This is a squid+ipfilter note I wrote a while ago.
Have a look at it first; ipfilter is really not much different from pf.
Proxy server build notes
1. Install the FreeBSD system
(1) Do a minimal install; (2) select the kernel sources (sys) distribution during installation; (3) configure the network cards after installation.
The settings to change are as follows.
Configure the network cards (in /etc/rc.conf):
ifconfig_fxp0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_fxp1="inet 218.4.84.219 netmask 255.255.255.248"
hostname="gateway.wgczx.com"
defaultrouter="218.4.84.217"
sendmail_enable="NONE"
usb_enable="NO"
Configure the resolv.conf file (/etc/resolv.conf):
domain wgczx.com
nameserver 61.177.7.1
The FreeBSD 4.7 system is now installed.
2. Rebuild the FreeBSD kernel so that NAT is possible
cd /usr/src/sys/i386/conf
cp GENERIC gateway
Add the following options to the gateway config:
options IPFILTER
options IPFILTER_LOG
options RANDOM_IP_ID
options BRIDGE
options IPFILTER_DEFAULT_BLOCK
/usr/sbin/config gateway
cd ../../compile/gateway
make depend
make
make install
reboot
Restart the machine.
Edit /etc/rc.conf and add the following:
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags="-CF"
ipmon_enable="YES"
ipmon_program="/sbin/ipmon"
ipmon_flags="-D /var/log/ipfilter.log"
The *_flags values are passed straight to the program, so ipnat_flags needs the leading dash (-C flushes the existing NAT table, -F the active mappings). To reload the filter rules by hand without rebooting:
ipf -Fa -f /etc/ipf.rules
Create the file ipfilter.log under /var/log/ and set its mode to 755:
touch /var/log/ipfilter.log
chmod 755 /var/log/ipfilter.log
Your firewall log is then written to /var/log/ipfilter.log, which you can inspect at any time.
Create the ipnat.rules file in /etc/:
ee /etc/ipnat.rules
map fxp1 192.168.1.0/24 -> 218.4.84.221/32 proxy port ftp ftp/tcp
map fxp1 192.168.1.0/24 -> 218.4.84.221/32 portmap tcp/udp 10000:30000
map fxp1 192.168.1.0/24 -> 218.4.84.221/32
rdr fxp0 0.0.0.0/0 port 80 -> 192.168.1.1 port 3128 tcp
The rdr target must be an address Squid actually listens on; with http_port 192.168.1.1:3128 in squid.conf that is 192.168.1.1, not 127.0.0.1.
Create the ipf.rules file in /etc/:
ee /etc/ipf.rules
block in quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 2000
block in quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 4000
block in quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 8000
pass in all
pass out all
NAT setup complete.
Building squid
Download the required software and unpack it:
tar zxvf squid-2.5.STABLE6.tar.gz
cd squid-2.5.STABLE6
Configure and build:
./configure --prefix=/usr/local/squid \
  --enable-arp-acl \
  --enable-pthreads \
  --enable-err-languages="Simplify_Chinese" \
  --enable-default-err-languages="Simplify_Chinese" \
  --enable-storeio=ufs,null \
  --enable-underscore \
  --enable-ipf-transparent
make
make install
Notes on the options:
--prefix=/usr/local/squid: where Squid is installed.
--enable-arp-acl: rules can then be written directly against the client's MAC address, which stops clients from using IP spoofing to get around address-based rules.
--enable-err-languages / --enable-default-err-languages: compile in and use the Simplified Chinese error pages.
--enable-underscore: allow underscores in URLs; by default Squid treats a URL containing an underscore as invalid and refuses the request.
--enable-ipf-transparent: transparent interception through ipfilter's rdr rule.
Once installation finishes, configure how Squid runs (not the configure step above). Everything is done in squid.conf.
Squid configuration file (/usr/local/squid/etc/squid.conf):
http_port 192.168.1.1:3128
# The next four lines are an addition to the original notes: Squid 2.5 needs them to
# accept the connections redirected by the ipnat rdr rule (without them intercepted
# requests are rejected)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_mgr beini@wgczx.com
cache_mem 50 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir ufs /home/cache 3072 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
cache_effective_user nobody
cache_effective_group nogroup
visible_hostname squid.wgczx.com
error_directory /usr/local/squid/share/errors/Simplify_Chinese
forwarded_for off
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777
http_access deny !Safe_ports
acl all src 0.0.0.0/0.0.0.0
acl mornorm time MTWHF 0:01-6:59
acl evenorm time MTWHF 11:00-12:59
acl daynorm time MTWHF 16:01-17:59
acl nignorm time MTWHF 21:01-23:59
acl weekend time SA
http_access allow mornorm
http_access allow evenorm
http_access allow daynorm
http_access allow nignorm
http_access allow weekend
acl game dst "/usr/local/squid/etc/game"
http_access deny game
acl bad dstdomain "/usr/local/squid/etc/bad"
http_access deny bad
acl good dstdomain "/usr/local/squid/etc/good"
http_access allow good
acl advance src "/usr/local/squid/etc/advance"
acl advwork time SMTWHFA
http_access allow advance advwork
http_access deny all
Keep in mind that http_access is evaluated top to bottom and the first matching line decides: inside the mornorm/evenorm/daynorm/nignorm/weekend windows every destination is allowed, because those allow lines come before deny game and deny bad, so the game and bad lists only take effect outside those windows.
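As an added illustration (not part of the original notes), the following Python models Squid's first-match http_access evaluation over the ACLs above, so the effect of the rule order can be checked: during the time windows every destination is allowed, while outside them the game and bad lists are denied even for the advance hosts, which are only let through afterwards. The game and good files are stood in for by constructed placeholders (198.51.100.7 and .wgczx.com).

```python
from datetime import datetime
from ipaddress import ip_address, ip_network
DAY_CODES = "MTWHFAS"  # Squid time-ACL day letters indexed by datetime.weekday() (Mon=0 .. Sun=6)

def acl_matches(kind, values, req):  # one ACL of the kinds used in the squid.conf above
    if kind == "port":
        return req["port"] in values
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in values)
    if kind == "dst":
        return req["dst_ip"] in values
    if kind == "dstdomain":  # a leading dot matches the domain itself and every subdomain
        return any(req["host"] == v.lstrip(".") or (v.startswith(".") and req["host"].endswith(v))
                   for v in values)
    if kind == "time":       # "MTWHF 0:01-6:59"; without a range the whole day matches
        days, _, rng = values[0].partition(" ")
        lo, hi = (rng or "0:00-23:59").split("-")
        minute = lambda s: int(s.split(":")[0]) * 60 + int(s.split(":")[1])
        now = req["when"].hour * 60 + req["when"].minute
        return DAY_CODES[req["when"].weekday()] in days and minute(lo) <= now <= minute(hi)
    raise ValueError(kind)

def http_access(acls, rules, req):
    """First line whose ACLs all match decides; if none match, the opposite of the last action."""
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# ACLs and http_access order transcribed from the squid.conf above; constructed placeholders stand in for the game and good files.
ACLS = {
    "Safe_ports": ("port", [80, 21, 443, 563, 70, 210, 280, 488, 591, 777]),
    "all": ("src", ["0.0.0.0/0"]),
    "mornorm": ("time", ["MTWHF 0:01-6:59"]), "evenorm": ("time", ["MTWHF 11:00-12:59"]),
    "daynorm": ("time", ["MTWHF 16:01-17:59"]), "nignorm": ("time", ["MTWHF 21:01-23:59"]),
    "weekend": ("time", ["SA"]), "advwork": ("time", ["SMTWHFA"]),
    "game": ("dst", ["198.51.100.7"]),
    "bad": ("dstdomain", [".ourgame.com", "ad4.sina.com.cn"]),
    "good": ("dstdomain", [".wgczx.com"]),
    "advance": ("src", ["192.168.1.4", "192.168.1.7", "192.168.1.8", "192.168.1.9"]),
}
RULES = [("deny", ["!Safe_ports"]), ("allow", ["mornorm"]), ("allow", ["evenorm"]),
         ("allow", ["daynorm"]), ("allow", ["nignorm"]), ("allow", ["weekend"]),
         ("deny", ["game"]), ("deny", ["bad"]), ("allow", ["good"]),
         ("allow", ["advance", "advwork"]), ("deny", ["all"])]

def decide(src, host, dst_ip, port, when):  # when is local time as "YYYY-MM-DD HH:MM"
    req = {"src": src, "host": host, "dst_ip": dst_ip, "port": port,
           "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}
    return http_access(ACLS, RULES, req)
```

For example, decide("192.168.1.20", "ad4.sina.com.cn", "203.0.113.5", 80, "2004-11-01 05:00") returns "allow" (Monday, inside mornorm) while the same request at 10:00 returns "deny".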
Create the log files:
touch /usr/local/squid/var/logs/access.log
touch /usr/local/squid/var/logs/cache.log
touch /usr/local/squid/var/logs/store.log
chmod 777 /usr/local/squid/var/logs/access.log
chmod 777 /usr/local/squid/var/logs/cache.log
chmod 777 /usr/local/squid/var/logs/store.log
(Since Squid writes its logs as cache_effective_user nobody, giving the files to nobody:nogroup is enough; they do not need to be world-writable.)
The game file lists the destination IP addresses of the game servers to block, one address per line:
ee /usr/local/squid/etc/game
ee /usr/local/squid/etc/bad
.ourgame.com
ad4.sina.com.cn
The good file lists the domains that are always allowed, one per line (a leading dot matches the domain and all its subdomains):
ee /usr/local/squid/etc/good
ee /usr/local/squid/etc/advance
192.168.1.4
192.168.1.7
192.168.1.8
192.168.1.9
Create the cache directory:
mkdir /home/cache
chown -R nobody /home/cache
chgrp -R nogroup /home/cache
Test that squid runs properly: initialise the cache directories first, then start Squid in the foreground with debugging so that any configuration error is printed on the terminal.
/usr/local/squid/sbin/squid -z
/usr/local/squid/sbin/squid -N -d 1