Following is a sample internet sharing script. Using it, you can share internet on your Linux system.
In this example, the Squid box has 2 interfaces: eth0 is connected to the Internet, and eth1 is connected to the LAN [or to a Mikrotik].
Remember to change the Squid LAN IP address and the interface names in this file to match your own setup, otherwise it may not work.
Let's start.
Create a new file named fw.sh in /etc with the following command:
touch /etc/fw.sh
Now change the permissions on this file so it can be executed:
chmod +x /etc/fw.sh
Now edit this file with the following command:
nano /etc/fw.sh
and paste the following content:
#!/bin/sh
# ------------------------------------
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# Created: January, 2011
# Last Modified: 7th Jan, 2017
# ------------------------------------

## Squid Server LAN IP Address (Change it as per your SQUID LAN interface IP)
SQUID_SERVER="192.168.6.2"
## Interface connected to Internet
INTERNET="eth0"
## Interface connected to LAN
LAN_IN="eth1"
## Squid port
SQUID_PORT="8080"

# Clear old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

## Load IPTABLES modules for NAT and IP conntrack support
## (on current kernels these modules are named nf_conntrack, nf_conntrack_ftp and nf_nat_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
## For win xp ftp client
## modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

## Setting default filter policy, Use it with CARE / zaib
## iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

## Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

## set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

## unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

## DNAT port 80 request coming from LAN systems to squid 8080 ($SQUID_PORT) , This is to make your squid as transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

## If you are hosting Apache Server on the same system (which is not recommended IMPO), keep below rule disabled.
# iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

## if you want to do PORT forward via this system to another local lan port
#sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 50002 -j DNAT --to-destination 10.0.0.2:50002
#sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1236 -j DNAT --to-destination 192.168.100.1:1236
#sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1235 -j DNAT --to-destination 192.168.100.1:80

# Adding route for SQUID proxy connected with Mikrotik directly, Can be used if you are using MARK n ROUTE method for redirecting
# http traffic to log user source IP / ZAIB
#route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.6.2 dev $LAN_IN
#
#route add -net 192.168.6.0 netmask 255.255.255.0 gw 192.168.6.2 dev $LAN_IN
#route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.6.2 dev $LAN_IN

##############################################################################
# To add permanent static route, use following in /etc/network/interfaces file
#up route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.100.2
#up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.100.2
#up route add -net 172.16.0.0 netmask 255.255.0.0 gw 192.168.100.2
##############################################################################

## LOG everything
## (an unlimited LOG rule on a busy link can flood syslog; "-m limit" is the usual guard)
iptables -A INPUT -j LOG

# Allow ip range to allow port 8080 access on all interfaces useful if you are doing remote administration
# of squid proxy server and you want to test browsing from your remote admin pc.
# iptables -A INPUT -m iprange --src-range 1.2.3.4-5.6.7.8 -p tcp --dport 8080 -j ACCEPT

# Allow single IP Address to access port 8080
# iptables -A INPUT --src 1.2.3.4 -p tcp --dport 8080 -j ACCEPT

# DROP access to port 8080 for everyone on INTERNET interface - YOU SHOULD REALLY USE THIS / Syed Jahanzaib
# iptables -A INPUT -i $INTERNET -p tcp --dport 8080 -j DROP

## Drop Everything else. I m not enabling it, use it at your own.
## iptables -A INPUT -j DROP
After pasting and editing the data, save and exit.
Try running it with the following command:
/etc/fw.sh
If everything goes fine, you should see no output. If any error occurs, check fw.sh again using the error message and make sure everything matches your network scenario.
Once it runs cleanly, you can call this file from /etc/rc.local so it executes on every reboot.
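Since the script flushes all rules and then trusts the values set at its top, a wrong interface name or a typo in SQUID_SERVER is only noticed when clients stop browsing. The pre-flight check below is an added example written for this post, not part of the original fw.sh; the function names (preflight, is_ipv4, iface_exists, is_port) and the SYSFS_NET override are my own choices. It verifies the four variables against the running box before any iptables command is issued.

```shell
#!/bin/sh
# Added example: pre-flight checks for the variables at the top of /etc/fw.sh.
# SYSFS_NET normally points at /sys/class/net, where the kernel lists every
# network interface; it can be overridden (e.g. for testing) without root.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'
}

# is_port PORT -> 0 if PORT is an integer in 1-65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# iface_exists NAME -> 0 if the kernel knows an interface called NAME
iface_exists() {
    [ -n "$1" ] && [ -e "$SYSFS_NET/$1" ]
}

# preflight SQUID_SERVER INTERNET LAN_IN SQUID_PORT
# Prints every problem found on stderr; returns 0 only when all checks pass.
preflight() {
    ok=0
    is_ipv4 "$1"      || { echo "SQUID_SERVER '$1' is not an IPv4 address" >&2; ok=1; }
    iface_exists "$2" || { echo "INTERNET interface '$2' not found" >&2; ok=1; }
    iface_exists "$3" || { echo "LAN_IN interface '$3' not found" >&2; ok=1; }
    [ "$2" != "$3" ]  || { echo "INTERNET and LAN_IN must be different interfaces" >&2; ok=1; }
    is_port "$4"      || { echo "SQUID_PORT '$4' is not a valid TCP port" >&2; ok=1; }
    return $ok
}

# Usage inside fw.sh, right after the variable block (hypothetical placement):
#   preflight "$SQUID_SERVER" "$INTERNET" "$LAN_IN" "$SQUID_PORT" || exit 1
# Running this file with four arguments performs the same check from the shell.
if [ "$#" -eq 4 ]; then
    preflight "$1" "$2" "$3" "$4" && echo "all checks passed"
fi
```

Placing the `preflight ... || exit 1` line before the first `iptables -F` means a mistyped value leaves the existing rules untouched instead of leaving the box with a flushed, wide-open table.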
Sample Rules to allow specific IP address range
Another sample of simple firewall rules to allow port 8080 for a specific range of IPs, and block this port for all others.
#!/bin/sh
# ------------------------------------------------------------------------------------
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# -------------------------------------------------------------------------------------

# Clear old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# allow ip range
iptables -A INPUT -m iprange --src-range 1.2.3.4-5.6.7.8 -p tcp --dport 8080 -j ACCEPT
# Allow single IP Address
iptables -A INPUT --src 1.2.3.4 -p tcp --dport 8080 -j ACCEPT
# everyone else is refused on 8080
iptables -A INPUT -p tcp --dport 8080 -j DROP

## LOG everything
iptables -A INPUT -j LOG
Manual command to add a route …
route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.100.2 dev eth0
Manual port-forward commands (the same rules that are commented out in fw.sh above):
sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 50002 -j DNAT --to-destination 10.0.0.2:50002
sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1236 -j DNAT --to-destination 192.168.100.1:1236
sudo iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1235 -j DNAT --to-destination 192.168.100.1:80
Sample firewall to allow some IPs to access the local DNS installed on the local server
Scenario:
The DNS server is installed on an Ubuntu 16.4 server with a single interface, configured with a public IP. We want to restrict DNS access to local and some specific IPs only.
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Very Basic Level of Firewall to allow DNS only for some ip ranges
# Script by Syed Jahanzaib
# 23-NOV-2017

DATE=`date`
logger "DNS Firewall executed by syed jahanzaib @ $DATE"

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X

# allowed source ranges for DNS queries
# (note: 172.16.0.0/16 covers only 172.16.x.x; the whole RFC1918 block is 172.16.0.0/12)
sudo iptables -A INPUT -s 10.0.0.0/8 -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j ACCEPT
# 127.0.0.1 is important or else dns query will fail for all as well , maybe - zaib
sudo iptables -A INPUT -s 127.0.0.1 -p udp --dport 53 -j ACCEPT
# everyone else, TCP and UDP, is dropped
# (TCP 53 is dropped for the allowed ranges too, so large replies that fall back to TCP will fail for them)
sudo iptables -A INPUT -p tcp --dport 53 -j DROP
sudo iptables -A INPUT -p udp --dport 53 -j DROP
service dnsmasq restart
Another update: allow only a specific IP pool range to access some ports on a web server [27-aug-2021]
This was made for Galaxy Tech. Make a file with the list of allowed IPs that can access the specified ports at all times.
mkdir -p /temp
nano /temp/allowed_ip_list.txt
and add IP ranges like this, one per line:
10.0.0.0/16
192.168.0.0/16
172.16.0.0/16
Now edit the main file
nano /etc/fw.sh
Paste the following and then remove the unnecessary details.
#!/bin/sh
# ------------------------------------
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# Created: January, 2011
# Last Modified: 7th Jan, 2017
# Last Modified: 27th-Aug-2021 [for galaxy tech khi/pk]
# ------------------------------------

# MODIFY THIS NAME IF REQUIRED
ALLOWED_IP_LIST=/temp/allowed_ip_list.txt

###################################
###################################
###################################
### donot modify below this line ###
###################################
###################################

## Setting default filter policy, Use it with CARE / zaib
# Clear old firewall
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X

# LOG everything
#iptables -A INPUT -j LOG

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## Allow UDP, DNS and Passive FTP, JUNK, leave this line unless you fully understand it, zaib
#iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

for x in $(cat $ALLOWED_IP_LIST)
do
    # Allow ip range to allow port range access on all interfaces , duplicate this rule as needed
    iptables -A INPUT -s $x -p tcp --match multiport --dports 80,443,2347,10002 -j ACCEPT
    # (in the OUTPUT chain the source is this server's own address, so "-s $x" never matches;
    #  harmless here because the OUTPUT policy is ACCEPT)
    iptables -A OUTPUT -s $x -p tcp --match multiport --dports 80,443,2347,10002 -j ACCEPT
    # Allow single IP Address to access port 8080
    # iptables -A INPUT --src 1.2.3.4 -p tcp --dport 8080 -j ACCEPT
done
###################################
###################################
## Drop Everything else, use it at your own.
## (this also drops SSH from anywhere unless its port is in the multiport list above)
iptables -A INPUT -j DROP
# script ends here
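The `for x in $(cat $ALLOWED_IP_LIST)` loop splits the file on any whitespace, so a stray comment or a mistyped entry is handed to iptables as an address, the command fails, and the script continues to the final DROP with that range missing. The following is an added example for this post, not part of the original script: it reads the list line by line, skips blank lines and `#` comments, validates each entry as an IPv4 address or CIDR, and only then emits the ACCEPT rules. The function names (is_ipv4_cidr, build_allow_rules, apply_allow_rules) and the list format are my own assumptions.

```shell
#!/bin/sh
# Added example: build the per-range ACCEPT rules from an allow-list file.
# List format (assumed): one IPv4 address or CIDR per line; blank lines and
# anything after '#' are ignored.

# is_ipv4_cidr ENTRY -> 0 for a.b.c.d or a.b.c.d/nn (octets 0-255, prefix 0-32)
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# build_allow_rules LISTFILE PORTS
# Prints one iptables command per valid entry; invalid entries are reported on
# stderr and the function returns 1 so the caller can refuse to apply the set.
build_allow_rules() {
    list="$1"; ports="$2"; bad=0
    # "|| [ -n "$line" ]" keeps the last line even when the file lacks a final newline
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                                   # drop trailing comment
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"   # drop surrounding whitespace
        [ -z "$entry" ] && continue
        if is_ipv4_cidr "$entry"; then
            printf 'iptables -A INPUT -s %s -p tcp -m multiport --dports %s -j ACCEPT\n' "$entry" "$ports"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
            bad=1
        fi
    done < "$list"
    return $bad
}

# apply_allow_rules LISTFILE PORTS (needs root)
# Refuses to touch the firewall at all if the list contains a bad entry, so a
# typo cannot silently leave one office range locked out behind the final DROP.
apply_allow_rules() {
    rules=$(build_allow_rules "$1" "$2") || { echo "fix $1 before applying" >&2; return 1; }
    printf '%s\n' "$rules" | sh
}

# Usage from the shell, dry-run only:  ./allow_rules.sh /temp/allowed_ip_list.txt 80,443,2347,10002
if [ "$#" -eq 2 ]; then
    build_allow_rules "$1" "$2"
fi
```

In fw.sh the `for` loop would be replaced by `apply_allow_rules "$ALLOWED_IP_LIST" 80,443,2347,10002 || exit 1`, placed before the final `iptables -A INPUT -j DROP`, so the drop rule is never appended on top of an incomplete allow set.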
Regards
SYED JAHANZAIB
Thank you for sharing this great information. You solved my hugest problem.
Thanks
Comment by Mikheil — July 15, 2011 @ 10:28 PM
[…] For Basic Internet Sharing on Linux , please read the following post. https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/ […]
Pingback by Howto setup Mini ISP using Mikrotik as PPPoE Server + DMASOFTLAB Radius Manager Scratch Card Billing System+ Linux Transparent Firewall Bridge + Ubuntu SQUID 2.7 Proxy Server « Syed Jahanzaib Personnel Blog to share knwoledge ! — October 13, 2011 @ 11:29 AM
Thank you my brothers. You saved my life :)))) thanks
Comment by Cisco academy — December 15, 2011 @ 12:20 AM
[…] https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/ […]
Pingback by Linux Transparent Squid Proxy Server Guide | Syed Jahanzaib Personnel Blog to Share Knowledge ! — July 23, 2013 @ 8:22 AM
I like the valuable information you provide in your articles.
I'll bookmark your weblog and check once more here regularly.
I'm quite sure I will be told lots of new stuff right here!
Best of luck for the next!
Comment by minecraft how to download mods for free — January 31, 2014 @ 10:28 AM
I'm really grateful for your contribution. Can I contact you? Thanks.
Comment by Pablo — March 26, 2014 @ 7:11 PM
yes
Comment by Syed Jahanzaib / Pinochio~:) — March 27, 2014 @ 10:33 AM
Firstly, I appreciate your efforts.
Secondly, I have applied this script and then tried it on my laptop; only HTTPS websites are working and all other sites which start with http:// are not working.
Can I know why it's doing so?
Comment by faraz — June 18, 2014 @ 2:11 AM
[…] https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/ https://aacable.wordpress.com/2011/06/01/working-squid-conf-example-fil/ […]
Pingback by MIKROTIK :Howto Redirect HTTP traffic to SQUID with Original Source Client IP – WELCOME TO UT SOLUTIONs — August 15, 2017 @ 8:05 PM
Sir, this script is not working at all on Ubuntu 16.04. Please tell me a solution for this.
Comment by KAMI KING — October 21, 2017 @ 8:52 PM