Squid installation and configuration: working notes

Background: developers are not allowed to reach the Internet, but a few specific sites are needed for their work, so Squid is used as a transparent proxy. HAProxy was considered first, but from what I could find it only forwards (load-balances) connections and cannot act as a forward web proxy.

Prerequisite: in principle a transparent Squid proxy needs two NICs with two IPs on different subnets, one that can reach the Internet and one that sits on the internal network.

[root@linux-virsh-106 log]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E1:9A:69
          inet addr:192.168.1.107  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee1:9a69/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:382562 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65671 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:78070930 (74.4 MiB)  TX bytes:5258206 (5.0 MiB)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:E1:9A:73
          inet addr:192.168.10.26  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee1:9a73/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:320136 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22754485 (21.7 MiB)  TX bytes:59173280 (56.4 MiB)

Here eth0 (192.168.1.107) is the interface that reaches the outside network and eth1 (192.168.10.26) the one on the internal network.

The IP addresses are configured by editing ifcfg-eth0 and ifcfg-eth1 under /etc/sysconfig/network-scripts/; restart the network service after editing.

[root@linux-virsh-106 network-scripts]# cat ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
#BROADCAST=192.168.1.255
HWADDR=00:0C:29:E1:9A:69
IPADDR=192.168.1.107
IPV6INIT=yes
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
#NETWORK=192.168.1.0
GATEWAY=192.168.1.1
ONBOOT=yes
[root@linux-virsh-106 network-scripts]# cat ifcfg-eth1
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
#HWADDR=00:0c:29:e1:9a:73
IPADDR=192.168.10.26
NETMASK=255.255.255.0

With the NICs configured, the next step is the iptables setup.

[root@linux-virsh-106 network-scripts]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@linux-virsh-106 network-scripts]# service iptables start
[root@linux-virsh-106 network-scripts]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux-virsh-106 network-scripts]# iptables -F
[root@linux-virsh-106 network-scripts]# iptables -t nat -F
[root@linux-virsh-106 network-scripts]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@linux-virsh-106 network-scripts]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 192.168.1.107
[root@linux-virsh-106 network-scripts]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
[root@linux-virsh-106 network-scripts]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
[root@linux-virsh-106 network-scripts]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.10.0/24      anywhere            to:192.168.1.107

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Two points to keep in mind about these rules. Writing 1 into /proc/sys/net/ipv4/ip_forward is lost on reboot; put net.ipv4.ip_forward = 1 into /etc/sysctl.conf as well. And because the FORWARD policy stays ACCEPT while SNAT applies to everything from 192.168.10.0/24, only TCP port 80 actually goes through Squid; any other traffic from the internal subnet is simply NATed out to the Internet, which is not what "developers cannot reach the Internet" intends. Restricting the REDIRECT to -i eth1 -s 192.168.10.0/24 and setting the FORWARD policy to DROP closes that gap.

Install Squid

[root@linux-virsh-106 network-scripts]# yum install squid

Configure Squid

[root@linux-virsh-106 network-scripts]# cd /etc/squid/
[root@linux-virsh-106 squid]# ls
cachemgr.conf  errors  icons  mib.txt  mime.conf  mime.conf.default  msntauth.conf  msntauth.conf.default  squid.conf  squid.conf.bak20140120  squid.conf.bak2014012002  squid.conf.default

Extract the useful lines (everything that is neither a comment nor blank) from the backed-up configuration file into a fresh squid.conf:

[root@linux-virsh-106 squid]# grep -v "^#" squid.conf.bak20140120 | grep -v "^$" > squid.conf

The redirection into squid.conf is what produces the stripped file; without it the second grep would just read squid.conf and print it. The backup taken beforehand (squid.conf.bak20140120) is what makes overwriting squid.conf safe.

Start Squid

[root@linux-virsh-106 squid]# service squid start
Starting squid: .                                          [  OK  ]
[root@linux-virsh-106 squid]# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:1004                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:3128                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN

The basic work is done; now configure Squid for the actual requirements.

[root@linux-virsh-106 squid]# cat squid.conf
acl lan src 192.168.10.0/24 # the internal subnet that will connect through the proxy
acl all src 0.0.0.0/0.0.0.0
# the URLs that we added ourselves and that may be accessed
acl url1 url_regex -i qq.com
acl url2 url_regex -i pengyou.com
acl url3 url_regex -i baidu.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow url1
http_access allow url2
http_access allow url3
http_access deny all
icp_access allow all
# "transparent" must be appended after the port, otherwise redirected traffic is not handled
http_port 3128 transparent
# visible_hostname also has to be added by hand
visible_hostname 192.168.10.26
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid

Three things in this configuration deserve a second look before it goes into production:

1. "acl lan" is defined but never used in an http_access line, and Squid listens on 0.0.0.0:3128 (see the netstat output above), so the "allow url1/url2/url3" rules apply to any client that can reach port 3128, including clients on the eth0 side. The intended rule is "http_access allow lan url1" (and likewise for url2 and url3).

2. "url_regex -i qq.com" is an unanchored, case-insensitive regular expression over the whole URL, and the unescaped "." matches any character. It therefore also allows "http://evil.example/?r=qq.com" or a destination host named "qq.com.evil.example". "acl sites dstdomain .qq.com .pengyou.com .baidu.com" matches only the destination host and its subdomains, which is what the policy actually wants.

3. Only TCP port 80 is redirected to Squid, so HTTPS to these sites is not proxied at all; a plain "http_port ... transparent" cannot interpret a redirected TLS stream, so HTTPS would need a separate interception setup rather than another REDIRECT rule.
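The difference between a url_regex match and a dstdomain match is easy to see with a few URLs. The following script is an added example, not part of the original notes: it imitates the post's "url_regex -i qq.com"-style ACLs with grep and a dstdomain-style check with plain host extraction. The test URLs are constructed for illustration and do not come from the post.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the post's
# "acl urlN url_regex -i <domain>" matching with a "dstdomain .<domain>" check.
set -u

# Imitates url_regex -i qq.com / pengyou.com / baidu.com: a case-insensitive,
# unanchored regex over the entire URL. The unescaped "." matches any character,
# exactly as it does in the post's squid.conf.
regex_allows() {
    printf '%s\n' "$1" | grep -qiE 'qq.com|pengyou.com|baidu.com'
}

# Extract the destination host from a URL: strip scheme, path, userinfo and port,
# then lowercase (Squid compares dstdomain case-insensitively).
host_of() {
    h=${1#*://}
    h=${h%%/*}
    h=${h##*@}
    h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Imitates "acl allowed_sites dstdomain .qq.com .pengyou.com .baidu.com":
# the leading "." means the domain itself or any subdomain of it, and only
# the host part of the URL is ever looked at.
dstdomain_allows() {
    host=$(host_of "$1")
    for d in qq.com pengyou.com baidu.com; do
        case "$host" in
            "$d"|*".$d") return 0 ;;
        esac
    done
    return 1
}

# Print both verdicts side by side for one URL.
check() {
    if regex_allows "$1"; then r=allow; else r=deny; fi
    if dstdomain_allows "$1"; then d=allow; else d=deny; fi
    printf '%-40s url_regex=%-5s dstdomain=%s\n' "$1" "$r" "$d"
}

# Constructed sample URLs: the first two and the sixth should be allowed,
# the rest should not. Only the dstdomain column gets all of them right.
for u in \
    'http://www.qq.com/' \
    'http://WWW.QQ.COM/index.html' \
    'http://evil.example/?next=www.qq.com' \
    'http://qq.com.evil.example/' \
    'http://qqxcom.example/' \
    'http://www.baidu.com:8080/s?wd=x' \
    'http://www.example.net/'; do
    check "$u"
done
```

The regex column allows five of the seven URLs, including three that merely contain the text "qq.com" somewhere or match it through the wildcard dot; the dstdomain column allows exactly the three whose destination host is one of the listed domains.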

Add further ports to the iptables rules as required; for example, to send internal traffic destined for TCP port 8003 through Squid as well:

[root@linux-virsh-106 squid]# iptables -t nat -A PREROUTING -p tcp --dport 8003 -j REDIRECT --to-port 3128
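Putting the caveats from the iptables and squid.conf sections together, the script below is an added example (not from the original notes) that generates a tightened version of the post's ruleset in iptables-restore format, which is the format "service iptables save" writes to /etc/sysconfig/iptables, together with the access-control part of squid.conf. Interface names, addresses and the allowed domains are the post's; the "--apply" switch, the sysctl handling and the use of "squid -k parse" before restarting are this example's own choices. Run without arguments it only prints the generated files.

```shell
#!/bin/sh
# Added example (not from the original notes): tightened iptables rules and
# squid.conf access section for the post's transparent proxy.
set -eu

LAN_IF=eth1                 # internal side (post: 192.168.10.26)
WAN_IF=eth0                 # Internet side (post: 192.168.1.107)
LAN_NET=192.168.10.0/24
WAN_IP=192.168.1.107
SQUID_PORT=3128

# iptables-restore format for /etc/sysconfig/iptables. Differences from the post:
#  - REDIRECT matches only traffic arriving on the LAN interface from the LAN
#    subnet (the post's rule matched every interface, including the WAN side);
#  - the FORWARD policy is DROP, so traffic that is not proxied cannot be NATed
#    straight out (the post left it ACCEPT, which routed all non-port-80 traffic
#    around Squid);
#  - the proxy port is closed on the WAN interface so the host cannot be used as
#    a proxy from outside.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# SNAT only ever applies to traffic that a FORWARD rule explicitly allows (none below).
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $WAN_IF -p tcp --dport $SQUID_PORT -j DROP
COMMIT
EOF
}

# squid.conf access section. Differences from the post: sites are matched by
# destination host (dstdomain, domain plus subdomains) instead of an unanchored
# regex over the whole URL, and the allow rule also requires the request to come
# from the LAN subnet. "acl all" is kept because the post runs Squid 2.x, which
# does not predefine it; the "transparent" keyword is spelled "intercept" in 3.1+.
squid_conf() {
    cat <<EOF
acl lan src $LAN_NET
acl all src 0.0.0.0/0.0.0.0
acl allowed_sites dstdomain .qq.com .pengyou.com .baidu.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan allowed_sites
http_access deny all
http_port $SQUID_PORT transparent
visible_hostname 192.168.10.26
access_log /var/log/squid/access.log squid
coredump_dir /var/spool/squid
EOF
}

if [ "${1:-}" = --apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo 'run as root to apply' >&2; exit 1; }
    nat_rules  > /etc/sysconfig/iptables
    squid_conf > /etc/squid/squid.conf
    # Make ip_forward persistent instead of only writing /proc (lost on reboot).
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
    sysctl -p
    iptables-restore < /etc/sysconfig/iptables
    squid -k parse && service squid restart
else
    nat_rules
    echo
    squid_conf
fi
```

Extra ports such as the post's 8003 are added as further REDIRECT lines in nat_rules with the same "-i eth1 -s 192.168.10.0/24" restriction; note that HTTPS still is not covered, for the reason given under the squid.conf section.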

References

http://www.ahxh.cn/html/2011/jiaocheng_1102/15411.html

Video material

http://item.taobao.com/item.htm?spm=686.1000925.1000774.13.9vuJG9 id=37129897170
