Linux + Squid + iptables Enterprise Program

xiaoxiao2021-03-05  27

Requirements:

01. Allow some people to access the Internet but not to download;
02. Allow some people to download;
03. Allow some people completely unrestricted access;
04. Allow everyone access during fixed hours with some restrictions, and remove the restrictions outside those hours;
05. Do not allow downloads of specific URL patterns: EXE / ZIP, etc.;
09. Allow sending and receiving mail for all domains (SMTP, POP3), and allow one domain to send and receive mail only with one domain;
10. Bind IP / MAC to the username for authenticated Internet access;
11. Three authentication methods (MySQL, Samba, NCSA);

First, I think 01 is impossible, and for 11 I do not know MySQL or Samba authentication, so only basic (NCSA) authentication is used; apart from these two, the rest can be achieved.

Assumptions: the subnet is 192.168.1.0/24; the mail domain is www.163.com, whose IP, obtained with ping, is 202.108.36.196, and the domain's mail is restricted by that IP (implemented in iptables). The external NIC is eth0 and the internal NIC is eth1, which carries both 192.168.1.201 and 192.168.0.201 (copy the eth1 interface configuration to eth1:1 and edit the eth1:1 copy). Unrestricted users get addresses above 192.168.0.201 and are identified by MAC address.

Because AS3 has no gcc and its own Squid package has no NCSA helper, install gcc and build Squid from source:

```shell
tar zxvf squid-2.5.STABLE7.tar.gz
cd squid-2.5.STABLE7
./configure --prefix=/usr/local/squid \
    --sysconfdir=/etc/squid \
    --enable-arp-acl \
    --enable-linux-netfilter \
    --enable-pthreads \
    --enable-err-language="Simplify_Chinese" \
    --enable-default-err-language="Simplify_Chinese" \
    --enable-storeio=ufs,null \
    --enable-auth="basic" \
    --enable-basic-auth-helpers="ncsa" \
    --enable-underscores
make
make install
```

Option notes: --sysconfdir is the configuration file location; --enable-arp-acl allows ACLs on the client's MAC address; --enable-linux-netfilter allows transparent proxying on Linux; the two --enable-*err-language options make Squid use Simplified Chinese error pages; --enable-storeio=ufs,null adds the null store so caching can be turned off; --enable-auth and --enable-basic-auth-helpers select the authentication scheme and the helper program; --enable-underscores allows underscores in URL hostnames.

Then configure squid.conf:

```conf
############################################################
# server configuration
icp_port 0
cache_store_log none
cache_access_log /dev/null
cache_log /dev/null
http_port 3128
cache_mem 128 MB
cache_dir null /tmp
pid_filename none
client_netmask 255.255.255.255
half_closed_clients on

# user classification
auth_param basic program /usr/bin/ncsa_auth /usr/etc/passwd
auth_param basic children 5
auth_param basic realm Tianfuming proxy-caching server
auth_param basic credentialsttl 2 hours
acl normal proxy_auth REQUIRED                  # user authentication
acl advance arp 00:01:02:1F:2C:3E 00:01:02:3C:1A:8B ...   # 10, IP/MAC binding with username authentication (add the remaining MAC addresses)
acl lana src 192.168.1.0/24
acl lanb src 192.168.0.1-192.168.0.200/32

# behavioural classification
acl download urlpath_regex -i \.mp3$ \.exe$ \.avi$ \.zip$   # the pattern list is partly garbled in the original
acl conncount maxconn 5                         # maximum connections per client
acl worktime time MTWHF 8:00-18:00              # 04, everyone is allowed access at fixed times with some restrictions
```
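The `auth_param basic program` line above hands every credential pair to an external helper; the following is an added example of such a helper (not code from the post and not Squid's ncsa_auth) so the exchange is visible. Squid writes one "username password" line per request to the helper's stdin and expects "OK" or "ERR" back on stdout. Password entries use the htpasswd "{SHA}" format (base64 of SHA-1), and the password file contents used below are constructed for the example. Remember that Basic authentication carries the credentials base64-encoded, not encrypted, so the proxy port should only be reachable from the trusted LAN.

```python
"""Minimal Squid basic-auth helper in the style of ncsa_auth.

Added example, not from the original post or from Squid. Protocol: one
"username password" line per request on stdin, reply "OK" or "ERR" on stdout.
Entries are htpasswd "{SHA}" lines, i.e. user:{SHA}base64(sha1(password)).
"""
import base64
import hashlib
import hmac
import sys


def sha_entry(password: str) -> str:
    """htpasswd '{SHA}' entry. Unsalted SHA-1 is weak by modern standards,
    but it is a format classic NCSA-style helpers read."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def load_passwd(text: str) -> dict:
    """Parse 'user:entry' lines; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, entry = line.split(":", 1)
        users[user] = entry
    return users


def check(users: dict, user: str, password: str) -> bool:
    entry = users.get(user)
    if entry is None or not entry.startswith("{SHA}"):
        return False  # unknown user, or a hash format this helper does not implement
    # constant-time comparison so timing does not leak how much of the hash matched
    return hmac.compare_digest(entry, sha_entry(password))


def handle_line(users: dict, line: str) -> str:
    """One protocol exchange: 'user password' in, 'OK' or 'ERR' out.
    (Squid 3.x and later URL-escape both fields; unquote them for those versions.)"""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    return "OK" if check(users, user, password) else "ERR"


# Constructed sample password file (not from the post), built with sha_entry().
SAMPLE_PASSWD = "# constructed sample\n" + "\n".join(
    f"{u}:{sha_entry(p)}" for u, p in [("alice", "s3cret"), ("bob", "hunter2")]
)


def main(path: str) -> None:
    with open(path) as f:
        users = load_passwd(f.read())
    for line in sys.stdin:
        sys.stdout.write(handle_line(users, line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main(sys.argv[1])
```

Used in place of ncsa_auth it would be referenced as `auth_param basic program /path/to/helper.py /path/to/passwd`; the password file is the only argument, and the helper keeps running for the life of the Squid process.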

The remaining ACLs, the http_access rules (the restriction is enforced here, and it is lifted outside working hours) and the transparent proxy settings:

```conf
acl qq dstdomain .snnu.edu.cn
acl badwords url_regex sex
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0                     # reconstructed from the garbled line in the original

http_access allow advance                       # 03, allow some people completely unrestricted access
http_access allow localhost
#http_access deny conncount normal
http_access deny badwords worktime              # URLs containing particular strings are not allowed during working hours
http_access deny qq worktime                    # 06, specific sites are not allowed during working hours
http_access allow lana !<acl>                   # 02, allow some people to download (the ACL name after "!" is lost in the original)
http_access deny download worktime              # 05, no downloading of specific URL patterns: EXE / ZIP, etc.
http_access allow lanb homepage                 # 08, allow some people to view only the specified website (the "homepage" ACL is not defined in the original)
http_access allow normal
http_access deny all                            # deny everything else

# 07, transparent proxy together with user authentication
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```

Firewall script:

```shell
#!/bin/sh
# Firewall script from the post, cleaned up: chain and target names are
# case-sensitive in iptables, and the shell syntax has been restored.
UPLINK="eth0"                 # external NIC
UPIP="abcd"                   # the post's placeholder for the public IP; replace it
LANLINK="eth1"                # internal NIC
ROUTER="yes"
#NAT="dynamic"                # dynamic public IP: masquerade
NAT="$UPIP"                   # static public IP: SNAT
INTERFACES="lo eth0 eth1"
SERVICES="80 22 25 110"       # TCP ports open to the outside
DENY=""                       # outbound TCP/UDP ports to block

case "$1" in
start)
    echo -n "Starting firewall..."
    modprobe ip_nat_ftp
    modprobe ip_conntrack_ftp
    iptables -P INPUT DROP
    iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -P FORWARD DROP
    # 09, mail (SMTP, POP3) may only be exchanged with the domain's IP.
    # The DROP for other mail servers must come before the general ACCEPT;
    # the post had them the other way round, so the ACCEPT matched first and
    # the restriction never applied.
    iptables -A FORWARD ! -d 202.108.36.196 -p tcp -m multiport --dport 25,110 -j DROP
    iptables -A FORWARD -p tcp -m multiport --dport 25,80,110 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -P OUTPUT DROP
    # enable public access to certain services
    for x in ${SERVICES}; do
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
    for y in ${DENY}; do
        iptables -A OUTPUT -p tcp --dport ${y} -j DROP
        iptables -A OUTPUT -p udp --dport ${y} -j DROP
    done
    # enable system log
    #iptables -A INPUT -j LOG --log-prefix "Bad input: "
    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    #iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
    # explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi
    # disable spoofing on all interfaces
    for x in ${INTERFACES}; do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done
    if [ "$ROUTER" = "yes" ]; then
        # we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]; then
            # dynamic IP address, use masquerading
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]; then
            # static IP, use SNAT; LAN web traffic not addressed to this host is
            # redirected to Squid (the post wrote "-j dnat --to-ports 3128", but
            # REDIRECT is the target that takes --to-ports; the "-p tcp --dport 80"
            # match is assumed, REDIRECT needs a protocol)
            iptables -t nat -A PREROUTING -i ${LANLINK} ! -d ${UPIP} -p tcp --dport 80 -j REDIRECT --to-ports 3128
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
        fi
    fi
    echo "OK!"
    exit 0
    ;;
stop)
    echo -n "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    iptables -F OUTPUT
    iptables -F FORWARD           # added: the post left FORWARD at policy DROP after stop
    iptables -P FORWARD ACCEPT
    # turn off NAT/masquerading, if any
    #iptables -t nat -F POSTROUTING
    echo "OK!"
    exit 0
    ;;
restart)
    $0 stop
    $0 start
    ;;
show)
    clear
    echo ">------------------------------------------------"
    iptables -L
    echo ">------------------------------------------------"
    iptables -t nat -L POSTROUTING
    exit 0
    ;;
*)
    echo "Usage: $0 {start|stop|restart|show}"
    exit 1
    ;;
esac
```

(http://www.fanqiang.com)
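The http_access rules above only do what the requirements ask if their order is right, because Squid evaluates them first-match: the first line whose ACLs all match decides, and a later line never runs. The following is an added example, not code from the post or from Squid, that models the ACL types the config uses and walks a request through the page's rule list, so the effect of requirements 02 through 05 on a given client can be checked before the config goes live. The requests it evaluates are constructed, the `homepage` domain is a placeholder because the post never defines that ACL, and the lost negated ACL on the `allow lana` line is modelled as a plain `allow lana`.

```python
"""First-match simulator for the http_access rules in the squid.conf above.

Added example, not from the original post or from Squid. ACL types modelled:
src, arp, proxy_auth, time, dstdomain, url_regex, urlpath_regex.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    src: str        # client IP address
    mac: str        # client MAC address, what the arp ACL sees
    authed: bool    # client sent valid proxy credentials (proxy_auth REQUIRED)
    weekday: str    # Squid day letter: S M T W H F A
    hour: float     # 24h clock, e.g. 9.5 for 09:30
    host: str       # destination host
    path: str       # URL path


def src_net(*specs):
    """src ACL: CIDR, addr/netmask or addr1-addr2/netmask range, as Squid writes them."""
    ranges = []
    for spec in specs:
        if "-" in spec:
            lo, hi = spec.split("-")
            hi = hi.split("/")[0]
            ranges.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        else:
            net = ipaddress.ip_network(spec, strict=False)
            ranges.append((net[0], net[-1]))
    return lambda r: any(lo <= ipaddress.ip_address(r.src) <= hi for lo, hi in ranges)


def arp(*macs):
    wanted = {m.lower() for m in macs}
    return lambda r: r.mac.lower() in wanted


def proxy_auth_required():
    return lambda r: r.authed


def time_acl(days, start, end):
    return lambda r: r.weekday in days and start <= r.hour < end


def dstdomain(*domains):
    def match(r):  # a leading dot matches the domain and all its subdomains
        host = r.host.lower()
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in domains)
    return match


def url_regex(*patterns):       # matched against the whole URL
    pats = [re.compile(p, re.I) for p in patterns]
    return lambda r: any(p.search(r.host + r.path) for p in pats)


def urlpath_regex(*patterns):   # matched against the path only
    pats = [re.compile(p, re.I) for p in patterns]
    return lambda r: any(p.search(r.path) for p in pats)


# ACL values from the page's config; "homepage" is a constructed placeholder.
ACLS = {
    "normal":    proxy_auth_required(),
    "advance":   arp("00:01:02:1F:2C:3E", "00:01:02:3C:1A:8B"),
    "lana":      src_net("192.168.1.0/24"),
    "lanb":      src_net("192.168.0.1-192.168.0.200/32"),
    "download":  urlpath_regex(r"\.mp3$", r"\.exe$", r"\.avi$", r"\.zip$"),
    "worktime":  time_acl("MTWHF", 8.0, 18.0),
    "qq":        dstdomain(".snnu.edu.cn"),
    "badwords":  url_regex("sex"),
    "localhost": src_net("127.0.0.1/255.255.255.255"),
    "homepage":  dstdomain("homepage.invalid"),   # placeholder; undefined in the post
    "all":       src_net("0.0.0.0/0.0.0.0"),
}

# The page's http_access lines in order ("allow lana" without its lost "!" term).
RULES = [
    ("allow", ["advance"]),
    ("allow", ["localhost"]),
    ("deny",  ["badwords", "worktime"]),
    ("deny",  ["qq", "worktime"]),
    ("allow", ["lana"]),
    ("deny",  ["download", "worktime"]),
    ("allow", ["lanb", "homepage"]),
    ("allow", ["normal"]),
    ("deny",  ["all"]),
]


def evaluate(req, rules=RULES, acls=ACLS):
    """Return (verdict, index of the deciding rule). A rule matches only when
    every ACL on it matches ("!" inverts one). If no rule matches, Squid
    applies the opposite of the last rule's action; the index is then None."""
    for i, (verdict, terms) in enumerate(rules):
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return verdict, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None


if __name__ == "__main__":
    # constructed: an unauthenticated lanb client fetching an .exe on Monday 10:00 ...
    work = Request("192.168.0.50", "00:aa:bb:cc:dd:ee", False, "M", 10, "dl.example", "/setup.exe")
    print(evaluate(work))   # ('deny', 5): requirement 05 applies during working hours
    # ... and the same client, authenticated, at 20:00
    late = Request("192.168.0.50", "00:aa:bb:cc:dd:ee", True, "M", 20, "dl.example", "/setup.exe")
    print(evaluate(late))   # ('allow', 7): requirement 04, the restriction is lifted
```

Two points the simulation makes visible: the `deny download worktime` line must stay above `allow normal`, or authenticated users download freely during working hours; and the `proxy_auth` ACL only ever matches requests that reach Squid as explicit proxy requests, since browsers do not send a Proxy-Authorization header on connections that were transparently redirected by the PREROUTING rule, so the "07" combination means authenticated users configure the proxy explicitly while redirected traffic falls through to the other rules.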

Original link: http://blog.ztlz.neet/more.asp?name=jingyuanke&id=53

Please cite the original address when reposting: https://www.9cbs.com/read-33573.html
