【求助】，请帮忙看看这个iptables＋squid的问题

樱家冢 · 发表于 2003-5-11 11:44:26

两块网卡
eth0 192.168.0.200/255.255.255.0
eth1 211.168.1.84/255.255.240.0

# /etc/sysconfig/iptables 文件
#
#======================= 古公 =======================

#
# mangle 段
*mangle

REROUTING ACCEPT [0]
:OUTPUT ACCEPT [0]
COMMIT
#

#
# nat 段
*nat

REROUTING ACCEPT [0]

OSTROUTING ACCEPT [0]
:OUTPUT ACCEPT [0]
#
# 为使用 SQUID 作“透明代理”而设定！
#
# 没有指定网卡、地址：
[0] -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#
# 指定网卡、地址：
#[0] -A PREROUTING -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#[0] -A PREROUTING -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
# 将对于 80、443 端口的访问重定向到 3128 端口。
#
#
# 这些机器可以走这个机器做网关上 Internet 网。
# 需要在 /etc/sysctl.conf 文件里面修改成 net.ipv4.ip_forward = 1
# 或者 echo 1 > /proc/sys/net/ipv4/ip_forward
# 由于利用 SQUID 实现了“透明代理”，Masq 取消相应的客户地址。
# 这里，只剩下几个需要利用“IP伪装”来上网的机器（可以上 QQ、雅虎通、msn 之类的）：
#
#[0] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
# 若你的公网的 IP 地址是固定的，使用这个语句似乎更好些：
[0] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j SNAT --to 211.168.1.84
COMMIT
#

#
# filter 段
*filter
:INPUT ACCEPT [0]
:FORWARD ACCEPT [0]
:OUTPUT ACCEPT [0]

#
# 屏蔽来自 microsoft 的站点:
#[0] -A INPUT -s 207.46.0.0/255.255.0.0 -j DROP
#[0] -A INPUT -d 207.46.0.0/255.255.0.0 -j DROP
#

# 防止IP欺骗：
# 所谓的IP欺骗就是指在IP包中存在着不可能的IP源地址或目标地址。
# eth1是一个与外部Internet相连，而192.168.20.0则是内部网的网络号，
# 也就是说，如果有一个包从eth1进入主机，而说自己的源地址是属于
# 192.168.20.0网络，或者说它的目标地址是属于这个网络的，那么这显
# 然是一种IP欺骗，所以我们使用DROP将这个包丢弃。
[0] -A INPUT -d 192.168.0.0/255.255.255.0 -i eth1 -j DROP
[0] -A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j DROP
#
# 同样的，如果有包要通过eth1向Internet，而且它的源地址或目标地址是属于
# 网络192.168.20.0，那么显然也是不可能的。我们仍然使用DROP将它丢弃。
[0] -A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth1 -j DROP
[0] -A OUTPUT -s 192.168.0.0/255.255.255.0 -o eth1 -j DROP
#

# 防止广播包从IP代理服务器进入局域网：
[0] -A INPUT -s 255.255.255.255 -i eth0 -j DROP
[0] -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
[0] -A INPUT -d 0.0.0.0 -i eth0 -j DROP
# 当包的源地址是255.255.255.255或目标地址是0.0.0.0，则说明它是一个
# 广播包，当广播包想进入eth0时，我们就应该DENY，丢弃它。而240.0.0.0/3
# 则是国际标准的多目广播地址，当有一个源地址是属于多目广播地址的包，
# 我们将用DROP策略，丢弃它。

#
# 屏蔽 windows xp 的 5000 端口（这个端口是莫名其妙的！）
#[0] -A INPUT -p tcp -m tcp --sport 5000 -j DROP
#[0] -A INPUT -p udp -m udp --sport 5000 -j DROP
#[0] -A OUTPUT -p tcp -m tcp --dport 5000 -j DROP
#[0] -A OUTPUT -p udp -m udp --dport 5000 -j DROP
# 原来是用来跑 vpn 的，呵呵，我误解了。
#

#
# 防止 Internet 网的用户访问 SAMBA 服务器：
[0] -A INPUT -s 211.168.1.84 -i eth1 -p tcp -m tcp --dport 137:139 -j DROP
[0] -A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT
[0] -A INPUT -s 211.168.1.84/255.255.255.240 -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
[0] -A INPUT -p tcp -m tcp --dport 137:139 -j DROP
#

#
# 对于本局域网用户不拒绝访问：
[0] -A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -j ACCEPT
[0] -A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p udp -j ACCEPT
#

#
[0] -A INPUT -i eth1 -p udp -m udp --dport 3 -j DROP
[0] -A INPUT -i eth1 -p tcp -m tcp --dport 3 -j DROP
[0] -A INPUT -i eth1 -p tcp -m tcp --dport 111 -j DROP
[0] -A INPUT -i eth1 -p udp -m udp --dport 111 -j DROP
#

#
[0] -A INPUT -i eth1 -p udp -m udp --dport 587 -j DROP
[0] -A INPUT -i eth1 -p tcp -m tcp --dport 587 -j DROP
#

# 防止 Internet 用户访问 SQUID 的 3128 端口：
[0] -A INPUT -s 211.168.1.84 -i eth1 -p tcp -m tcp --dport 3128 -j DROP
[0] -A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
[0] -A INPUT -s 211.168.1.84/255.255.255.240 -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
[0] -A INPUT -p tcp -m tcp --dport 3128 -j DROP
#

# 让人家 ping 不通我！
[0] -A INPUT -i eth1 -s 192.168.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0] -A INPUT -i eth1 -s 211.168.1.84/28 -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0] -A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP
#

COMMIT
# ======================= 结束 =======================
# ======================= 古公 =======================

# /etc/squid/squid.conf 文件
#
# http_port 3128
http_port 192.168.0.200:3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# cache_mem 8 MB
cache_mem 24 MB

# emulate_httpd_log off
# ============================================================================
emulate_httpd_log on
# ============================================================================

# redirect_rewrites_host_header on
# ============================================================================
redirect_rewrites_host_header off
# ============================================================================

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# ============================================================================
#
acl allow_domain dstdomain "/etc/squid/allow_domain"

acl no_allow_web dst "/etc/squid/no_allow_web"
acl no_allow_domain dstdomain "/etc/squid/no_allow_domain"
acl no_allow_client src "/etc/squid/no_allow_client"
#acl allow_time time "/etc/squid/allow_time"
#
acl allow_client_inf src "/etc/squid/allow_client_inf"
acl allow_client_fore src "/etc/squid/allow_client_fore"
acl allow_client_8h src "/etc/squid/allow_client_8h"
acl allow_client_3h src "/etc/squid/allow_client_3h"
#
#
#
acl Uncachable url_regex cgi \?
#

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# ============================================================================

# Deny requests to unknown ports
http_access deny !Safe_ports

# ============================================================================
no_cache deny Uncachable
http_access allow allow_domain
http_access allow allow_client_inf
http_access deny no_allow_web
http_access deny no_allow_domain
http_access deny no_allow_client
http_access allow allow_client_fore
#
# 下面是只允许每天上三个小时的：
#http_access deny no_allow_time_0_1 allow_client_3h
#http_access deny no_allow_time_0_2 allow_client_3h
#http_access deny no_allow_time_0_3 allow_client_3h
#http_access deny no_allow_time_0_4 allow_client_3h
#http_access deny no_allow_time_0_5 allow_client_3h
#http_access allow allow_client_3h
# 完
#http_access deny no_allow_time
# ============================================================================

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

#Allow ICP queries from eveyone
icp_access allow all

cache_mgr [email protected]

# httpd_accel_port 80
# +++++++++++++++++++++++++++++++++++ 古公 ++++++++++++透明代理的设定+++++++++
httpd_accel_host virtual
#httpd_accel_port 80
# +++++++++++++++++++++++++++++++++++ 古公 ++++++++++++透明代理的设定+++++++++

# httpd_accel_with_proxy on
# +++++++++++++++++++++++++++++++++++ 古公 ++++++++++++透明代理的设定+++++++++
httpd_accel_with_proxy on
# +++++++++++++++++++++++++++++++++++ 古公 ++++++++++++透明代理的设定+++++++++

# httpd_accel_uses_host_header off
# +++++++++++++++++++++++++++++++++++ 古公 ++++++++++++透明代理的设定+++++++++
httpd_accel_uses_host_header on
# +++++++++++++++++++++++++++++++++++ 古公 ++++++++++++透明代理的设定+++++++++

append_domain .fruitron.com.cn

# ============================================================================
error_directory /usr/lib/squid/errors/Simplify_Chinese
# ============================================================================

# ============================================================================

delay_pools 1 # 1 delay pools
delay_class 1 3 # pool 1 is a class 3 pool

# ============================================================================

#delay_access 1 deny all

delay_access 1 allow allow_client_3h allow_client_8h allow_client_fore allow_client_inf
delay_access 1 deny all
# ============================================================================

# ============================================================================
delay_parameters 1 8000/8000 2000/4000 4000/8000
#delay_parameters 2 8000/8000 4000/8000 4000/8000
#delay_parameters 3 8000/8000 4000/8000 4000/8000
# ============================================================================

# ie_refresh off
# ============================================================================
#ie_refresh on
# ============================================================================

樱家冢 · 发表于 2003-5-11 12:55:25

[root@proxy root]# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 584 packets, 60037 bytes)
pkts bytes target    prot opt in    out    source             destination
6 288 REDIRECT tcp  --  eth0 any    192.168.0.0/24    anywhere          tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT 359 packets, 22034 bytes)
pkts bytes target    prot opt in    out    source             destination
21  1448 SNAT    all  --  any any    192.168.0.0/24    anywhere          to:211.168.1.84

Chain OUTPUT (policy ACCEPT 362 packets, 22618 bytes)
pkts bytes target    prot opt in    out    source             destination

以上是iptables －L -v -t nat的显示信息

		自动登录	找回密码
密码			注册