The following scripts were written by Tony Pearson and licensed under the MIT license. In many cases, they borrow heavily from snippets and samples found in books, forums, and the internet.
I placed the following in the /root/bin directory on both the Squid/Proxy server and the Schoolserver. In my test configuration, 192.168.0.29 is the IP address of the Squid server on the outside WAN.
#!/bin/sh
#
# Copyright (c) 2008 Tony Pearson.
#
# Licensed under the MIT license for contribution to the
# One Laptop per Child (OLPC) foundation.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use,
# copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following
# conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# For more information see the Open Source Initiative:
# http://www.opensource.org/licenses/mit-license.php
#
# The following was based on examples from "Linux Networking Cookbook"
# by Carla Schroder, O'Reilly Media, Inc.
#
# fire-start (written in Bash) place in /root/bin to execute

# load the netfilter modules (NAT, connection tracking, FTP helpers)
mod="/sbin/modprobe"
$mod ip_tables
$mod ip_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod ipt_LOG
$mod ipt_limit
$mod ipt_state
$mod ipt_MASQUERADE
$mod ip_nat_ftp
$mod ip_conntrack_ftp

# display that modules are loaded
lsmod | grep ^ip

# define variables
ipt="/sbin/iptables"

# WAN Wide Area Network, the address to the Internet outside-world
WAN_IFACE="eth0"
WAN_IP="192.168.0.29"

# LAN Local Area Network, for the School Server (XS)
LAN_IFACE="eth1"

# Flush out previous tables
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

# set default policies
$ipt -P INPUT ACCEPT      # Normally DROP
$ipt -P FORWARD ACCEPT    # Normally DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

# enable loopback
$ipt -A INPUT -i lo -j ACCEPT

# enable IP masquerading using Source NAT translation
#
# Any packet sent out to internet will look like it came from this machine
# instead of from the other machines inside the LAN
#
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP

# enable outgoing traffic, restrict incoming traffic
#
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# enable ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
You can run this directly as the root user. To have it run automatically at boot, I changed the /etc/init.d/iptables script as shown below. This bypasses the /etc/sysconfig/iptables settings and uses /root/bin/fire-start instead.

# original iptables-restore call in the start() function, now commented out:
# $IPTABLES-restore $OPT $IPTABLES_DATA
#
# invoke /root/bin/fire-start instead (by Tony Pearson)
#
. /root/bin/fire-start
if [ $? -eq 0 ]; then
    success; echo
else
    failure; echo; return 1
fi
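The fire-start script leaves the INPUT and FORWARD default policies at ACCEPT (its comments say "Normally DROP"), so it is worth checking what is actually loaded before the server faces the WAN. The following POSIX sh audit function is an added example, not part of Tony Pearson's scripts or the OLPC project: it reads an iptables-save dump and checks it against the hardened form of the policy above, assuming the interface names (eth0, eth1) and WAN address (192.168.0.29) from the script. The two dumps embedded in it are constructed samples, not captures from a real server.

```shell
#!/bin/sh
# audit_fw DUMP: check an iptables-save dump against the intent of fire-start.
# Prints a FAIL line per problem; returns the failure count (0 = hardened).
audit_fw() {
    dump=$1; fails=0
    # INPUT/FORWARD should default to DROP; fire-start leaves ACCEPT ("Normally DROP").
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$dump" | grep -q "^:$chain DROP "; then
            echo "FAIL: $chain default policy is not DROP"; fails=$((fails + 1))
        fi
    done
    # LAN hosts leaving via the WAN interface must be source-NATed (assumed eth0 / 192.168.0.29).
    if ! printf '%s\n' "$dump" | grep -q -- "^-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.29$"; then
        echo "FAIL: SNAT rule for eth0 missing"; fails=$((fails + 1))
    fi
    # WAN->LAN forwarding must be stateful and must not admit NEW connections.
    rule=$(printf '%s\n' "$dump" | grep -- "^-A FORWARD -i eth0 -o eth1 " || true)
    if [ -z "$rule" ]; then
        echo "FAIL: no WAN->LAN FORWARD rule"; fails=$((fails + 1))
    elif ! printf '%s\n' "$rule" | grep -q -- "--state" || printf '%s\n' "$rule" | grep -q NEW; then
        echo "FAIL: WAN->LAN FORWARD rule is not reply-only"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample of iptables-save output after fire-start (not captured
# from a real server): INPUT/FORWARD still ACCEPT, so audit_fw reports 2 failures.
FIRE_START_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.29
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Same rules with the two default policies set to DROP: passes every check.
HARDENED_DUMP=$(printf '%s\n' "$FIRE_START_DUMP" |
    sed -e 's/^:INPUT ACCEPT/:INPUT DROP/' -e 's/^:FORWARD ACCEPT/:FORWARD DROP/')
# On a real server: audit_fw "$(iptables-save)"
```

The state list is checked order-independently because iptables-save may print the states in a different order from the one given on the command line.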