先交代一下网络环境;公司用两套局域网,光纤接入路由器,从路由器出来的是192.168.10.X网段,作为对外服务外网,部署了www/ftp/mail等服务器;192.168.10.2 是外网的一台主机,内部局域网192.168.0.X网段,通过10.2这台机器上网;哈哈,不知道说清楚了没有,比较少见吧。
(1)安装 Debian 基本系统(5.0.1)
(2)链接网络,配置网卡
firewall:/# vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary (external, 192.168.10.x) network interface. eth1, the internal
# 192.168.0.x LAN side referenced by allow-hotplug below, is not shown here.
allow-hotplug eth0 eth1
iface eth0 inet static
address 192.168.10.2
netmask 255.255.255.0
network 192.168.10.0
broadcast 192.168.10.255
gateway 192.168.10.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.168.10.1
#
# deb cdrom:[Debian GNU/Linux 5.0.1 _Lenny_ - Official i386 CD Binary-1 20090413-00:10]/ lenny main
# deb cdrom:[Debian GNU/Linux 5.0.1 _Lenny_ - Official i386 CD Binary-1 20090413-00:10]/ lenny main
cache_store_log none
visible_hostname squidtest
执行 firewall:/# squid3 -z 创建缓存目录,创建前先查看是否存放缓存目录
我这里用的 /var/spool/squid3 ,如果不存在用下面命令创建。注意不要对缓存目录 chmod -R 777 :那样本机上任何用户都能往缓存里写入或篡改文件,正确做法是把目录属主改成 squid 的运行用户(Debian 的 squid3 软件包默认以 proxy 用户运行,可在 squid.conf 的 cache_effective_user 中确认),只给这个用户写权限
firewall:/# mkdir -p /var/spool/squid3
firewall:/# chown -R proxy:proxy /var/spool/squid3/
firewall:/# chmod -R 750 /var/spool/squid3/
最后启动 squid ,可以用 netstat -ltn 来查看是否已启动。注意下面输出里 squid 的 3128 端口(以及 sshd 的 22 端口)绑定在 0.0.0.0 ,也就是说从外网段 192.168.10.x 那一侧同样可达;这台机器和对外的 www/ftp/mail 服务器在同一网段,如果 squid 的 http_access 没有限制来源,它就是一个外网可用的开放代理。建议把 http_port 绑定到内网网卡的地址,并且/或者在防火墙脚本的 INPUT 链里只放行来自 192.168.0.0/24 的 3128 端口访问。
firewall:/# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
(9)编辑 firewall 和 flowctrl 两个脚本文件,分别用于NAT和流量控制
firewall:/# vi /etc/init.d/firewall
firewall:/# vi /etc/init.d/flowctrl
设置可执行属性
firewall:/# chmod +x /etc/init.d/firewall
firewall:/# chmod +x /etc/init.d/flowctrl
创建自动启动链接
firewall:/# ln -s /etc/init.d/firewall /etc/rc2.d/S50firewall
firewall:/# ln -s /etc/init.d/flowctrl /etc/rc2.d/S51flowctrl
防火墙脚本,局域网NAT上网,squid透明代理,IP地址MAC地址管理
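#!/bin/sh
# Firewall / NAT / transparent-proxy script for the dual-homed Debian gateway.
#
# Interfaces (from /etc/network/interfaces and the tc/bandwidthd setup):
#   eth0 - external segment 192.168.10.0/24; this host is 192.168.10.2 and the
#          public www/ftp/mail servers sit on the same segment
#   eth1 - internal LAN 192.168.0.0/24 (the interface tc shapes and bandwidthd
#          watches)
#
# What the script sets up:
#   * IPv4 forwarding plus the NAT / conntrack modules (ftp and irc helpers)
#   * LAN web traffic (tcp/80) is redirected into the local squid on :3128
#   * the LAN is masqueraded behind the eth0 address
#   * LAN hosts may use the gateway (forwarding AND the squid port) only when
#     both their IP and their MAC match an entry in the LAN_ALLOWED chain;
#     every other LAN source is dropped
#   * connections initiated from the external segment towards the LAN are
#     dropped; only replies to LAN-initiated traffic are forwarded back
#
# NOTE(review): an IP+MAC pair is a convenience control, not a security
# boundary - any LAN user can clone a listed MAC address.
echo "Starting firewall script."
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Start from a clean slate: flush the built-in chains, then delete the
# (now empty) user-defined chains so a re-run does not fail on -N.
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Transparent proxy.  LAN packets enter on eth1; the earlier version matched
# "-i eth0" (the external interface) and therefore never saw LAN traffic.
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE

# ip & mac allow list.  A matching packet is ACCEPTed, anything else that
# reaches the end of the chain is dropped.  The same chain guards the squid
# port, because redirected port-80 traffic is delivered to INPUT and never
# passes through FORWARD - otherwise unlisted hosts would still get web
# access via the proxy.
iptables -N LAN_ALLOWED
# example entry (disabled):
# iptables -A LAN_ALLOWED -s 192.168.0.5 -m mac --mac-source 00:17:31:98:a2:2a -j ACCEPT
# engineering department
iptables -A LAN_ALLOWED -s 192.168.0.16 -m mac --mac-source 00:24:8c:03:bf:69 -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.18 -m mac --mac-source 00:0a:eb:1f:6e:bf -j ACCEPT
# development department
iptables -A LAN_ALLOWED -s 192.168.0.21 -m mac --mac-source 00:23:54:f5:88:1a -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.22 -m mac --mac-source 00:23:54:f5:88:6a -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.25 -m mac --mac-source 00:0a:eb:1f:91:c2 -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.27 -m mac --mac-source 00:03:0d:6d:d2:4d -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.29 -m mac --mac-source 00:16:17:16:6a:aa -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.32 -m mac --mac-source 00:23:54:f5:88:53 -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.34 -m mac --mac-source 00:0a:eb:22:66:59 -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.35 -m mac --mac-source 00:0a:eb:1f:91:78 -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.39 -m mac --mac-source 00:23:54:f5:84:23 -j ACCEPT
iptables -A LAN_ALLOWED -s 192.168.0.41 -m mac --mac-source 00:0a:eb:51:09:37 -j ACCEPT
# ... (add the other IP/MAC pairs that are allowed to go online here)
iptables -A LAN_ALLOWED -j DROP

# INPUT: this host's own services.  squid listens on 0.0.0.0:3128, so without
# these rules it is an open proxy for the external segment.  Local tests over
# lo stay possible; only listed LAN hosts may reach the proxy.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i eth1 -p tcp --dport 3128 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j LAN_ALLOWED

# FORWARD: external -> LAN only as a reply to a LAN-initiated connection.
# The FORWARD policy is ACCEPT, so without this a compromised server on the
# external segment could route straight into 192.168.0.0/24 through this box.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j DROP
# FORWARD: LAN -> anywhere only for listed hosts, everything else is dropped
iptables -A FORWARD -s 192.168.0.0/24 -j LAN_ALLOWED
echo "Firewall script load ok"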
流量控制脚本,给局域网的每个IP限速,采用的最简单和傻瓜的方式
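#!/bin/sh
# Per-host download shaping for the internal LAN (HTB on eth1).
#
# eth1 is the LAN-facing interface, so packets leaving it are downloads from
# the LAN hosts' point of view; matching on "ip dst" therefore caps each
# host's download rate.  Uploads (entering eth1) are not shaped here.
#
# Unit reminder: in tc, "kbps" means kilo*bytes* per second ("kbit" would be
# kilobits), so 12500kbps is 100 Mbit/s and 250kbps is 2 Mbit/s.
#
# Classes: 10:1 is the link-wide ceiling; 10:101..10:105 are the rate tiers a
# host can be assigned to.  The HTB default class 255 is never created, so
# traffic matched by no filter (unlisted hosts, non-IP frames) is passed
# through unshaped via HTB's direct queue - create a "10:255" class if that
# traffic should be capped as well.
echo "Load TC script ..."
DEV=eth1
# Remove whatever qdisc is there; "no such qdisc" on the first run is expected.
tc qdisc del dev "$DEV" root 2>/dev/null
tc qdisc add dev "$DEV" root handle 10: htb default 255
tc class add dev "$DEV" parent 10: classid 10:1 htb rate 12500kbps ceil 12500kbps
# speed tiers
SPEED1=250kbps
SPEED2=250kbps
SPEED3=500kbps
SPEED4=64kbps
SPEED5=32kbps
# Class ids carry their major number ("10:101") so they read the same way the
# filters below name them.
tc class add dev "$DEV" parent 10:1 classid 10:101 htb rate $SPEED1 ceil $SPEED1 prio 1
tc class add dev "$DEV" parent 10:1 classid 10:102 htb rate $SPEED2 ceil $SPEED2 prio 2
tc class add dev "$DEV" parent 10:1 classid 10:103 htb rate $SPEED3 ceil $SPEED3 prio 3
tc class add dev "$DEV" parent 10:1 classid 10:104 htb rate $SPEED4 ceil $SPEED4 prio 4
tc class add dev "$DEV" parent 10:1 classid 10:105 htb rate $SPEED5 ceil $SPEED5 prio 5
# Assign hosts to tiers: one u32 filter per host, keyed on the destination IP.
for host in 2 3 4 5 6 7 8; do
  tc filter add dev "$DEV" parent 10: protocol ip prio 1 u32 \
    match ip dst "192.168.0.$host/32" classid 10:101
done
# ... (repeat for the remaining hosts; crude, but practical)
echo "OK"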
(10)安装 bandwidthd 进行流量检测,同时需要一个http服务器支持,我用的 mini-httpd 。注意 bandwidthd 生成的页面会按 IP 列出每台内网主机的流量情况,mini-httpd 应只监听内网网卡的地址(或者在防火墙 INPUT 链里把 80 端口限制为只允许 192.168.0.0/24 访问),不要让外网段也能看到这些统计。
firewall:/# apt-get install bandwidthd
firewall:/# apt-get install mini-httpd
先配置 bandwidthd
firewall:/# vi /etc/bandwidthd/bandwidthd.conf
####################################################
# Bandwidthd.conf
#
# Commented out options are here to provide
# documentation and represent defaults
# Subnets to collect statistics on. Traffic that
# matches none of these subnets will be ignored.
# Syntax is either IP Subnet Mask or CIDR
#subnet 192.168.0.0/24
subnet 192.168.0.0/24
# subnet 192.168.10.0/24
# Device to listen on
# Bandwidthd listens on the first device it detects
# by default. Run "bandwidthd -l" for a list of
# devices.
#dev "eth0"
dev "eth1"
###################################################
# Options that don't usually get changed
# An interval is 2.5 minutes, this is how many
# intervals to skip before doing a graphing run
#skip_intervals 0
# Graph cutoff is how many k must be transfered by an
# ip before we bother to graph it
graph_cutoff 1024
#Put interface in promiscuous mode to score to traffic
#that may not be routing through the host machine.
promiscuous true
#Log data to cdf file htdocs/log.cdf
#output_cdf false
output_cdf true
#Set the cdf log output directory
#log_dir "/var/lib/bandwidthd"
#Read back the cdf file on startup
recover_cdf true
#Libpcap format filter string used to control what bandwidthd sees
#Please always include "ip" in the string to avoid strange problems
filter "ip"
#Draw Graphs - This default to true to graph the traffic bandwidthd is recording
#Usually set this to false if you only want cdf output or
#you are using the database output option. Bandwidthd will use very little
#ram and cpu if this is set to false.
#graph true
#Set META REFRESH for static pages in seconds(default 150, use 0 to disable).
#meta_refresh 150
meta_refresh 150
#Set the static html output directory
htdocs_dir "/var/lib/bandwidthd/htdocs"