Iptables 1.35 + squid 3.0 透明代理配置实例详解

发布时间:2020-12-26编辑:脚本学堂
本文介绍下,使用squid 3.0与iptables 1.35配置透明代理的详细步骤,从中您可以学习到squid的配置方法,以及iptables的经典应用,是一篇不错的文章,有需要的朋友值得参考。

一、系统环境:
 

CentOS 5.0  #2.6.18-8.el5
iptables-1.3.5-1.2.1  #安装系统时默认安装
Squid 3.0 STABLE4  #http://www.squid-cache.org/Versions/v3/3.0/

 
二、网络环境:
1、服务器安装有两块网卡:
 

Eth0: 192.168.3.3  # lan
Eth1:120.57.30.218 # wan (有5个公网IP)
 120.57.30.219
 120.57.30.220
 128.174.14.161
 128.174.14.162

2、网络配置:
 

[root@jbxue network-scripts]# cat ifcfg-*
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth0
BROADCAST=192.168.3.255
HWADDR=00:1B:11:05:07:E5
IPADDR=192.168.3.3
#IPV6ADDR=
#IPV6PREFIX=
NETMASK=255.255.255.0
NETWORK=192.168.3.0
ONBOOT=yes
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1            #接口名称
BROADCAST=120.57.30.223   #广播地址
HWADDR=00:1B:11:03:2B:A6  #MAC地址
IPADDR=120.57.30.218    #IP地址
#IPV6ADDR=    #IPV6地址,此处设为禁用
#IPV6PREFIX=
NETMASK=255.255.255.248  #子网掩码
NETWORK=120.57.30.216    #网络地址
ONBOOT=yes        #是否启用该接口
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1:0
BROADCAST=128.174.14.167
HWADDR=00:1B:11:03:2B:A6
IPADDR=128.174.14.161
GATEWAY=128.174.14.166
NETMASK=255.255.255.248
NETWORK=128.174.14.160
ONBOOT=yes
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1:1
BROADCAST=120.57.30.223
HWADDR=00:1B:11:03:2B:A6
IPADDR=120.57.30.219
GATEWAY=120.57.30.217
NETMASK=255.255.255.248
NETWORK=120.57.30.216
ONBOOT=yes
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1:2
BROADCAST=128.174.14.167
HWADDR=00:1B:11:03:2B:A6
IPADDR=128.174.14.162
GATEWAY=128.174.14.166
NETMASK=255.255.255.248
NETWORK=128.174.14.160
ONBOOT=yes
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1:3
BROADCAST=120.57.30.223
HWADDR=00:1B:11:03:2B:A6
IPADDR=120.57.30.220
GATEWAY=120.57.30.217
NETMASK=255.255.255.248
NETWORK=120.57.30.216
ONBOOT=yes

3、静态路由 #由于是多网段,添加了到其它网段的路由
 

[root@jbxue network-scripts]# cat route-eth0
# lan 192.168.4.0
GATEWAY0=192.168.3.98   #网关(下一跳)
NETMASK0=255.255.255.0    #子网掩码
ADDRESS0=192.168.4.0          #目标网络
# lan 192.168.5.0
GATEWAY1=192.168.3.98
NETMASK1=255.255.255.0
ADDRESS1=192.168.5.0
#lan 192.168.6.0
GATEWAY2=192.168.3.98
NETMASK2=255.255.255.0
ADDRESS2=192.168.6.0
#lan 192.168.7.0
GATEWAY3=192.168.3.99
NETMASK3=255.255.255.0
ADDRESS3=192.168.7.0
#lan 192.168.10.0
GATEWAY4=192.168.3.99
NETMASK4=255.255.255.0
ADDRESS4=192.168.10.0
#lan 192.168.11.0
GATEWAY5=192.168.3.99
NETMASK5=255.255.255.0
ADDRESS5=192.168.11.0
#lan 192.168.12.0
GATEWAY6=192.168.3.99
NETMASK6=255.255.255.0
ADDRESS6=192.168.12.0
#lan 192.168.13.0
GATEWAY7=192.168.3.99
NETMASK7=255.255.255.0
ADDRESS7=192.168.13.0
#lan 192.168.14.0
GATEWAY8=192.168.3.99
NETMASK8=255.255.255.0
ADDRESS8=192.168.14.0
#lan 192.168.15.0
GATEWAY9=192.168.3.99
NETMASK9=255.255.255.0
ADDRESS9=192.168.15.0
#lan 192.168.1.0
GATEWAY10=192.168.3.98
NETMASK10=255.255.255.0
ADDRESS10=192.168.1.0

4、服务器名称:
 

[root@jbxue sysconfig]# cat network
NETWORKING=yes
#NETWORKING_IPV6=yes
HOSTNAME=jbxue.linux.local

5、DNS配置:
 

[root@jbxue sysconfig]# cat /etc/resolv.conf
search linux.local
nameserver 202.181.224.2  #香港DNS
nameserver 168.95.1.1         #台湾中华电信DNS
nameserver 192.168.3.21     #内部DNS

三、软件安装
1、Squid 3.0编译安装
 

[root@jbxue source]# tar -zxvf squid-3.0.STABLE4.tar.gz
[root@jbxue source]# cd squid-3.0.STABLE4
[root@jbxue squid-3.0.STABLE4]# ./configure --prefix=/usr/local/squid   #安装路径
#编译时添加下面参数
--enable-gnuregex   #使用GNU提供的正规表示法的原则来进行编译
--enable-async-io=80   #这个项目主要在控制一些输出、输入的组件,非同步输出模式
--enable-icmp      #支持ICMP
--enable-kill-parent-hack  #在关闭squid时,是否要连parent process一起关掉
 --enable-snmp   #启用snmp
--disable-ident-lookups
 --enable-cache-digests 
--enable-poll   #可以提升效能
 --enable-linux-netfilter
--disable-ident-lookups
--enable-ssl   #启用支持ssl
 [root@jbxue squid-3.0.STABLE4]# make && make install
 

至此,Squid安装完毕,下面开始对squid进行配置、初始化等;
 

[root@jbxue squid-3.0.STABLE4]# cd /usr/local/squid/etc/     # squid配置文件存放点
[root@jbxue etc]# mv squid.conf squid.conf.bak   #将默认配置文件另存为,重新配置
[root@jbxue etc]# touch squid.conf   #新建配置文件,

配置文件内容:
 

[root@jbxue etc]# cat squid.conf
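#  WELCOME TO SQUID 3.0 STABLE4
# Transparent proxy for the LAN: fw.sh redirects port-80 traffic from the
# LAN interface to 3128, so the rules below see requests the client never
# knowingly sent to a proxy. The first matching http_access line decides;
# anything not matched by an explicit allow ends at "deny all".
###### System Setting #######################################
http_port 3128 transparent
#http_port 3128
#acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 5120 KB
minimum_object_size 0 KB
cache_dir ufs /var/spool/squid 15360 16 256
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
refresh_pattern ^ftp:  1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern .  0 20% 4320
visible_hostname jbxue.linux.com
dns_nameservers 202.181.224.2 168.95.1.1 61.144.56.100
cache_mgr admin@jb200.com
###### No Cache List #######################################
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY
acl coach urlpath_regex coach
no_cache deny coach
###### Access Control List #################################
# Ports a CONNECT tunnel may target. 21 and 88 are not TLS ports: a CONNECT
# to them hands the client an opaque TCP tunnel that squid cannot filter.
acl SSL_ports port 443 8080 9525 9510 5222 21 88
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443          # https
acl Safe_ports port 8080                # dgsi.dg.gov.cn
acl Safe_ports port 9525 9510 5222      # ebgz.itownet.cn
acl Safe_ports port 88                  # fdatacraft.vicp.net:88
#acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl fm_hk src 192.168.1.0/24
acl to_lan dst 192.168.0.0/19
# Host and site lists are kept in separate files (one entry per line) so
# they can be maintained without editing this file.
acl hkmanager src "/usr/local/squid/etc/hkmanager_hosts"
acl server src "/usr/local/squid/etc/server_hostip"
acl itsupport src "/usr/local/squid/etc/itsupport_hosts"
acl dhcpaddrpool src "/usr/local/squid/etc/dhcp_address_pool"
acl whitelist_ip dst "/usr/local/squid/etc/whitelist_ip"
acl whitelist_site dstdomain "/usr/local/squid/etc/whitelist_sites"
# NOTE(review): dstdomain matches domain names (a leading dot also covers
# subdomains); a bare keyword such as "sex" in blacklist_sites only matches
# a host literally named "sex". Switch to dstdom_regex if substring
# blocking is the intent.
acl blacklist_sites dstdomain "/usr/local/squid/etc/blacklist_sites"
# File types that may not be downloaded. The dot is escaped: in a regex an
# unescaped "." matches any character, so ".mp3$" would also block a URL
# path ending in "lamp3".
acl file_mp3 urlpath_regex -i \.mp3$
acl file_scr urlpath_regex -i \.scr$
acl file_avi urlpath_regex -i \.avi$
acl file_exe urlpath_regex -i \.exe$
acl file_pif urlpath_regex -i \.pif$
acl file_pf urlpath_regex -i \.pf$
acl file_xdb urlpath_regex -i \.xdb$
acl file_mp4 urlpath_regex -i \.mp4$
acl file_rmvb urlpath_regex -i \.rmvb$
acl file_rm urlpath_regex -i \.rm$
acl file_bt urlpath_regex -i \.torrent$
acl file_wma urlpath_regex -i \.wma$
###### SNMP Config #########################################
#snmp_port 3401
#acl snmppublic snmp_community public
#acl adminhost src 192.168.3.0/24 192.168.11.0/24
#snmp_access allow snmppublic adminhost
#snmp_access deny all
###### Rules ###############################################
# Blocked download types (IT support hosts may still fetch .exe).
http_access deny file_mp3
http_access deny file_scr
http_access deny file_avi
http_access deny file_exe !itsupport
http_access deny file_pif
http_access deny file_pf
http_access deny file_xdb
http_access deny file_mp4
http_access deny file_rmvb
http_access deny file_rm
http_access deny file_bt
http_access deny file_wma
http_access deny blacklist_sites
# Cache-manager interface only from the proxy host itself.
http_access allow manager localhost
http_access deny manager
# Keep proxied clients away from services bound to the proxy's own loopback.
http_access deny to_localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Permitted source networks/hosts and destination lists; everything else
# falls through to the final deny.
http_access allow fm_hk
http_access allow to_lan
http_access allow localhost
http_access allow hkmanager
http_access allow itsupport
http_access allow dhcpaddrpool
http_access allow server
http_access allow whitelist_site
http_access allow whitelist_ip
http_access deny all
#http_reply_access allow all
#icp_access allow all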
 

[root@jbxue etc]#cat blacklist_sites
 

sex
nude
porn
.3721.com

[root@jbxue etc]# cat dhcp_address_pool
 

#lan3
192.168.3.201-192.168.3.240
#lan4
192.168.4.201-192.168.4.240
#lan5
192.168.5.201-192.168.5.240
#lan6
192.168.6.201-192.168.6.240
#lan7
192.168.7.201-192.168.7.240
#lan11
192.168.11.201-192.168.11.240
[root@jbxue etc]# cat itsupport_hosts
#IT_Support
#jack
192.168.4.68
#it staffs
192.168.11.93-192.168.11.96
192.168.11.105-192.168.11.108
 

[root@jbxue etc]# cat whitelist_ip
 

#dg.gov.cn
61.145.199.0/24
#itownet.cn
59.42.252.66
61.145.120.33
202.105.50.136
210.51.9.164
#corsica.globat.com
216.193.201.64
 

[root@jbxue etc]# cat server_hostip
 

#server host ip
192.168.3.60-192.168.3.90
 

[root@jbxue etc]# cat hkmanager_hosts
 

192.168.5.108
192.168.5.109

 

[root@jbxue squid]#useradd squid        #添加squid管理帐户
[root@jbxue squid]# id squid                  #查看squid用户ID及组ID
uid=500(squid) gid=500(squid) groups=500(squid)
[root@jbxue squid]# cd /var/spool/
[root@jbxue spool]# mkdir squid                 #新建目录
[root@jbxue spool]# chown squid squid/    #改变目录拥有者
[root@jbxue spool]# chgrp squid squid/     #改变目录所属组
[root@jbxue etc]# /usr/local/squid/sbin/squid -k parse    #检查配置文件是否正确
[root@jbxue etc]# /usr/local/squid/sbin/squid -zX             #初始化 squid
[root@jbxue etc]# /usr/local/squid/sbin/squid  start           #启动squid
[root@jbxue etc]# netstat -tunl |grep ":3128"                    #检查squid是否在运行
tcp        0      0 0.0.0.0:3128                0.0.0.0:*                   LISTEN    
[root@jbxue etc]# nano /etc/rc.d/rc.local                 #编辑开机启动文件,添加以下内容
/usr/local/squid/sbin/squid                                        #开机自动启动squid
 

至此,squid就基本上配置完毕,下面将进入iptables的脚本编写;
Iptables 脚本内容如下:
 


cat /home/firewall/fw.sh
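#!/bin/bash
# /home/firewall/fw.sh -- host firewall, NAT and transparent-proxy rules
# for the squid gateway (eth0 = LAN, eth1 = WAN).
#
# Started from /etc/rc.d/rc.local as `sh /home/firewall/fw.sh`, so the
# shebang above is informational only and the body is kept POSIX-sh safe.
# Side effects: flushes and rebuilds the filter and nat tables, loads the
# conntrack/NAT helper modules, enables IPv4 forwarding and runs the
# per-host egress policy in /home/firewall/fw.acl.
#### Define networks #######################
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
INIF="eth0"                 # LAN-facing interface
EXTIF="eth1"                # WAN-facing interface
# LAN prefixes: not referenced by any rule in fw.sh or fw.acl, exported
# for anything else that reads this environment.
LAN3="192.168.3.0/24"
LAN4="192.168.4.0/24"
LAN5="192.168.5.0/24"
LAN6="192.168.6.0/24"
LAN7="192.168.7.0/24"
# Public addresses configured on the WAN side.
CT1="120.57.30.218"
CT2="120.57.30.220"
CNC1="128.174.14.161"
CNC2="128.174.14.162"       # defined but not used by any rule below
MX01="192.168.3.61"         # internal mail server published via DNAT below
# fw.acl runs in a child shell and reads EXTIF and MX01 from the environment.
export EXTIF INIF LAN3 LAN4 LAN5 LAN6 LAN7 CT1 CT2 CNC1 CNC2 MX01
############################################
#### PART I: Localhost Firewall Setting ####
############################################

#### 1. Clear any existing chains ####
iptables -F
iptables -X
iptables -Z
#### 2. Setting up default policies ####
# INPUT is default-deny; everything the host itself must accept is listed
# explicitly below.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#### 3. Setting up interface lo access policies ####
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#### 4. Setting up Access Polices ####
# SSH is accepted from any source on the WAN interface; add
# `-s <admin-network>` here if the management range is known.
iptables -A INPUT -p tcp -i "$EXTIF" --dport 22 -j ACCEPT      # ssh
iptables -A INPUT -p tcp -i "$INIF" --dport 3128 -j ACCEPT     # squid

###################################################
#### PART II: Internal Server Filewall Setting ####
###################################################

#### 1. Load any special modules ####
# Best-effort: output is discarded on purpose (a module may already be
# loaded or built into the kernel).
modprobe ip_tables             > /dev/null 2>&1
modprobe iptable_nat           > /dev/null 2>&1
modprobe ip_nat_ftp            > /dev/null 2>&1
modprobe ip_nat_irc            > /dev/null 2>&1
modprobe ip_conntrack          > /dev/null 2>&1
modprobe ip_conntrack_ftp      > /dev/null 2>&1
modprobe ip_conntrack_irc      > /dev/null 2>&1
#### 2. Clear NAT table rules ####
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING   ACCEPT
iptables -t nat -P POSTROUTING  ACCEPT
iptables -t nat -P OUTPUT       ACCEPT
#### 3. Enable ip forward ####
# NOTE(review): this rule accepts *all* traffic from the LAN to the
# firewall host itself. It is not what enables forwarding (that is the
# sysctl below plus the FORWARD chain) and it makes the port-3128 rule in
# Part I redundant. Kept as in the original configuration.
iptables -A INPUT -i "$INIF" -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
#### Access internet control list ####
# Per-host egress MASQUERADE policy (appends to nat POSTROUTING).
sh "/home/firewall/fw.acl"
#iptables -t nat -A POSTROUTING -s 0/0 -o $EXTIF -j MASQUERADE       #Urgent use
#### Enable transparence proxy ####
# Send every port-80 request arriving from the LAN to squid's transparent
# http_port 3128. Uses $INIF instead of a second hard-coded "eth0" so the
# interface is defined in one place. It is appended before the DNAT rules
# below, so LAN clients addressing the public IPs on port 80 are proxied
# rather than DNATed.
iptables -t nat -A PREROUTING -i "$INIF" -p tcp -s 0/0 --dport 80 -j REDIRECT --to-port 3128

#### 4. Enable NAT forward ####
# Published services: DNAT the public IPs to MX01. These PREROUTING rules
# do not restrict the ingress interface, so they also match LAN clients
# that address the public IPs; add `-i "$EXTIF"` if that is unwanted.
# FORWARD already defaults to ACCEPT, so the FORWARD rules mostly document
# what is published. POP3/IMAP on 110/143 are cleartext unless MX01
# enforces STARTTLS.
### MX01 SMTP Service ###
iptables -t nat -A PREROUTING -d "$CT1" -p tcp --dport 25 -j DNAT --to "$MX01:25"        # SMTP
iptables -t nat -A PREROUTING -d "$CNC1" -p tcp --dport 25 -j DNAT --to "$MX01:25"       # SMTP
iptables -A FORWARD -p tcp -d "$MX01" --dport 25 -j ACCEPT
### MX01 POP3 Service ###
iptables -t nat -A PREROUTING -d "$CT1" -p tcp --dport 110 -j DNAT --to "$MX01:110"      # POP3
iptables -t nat -A PREROUTING -d "$CNC1" -p tcp --dport 110 -j DNAT --to "$MX01:110"     # POP3
iptables -A FORWARD -p tcp -d "$MX01" --dport 110 -j ACCEPT
### MX01 IMAP Service ###
iptables -t nat -A PREROUTING -d "$CT1" -p tcp --dport 143 -j DNAT --to "$MX01:143"      # IMAP
iptables -t nat -A PREROUTING -d "$CNC1" -p tcp --dport 143 -j DNAT --to "$MX01:143"     # IMAP
iptables -A FORWARD -p tcp -d "$MX01" --dport 143 -j ACCEPT
### MX01 Webmail Service ###
iptables -t nat -A PREROUTING -d "$CT1" -p tcp --dport 80 -j DNAT --to "$MX01:80"        # Webmail
iptables -t nat -A PREROUTING -d "$CNC1" -p tcp --dport 80 -j DNAT --to "$MX01:80"       # Webmail
iptables -A FORWARD -p tcp -d "$MX01" --dport 80 -j ACCEPT
### NS2 DNS Service(backup) ###
# Disabled. Note that $NS2 is not defined anywhere in this script.
#iptables -t nat -A PREROUTING -d $CT1 -p tcp --dport 53 -j DNAT --to $MX01:53         #DNS_tcp
#iptables -t nat -A PREROUTING -d $CT1 -p udp --dport 53 -j DNAT --to $MX01:53         #DNS_udp
#iptables -A FORWARD -p tcp -d $NS2 --dport 53 -j ACCEPT
#iptables -A FORWARD -p udp -d $NS2 --dport 53 -j ACCEPT
### SSH to MX01 Service ###
# Non-standard external port 22222 maps to MX01's sshd on 22.
iptables -t nat -A PREROUTING -d "$CT2" -p tcp --dport 22222 -j DNAT --to "$MX01:22"     # SSH
iptables -A FORWARD -p tcp -d "$MX01" --dport 22 -j ACCEPT

# DROP everything and Log it
# The log is rate-limited so a flood of unsolicited packets cannot fill
# syslog, and prefixed so the entries are easy to filter or alert on.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-input-drop: "
iptables -A INPUT -j DROP
#######################################
#### Modification/Update Date note ####
#######################################
#2008/04/07
#2008/04/08 by lingping edit acl
#2008/04/09 by lingping enable transparent proxy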

[root@jbxue ~]# cat /home/firewall/fw.acl
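#!/bin/bash
# /home/firewall/fw.acl -- per-host Internet (egress) access list.
#
# Run by fw.sh as `sh /home/firewall/fw.acl`; EXTIF and MX01 come from the
# environment fw.sh exports. Each rule appends a MASQUERADE entry to the
# nat POSTROUTING chain, so only the source hosts and destination ports
# listed here can leave through the WAN interface directly.
#### Access Internet Control List ####

# Fail loudly instead of appending rules with an empty -o / -s argument.
: "${EXTIF:?must be exported by the caller (fw.sh)}"
: "${MX01:?must be exported by the caller (fw.sh)}"

#mark
# Ports other than 80 are NATed straight out for this host. Port 80 from
# the LAN has already been redirected to squid (PREROUTING, in fw.sh)
# before POSTROUTING is reached, so listing 80 here makes no difference to
# that traffic: it is still subject to squid's access controls and filters.
# (Syntax note: several non-contiguous ports need `-m multiport`.)
iptables -t nat -A POSTROUTING -s 192.168.4.48 -p tcp \
  -m multiport --destination-port 25,110,53,80,443 -o "$EXTIF" -j MASQUERADE

#jack
iptables -t nat -A POSTROUTING -s 192.168.4.68 -p tcp \
  -m multiport --destination-port 443 -o "$EXTIF" -j MASQUERADE
#hk manager
# (Syntax note: a contiguous address range uses `-m iprange --src-range`.)
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.5.108-192.168.5.109 -p tcp \
  -m multiport --destination-port 25,110,53,80,443 -o "$EXTIF" -j MASQUERADE
#server address pool
# The mail server may reach any destination; the rest of the pool only
# DNS (tcp+udp) and HTTPS.
iptables -t nat -A POSTROUTING -s "$MX01" -o "$EXTIF" -j MASQUERADE
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.3.60-192.168.3.90 -p tcp \
  -m multiport --destination-port 53,443 -o "$EXTIF" -j MASQUERADE
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.3.60-192.168.3.90 -p udp \
  --dport 53 -o "$EXTIF" -j MASQUERADE
#lan3 dhcp address pool
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.3.201-192.168.3.240 -p tcp \
  -m multiport --destination-port 25,110,53,80,443 -o "$EXTIF" -j MASQUERADE
#lan4 dhcp address pool
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.4.201-192.168.4.240 -p tcp \
  -m multiport --destination-port 25,110,53,80,443 -o "$EXTIF" -j MASQUERADE
#lan5 dhcp address pool
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.5.201-192.168.5.240 -p tcp \
  -m multiport --destination-port 25,110,53,80,443 -o "$EXTIF" -j MASQUERADE
#lan6 dhcp address pool
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.6.201-192.168.6.240 -p tcp \
  -m multiport --destination-port 25,110,53,80,443 -o "$EXTIF" -j MASQUERADE
#lan7 dhcp address pool
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.7.201-192.168.7.240 -p tcp \
  -m multiport --destination-port 25,110,53,80,443 -o "$EXTIF" -j MASQUERADE

#######################################
#### Modification/Update Date note ####
#######################################
#2008/04/08
#2008/04/09 Add server ip address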

[root@jbxue ~]#
在/etc/rc.d/rc.local文件中添加以下一行:
 

# Run the firewall script at boot (appended to /etc/rc.d/rc.local). It is
# invoked with sh, so fw.sh's own #!/bin/bash line is not consulted.
sh /home/firewall/fw.sh