Public domain
cd /usr/src
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.3.tar.bz2
tar jxf linux-2.6.28.3.tar.bz2
ln -sfn linux-2.6.28.3 linux
cd linux
cp /boot/config .config
make menuconfig
Load an Alternate Configuration File
.config
Ok
-*- Networking support --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->
<M> Transparent proxying support (EXPERIMENTAL)
<M> "TPROXY" target support (EXPERIMENTAL)
<M> "recent" match support
[*] Enable obsolete /proc/net/ipt_recent
<M> "socket" match support (EXPERIMENTAL)
make all && make modules_install
/bin/cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.28.3
/bin/cp System.map /boot/System.map-2.6.28.3
/bin/cp .config /boot/config-2.6.28.3
boot = /dev/hda
bitmap = /boot/slack.bmp
bmp-colors = 255,0,255,0,255,0
bmp-table = 60,6,1,16
bmp-timer = 65,27,0,255
append=" vt.default_utf8=0"
prompt
timeout = 50
lba32
default = S12-2.6.28.3
vga = 791
image = /boot/vmlinuz
root = /dev/hda2
label = Slackware12.2
read-only
image = /boot/vmlinuz-2.6.28.3
root = /dev/hda2
label = S12-2.6.28.3
read-only
lilo
reboot
cd /usr/src
wget http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/libcap-2.16.tar.gz
tar zxf libcap-2.16.tar.gz
cd libcap-2.16
make && make install
cd /usr/src
wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.3.tar.bz2
tar jxf iptables-1.4.3.tar.bz2
cd iptables-1.4.3
./configure --prefix=/usr && make
removepkg iptables
make install
reboot
vi /usr/include/bits/typesizes.h
#define __FD_SETSIZE 16384
cd /usr/src
wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.0.8.tar.bz2
tar jxf squid-3.1.0.8.tar.bz2
cd squid-3.1.0.8
ulimit -HSn 16384
ulimit -HSd unlimited
./configure \
--prefix=/usr/local/squid \
--enable-forward-log \
--enable-follow-x-forwarded-for \
--enable-snmp \
--enable-linux-netfilter \
--enable-http-violations \
--enable-delay-pools \
--enable-storeio=diskd,aufs,ufs \
--with-large-files \
--enable-large-cache-files \
--with-filedescriptors=16384 \
--enable-async-io=128 \
--enable-removal-policies=lru,heap \
--enable-useragent-log \
--enable-referer-log \
--enable-err-languages=English \
--enable-default-err-language=English
make
make install
cp /usr/local/squid/etc/squid.conf{,.bak}
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 80.191.195.0/24 78.38.32.0/24 78.38.34.0/24 217.218.229.128/26 217.218.230.111
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access deny all
http_port 3128 tcpkeepalive=60,10,6
http_port 3129 tproxy tcpkeepalive=60,10,6
hierarchy_stoplist cgi-bin ? dll aspx
cache_mem 2000 MB
maximum_object_size_in_memory 64 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /cache/1 51200 16 256 max-size=262144
cache_dir aufs /cache/2 51200 16 256 max-size=524288
cache_dir aufs /cache/3 51200 16 256 max-size=2097152
cache_dir aufs /cache/4 51200 16 256
maximum_object_size 102400 KB
cache_swap_high 100
cache_swap_low 95
logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /usr/local/squid/var/logs/access.log squid
acl watchdog src 80.191.195.17
log_access deny watchdog
logfile_rotate 0
refresh_pattern http://.*\.windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://office\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://windowsupdate\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w?xpsp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://w2ksp[0-9]\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.microsoft\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://download\.macromedia\.com/ 0 80% 20160 reload-into-ims
refresh_pattern ftp://ftp\.nai\.com/ 0 80% 20160 reload-into-ims
refresh_pattern http://ftp\.software\.ibm\.com/ 0 80% 20160 reload-into-ims
refresh_pattern cgi-bin 1 20% 2
refresh_pattern \.asp$ 1 20% 2
refresh_pattern \.acgi$ 1 20% 2
refresh_pattern \.cgi$ 1 20% 2
refresh_pattern \.pl$ 1 20% 2
refresh_pattern \.shtml$ 1 20% 2
refresh_pattern \.php3$ 1 20% 2
refresh_pattern \? 1 20% 2
refresh_pattern \.gif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.bom\.gov\.au 30 20% 120 reload-into-ims
refresh_pattern \.html$ 480 50% 22160 reload-into-ims
refresh_pattern \.htm$ 480 50% 22160 reload-into-ims
refresh_pattern \.class$ 10080 90% 43200 reload-into-ims
refresh_pattern \.zip$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpeg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mid$ 10080 90% 43200 reload-into-ims
refresh_pattern \.shtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.exe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.thm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.wav$ 10080 90% 43200 reload-into-ims
refresh_pattern \.txt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.cab$ 10080 90% 43200 reload-into-ims
refresh_pattern \.au$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mov$ 10080 90% 43200 reload-into-ims
refresh_pattern \.xbm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ram$ 10080 90% 43200 reload-into-ims
refresh_pattern \.avi$ 10080 90% 43200 reload-into-ims
refresh_pattern \.chtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.thb$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dcr$ 10080 90% 43200 reload-into-ims
refresh_pattern \.bmp$ 10080 90% 43200 reload-into-ims
refresh_pattern \.phtml$ 480 50% 22160 reload-into-ims
refresh_pattern \.mpg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.pdf$ 10080 90% 43200 reload-into-ims
refresh_pattern \.art$ 10080 90% 43200 reload-into-ims
refresh_pattern \.swf$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mp3$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ra$ 10080 90% 43200 reload-into-ims
refresh_pattern \.spl$ 10080 90% 43200 reload-into-ims
refresh_pattern \.viv$ 10080 90% 43200 reload-into-ims
refresh_pattern \.doc$ 10080 90% 43200 reload-into-ims
refresh_pattern \.gz$ 10080 90% 43200 reload-into-ims
refresh_pattern \.Z$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tgz$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tar$ 10080 90% 43200 reload-into-ims
refresh_pattern \.vrm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.vrml$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aifc$ 10080 90% 43200 reload-into-ims
refresh_pattern \.aiff$ 10080 90% 43200 reload-into-ims
refresh_pattern \.arj$ 10080 90% 43200 reload-into-ims
refresh_pattern \.c$ 10080 90% 43200 reload-into-ims
refresh_pattern \.cpt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dir$ 10080 90% 43200 reload-into-ims
refresh_pattern \.dxr$ 10080 90% 43200 reload-into-ims
refresh_pattern \.hqx$ 10080 90% 43200 reload-into-ims
refresh_pattern \.jpe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.lha$ 10080 90% 43200 reload-into-ims
refresh_pattern \.lzh$ 10080 90% 43200 reload-into-ims
refresh_pattern \.midi$ 10080 90% 43200 reload-into-ims
refresh_pattern \.movie$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mp2$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpe$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpeg$ 10080 90% 43200 reload-into-ims
refresh_pattern \.mpga$ 10080 90% 43200 reload-into-ims
refresh_pattern \.pl$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ppt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ps$ 10080 90% 43200 reload-into-ims
refresh_pattern \.qt$ 10080 90% 43200 reload-into-ims
refresh_pattern \.qtm$ 10080 90% 43200 reload-into-ims
refresh_pattern \.ras$ 10080 90% 43200 reload-into-ims
refresh_pattern \.sea$ 10080 90% 43200 reload-into-ims
refresh_pattern \.sit$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tif$ 10080 90% 43200 reload-into-ims
refresh_pattern \.tiff$ 10080 90% 43200 reload-into-ims
refresh_pattern \.snd$ 10080 90% 43200 reload-into-ims
refresh_pattern \.wrl$ 10080 90% 43200 reload-into-ims
refresh_pattern ^ftp: 1440 60% 22160
refresh_pattern ^gopher: 1440 20% 1440
refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 480 50% 22160 reload-into-ims
quick_abort_min 32 KB
quick_abort_max 32 KB
quick_abort_pct 95
negative_ttl 3 minutes
positive_dns_ttl 15 hours
request_header_max_size 100 KB
cache_mgr Pejman_Moghadam@yahoo.com
visible_hostname SohaCache
acl mrtg src 80.191.195.17 127.0.0.1
acl snmppublic snmp_community public
snmp_access allow snmppublic mrtg
snmp_access deny all
snmp_port 3401
#dns_children 200
ipcache_size 10240
coredump_dir /usr/local/squid/var/cache
forwarded_for transparent
via off
#!/bin/bash
#
# /etc/rc.d/rc.squid
#
# Start/stop/restart the Squid web caching server.
#
# To make Squid start automatically at boot, make this
# file executable: chmod +x /etc/rc.d/rc.squid
#
start()
{
echo -n 'Starting TPROXY Squid . . . '
PROCESS=$(ps -A | egrep ' squid$')
if [ "$PROCESS" == "" ]; then
if [ -f /usr/local/squid/var/squid.pid ] ; then
rm /usr/local/squid/var/squid.pid
fi
fi
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
ulimit -HSn 16384
ulimit -HSd unlimited
/usr/local/squid/sbin/squid
echo "Ok"
}
stop()
{
echo 'Stoping TPROXY Squid'
/usr/local/squid/sbin/squid -k shutdown
time=0
while [ $time != "300" ] ; do
time=`expr $time + 1`
echo -n $time
if [ ! -f /usr/local/squid/var/squid.pid ] ; then
break
else
echo -n "."
fi
sleep 1
done
echo ". .Ok"
}
case "$1" in
'start')
start
;;
'stop')
stop
;;
'restart')
stop
start
;;
'rotate')
echo -n 'Rotating TPROXY Squid log files . . . '
/usr/local/squid/sbin/squid -k rotate
echo "Ok"
;;
*)
echo "usage $0 start|stop|restart|rotate"
;;
esac
#!/bin/bash
# Config
TCPHIT="255"
SEC="1"
# Flush mangle table
iptables -t mangle -F
iptables -t mangle -X
sleep 1
# Load recent module
KERNEL_VERSION=$(uname -r)
RECENT_MODULE=$(basename $(find /lib/modules/${KERNEL_VERSION} -iname "*recent.ko") .ko)
/sbin/rmmod $RECENT_MODULE
/sbin/modprobe $RECENT_MODULE ip_list_tot=2048 ip_pkt_list_tot=255 ip_list_hash_size=0
# Anti DOS attack chain
iptables -t mangle -N DOS-PROOF
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
-m recent --rcheck --rttl --hitcount $TCPHIT --seconds ${SEC} --name TCP-RECENT-DOS-PROOF -j LOG --log-prefix "TCP:FLOOD:"
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
-m recent --rcheck --rttl --hitcount $TCPHIT --seconds ${SEC} --name TCP-RECENT-DOS-PROOF -j DROP
iptables -t mangle -A DOS-PROOF -p tcp -m state --state NEW \
-m recent --set --name TCP-RECENT-DOS-PROOF -j RETURN
iptables -t mangle -A DOS-PROOF -j RETURN
# Divert chain
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# Calling chains
iptables -t mangle -A PREROUTING -j DOS-PROOF
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
# use less swap memory
echo 50 > /proc/sys/vm/swappiness
# tcp keep alive tuning
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes
# Start TPROXY Squid Cache Server:
if [ -x /etc/rc.d/rc.squid ]; then
/etc/rc.d/rc.squid start
fi
# TPROXY Divert
#iptables -t mangle -N DIVERT
#iptables -t mangle -A DIVERT -j MARK --set-mark 1
#iptables -t mangle -A DIVERT -j ACCEPT
#iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
# TPROXY Route
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# Divert
/usr/local/sbin/tproxy-divert
#!/bin/bash
# Stop TPROXY Squid Cache server:
if [ -x /etc/rc.d/rc.squid ]; then
/etc/rc.d/rc.squid stop
fi
/usr/local/squid/var/logs/access.log {
daily
rotate 186
start 1
copytruncate
compress
compresscmd /usr/bin/bzip2
compressext .bz2
compressoptions -sq9
dateext
notifempty
missingok
}
/usr/local/squid/var/logs/cache.log /usr/local/squid/var/logs/store.log {
daily
rotate 31
start 1
copytruncate
compress
compresscmd /usr/bin/bzip2
compressext .bz2
compressoptions -sq9
dateext
notifempty
missingok
sharedscripts
postrotate
/usr/local/squid/sbin/squid -k rotate
endscript
}
mkdir /usr/local/squid/var/cache
mkdir -p /cache/{1,2,3,4}
chown -R nobody:nobody /cache
chown -R nobody:nobody /usr/local/squid/var/logs
chmod +x /etc/rc.d/rc.local_shutdown
chmod +x /etc/rc.d/rc.squid
/usr/local/squid/sbin/squid -z
/etc/rc.d/rc.squid start
if [ ! -d /usr/local/squid/share/errors/fa-ir/ ]; then ln -sfn /usr/local/squid/share/errors/en /usr/local/squid/share/errors/fa-ir ; fi
#!/bin/bash
## Config
CLIENTS="80.191.195.0/24"
EXCLUDES="lksjdns"
CACHEIP="80.191.195.27"
CACHEMAC="00:17:9a:78:43:7e"
INTIF="eth1"
MARK="1000"
TABLE="4"
##########
# Check if rule not exist, add new rule
EXIST=$(ip rule show | grep "lookup ${TABLE}")
if [ "$EXIST" == "" ]; then
ip rule add fwmark ${MARK} table ${TABLE}
fi
# Check if route not exist, add new route
EXIST=$(ip route show table ${TABLE} | grep ${CACHEIP})
if [ "$EXIST" == "" ]; then
ip route add default via ${CACHEIP} table ${TABLE}
fi
# Check if chain not exist, add new chain
EXIST=$(iptables -t mangle -L -nxv | grep CACHE-REDIRECT)
if [ "$EXIST" == "" ]; then
iptables -t mangle -N CACHE-REDIRECT
fi
# Check if excluded clients not exist , add excluded clints to chain
iptables -t mangle -F CACHE-REDIRECT
for NET in ${EXCLUDES}; do
EXIST=$(iptables -t mangle -L CACHE-REDIRECT -nxv | grep ${NET})
if [ "$EXIST" == "" ]; then
iptables -t mangle -A CACHE-REDIRECT -s ${NET} -j RETURN
iptables -t mangle -A CACHE-REDIRECT -d ${NET} -j RETURN
fi
done
# Check if clients not exist , add clints to chain
for NET in ${CLIENTS}; do
EXIST=$(iptables -t mangle -L CACHE-REDIRECT -nxv | grep ${NET})
if [ "$EXIST" == "" ]; then
iptables -t mangle -A CACHE-REDIRECT -s ${NET} -p tcp --dport 80 -j MARK --set-mark ${MARK}
iptables -t mangle -A CACHE-REDIRECT -d ${NET} -p tcp --sport 80 -j MARK --set-mark ${MARK}
fi
done
# add Return
EXIST=$(iptables -t mangle -L CACHE-REDIRECT -nxv | tail -n 1 | grep RETURN)
if [ "$EXIST" != "" ]; then
iptables -t mangle -D CACHE-REDIRECT -j RETURN
fi
iptables -t mangle -A CACHE-REDIRECT -j RETURN
# Check if new chain not enabled, enable new chain
EXIST=$(iptables -t mangle -L PREROUTING -nxv | grep CACHE-REDIRECT)
if [ "$EXIST" == "" ]; then
iptables -t mangle -A PREROUTING -m mac --mac-source ! ${CACHEMAC} -j CACHE-REDIRECT
fi
#!/bin/bash
## Config
CACHEIP="80.191.195.27"
CACHEMAC="00:17:9a:78:43:7e"
IT_WORKS="http://80.191.195.17/test.html"
##########
# check for ping response
/bin/ping -c 1 -w 3 ${CACHEIP} > /dev/null 2>&1
ALIVE=$(echo $?)
if [ "${ALIVE}" == "1" ]; then
# Check if new chain not disabled, disable new chain
EXIST=$(iptables -t mangle -L PREROUTING -nxv | grep CACHE-REDIRECT)
if [ "$EXIST" != "" ]; then
iptables -t mangle -D PREROUTING -m mac --mac-source ! ${CACHEMAC} -j CACHE-REDIRECT
exit
fi
fi
# check for http reply from cache
EXIST=$(links -http-proxy ${CACHEIP}:3128 -receive-timeout 5 -unrestartable-receive-timeout 5 -dump ${IT_WORKS} 2> /dev/null)
EXIST=$(echo "${EXIST}" | sed -e 's, *,,')
if [ "$EXIST" == "It works!" ]; then
# Check if new chain not enabled, enable new chain
EXIST=$(iptables -t mangle -L PREROUTING -nxv | grep CACHE-REDIRECT)
if [ "$EXIST" == "" ]; then
iptables -t mangle -A PREROUTING -m mac --mac-source ! ${CACHEMAC} -j CACHE-REDIRECT
fi
else
# Check if new chain not disabled, disable new chain
EXIST=$(iptables -t mangle -L PREROUTING -nxv | grep CACHE-REDIRECT)
if [ "$EXIST" != "" ]; then
iptables -t mangle -D PREROUTING -m mac --mac-source ! ${CACHEMAC} -j CACHE-REDIRECT
fi
fi
http://devel.squid-cache.org/cgi-bin/test
BY: Pejman Moghadam
TAG: squid, tproxy, kernel
DATE: 2009-07-04 18:51:37