SOLARIS + squid + ipf + TRANSPARENT
1.建立用户和组
# groupadd squid
# useradd -g squid -d /dev/null -s /bin/false squid
2.安装SQUID
# gzip -d squid-2.5.STABLE6.tar.gz
# tar -vxf squid-2.5.STABLE6.tar
# cd squid-2.5.STABLE6
# ./configure \
--prefix=/usr/local/squid \
--sysconfdir=/etc/squid \
--enable-default-err-language=Simplify_Chinese \
--enable-ipf-transparent \
--disable-hostname-checks \
--disable-internal-dns
# make
# make install
3.配置SQUID.CONF
# vi /usr/local/squid/etc/squid.conf
===================== squid.conf ====================
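# squid.conf for the transparent proxy.
# NOTE(review): squid was built with --sysconfdir=/etc/squid, so the file it
# reads at start-up is /etc/squid/squid.conf; confirm that is the copy being
# edited (the text above edits /usr/local/squid/etc/squid.conf).

# Address and port squid listens on for proxy clients.
# NOTE(review): the ipnat rdr rule sends redirected port-80 traffic to
# 192.168.100.1:3128 and our_networks below is 192.168.100.0/24 -- squid must
# listen on the address the redirect targets, so check this against ipnat.conf.
http_port 192.168.0.1:3128
# Contact address shown on error pages (the forum [email] tags are not part
# of the value).
cache_mgr llzqq@nero.3322.org
error_directory /usr/local/squid/share/errors/Simplify_Chinese
dns_nameservers 202.99.160.68 202.99.168.8
visible_hostname nero.3322.org

# Squid 2.5 transparent (accelerator) mode, paired with the
# --enable-ipf-transparent build option: the origin host is taken from the
# request's Host header ("virtual"), and normal proxy requests keep working.
httpd_accel_uses_host_header on
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on

# Memory and object-size limits.
cache_mem 48 MB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 30 KB
minimum_object_size_in_memory 0 KB
# Object replacement starts above cache_swap_high and stops at cache_swap_low
# (percent of cache_dir usage).
cache_swap_low 85
cache_swap_high 90
# NOTE(review): this path lies outside the /usr/local/squid tree that the
# chown step covers; it must be owned by cache_effective_user/group before
# "squid -z" runs.  Squid 2.5's ufs cache_dir normally also takes size/L1/L2
# arguments (e.g. "100 16 256") -- confirm "squid -z" accepts this line.
cache_dir ufs /opt/sfw/squid/var/cache
cache_effective_user squid
cache_effective_group squid

# Only the internal LAN may use the proxy.  The explicit final deny makes the
# policy independent of squid's implicit default for non-matching requests
# (which is the opposite of the last rule, i.e. deny here anyway).
acl our_networks src 192.168.100.0/24
http_access allow our_networks
http_access deny all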
===================== squid.conf ====================
# chown -R squid:squid /usr/local/squid/var
# /usr/local/squid/sbin/squid -z
4. SQUID启动脚本
# vi /etc/rc3.d/S78squid
====================== S78squid =====================
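#!/sbin/sh
#
# Copyright (c) 2005 by llzqq Inc
# All rights reserved.
#
#ident "@(#)squid 1.1 04/05/24 SMI"
#
# Solaris rc script for the Squid proxy: /etc/rc3.d/S78squid starts it at
# boot and the /etc/rc2.d/K78squid link stops it.  Runs under /sbin/sh, so
# only POSIX constructs are used.
#
# Usage: S78squid { start | stop | restart }

SQUID=/usr/local/squid/sbin/squid

# Nothing to do when squid is not installed (same convention as the other
# Solaris rc scripts).
[ -x "$SQUID" ] || exit 0

case "$1" in
start)
  # -D skips squid's start-up DNS test; the resolver may not be reachable
  # yet at this point of the boot sequence.
  "$SQUID" -D
  ;;
stop)
  # Ask for a graceful shutdown first; pkill then terminates any squid
  # process still around (it matches every process named squid).
  "$SQUID" -k shutdown
  pkill squid
  ;;
restart)
  # "reconfigure" only re-reads squid.conf; it does not stop and start the
  # daemon.  The option dash here must be a plain ASCII '-'.
  "$SQUID" -k reconfigure
  ;;
*)
  echo "Usage: $0 { start | stop | restart }" >&2
  exit 1
  ;;
esac
exit 0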
====================== S78squid =====================
# chown root:sys /etc/rc3.d/S78squid
# chmod 744 /etc/rc3.d/S78squid
# ln -s /etc/rc3.d/S78squid /etc/rc2.d/K78squid
5. 配置IPF防火墙
# vi /etc/opt/ipf/ipf.conf
===============================ipf.conf============================
#
# +------------------+ +---------------------+ +------------------+
# | Internet Network |---| hme0 NAT+IPF rf0 |---| Internal Network |
# +------------------+ +---------------------+ +------------------+
#
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Interface: all
# Block all incoming and outgoing packets unless they're allowed later.
# ipf evaluates rules in order and the LAST matching rule wins unless a
# rule is marked "quick", so these two defaults are overridden by the
# later pass rules.
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# block all first
block in all
block out all
# packets with ip-options, short and fragmented packets
# ("quick": dropped immediately, no later pass rule can override)
block in quick all with short
block in quick all with ipopts
block in quick all with frag
block in quick all with opt lsrr
block in quick all with opt ssrr
# disable nmap scan
# Illegal TCP flag combinations used by stealth scans: FIN+URG+PUSH (Xmas),
# SYN+FIN, and segments with none of SYN/FIN/RST/ACK set (null scan).
block in quick on hme0 proto tcp from any to any flags FUP
block in quick on hme0 proto tcp from any to any flags SF/SFRA
block in quick on hme0 proto tcp from any to any flags /SFRA
# Local network traffic is allowed
# NOTE(review): everything on the inside interface rf0 passes unfiltered in
# both directions, so the firewall host itself is fully exposed to internal
# machines.  There is also no anti-spoofing rule rejecting packets that
# arrive on hme0 with a 192.168.100.0/24 or loopback source address --
# consider adding one ahead of the service rules below.
pass out quick on lo0
pass in quick on lo0
pass in quick on rf0
pass out quick on rf0
# The pass rules to enable Services
# NOTE(review): these accept new connections from ANY external address.
# ssh (22) and the cleartext ftp control port (21) in particular should be
# limited to known management sources unless they are meant to be public.
# Port 20 inbound and the 55000-55100 range are presumably for FTP (active
# data / passive range) -- confirm against the FTP server's configuration.
# "flags S keep state": only SYNs open a state entry; replies are matched
# from the state table.
pass in on hme0 proto icmp from any to any icmp-type echo
pass in on hme0 proto tcp from any to any port = 20 flags S keep state
pass in on hme0 proto tcp from any to any port = 21 flags S keep state
pass in on hme0 proto tcp from any to any port = 22 flags S keep state
pass in on hme0 proto tcp from any to any port = 80 flags S keep state
pass in on hme0 proto tcp from any to any port = 443 flags S keep state
pass in on hme0 proto tcp from any to any port 55000 >< 55100 flags S keep state
# The general pass rules.
# Outbound on hme0: new TCP connections (SYN set, ACK/FIN/RST clear), plus
# any UDP and ICMP, with state kept so the replies are accepted.
# NOTE(review): "keep frags" tracks fragments of these flows, but the
# unconditional "block in quick all with frag" above still applies to
# incoming fragments -- verify fragmented replies behave as intended.
pass out quick on hme0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on hme0 proto udp from any to any keep state keep frags
pass out quick on hme0 proto icmp from any to any keep state keep frags
===============================ipf.conf============================
# vi /etc/opt/ipf/ipnat.conf
==============================ipnat.conf===========================
# Outbound NAT for the LAN behind rf0 onto hme0's address 192.168.10.14.
# The specific rules come first, since ipnat uses the first matching map rule:
#   1. ftp proxy so active-mode FTP data connections work through NAT
#   2. port mapping for all other TCP/UDP ("auto" lets ipnat pick the ports)
#   3. catch-all for the remaining protocols (e.g. icmp)
# NOTE(review): 192.168.10.14 is itself an RFC 1918 address, so the
# "Internet" side is presumably behind another NAT -- confirm that is intended.
map hme0 192.168.100.0/24 -> 192.168.10.14/32 proxy port ftp ftp/tcp
map hme0 192.168.100.0/24 -> 192.168.10.14/32 portmap tcp/udp auto
map hme0 192.168.100.0/24 -> 192.168.10.14/32
# Transparent proxy: every port-80 connection arriving on rf0, whatever its
# destination, is redirected to squid.
# NOTE(review): squid.conf binds http_port to 192.168.0.1:3128, not
# 192.168.100.1 -- one of the two must change or the redirect has no listener.
# Because the rdr matches any destination, internal hosts cannot reach port
# 80 on this box (or any internal web server via rf0) directly; confirm that
# is acceptable.
rdr rf0 0.0.0.0/0 port 80 -> 192.168.100.1 port 3128
==============================ipnat.conf===========================
6. 打开IP转发:
# touch /etc/gateways