Syed Jahanzaib Personal Blog to Share Knowledge !

June 1, 2011

Linux: Simple Internet Sharing Script !

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 10:47 AM


Following is a sample internet sharing script. By using it, you can share an internet connection from your Linux system to the rest of the LAN.

In this example the Squid box has two interfaces: eth0 is connected to the Internet and eth1 is connected to the LAN (or to a Mikrotik router).

Remember to change the Squid LAN IP address and the interface names in this file to match your own setup; otherwise it will not work.


Let's start.


Create a new file named fw.sh in /etc with the following command:

touch /etc/fw.sh

Now change the permissions so the file can be executed:

chmod +x /etc/fw.sh

Now edit the file with the following command:

nano /etc/fw.sh

and paste in the following contents:


#!/bin/sh
# ------------------------------------> zzz
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# Created: January, 2011
# Last Modified: 7th Jan, 2017
# ------------------------------------> zzz

## Squid Server LAN IP Address (Change it as per your SQUID LAN interface IP)
SQUID_SERVER="192.168.6.2"
## Interface connected to Internet
INTERNET="eth0"
## Interface connected to LAN
LAN_IN="eth1"
## Squid port
SQUID_PORT="8080"

# Clear old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

## Load IPTABLES modules for NAT and IP conntrack support
## (on newer kernels these modules are named nf_conntrack and nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp

## For win xp ftp client
## modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

## Setting default filter policy, Use it with CARE / zaib
## iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

## Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## Allow replies to connections this box started (covers DNS answers and
## passive FTP data connections tracked by the ftp conntrack helper)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT

## set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT

## unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT

## DNAT port 80 request coming from LAN systems to squid 8080 ($SQUID_PORT) , This is to make your squid as transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

## If you are hosting an Apache server on the same system (not recommended IMO), keep the rule below disabled.
# iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# Adding route for SQUID proxy connected with Mikrotik directly, Can be used if you are using MARK n ROUTE method for redirecting
# http traffic to log user source IP / ZAIB
#route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.6.2 dev $LAN_IN #
#route add -net 192.168.6.0 netmask 255.255.255.0 gw 192.168.6.2 dev $LAN_IN
#route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.6.2 dev $LAN_IN

##############################################################################
# To add permanent static route, use following in /etc/network/interfaces file
#up route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.100.2
#up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.100.2
#up route add -net 172.16.0.0 netmask 255.255.0.0 gw 192.168.100.2
##############################################################################

## LOG everything that reached this point (i.e. not already accepted above).
## Note: with the DROP rules below still commented out, INPUT policy stays ACCEPT,
## so these packets are logged and then accepted.
iptables -A INPUT -j LOG
# Allow an IP range to reach port 8080 on all interfaces; useful if you are doing remote administration
# of the squid proxy server and you want to test browsing from your remote admin PC.
# iptables -A INPUT -m iprange --src-range 1.2.3.4-5.6.7.8 -p tcp --dport 8080 -j ACCEPT

# Allow a single IP address to access port 8080
# iptables -A INPUT --src 1.2.3.4 -p tcp --dport 8080 -j ACCEPT

# DROP access to port 8080 for everyone on the INTERNET interface - YOU SHOULD REALLY USE THIS / Syed Jahanzaib
# iptables -A INPUT -i $INTERNET -p tcp --dport 8080 -j DROP
## Drop everything else. I am not enabling it; use it at your own risk.
## iptables -A INPUT -j DROP
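The script above takes its IP address, interface names and port as bare variables and applies the rules straight away. The following added example (not from the original post) validates those values first and then prints the core NAT and transparent-proxy rules, with the author's recommended port 8080 DROP on the Internet interface enabled, so the ruleset can be reviewed or piped to sh; 192.168.6.2, eth0, eth1 and 8080 are the post's own defaults.

```shell
#!/bin/sh
# Added example, not the original post's fw.sh: validate inputs, then emit the
# core rules as text.  Usage: gen_rules 192.168.6.2 eth0 eth1 8080 | sh

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Subshell keeps the IFS and positional-parameter changes local.
    (IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done)
}

# Return 0 if $1 is a plausible Linux interface name (1-15 safe characters).
valid_iface() {
    echo "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$'
}

# Print the ruleset for SQUID_SERVER=$1 INTERNET=$2 LAN_IN=$3 SQUID_PORT=$4.
# Fails (non-zero) instead of printing anything if a value looks wrong.
gen_rules() {
    squid=$1; inet=$2; lan=$3; port=$4
    valid_ipv4 "$squid" || { echo "bad SQUID_SERVER: $squid" >&2; return 1; }
    valid_iface "$inet" && valid_iface "$lan" || { echo "bad interface name" >&2; return 1; }
    [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] || { echo "bad SQUID_PORT: $port" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $inet -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -t nat -A POSTROUTING -o $inet -j MASQUERADE
iptables -A FORWARD -i $lan -j ACCEPT
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j DNAT --to $squid:$port
iptables -A INPUT -i $inet -p tcp --dport $port -j DROP
EOF
}
```

The flush commands and the conntrack modprobe lines from the post are deliberately left out; run them before piping this output to sh.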


After pasting and editing the data, save and exit.

Try running it with the following command:

/etc/fw.sh


If everything goes fine, you should see no output. If an error occurs, use the error message to diagnose fw.sh again and make sure everything matches your network scenario.

Once it works, you can call /etc/fw.sh from /etc/rc.local so it executes on every reboot.



Sample Rules to allow specific IP address range

Another sample of simple firewall rules that allow port 8080 only to a specific range of IPs and block that port for everyone else.

#!/bin/sh
# ------------------------------------------------------------------------------------
# Syed Jahanzaib / aacable@hotmail.com
# https://aacable.wordpress.com
# -------------------------------------------------------------------------------------
# Clear old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow an IP range (rules are matched in order, so the ACCEPTs must come before the DROP)
iptables -A INPUT -m iprange --src-range 1.2.3.4-5.6.7.8 -p tcp --dport 8080 -j ACCEPT
# Allow a single IP address
iptables -A INPUT --src 1.2.3.4 -p tcp --dport 8080 -j ACCEPT
# Drop port 8080 for everyone else, on every interface
iptables -A INPUT -p tcp --dport 8080 -j DROP

## LOG everything
iptables -A INPUT -j LOG

Manual command to add a route:

route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.100.2 dev eth0


Regards,
SYED JAHANZAIB


8 Comments »

  1. Thank you for sharing this great information. You solved my hugest problem.

    thanks


    Comment by Mikheil — July 15, 2011 @ 10:28 PM

  2. Thank you my brothers. You saved my life :)))) thanks


    Comment by Cisco academy — December 15, 2011 @ 12:20 AM

  3. I like the valuable information you provide in your articles.
    I’ll bookmark your weblog and check once more here regularly.
    I’m quite sure I will be told lots of new stuff right here!
    Best of luck for the next!


    Comment by minecraft how to download mods for free — January 31, 2014 @ 10:28 AM

  4. I’m really grateful for your contribution. Can I contact you? Thanks.


    Comment by Pablo — March 26, 2014 @ 7:11 PM

  5. Firstly, I appreciate your efforts.

    Secondly, I have applied this script and then tried it on my laptop; only HTTPS websites are working and all other sites which start with http:// are not working.

    Can I know why it’s doing so?


    Comment by faraz — June 18, 2014 @ 2:11 AM

