** ### /etc/lilo.conf boot = /dev/hda bitmap = /boot/slack.bmp bmp-colors = 255,0,255,0,255,0 bmp-table = 60,6,1,16 bmp-timer = 65,27,0,255 append=" vt.default_utf8=0" prompt timeout = 50 lba32 default = S12-2.6.28.3 vga = 791 image = /boot/vmlinuz root = /dev/hda2 label = Slackware12.2 read-only image = /boot/vmlinuz-2.6.28.3 root = /dev/hda2 label = S12-2.6.28.3 read-only ******************************************************************************** ### new kernel startup lilo reboot ******************************************************************************** ### libcap 2.16 cd /usr/src wget http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.16.tar.gz tar zxf libcap-2.16.tar.gz cd libcap-2.16 make && make install ******************************************************************************** ### iptables 1.4.3 cd /usr/src wget 
http://www.netfilter.org/projects/iptables/files/iptables-1.4.3.tar.bz2 tar jxf iptables-1.4.3.tar.bz2 cd iptables-1.4.3 ./configure --prefix=/usr && make removepkg iptables make install reboot ******************************************************************************** ### squid 3.1.0.8 vi /usr/include/bits/typesizes.h #define __FD_SETSIZE 16384 cd /usr/src wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.0.8.tar.bz2 tar jxf squid-3.1.0.8.tar.bz2 cd squid-3.1.0.8 ulimit -HSn 16384 ulimit -HSd unlimited ./configure \ --prefix=/usr/local/squid \ --enable-forward-log \ --enable-follow-x-forwarded-for \ --enable-snmp \ --enable-linux-netfilter \ --enable-http-violations \ --enable-delay-pools \ --enable-storeio=diskd,aufs,ufs \ --with-large-files \ --enable-large-cache-files \ --with-filedescriptors=16384 \ --enable-async-io=128 \ --enable-removal-policies=lru,heap \ --enable-useragent-log \ --enable-referer-log \ --enable-err-languages=English \ --enable-default-err-language=English make make install cp /usr/local/squid/etc/squid.conf{,.bak} ******************************************************************************** ### /usr/local/squid/etc/squid.conf acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports acl our_networks src 80.191.195.0/24 78.38.32.0/24 78.38.34.0/24 217.218.229.128/26 217.218.230.111 http_access allow our_networks http_access allow localhost http_access deny all 
icp_access deny all http_port 3128 tcpkeepalive=60,10,6 http_port 3129 tproxy tcpkeepalive=60,10,6 hierarchy_stoplist cgi-bin ? dll aspx cache_mem 2000 MB maximum_object_size_in_memory 64 KB cache_replacement_policy heap LFUDA cache_dir aufs /cache/1 51200 16 256 max-size=262144 cache_dir aufs /cache/2 51200 16 256 max-size=524288 cache_dir aufs /cache/3 51200 16 256 max-size=2097152 cache_dir aufs /cache/4 51200 16 256 maximum_object_size 102400 KB cache_swap_high 100 cache_swap_low 95 logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs % /proc/sys/net/ipv4/ip_local_port_range ulimit -HSn 16384 ulimit -HSd unlimited /usr/local/squid/sbin/squid echo "Ok" } stop() { echo 'Stoping TPROXY Squid' /usr/local/squid/sbin/squid -k shutdown time=0 while [ $time != "300" ] ; do time=`expr $time + 1` echo -n $time if [ ! -f /usr/local/squid/var/squid.pid ] ; then break else echo -n "." fi sleep 1 done echo ". .Ok" } case "$1" in 'start') start ;; 'stop') stop ;; 'restart') stop start ;; 'rotate') echo -n 'Rotating TPROXY Squid log files . . . 
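'
      /usr/local/squid/sbin/squid -k rotate
      echo "Ok"
      ;;
  *)
      echo "usage $0 start|stop|restart|rotate"
      ;;
esac
********************************************************************************
### /usr/local/sbin/tproxy-divert
#!/bin/bash
# Rebuilds the mangle table for TPROXY interception on the cache box:
#   - DOS-PROOF: per-source limiter on NEW TCP connections (LOG + DROP)
#   - DIVERT:    marks packets that belong to sockets Squid already owns
#   - TPROXY:    hands new port-80 connections to the tproxy listener
#                (http_port 3129 tproxy in squid.conf)
# Must run as root. It flushes the WHOLE mangle table first, so any other
# mangle rules on this host are lost every time it runs.

# Config
TCPHIT="255"    # NEW TCP connections per source address within SEC before LOG+DROP
SEC="1"

# Flush mangle table
iptables -t mangle -F
iptables -t mangle -X
sleep 1

# Load recent module
# ip_list_tot / ip_pkt_list_tot / ip_list_hash_size are load-time module
# parameters, so the module is unloaded and reloaded to apply them.
# hitcount (TCPHIT) must not exceed ip_pkt_list_tot; keep the two in step.
KERNEL_VERSION=$(uname -r)
RECENT_KO=$(find "/lib/modules/${KERNEL_VERSION}" -iname "*recent.ko" | head -n 1)
if [ -z "${RECENT_KO}" ]; then
  echo "tproxy-divert: no recent match module found under /lib/modules/${KERNEL_VERSION}" >&2
  exit 1
fi
RECENT_MODULE=$(basename "${RECENT_KO}" .ko)
# rmmod fails when the module is not loaded yet (first run); that is expected.
/sbin/rmmod "${RECENT_MODULE}" 2>/dev/null
/sbin/modprobe "${RECENT_MODULE}" ip_list_tot=2048 ip_pkt_list_tot=255 ip_list_hash_size=0 \
  || echo "tproxy-divert: modprobe ${RECENT_MODULE} failed; DOS-PROOF rules below will not load" >&2

# Anti DOS attack chain
# A source that already has TCPHIT NEW connections recorded within the last
# SEC seconds is logged and dropped; otherwise it is recorded (--set) and the
# packet returns to PREROUTING.
# NOTE(review): the budget is per source address, so many clients behind one
# NAT address share it and can be dropped together. The LOG rule has no rate
# limit of its own, so a flood also floods the kernel log.
iptables -t mangle -N DOS-PROOF
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --rcheck --rttl --hitcount "${TCPHIT}" --seconds "${SEC}" --name TCP-RECENT-DOS-PROOF \
  -j LOG --log-prefix "TCP:FLOOD:"
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --rcheck --rttl --hitcount "${TCPHIT}" --seconds "${SEC}" --name TCP-RECENT-DOS-PROOF \
  -j DROP
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
  -m recent --set --name TCP-RECENT-DOS-PROOF -j RETURN
iptables -t mangle -A DOS-PROOF -j RETURN

# Divert chain
# Packets for which a local socket already exists (-m socket below) only need
# fwmark 1 so the rc.local policy route (fwmark 1 -> table 100 -> local)
# delivers them to Squid instead of forwarding them.
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

# Calling chains
iptables -t mangle -A PREROUTING -j DOS-PROOF
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
********************************************************************************
### /etc/rc.d/rc.local
# use less swap memory
echo 50 > /proc/sys/vm/swappiness
# tcp keep alive tuning (same 60,10,6 as tcpkeepalive= on the http_port lines)
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes
# Start TPROXY Squid Cache Server:
if [ -x /etc/rc.d/rc.squid ]; then
  /etc/rc.d/rc.squid start
fi
# TPROXY Divert (kept commented: these rules now live in /usr/local/sbin/tproxy-divert)
#iptables -t mangle -N DIVERT
#iptables -t mangle -A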
DIVERT -j MARK --set-mark 1 #iptables -t mangle -A DIVERT -j ACCEPT #iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT #iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129 # TPROXY Route ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 # Divert /usr/local/sbin/tproxy-divert ******************************************************************************** ### /etc/rc.d/rc.local_shutdown #!/bin/bash # Stop TPROXY Squid Cache server: if [ -x /etc/rc.d/rc.squid ]; then /etc/rc.d/rc.squid stop fi ******************************************************************************** ### /etc/logrotate.d/squid /usr/local/squid/var/logs/access.log { daily rotate 186 start 1 copytruncate compress compresscmd /usr/bin/bzip2 compressext .bz2 compressoptions -sq9 dateext notifempty missingok } /usr/local/squid/var/logs/cache.log /usr/local/squid/var/logs/store.log { daily rotate 31 start 1 copytruncate compress compresscmd /usr/bin/bzip2 compressext .bz2 compressoptions -sq9 dateext notifempty missingok sharedscripts postrotate /usr/local/squid/sbin/squid -k rotate endscript } ******************************************************************************** ### First time lunch mkdir /usr/local/squid/var/cache mkdir -p /cache/{1,2,3,4} chown -R nobody:nobody /cache chown -R nobody:nobody /usr/local/squid/var/logs chmod +x /etc/rc.d/rc.local_shutdown chmod +x /etc/rc.d/rc.squid /usr/local/squid/sbin/squid -z /etc/rc.d/rc.squid start if [ ! 
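-d /usr/local/squid/share/errors/fa-ir/ ]; then
  # Provide a fa-ir error-page directory (a link to the English set) if none is installed.
  ln -sfn /usr/local/squid/share/errors/en /usr/local/squid/share/errors/fa-ir
fi
********************************************************************************
### Linux Router / cache-redirect
#!/bin/bash
# Runs on the router. Builds the CACHE-REDIRECT mangle chain that marks
# port-80 traffic to and from CLIENTS with MARK, and the policy route that
# sends marked packets to the cache box (CACHEIP) via TABLE. Both directions
# are marked because TPROXY on the cache box needs to see the return path
# too. Idempotent: every object is only created if it is not already there.
# Must run as root.

## Config
CLIENTS="80.191.195.0/24"          # space separated networks to redirect
EXCLUDES="lksjdns"                 # space separated hosts/networks never redirected (appears to be a placeholder)
CACHEIP="80.191.195.27"
CACHEMAC="00:17:9a:78:43:7e"
INTIF="eth1"                       # not used below
MARK="1000"
TABLE="4"
##########

# Check if rule not exist, add new rule
# -w so that "lookup 4" does not also match "lookup 40".
if ! ip rule show | grep -qw -- "lookup ${TABLE}"; then
  ip rule add fwmark "${MARK}" table "${TABLE}"
fi

# Check if route not exist, add new route
# -F -w: the address is a literal, not a regex (dots would match anything).
if ! ip route show table "${TABLE}" | grep -qwF -- "${CACHEIP}"; then
  ip route add default via "${CACHEIP}" table "${TABLE}"
fi

# Check if chain not exist, add new chain
# Listing the chain by name is the direct existence test; grepping the whole
# table would also match the reference in PREROUTING.
if ! iptables -t mangle -nL CACHE-REDIRECT >/dev/null 2>&1; then
  iptables -t mangle -N CACHE-REDIRECT
fi

# Rebuild the chain from scratch; the per-network checks below only guard
# against duplicates inside CLIENTS / EXCLUDES.
iptables -t mangle -F CACHE-REDIRECT

# Check if excluded clients not exist, add excluded clients to chain
for NET in ${EXCLUDES}; do   # word-split on purpose
  if ! iptables -t mangle -L CACHE-REDIRECT -nxv | grep -qwF -- "${NET}"; then
    iptables -t mangle -A CACHE-REDIRECT -s "${NET}" -j RETURN
    iptables -t mangle -A CACHE-REDIRECT -d "${NET}" -j RETURN
  fi
done

# Check if clients not exist, add clients to chain
for NET in ${CLIENTS}; do    # word-split on purpose
  if ! iptables -t mangle -L CACHE-REDIRECT -nxv | grep -qwF -- "${NET}"; then
    iptables -t mangle -A CACHE-REDIRECT -s "${NET}" -p tcp --dport 80 -j MARK --set-mark "${MARK}"
    iptables -t mangle -A CACHE-REDIRECT -d "${NET}" -p tcp --sport 80 -j MARK --set-mark "${MARK}"
  fi
done

# add Return
# The chain was flushed above, so the trailing RETURN can be appended unconditionally.
iptables -t mangle -A CACHE-REDIRECT -j RETURN

# Check if new chain not enabled, enable new chain
if ! iptables -t mangle -L PREROUTING -nxv | grep -q -- CACHE-REDIRECT; then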
iptables -t mangle -A PREROUTING -m mac --mac-source ! ${CACHEMAC} -j CACHE-REDIRECT fi ******************************************************************************** ### Linux Router - cache-watchdog #!/bin/bash ## Config CACHEIP="80.191.195.27" CACHEMAC="00:17:9a:78:43:7e" IT_WORKS="http://80.191.195.17/test.html" ########## # check for ping response /bin/ping -c 1 -w 3 ${CACHEIP} > /dev/null 2>&1 ALIVE=$(echo $?) if [ "${ALIVE}" == "1" ]; then # Check if new chain not disabled, disable new chain EXIST=$(iptables -t mangle -L PREROUTING -nxv | grep CACHE-REDIRECT) if [ "$EXIST" != "" ]; then iptables -t mangle -D PREROUTING -m mac --mac-source ! ${CACHEMAC} -j CACHE-REDIRECT exit fi fi # check for http reply from cache EXIST=$(links -http-proxy ${CACHEIP}:3128 -receive-timeout 5 -unrestartable-receive-timeout 5 -dump ${IT_WORKS} 2> /dev/null) EXIST=$(echo "${EXIST}" | sed -e 's, *,,') if [ "$EXIST" == "It works!" ]; then # Check if new chain not enabled, enable new chain EXIST=$(iptables -t mangle -L PREROUTING -nxv | grep CACHE-REDIRECT) if [ "$EXIST" == "" ]; then iptables -t mangle -A PREROUTING -m mac --mac-source ! ${CACHEMAC} -j CACHE-REDIRECT fi else # Check if new chain not disabled, disable new chain EXIST=$(iptables -t mangle -L PREROUTING -nxv | grep CACHE-REDIRECT) if [ "$EXIST" != "" ]; then iptables -t mangle -D PREROUTING -m mac --mac-source ! ${CACHEMAC} -j CACHE-REDIRECT fi fi ******************************************************************************** ### Test Script http://devel.squid-cache.org/cgi-bin/test ******************************************************************************** _BY: Pejman Moghadam_ _TAG: squid, tproxy, kernel_ _DATE: 2009-07-04 18:51:37_