Category: LINUX

2005-02-01 11:05:18

My squid + iptables configuration notes on Red Hat 9.0

I fiddled with this for half a day and somehow ended up with a working setup without quite knowing how :) I hope it helps anyone configuring squid for the first time, and I also hope someone familiar with iptables can help tighten up the security side.
Environment: Red Hat 9.0 + squid + iptables (as shipped with 9.0)

1. IP settings: eth0 connects to the LAN, eth1 connects to the ADSL modem

[root@ADSLserver network-scripts]# cat ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=172.16.3.2
NETMASK=255.255.255.0
NETWORK=172.16.3.0
[root@ADSLserver network-scripts]# cat ifcfg-eth1
DEVICE=eth1
BOOTPROTO=dhcp
ONBOOT=yes
[root@ADSLserver network-scripts]#
[root@ADSLserver sysconfig]# cat network
NETWORKING=yes
HOSTNAME=ADSLserver
GATEWAYDEV=ppp0
GATEWAY=
[root@ADSLserver sysconfig]#
2. Setting up PPPoE dial-up

[root@ADSLserver sysconfig]# adsl-setup
Welcome to the ADSL client setup. First, I will run some checks on
your system to make sure the PPPoE client is installed properly...

LOGIN NAME

Enter your Login Name (default root): [the username your ADSL provider gave you goes here, e.g. ###@163.gd]

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where X is a number.
(default eth0): eth1   [my ADSL connection is on eth1]

Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped. If you want the link to
stay up permanently, enter no (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses. You may have some problems with demand-activated links.
Enter the demand value (default no):   [just press Enter here]

DNS

Please enter the IP address of your ISPs primary DNS server.
If your ISP claims that the server will provide dynamic DNS addresses,
enter server (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: 202.96.134.133   [this is the DNS server; best to use the one your local telecom gives you]
Please enter the IP address of your ISPs secondary DNS server.
If you just press enter, I will assume there is only one DNS server.
Enter the secondary DNS server address here: 202.96.168.68   [the second DNS server, also from the telecom]

PASSWORD

Please enter your Password:   [enter the password your ADSL provider gave you]
Please re-enter your Password:

USERCTRL

Please enter yes (two letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): yes

FIREWALLING

Please choose the firewall rules to use. Note that these rules are
very basic. You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security. If you
are running any servers on your machine, you must choose NONE and
set up firewalling yourself. Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc. If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules. You are responsible
for ensuring the security of your machine. You are STRONGLY
recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
for a LAN
Choose a type of firewall (0-2): 2

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no):yes   [dial up automatically at every boot]

** Summary of what you entered **

Ethernet Interface: eth0
User name: [ADSL username]
Activate-on-demand: No
Primary DNS: 202.96.134.133
Secondary DNS: 202.96.168.68
Firewalling: MASQUERADE
User Control: yes
Accept these settings and adjust configuration files (y/n)?y

Setup complete.

Note that the summary above lists eth0 as the Ethernet interface even though eth1 was entered at the INTERFACE prompt; check the generated configuration before relying on it.

Use adsl-start to bring the link up, adsl-stop to stop the ADSL connection, and adsl-status to check its status.


3. Setting up iptables and enabling NAT

#setup

Turn the firewall off under Firewall configuration

#ntsysv

Disable iptables from starting at boot

#vi /etc/rc.d/init.d/rc.local

Add the following lines:

/usr/local/nat/nat.sh
route del default gw 192.168.1.1
route add -net 172.16.86.0 netmask 255.255.255.0 gw 172.16.3.2
adsl-start
# Somehow the default gateway always ends up as 192.168.1.1, the one eth1 gets from DHCP, even though I specified ppp0 in /etc/sysconfig/network. Strange. I had no choice but to remove that route; only then does NAT work. Can anyone give me a hint as to why?
# I have two subnets, 172.16.3.0/24 and 172.16.86.0/24. So that users on the 86 subnet can use the proxy without being given new IPs in the 3 subnet, I add a route pointing at the eth0 gateway (172.16.3.2).
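The rc.local step above deletes one hard-coded gateway. The following added example (my own code, not from the post) generalizes that step: it parses the routing table as printed by `route -n`, finds every default route that does not leave through the PPPoE interface, and emits the matching `route del` command. The sample routing table is constructed to mirror the post's situation; the function names and the `DRY_RUN` variable are this example's own conventions.

```shell
#!/bin/sh
# Added example: remove any default route that does not leave via the PPPoE
# interface, so a DHCP-learned gateway on eth1 cannot shadow ppp0.
# Function names and the DRY_RUN variable are this example's own conventions.

EXIF="${EXIF:-ppp0}"      # external interface, as in the post's nat.sh

# Constructed sample of 'route -n' output, mirroring the post's setup:
# DHCP on eth1 installed 192.168.1.1 as the default gateway.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.86.0     172.16.3.2      255.255.255.0   UG    0      0        0 eth0
172.16.3.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1'

# stray_default_routes [iface]: read 'route -n' style text on stdin and print
# one "route del" command per default route whose interface is not iface
# (default: $EXIF). Field layout: Destination Gateway Genmask ... Iface.
stray_default_routes() {
    exif="${1:-$EXIF}"
    awk -v exif="$exif" '
        NR > 2 && $1 == "0.0.0.0" && $3 == "0.0.0.0" && $NF != exif {
            if ($2 == "0.0.0.0")
                printf "route del default dev %s\n", $NF
            else
                printf "route del default gw %s dev %s\n", $2, $NF
        }'
}

# fix_default_route: apply (or, with DRY_RUN=1, only print) the deletions
# against the live table, so the PPPoE link can install its own default.
fix_default_route() {
    cmds=$(route -n | stray_default_routes)
    [ -n "$cmds" ] || return 0
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh
    fi
}

# Demonstration on the constructed table (no root or real routes needed).
demo() {
    printf '%s\n' "$SAMPLE_ROUTES" | stray_default_routes
}
```

Calling `fix_default_route` from rc.local before `adsl-start` replaces the fixed `route del default gw 192.168.1.1` line with a check that still works if the modem hands out a different gateway.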

#mkdir /usr/local/nat

#vi /usr/local/nat/nat.sh   (contents follow; no need to read them closely, it is the script from VBird's site with a few changes of my own)

#!/bin/bash
# Notes:
# a. This script sets up a simple NAT gateway; the module used is iptables.
# b. How to run it:
#    put the file under /usr/local/nat, named nat.sh (as an example)
#    chmod 744 /usr/local/nat/nat.sh
#    /usr/local/nat/nat.sh
# c. Or start it directly at boot:
#    vi /etc/rc.d/rc.local
#    and add as the last line: /usr/local/nat/nat.sh
# d. Made by VBird 2002/08/14
###########################################################################

# 0. Enter your parameter values here:
EXIF='ppp0'             # the external interface; for cable it is probably eth0!
INIF='eth0'             # the internal (LAN) interface
EXNET='172.16.3.0/24'  # the internal network; only one network is set here!

# Do not change anything below unless you have to!
# 0.1 Testing your Kernel version ..
echo -n "Check your kernel version...             "
kver=`uname -r | cut -c 1-3`
if [ "$kver" == "2.4" ] || [ "$kver" == "2.5" ]; then
        echo "[OK]"
        echo "Your Linux Kernel Version is no problem!"
else
        echo "[Failure]"
        echo "Your Linux Kernel Version may not be supported by this script!"
        echo "This script will not be run"
        exit 1
fi

# 0.2 Tell you what is this
  echo "  "
  echo "Note:"
  echo "     This script will clear your iptables' rules"
  echo "     Please make sure that you want to do this script!"
  echo "     Ha Ha! No problem ! If you just want to be an NAT server !"
  echo " "
#  echo -n "     Please Keyin your choice ( y/n ) : "
#  read yn
#  until [ "$yn" == "y" ] || [ "$yn" == "Y" ] || [ "$yn" == "n" ] || [ "$yn" == "N" ]
#  do
#       if   [ "$yn" == "n" ] || [ "$yn" == "N" ]; then
#               echo " Do nothing ...."
#               exit
#       elif [ "$yn" == "y" ] || [ "$yn" == "Y" ]; then
#               echo " Running NAT script...."
#       else
#               echo -n "     Please Keyin your choice ( y/n ) : "
#               read yn
#       fi
#  done

# 0.3 remove ipchains modules (ipchains and iptables cannot be loaded together)
  ipchains=`lsmod | grep ipchains`
  if [ "$ipchains" != "" ]; then
        rmmod ipchains 2> /dev/null
        modprobe ip_tables 2> /dev/null
  fi

# 1. Declare variables, enable routing and clear the existing rules:
  PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
  export PATH
  /sbin/iptables -F
  /sbin/iptables -X
  /sbin/iptables -Z
  /sbin/iptables -F -t nat
  /sbin/iptables -X -t nat
  /sbin/iptables -Z -t nat
# Note: with the INPUT policy at ACCEPT, anything not matched by a rule below is let in.
  /sbin/iptables -P INPUT   ACCEPT
  /sbin/iptables -P OUTPUT  ACCEPT
  /sbin/iptables -P FORWARD ACCEPT
  /sbin/iptables -t nat -P PREROUTING  ACCEPT
  /sbin/iptables -t nat -P POSTROUTING ACCEPT
  /sbin/iptables -t nat -P OUTPUT      ACCEPT

# 2. Load the modules!
  modprobe ip_tables  2> /dev/null
  modprobe iptable_nat > /dev/null 2>&1
  modprobe ip_nat_ftp  2> /dev/null
  modprobe ip_nat_irc  2> /dev/null
  modprobe ip_conntrack  2> /dev/null
  modprobe ip_conntrack_ftp  2> /dev/null
  modprobe ip_conntrack_irc  2> /dev/null

# 3. Enable IP masquerading:
  /sbin/iptables -A INPUT -i lo -j ACCEPT
  /sbin/iptables -A INPUT -i $INIF -j ACCEPT
  echo 1 > /proc/sys/net/ipv4/ip_forward
  /sbin/iptables -t nat -A POSTROUTING -s $EXNET -o $EXIF -j MASQUERADE
  echo " "
  echo " OK! Your Linux Server Now have been an NAT Sever ! ^_^"
  echo " If you still have any question, please come here"
  echo " "
# Anti-spoofing: drop private and loopback source addresses arriving on the
# external interface. These rules must come before the ACCEPT rules below,
# because iptables stops at the first matching rule.
  /sbin/iptables -A INPUT -i $EXIF -s 192.168.1.0/24 -j DROP
  /sbin/iptables -A INPUT -i $EXIF -s 10.0.0.0/8 -j DROP
  /sbin/iptables -A INPUT -i $EXIF -s 172.16.0.0/12 -j DROP      # whole RFC 1918 172.16/12 block
  /sbin/iptables -A INPUT -i $EXIF -s 127.0.0.0/8 -j DROP
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  AICWP="0 3 3/4 4 11 12 14 16 18"
  for tyicmp in $AICWP
  do
        /sbin/iptables -A INPUT -i $EXIF -p icmp --icmp-type $tyicmp -j ACCEPT
  done
# Transparent proxy: redirect LAN web traffic to squid on port 3128.
# 172.16.0.0/16 covers both the 172.16.3.0/24 and the 172.16.86.0/24 segment.
  /sbin/iptables -t nat -A PREROUTING -i $INIF -p TCP -s 172.16.0.0/16 --dport 80 -j REDIRECT --to-ports 3128
  /sbin/iptables -A INPUT -p TCP -i $INIF --dport 3128:3130 -j ACCEPT
  /sbin/iptables -A INPUT -p TCP -i $EXIF --dport 22 -j ACCEPT          #SSH
#  /sbin/iptables -A INPUT -p TCP -i $EXIF --dport 25 -j ACCEPT         #SMTP
#  /sbin/iptables -A INPUT -p UDP -i $EXIF --dport 53 -j ACCEPT         #DNS
#  /sbin/iptables -A INPUT -p TCP -i $EXIF --dport 53 -j ACCEPT         #DNS
  /sbin/iptables -A INPUT -p TCP -i $EXIF --dport 80 -j ACCEPT          #WWW
#  /sbin/iptables -A INPUT -p TCP -i $EXIF --dport 110 -j ACCEPT                #POP3
  /sbin/iptables -A INPUT -p TCP -i $EXIF --dport 113 -j ACCEPT         #AUTH
#  /sbin/iptables -A FORWARD -p tcp --dport 4444 -j DROP
#  /sbin/iptables -A FORWARD -p udp --dport 4444 -j DROP
#  /sbin/iptables -A FORWARD -p tcp --dport 445 -j DROP
#  /sbin/iptables -A FORWARD -p udp --dport 445 -j DROP
#  /sbin/iptables -A FORWARD -p tcp --dport 69 -j DROP
#  /sbin/iptables -A FORWARD -p udp --dport 69 -j DROP
#  /sbin/iptables -A FORWARD -p tcp --dport 139 -j DROP
#  /sbin/iptables -A FORWARD -p udp --dport 139 -j DROP
#  /sbin/iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#  /sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#  /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
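The post's script keeps the INPUT and FORWARD policies at ACCEPT, so anything not explicitly matched is let in, and its FORWARD chain passes every packet. The following added example (my own code, not the post's nat.sh and not VBird's) builds the same NAT and transparent-proxy rule set with default-deny policies, anti-spoofing evaluated before any ACCEPT, and forwarding restricted to the two LAN subnets named in the post. The `IPT`, `LANNETS`, `SPOOFNETS` and `DRY_RUN` variables and the function names are assumptions of this example; with `DRY_RUN=1` the rules are printed rather than applied, so the ordering can be checked without root or a live iptables.

```shell
#!/bin/sh
# Added example (not the post's nat.sh): NAT + transparent proxy with
# default-deny policies, anti-spoofing checked before any ACCEPT, and
# forwarding limited to the LAN subnets. Names below are this example's own.

IPT=/sbin/iptables
EXIF="${EXIF:-ppp0}"                      # external (PPPoE) interface
INIF="${INIF:-eth0}"                      # internal (LAN) interface
LANNETS="${LANNETS:-172.16.3.0/24 172.16.86.0/24}"   # both LAN subnets from the post
SQUID_PORT=3128
# RFC 1918 and loopback space must never arrive from the Internet side.
SPOOFNETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# build_rules: print the iptables commands, in order, one per line.
build_rules() {
    # 1. Flush everything and set default-deny for traffic to and through the box.
    for t in "" "-t nat"; do
        echo "$IPT $t -F"; echo "$IPT $t -X"; echo "$IPT $t -Z"
    done
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    # 2. Anti-spoofing first, so no later ACCEPT can match a forged source.
    for n in $SPOOFNETS; do
        echo "$IPT -A INPUT -i $EXIF -s $n -j DROP"
        echo "$IPT -A FORWARD -i $EXIF -s $n -j DROP"
    done
    # 3. Loopback, the LAN side, and replies to connections this box opened.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -i $INIF -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. Services reachable from the Internet side: SSH, ident, rate-limited ping.
    echo "$IPT -A INPUT -i $EXIF -p tcp --dport 22 -j ACCEPT"
    echo "$IPT -A INPUT -i $EXIF -p tcp --dport 113 -j ACCEPT"
    echo "$IPT -A INPUT -i $EXIF -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT"
    # 5. Forward only LAN -> Internet (plus replies), masquerade it, and send
    #    LAN web traffic through squid on this box.
    for n in $LANNETS; do
        echo "$IPT -A FORWARD -i $INIF -o $EXIF -s $n -j ACCEPT"
        echo "$IPT -t nat -A POSTROUTING -s $n -o $EXIF -j MASQUERADE"
        echo "$IPT -t nat -A PREROUTING -i $INIF -s $n -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    done
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules: run the commands, or only print them when DRY_RUN=1.
apply_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        build_rules
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
        build_rules | sh
    fi
}

# first_rule_line PATTERN: position (1-based) of the first rule matching
# PATTERN, used to verify that DROP rules precede the ACCEPTs.
first_rule_line() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}
```

Running `DRY_RUN=1 sh nat-hardened.sh` and then `apply_rules` prints the rule list for review; because the ordering is generated rather than hand-appended, the anti-spoofing drops can never end up after a port ACCEPT the way they do in the post's script.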


4. The NAT server is now complete

Clients can be configured as follows to get online:

ip: 172.16.3.*

netmask: 255.255.255.0

gateway: 172.16.3.2

dns: 202.96.134.133

With the settings above done, clients can get online. Next, the squid proxy.

5. squid: proxy server

#vi /etc/squid/squid.conf

http_port 172.16.3.2:3128 # your host's address and Squid's port
icp_port 3130
udp_outgoing_address 255.255.255.255
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy lru
cache_dir ufs /var/spool/squid 4000 16 256 # adjust to the actual capacity of your disk
cache_access_log /var/log/squid/access.log
client_netmask 255.255.255.255
dns_nameservers 202.96.134.133 202.96.128.68 # your ISP's DNS
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access is evaluated first-match: the deny lines must come before
# "allow all", otherwise they never take effect
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow all
http_reply_access allow all
icp_access allow all
cache_mgr root
cache_effective_user nobody
cache_effective_group nobody
visible_hostname ADSLserver
httpd_accel_host 172.16.3.2 # your host name
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
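Squid evaluates `http_access` lines first-match, so an `http_access allow all` placed ahead of the deny lines (the order the post originally had) makes every later deny dead: the cache manager and CONNECT to arbitrary ports become reachable by anyone who can reach port 3128. The following added example (my own code, not part of the post) is a small audit that reads a squid.conf and flags an `allow all` that shadows later deny rules, or a rule list that does not end in `deny all`. Both embedded configurations are constructed: one reproduces the shadowing order, the other shows a LAN-restricted form using an `acl lan` for the post's two subnets, which the post itself does not contain.

```shell
#!/bin/sh
# Added example (not from the post): audit the http_access ordering of a
# squid.conf. Function names and the sample configurations are this
# example's own.

# Constructed copy of the shadowing order: "allow all" comes first, so the
# three deny lines and the localhost allow below it are never consulted.
BAD_CONF='http_access allow all
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost'

# Constructed hardened form: denies first, then only the LAN subnets from
# the post, then an explicit deny for everything else.
GOOD_CONF='acl lan src 172.16.3.0/24 172.16.86.0/24
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan
http_access deny all'

# audit_http_access: read a squid.conf on stdin, print one finding per
# problem, and return 1 if any finding was produced (0 when clean).
audit_http_access() {
    awk '
        $1 == "http_access" {
            n++
            rule[n] = $2 " " $3
            if ($2 == "allow" && $3 == "all") allow_all = n
            if ($2 == "deny" && allow_all) shadowed++
        }
        END {
            bad = 0
            if (n == 0) {
                print "no http_access rules found"; bad = 1
            }
            if (shadowed) {
                print "\"allow all\" at rule " allow_all " shadows " shadowed " later deny rule(s)"
                bad = 1
            }
            if (n && rule[n] != "deny all") {
                print "last rule is \"" rule[n] "\", expected \"deny all\""
                bad = 1
            }
            exit bad
        }'
}

# audit_file PATH: convenience wrapper for a real configuration file.
audit_file() {
    audit_http_access < "$1"
}
```

Run `audit_file /etc/squid/squid.conf` after editing the configuration; a non-zero exit with the printed findings means the deny rules are not doing what the file suggests they do.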


#rm -rf /var/spool/squid
#mkdir /var/spool/squid
#chown nobody.nobody -R /var/spool/squid
#su nobody -c "/usr/sbin/squid -z"   (or run su nobody and then squid -z directly)
# You must repeat the steps above every time you change the cache size. This is important; several of my failed attempts were caused by exactly this.
#ntsysv
Select squid so that the system starts the squid proxy service at every boot.
#sync;sync;sync;reboot
After the reboot it should work.
That completes the squid proxy server setup.

One odd problem I have is that at every boot my gateway is that damned DHCP one,
so I have to change it each time before NAT works:
#route del default gw 192.168.1.1
#adsl-start
I don't understand it; I'm noting it down for now and will look into it when I have time. With all of the above, plus my article on using sarg to review squid's activity, everyone's browsing becomes fully visible (please don't throw bricks at me, I'm only following the company's orders).
Reference sites
