Successfully Using Squid + iptables to Configure a Transparent Proxy (ZT)

xiaoxiao2021-03-06  13

Hardware: HP DL145, 2 × Opteron, AMD 8111/8131 chipset, 1 GB of memory, running Red Hat Enterprise Linux Advanced Server 4 for i386. First, based on material found online: I will not go into the installation of Squid and iptables in detail; a general look at the documentation is enough. Our company uses one machine as the proxy: eth0 is connected to the external network and eth1 to the internal network. Here is my configuration. For the iptables configuration, create a file named firewall in the /etc/rc.d/ directory with the touch command, run chmod u+x firewall to make it executable, then edit /etc/rc.d/rc.local and add the line /etc/rc.d/firewall so that this script runs automatically at boot.

Quote:
    #!/bin/sh
    echo "starting ip forward"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "starting iptables rules"
    modprobe ip_tables
    modprobe ip_nat_ftp
    /sbin/iptables -F -t nat
    # redirect all port-80 traffic arriving from the LAN to Squid on port 3128
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    # masquerade (NAT) everything leaving through eth0
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Squid configuration:

Quote:
    http_port 3128
    cache_mem 512 MB
    cache_swap_low 75
    cache_swap_high 95
    maximum_object_size 1024 KB
    cache_dir ufs /usr/local/squid/cache 60000 16 256
    cache_access_log /var/squid/logs/access.log
    cache_log /dev/null
    cache_store_log none
    debug_options ALL,1
    icp_access allow all
    icp_query_timeout 2000
    cache_effective_user nobody
    cache_effective_group nogroup
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    acl all src 0.0.0.0/0
    acl our_networks src 192.168.30.0/24
    http_access allow our_networks
    http_access deny all
    acl QUERY urlpath_regex -i cgi-bin \? \.exe$ \.zip$ \.mp3$ \.mp2$ \.rm$ \.avi$
    no_cache deny QUERY
    reference_age 3 days
    quick_abort_min 16 KB
    quick_abort_max 16 KB
    quick_abort_pct 95
    connect_timeout 60 seconds
    read_timeout 3 minutes
    request_timeout 30 seconds
    client_lifetime 30 seconds
    half_closed_clients off
    pconn_timeout 60 seconds
    ident_timeout 10 seconds
    shutdown_lifetime 10 seconds
    memory_pools off
    memory_pools_limit 0

Of these, two lines, reference_age 3 days and ident_timeout 10 seconds, produced errors:

Quote:
    2005/03/03 15:09:34| parseConfigFile: line 3379 unrecognized: 'reference_age 3 days'
    2005/03/03 15:34:57| parseConfigFile: line 1645 unrecognized: 'ident_timeout 10 seconds'

Later I deleted the reference_age 3 days line. At that point the transparent proxy worked: the client's gateway is set to the IP of this proxy server's eth1, and the client browser needs no proxy settings. However, the client DNS had a problem. Entering an IP address in the client browser reaches the external network, but entering a domain name does not; running nslookup www.chinaunix.net from the client command line prompts:

Quote: DNS request timed out

I added to squid.conf:

Quote: acl Safe_ports port 53 # DNS

The fault persisted, so I then ran:

Quote: iptables -A FORWARD -p udp --dport 53 -j ACCEPT

The fault still persisted. Then I ran setup on the proxy server, reconfigured the firewall, entered 53 there, restarted iptables and re-ran my firewall script, and the problem was gone without restarting Squid. Success! In other words, only port 53 needed to be opened on the proxy server. Because the BIND service is not running, an nmap scan of the server does not show port 53 as open. Next, to set up some ACL restrictions, I added to squid.conf:

Quote:
    acl mmxfile urlpath_regex -i \.mp3$ \.avi$
    http_access deny mmxfile

squid.conf originally contained:

Quote:
    acl QUERY urlpath_regex -i cgi-bin \? \.exe$ \.zip$ \.mp3$ \.mp2$ \.rm$ \.avi$
    no_cache deny QUERY

After restarting Squid, the client can still download MP3s, but only the first part of the file is downloaded, and the part that was downloaded can be played. I don't know whether this is a Squid problem or a network problem.

Quote:
    [root@amd squid]# tail access.log
    1109905921.282  30003 192.168.30.2 TCP_MISS/206 306468 GET http://www.joyhero.net/down/music/barn/0052.mp3 - DIRECT/202.102.246.240 audio/mpeg
    1109905957.105   2134 192.168.30.2 TCP_MISS/302 664 GET http://autoupdate.windowsmedia.com/update/update.asp - DIRECT/207.46.248.96 text/html
    1109905967.471  10365 192.168.30.2 TCP_MISS/200 10689 GET http://autoupdate.windowsmedia.com/update/CHS/control.xml - DIRECT/207.46.248.96 text/xml
    1109905982.264  29696 192.168.30.2 TCP_MISS/200 354348 GET http://www.joyhero.net/down/music/barn/0012.mp3 - DIRECT/202.102.246.240 audio/mpeg
    1109906054.122   1155 192.168.30.2 TCP_MISS/304 202 GET http://www.joyhero.net/down/music/barn/0052.mp3 - DIRECT/202.102.246.240 -
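As an added illustration (my own code, not part of the original post), the following Python script parses Squid's native access.log format, which is the layout of the tail output above, and summarises what a defender would check: which clients are receiving TCP_DENIED responses, how many bytes of media files actually got through, and which media fetches were served as partial content (status 206). The sample lines are the ones shown in this post, including the TCP_DENIED lines quoted later, embedded inline so the script runs offline; parse_line, parse_log, summarize and MEDIA_RE are names I chose.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Squid 2.x native access.log layout (one request per line):
#   time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# File extensions the post's QUERY and mmxfile ACLs are concerned with.
MEDIA_RE = re.compile(r"\.(mp3|mp2|rm|avi)$", re.IGNORECASE)

# Sample input: the access.log lines shown in this post (both tail outputs).
SAMPLE_LOG = """\
1109905921.282  30003 192.168.30.2 TCP_MISS/206 306468 GET http://www.joyhero.net/down/music/barn/0052.mp3 - DIRECT/202.102.246.240 audio/mpeg
1109905957.105   2134 192.168.30.2 TCP_MISS/302 664 GET http://autoupdate.windowsmedia.com/update/update.asp - DIRECT/207.46.248.96 text/html
1109905967.471  10365 192.168.30.2 TCP_MISS/200 10689 GET http://autoupdate.windowsmedia.com/update/CHS/control.xml - DIRECT/207.46.248.96 text/xml
1109905982.264  29696 192.168.30.2 TCP_MISS/200 354348 GET http://www.joyhero.net/down/music/barn/0012.mp3 - DIRECT/202.102.246.240 audio/mpeg
1109906054.122   1155 192.168.30.2 TCP_MISS/304 202 GET http://www.joyhero.net/down/music/barn/0052.mp3 - DIRECT/202.102.246.240 -
1109918593.578      1 192.168.30.2 TCP_DENIED/403 1436 GET http://dn.clubhi.com/2005.mp3 - NONE/- text/html
1109918606.563     46 192.168.30.2 TCP_DENIED/403 1436 GET http://dn.clubhi.com/2005.mp3 - NONE/- text/html
1109918611.604     25 192.168.30.2 TCP_DENIED/403 1436 GET http://dn.clubhi.com/2005.mp3 - NONE/- text/html
1109918616.666     24 192.168.30.2 TCP_DENIED/403 1436 GET http://dn.clubhi.com/2005.mp3 - NONE/- text/html
"""


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    # Squid logs UNIX time with a millisecond fraction; keep it as an aware UTC datetime.
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    return rec


def parse_log(text):
    """Parse every line that matches the native format; skip anything else."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def summarize(records):
    """Per-client view of denials and of media files that were actually served."""
    denied = Counter()              # client -> number of TCP_DENIED responses
    media_bytes = defaultdict(int)  # client -> bytes of media files served
    partial = []                    # media URLs served as 206 Partial Content
    for rec in records:
        if rec["result"] == "TCP_DENIED":
            denied[rec["client"]] += 1
            continue
        path = rec["url"].split("?", 1)[0]   # ignore any query string
        if MEDIA_RE.search(path):
            media_bytes[rec["client"]] += rec["bytes"]
            if rec["status"] == 206:
                partial.append(rec["url"])
    return {"denied": dict(denied),
            "media_bytes": dict(media_bytes),
            "partial_media": partial}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec["when"].strftime("%Y-%m-%d %H:%M:%S"), rec["client"],
              f'{rec["result"]}/{rec["status"]}', rec["bytes"], rec["url"])
    print(summarize(recs))
```

Run against a real access.log with `parse_log(open("/var/squid/logs/access.log").read())`; the timestamps come out in UTC, which is why the first line above decodes to 03:12 rather than the 11:12 local time on the server.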

Looking carefully at squid.conf, I found why the download restriction was not working: my client network is defined in squid.conf as our_networks, and this line:

Quote: http_access allow our_networks

sits before this line:

Quote: http_access deny mmxfile

So an MP3 request matches the allow rule first and is never blocked. This is also the most common Squid ACL mistake: the order of the ACL rules!!! After changing the ACL order, the client can no longer download the MP3. Here is the log from the download manager:
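To make the first-match rule concrete, here is an added Python model of Squid's http_access evaluation (my own illustration, not Squid's code). It parses acl and http_access lines for the three ACL types this post uses (src, urlpath_regex, port), applies first-match semantics together with Squid's documented default (when nothing matches, the opposite of the last rule's action), and runs the post's MP3 request from 192.168.30.2 against both the original ordering and the corrected one. Request, Acl, Config, parse_config and http_access are names I chose; the two configuration strings are constructed from the post's squid.conf lines.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed from the post's squid.conf: the order that let MP3s through.
CONFIG_ORIGINAL = r"""
acl all src 0.0.0.0/0
acl our_networks src 192.168.30.0/24
acl mmxfile urlpath_regex -i \.mp3$ \.avi$
http_access allow our_networks
http_access deny all
http_access deny mmxfile      # appended after the allow: never reached for LAN clients
"""

# The corrected order: the deny is evaluated before the network-wide allow.
CONFIG_FIXED = r"""
acl all src 0.0.0.0/0
acl our_networks src 192.168.30.0/24
acl mmxfile urlpath_regex -i \.mp3$ \.avi$
http_access deny mmxfile
http_access allow our_networks
http_access deny all
"""


@dataclass
class Request:
    src: str   # client IP address
    url: str   # full request URL


class Acl:
    """One 'acl NAME TYPE [-i] VALUE...' line for the ACL types used in the post."""

    def __init__(self, name, kind, args):
        self.name, self.kind = name, kind
        ignore_case = False
        if args and args[0] == "-i":            # Squid's case-insensitive flag for regex ACLs
            ignore_case, args = True, args[1:]
        if kind == "src":
            self.nets = [ipaddress.ip_network(a, strict=False) for a in args]
        elif kind in ("urlpath_regex", "url_regex"):
            self.patterns = [re.compile(a, re.IGNORECASE if ignore_case else 0) for a in args]
        elif kind == "port":
            self.ports = {int(a) for a in args}
        else:
            raise ValueError(f"unsupported acl type {kind!r}")

    def matches(self, req):
        parts = urlsplit(req.url)
        if self.kind == "src":
            return any(ipaddress.ip_address(req.src) in n for n in self.nets)
        if self.kind == "port":
            return (parts.port or 80) in self.ports
        if self.kind == "urlpath_regex":        # path and query only, no scheme or host
            target = parts.path + (f"?{parts.query}" if parts.query else "")
        else:                                   # url_regex: the whole URL
            target = req.url
        return any(p.search(target) for p in self.patterns)


class Config:
    def __init__(self):
        self.acls = {}
        self.rules = []   # (action, [(acl_name, negated)], original line)


def parse_config(text):
    cfg = Config()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "acl":
            cfg.acls[tok[1]] = Acl(tok[1], tok[2], tok[3:])
        elif tok[0] == "http_access":
            terms = [(t.lstrip("!"), t.startswith("!")) for t in tok[2:]]
            for name, _ in terms:
                if name not in cfg.acls:        # Squid rejects a rule naming an undefined acl
                    raise ValueError(f"http_access uses undefined acl {name!r}")
            cfg.rules.append((tok[1], terms, line))
    return cfg


def http_access(cfg, req):
    """Return (decision, rule) for the first http_access line whose acls all match."""
    for action, terms, line in cfg.rules:
        if all(cfg.acls[name].matches(req) != negated for name, negated in terms):
            return action, line
    if not cfg.rules:
        return "allow", None
    last = cfg.rules[-1][0]   # no match: Squid uses the opposite of the last rule's action
    return ("deny" if last == "allow" else "allow"), None


if __name__ == "__main__":
    mp3 = Request("192.168.30.2", "http://dn.clubhi.com/2005.mp3")
    for label, text in (("original", CONFIG_ORIGINAL), ("fixed", CONFIG_FIXED)):
        print(label, http_access(parse_config(text), mp3))
```

The returned rule text shows which line made the decision, which is the quickest way to see an ordering problem: in the original order the MP3 request is decided by `http_access allow our_networks`, and the later deny is never consulted.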

Quote:
    2005-03-04 14:45:42.796 Connected to dn.clubhi.com:80
    2005-03-04 14:45:42.796 Connected to 61.129.67.121:80
    2005-03-04 14:45:42.812 GET / 1.1
    2005-03-04 14:45:42.812 Host: dn.clubhi.com
    2005-03-04 14:45:42.812 Accept: */*
    2005-03-04 14:45:42.812 User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
    2005-03-04 14:45:42.812 Connection: Keep-Alive
    2005-03-04 14:45:42.843 HTTP/1.0 403 Forbidden
    2005-03-04 14:45:42.843 Server: squid/2.5.STABLE6
    2005-03-04 14:45:42.843 Mime-Version: 1.0
    2005-03-04 14:45:42.843 Date: Fri, 04 Mar 2005 06:45:19 GMT
    2005-03-04 14:45:42.843 Content-Type: text/html
    2005-03-04 14:45:42.843 Content-Length: 1144
    2005-03-04 14:45:42.843 Expires: Fri, 04 Mar 2005 06:45:19 GMT
    2005-03-04 14:45:42.843 X-Squid-Error: 0
    2005-03-04 14:45:42.843 X-Cache: MISS from amd.zzzx.net.cn
    2005-03-04 14:45:42.843 Connection: keep-alive
    2005-03-04 14:45:42.859 Waiting 5 seconds before retry
    2005-03-04 14:45:44.812 Paused by user at 0

    [root@amd squid]# tail access.log
    1109918593.578      1 192.168.30.2 TCP_DENIED/403 1436 GET http://dn.clubhi.com/2005.mp3 - NONE/- text/html
    1109918606.563     46 192.168.30.2 TCP_DENIED/403 1436 GET http://dn.clubhi.com/2005.mp3 - NONE/- text/html
    1109918611.604     25 192.168.30.2 TCP_DENIED/403 1436 GET http://dn.clubhi.com/2005.mp3 - NONE/- text/html
    1109918616.666     24 192.168.30.2 TCP_DENIED/403 1436 GET http://dn.clubhi.com/2005.mp3 - NONE/- text/html

When I download this MP3 from another machine, it is fast; a file of a few MB finishes before an elapsed time is even displayed.

When reposting, please cite the original URL: https://www.9cbs.com/read-50280.html
