iptables+squid

Posted by 弄潮儿 on 10-05-2003 00:37:

iptables+squid

Can anyone write a complete configuration guide for using iptables and squid together, one that a newbie like me can understand easily and that suits my machine's configuration:

The server I use: P4 CPU, 512MB RAM, MSI motherboard, Digital China network card;

Clients: 150 machines;

How do I do this with Red Hat 7.2?


Posted by KornLee on 10-05-2003 01:04:


http://www.douzhe.com/linux/

The [Proxy Services] section there has a fairly detailed introduction~~~


Please delete my ID!!! Thanks everyone!!!


Posted by 弄潮儿 on 10-05-2003 22:47:

Boss, could you give me a complete method for the configuration I described?


Posted by dsj on 10-06-2003 10:33:


1. The /etc/sysconfig/iptables file

The /etc/sysconfig/iptables file

#======================= 古公 =======================

mangle section

*mangle

:PREROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

COMMIT

nat section

*nat

:PREROUTING ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

Set up so that SQUID can act as a "transparent proxy"!

Without specifying the interface or address:

#[0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Specifying the interface and address:

[0:0] -A PREROUTING -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

[0:0] -A PREROUTING -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128

Redirects access to ports 80 and 443 to port 3128.

These machines can use this machine as their gateway to get on the Internet.

You need to change /etc/sysctl.conf to net.ipv4.ip_forward = 1

or echo 1 > /proc/sys/net/ipv4/ip_forward

Since SQUID provides the "transparent proxy", the corresponding client addresses are removed from Masq.

Here, only a few machines remain that need "IP masquerading" to get online (so they can use QQ, Yahoo Messenger, MSN and the like):

[0:0] -A POSTROUTING -s 192.168.20.3 -j MASQUERADE

[0:0] -A POSTROUTING -s 192.168.20.10 -j MASQUERADE

[0:0] -A POSTROUTING -s 192.168.20.32/255.255.255.240 -j MASQUERADE

If your public IP address is fixed, this statement seems better:

#[0:0] -A POSTROUTING -s 192.168.20.32/255.255.255.240 -j SNAT --to 211.148.130.133

COMMIT

filter section

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

Block sites from microsoft:

[0:0] -A INPUT -s 207.46.0.0/255.255.0.0 -j DROP

[0:0] -A INPUT -d 207.46.0.0/255.255.0.0 -j DROP

Prevent IP spoofing:

So-called IP spoofing means an IP packet carrying an impossible source or destination address. eth1 is the interface connected to the external Internet, and 192.168.20.0 is the internal network number; in other words, if a packet enters the host from eth1 and claims its source address belongs to the 192.168.20.0 network, or its destination address belongs to that network, then this is obviously IP spoofing, so we use DROP to discard the packet.

[0:0] -A INPUT -d 192.168.20.0/255.255.255.0 -i eth1 -j DROP

[0:0] -A INPUT -s 192.168.20.0/255.255.255.0 -i eth1 -j DROP

Likewise, if a packet is going out through eth1 to the Internet and its source or destination address belongs to network 192.168.20.0, that is clearly impossible too. We again use DROP to discard it.

[0:0] -A OUTPUT -d 192.168.20.0/255.255.255.0 -o eth1 -j DROP

[0:0] -A OUTPUT -s 192.168.20.0/255.255.255.0 -o eth1 -j DROP

Prevent broadcast packets from entering the LAN via the IP proxy server:

[0:0] -A INPUT -s 255.255.255.255 -i eth0 -j DROP

[0:0] -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP

[0:0] -A INPUT -d 0.0.0.0 -i eth0 -j DROP

When a packet's source address is 255.255.255.255 or its destination address is 0.0.0.0, it is a broadcast packet; when a broadcast packet tries to enter eth0 we should DENY it, that is, drop it. 240.0.0.0/3 is the international standard multicast address range; when a packet's source address belongs to the multicast range, we use the DROP policy and discard it.

Block Windows XP's port 5000 (this port is baffling!)

[0:0] -A INPUT -p tcp -m tcp --sport 5000 -j DROP

[0:0] -A INPUT -p udp -m udp --sport 5000 -j DROP

[0:0] -A OUTPUT -p tcp -m tcp --dport 5000 -j DROP

[0:0] -A OUTPUT -p udp -m udp --dport 5000 -j DROP

Turns out it is used for running VPN, heh, I misunderstood.

Prevent Internet users from accessing the SAMBA server:

[0:0] -A INPUT -s 211.148.130.129 -i eth1 -p tcp -m tcp --dport 137:139 -j DROP

[0:0] -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT

[0:0] -A INPUT -s 211.148.130.128/255.255.255.240 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT

[0:0] -A INPUT -p tcp -m tcp --dport 137:139 -j DROP

Do not deny access for users on the local LAN:

[0:0] -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -j ACCEPT

[0:0] -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p udp -j ACCEPT

[0:0] -A INPUT -i eth1 -p udp -m udp --dport 3 -j DROP

[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 3 -j DROP

[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 111 -j DROP

[0:0] -A INPUT -i eth1 -p udp -m udp --dport 111 -j DROP

[0:0] -A INPUT -i eth1 -p udp -m udp --dport 587 -j DROP

[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 587 -j DROP

Prevent Internet users from accessing SQUID's port 3128:

[0:0] -A INPUT -s 211.148.130.129 -i eth1 -p tcp -m tcp --dport 3128 -j DROP

[0:0] -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT

[0:0] -A INPUT -s 211.148.130.128/255.255.255.240 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT

[0:0] -A INPUT -p tcp -m tcp --dport 3128 -j DROP

Make it so others can't ping me!

[0:0] -A INPUT -i eth1 -s 192.168.30/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT

[0:0] -A INPUT -i eth1 -s 211.148.130.128/28 -p icmp -m icmp --icmp-type 8 -j ACCEPT

[0:0] -A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP

COMMIT

======================= End =======================

======================= 古公 =======================

2. Now look at the /etc/squid/squid.conf file

The /etc/squid/squid.conf file

http_port 3128

http_port 192.168.20.8:3128

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin ?

no_cache deny QUERY

cache_mem 8 MB

cache_mem 48 MB

emulate_httpd_log off

============================================================================

emulate_httpd_log on

============================================================================

redirect_rewrites_host_header on

============================================================================

redirect_rewrites_host_header off

============================================================================

#Recommended minimum configuration:

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

============================================================================

acl allow_domain dstdomain "/etc/squid/allow_domain"

The following only allows three hours of access per day:

acl no_allow_time_0_1 time "/etc/squid/no_allow_time_0_1"

acl no_allow_time_0_2 time "/etc/squid/no_allow_time_0_2"

acl no_allow_time_0_3 time "/etc/squid/no_allow_time_0_3"

acl no_allow_time_0_4 time "/etc/squid/no_allow_time_0_4"

acl no_allow_time_0_5 time "/etc/squid/no_allow_time_0_5"

The following only allows eight hours of access per day:

acl no_allow_time_1_1 time "/etc/squid/no_allow_time_1_1"

acl no_allow_time_1_2 time "/etc/squid/no_allow_time_1_2"

acl no_allow_time_1_3 time "/etc/squid/no_allow_time_1_3"

acl no_allow_time_1_4 time "/etc/squid/no_allow_time_1_4"

acl no_allow_time_1_5 time "/etc/squid/no_allow_time_1_5"

acl no_allow_web dst "/etc/squid/no_allow_web"

acl no_allow_domain dstdomain "/etc/squid/no_allow_domain"

acl no_allow_client src "/etc/squid/no_allow_client"

#acl allow_time time "/etc/squid/allow_time"

acl allow_client_inf src "/etc/squid/allow_client_inf"

acl allow_client_fore src "/etc/squid/allow_client_fore"

acl allow_client_8h src "/etc/squid/allow_client_8h"

acl allow_client_3h src "/etc/squid/allow_client_3h"

acl Uncachable url_regex cgi ?

Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

============================================================================

Deny requests to unknown ports

http_access deny !Safe_ports

============================================================================

no_cache deny Uncachable

http_access allow allow_domain

http_access allow allow_client_inf

http_access deny no_allow_web

http_access deny no_allow_domain

http_access deny no_allow_client

http_access allow allow_client_fore

The following only allows eight hours of access per day:

http_access deny no_allow_time_1_1 allow_client_8h

http_access deny no_allow_time_1_2 allow_client_8h

http_access deny no_allow_time_1_3 allow_client_8h

http_access deny no_allow_time_1_4 allow_client_8h

http_access deny no_allow_time_1_5 allow_client_8h

http_access allow allow_client_8h

The following only allows three hours of access per day:

http_access deny no_allow_time_0_1 allow_client_3h

http_access deny no_allow_time_0_2 allow_client_3h

http_access deny no_allow_time_0_3 allow_client_3h

http_access deny no_allow_time_0_4 allow_client_3h

http_access deny no_allow_time_0_5 allow_client_3h

http_access allow allow_client_3h

#http_access deny no_allow_time

============================================================================

Deny CONNECT to other than SSL ports

http_access deny CONNECT !SSL_ports

INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

And finally deny all other access to this proxy

http_access allow localhost

http_access deny all

#Allow ICP queries from everyone

icp_access allow all

cache_mgr [email protected]

httpd_accel_port 80

+++++++++++++++++++++++++++++++++++ 古公 ++++++++++++ transparent proxy settings +++++++++

httpd_accel_host virtual

#httpd_accel_port 80

+++++++++++++++++++++++++++++++++++ 古公 ++++++++++++ transparent proxy settings +++++++++

httpd_accel_with_proxy on

+++++++++++++++++++++++++++++++++++ 古公 ++++++++++++ transparent proxy settings +++++++++

httpd_accel_with_proxy off

+++++++++++++++++++++++++++++++++++ 古公 ++++++++++++ transparent proxy settings +++++++++

httpd_accel_uses_host_header off

+++++++++++++++++++++++++++++++++++ 古公 ++++++++++++ transparent proxy settings +++++
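As an added illustration of how the INPUT chain in dsj's post is evaluated (this is example code written for this page, not code from the post), the following Python parses a constructed excerpt of those rules in iptables-save format and applies first-match semantics to sample packets. It shows that a packet claiming a 192.168.20.x source on eth1 is dropped, that port 3128 is reachable only from the LAN and from 211.148.130.128/28, and that because the chain policy is ACCEPT, any port without an explicit DROP rule (port 22 in the sample) is still accepted from the Internet side. The sample addresses 211.148.130.130, 211.148.130.140 and 1.2.3.4 are constructed.

```python
import ipaddress
import shlex

# Constructed excerpt of the post's INPUT chain (iptables-save format), used by the checks below.
RULES = """
:INPUT ACCEPT [0:0]
[0:0] -A INPUT -s 192.168.20.0/255.255.255.0 -i eth1 -j DROP
[0:0] -A INPUT -s 211.148.130.129 -i eth1 -p tcp -m tcp --dport 3128 -j DROP
[0:0] -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
[0:0] -A INPUT -s 211.148.130.128/255.255.255.240 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 3128 -j DROP
[0:0] -A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP
"""

def parse_rules(text, chain="INPUT"):
    """Return (policy, rules) for one chain; each rule maps a match option to its value."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == ":" + chain:            # ":INPUT ACCEPT [0:0]" sets the default policy
            policy = tok[1]
        if "-A" not in tok or tok[tok.index("-A") + 1] != chain:
            continue
        rule = {}
        for opt, arg in zip(tok, tok[1:]):   # every option used in the post takes one argument
            if opt in ("-s", "-d"):          # CIDR or dotted-mask form, both accepted by iptables
                rule[opt] = ipaddress.ip_network(arg, strict=False)
            elif opt == "--dport":           # single port or "lo:hi" range
                lo, _, hi = arg.partition(":")
                rule[opt] = (int(lo), int(hi or lo))
            elif opt in ("-i", "-p", "-j", "--icmp-type"):
                rule[opt] = arg
        rules.append(rule)
    return policy, rules

def verdict(policy, rules, iface, src, dst, proto, dport=-1, icmp_type=None):
    """First matching rule wins; if nothing matches, the chain policy decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (("-s" not in r or src in r["-s"]) and ("-d" not in r or dst in r["-d"])
                and r.get("-i", iface) == iface and r.get("-p", proto) == proto
                and ("--dport" not in r or r["--dport"][0] <= dport <= r["--dport"][1])
                and r.get("--icmp-type", str(icmp_type)) == str(icmp_type)):
            return r["-j"]
    return policy

POLICY, INPUT_CHAIN = parse_rules(RULES)

def input_verdict(iface, src, dst, proto, dport=-1, icmp_type=None):
    return verdict(POLICY, INPUT_CHAIN, iface, src, dst, proto, dport, icmp_type)
```

The 3128 rules also show why order matters: the single host 211.148.130.129 is dropped only because its rule precedes the ACCEPT for the enclosing /28 block.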
