请高手贴一个做透明网关的IPTABLES 范例出来 ,谢谢!

发表于 2004-8-29 22:05:37 | 显示全部楼层 |阅读模式
请高手贴一个做透明网关的 IPTABLES 和 squid 配置文件的范例出来,谢谢!
发表于 2004-8-30 13:17:26 | 显示全部楼层
别人的配置不一定适合你,因为网络条件不同,只可做参考。
1./etc/rc.d/firewall
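#!/bin/bash
#
# /etc/rc.d/firewall -- NAT gateway with a transparent squid proxy.
#
# Topology assumed from the original rules (MASQUERADE and the INPUT/FORWARD
# drops were on eth0): eth0 = Internet side, eth1 = LAN side with
# 192.168.0.0/24 behind it.  The original SNAT rules used "-o eth1" together
# with a literal "--to Internet IP" placeholder, which contradicts that and
# does not parse; confirm the interface assignments below before use.
#
# Requires: iptables, squid listening on ${SQUID_PORT} on this host.
set -eu

IPT=/sbin/iptables
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
SQUID_PORT=3128
# Static public address of ${WAN_IF}.  Leave empty to MASQUERADE (dynamic
# address); set it to SNAT to a fixed address, which is what the original's
# "--to Internet IP" placeholder was meant to do.
WAN_IP=""

echo "Starting iptables rules..."

# Start from empty chains so re-running the script does not append a second
# copy of every rule.
"$IPT" -F
"$IPT" -t nat -F

# Drop unsolicited and malformed packets arriving from the Internet, both
# those addressed to this host and those it would otherwise forward.
"$IPT" -A INPUT -i "$WAN_IF" -m state --state NEW,INVALID -j DROP
"$IPT" -A FORWARD -i "$WAN_IF" -m state --state NEW,INVALID -j DROP

# Transparent proxy: HTTP from the LAN is redirected into squid.  REDIRECT is
# only valid in the nat PREROUTING/OUTPUT chains; the original placed its
# REDIRECT rules in POSTROUTING, where iptables rejects them, so nothing was
# ever proxied.  squid only handles HTTP here, so ftp/smtp/pop3 are not
# redirected (the original tried to, pointing at ports 21/25/110).
"$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
  -j REDIRECT --to-port "$SQUID_PORT"

# Everything else from the LAN (ftp, smtp, pop3, dns, ...) is plain NAT; one
# rule for the whole network replaces the duplicated per-port SNAT lines.
if [ -n "$WAN_IP" ]; then
  "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
else
  "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
fi

# Enable routing only after the filter and NAT rules are in place.
echo 1 >/proc/sys/net/ipv4/ip_forward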


2./etc/squid/squid.conf
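# /etc/squid/squid.conf -- squid 2.x as a transparent (httpd_accel) proxy for
# the 192.168.0.0/24 LAN.  Listens on 3128; the gateway's iptables REDIRECT
# rule must point LAN HTTP traffic at this port.
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir ufs /var/spool/squid 3000 16 36
ftp_user Squid@
refresh_pattern ^ftp:          1440    20%     10080
refresh_pattern ^gopher:       1440    0%      1440
# Catch-all pattern.  The original line carried no min/percent/max values,
# which squid rejects at startup; these are the stock defaults.
refresh_pattern .              0       20%     4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl machine.domain.com src 192.168.0.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 20 21       # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
# acl names are case-sensitive: the original "safe_ports" was a separate,
# accidental acl, so "deny !safe_ports" would have denied everything except
# ports 25 and 110.
acl Safe_ports port 25          # smtp
acl Safe_ports port 110         # pop3
acl CONNECT method CONNECT

# http_access is evaluated top to bottom, first match wins.  The original put
# "allow all" first, which made every deny below it unreachable and turned the
# cache into an open proxy for anyone able to reach port 3128.  Only the LAN
# and the local host may use the proxy; everything else is denied.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow machine.domain.com
http_access deny all

icp_access allow all
miss_access allow all

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on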