System preparation: an ordinary Linux machine. Hardware requirements: at least one network card, and an ADSL broadband line that has been applied for and activated.
Guangzhou Telecom's ADSL (LAN type) uses PPPoE dialing, so to use ADSL under Linux you must install a PPPoE client. The following explains the installation. I use Red Hat Linux 7.3 as the platform; on other Linux platforms the installation can follow the same steps.

First, prerequisites for the installation
1. Make sure the network card is installed and works. Check its status with:
# ifconfig eth0
2. Do not set a default route (gateway) in the system; the ADSL dial sets the default route itself. If you have already set one, delete it as follows: remove the GATEWAY= line from the file /etc/sysconfig/network, then run as root:
# /etc/rc.d/init.d/network restart
3. The pppd package must be installed. If the file /usr/sbin/pppd exists, pppd is installed; if not, install ppp-2.3.11-4.i386.rpm from the Red Hat Linux installation CD (the version may differ).

Second, installing the PPPoE client software
There are many PPPoE clients for Linux, most of them under the GNU license. The rp-pppoe package from http://www.roaringpenguin.com/pppoe/ is recommended; that site offers both an rp-pppoe binary package for the Red Hat platform and a source package.
1. Installing from the binary package:
A. Download the binary package http://www.roaringpenguin.com/pppoe/rp-pppoe-3.5-1.i386.rpm
B. Install it as root:
# rpm -Uvh rp-pppoe-3.5-1.i386.rpm
2. Installing from source: this also suits other Linux platforms, but the gcc compiler must be installed on the system.
A. Download the source package http://www.roaringpenguin.com/pppoe/rp-pppoe-3.5.tar.gz
B. Unpack it:
# tar xvfz rp-pppoe-3.5.tar.gz
# cd rp-pppoe-3.5
C. Compile and install by running the script:
# ./go
It compiles and installs automatically and finally calls /usr/sbin/adsl-setup for configuration; see section three.
Third, configuring the PPPoE client software
After installing the package, you must configure the PPPoE configuration file /etc/ppp/pppoe.conf, so that the user name, password and other settings in it are used when the ADSL dial is made.
We do not have to edit this file by hand; the adsl-setup tool configures it:
# /usr/sbin/adsl-setup
When the prompt >>> Enter your PPPoE user name: appears, enter the user name of the ADSL account.
When >>> Enter the Ethernet interface connected to the ADSL modem. For Solaris, this is likely to be something like /dev/hme0. For Linux, it will be ethn, where 'n' is a number. (default eth0): appears, enter eth0, the name of the network card connected to the ADSL modem.
When >>> Enter the demand value (default no): appears, enter no.
When Enter the DNS information here: appears, enter server, which means the DNS server IP address is obtained automatically from the ADSL dial.
When >>> Please enter your PPPoE password: appears, enter the password of the ADSL account.
When >>> Choose a type of firewall (0-2): appears, enter 0.
Finally the settings are summarized and you are asked to confirm them (y/n). If the information entered is correct, enter y to complete the configuration; otherwise enter n and re-enter it.

Fourth, starting the PPPoE client software
Start the PPPoE client with the command /usr/sbin/adsl-start, which makes the connection; if it succeeds a connected message appears. If it does not succeed, check the network cable, the ADSL modem and the other physical devices, and look at the system log messages. /usr/sbin/adsl-stop closes the connection to the ISP, and /usr/sbin/adsl-status shows the status of the current connection. If you want the ADSL connection to start when the Linux system boots, enter the command
# chkconfig --add adsl
which adds the adsl start script to the current run level. After the connection succeeds, the output of the command
# ifconfig -a
contains information about ppp0, and the IP address bound to it is the IP address obtained from the dial. Use the command
# netstat -nr
to view the routing table; the default route should go through the IP address obtained above.
If there is no default route, add it manually:
# route add default gw <the IP address acquired above>
Use the command
# nslookup www.sina.com.cn
If Sina's IP is resolved, the DNS server obtained from the dial is working. Finally, ping a domain name or an IP address; if there is a response, you are online.
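The checks in section four (ppp0 has an address in ifconfig -a, and netstat -nr shows a default route through the dial-up peer) as a script. This is an added example, not part of the original article: the parsing functions read command output as text so they can run offline on the constructed samples below, and all addresses in the samples are made up. On a PPP link the default route should point at the P-t-P (peer) address shown by ifconfig, which is what the script checks for.

```shell
#!/bin/sh
# Added example, not from the original article: verify an ADSL (PPPoE) link
# after adsl-start. Functions take command output as text so they can be
# tested offline on constructed samples (addresses below are made up).

# Address bound to ppp0, from "ifconfig -a" output on stdin.
ppp0_addr() {
    awk '/^ppp0/ { in_ppp = 1; next }
         /^[^ ]/  { in_ppp = 0 }
         in_ppp && /inet addr:/ { sub(/.*inet addr:/, ""); sub(/ .*/, ""); print; exit }'
}

# Remote (P-t-P) address of ppp0, from "ifconfig -a" output on stdin. On a
# PPP link this is the address the default route should point at.
ppp0_peer() {
    awk '/^ppp0/ { in_ppp = 1; next }
         /^[^ ]/  { in_ppp = 0 }
         in_ppp && /P-t-P:/ { sub(/.*P-t-P:/, ""); sub(/ .*/, ""); print; exit }'
}

# Gateway of the default route, from "netstat -nr" output on stdin (empty if none).
default_gw() {
    awk '$1 == "0.0.0.0" { print $2; exit }'
}

# check_adsl IFCONFIG_TEXT NETSTAT_TEXT
# Prints "ok ..." when link and default route are in place, the route command
# to run when the default route is missing, and an error (exit 1) otherwise.
check_adsl() {
    addr=$(printf '%s\n' "$1" | ppp0_addr)
    peer=$(printf '%s\n' "$1" | ppp0_peer)
    if [ -z "$addr" ]; then
        echo "error: ppp0 has no address; check the cable, the ADSL modem and the system log"
        return 1
    fi
    gw=$(printf '%s\n' "$2" | default_gw)
    if [ -z "$gw" ]; then
        echo "route add default gw $peer"
    elif [ "$gw" != "$peer" ]; then
        echo "error: default route goes via $gw, expected the ppp0 peer $peer"
        return 1
    else
        echo "ok: ppp0 is $addr, default route via $peer"
    fi
}

# Constructed sample output (made-up addresses) for running offline.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.100.123  Bcast:192.168.100.255  Mask:255.255.255.0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.45  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

SAMPLE_NETSTAT_NO_DEFAULT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo'

SAMPLE_NETSTAT_OK="$SAMPLE_NETSTAT_NO_DEFAULT
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 ppp0"

# With --live, check the running system; otherwise run against the samples.
if [ "${1:-}" = "--live" ]; then
    check_adsl "$(ifconfig -a)" "$(netstat -nr)"
else
    check_adsl "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT_NO_DEFAULT"
    check_adsl "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT_OK"
fi
```

Run it with --live on the ADSL machine as root; without arguments it only exercises the samples. When the default route is missing it prints the exact route command from the section above, with the peer address filled in.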
Note: it seems that during the configuration you are asked whether to start ADSL at boot; choose yes and you can skip running adsl-start after login.

Sixth, using two network cards to give a company or home network Internet access
Hardware requirements: as above, but with two network cards.
NAT mode: give the network card on the internal network a private address (from 192.168.0.0/16), such as 192.168.100.123/24. Do not set a default route (gateway) on it. Set DNS to the Guangzhou region server (61.144.56.100); in other regions use that region's DNS. In the /etc/rc.d/ directory create a firewall file with the touch command, run chmod u+x firewall to make it executable, and edit /etc/rc.d/rc.local to add /etc/rc.d/firewall at the end so that the script runs automatically at boot. The content of firewall is:
#!/bin/sh
echo "Enable IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules..."
/sbin/modprobe iptable_filter
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
# Refresh all chains
/sbin/iptables -F -t nat
# Masquerade the LAN behind the ADSL link; the source network must be the
# internal card's subnet (192.168.100.0/24 in this article's example)
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ppp0 -j MASQUERADE
Client settings (Windows 98/2000/XP, Linux): set the gateway to this Linux machine's address (192.168.100.123) and DNS to 61.144.56.100.
Transparent proxy: configure the proxy software Squid by editing /usr/local/squid/etc/squid.conf and modifying the following:
http_port 192.168.100.123:8080
cache_mem 48 MB
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl flag src 192.168.100.0/255.255.255.0
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user nobody
cache_effective_group nobody
http_access allow flag
http_access deny all
(Only LAN users are allowed to use the proxy; see the Access Control Lists section of the Squid manual on restricting access to the proxy.)
cache_dir ufs /var/spool/squid 100 16 256
The syntax of this directive is: cache_dir type directory-name mbytes level-1 level-2
(Description: this specifies the size of the swap space in which Squid stores objects, and its directory structure. Several cache_dir lines can define several such swap spaces, which can lie on different disk partitions. "directory" is the top-level directory of the swap space; to use a whole disk as swap space, mount that disk on this directory. The default is /var/spool/squid. "mbytes" is the total space available, in megabytes. Note that the Squid process must have read and write permission on the directory. "level-1" is the number of first-level subdirectories created in the top-level directory, 16 by default. Likewise, "level-2" is the number of second-level subdirectories created in each of them, 256 by default. Why so many subdirectories? If there are too few, the number of files stored in each subdirectory becomes very large, the time the system needs to find a file grows, and overall performance drops sharply. So, to reduce the number of files in each directory, we must increase the number of directories used. With only one level, the number of subdirectories in the top-level directory would be too large, so a two-level structure is used. How do you determine the number of subdirectories your system needs? It can be estimated with the following formula.)
Known: DS = available swap space (in KB) / number of swap spaces; OS = average object size = 20 KB; NO = number of objects stored in each second-level subdirectory = 256.
Unknown: L1 = number of first-level subdirectories; L2 = number of second-level subdirectories.
Formula: L1 x L2 = DS / OS / NO (note that this is an indeterminate equation and can have several solutions).
acl allow_domain dstdomain "/etc/squid/allow_domain"
Create the cache directories:
[root@proxy squid]# squid -z
Change the owner of this directory to squid (the owner must be the user Squid runs as, i.e. cache_effective_user):
[root@proxy squid]# chown squid:squid /var/spool/squid
Finally start Squid:
[root@iptable logs]# /usr/local/squid/bin/RunCache
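A check of the access-control part of the squid.conf above. This is an added example, not from the article or the Squid project: the configuration defines the Safe_ports, SSL_ports and CONNECT ACLs but never references them in an http_access line, so with "allow flag / deny all" a LAN client may CONNECT to any port through the proxy. The script reports ACLs that are defined but unused and whether the standard port guards (deny !Safe_ports, deny CONNECT !SSL_ports) come before the LAN allow rule, then shows the hardened ordering. The configuration text below is a shortened copy of the page's ACLs (constructed for the test).

```shell
#!/bin/sh
# Added example, not from the original article: audit the http_access rules
# of a squid.conf read on stdin. The sample configurations below are
# constructed from the ACLs shown in the article.

# Print, in definition order, the ACL names that no http_access line references.
unused_acls() {
    awk '
        $1 == "acl" && !($2 in defined) { defined[$2] = 1; order[++n] = $2 }
        $1 == "http_access" {
            for (i = 3; i <= NF; i++) { name = $i; sub(/^!/, "", name); used[name] = 1 }
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (!(order[i] in used)) out = out (out == "" ? "" : " ") order[i]
            print out
        }'
}

# port_guards_present LAN_ACL: exit 0 only if both port guards appear before
# "http_access allow LAN_ACL" (Squid uses the first matching rule).
port_guards_present() {
    awk -v lan="$1" '
        $1 != "http_access" { next }
        $2 == "allow" && $3 == lan { seen_lan_allow = 1 }
        $2 == "deny" && $3 == "!Safe_ports" && !seen_lan_allow { safe = 1 }
        $2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports" && !seen_lan_allow { ssl = 1 }
        END { exit !(safe && ssl) }'
}

# ACL definitions as in the article (shortened list of Safe_ports).
ACL_DEFS='acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl flag src 192.168.100.0/255.255.255.0'

# Access rules as given in the article: the port ACLs are never used.
PAGE_CONF="$ACL_DEFS
http_access allow flag
http_access deny all"

# Hardened rules: manager only from localhost, then the port guards, then the LAN.
HARDENED_CONF="$ACL_DEFS
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow flag
http_access deny all"

# audit CONF_TEXT: human-readable report for one configuration.
audit() {
    unused=$(printf '%s\n' "$1" | unused_acls)
    if [ -n "$unused" ]; then echo "unused ACLs: $unused"; fi
    if printf '%s\n' "$1" | port_guards_present flag; then
        echo "port guards: present before 'allow flag'"
    else
        echo "port guards: MISSING (add deny !Safe_ports and deny CONNECT !SSL_ports before allow flag)"
    fi
}

echo "== configuration as in the article =="; audit "$PAGE_CONF"
echo "== hardened configuration =="; audit "$HARDENED_CONF"
```

To audit the real file, feed it on stdin: unused_acls < /usr/local/squid/etc/squid.conf, and port_guards_present flag < /usr/local/squid/etc/squid.conf (exit status 0 means the guards are in place).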
The following ports should also be listening in the system:
[root@proxy logs]# netstat -ln
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:3130            0.0.0.0:*
These lines show that Squid has started normally. (With http_port set to 192.168.100.123:8080 as above, the tcp line shows that address and port instead of the default 0.0.0.0:3128.) Then use Red Hat's serviceconf tool to make the Squid server start automatically when the system boots.

5. iptables settings
In the /etc/rc.d/ directory create a firewall file with the touch command, run chmod u+x firewall to make it executable, and edit /etc/rc.d/rc.local to add /etc/rc.d/firewall so that the script runs automatically at boot. The content of the firewall file is:
#!/bin/sh
echo "Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules..."
# Refresh all chains
/sbin/iptables -F -t nat
# Redirect web traffic arriving from the LAN (eth1) to Squid on port 8080 (transparent proxy)
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Masquerade the LAN behind the ADSL link; the source network must be the
# internal card's subnet (192.168.100.0/24 in this article's example)
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ppp0 -j MASQUERADE
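The firewall scripts in section six (NAT) and section 5 (transparent redirection) only touch the nat table, so the filter table keeps its default ACCEPT policy and the machine forwards and accepts whatever arrives on ppp0. The script below is an added example, not the article's own: it produces the same MASQUERADE and REDIRECT rules but adds a filter policy that accepts and forwards only connections the LAN opened. The interface names, subnet and proxy port default to the article's values (eth1, ppp0, 192.168.100.0/24, 8080); the state match (-m state) is the standard iptables connection-tracking match and is assumed to be available on the system.

```shell
#!/bin/sh
# Added example, not the article's firewall script: NAT plus transparent-proxy
# redirection with a default-deny filter policy. Defaults follow the article;
# override them through the environment (LAN_IF, WAN_IF, LAN_NET, PROXY_PORT).

LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.100.0/24}
PROXY_PORT=${PROXY_PORT:-8080}

# fw_rules LAN_IF WAN_IF LAN_NET PROXY_PORT
# Emits the rule set as one iptables command per line so it can be reviewed
# or tested without touching the running kernel.
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $1 -s $3 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $1 -o $2 -s $3 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports $4
iptables -t nat -A POSTROUTING -s $3 -o $2 -j MASQUERADE
EOF
}

# rule_count RULES PATTERN: number of emitted lines containing PATTERN.
rule_count() {
    printf '%s\n' "$1" | awk -v pat="$2" 'index($0, pat) { n++ } END { print n + 0 }'
}

# Apply the rules (APPLY=1, as root) or just print them for review.
RULES=$(fw_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" "$PROXY_PORT")
if [ "${APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    printf '%s\n' "$RULES" | sh -e
else
    printf '%s\n' "$RULES"
fi
```

The INPUT rule for the LAN interface is what lets clients reach Squid on the proxy port (directly or after the REDIRECT); new connections arriving on ppp0 hit the DROP policy, while replies to connections the LAN or the machine itself opened pass through the ESTABLISHED,RELATED rules. Run it without APPLY to see the rules, and with APPLY=1 from /etc/rc.d/rc.local in place of the firewall file.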
7. Implementing Squid + iptables in a three-layer switched network with multiple VLANs
Enterprise networks often use three-layer switches. Dividing VLANs on a three-layer switch effectively isolates broadcast domains, prevents broadcast storms, and makes applications and management easier. However, it also brings a little trouble for the proxy. A traditional proxy, where each client sets the proxy server address and port, has no problem in a three-layer switched network. The key is the transparent proxy setup: here the gateway of each VLAN is the VLAN interface on the switch (for example, the VLAN1 gateway must be 192.168.100.1 and the VLAN2 gateway must be 192.168.110.1), and it is absolutely not possible to set the gateway address to the proxy server as in an ordinary network. Therefore the main problem of the transparent proxy in a three-layer switched network lies in the routing setup of the three-layer core switch and of the proxy server: the three-layer switch must have a default route pointing to the proxy server, and the server's routing table must have a route reaching all VLAN gateways. My network is as follows: 15 VLANs, routed as in the routing table; the proxy server (Squid + iptables) has two network cards and sits in VLAN1; eth0 connects to the external network with IP a.b.c.d and gateway a.b.c.1; eth1 connects to the intranet with IP 192.168.100.123/24 and no gateway. Add a route on the server to 192.168.0.0 netmask 255.255.0.0 via the VLAN1 gateway 192.168.100.1 (the path below shows the return route going through it). This makes the network part work. The transparent proxy settings are not covered here; please refer to the other articles.
In this way all VLANs can get online as long as the gateway and DNS are configured. For example, a computer in VLAN3 with IP 192.168.120.47, gateway 192.168.120.1 and DNS set to the service provider's server (Guangzhou ADSL: 61.144.56.100) works. The route from it is: -> 192.168.120.1 -> 192.168.100.1 -> 192.168.100.123 -> a.b.c.1 -> ......
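Why the proxy server needs the 192.168.0.0 netmask 255.255.0.0 route: without it, a reply to the VLAN3 host 192.168.120.47 matches only the default route and leaves through eth0 towards a.b.c.1 instead of going back to the switch on eth1. The script below is an added example, not from the article: a longest-prefix lookup over netstat -nr output, run on two constructed routing tables (before and after the route is added). The external network 198.51.100.0/24 and gateway 198.51.100.1 are made-up stand-ins for the article's a.b.c.0 and a.b.c.1; the VLAN gateway list is assumed from the article's examples.

```shell
#!/bin/sh
# Added example, not from the original article: which interface and gateway
# the proxy server uses to reach intranet hosts, before and after the
# 192.168.0.0/16 route is added. The routing tables are constructed.

# route_for ADDRESS  (routing table text, as printed by "netstat -nr", on stdin)
# Prints "GATEWAY IFACE" of the most specific matching route, or "unreachable".
route_for() {
    awk -v ip="$1" '
        # Bitwise AND of two octets, done with arithmetic so it works in POSIX awk.
        function band(a, b,   r, bit) {
            r = 0
            for (bit = 1; bit <= 128; bit *= 2)
                if (int(a / bit) % 2 == 1 && int(b / bit) % 2 == 1) r += bit
            return r
        }
        # True if ip falls inside dest/mask.
        function matches(dest, mask,   q, d, m, i) {
            split(ip, q, "."); split(dest, d, "."); split(mask, m, ".")
            for (i = 1; i <= 4; i++)
                if (band(q[i], m[i]) != band(d[i], m[i])) return 0
            return 1
        }
        # Numeric value of a netmask; a larger value means a longer prefix.
        function maskval(mask,   m) {
            split(mask, m, ".")
            return ((m[1] * 256 + m[2]) * 256 + m[3]) * 256 + m[4]
        }
        # Route lines start with a dotted destination; keep the longest matching mask.
        $1 ~ /^[0-9]+\./ && matches($1, $3) && maskval($3) >= best {
            best = maskval($3); gw = $2; dev = $NF; found = 1
        }
        END { if (found) print gw, dev; else print "unreachable" }'
}

# wrong_way ROUTING_TABLE LAN_IF ADDRESS...
# Prints, on one line, each address whose return path does not leave through LAN_IF.
wrong_way() {
    table=$1; lan_if=$2; shift 2
    out=""
    for a in "$@"; do
        case "$(printf '%s\n' "$table" | route_for "$a")" in
            *" $lan_if") ;;
            *) out="$out${out:+ }$a" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed table: eth0 on the (made-up) external network, eth1 in VLAN1, no intranet route.
TABLE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
198.51.100.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         198.51.100.1    0.0.0.0         UG        0 0          0 eth0'

# The same table after: route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.100.1
TABLE_AFTER="$TABLE_BEFORE
192.168.0.0     192.168.100.1   255.255.0.0     UG        0 0          0 eth1"

# VLAN gateways assumed from the article's examples, plus the VLAN3 host.
HOSTS="192.168.100.1 192.168.110.1 192.168.120.1 192.168.120.47"
echo "reply to 192.168.120.47 before: $(printf '%s\n' "$TABLE_BEFORE" | route_for 192.168.120.47)"
echo "reply to 192.168.120.47 after:  $(printf '%s\n' "$TABLE_AFTER" | route_for 192.168.120.47)"
echo "hosts leaving the wrong way before: $(wrong_way "$TABLE_BEFORE" eth1 $HOSTS)"
echo "hosts leaving the wrong way after:  [$(wrong_way "$TABLE_AFTER" eth1 $HOSTS)]"
```

On the real server the same check is netstat -nr | route_for 192.168.120.47 (or any other intranet address); only VLAN1 itself is reachable directly on eth1 before the /16 route exists, and after it every 192.168.x.y address returns through 192.168.100.1 on eth1, with the directly connected /24 still winning for VLAN1 hosts because it is the longer prefix.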