Single-NIC Squid 3.0 + iptables as a transparent proxy for the LAN

post by rocdk890 / 2011-6-30 17:07 Thursday  Linux technology

Managing the company network is, I think, every administrator's biggest headache: this department can't be upset, that department wants special privileges, and the admin is stuck in the middle taking the heat; when the network has a problem, they say you haven't managed it well. Lately I've been pestered beyond endurance, so I simply set up a transparent proxy to control their web access. All right, if I keep complaining I could go on all day, so on to the tutorial.
 System: CentOS 5.5
 IP: 192.168.9.166

1. Install squid
I installed this directly with yum: squid-3.0.STABLE25-1.el5

2. Configuration
cd /etc/squid/
rm -f squid.conf
vi squid.conf

Contents of squid.conf:

http_port 3128 transparent
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
#maximum_object_size 5120 KB
#minimum_object_size 0 KB
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /var/spool/squid 1024 16 256
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .  0 20% 4320
visible_hostname cdn
dns_nameservers 61.139.2.69
dns_nameservers 202.98.96.68
cache_mgr root
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl coach urlpath_regex coach
no_cache deny coach
acl SSL_ports port 443 8080 9525 9510 5222 21 88
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 8080
acl Safe_ports port 9525 9510 5222
acl Safe_ports port 8888
acl CONNECT method CONNECT
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl fm_hk src 192.168.9.0/24
acl to_lan dst 192.168.0.0/19
acl file_mp3 urlpath_regex -i \.mp3$
acl file_scr urlpath_regex -i \.scr$
acl file_avi urlpath_regex -i \.avi$
acl file_exe urlpath_regex -i \.exe$
acl file_pif urlpath_regex -i \.pif$
acl file_pf urlpath_regex -i \.pf$
acl file_xdb urlpath_regex -i \.xdb$
acl file_mp4 urlpath_regex -i \.mp4$
acl file_rmvb urlpath_regex -i \.rmvb$
acl file_rm urlpath_regex -i \.rm$
acl file_bt urlpath_regex -i \.torrent$
acl file_wma urlpath_regex -i \.wma$
http_access deny file_mp3
http_access deny file_scr
http_access deny file_avi
http_access deny file_pif
http_access deny file_pf
http_access deny file_xdb
http_access deny file_mp4
http_access deny file_rmvb
http_access deny file_rm
http_access deny file_bt
http_access deny file_wma
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow fm_hk
http_access allow to_lan
http_access allow localhost
http_access deny all

The configuration above is, after all, just a first draft; it may need further tuning depending on the situation.
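With `access_log /var/log/squid/access.log squid` the proxy writes its native log format, and every request refused by the `http_access deny` lines above is recorded there as `TCP_DENIED/403`. The following script is an added example, not part of the original post: it summarises denied requests per client and per blocked file extension so you can see which of the file_* ACLs are actually firing and which hosts keep hitting them. The log lines embedded in it are constructed to match the deny rules above (they are not traffic from the author's proxy); in production you would point the functions at /var/log/squid/access.log instead.

```shell
#!/bin/sh
# Summarise TCP_DENIED entries in a squid native-format access.log.
# Added example, not from the original post; the sample log lines below are
# constructed, not captured from the author's proxy.
#
# Native ("squid") log format, whitespace separated:
#   $1 timestamp  $2 elapsed_ms  $3 client_ip  $4 action/status  $5 bytes
#   $6 method     $7 url         $8 ident      $9 hierarchy/peer $10 mime type

# Denied requests per client, printed as "ip count", busiest client first,
# ties broken by IP. Argument: path to the access.log.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { cnt[$3]++ }
         END { for (c in cnt) printf "%s %d\n", c, cnt[c] }' "$1" |
        LC_ALL=C sort -k2,2nr -k1,1
}

# Denied requests per file extension of the URL path, printed as "ext count".
# The query string is dropped and the extension lower-cased (the ACLs use -i);
# URLs without a path, such as the host:port of a CONNECT, count as "(none)".
denied_by_extension() {
    awk '$4 ~ /^TCP_DENIED\// {
             url = $7
             sub(/\?.*$/, "", url)                # drop ?query
             nf = split(url, part, "/")           # "http:", "", host, path...
             last = (nf > 3) ? part[nf] : ""      # last path segment, if any
             if (last ~ /\./) { ext = tolower(last); sub(/^.*\./, "", ext) }
             else               { ext = "(none)" }
             cnt[ext]++
         }
         END { for (e in cnt) printf "%s %d\n", e, cnt[e] }' "$1" |
        LC_ALL=C sort -k2,2nr -k1,1
}

# Constructed sample log, consistent with the deny ACLs of the squid.conf above.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1309420000.123    245 192.168.9.20 TCP_MISS/200 4521 GET http://www.baidu.com/ - DIRECT/203.0.113.10 text/html
1309420001.456      0 192.168.9.21 TCP_DENIED/403 1434 GET http://media.example.com/song.mp3 - NONE/- text/html
1309420002.789      0 192.168.9.21 TCP_DENIED/403 1434 GET http://dl.example.com/setup.exe - NONE/- text/html
1309420003.012      0 192.168.9.22 TCP_DENIED/403 1434 GET http://files.example.com/movie.rmvb - NONE/- text/html
1309420004.345     12 192.168.9.22 TCP_HIT/200 2231 GET http://www.example.com/index.html - NONE/- text/html
1309420005.678      0 192.168.9.23 TCP_DENIED/403 1434 CONNECT mail.example.com:25 - NONE/- text/html
1309420006.901      0 192.168.9.21 TCP_DENIED/403 1434 GET http://media.example.com/albums/track2.MP3 - NONE/- text/html
1309420007.234      0 192.168.9.23 TCP_DENIED/403 1434 GET http://tracker.example.com/file.Torrent - NONE/- text/html
EOF

printf '== denied requests per client ==\n'
denied_by_client "$SAMPLE_LOG"
printf '== denied requests per extension ==\n'
denied_by_extension "$SAMPLE_LOG"
```

Run it as-is to see the report for the sample, or call `denied_by_client /var/log/squid/access.log` from a cron job; the "(none)" bucket catches CONNECT attempts to ports outside SSL_ports, which the deny CONNECT rule above refuses.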

3. Start squid and add it to the boot-time services
squid -z /var/spool/squid
service squid start
chkconfig squid on

4. Configure iptables

Contents of the iptables rules:

# Generated by iptables-save v1.3.5 on Wed Jun 15 19:53:48 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1516:231226]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jun 15 19:53:48 2011
# Generated by iptables-save v1.3.5 on Wed Jun 15 19:53:48 2011
*nat
:PREROUTING ACCEPT [6094:517593]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 15 19:53:48 2011

5. Enable IP forwarding
echo "1">/proc/sys/net/ipv4/ip_forward


6. Test
Find a Windows machine, change its gateway to 192.168.9.166, and set a DNS server.

If web pages such as www.baidu.com open, the squid transparent proxy is working.
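One browser test confirms the happy path, but a practitioner will also want to check the three moving parts from the proxy itself: that forwarding is on (the `echo "1" > /proc/sys/net/ipv4/ip_forward` of step 5 does not survive a reboot; on CentOS 5 set `net.ipv4.ip_forward = 1` in /etc/sysctl.conf as well), that the nat REDIRECT and MASQUERADE rules are loaded, and that squid is listening on 3128. Two points visible in the rule set above are worth knowing when a client "can't get out": the FORWARD chain jumps into the same restrictive RH-Firewall-1-INPUT chain, so apart from port 80 (which is redirected into squid) only DNS, SSH, POP3, SMTP and 3128 are forwarded to the Internet, and HTTPS (443) is neither redirected nor forwarded, so an https:// site will fail even though http://www.baidu.com works. If that is not intended, a rule such as `-A FORWARD -s 192.168.9.0/24 -p tcp --dport 443 -j ACCEPT` inserted before the jump would let it through. The script below is an added example, not from the original post; it uses the post's interface (eth0) and port (3128), and the iptables-save and netstat text embedded at the bottom is constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Post-deployment checks for the single-NIC transparent proxy set up above.
# Added example, not from the original post. LAN_IF and PROXY_PORT are the
# post's values; SAMPLE_RULES and SAMPLE_NETSTAT are constructed text.

LAN_IF=eth0
PROXY_PORT=3128

# Print the "-A ..." lines belonging to one table of an iptables-save dump,
# so a rule in the mangle table is not mistaken for one in nat.
#   $1 = iptables-save text, $2 = table name (filter, nat, mangle)
table_rules() {
    printf '%s\n' "$1" | awk -v t="*$2" '
        $0 == t      { on = 1; next }   # "*nat" opens the table
        /^COMMIT/    { on = 0 }         # COMMIT closes it
        on && /^-A / { print }'
}

# 0 when the sysctl file ($1) reads "1". Writing into /proc is lost on reboot;
# on CentOS 5 persist it with "net.ipv4.ip_forward = 1" in /etc/sysctl.conf.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# 0 when the nat PREROUTING rule redirecting port 80 on $2 to port $3 is present.
has_redirect_rule() {
    table_rules "$1" nat |
        grep -q -- "^-A PREROUTING -i $2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $3\$"
}

# 0 when the nat POSTROUTING MASQUERADE rule for interface $2 is present.
has_masquerade_rule() {
    table_rules "$1" nat | grep -q -- "^-A POSTROUTING -o $2 -j MASQUERADE\$"
}

# 0 when a "netstat -ltn" listing ($1) shows a TCP listener on port $2.
squid_listening() {
    printf '%s\n' "$1" | grep -q -- ":$2[[:space:]].*LISTEN"
}

# Run the checks against the live system: one line per check, exit 1 on failure.
run_live_checks() {
    rc=0
    if ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then echo "ok   ip_forward=1"
    else echo "FAIL ip_forward=0 (clients cannot reach forwarded ports)"; rc=1; fi

    rules=$(iptables-save 2>/dev/null) || { echo "FAIL iptables-save failed (run as root)"; return 1; }
    if has_redirect_rule "$rules" "$LAN_IF" "$PROXY_PORT"; then echo "ok   port 80 on $LAN_IF -> $PROXY_PORT"
    else echo "FAIL no REDIRECT rule for port 80 on $LAN_IF"; rc=1; fi
    if has_masquerade_rule "$rules" "$LAN_IF"; then echo "ok   MASQUERADE on $LAN_IF"
    else echo "FAIL no MASQUERADE rule on $LAN_IF"; rc=1; fi

    if squid_listening "$(netstat -ltn 2>/dev/null)" "$PROXY_PORT"; then echo "ok   squid listening on $PROXY_PORT"
    else echo "FAIL nothing listening on tcp/$PROXY_PORT"; rc=1; fi
    return $rc
}

# Constructed iptables-save excerpt: the post's nat rules plus a mangle table
# that the checks must ignore. Constructed netstat -ltn output below it.
SAMPLE_RULES='*mangle
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-mark 1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3128                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN'

case "${1:-}" in
    --live) run_live_checks ;;
    *) has_redirect_rule "$SAMPLE_RULES" eth0 3128 && has_masquerade_rule "$SAMPLE_RULES" eth0 \
           && squid_listening "$SAMPLE_NETSTAT" 3128 && echo "selftest ok" ;;
esac
```

Run it with `--live` as root on the proxy to check the real system; without arguments it only exercises the checks against the constructed sample.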

Original link: blog.slogra.com/post-12.html

Tags: squid, transparent proxy, iptables