Linux Network Getting Started (6): Proxy Server

zhaozj, 2021-02-16

Summary

In order to save and control Internet access costs, many companies and offices lease a DDN line, connect the whole company or office into a local area network, and then let the entire LAN share that connection. In this case, as shown below, the sharing must be implemented through a proxy server. (2002-09-16 13:36:43)

By Wing, Source: Fjxufeng

In order to save and control Internet access costs, many companies and offices lease a DDN line, connect the whole company or office into a local area network, and then let the entire LAN share that connection. In this case, as shown below, the sharing must be implemented through a proxy server.

Figure 7-1 Using a proxy server

7.1 HTTP proxy server

A proxy server, as the name suggests, works like this: a machine that cannot access the Internet directly sends its request (for example, to browse a home page) to a proxy server that can access the Internet; the proxy server completes the request on its behalf, fetches the requested page into its own cache, and then passes the page back to the requester. To a machine on the LAN this looks just like direct access to the network. A proxy server can also filter and control access to certain web sites, which serves our original purpose: controlling and saving on Internet fees.

Linux has a very powerful HTTP/HTTPS/FTP proxy server program, the Squid proxy server. Because it is easy to install and easy to use, it is widely deployed, and it is already included on the Red Hat Linux installation CD. Let's look at it.

7.1.1 Installing the Squid proxy server

Since the installation CD provides an RPM package, we can install Squid with rpm:

rpm -ivh squid-1.1.22-2.rpm

Of course, because this package is on the CD, we must first mount the CD into the file system before it can be installed. With that, Squid is installed and the corresponding initial settings are made.

7.1.2 Configuring Squid

The Squid proxy server has only one configuration file, /etc/squid.conf, which we must modify to suit our system. Below are some of the most basic configuration options; we can use vi to open the file for editing.

1. Set the proxy port number for HTTP/HTTPS/FTP. The default proxy port is 3128, which can be changed to your own preference. Note, however, that it must not conflict with well-known ports such as the POP port, 110. If you are not very familiar with this, keep the default. The corresponding line in /etc/squid.conf is:

http_port 3128

2. Add access control groups. We define the different kinds of users we need to distinguish as access control groups (ACLs). For example, if the company's internal network is 192.168.200.0 and I only want to distinguish between people inside and outside the company, we add the following two lines to /etc/squid.conf:

acl all src 0.0.0.0/0.0.0.0

acl company src 192.168.200.0/255.255.255.0

In this way we have defined a group containing everyone and a group containing all hosts on the company's internal network. Access rules can now be set separately for these two groups.

3. Set the access rights of each access control group. For example, if we want everyone inside the company to access the Internet through the proxy server while everyone else is prohibited from using it, we add the following two lines to /etc/squid.conf:

http_access allow company

http_access deny all
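To see how Squid evaluates these two lines, here is an added Python model of Squid's first-match http_access evaluation against src ACLs; it is not Squid's own code, and the configuration lines it parses are constructed from this section.

```python
import ipaddress

# Constructed sample of the access-control lines from this section (not a real squid.conf).
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl company src 192.168.200.0/255.255.255.0
http_access allow company
http_access deny all
"""

def parse_conf(text):
    """Return (acls, rules): acls maps an ACL name to its networks,
    rules is the ordered list of (action, acl_name) http_access lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            # Squid accepts both prefix and dotted-mask notation, as does ip_network.
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access" and len(parts) == 3:
            rules.append((parts[1], parts[2]))
    return acls, rules

def client_allowed(client_ip, acls, rules):
    """Squid walks the http_access lines top to bottom; the first line whose ACL
    matches the client decides. If nothing matches, the default is the opposite
    of the last line's action."""
    ip = ipaddress.ip_address(client_ip)
    for action, acl_name in rules:
        if any(ip in net for net in acls[acl_name]):
            return action == "allow"
    return rules[-1][0] != "allow" if rules else False

def decide(client_ip, conf_text=SQUID_CONF):
    """Convenience wrapper: evaluate one client address against a config text."""
    acls, rules = parse_conf(conf_text)
    return client_allowed(client_ip, acls, rules)

# The same two lines in the wrong order: "deny all" now matches everyone first.
SWAPPED_CONF = SQUID_CONF.replace("http_access allow company\nhttp_access deny all",
                                  "http_access deny all\nhttp_access allow company")
```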

That is, we allow the "company" group to use the proxy server and deny everyone else ("all") outside that group. Note that the order of these two lines must not be swapped; otherwise all users will be denied, because Squid applies the first http_access line that matches. Please take care with this.

4. Save and exit.

5. Run the following command to make the new configuration take effect:

/etc/rc.d/init.d/squid restart

These are just the most basic settings. Squid provides many more powerful options, and everyone can make more detailed settings according to their actual situation. In /etc/squid.conf every setting has a detailed comment; consult these for further Squid settings.

7.1.3 Client settings

Below we use IE as an example to briefly describe the settings on LAN clients.

1. Open IE and select Tools -> Internet Options -> "Connections" -> "LAN Settings" from the menu bar; the dialog shown below appears:

Figure 7-2 LAN settings

As shown in the figure, select the "Use a proxy server" option and fill in the proxy server's IP address, 192.168.9.1, and the proxy port number, 3128.

2. To make better use of the Squid proxy server we can make more detailed settings: click the "Advanced..." button to enter the proxy server settings dialog shown in Figure 7-3.

Figure 7-3 Proxy server settings dialog

Because Squid is an HTTP and FTP proxy server, we should restrict the protocols that go through the proxy to only HTTP and FTP, as shown below:

Figure 7-4 Modified proxy server settings

7.2 IP proxy server

Using an HTTP proxy server gives each computer on the LAN the three services HTTP/HTTPS/FTP. Next we discuss how to make Linux an IP proxy server that connects the LAN and the Internet seamlessly.

On the Internet every host must have a unique IP address. The current IP protocol is IPv4, the fourth version of IP. Although its designers boldly used 32-bit addresses (roughly 3.2 billion distinct addresses), this still cannot meet the ever-growing needs of the network. The industry has therefore begun research on and the transition to IPv6, which uses 128-bit addresses and can represent the fourth power of that number of distinct addresses. Until the new IP protocol is in place, however, people can only use some compromise methods.
The most common method today is this: a network that connects directly to the Internet must apply for public addresses, which are unique worldwide and never duplicated. Networks that do not intend to connect directly to the Internet can use "private addresses", which may be duplicated. Although these private addresses may be used by many networks, those networks do not communicate with each other, so no conflict arises. According to RFC 1918, the following addresses are private addresses:

1 class A address: 10.0.0.0

16 class B addresses: 172.16.0.0 ~ 172.31.0.0

256 class C addresses: 192.168.0.0 ~ 192.168.255.0

That is, we use these network addresses to define the internal network and then connect it to the Internet through a gateway or another system that can perform network address translation, as shown in the figure below:

Figure 7-5 How the IP proxy server works

As shown in the figure above, private addresses are used on the LAN, and the gateway has two IP addresses: one on the internal network and one globally unique public address. In general, applying for a DDN line yields eight public addresses. In the following sections we use this setup as the prototype for the specific configuration method. It is worth noting that although the figure shows only two machines on the LAN side, there can actually be up to 254 (because we use a class C address, 192.168.0).

7.3 Installing the IP proxy server

7.3.1 Recompiling the kernel

If you are using Red Hat Linux 6.0, skip this section: it has already been done in Red Hat Linux 6.0. Otherwise, confirm that the following kernel options are set as required:

IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [Y/n] Y

IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n] Y

Network firewalls (CONFIG_FIREWALL) [Y/n] Y

TCP/IP networking (CONFIG_NET) [Y/n] Y

IP: firewalling (CONFIG_IP_FIREWALL) [Y/n] Y

IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n] Y

7.3.2 Configuring two network cards

To use this computer as an IP proxy server, two network cards must be installed, and you must confirm that both eth0 and eth1 are working properly. For NIC configuration, refer to the third chapter of this series. While configuring the NICs, you can reload the network configuration with the following command:

/etc/rc.d/init.d/network restart

Set the IP addresses of the two NICs according to the actual situation: one is the IP address on the LAN, the other is the public IP address connected to the Internet. For example, we connect the IP proxy server to the internal network switch with the first network card (eth0) and assign the internal network IP address to this first card:

IP address: 192.168.200.1  Netmask: 255.255.255.0

We connect the IP proxy server to the DDN line with the second network card (eth1) (this part of the connection is generally supplied by the ISP providing the DDN line), and assign a public address to this second card:

IP address: 202.101.98.1  Netmask: 255.255.255.0

7.3.3 Setting IP forwarding rules

The tool for setting IP forwarding rules differs with the Linux kernel version: earlier versions use ipfwadm, and newer versions (kernel 2.2 and later) use ipchains. The following briefly explains how to set IP forwarding rules with the ipchains tool.

1. Approach

Generally, there are two approaches to setting IP forwarding rules:

1) Prohibit all input, output and forwarded packets completely, then open the required services one by one as needed. This method is relatively safe, but if you do not know which services and ports must be opened for the functions you want, it is hard to do.

2) Allow all input, output and forwarded packets, then prohibit the dangerous ones: IP spoofing packets, broadcast packets, ICMP-based attacks and so on. The disadvantage of this method is that it is not safe enough, but it is more convenient and easy to configure. This article uses this second approach.

2. Preparation

Before setting anything, we should have a comprehensive understanding of the network environment and the requirements to be configured, so that we know what we are doing when we set it. In this example we refer to Figure 7-5. In addition, since there are many IP forwarding rules and they change easily, we generally create a dedicated script file (for example /etc/ipchains.set) to hold them. After creating it, we give it execute permission with chmod and then run it so that the forwarding rules take effect. To make these rules take effect at boot, add the following line to /etc/rc.d/rc.local:

/etc/ipchains.set

3. Basics

At startup the Linux kernel defines three rule tables, called chains: input, output and forward. When a packet arrives from a NIC, the kernel uses the rules of the input chain to determine the fate of the packet (pass or discard); if it passes, the kernel determines where the packet is to be sent, and if it is to be sent to another machine, the kernel uses the forward chain rules to decide its fate; finally, before sending it out, the kernel applies the output chain to decide its fate. The lo interface is the local loopback interface: if a packet is generated by a local process for another local process, it enters through lo.

4. Configuration example

A configuration example is given below; the commentary explains each part.

1) At the beginning, start the script file and display a message:

#!/bin/sh
echo "Starting ipchains rules...."

2) Clear all existing rules:

/sbin/ipchains -F forward
/sbin/ipchains -F input
/sbin/ipchains -F output

3) Set the default policy of each chain; DENY means discard, ACCEPT means pass:

/sbin/ipchains -P forward DENY
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT

4) Set the internal IP variable:

External_Interface=192.200.168.1

5) Set the rules for the local loopback interface lo:

/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i lo

Packets between local processes should pass without obstruction, so we set both the input and output chains to ACCEPT them. Note that because this is the local loopback, there is no forward rule.

6) Prevent IP spoofing:

/sbin/ipchains -A input -j DENY -i eth1 -s 192.168.200.0/24
/sbin/ipchains -A input -j DENY -i eth1 -d 192.168.200.0/24
/sbin/ipchains -A output -j DENY -i eth1 -s 192.168.200.0/24
/sbin/ipchains -A output -j DENY -i eth1 -d 192.168.200.0/24

So-called IP spoofing refers to an IP packet carrying an impossible source or destination address. eth1 faces the external Internet, while 192.168.200.0 is the network number of the internal network, so if a packet entering the host from eth1 claims a source address on the 192.168.200.0 network, or its destination address is on that network, it is obviously an IP spoof, and we use DENY to discard it (the first two lines). To explain the notation: 192.168.200.0/24 means network number 192.168.200.0 with subnet mask 255.255.255.0, i.e. all IP addresses belonging to network 192.168.200.0. Similarly, if a packet is about to go out to the Internet and its source or destination address belongs to network 192.168.200.0, that is also impossible, and we again use DENY to discard it (the last two lines).

7) Prevent broadcast packets from entering the IP proxy server from the LAN:

/sbin/ipchains -A input -j DENY -i eth0 -s 255.255.255.255
/sbin/ipchains -A input -j DENY -i eth0 -d 0.0.0.0
/sbin/ipchains -A input -j DENY -i eth0 -s 240.0.0.0/3

A packet whose source address is 255.255.255.255 or whose destination address is 0.0.0.0 is a broadcast packet; when such a packet wants to enter through eth0 we DENY it, i.e. discard it. 240.0.0.0/3 is the standard multicast address range; when a packet's source address belongs to the multicast range we likewise use the DENY policy to discard it.

8) Set IP packet forwarding so that the LAN can reach the Internet through eth1:

/sbin/ipchains -A forward -j ACCEPT -i eth1 -s 192.168.200.0/24
/sbin/ipchains -A forward -j ACCEPT -i eth1 -d 192.168.200.0/24

9) Enable IP masquerading:

echo "1" > /proc/sys/net/ipv4/ip_forward

10) Load some special-purpose masquerading modules:

/sbin/modprobe ip_masq_ftp

/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_raudio

11) Set the IP forwarding (masquerading) rule for the eth0 network:

/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.200.0/24

12) If you want to prohibit a particular host on the LAN, say 192.168.200.5, from using the IP proxy server, you can set:

/sbin/ipchains -A forward -j DENY -i eth1 -s 192.168.200.5/32
/sbin/ipchains -A forward -j DENY -i eth1 -d 192.168.200.5/32

Note that ipchains evaluates a chain's rules in order and the first match wins, so these two lines must be placed before the ACCEPT rules of step 8 in the script to have any effect.
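The kernel applies each chain's rules in order, first match wins, and falls back to the chain's policy, which is also why the placement of step 12's DENY lines matters. The following added Python model of that evaluation (not ipchains itself) encodes the rule set from this section, with constructed packets, and shows the effect of rule placement.

```python
import ipaddress

# Constructed model of the rules in this section's /etc/ipchains.set (an added
# illustration, not the ipchains tool). Each entry: (chain, target, interface, source,
# destination); None means "any". For the input chain the interface is where the packet
# arrived; for the forward and output chains it is the interface it will leave on.
RULES = [
    ('input',   'ACCEPT', 'lo',   None,                 None),                # step 5
    ('output',  'ACCEPT', 'lo',   None,                 None),
    ('input',   'DENY',   'eth1', '192.168.200.0/24',   None),                # step 6
    ('input',   'DENY',   'eth1', None,                 '192.168.200.0/24'),
    ('output',  'DENY',   'eth1', '192.168.200.0/24',   None),
    ('output',  'DENY',   'eth1', None,                 '192.168.200.0/24'),
    ('input',   'DENY',   'eth0', '255.255.255.255/32', None),                # step 7
    ('input',   'DENY',   'eth0', None,                 '0.0.0.0/32'),
    ('input',   'DENY',   'eth0', '240.0.0.0/3',        None),
    ('forward', 'ACCEPT', 'eth1', '192.168.200.0/24',   None),                # step 8
    ('forward', 'ACCEPT', 'eth1', None,                 '192.168.200.0/24'),
    ('forward', 'MASQ',   'eth0', '192.168.200.0/24',   None),                # step 11
]
# Default policies from step 3: only the forward chain denies by default.
POLICY = {'input': 'ACCEPT', 'output': 'ACCEPT', 'forward': 'DENY'}

def _matches(rule, chain, iface, src, dst):
    r_chain, _target, r_if, r_src, r_dst = rule
    if r_chain != chain or (r_if is not None and r_if != iface):
        return False
    # strict=False mirrors ipchains, which simply masks the address (240.0.0.0/3 -> 224.0.0.0/3).
    if r_src is not None and src not in ipaddress.ip_network(r_src, strict=False):
        return False
    if r_dst is not None and dst not in ipaddress.ip_network(r_dst, strict=False):
        return False
    return True

def verdict(chain, iface, src, dst, rules=RULES):
    """Walk the chain top to bottom: the first matching rule decides, and a packet
    that matches nothing gets the chain's default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, chain, iface, s, d):
            return rule[1]
    return POLICY[chain]

def with_host_block(host, rules=RULES, at_end=True):
    """Step 12's per-host DENY rules, appended (as the script does) or placed first."""
    block = [('forward', 'DENY', 'eth1', host + '/32', None),
             ('forward', 'DENY', 'eth1', None, host + '/32')]
    return rules + block if at_end else block + rules
```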

5. Client settings

After the IP proxy server is set up, the client settings are very simple: as long as the gateway in the NIC's TCP/IP properties is set to 192.168.200.1, the client can access the Internet seamlessly.

Please credit the original source when reposting: https://www.9cbs.com/read-22116.html
