I am building a highly anonymous proxy server with Squid and stunnel, and I am running into an iptables configuration problem.
The setup should look like this:
browser <-> client stunnel <=> server stunnel <-> server squid <=> site
where - denotes local traffic and = denotes Internet traffic.
Currently stunnel and Squid are both installed on the same server.
I am new to iptables; I have done my best and set up the rules below (dumped via iptables-save):
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [117178:91123876]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 14 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 16 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 18 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# Completed on Tue Jan 26 12:54:01 2016
I find that when the iptables rules are applied I cannot access some websites. I believe the iptables rule configuration is wrong, but I do not know how to fix it. Can anyone help me?
squid:
# Squid Core Settings
http_port 3128
coredump_dir /var/spool/squid3

# ACL Settings
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all

# Anonymous Setting
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Cookie allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access All deny all
header_replace User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
forwarded_for off

# Caching Settings
#cache_dir ufs /var/spool/squid3/cache/ufs 4096 16 256
#cache_dir aufs /var/spool/squid3/cache/aufs 4096 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
stunnel (client side):
[psk]
client = yes
accept = 127.0.0.1:8443
connect = SERVER_ADDR:PORT
PSKsecrets = psk.txt

[proxy]
client = yes
accept = 127.0.0.1:8089
connect = 127.0.0.1:8443
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
CAfile = cert.pem
verify = 2
checkHost = SERVER_ADDR
stunnel (server side):
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/priv.pem
debug = 7
;output = stunnel.log
foreground = yes

[PSK]
accept = 443
;accept = :::443
connect = 127.0.0.1:8443
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt

[squid]
accept = 127.0.0.1:8443
;accept = :::8443
connect = 127.0.1:3128
sslVersion = all
ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PS
options = NO_SSLv2
options = NO_SSLv3
options = CIPHER_SERVER_PREFERENCE
iptables DROP logs:
[144292.234289] IPTables-Dropped: SRC=173.245.55.179 PROTO=TCP SPT=50365 DPT=80
[144301.107881] IPTables-Dropped: SRC=117.41.229.40 SPT=2008 DPT=8888 WINDOW=16384
[144360.343125] IPTables-Dropped: SRC=80.82.79.104 SPT=42465 DPT=10000 WINDOW=1024
[144374.574490] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144375.564623] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144377.564581] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144381.574600] IPTables-Dropped: SRC=108.162.217.173 PROTO=TCP SPT=35022 DPT=80
[144403.970319] IPTables-Dropped: SRC=117.41.229.20 SPT=2002 DPT=3128 WINDOW=16384
[144404.914921] IPTables-Dropped: SRC=82.114.86.90 PROTO=TCP SPT=4020 DPT=3389
[144407.889798] IPTables-Dropped: SRC=82.114.86.90 PROTO=TCP SPT=4020 DPT=3389
[144431.102337] IPTables-Dropped: SRC=117.41.229.40 SPT=2008 DPT=8888 WINDOW=16384
[144441.480311] IPTables-Dropped: SRC=58.218.204.225 SPT=42147 DPT=8888 WINDOW=512
[144457.402085] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144458.400167] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144460.404178] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144460.754622] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144462.686286] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144463.685486] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144464.011240] IPTables-Dropped: SRC=108.162.216.178 PROTO=TCP SPT=38717 DPT=80
[144464.416256] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144465.689500] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144468.827527] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144469.608763] IPTables-Dropped: SRC=50.56.21.180 PROTO=TCP SPT=443 DPT=46344
[144471.827936] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144474.224868] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144475.840049] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144477.713538] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144480.228830] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144483.856005] IPTables-Dropped: SRC=107.170.64.60 PROTO=TCP SPT=80 DPT=41692
[144484.630156] IPTables-Dropped: SRC=50.56.21.180 PROTO=TCP SPT=443 DPT=46344
stunnel error log (client side):
32: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] accepted connection from 127.0.0.1:8421
33: 2016.01.26 02:29:54 LOG5[4962]: s_connect: connected 127.0.0.1:8443
34: 2016.01.26 02:29:54 LOG5[4962]: Service [proxy] connected remote server from 127.0.0.1:8422
38: 2016.01.26 02:29:55 LOG3[4962]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
39: 2016.01.26 02:29:55 LOG5[4962]: Connection reset: 373 byte(s) sent to SSL, 331 byte(s) sent to socket
squid access.log:
1453812536.918  58824 127.0.0.1 TCP_TUNNEL/200 1086 CONNECT www.google-analytics.com:443 - HIER_DIRECT/2404:6800:4004:80b::100e -
1453812622.722 239778 127.0.0.1 TAG_NONE/503 0 CONNECT stackoverflow.com:443 - HIER_NONE/- -
1453812661.330 240001 127.0.0.1 TAG_NONE/503 0 CONNECT syndication.twitter.com:443 - HIER_NONE/- -
1453812717.832  60713 127.0.0.1 TCP_MISS/503 5358 GET http://jeffreifman.com/how-to-install-your-own-private-e-mail-server-in-the-amazon-cloud-aws/estimating-costs/ - HIER_DIRECT/107.170.64.60 text/html
1453812718.832  60042 127.0.0.1 TAG_NONE/503 0 CONNECT www.mailgun.com:443 - HIER_NONE/- -
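As an added example (not part of the question above), a small triage script for kernel LOG lines of the shape shown in the drop log: it separates drops whose source port is 80 or 443 and whose destination is an ephemeral local port, which is what replies to the proxy's own outbound connections look like when the INPUT chain's DROP policy is not preceded by a RELATED,ESTABLISHED accept rule, from unsolicited inbound connection attempts. The sample lines are constructed in the same format, and the ephemeral port range is assumed to be the Linux default.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the iptables LOG output above.
SAMPLE_LOG = """\
[144292.234289] IPTables-Dropped: SRC=173.245.55.179 PROTO=TCP SPT=50365 DPT=80
[144301.107881] IPTables-Dropped: SRC=117.41.229.40 SPT=2008 DPT=8888 WINDOW=16384
[144404.914921] IPTables-Dropped: SRC=82.114.86.90 PROTO=TCP SPT=4020 DPT=3389
[144457.402085] IPTables-Dropped: SRC=212.199.163.170 PROTO=TCP SPT=80 DPT=45858
[144462.686286] IPTables-Dropped: SRC=104.16.37.249 PROTO=TCP SPT=443 DPT=54096
[144469.608763] IPTables-Dropped: SRC=50.56.21.180 PROTO=TCP SPT=443 DPT=46344
"""

# PROTO= is optional because some LOG lines in the dump omit it.
LINE_RE = re.compile(
    r"\[(?P<ts>[\d.]+)\]\s+IPTables-Dropped:\s+SRC=(?P<src>\S+)"
    r"(?:\s+PROTO=(?P<proto>\S+))?\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)

# Ports the proxy's outbound requests go to. A drop with SPT in this set and
# DPT in the local ephemeral range is return traffic of a connection the
# server itself opened, not a new inbound connection.
WEB_PORTS = {80, 443}
EPHEMERAL = range(32768, 61001)  # assumed Linux default ip_local_port_range


def parse_line(line):
    """Return a dict of the fields we need, or None if the line is not a drop record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ts": float(m["ts"]), "src": m["src"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def classify(rec):
    if rec["spt"] in WEB_PORTS and rec["dpt"] in EPHEMERAL:
        return "dropped-reply"       # reply to our own outbound HTTP/HTTPS
    return "unsolicited-inbound"     # new connection attempt from outside


def triage(log_text):
    """Count drop records per category; a high dropped-reply count points at a missing state rule."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    print(dict(triage(SAMPLE_LOG)))
```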