Author: Kamus (Zhang Leyi)
Mail: kamus@itpub.net
Date: 2003.08
Environment:
Server: SUSE Linux 8.2, ADSL
Client: Windows 2000
LAN: SUSE (192.168.1.3), Windows (192.168.1.5), ADSL (192.168.1.1), connected through an 8-port 10/100M hub.
Using Squid + iptables. Most of the experience comes from www.linuxaid.com; it is just summarized here.
For detailed instructions on iptables, please see:
iptables HOWTO:
http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/linuxsem/downloads/netfilter/iptables-howto.html
For iptables configuration tools, please see:
knetfilter:
http://expansa.sns.it/knetfilter
gShield:
http://muse.linuxmafia.org/gshield.html
For Squid optimization, please see:
Squid Optimization Complete Manual (1):
http://www.linuxaid.com.cn/Articles/2/8/289179080.shtml
Squid Optimization Complete Manual (2):
http://www.linuxaid.com.cn/Articles/5/4/546967373.shtml
For the configuration of an iptables firewall, please see:
Implementing a packet-filtering firewall with iptables (1):
http://www.linuxaid.com.cn/Engineer/bye2000/doc/iptables1.htm
Implementing a packet-filtering firewall with iptables (2):
http://www.linuxaid.com.cn/Engineer/bye2000/doc/iptables2.htm
OK, the configuration starts below.
First, why configure a transparent proxy?
In fact, Squid alone can provide the proxy function, but then the proxy server must be set in the client's browser, and other tools such as FlashGet, CuteFTP and so on each need their own proxy setting, which is very troublesome. With a transparent proxy, you only set a gateway on the client, and every other program works without any further configuration. That is the biggest attraction of a transparent proxy, at least for me. In fact, the more powerful firewall functions of iptables are its largest use, but this configuration does not cover the firewall; if you are interested, please read the iptables HOWTO.
1. Assume that firewall (netfilter) support has been compiled into our Linux kernel; you can enter the kernel source directory and confirm this with make menuconfig.
2. Install Squid. It is included in essentially all Linux distributions and is already present if you did a full install; of course it can also be downloaded from:
http://www.squid-cache.org/
3. Whether you reinstalled it or it came with the system, the location of the Squid configuration file may differ between distributions, so use the find command to confirm the exact location of the squid.conf file. If it was installed from an RPM, you can also confirm with the rpm command: rpm -ql [squid-package-name] | grep squid. Edit the squid.conf file and make sure the following lines exist:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user nobody
cache_effective_group nobody
http_access allow all
cache_dir ufs /usr/local/squid/cache 100 16 256
Note: the last line is the cache directory, which you need to create below; you can change it to your local Squid directory. The second-to-last line means we allow all requests, which is very unsafe: you can define an acl for your own group, allow that group, and deny everything else. For the specific settings take a closer look at squid.conf; it contains very detailed explanations and examples.
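As an added example that is not part of the original article: the acl-based replacement for http_access allow all that the note describes, together with a small shell check that tells you whether a squid.conf would still accept requests from anyone. The LAN prefix 192.168.1.0/24 is taken from the environment above; the acl names localnet and all are my own choice, and the two configuration texts are constructed inline so the check runs offline. Squid evaluates http_access lines top to bottom and acts on the first one that matches, so the first rule whose acl is all decides what an unknown client gets.

```shell
#!/bin/sh
# Added example, not from the original article. Two constructed squid.conf fragments:
# the open configuration from the article and the hardened version the note describes.
# Assumption: the LAN is 192.168.1.0/24 as in the article's environment; the acl names
# "localnet" and "all" are chosen here (Squid 2.x requires "all" to be defined explicitly).

OPEN_CONF='acl all src 0.0.0.0/0.0.0.0
http_access allow all'

HARDENED_CONF='acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/24
# Only our LAN may use the proxy; everything else is refused
http_access allow localnet
http_access deny all'

# first_catchall_action CONFIG_TEXT
# Prints the action (allow/deny) of the first http_access line whose acl is "all",
# or "none" if there is no such catch-all rule. Squid applies http_access lines
# top-down and stops at the first match, so this is what an unknown client gets.
# "none" means the outcome falls back to Squid's default (the opposite of the last
# rule), which is not something to rely on: always finish with an explicit deny all.
first_catchall_action() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        $1 == "http_access" && $3 == "all" { print $2; found = 1; exit }
        END { if (!found) print "none" }'
}

# squid_is_open CONFIG_TEXT -> exit status 0 when any client at all would be allowed
squid_is_open() {
    [ "$(first_catchall_action "$1")" = allow ]
}

# Usage on a real installation (use the path found with find in step 3):
#   squid_is_open "$(cat /path/to/squid.conf)" && echo "WARNING: proxy open to everyone"
```

The check deliberately ignores everything except the catch-all rule: a configuration that allows localnet and then allows all is still open, and the function reports it as such.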
5. Create the cache directory (if it does not exist) and change the owner of the directory to nobody:
chown nobody:nobody /pathname/cache
6. Look up the default log directory in the configuration file and change the owner of that directory to nobody as well, to make sure the log can be written.
7. Create the cache: squid -z
8. Start Squid: squid -D
The Squid site maintains a very detailed FAQ that covers basically every question you will need to ask. For example, you can start Squid in debug mode with squid -NCd1, so that any error is reported. Usually, with ADSL dial-up, if you start Squid before dialing you will get an error (FATAL: ipcache_init: DNS name lookup tests failed), because Squid checks a few common DNS names at startup, and at that moment you have no Internet access, so naturally it fails. That is why we need to skip the DNS check at startup, which is what the -D option does when starting Squid.
9. After it starts successfully, we can set up the proxy in the client's browser to test it. If you can access the Internet, Squid is working.
10. One more follow-up: make sure Squid is started automatically. Usually there is already a squid script in /etc/init.d; what we need to do is link it into the appropriate rc.d directory with ln. For example, my default is to boot into runlevel 5, so I execute:
ln -s /etc/init.d/squid /etc/init.d/rc5.d/S99squid
ln -s /etc/init.d/squid /etc/init.d/rc5.d/K01squid
This is under SUSE; under Red Hat the rc.d directory is under /etc, not under /etc/init.d.
OK, the Squid setup is finished; let's start configuring iptables.
You can use the configuration tools mentioned earlier, but I have not tried them, so I do it directly with the iptables command.
You can view the help with man iptables.
We put the iptables setup commands in a script file. Assume the script file is named firewall; store it in /etc/init.d and run it from the boot file. The steps are as follows:
1. touch /etc/init.d/firewall
2. vi /etc/init.d/firewall
Add the following:
#!/bin/sh
echo "Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules..."
# Flush all chains in the nat table
/sbin/iptables -F -t nat
# HTTP arriving from the LAN card is redirected to Squid's listening port
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Everything else from the LAN leaves through the ADSL link with its address rewritten
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
The explanation of the above commands is as follows:
/proc/sys/net/ipv4/ip_forward must be set to 1 (the default is 0) in order to use the routing function.
/sbin/iptables -F -t nat empties all existing rules in the nat table.
eth0: the network card in the Linux machine.
3128: the default listening port of Squid.
ppp0: the ADSL device in Linux (ppp0 in SUSE; in Red Hat it may be dsl0).
MASQUERADE: suitable for dial-up, because there is no static IP address; for a server with a static IP you can replace it with SNAT --to-source ipaddress.
Note: the above commands do not involve the firewall; please configure that yourself. They do not delete the rules in the filter table either, so if those were set previously, they are not affected.
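The two NAT rules above carry two restrictions that are easy to drop when retyping them: the -i eth0 on the REDIRECT rule, without which HTTP arriving on the ADSL side would also be handed to Squid, and the -s 192.168.1.0/24 on the MASQUERADE rule, without which the box would masquerade for any source it forwards. As an added example that is not part of the original article, the following shell code builds the two rules from parameters and audits an iptables-save dump of the nat table for exactly those two omissions. The interface names, LAN prefix and Squid port are the article's values, turned into parameters; the two dumps are constructed inline so the audit runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: build the two NAT rules from parameters
# and audit an "iptables-save -t nat" dump for the two omissions that would turn this
# setup into an open proxy or an open NAT gateway. Interface names, LAN prefix and
# Squid port follow the article's environment but are parameters here.

# nat_rules LAN_IF WAN_IF LAN_NET SQUID_PORT -> the two rules in iptables-save syntax
nat_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; squid_port=$4
    # Only HTTP that arrives from the LAN side is handed to Squid
    printf '%s\n' "-A PREROUTING -i $lan_if -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $squid_port"
    # Only our own LAN gets its addresses rewritten to the ADSL address
    printf '%s\n' "-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"
}

# audit_nat WAN_IF LAN_NET   (reads an "iptables-save -t nat" dump on stdin)
# Exit status 0 when every REDIRECT rule is bound to an input interface other than the
# WAN device and every MASQUERADE rule carries a source restriction; 1 otherwise, with
# one line per finding on stdout.
audit_nat() {
    wan_if=$1; lan_net=$2; status=0
    while IFS= read -r line; do
        case $line in
            "-A "*"-j REDIRECT"*)
                case $line in
                    *" -i $wan_if "*) echo "REDIRECT bound to the WAN interface: $line"; status=1 ;;
                    *" -i "*) ;;
                    *) echo "REDIRECT without input interface (would also proxy HTTP from the ADSL side): $line"; status=1 ;;
                esac ;;
            "-A "*"-j MASQUERADE"*)
                case $line in
                    *" -s $lan_net "*) ;;
                    *) echo "MASQUERADE not restricted to $lan_net: $line"; status=1 ;;
                esac ;;
        esac
    done
    return $status
}

# Constructed dumps: what "iptables-save -t nat" would show after running the article's
# script (GOOD_DUMP), and the same script with the -i and -s options left out (BAD_DUMP).
GOOD_DUMP="*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
$(nat_rules eth0 ppp0 192.168.1.0/24 3128)
COMMIT"

BAD_DUMP='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

audit_good() { printf '%s\n' "$GOOD_DUMP" | audit_nat ppp0 192.168.1.0/24; }
audit_bad()  { printf '%s\n' "$BAD_DUMP"  | audit_nat ppp0 192.168.1.0/24; }

# On the real box, after running the firewall script:
#   iptables-save -t nat | audit_nat ppp0 192.168.1.0/24 || echo "fix the NAT rules"
```

audit_good reports nothing and exits 0; audit_bad prints one finding per rule and exits 1. Running the audit once after boot is a cheap way to confirm the script in /etc/init.d actually took effect with the restrictions intact.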
3. chmod u+x /etc/init.d/firewall, changing the file attributes so that it can be executed.
4. Edit the /etc/init.d/boot.local file and add /etc/init.d/firewall at the end, to make sure this script is executed at boot.
Note: under SUSE it is boot.local; under Red Hat you need to edit the /etc/rc.d/rc.local file.
5. Run /etc/init.d/firewall; the rules take effect immediately.
So far, all configuration is complete.