我正在用 squid 和 stunnel 构建一个高度匿名的代理服务器,并且在 iptables 上遇到了配置问题。
服务器应该像这样运行:
browser <-> client stunnel <=> server stunnel <-> server squid <=> site
其中,wheres-表示本地流量,而=internet 则表示互联网流量。
目前 stunnel 和 squid 安装在同一个服务器中。
我是 的新手iptables,我已尽力并制定了以下规则(通过 转储iptables-save):
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117178:91123876]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 14 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 16 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 18 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# Completed on Tue Jan 26 12:54:01 2016
iptables我发现在应用规则时我无法访问某些网站。我确信iptables规则配置有误,但我不知道如何修复它,有人能帮我吗?
配置
squid:
# Squid Core Settings
http_port 3128
coredump_dir /var/spool/squid3
# ACL Settings
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
# Anonymous Setting
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Cookie allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access All deny all
header_replace User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
forwarded_for off
# Cacheing Settings
#cache_dir ufs /var/spool/squid3/cache/ufs 4096 16 256
#cache_dir aufs /var/spool/squid3/cache/aufs 4096 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
stunnel(客户端):
[psk]
client = yes
accept = 127.0.0.1:8443
connect = SERVER_ADDR:PORT
PSKsecrets = psk.txt
[proxy]
client = yes
accept = 127.0.0.1:8089
connect = 127.0.0.1:8443
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
CAfile = cert.pem
verify = 2
checkHost = SERVER_ADDR
stunnel(服务器端):
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/priv.pem
debug = 7
;output = stunnel.log
foreground = yes
[PSK]
accept = 443
;accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
[squid]
accept = 127.0.0.1:8443
;accept = :::8443
connect = 127.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE
日志
iptables删除日志:
[144292.234289] IPTables-Dropped: SRC=173.245.55.179 PROTO=TCP SPT=50365 DPT=80
[144301.107881] IPTables-Dropped: SRC=117.41.229.40 SPT=2008 DPT=8888 WINDOW=16384
[144360.343125] IPTables-Dropped: SRC=80.82.79.104 SPT=42465 DPT=10000 WINDOW=1024
[144374.574490] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144375.564623] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144377.564581] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144381.574600] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144403.970319] IPTables-Dropped: SRC=117.41.229.20 SPT=2002 DPT=3128 WINDOW=16384
[144404.914921] IPTables-Dropped: SRC=82.114.86.90 PROTO=TCP SPT=4020 DPT=3389
[144407.889798] IPTables-Dropped: SRC=82.114.86.90 PROTO=TCP SPT=4020 DPT=3389
[144431.102337] IPTables-Dropped: SRC=117.41.229.40 SPT=2008 DPT=8888 WINDOW=16384
[144441.480311] IPTables-Dropped: SRC=58.218.204.225 SPT=42147 DPT=8888 WINDOW=512
[144457.402085] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144458.400167] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144460.404178] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144460.754622] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144462.686286] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144463.685486] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144464.011240] IPTables-Dropped: SRC=108.162.216.178 PROTO=TCP SPT=38717 DPT=80
[144464.416256] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144465.689500] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144468.827527] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144469.608763] IPTables-Dropped: SRC=50.56.21.180 PROTO=TCP SPT=443 DPT=46344
[144471.827936] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144474.224868] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144475.840049] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144477.713538] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144480.228830] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144483.856005] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144484.630156] IPTables-Dropped: SRC=50.56.21.180 PROTO=TCP SPT=443 DPT=46344
stunnel错误日志(客户端):
32: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] accepted connection from 127.0.0.1:8421
33: 2016.01.26 02:29:54 LOG5[4962]: s_connect: connected 127.0.0.1:8443
34: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] connected remote server from 127.0.0.1:8422
38: 2016.01.26 02:29:55 LOG3[4962]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
39: 2016.01.26 02:29:55 LOG5[4962]: Connection reset: 373 byte(s) sent to SSL, 331 byte(s) sent to socket
squid access.log:
1453812536.918 58824 127.0.0.1 TCP_TUNNEL/200 1086 CONNECT www.google-analytics.com:443 - HIER_DIRECT/2404:6800:4004:80b::100e -
1453812622.722 239778 127.0.0.1 TAG_NONE/503 0 CONNECT stackoverflow.com:443 - HIER_NONE/- -
1453812661.330 240001 127.0.0.1 TAG_NONE/503 0 CONNECT syndication.twitter.com:443 - HIER_NONE/- -
1453812717.832 60713 127.0.0.1 TCP_MISS/503 5358 GET http://jeffreifman.com/how-to-install-your-own-private-e-mail-server-in-the-amazon-cloud-aws/estimating-costs/ - HIER_DIRECT/107.170.64.60 text/html
1453812718.832 60042 127.0.0.1 TAG_NONE/503 0 CONNECT www.mailgun.com:443 - HIER_NONE/- -