eth0 is my external (Internet-facing) network interface and eth1 is my intranet interface.

1. Set up static IP/MAC binding

Create the file /etc/ethers containing the correct IP-to-MAC mappings, in the following format:
[root@Test2 root]# more /etc/ethers
192.168.10.18   00:10:DC:6B:C6:31
192.168.10.111  00:10:5C:C0:2B:C1
192.168.10.13   4C:00:10:A3:38:5D
192.168.10.113  00:E0:4C:00:0C:2B
192.168.10.166  00:10:DC:61:B4:78
192.168.10.10   78:06:18:25:88:40
192.168.10.173  00:0F:1F:4D:EC:99
192.168.10.212  00:10:DC:6A:C0:C0
192.168.10.23   00:07:95:D8:C6:39
Then add "arp -f" to /etc/rc.d/rc.local so that the IP/MAC bindings are installed as static ARP entries at every boot (arp -f reads /etc/ethers when no file name is given).
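The same binding table also has to be mirrored by hand into the per-host FORWARD rules of the gateway script in step 2, which is where the two lists tend to drift apart. The following shell snippet is an added example, not code from the original post: it validates an /etc/ethers-style table and generates the matching iptables MAC-binding rules from it, so /etc/ethers stays the single source of truth. The sample table is constructed and contains one deliberately malformed MAC.

```shell
# Added example (not part of the original post): generate the iptables
# MAC-binding rules from an /etc/ethers-style table after validating it.
# Assumes "IP MAC" per line; '#' comments and blank lines are allowed.

# Constructed sample table: two valid bindings and one malformed MAC.
SAMPLE_ETHERS='# ip            mac
192.168.10.18   00:10:dc:6b:c6:31
192.168.10.111  00:10:5C:C0:2B:C1
192.168.10.10   78:06:18:25:88:06:18:25:88:40'

# Usage: gen_mac_rules < /etc/ethers
# Prints one "iptables -A FORWARD -s IP -m mac --mac-source MAC -j ACCEPT" line
# per valid binding; reports malformed or duplicate entries on stderr and returns 1.
gen_mac_rules() {
    awk '
    function valid_ip(s,   p, n, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++) if (p[i] !~ /^[0-9]+$/ || p[i] > 255) return 0
        return 1
    }
    function valid_mac(s,   p, n, i) {
        n = split(s, p, ":")
        if (n != 6) return 0
        for (i = 1; i <= 6; i++) if (p[i] !~ /^[0-9A-F][0-9A-F]$/) return 0
        return 1
    }
    BEGIN { bad = 0 }
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    {
        ip = $1; mac = toupper($2)            # normalise MAC to upper case
        if (NF != 2 || !valid_ip(ip) || !valid_mac(mac)) {
            print "line " NR ": malformed binding: " $0 > "/dev/stderr"; bad = 1; next
        }
        if (ip in seen) {
            print "line " NR ": duplicate IP " ip > "/dev/stderr"; bad = 1; next
        }
        seen[ip] = 1
        printf "iptables -A FORWARD -s %s -m mac --mac-source %s -j ACCEPT\n", ip, mac
    }
    END { exit bad }'
}
```

Run it as "gen_mac_rules < /etc/ethers > /etc/iptables-mac-rules" and source that file from the gateway script; a non-zero exit means the table needs fixing before the rules are loaded.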
2. Write the NAT (masquerading) script for Internet access

[root@Test2 root]# cat /etc/xxx
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
INET_IFACE="eth0"
INET_IP="210.75.18.36"
LAN_IFACE="eth1"
LAN_IP="192.168.10.2"
LAN_IP_RANGE="192.168.10.0/24"
IPT="/sbin/iptables"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_state
/sbin/modprobe ipt_LOG
for table in filter nat mangle; do
    $IPT -t $table -F
    $IPT -t $table -X
done
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# IP/MAC binding check: only forward traffic whose source IP and source MAC match
iptables -A FORWARD -s 192.168.10.18 -m mac --mac-source 00:10:DC:6B:C6:31 -j ACCEPT
iptables -A FORWARD -s 192.168.10.111 -m mac --mac-source 00:10:5C:C0:2B:C1 -j ACCEPT
iptables -A FORWARD -s 192.168.10.13 -m mac --mac-source 4C:00:10:A3:38:5D -j ACCEPT
iptables -A FORWARD -s 192.168.10.113 -m mac --mac-source 00:E0:4C:00:0C:2B -j ACCEPT
iptables -A FORWARD -s 192.168.10.166 -m mac --mac-source 00:10:DC:61:B4:78 -j ACCEPT
iptables -A FORWARD -s 192.168.10.10 -m mac --mac-source 78:06:18:25:88:40 -j ACCEPT
iptables -A FORWARD -s 192.168.10.173 -m mac --mac-source 00:0F:1F:4D:EC:99 -j ACCEPT
iptables -A FORWARD -s 192.168.10.212 -m mac --mac-source 00:10:DC:6A:C0:C0 -j ACCEPT
iptables -A FORWARD -s 192.168.10.23 -m mac --mac-source 00:07:95:D8:C6:39 -j ACCEPT
iptables -A FORWARD -s 192.168.10.52 -m mac --mac-source 00:02:A5:2E:B9:56 -j ACCEPT
# Limit BT downloads
/sbin/iptables -A FORWARD -p tcp --dport 6881:6890 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 6881:6890 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 6881:6890 -j DROP
# iptables logging. For the messages to reach a file, add the line
#   kern.=info /var/log/iptables
# to /etc/syslog.conf and restart the syslog service.
iptables -A FORWARD -p tcp -j LOG --log-level info --log-prefix "input packets"
if [ "$INET_IFACE" = "ppp0" ]; then
    $IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
else
    $IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
fi

3. Start Squid
Modify the /etc/squid/squid.conf configuration file:
At line 53, change "# http_port 3128" to "http_port 3128".
Add "visible_hostname xxx" (the machine's host name can also be used).
Around line 480, set "cache_mem 170 MB", roughly one third of the physical memory.
At line 679, change "cache_dir ufs /var/spool/squid 100 16 256" to "cache_dir ufs /var/spool/squid 512 24 256"; here 512 is the cache capacity in MB, 24 the number of first-level directories and 256 the number of second-level directories.
Around line 1699, add "acl myclients src 192.168.10.0/24" (the LAN network segment), and add "http_access allow myclients" before the "http_access allow localhost" and "http_access deny all" lines.
Switch the error message pages to Simplified Chinese:
[root@Test2 squid]# cd /etc/squid/
[root@Test2 squid]# rm -f errors
[root@Test2 squid]# ln -s /usr/share/squid/errors/Simplify_Chinese/ errors
[root@Test2 squid]# ll -d errors
lrwxrwxrwx    1 root     root           41 Mar 17 10:11 errors -> /usr/share/squid/errors/Simplify_Chinese/
[root@Test2 squid]#

Initialize and start squid:
[root@Test2 squid]# squid -z      # create the squid cache directories
2005/03/17 10:27:44| Creating Swap Directories
[root@Test2 squid]# service squid start
Starting squid: .                                          [  OK  ]
4. Set up the transparent proxy

Edit /etc/squid/squid.conf and add the following configuration at line 2067:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Restart squid:
[root@Test2 squid]# service squid restart
Stopping squid: ..                                         [  OK  ]
Starting squid: .                                          [  OK  ]

Modify the /etc/xxx iptables script and add the line that redirects LAN web traffic to squid:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
[root@Test2 squid]# cat /etc/xxx
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
INET_IFACE="eth0"
INET_IP="210.75.18.36"
LAN_IFACE="eth1"
LAN_IP="192.168.10.2"
LAN_IP_RANGE="192.168.10.0/24"
IPT="/sbin/iptables"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_state
/sbin/modprobe ipt_LOG
for table in filter nat mangle; do
    $IPT -t $table -F
    $IPT -t $table -X
done
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# IP/MAC binding check
iptables -A FORWARD -s 192.168.10.18 -m mac --mac-source 00:10:DC:6B:C6:31 -j ACCEPT
iptables -A FORWARD -s 192.168.10.111 -m mac --mac-source 00:10:5C:C0:2B:C1 -j ACCEPT
iptables -A FORWARD -s 192.168.10.13 -m mac --mac-source 4C:00:10:A3:38:5D -j ACCEPT
iptables -A FORWARD -s 192.168.10.113 -m mac --mac-source 00:E0:4C:00:0C:2B -j ACCEPT
iptables -A FORWARD -s 192.168.10.166 -m mac --mac-source 00:10:DC:61:B4:78 -j ACCEPT
iptables -A FORWARD -s 192.168.10.10 -m mac --mac-source 78:06:18:25:88:40 -j ACCEPT
iptables -A FORWARD -s 192.168.10.173 -m mac --mac-source 00:0F:1F:4D:EC:99 -j ACCEPT
iptables -A FORWARD -s 192.168.10.212 -m mac --mac-source 00:10:DC:6A:C0:C0 -j ACCEPT
iptables -A FORWARD -s 192.168.10.23 -m mac --mac-source 00:07:95:D8:C6:39 -j ACCEPT
iptables -A FORWARD -s 192.168.10.52 -m mac --mac-source 00:02:A5:2E:B9:56 -j ACCEPT
# Limit BT downloads
/sbin/iptables -A FORWARD -p tcp --dport 6881:6890 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 6881:6890 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 6881:6890 -j DROP
# iptables logging
iptables -A FORWARD -p tcp -j LOG --log-level info --log-prefix "input packets"
# transparent proxy: redirect LAN web traffic to squid
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
if [ "$INET_IFACE" = "ppp0" ]; then
    $IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
else
    $IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
fi

Then run /etc/xxx.
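In the script above the LOG rule sits after the ESTABLISHED,RELATED rule, the per-host MAC rules and the BT drops, so /var/log/iptables mostly records new TCP connections from hosts that failed the IP/MAC check. The shell snippet below is an added example, not code from the original post: it reads that log together with /etc/ethers and reports, per sender, whether the source IP is unknown or is using a MAC other than its bound one. The log lines and MAC addresses are constructed samples in the kernel LOG format.

```shell
# Added example (not part of the original post): audit the iptables LOG output
# of the gateway script against /etc/ethers. Assumes the lines are in the kernel
# LOG format and were produced by the "input packets" rule above.

# Constructed sample bindings and log lines (MACs are made up). LOG prints the
# prefix with no separator, hence "input packetsIN=eth1" in the sample.
SAMPLE_ETHERS='192.168.10.18 00:10:DC:6B:C6:31
192.168.10.111 00:10:5C:C0:2B:C1'
SAMPLE_LOG='Mar 17 10:31:02 Test2 kernel: input packetsIN=eth1 OUT=eth0 MAC=00:aa:bb:cc:dd:ff:00:aa:bb:cc:dd:01:08:00 SRC=192.168.10.77 DST=210.75.18.100 LEN=60 TTL=63 PROTO=TCP SPT=3344 DPT=80 SYN
Mar 17 10:31:05 Test2 kernel: input packetsIN=eth1 OUT=eth0 MAC=00:aa:bb:cc:dd:ff:00:aa:bb:cc:dd:01:08:00 SRC=192.168.10.77 DST=210.75.18.101 LEN=60 TTL=63 PROTO=TCP SPT=3345 DPT=443 SYN
Mar 17 10:32:10 Test2 kernel: input packetsIN=eth1 OUT=eth0 MAC=00:aa:bb:cc:dd:ff:00:aa:bb:cc:dd:02:08:00 SRC=192.168.10.18 DST=210.75.18.100 LEN=60 TTL=63 PROTO=TCP SPT=1025 DPT=80 SYN'

# Usage: audit_forward_log /etc/ethers < /var/log/iptables
# Prints "SRC SRC_MAC COUNT VERDICT" per sender, sorted by source IP.
audit_forward_log() {
    awk -v ethers="$1" '
    BEGIN {
        # load the bindings: IP -> upper-case MAC
        while ((getline line < ethers) > 0) {
            split(line, f, " ")
            if (f[1] !~ /^#/ && f[2] != "") bound[f[1]] = toupper(f[2])
        }
    }
    /kernel: input packets/ {
        src = mac = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^MAC=/) mac = substr($i, 5)
        }
        # the kernel MAC= field is dst(6 bytes):src(6 bytes):ethertype(2 bytes)
        n = split(mac, b, ":")
        srcmac = (n >= 12) ? toupper(b[7] ":" b[8] ":" b[9] ":" b[10] ":" b[11] ":" b[12]) : "?"
        key = src " " srcmac
        count[key]++
        if (!(src in bound)) verdict[key] = "not-in-ethers"
        else if (bound[src] != srcmac) verdict[key] = "mac-mismatch(expected " bound[src] ")"
        else verdict[key] = "bound"
    }
    END { for (k in count) print k, count[k], verdict[k] }' | sort
}
```

A "mac-mismatch" entry means either a replaced network card that needs a new /etc/ethers entry or a host using an address it was not assigned; "not-in-ethers" entries are hosts that were never registered.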
5. Restrict BT downloads

Modify /etc/squid/squid.conf: at line 444 add "acl BT urlpath_regex -i \.torrent$" (if you also need to block mp3 downloads and the like, use "acl BT urlpath_regex -i \.torrent$ \.mp3$"), and at line 1762 add "http_access deny BT". Note: it must be placed before the three lines "http_access allow myclients", "http_access allow localhost" and "http_access deny all".

Restart squid:
[root@Test2 squid]# service squid restart
Stopping squid: ..                                         [  OK  ]
Starting squid: .                                          [  OK  ]
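Squid evaluates http_access lines from top to bottom and stops at the first match, which is why the deny BT line has to precede the allows; a deny placed after "http_access allow myclients" is never reached. The shell snippet below is an added example, not code from the original post: it checks a squid.conf for that ordering and for the BT acl being defined before it is referenced, and can rewrite the file with the deny line moved up. The configuration is a constructed sample with the deny line in the wrong place.

```shell
# Added example (not part of the original post): verify that "http_access deny BT"
# exists, that the BT acl is defined before it, and that no earlier http_access
# allow line shadows it. Assumes squid 2.x directive syntax as used in this post.

# Constructed sample with the deny line placed after the allows.
SAMPLE_SQUID_CONF='http_port 3128
acl myclients src 192.168.10.0/24
acl BT urlpath_regex -i \.torrent$ \.mp3$
http_access allow myclients
http_access allow localhost
http_access deny BT
http_access deny all'

# Usage: check_bt_order < squid.conf
# Exit 0 = ordering correct, 1 = deny BT is shadowed, 2 = rule or acl missing.
check_bt_order() {
    awk '
    $1 == "acl" { acl_line[$2] = NR }
    $1 == "http_access" && $2 == "allow" && !first_allow { first_allow = NR }
    $1 == "http_access" && $2 == "deny" && $3 == "BT" && !deny_bt { deny_bt = NR }
    END {
        if (!deny_bt) { print "no http_access deny BT line"; exit 2 }
        if (!("BT" in acl_line) || acl_line["BT"] > deny_bt) {
            print "acl BT is not defined before line " deny_bt; exit 2
        }
        if (first_allow && first_allow < deny_bt) {
            print "deny BT on line " deny_bt " is shadowed by allow on line " first_allow; exit 1
        }
        print "ok: deny BT on line " deny_bt " precedes the first allow on line " first_allow; exit 0
    }'
}

# Usage: fix_bt_order < squid.conf > squid.conf.new
# Prints the configuration with the deny BT line moved in front of the first allow.
fix_bt_order() {
    awk '
    $1 == "http_access" && $2 == "deny" && $3 == "BT" { deny = $0; next }
    { lines[NR] = $0 }
    END {
        for (i = 1; i <= NR; i++) {
            if (!done && deny != "" && lines[i] ~ /^[ \t]*http_access[ \t]+allow/) { print deny; done = 1 }
            if (i in lines) print lines[i]
        }
        if (deny != "" && !done) print deny   # no allow line at all: keep the deny
    }'
}
```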
Attachment 1: a small script to check whether the ipt_mac module is loaded
#!/bin/sh
kversion=`uname -r`
lsmod | grep -q "ipt_mac"
if [ $? = "0" ]; then
    echo "ipt_mac exists in the kernel, you have already inserted it"
else
    echo "there isn't an ipt_mac in the kernel"
    echo "-----=====looking for the ipt_mac kernel module=====-----"
    cd /lib/modules/$kversion
    cat modules.dep | grep -q "ipt_mac"
    if [ $? = "0" ]; then
        echo "ok, got it..."
        modprobe ipt_mac
        if [ $? = "0" ]; then
            echo "-----=====load ipt_mac module success=====-----"
        else
            echo "-----=====load ipt_mac module failed=====-----"
        fi
    else
        echo "there isn't an ipt_mac module. please recompile the kernel with ipt_mac built in or as a module"
    fi
fi

Note 2: To block a specific host from the Internet, or to block QQ, add rules to the FORWARD chain of the NAT gateway; add "-s <ip>" to restrict a rule to a single source host:
/sbin/iptables -A FORWARD -p tcp -d tcpconn.tencent.com --dport 80 -j DROP
/sbin/iptables -A FORWARD -p tcp -d tcpconn.tencent.com --dport 443 -j DROP
/sbin/iptables -A FORWARD -p tcp -d tcpconn2.tencent.com -j DROP
/sbin/iptables -A FORWARD -i eth0 -p udp --dport 8000 -j DROP
Note 3: MSN Messenger and NetMeeting behind NAT, solution: http://www.chinalinuxpub.com/vbbforum/showthread.php?s=&threadid=42745