QQ登录

只需一步,快速开始

 找回密码
 注册

QQ登录

只需一步,快速开始

返回列表 发新帖
查看: 659|回复: 0

squid+iptables透明代理的问题!

[复制链接]
发表于 2005-2-22 22:33:41 | 显示全部楼层 |阅读模式
squid+iptables透明代理的问题!

eth0 内网网卡
eth1 外网
192.168.0.58 网关
192.168.0.140 内网cs服务器


/etc/sysconfig/iptables

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*mangle
REROUTING ACCEPT [0]
:OUTPUT ACCEPT [0]
COMMIT

*filter
:INPUT ACCEPT [0]
:FORWARD ACCEPT [0]
:OUTPUT ACCEPT [0]
:RH-Firewall-1-INPUT - [0]
-A INPUT -s 192.168.0.0/24 -i eth0 -p tcp -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth0 -p udp -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT
-A FORWARD -o eth1 -d 192.168.0.140 -j ACCEPT
-A FORWARD -i eth1 -s 192.168.0.140 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

*nat
REROUTING ACCEPT [0]
OSTROUTING ACCEPT [0]
:OUTPUT ACCEPT [0]
-A PREROUTING -d 218.16.xxx.xx -p tcp --dport 27015 -j DNAT --to 192.168.0.140
-A PREROUTING -d 218.16.xxx.xx -p udp --dport 27015 -j DNAT --to 192.168.0.140
-A POSTROUTING -d 192.168.0.140 -p udp --dport 27015 -j SNAT --to 218.16.xxx.xx
-A POSTROUTING -d 192.168.0.140 -p tcp --dport 27015 -j SNAT --to 218.16.xxx.xx
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to 3128
-A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE
COMMIT




/etc/squid/squid.conf
http_port 192.168.0.58:3128
#icp_port 0 #icp端口
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist -i ^https:\\ ?
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
acl denyssl urlpath_regex -i ^https:\\
no_cache deny QUERY
no_cache deny denyssl
cache_mgr [email protected]
visible_hostname 192.168.0.58

#about cache
cache_dir ufs /var/spool/squid 10240 16 256
cache_mem 80 MB
cache_swap_low 90
cache_swap_high 100
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB

#about DNS
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
dns_nameservers 202.96.128.143 202.96.128.166

#about log
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

#about proxy
httpd_accel_host fly
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

acl all src 0.0.0.0/0.0.0.0
http_access allow all




这样设置后,客户端需在IE里设置代理服务192.168.0.58端口3128才能上网!不设置时不能上网
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

GMT+8, 2024-11-6 12:35 , Processed in 0.035671 second(s), 16 queries .

© 2021 Powered by Discuz! X3.5.

快速回复 返回顶部 返回列表