本文介绍使用squid 3.0与iptables 1.3.5配置透明代理的详细步骤,从中您可以学习到squid的配置方法,以及iptables的经典应用,是一篇不错的文章,有需要的朋友值得参考。
一、系统环境:
CentOS 5.0 #2.6.18-8.el5
iptables-1.3.5-1.2.1 #安装系统时默认安装
Squid 3.0 STABLE4 #http://www.squid-cache.org/Versions/v3/3.0/
二、网络环境:
1、服务器安装有两块网卡:
Eth0: 192.168.3.3 # lan
Eth1:120.57.30.218 # wan (有5个公网IP)
120.57.30.219
120.57.30.220
128.174.14.161
128.174.14.162
2、网络配置:
[root@jbxue network-scripts]# cat ifcfg-*
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth0
BROADCAST=192.168.3.255
HWADDR=00:1B:11:05:07:E5
IPADDR=192.168.3.3
#IPV6ADDR=
#IPV6PREFIX=
NETMASK=255.255.255.0
NETWORK=192.168.3.0
ONBOOT=yes
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1 #接口名称
BROADCAST=120.57.30.223 #广播地址
HWADDR=00:1B:11:03:2B:A6 #MAC地址
IPADDR=120.57.30.218 #IP地址
#IPV6ADDR= #IPV6地址,此处设为禁用
#IPV6PREFIX=
NETMASK=255.255.255.248 #子网掩码
NETWORK=120.57.30.216 #网络地址
ONBOOT=yes #是否启用该接口
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1:0
BROADCAST=128.174.14.167
HWADDR=00:1B:11:03:2B:A6
IPADDR=128.174.14.161
GATEWAY=128.174.14.166
NETMASK=255.255.255.248
NETWORK=128.174.14.160
ONBOOT=yes
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1:1
BROADCAST=120.57.30.223
HWADDR=00:1B:11:03:2B:A6
IPADDR=120.57.30.219
GATEWAY=120.57.30.217
NETMASK=255.255.255.248
NETWORK=120.57.30.216
ONBOOT=yes
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1:2
BROADCAST=128.174.14.167
HWADDR=00:1B:11:03:2B:A6
IPADDR=128.174.14.162
GATEWAY=128.174.14.166
NETMASK=255.255.255.248
NETWORK=128.174.14.160
ONBOOT=yes
# VIA Technologies, Inc. VT6105 [Rhine-III]
DEVICE=eth1:3
BROADCAST=120.57.30.223
HWADDR=00:1B:11:03:2B:A6
IPADDR=120.57.30.220
GATEWAY=120.57.30.217
NETMASK=255.255.255.248
NETWORK=120.57.30.216
ONBOOT=yes
3、静态路由 #由于是多网段,添加了到其它网段的路由
[root@jbxue network-scripts]# cat route-eth0
# lan 192.168.4.0
GATEWAY0=192.168.3.98 #网关(下一跳)
NETMASK0=255.255.255.0 #子网掩码
ADDRESS0=192.168.4.0 #目标网络
# lan 192.168.5.0
GATEWAY1=192.168.3.98
NETMASK1=255.255.255.0
ADDRESS1=192.168.5.0
#lan 192.168.6.0
GATEWAY2=192.168.3.98
NETMASK2=255.255.255.0
ADDRESS2=192.168.6.0
#lan 192.168.7.0
GATEWAY3=192.168.3.99
NETMASK3=255.255.255.0
ADDRESS3=192.168.7.0
#lan 192.168.10.0
GATEWAY4=192.168.3.99
NETMASK4=255.255.255.0
ADDRESS4=192.168.10.0
#lan 192.168.11.0
GATEWAY5=192.168.3.99
NETMASK5=255.255.255.0
ADDRESS5=192.168.11.0
#lan 192.168.12.0
GATEWAY6=192.168.3.99
NETMASK6=255.255.255.0
ADDRESS6=192.168.12.0
#lan 192.168.13.0
GATEWAY7=192.168.3.99
NETMASK7=255.255.255.0
ADDRESS7=192.168.13.0
#lan 192.168.14.0
GATEWAY8=192.168.3.99
NETMASK8=255.255.255.0
ADDRESS8=192.168.14.0
#lan 192.168.15.0
GATEWAY9=192.168.3.99
NETMASK9=255.255.255.0
ADDRESS9=192.168.15.0
#lan 192.168.1.0
GATEWAY10=192.168.3.98
NETMASK10=255.255.255.0
ADDRESS10=192.168.1.0
4、服务器名称:
[root@jbxue sysconfig]# cat network
NETWORKING=yes
#NETWORKING_IPV6=yes
HOSTNAME=jbxue.linux.local
5、DNS配置:
[root@jbxue sysconfig]# cat /etc/resolv.conf
search linux.local
nameserver 202.181.224.2 #香港DNS
nameserver 168.95.1.1 #台湾中华电信DNS
nameserver 192.168.3.21 #内部DNS
三、软件安装
1、Squid 3.0编译安装
[root@jbxue source]# tar -zxvf squid-3.0.STABLE4.tar.gz
[root@jbxue source]# cd squid-3.0.STABLE4
[root@jbxue squid-3.0.STABLE4]# ./configure --prefix=/usr/local/squid #安装路径
#编译时添加下面参数
--enable-gnuregex #使用GNU提供的正规表示法的原则来进行编译
--enable-async-io=80 #这个项目主要在控制一些输出、输入的组件,非同步输出模式
--enable-icmp #支持ICMP
--enable-kill-parent-hack #在关闭squid时,是否要连parent process一起关掉
--enable-snmp #启用snmp
--disable-ident-lookups
--enable-cache-digests
--enable-poll #可以提升效能
--enable-linux-netfilter
--disable-ident-lookups
--enable-ssl #启用支持ssl
[root@jbxue squid-3.0.STABLE4]# make && make install
至此,Squid安装完毕,下面开始对squid进行配置、初始化等;
[root@jbxue squid-3.0.STABLE4]# cd /usr/local/squid/etc/ # squid配置文件存放点
[root@jbxue etc]# mv squid.conf squid.conf.bak #将默认配置文件另存为,重新配置
[root@jbxue etc]# touch squid.conf #新建配置文件,
配置文件内容:
[root@jbxue etc]# cat squid.conf
# WELCOME TO SQUID 3.0 STABLE4
###### System Setting #######################################
http_port 3128 transparent
#http_port 3128
#acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 5120 KB
minimum_object_size 0 KB
cache_dir ufs /var/spool/squid 15360 16 256
cache_effective_user squid
cache_effective_group squid
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
visible_hostname jbxue.linux.com
dns_nameservers 202.181.224.2 168.95.1.1 61.144.56.100
cache_mgr admin@jb200.com
###### No Cache List #######################################
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY
acl coach urlpath_regex coach
no_cache deny coach
###### Access Control List #################################
acl SSL_ports port 443 8080 9525 9510 5222 21 88
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 8080 # dgsi.dg.gov.cn
acl Safe_ports port 9525 9510 5222 # ebgz.itownet.cn
acl Safe_ports port 88 # fdatacraft.vicp.net:88
#acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl fm_hk src 192.168.1.0/24
acl to_lan dst 192.168.0.0/19
acl hkmanager src "/usr/local/squid/etc/hkmanager_hosts" #调用其它文件,便于分类,下同
acl server src "/usr/local/squid/etc/server_hostip"
acl itsupport src "/usr/local/squid/etc/itsupport_hosts"
acl dhcpaddrpool src "/usr/local/squid/etc/dhcp_address_pool"
acl whitelist_ip dst "/usr/local/squid/etc/whitelist_ip"
acl whitelist_site dstdomain "/usr/local/squid/etc/whitelist_sites"
acl blacklist_sites dstdomain "/usr/local/squid/etc/blacklist_sites"
acl file_mp3 urlpath_regex -i .mp3$ #禁止下载所规定的文件类型
acl file_scr urlpath_regex -i .scr$
acl file_avi urlpath_regex -i .avi$
acl file_exe urlpath_regex -i .exe$
acl file_pif urlpath_regex -i .pif$
acl file_pf urlpath_regex -i .pf$
acl file_xdb urlpath_regex -i .xdb$
acl file_mp4 urlpath_regex -i .mp4$
acl file_rmvb urlpath_regex -i .rmvb$
acl file_rm urlpath_regex -i .rm$
acl file_bt urlpath_regex -i .torrent$
acl file_wma urlpath_regex -i .wma$
###### SNMP Config #########################################
#snmp_port 3401
#acl snmppublic snmp_community public
#acl adminhost src 192.168.3.0/24 192.168.11.0/24
#snmp_access allow snmppublic adminhost
#snmp_access deny all
###### Rules ###############################################
http_access deny file_mp3 #禁止下载所规定的文件类型
http_access deny file_scr
http_access deny file_avi
http_access deny file_exe !itsupport
http_access deny file_pif
http_access deny file_pf
http_access deny file_xdb
http_access deny file_mp4
http_access deny file_rmvb
http_access deny file_rm
http_access deny file_bt
http_access deny file_wma
http_access deny blacklist_sites
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow fm_hk
http_access allow to_lan
http_access allow localhost
http_access allow hkmanager
http_access allow itsupport
http_access allow dhcpaddrpool
http_access allow server
http_access allow whitelist_site
http_access allow whitelist_ip
http_access deny all
#http_reply_access allow all
#icp_access allow all
[root@jbxue etc]# cat blacklist_sites
sex
nude
porn
.3721.com
[root@jbxue etc]# cat dhcp_address_pool
#lan3
192.168.3.201-192.168.3.240
#lan4
192.168.4.201-192.168.4.240
#lan5
192.168.5.201-192.168.5.240
#lan6
192.168.6.201-192.168.6.240
#lan7
192.168.7.201-192.168.7.240
#lan11
192.168.11.201-192.168.11.240
[root@jbxue etc]# cat itsupport_hosts
#IT_Support
#jack
192.168.4.68
#it staffs
192.168.11.93-192.168.11.96
192.168.11.105-192.168.11.108
[root@jbxue etc]# cat whitelist_ip
#dg.gov.cn
61.145.199.0/24
#itownet.cn
59.42.252.66
61.145.120.33
202.105.50.136
210.51.9.164
#corsica.globat.com
216.193.201.64
[root@jbxue etc]# cat server_hostip
#server host ip
192.168.3.60-192.168.3.90
[root@jbxue etc]# cat hkmanager_hosts
192.168.5.108
192.168.5.109
[root@jbxue squid]# useradd squid #添加squid管理帐户
[root@jbxue squid]# id squid #查看squid用户ID及组ID
uid=500(squid) gid=500(squid) groups=500(squid)
[root@jbxue squid]# cd /var/spool/
[root@jbxue spool]# mkdir squid #新建目录
[root@jbxue spool]# chown squid squid/ #改变目录拥有者
[root@jbxue spool]# chgrp squid squid/ #改变目录所属组
[root@jbxue etc]# /usr/local/squid/sbin/squid -k parse #检查配置文件是否正确
[root@jbxue etc]# /usr/local/squid/sbin/squid -zX #初始化 squid
[root@jbxue etc]# /usr/local/squid/sbin/squid start #启动squid
[root@jbxue etc]# netstat -tunl |grep ":3128" #检查squid是否在运行
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
[root@jbxue etc]# nano /etc/rc.d/rc.local #编辑开机启动文件,添加以下内容
/usr/local/squid/sbin/squid # line added to /etc/rc.d/rc.local: start squid automatically at boot
至此,squid就基本上配置完毕,下面将进入iptables的脚本编写;
Iptables 脚本内容如下:
cat /home/firewall/fw.sh
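#!/bin/bash
#
# /home/firewall/fw.sh - host firewall, NAT and transparent-proxy rules for
# the gateway described in this article. It is started from rc.local as
# "sh /home/firewall/fw.sh", so the shebang above is informational only and
# the script has to stay sh-compatible.
#
# Deliberately no "set -e": once the INPUT policy is DROP, aborting halfway
# through would leave the host without its ACCEPT rules. Every iptables call
# is independent, so later rules are still installed if one fails.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

#### Define networks #######################
INIF="eth0"            # LAN side
EXTIF="eth1"           # WAN side
# LAN3..LAN7 are not referenced by fw.sh or fw.acl as shown here; they are
# kept and exported so fw.acl can use them.
LAN3="192.168.3.0/24"
LAN4="192.168.4.0/24"
LAN5="192.168.5.0/24"
LAN6="192.168.6.0/24"
LAN7="192.168.7.0/24"
CT1="120.57.30.218"    # public addresses used as DNAT targets below
CT2="120.57.30.220"
CNC1="128.174.14.161"
CNC2="128.174.14.162"
MX01="192.168.3.61"    # internal mail server
# fw.acl is executed as a separate process ("sh fw.acl"), so it only sees
# these names because they are exported.
export EXTIF INIF LAN3 LAN4 LAN5 LAN6 LAN7 CT1 CT2 CNC1 CNC2 MX01

############################################
#### PART I: Localhost Firewall Setting ####
############################################
#### 1. Clear any existing chains (filter table) ####
iptables -F
iptables -X
iptables -Z

#### 2. Default policies ####
# INPUT is default-deny; everything the host itself must accept is opened
# explicitly below. OUTPUT and FORWARD stay ACCEPT, so what the LAN may
# reach is decided by the MASQUERADE rules in fw.acl, not by the filter
# table.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#### 3. Loopback and already-established traffic ####
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#### 4. Services the host itself accepts ####
# SSH on the WAN interface is accepted from any source address.
# NOTE(review): restrict it with "-s <admin-network>" where the admin
# addresses are known; this is the only service exposed to the WAN side.
iptables -A INPUT -p tcp -i "$EXTIF" --dport 22 -j ACCEPT    # ssh
# Squid listens on 3128; the PREROUTING REDIRECT below delivers LAN port-80
# traffic here, so 3128 must be reachable from the LAN interface.
iptables -A INPUT -p tcp -i "$INIF" --dport 3128 -j ACCEPT   # squid

###################################################
#### PART II: Internal Server Firewall Setting ####
###################################################
#### 1. Load netfilter modules ####
# Output is silenced on purpose: on kernels where these are built in,
# modprobe reports them as missing and that is not an error here.
for mod in ip_tables iptable_nat ip_nat_ftp ip_nat_irc \
           ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
  modprobe "$mod" > /dev/null 2>&1
done

#### 2. Clear NAT table rules ####
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

#### 3. Enable IP forwarding ####
# NOTE(review): this ACCEPT opens every port of the host to the whole LAN
# interface and makes the 3128 rule above redundant. It is not needed for
# forwarding itself - that is governed by the FORWARD chain and the sysctl
# on the next line. Kept as in the original; narrow it if that was not the
# intent.
iptables -A INPUT -i "$INIF" -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

#### Access internet control list ####
# Per-host / per-range MASQUERADE rules live in a separate script (listed
# after this one in the article). Run with sh, hence the exports above.
sh "/home/firewall/fw.acl"
# Emergency fallback: NAT everything from everywhere. Disabled by default.
#iptables -t nat -A POSTROUTING -s 0/0 -o $EXTIF -j MASQUERADE

#### Enable transparent proxy ####
# Redirect every port-80 request arriving on the LAN interface to Squid on
# 3128. $INIF is used instead of a hard-coded interface name so the rule
# follows the definition at the top of the file. Rules in a chain are
# evaluated in order, so this REDIRECT also wins over the DNAT rules below
# for LAN clients that connect to $CT1/$CNC1 on port 80.
iptables -t nat -A PREROUTING -i "$INIF" -p tcp --dport 80 -j REDIRECT --to-port 3128

#### 4. Port forwarding (DNAT) to MX01 ####
# Each mail service (SMTP 25, POP3 110, IMAP 143, webmail 80) is published
# on both public addresses CT1 and CNC1 and forwarded to MX01. The FORWARD
# ACCEPT per port is redundant while the FORWARD policy is ACCEPT, but it
# keeps the rule set correct should that policy ever change to DROP.
for port in 25 110 143 80; do
  iptables -t nat -A PREROUTING -d "$CT1"  -p tcp --dport "$port" -j DNAT --to "$MX01:$port"
  iptables -t nat -A PREROUTING -d "$CNC1" -p tcp --dport "$port" -j DNAT --to "$MX01:$port"
  iptables -A FORWARD -p tcp -d "$MX01" --dport "$port" -j ACCEPT
done

### NS2 DNS Service (backup) - disabled ###
# NOTE: $NS2 is not defined anywhere in this script; define it before
# enabling these lines, and note the DNAT target is $MX01 while the FORWARD
# rules name $NS2.
#iptables -t nat -A PREROUTING -d $CT1 -p tcp --dport 53 -j DNAT --to $MX01:53 #DNS_tcp
#iptables -t nat -A PREROUTING -d $CT1 -p udp --dport 53 -j DNAT --to $MX01:53 #DNS_udp
#iptables -A FORWARD -p tcp -d $NS2 --dport 53 -j ACCEPT
#iptables -A FORWARD -p udp -d $NS2 --dport 53 -j ACCEPT

### SSH to MX01 (public port 22222 on CT2 -> MX01:22) ###
iptables -t nat -A PREROUTING -d "$CT2" -p tcp --dport 22222 -j DNAT --to "$MX01:22"
iptables -A FORWARD -p tcp -d "$MX01" --dport 22 -j ACCEPT

#### Log and drop whatever INPUT did not match ####
# Logging is rate-limited so a port scan cannot fill the log; the prefix
# makes the entries easy to find. The DROP is explicit although the policy
# already drops, so the log line and the drop stay together.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-input-drop: "
iptables -A INPUT -j DROP

#######################################
#### Modification/Update Date note ####
#######################################
#2008/04/07
#2008/04/08 by lingping edit acl
#2008/04/09 by lingping enable transparent proxy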
[root@jbxue ~]# cat /home/firewall/fw.acl
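#!/bin/bash
#
# /home/firewall/fw.acl - outbound access list (MASQUERADE rules), called
# from fw.sh as "sh /home/firewall/fw.acl". EXTIF and MX01 come from the
# environment fw.sh exports; fail early if they are missing instead of
# installing rules with an empty interface or source address.
: "${EXTIF:?EXTIF must be exported by fw.sh}"
: "${MX01:?MX01 must be exported by fw.sh}"

# Ports most listed hosts may reach directly. Port 80 from the LAN is caught
# earlier by the PREROUTING REDIRECT in fw.sh and handed to Squid, so listing
# 80 here has no effect: every port-80 request is still subject to Squid's
# access rules.
COMMON_PORTS="25,110,53,80,443"

# fw.sh has no catch-all MASQUERADE (it is commented out there), so a LAN
# host that matches none of the rules below is not NATed at all.

#### Access Internet Control List ####
#mark
# Syntax for several non-contiguous ports: -m multiport --destination-port a,b,c
iptables -t nat -A POSTROUTING -s 192.168.4.48 -p tcp -m multiport --destination-port "$COMMON_PORTS" -o "$EXTIF" -j MASQUERADE
#jack
iptables -t nat -A POSTROUTING -s 192.168.4.68 -p tcp -m multiport --destination-port 443 -o "$EXTIF" -j MASQUERADE
#hk manager
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.5.108-192.168.5.109 -p tcp -m multiport --destination-port "$COMMON_PORTS" -o "$EXTIF" -j MASQUERADE
#server address pool
# The mail server is NATed for every protocol and port; the rest of the
# server range only for DNS and HTTPS.
iptables -t nat -A POSTROUTING -s "$MX01" -o "$EXTIF" -j MASQUERADE
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.3.60-192.168.3.90 -p tcp -m multiport --destination-port 53,443 -o "$EXTIF" -j MASQUERADE
iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.3.60-192.168.3.90 -p udp --dport 53 -o "$EXTIF" -j MASQUERADE
#dhcp address pools (lan3 .. lan7)
# Syntax for a contiguous block of addresses: -m iprange --src-range a-b
# One rule per LAN with the same port list, in the same order as before.
# NOTE(review): only tcp/53 is NATed for these pools; UDP DNS to external
# resolvers is not, so these clients presumably rely on the internal DNS.
for pool in \
  192.168.3.201-192.168.3.240 \
  192.168.4.201-192.168.4.240 \
  192.168.5.201-192.168.5.240 \
  192.168.6.201-192.168.6.240 \
  192.168.7.201-192.168.7.240; do
  iptables -t nat -A POSTROUTING -m iprange --src-range "$pool" -p tcp -m multiport --destination-port "$COMMON_PORTS" -o "$EXTIF" -j MASQUERADE
done

#######################################
#### Modification/Update Date note ####
#######################################
#2008/04/08
#2008/04/09 Add server ip address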
[root@jbxue ~]#
在/etc/rc.d/rc.local文件中添加以下一行:
#auto load iptables script
# Line added to /etc/rc.d/rc.local. The script is run with sh, so its own
# shebang is not consulted and fw.sh must remain sh-compatible.
sh /home/firewall/fw.sh