Transparent proxy configuration scheme based on the Linux 2.4 kernel


Author: Kamus (Zhang Lezhen)   Mail: Kamus@itpub.net   Date: 2003.08

Environment: Server: SUSE Linux 8.2 with ADSL. Client: Windows 2000. LAN: SUSE (192.168.1.3), Windows (192.168.1.5), ADSL (192.168.1.1), connected through an 8-port 10/100M hub.

This set-up uses Squid and iptables. Most of the experience comes from www.linuxaid.com; it is just summarised here.

For detailed instructions on iptables, see the iptables HOWTO: http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/linuxsem/downloads/netfilter/iptables-howto.html

For iptables configuration tools, see: KnetFilter: http://expansa.sns.it/knetfilter and g-shield: http://muse.linuxmafia.org/gshield.html

On Squid optimization, see: Squid Optimization Full Handbook 1: http://www.linuxaid.com.cn/Articles/2/8/289179080.SHTML and Squid Optimization Full Handbook 2: http://www.linuxaid.com.cn/Articles/5/4/546967373.SHTML

On configuring an iptables firewall, see: Implementing a packet-filtering firewall with iptables (1): http://www.linuxaid.com.cn/Engineer/bye2000/doc/iptables1.htm and Implementing a packet-filtering firewall with iptables (2): http://www.linuxaid.com.cn/Engineer/bye2000/doc/iptables2.htm

OK, the configuration starts below.

First, why configure a transparent proxy at all. Squid alone can provide the proxy function, but then the client has to set the proxy server in the browser, and every other tool, such as FlashGet or CuteFTP, has to be configured as well, which is troublesome. With a transparent proxy the client only needs a gateway address and every program works without separate settings. That is the biggest attraction of the transparent proxy, at least for me. In fact iptables has far more powerful firewall functions, and that is its main use; however, this configuration does not cover firewalling. If you are interested, read the iptables HOWTO.

1. Assume the kernel has been compiled with the firewall (netfilter) support options; you can confirm this by entering the kernel source directory and running make menuconfig.

2. Install Squid. It ships with practically every Linux distribution and should already be installed; it can also be downloaded from http://www.squid-cache.org/

3. Whether Squid was reinstalled or came with the system, the location of its configuration file may differ between distributions, so use the find command to confirm the exact location of squid.conf. For an RPM installation you can also confirm it with the rpm command: rpm -ql <squid package name> | grep squid.conf (for a package file that is not yet installed, use rpm -qlp file.rpm instead).

4. Edit squid.conf and make sure the following lines exist:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    cache_effective_user nobody
    cache_effective_group nobody
    http_access allow all
    cache_dir ufs /usr/local/squid/cache 100 16 256

Note: the last line is the cache directory, which you need to create in the next step; change it to the directory used by your local Squid. The second-to-last line means we allow all requests, which is very unsafe; you can define an acl for your own group, allow that group, and deny all. For the specific settings take a closer look at squid.conf, which has very detailed explanations and examples.

5. Create the cache directory (if it does not exist yet) and change its owner to nobody: chown nobody:nobody /pathname/cache

6. Check the default log directory in the configuration file and change the owner of that directory to nobody as well, so that the logs can be written.

7. Create the cache: squid -z

8. Start Squid: squid -D. Squid's site maintains a very detailed FAQ that covers basically every question you could have. For example, you can start with squid -NCd1 to run in debug mode, so that any error is reported. With ADSL dial-up, starting Squid before dialling generally gives an error (FATAL: ipcache_init: DNS name lookup tests failed), because at start-up Squid looks up a few common DNS names, and at that moment you have no Internet access, so the lookup naturally fails. We therefore need to skip the DNS check at start-up, which is what the -D option of squid is for.

9. After Squid has started successfully, set the proxy in the client's browser to test it. If you can access the Internet, Squid is working.

10. One follow-up item: make sure Squid starts automatically. There is usually already a squid script in /etc/init.d; what we need to do is link it into the appropriate rc.d directory. For example, my default runlevel is 5, so I execute:

    ln -s /etc/init.d/squid /etc/init.d/rc5.d/S<NN>squid
    ln -s /etc/init.d/squid /etc/init.d/rc5.d/K01squid

(NN is the start sequence number; pick one that runs after the network is up.) This is for SUSE; on Red Hat the rc.d directory is under /etc, not under /etc/init.d.
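Step 4 warns that http_access allow all lets anyone use the proxy. The following script, added here as an example and not part of the original post, puts that weak setting beside the restricted form and checks which one a squid.conf amounts to; both configs are constructed samples, and the LAN is the post's 192.168.1.0/24.

```shell
#!/bin/sh
# Added example (not from the original post): flag the "http_access allow all"
# setting the post calls unsafe, and show the restricted form beside it.
# Both configs are constructed samples; the LAN is the post's 192.168.1.0/24.

WEAK_CONF='httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access allow all'

# Restricted form: an acl for the LAN, allow it, then deny everything else.
SAFE_CONF='httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all'

# squid_access_check CONF_TEXT
# Squid walks http_access lines top to bottom and the first match wins, so the
# first "allow all" or "deny all" decides what a client matching no earlier acl
# gets. If no line matches at all, Squid applies the opposite of the last
# http_access line (deny when there are none). Prints "open" and returns 1
# when an unknown client would be allowed, otherwise "restricted" and 0.
squid_access_check() {
    verdict=$(printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "http_access" { last = $2 }
        $1 == "http_access" && $2 == "allow" && $3 == "all" && v == "" { v = "open" }
        $1 == "http_access" && $2 == "deny"  && $3 == "all" && v == "" { v = "restricted" }
        END {
            if (v == "") v = (last == "deny") ? "open" : "restricted"
            print v
        }')
    echo "$verdict"
    [ "$verdict" = "restricted" ]
}

echo "weak config: $(squid_access_check "$WEAK_CONF")"   # open
echo "safe config: $(squid_access_check "$SAFE_CONF")"   # restricted
```

Run it against your real file with squid_access_check "$(cat /path/to/squid.conf)" to see which case you are in.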

OK, the Squid settings are done; let's start configuring iptables. You can use the configuration tools mentioned earlier, but I have not tried them, so I do it directly with the iptables command. Help is available with man iptables.

We put the iptables commands in a script file; assume the script is named firewall, store it in /etc/init.d, and run it from the boot file. The steps are as follows:

1. touch /etc/init.d/firewall

2. vi /etc/init.d/firewall and add the following:

    #!/bin/sh
    echo "Enabling IP forwarding..."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Starting iptables rules..."
    # Flush all chains in the nat table
    /sbin/iptables -F -t nat
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

The commands above are explained as follows:
/proc/sys/net/ipv4/ip_forward must be set to 1 (default 0) for the routing function to work.
/sbin/iptables -F -t nat empties all existing rules in the nat table.
eth0: the network card in the Linux machine that faces the LAN.
3128: Squid's default listening port.
ppp0: the ADSL device in Linux (ppp0 on SUSE; on Red Hat it may be dsl0).
MASQUERADE: suitable for dial-up, because there is no static IP address; for a server with a static IP you can replace it with -j SNAT --to-source <ipaddress>.

Note: the commands above do not involve the firewall; please refer to the references for that configuration. They also do not delete the rules in the filter table, so anything set there previously is not affected.

3. chmod u+x /etc/init.d/firewall to make the file executable.

4. Edit /etc/init.d/boot.local and add /etc/init.d/firewall at the end, so that the script is executed at boot. Note: on SUSE it is boot.local; on Red Hat you need to edit /etc/rc.d/rc.local instead.

5. Run /etc/init.d/firewall; the rules take effect immediately.
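The two nat rules above only redirect TCP port 80 arriving on eth0; everything else from the LAN is masqueraded out of ppp0 without passing through Squid. The script below is an added example, not code from the original post: it is a small model of those two rules (PREROUTING checked first, a redirected packet delivered locally) that classifies constructed sample packets, so you can see which traffic the proxy actually covers before deploying. Interface names, subnet and port are the post's own; the 203.0.113.9 address is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): a model of what the post's two
# nat rules do to a packet, to check the transparent proxy's coverage.
# Interfaces, subnet and port are the post's: eth0, ppp0, 192.168.1.0/24, 3128.

LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.1          # first three octets of 192.168.1.0/24
SQUID_PORT=3128

# in_lan IPADDR -> true when the address lies inside 192.168.1.0/24
in_lan() {
    case "$1" in
        "$LAN_NET".*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify IN_IF PROTO DPORT SRC OUT_IF
# Prints what the nat table does with the packet:
#   redirect:3128  PREROUTING rule: TCP to port 80 arriving on eth0 goes to Squid
#   masquerade     POSTROUTING rule: other LAN traffic leaving ppp0 is NATed
#   untouched      neither rule matches (plain routing, no NAT)
classify() {
    in_if=$1; proto=$2; dport=$3; src=$4; out_if=$5
    # PREROUTING is evaluated first and matches only on the inbound interface;
    # a redirected packet is delivered to Squid locally, so it never reaches
    # POSTROUTING on ppp0. Note that the rule does not look at the source.
    if [ "$in_if" = "$LAN_IF" ] && [ "$proto" = tcp ] && [ "$dport" = 80 ]; then
        echo "redirect:$SQUID_PORT"
        return 0
    fi
    # POSTROUTING matches on source network and outbound interface.
    if in_lan "$src" && [ "$out_if" = "$WAN_IF" ]; then
        echo masquerade
        return 0
    fi
    echo untouched
}

# Constructed sample packets: in_if proto dport src out_if
classify eth0 tcp 80  192.168.1.5 ppp0   # redirect:3128 (proxied by Squid)
classify eth0 tcp 443 192.168.1.5 ppp0   # masquerade (HTTPS bypasses Squid)
classify eth0 udp 53  192.168.1.5 ppp0   # masquerade (DNS goes out directly)
classify ppp0 tcp 80  203.0.113.9 eth0   # untouched (Internet side is not redirected)
```

The HTTPS and DNS cases are the ones to keep in mind: they leave via MASQUERADE and never appear in Squid's access log.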

That completes the whole configuration.

Please credit the original URL when reposting: https://www.9cbs.com/read-21385.html
