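/**
 * Generate and install /etc/init.d/tproxy, the script that (re)creates the
 * Squid transparent-proxy iptables rules.
 *
 * - UseTProxyMode=1: the work is delegated to exec.squid.tproxy.php, the
 *   script is started and the function returns.
 * - Otherwise: kernel sysctl settings, mangle/nat chains and one rule set per
 *   enabled row of `transparent_networks` are collected in $sh, written to
 *   /etc/init.d/tproxy and script_install() is called.
 *
 * Side effects: sets $GLOBALS["IPTABLESBIN"] and $GLOBALS["echobin"], writes the
 * script, runs external programs, echoes progress. Returns nothing.
 */
function iptables_rules()
{
    $squid = new squidbee();
    $unix = new unix();
    $sock = new sockets();

    $UseTProxyMode = intval($sock->GET_INFO("UseTProxyMode"));
    $ssl_port = $squid->get_ssl_port();
    if (!is_numeric($squid->listen_port)) {
        $squid->listen_port = 3128;
    }

    $iptables = $unix->find_program("iptables");
    $GLOBALS["IPTABLESBIN"] = $iptables;
    $sysctl = $unix->find_program("sysctl");

    $KernelSendRedirects = $sock->GET_INFO("KernelSendRedirects");
    if (!is_numeric($KernelSendRedirects)) {
        $KernelSendRedirects = 1;
    }

    $EnableNatProxy = intval($sock->GET_INFO("EnableNatProxy"));
    $NatProxyServer = trim($sock->GET_INFO("NatProxyServer"));

    echo "Starting......: " . date("H:i:s") . " Squid iptables Rules: UseTProxyMode.....:{$UseTProxyMode}\n";

    if ($UseTProxyMode == 1) {
        disable_transparent();
        iptables_wccp_delete_all();
        $php = $unix->LOCATE_PHP5_BIN();
        echo "Starting......: " . date("H:i:s") . " Squid running Tproxy Mode\n";
        system("{$php} /usr/share/artica-postfix/exec.squid.tproxy.php");
        echo "Starting......: " . date("H:i:s") . " Squid running TProxy script...\n";
        shell_exec("/etc/init.d/tproxy start");
        return;
    }

    $php = $unix->LOCATE_PHP5_BIN();
    $GLOBALS["echobin"] = $unix->find_program("echo");
    // Every rule carries this comment so exec.squid.transparent.delete.php can find and remove them.
    $MARKLOG = "-m comment --comment \"ArticaSquidTransparent\"";

    $sh = array();
    $sh[] = script_startfile();
    build_progress("Creating rules...", 35);

    $sh[] = "{$GLOBALS["echobin"]} \"Patching kernel\"";
    $sh[] = "{$sysctl} -w net.ipv4.ip_forward=1 2>&1";
    $sh[] = "{$sysctl} -w net.ipv4.conf.default.send_redirects={$KernelSendRedirects} 2>&1";
    $sh[] = "{$sysctl} -w net.ipv4.conf.all.send_redirects={$KernelSendRedirects} 2>&1";
    if (is_file("/proc/sys/net/ipv4/conf/eth0/send_redirects")) {
        $sh[] = "{$sysctl} -w net.ipv4.conf.eth0.send_redirects={$KernelSendRedirects} 2>&1";
    }

    // Flush any previous rule set before adding the new one.
    $sh[] = "{$php} /usr/share/artica-postfix/exec.squid.transparent.delete.php || true";
    $sh[] = ebtables_rules();
    $sh[] = "{$GLOBALS["echobin"]} \"Enable rules\"";
    $sh[] = "{$iptables} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT {$MARKLOG} || true";

    // The mangle marking chains are only needed when ebtables is not in charge
    // ($GLOBALS["EBTABLES"] is expected to be set by ebtables_rules()).
    if (empty($GLOBALS["EBTABLES"])) {
        $sh[] = "{$GLOBALS["echobin"]} \"Add internetT dictionary\"";
        $sh[] = "{$iptables} -t mangle -N internetT {$MARKLOG} || true";
        $sh[] = "{$GLOBALS["echobin"]} \"Add internsslT dictionary\"";
        $sh[] = "{$iptables} -t mangle -N internsslT {$MARKLOG} || true";
        $sh[] = "{$GLOBALS["echobin"]} \"Add mangle MARK 97 for internsslT\"";
        $sh[] = "{$iptables} -t mangle -A internsslT -j MARK --set-mark 97 {$MARKLOG} || true";
        $sh[] = "{$GLOBALS["echobin"]} \"Add mangle MARK 96 for internetT\"";
        $sh[] = "{$iptables} -t mangle -A internetT -j MARK --set-mark 96 {$MARKLOG} || true";
    }

    // Squid's own outgoing connections must not be redirected back to itself
    // (this rule used to be emitted twice).
    $sh[] = "{$iptables} -t nat -A OUTPUT --match owner --uid-owner squid -p tcp -j ACCEPT {$MARKLOG}";
    $sh[] = "{$iptables} -t nat -I POSTROUTING -p tcp --dport 80 -j MASQUERADE {$MARKLOG}";
    $sh[] = "{$iptables} -t nat -I POSTROUTING -p tcp --dport 443 -j MASQUERADE {$MARKLOG}";

    $sql = "SELECT * FROM transparent_networks WHERE `enabled`=1 ORDER BY zOrder";
    $q = new mysql_squid_builder();
    $results = $q->QUERY_SQL($sql);
    while ($ligne = mysql_fetch_assoc($results)) {
        $transparent = $ligne["transparent"];
        $block = $ligne["block"];

        // Port 0 means "default": 80, or 443 when the row is flagged ssl.
        // (Previously written as `==`, a comparison, so ssl rows fell back to 80.)
        if ($ligne["destination_port"] == 0) {
            $ligne["destination_port"] = 80;
            if ($ligne["ssl"] == 1) {
                $ligne["destination_port"] = 443;
            }
        }
        // The well-known ports decide the ssl flag regardless of the row value.
        if ($ligne["destination_port"] == 443) {
            $ligne["ssl"] = 1;
        }
        if ($ligne["destination_port"] == 80) {
            $ligne["ssl"] = 0;
        }

        if ($block == 1) {
            $sh[] = pattern_to_www($ligne);
            continue;
        }
        if ($transparent == 0) {
            $sh[] = pattern_to_direct($ligne);
            continue;
        }
        $sh[] = pattern_to_proxy($ligne, $squid->listen_port, $ssl_port);
    }

    if ($EnableNatProxy == 1) {
        // The value is interpolated into a root-executed script: accept a literal IPv4 address only.
        if (filter_var($NatProxyServer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            echo "Starting......: " . date("H:i:s") . " Squid iptables Rules: NatProxyServer \"{$NatProxyServer}\" is not an IPv4 address, NAT proxy bypass skipped\n";
        } else {
            $sh[] = "{$iptables} -t nat -I PREROUTING -s {$NatProxyServer}/32 -p tcp -m tcp --dport 80 {$MARKLOG} -j RETURN";
            $sh[] = "{$iptables} -t nat -I PREROUTING -s {$NatProxyServer}/32 -p tcp -m tcp --dport 443 {$MARKLOG} -j RETURN";
        }
    }

    $sh[] = ChildsProxys();
    $sh[] = script_endfile();

    build_progress("Writing script...", 45);
    if (@file_put_contents("/etc/init.d/tproxy", implode("\n", $sh)) === false) {
        // Do not install a script that was not written.
        echo "Starting......: " . date("H:i:s") . " Squid iptables Rules: unable to write /etc/init.d/tproxy\n";
        return;
    }
    build_progress("Installing script...", 48);
    script_install();
}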
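/**
 * Write /etc/squid27/squid.conf for the auxiliary "NAT" Squid instance that
 * accepts transparently redirected traffic and forwards it all to the main
 * Squid (cache_peer on $LISTEN_PORT, never_direct).
 *
 * Inputs: the ArticaSquidParameters INI blob (listen/ICP ports, SSL bump,
 * certificate), socket settings (bind address, localnet policy, log policy)
 * and the `proxy_ports` table. Progress is echoed when $GLOBALS["OUTPUT"] is
 * set. Returns nothing.
 */
function build()
{
    $sock = new sockets();
    $unix = new unix();
    $ini = new Bs_IniHandler();
    $squid = new squidbee();
    $q = new mysql_squid_builder();
    $verbose = !empty($GLOBALS["OUTPUT"]);

    $f = array();          // squid.conf lines
    $IPADDRS = array();    // ip => http port
    $IPADDRSSL = array();  // ip => https port (only consumed when $ssl)
    $IPADDRS2 = array();   // unique "ip:port" for http_port
    $IPADDRSSL2 = array(); // unique "ip:port" for https_port

    // The INI has to be loaded before any _params lookup (visible_hostname used
    // to be read before loadString(), so it was always empty).
    $ArticaSquidParameters = $sock->GET_INFO('ArticaSquidParameters');
    $ini->loadString($ArticaSquidParameters);
    NETWORK_ALL_INTERFACES();

    $NETWORK = isset($ini->_params["NETWORK"]) ? $ini->_params["NETWORK"] : array();
    $visible_hostname = isset($NETWORK["visible_hostname"]) ? $NETWORK["visible_hostname"] : null;
    $LISTEN_PORT = isset($NETWORK["LISTEN_PORT"]) ? intval($NETWORK["LISTEN_PORT"]) : 0;
    $ICP_PORT = isset($NETWORK["ICP_PORT"]) ? intval(trim($NETWORK["ICP_PORT"])) : 0;
    $certificate_center = isset($NETWORK["certificate_center"]) ? $NETWORK["certificate_center"] : null;
    $SSL_BUMP = isset($NETWORK["SSL_BUMP"]) ? intval($NETWORK["SSL_BUMP"]) : 0;

    if ($visible_hostname == null) {
        $visible_hostname = $unix->hostname_g();
    }
    if ($ICP_PORT == 0) {
        $ICP_PORT = 3130;
    }
    if ($LISTEN_PORT == 0) {
        $LISTEN_PORT = 3128;
    }

    $SquidBinIpaddr = $sock->GET_INFO("SquidBinIpaddr");
    $AllowAllNetworksInSquid = $sock->GET_INFO("AllowAllNetworksInSquid");
    if (!is_numeric($AllowAllNetworksInSquid)) {
        $AllowAllNetworksInSquid = 1;
    }
    $LogsWarninStop = intval($sock->GET_INFO("LogsWarninStop"));

    $ssl = ($SSL_BUMP == 1);
    $ssl_port = $ssl ? $squid->get_ssl_port() : null;
    $certificate = null;
    $key = null;

    if ($SquidBinIpaddr != null) {
        if (!isset($GLOBALS["NETWORK_ALL_INTERFACES"][$SquidBinIpaddr])) {
            // The configured bind address is not on this host: listen everywhere instead.
            $SquidBinIpaddr = null;
        } else {
            // NOTE(review): no https_port is derived from the bind address here; with a
            // fixed bind address SSL ports only come from proxy_ports — confirm intended.
            $IPADDRS[$SquidBinIpaddr] = $LISTEN_PORT;
            if ($verbose) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Listens {$SquidBinIpaddr}\n";
            }
        }
    }

    if ($SquidBinIpaddr == null) {
        foreach ($GLOBALS["NETWORK_ALL_INTERFACES"] as $ipaddr => $val) {
            if ($verbose) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Listens {$ipaddr}:{$LISTEN_PORT}\n";
            }
            $IPADDRS[$ipaddr] = $LISTEN_PORT;
            if ($ssl) {
                $IPADDRSSL[$ipaddr] = $ssl_port;
            }
        }
    }

    if ($verbose) {
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} visible hostname........: {$visible_hostname}\n";
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} AllowAllNetworksInSquid.: {$AllowAllNetworksInSquid}\n";
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} ICP Port................: {$ICP_PORT}\n";
    }

    if ($ssl) {
        if ($verbose) {
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} SSL Intercept...........: Yes - {$ssl_port}\n";
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Certificate.............: {$certificate_center}\n";
        }
        // SaveCertificate() returns [config lines, ["certificate" => path, "key" => path]].
        $MAINSSL = $squid->SaveCertificate($certificate_center, false, false, false, true);
        $f[] = $MAINSSL[0];
        $certificate = $MAINSSL[1]["certificate"];
        $key = $MAINSSL[1]["key"];
        if ($verbose) {
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Certificate.............: {$certificate}\n";
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Key.....................: {$key}\n";
        }
    }

    $sql = "SELECT * FROM proxy_ports WHERE enabled=1 and transparent=1";
    $results = $q->QUERY_SQL($sql);
    $f[] = "# --------- proxy_ports enabled=1 and transparent=1 -> " . mysql_num_rows($results) . " ports";
    while ($ligne = mysql_fetch_assoc($results)) {
        $ipaddr = $ligne["ipaddr"];
        $xport = $ligne["port"];
        if (!isset($GLOBALS["NETWORK_ALL_INTERFACES"][$ipaddr])) {
            // Address configured in the table but absent from this host.
            $f[] = "# --------- table proxy_ports {$ipaddr}:{$xport} -> Hardware Error [" . __LINE__ . "]\n";
            $f[] = "# --------- http {$ipaddr} -> Hardware Error [" . __LINE__ . "]\n";
            continue;
        }
        if ($ssl) {
            $IPADDRSSL[$ipaddr] = $ssl_port;
        }
        $IPADDRS[$ipaddr] = $xport;
    }

    // Collapse to unique "ip:port" strings: the same address can come from both
    // the interface list and proxy_ports.
    foreach ($IPADDRSSL as $ipaddr => $xport) {
        $IPADDRSSL2["{$ipaddr}:{$xport}"] = true;
    }
    foreach ($IPADDRS as $ipaddr => $xport) {
        $IPADDRS2["{$ipaddr}:{$xport}"] = true;
    }
    foreach ($IPADDRS2 as $ipaddr => $none) {
        $f[] = "http_port {$ipaddr} transparent";
    }
    if ($ssl) {
        $f[] = "# --------- https -> " . count($IPADDRSSL2) . " addresses";
        foreach ($IPADDRSSL2 as $ipaddr => $none) {
            $f[] = "https_port {$ipaddr} transparent cert={$certificate} key={$key}";
        }
    }

    if ($AllowAllNetworksInSquid == 1) {
        $f[] = "acl localnet src all";
    }
    if ($AllowAllNetworksInSquid == 0) {
        $k = array();
        $NetworkScannerMasks = $sock->GET_INFO('NetworkScannerMasks');
        foreach (explode("\n", $NetworkScannerMasks) as $cidr) {
            if (trim($cidr) == null) {
                continue;
            }
            $k[$cidr] = $cidr;
        }
        // NOTE(review): the previous code also merged `$this->network_array` here, but
        // build() is a plain function with no $this, so that branch could only fatal;
        // it is dropped until the intended source of those networks is known.
        // (Also fixed: `count($k == 0)` / `count($k > 0)` counted a boolean.)
        if (count($k) == 0) {
            $f[] = "acl localnet src all";
        } else {
            $f[] = "acl localnet src " . implode(" ", $k);
        }
    }

    $f[] = "acl all src all";
    $f[] = "acl manager proto cache_object";
    $f[] = "acl localhost src 127.0.0.1/32";
    $f[] = "acl to_localhost dst 127.0.0.0/8 0.0.0.0/32";
    $f[] = "acl SSL_ports port \"/etc/squid3/acls/SSLPorts\"";
    $f[] = "acl Safe_ports port 80\t\t# http";
    $f[] = "acl Safe_ports port 21\t\t# ftp";
    $f[] = "acl Safe_ports port 443\t\t# https";
    $f[] = "acl Safe_ports port 70\t\t# gopher";
    $f[] = "acl Safe_ports port 210\t\t# wais";
    $f[] = "acl Safe_ports port 1025-65535\t# unregistered ports";
    $f[] = "acl Safe_ports port 280\t\t# http-mgmt";
    $f[] = "acl Safe_ports port 488\t\t# gss-http";
    $f[] = "acl Safe_ports port 591\t\t# filemaker";
    $f[] = "acl Safe_ports port 777\t\t# multiling http";
    $f[] = "acl CONNECT method CONNECT";
    $f[] = "";
    $f[] = "";

    if ($sock->EnableUfdbGuard() == 1) {
        $f[] = ufdbguard27();
        $EnableUfdbGuardArtica = $sock->EnableUfdbGuardArtica();
        // Make sure the acl files referenced below exist before Squid reads the config.
        $aclfiles = array(
            "/etc/squid3/acls/office365-nets.acl",
            "/etc/squid3/acls/office365-domains.acl",
            "/etc/squid3/acls/skype-nets.acl",
            "/etc/squid3/acls/dropbox-nets.acl",
        );
        foreach ($aclfiles as $aclfile) {
            if (!is_file($aclfile)) {
                @touch($aclfile);
            }
        }
        $f[] = "acl squidclient proto cache_object";
        $f[] = "acl MgRDest dst 127.0.0.1";
        $f[] = "acl MgRPort dst 127.0.0.1";
        $f[] = "acl MyTestPort src 127.0.0.1";
        $f[] = "acl MyLocalIpsDest dst 127.0.0.1";
        $f[] = "acl ToArticaWWW dstdomain .artica.fr .articatech.net .articatech.com";
        if ($EnableUfdbGuardArtica == 0) {
            $f[] = "acl UrlRewriteDenyList dstdomain \"/etc/squid3/url_rewrite_program.deny.db\"";
        }
        $f[] = "acl ArticaMetaWhiteDoms dstdomain \"/etc/squid3/artica-meta/whitelist-domains.db\"";
        $f[] = "acl ArticaMetaWhiteIPs dst \"/etc/squid3/artica-meta/whitelist-nets.db\"";
        $f[] = "acl BrowsersNoWebF browser -i \"/etc/squid3/acls/Browsers-nofilter.acl\"";
        $f[] = "acl whitelisted_mac_computers arp \"/etc/squid3/whitelisted-computers-by-mac.acl\"";
        $f[] = "acl office365_ips dst \"/etc/squid3/acls/office365-nets.acl\"";
        $f[] = "acl office365_www dstdomain \"/etc/squid3/acls/office365-domains.acl\"";
        $f[] = "acl skype_www dstdomain .live.com .skypeassets.com";
        $f[] = "acl skype_ips dst \"/etc/squid3/acls/skype-nets.acl\"";
        $f[] = "acl dropbox_ips dst \"/etc/squid3/acls/dropbox-nets.acl\"";
        $f[] = "acl dropbox_www dstdomain .dropbox.com";
        $f[] = @file_get_contents("/etc/squid3/url_rewrite_access.conf");
    }

    $f[] = "http_access allow manager localhost";
    $f[] = "http_access deny manager";
    $f[] = "http_access deny !Safe_ports";
    $f[] = "http_access deny CONNECT !SSL_ports";
    $f[] = "http_access allow localnet";
    $f[] = "http_access deny all";
    $f[] = "icp_access allow localnet";
    $f[] = "icp_access deny all";
    // NOTE(review): the peer ICP port is hard-coded to 3130 although $ICP_PORT is
    // read above — confirm which one the main instance actually uses.
    $f[] = "cache_peer 127.0.0.1\tparent\t{$LISTEN_PORT}\t3130\tdefault";
    $f[] = "never_direct allow all";
    $f[] = "cache_mem 64 MB";
    $f[] = "maximum_object_size_in_memory 256 KB";
    $f[] = "memory_replacement_policy lru";

    $LOGFORMAT = array();
    $LOGFORMAT[] = "%>a";
    $LOGFORMAT[] = "%[ui";
    $LOGFORMAT[] = "%[un";
    $LOGFORMAT[] = "[%tl]";
    $LOGFORMAT[] = "\"%rm %ru HTTP/%rv\"";
    $LOGFORMAT[] = "%Hs";
    $LOGFORMAT[] = "%<st";
    $LOGFORMAT[] = "%Ss:";
    $LOGFORMAT[] = "%Sh";
    $LOGFORMAT[] = "UserAgent:\"%{User-Agent}>h\"";
    $LOGFORMAT[] = "Forwarded:\"%{X-Forwarded-For}>h\"";
    $f[] = "logformat common MAC:00:00:00:00:00:00 " . implode(" ", $LOGFORMAT);

    $f[] = "access_log none";
    $f[] = "cache_store_log none";
    if ($LogsWarninStop == 0) {
        $f[] = "logfile_rotate 10";
    }
    if ($LogsWarninStop == 1) {
        $f[] = "logfile_rotate 0";
    }
    $f[] = "# emulate_httpd_log off";
    $f[] = "log_ip_on_direct on";
    $f[] = "mime_table /etc/squid27/mime.conf";
    $f[] = "# log_mime_hdrs off";
    $f[] = "pid_filename /var/run/squid/squid-nat.pid";
    $f[] = "debug_options ALL,1";
    $f[] = "log_fqdn on";
    $f[] = "client_netmask 255.255.255.255";
    $f[] = "strip_query_terms off";
    $f[] = "buffered_logs on";
    $f[] = "netdb_filename /var/log/squid/netdb_nat.state";
    if ($LogsWarninStop == 0) {
        $f[] = "cache_log /var/log/squid/cache-nat.log";
    }
    if ($LogsWarninStop == 1) {
        $f[] = "cache_log /dev/null";
    }
    $f[] = "#url_rewrite_program";
    $f[] = "# url_rewrite_children 5";
    $f[] = "# url_rewrite_concurrency 0";
    $f[] = "# url_rewrite_host_header on";
    $f[] = "refresh_pattern .\t\t0\t20%\t4320";
    $f[] = "cache_effective_user squid";
    $f[] = "cache_effective_group squid";
    $f[] = "httpd_suppress_version_string on";
    $f[] = "visible_hostname {$visible_hostname}";
    $f[] = "cache_dir null /tmp";
    $f[] = "# icon_directory /usr/share/squid27/icons";
    $f[] = "# error_directory /usr/share/squid27/errors/English";
    $f[] = "forwarded_for on";
    $f[] = "client_db on";
    $f[] = "";

    CheckFilesAndSecurity();
    if (@file_put_contents("/etc/squid27/squid.conf", implode("\n", $f)) === false) {
        if ($verbose) {
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} unable to write /etc/squid27/squid.conf\n";
        }
        return;
    }
    if ($verbose) {
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} /etc/squid27/squid.conf done\n";
    }
}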
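/**
 * ucarp "up" hook. On the slave node, when the virtual IP $SQUIDIP comes up on
 * $nic and the proxy runs in transparent mode, install the iptables rules that
 * redirect port 80 (and 443 when SSL_BUMP is on) to the local Squid, then
 * reload Squid and restart snmpd.
 *
 * $trois/$quatre/$cinq are accepted because ucarp passes more arguments than
 * this hook uses. Nothing is returned; progress goes to VirtualsIPSyslog().
 */
function ucarp_notify($nic = null, $SQUIDIP = null, $trois = null, $quatre = null, $cinq = null)
{
    if ($nic == null) {
        VirtualsIPSyslog("[Failover] No nic, no IP...");
        return;
    }
    // $SQUIDIP is interpolated into root shell commands below: accept a literal IPv4 address only.
    if (filter_var($SQUIDIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        VirtualsIPSyslog("[Failover] Invalid virtual IP address \"{$SQUIDIP}\", nothing to do...");
        return;
    }

    $unix = new unix();
    $LOCATE_SQUID_BIN = $unix->LOCATE_SQUID_BIN();
    if (!is_file($LOCATE_SQUID_BIN)) {
        return;
    }
    $nohup = $unix->find_program("nohup");
    include_once dirname(__FILE__) . "/ressources/class.squid.inc";

    $sock = new sockets();
    $hasProxyTransparent = $sock->GET_INFO("hasProxyTransparent");
    if (!is_numeric($hasProxyTransparent)) {
        $hasProxyTransparent = 0;
    }
    VirtualsIPSyslog("[Failover] state UP detected {$nic}:{$SQUIDIP} Proxy Transparent mode: {$hasProxyTransparent}");

    if (is_file("/usr/share/ucarp/Master")) {
        VirtualsIPSyslog("[Failover] UP mode Master... nothing to do...");
        return;
    }
    // NOTE(review): HASettings is stored as base64(serialize(...)); unserialize() of
    // stored data is only safe while that store is root-writable only — a JSON
    // encoding would remove the concern.
    $MAIN = unserialize(base64_decode($sock->GET_INFO("HASettings")));
    if (isset($MAIN["SLAVE"]) && $MAIN["SLAVE"] != null) {
        VirtualsIPSyslog("[Failover] UP mode Master... nothing to do...");
        return;
    }
    if ($hasProxyTransparent == 0) {
        return;
    }

    $squid = new squidbee();
    $ssl_port = $squid->get_ssl_port();
    if (!is_numeric($squid->listen_port)) {
        $squid->listen_port = 3128;
    }
    $SQUIDPORT = $squid->listen_port;
    $SSL_BUMP = $squid->SSL_BUMP;
    $iptables = $unix->find_program("iptables");
    if ($iptables == null) {
        VirtualsIPSyslog("[Failover] iptables binary not found, cannot redirect connections...");
        return;
    }
    $MARKLOG = "-m comment --comment \"SquidFailOverTransparent\"";

    VirtualsIPSyslog("[Failover] UP Redirect connections from {$SQUIDIP}:80/443 to port {$SQUIDPORT}/{$ssl_port} - if ssl enabled -");
    ucarp_notify_removeiptables();

    // Rule order matters: the ACCEPTs for traffic sourced from the VIP must
    // precede the REDIRECTs; the mangle DROPs keep clients off the proxy ports.
    $rules = array();
    $rules[] = "-t nat -A PREROUTING -s {$SQUIDIP} -p tcp --dport 80 -j ACCEPT";
    if ($SSL_BUMP == 1) {
        $rules[] = "-t nat -A PREROUTING -s {$SQUIDIP} -p tcp --dport 443 -j ACCEPT";
    }
    $rules[] = "-t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port {$SQUIDPORT}";
    if ($SSL_BUMP == 1) {
        $rules[] = "-t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port {$ssl_port}";
    }
    $rules[] = "-t nat -A POSTROUTING -j MASQUERADE";
    $rules[] = "-t mangle -A PREROUTING -p tcp --dport {$SQUIDPORT} -j DROP";
    if ($SSL_BUMP == 1) {
        $rules[] = "-t mangle -A PREROUTING -p tcp --dport {$ssl_port} -j DROP";
    }
    foreach ($rules as $rule) {
        shell_exec("{$iptables} {$rule} {$MARKLOG}");
    }

    $cmd = "/etc/init.d/squid reload --script=" . basename(__FILE__);
    shell_exec("{$cmd} >/dev/null 2>&1");
    shell_exec("{$nohup} /etc/init.d/snmpd restart >/dev/null 2>&1 &");
}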
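/**
 * Return the shell script body that switches the box into Squid TProxy mode:
 * load the netfilter modules, set up the 'proxy' routing table and fwmark
 * rule, relax rp_filter, then add the mangle DIVERT/TPROXY rules for port 80
 * (and 443 when SSL_BUMP is on).
 *
 * Most commands end with `|| true` so an already-loaded module or an existing
 * route does not abort the script. Returns the script as one string.
 */
function script_tproxy()
{
    $unix = new unix();
    $squid = new squidbee();
    $SSL_BUMP = $squid->SSL_BUMP;
    $ssl_port = $squid->get_ssl_port();
    // Same fallback as the other rule builders in this file.
    if (!is_numeric($squid->listen_port)) {
        $squid->listen_port = 3128;
    }
    $listen_port = $squid->listen_port;

    $ip = $unix->find_program("ip");
    $php = $unix->LOCATE_PHP5_BIN();
    $echo = $unix->find_program("echo");
    $iptables = $unix->find_program("iptables");
    $modprobe = $unix->find_program("modprobe");
    $MARKLOG = "-m comment --comment \"ArticaSquidTransparent\"";

    $sh = array();
    foreach (array("xt_TPROXY", "xt_socket", "xt_mark", "nf_nat", "nf_conntrack_ipv4", "nf_conntrack", "nf_defrag_ipv4", "ipt_REDIRECT", "iptable_nat") as $module) {
        $sh[] = "{$modprobe} {$module} || true";
    }

    $sh[] = "{$echo} \"Squid TProxy mode: Check routing table 'Proxy'\"";
    $sh[] = "{$php} " . __FILE__ . " --table-proxy || true";
    $sh[] = "{$ip} route del 127.0.0.1 dev lo || true";
    $sh[] = "{$ip} route del local 127.0.0.0/24 dev lo table local || true";
    // Was "del lo" (a typo the trailing `|| true` hid); "dev lo" matches the line above.
    $sh[] = "{$ip} route del local 127.0.0.0/8 dev lo table local || true";
    $sh[] = "{$ip} -f inet rule add fwmark 1 lookup proxy || true";
    $sh[] = "{$ip} -f inet route add local default dev lo table proxy || true";

    $sh[] = "{$echo} 1 > /proc/sys/net/ipv4/ip_forward";
    $sh[] = "{$echo} 0 > /proc/sys/net/ipv4/conf/default/rp_filter";
    $sh[] = "{$echo} 0 > /proc/sys/net/ipv4/conf/all/rp_filter";
    // NOTE(review): the interface is hard-coded to eth0; the SquidTProxyInterface
    // setting is not consulted here — confirm which interface is intended.
    if (is_file("/proc/sys/net/ipv4/conf/eth0/rp_filter")) {
        $sh[] = "{$echo} 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter";
    }

    $sh[] = "{$iptables} -t mangle -N DIVERT {$MARKLOG} || true";
    $sh[] = "{$iptables} -t mangle -A DIVERT -j MARK --set-mark 1 {$MARKLOG} || true";
    $sh[] = "{$iptables} -t mangle -A DIVERT -j ACCEPT {$MARKLOG} || true";
    $sh[] = "{$iptables} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT {$MARKLOG} || true";
    $sh[] = "{$echo} \"Squid TProxy mode: enabled in transparent mode in {$listen_port} Port (SSL_BUMP={$SSL_BUMP}) SSL PORT:{$ssl_port}\"";
    $sh[] = "{$iptables} -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port {$listen_port} {$MARKLOG} || true";
    if ($SSL_BUMP == 1) {
        $sh[] = "{$iptables} -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port {$ssl_port} {$MARKLOG} || true";
    }

    return implode("\n", $sh);
}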