Single-NIC transparent proxy for the internal network with Squid 3.0 and iptables
Managing the company network is, I think, every administrator's biggest headache: this department must not be offended, that department needs special privileges, and the admin is stuck in the middle taking the blame; on top of that, whenever the network has a problem, you are told you are not managing it properly. Lately I have been pestered to the point of giving up, so I simply set up a transparent proxy to control their web access. Enough complaining, it could go on all day; here is the tutorial.
System: CentOS 5.5
IP: 192.168.9.166
1. Install squid
I installed it directly with yum: squid-3.0.STABLE25-1.el5
2. Configuration
cd /etc/squid/
rm -f squid.conf
vi squid.conf
Contents of squid.conf:
http_port 3128 transparent
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
#maximum_object_size 5120 KB
#minimum_object_size 0 KB
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /var/spool/squid 1024 16 256
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
visible_hostname cdn
dns_nameservers 61.139.2.69
dns_nameservers 202.98.96.68
cache_mgr root
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl coach urlpath_regex coach
no_cache deny coach
acl SSL_ports port 443 8080 9525 9510 5222 21 88
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 8080
acl Safe_ports port 9525 9510 5222
acl Safe_ports port 8888
acl CONNECT method CONNECT
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl fm_hk src 192.168.9.0/24
acl to_lan dst 192.168.0.0/19
acl file_mp3 urlpath_regex -i \.mp3$
acl file_scr urlpath_regex -i \.scr$
acl file_avi urlpath_regex -i \.avi$
acl file_exe urlpath_regex -i \.exe$
acl file_pif urlpath_regex -i \.pif$
acl file_pf urlpath_regex -i \.pf$
acl file_xdb urlpath_regex -i \.xdb$
acl file_mp4 urlpath_regex -i \.mp4$
acl file_rmvb urlpath_regex -i \.rmvb$
acl file_rm urlpath_regex -i \.rm$
acl file_bt urlpath_regex -i \.torrent$
acl file_wma urlpath_regex -i \.wma$
http_access deny file_mp3
http_access deny file_scr
http_access deny file_avi
http_access deny file_pif
http_access deny file_pf
http_access deny file_xdb
http_access deny file_mp4
http_access deny file_rmvb
http_access deny file_rm
http_access deny file_bt
http_access deny file_wma
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow fm_hk
http_access allow to_lan
http_access allow localhost
http_access deny all
The configuration above is only a first draft; depending on the situation it can probably be tuned further.
3. Start squid and add it to the boot services
squid -z /var/spool/squid
service squid start
chkconfig squid on
4. Configure iptables
Contents of the iptables rules (iptables-save output):
# Generated by iptables-save v1.3.5 on Wed Jun 15 19:53:48 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1516:231226]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jun 15 19:53:48 2011
# Generated by iptables-save v1.3.5 on Wed Jun 15 19:53:48 2011
*nat
:PREROUTING ACCEPT [6094:517593]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 15 19:53:48 2011
5. Enable IP forwarding
echo "1">/proc/sys/net/ipv4/ip_forward
6. Test
Find a Windows machine, change its gateway to 192.168.9.166, and set its DNS servers.
If web pages such as www.baidu.com open, the squid transparent proxy is working.
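Opening a page in a browser only shows that traffic gets through; to check that the file_* deny rules actually fire for the clients behind the proxy, read the native-format access.log that the "access_log /var/log/squid/access.log squid" line produces. The script below is an added example, not part of the original post: it parses that format, skips malformed lines, and reports per-client denied, served and cache-hit counts over a few constructed sample lines.

```python
import re
from collections import defaultdict

# Squid "native" access.log format (the "squid" log format selected in squid.conf):
# timestamp elapsed client action/status bytes method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)\s*$"
)

# Constructed sample lines (not real traffic): one .mp3 request denied by the
# file_mp3 rule, one cache miss, one cache hit, and a malformed line to skip.
SAMPLE_LOG = """\
1308138000.123     45 192.168.9.20 TCP_DENIED/403 1630 GET http://example.com/song.mp3 - NONE/- text/html
1308138001.456    120 192.168.9.20 TCP_MISS/200 5120 GET http://www.baidu.com/ - DIRECT/192.0.2.10 text/html
1308138002.789      3 192.168.9.21 TCP_HIT/200 5120 GET http://www.baidu.com/ - NONE/- text/html
this line is garbage and should be skipped
"""

def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def summarize(log_text):
    """Per-client counts of denied, served and cache-hit requests, plus the denied URLs."""
    stats = defaultdict(lambda: {"denied": 0, "served": 0, "hits": 0, "denied_urls": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not in the expected format; do not let it abort the report
        s = stats[rec["client"]]
        if rec["action"] == "TCP_DENIED":
            s["denied"] += 1
            s["denied_urls"].append(rec["url"])
        else:
            s["served"] += 1
            if "HIT" in rec["action"]:  # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
                s["hits"] += 1
    return dict(stats)

if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_LOG).items()):
        print(client, s)
```

Run it against the real file with summarize(open("/var/log/squid/access.log").read()); a client that shows served requests for URLs the file_* rules should block means the ACL order or the regex needs revisiting.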