FreeBSD + ipfilter + squid configuration example

Posted on 2006-11-20 03:03

This article is fairly complete; if you want more functionality, add it yourself......
Adding squid provides a web cache, controls QQ, ftp and internet access hours for the inside, and offers mail, web and ftp services to the outside.
Network topology
1. Host A: runs FreeBSD 4.9-stable and has 3 NICs
rl1: 218.85.158.244 ---- connected to the public Internet
ed0: 131.107.3.3/24 ----- NIC for the internal server zone (web, mail, ftp and other services)
rl0: 192.168.1.7/24 ----- provides internet access to the internal LAN
2. Host B: provides www and mail services to the outside, IP address: 131.107.3.5/24
3. Host C: provides ftp service to the outside, running Serv-U, IP address: 131.107.3.8/24
internet
|
|
(rl1 public IP, ed0 private IP, rl0 private IP)
Host C ----- Host A: FreeBSD ---------------- Host B
|
|
N workstations
(1)
Install squid; that needs no explanation.
My configuration file
squid.conf
http_port 3128
cache_mem 32 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir /usr/local/squid/cache 100 16 256
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_store_log /usr/local/squid/logs/store.log
cache_dns_program /usr/local/squid/bin/dnsserver
unlinkd_program /usr/local/squid/bin/unlinkd
acl all src 0.0.0.0/0.0.0.0
acl wwwtime time SMTWHFA 08:00-18:00 #internet access hours; applies only to http requests
acl allow_ip_alltime src 192.168.1.12/32 #this IP may browse at any time, no time limit
acl allow_ip_8time src 192.168.1.13/32 192.168.1.14/32 #these IPs get 10 hours of internet access
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
http_access allow allow_ip_alltime
http_access allow allow_ip_8time wwwtime
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
miss_access allow all
cache_effective_user nobody
cache_effective_group nogroup
Start squid
Test whether squid is working properly
If squid works properly, add the following four lines, which are for transparent proxy (accelerator) mode:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
(2)
After squid has been tested successfully, install ipfilter
Build a custom kernel: mykernel
cd /usr/src/sys/i386/conf
cp GENERIC mykernel
Add
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
/usr/sbin/config mykernel
cd ../../compile/mykernel
make depend all install
Reboot
Create the file ipnat.rules in /etc/
My rules are as follows. One point needs explaining here: ipfilter handles web requests differently from QQ requests.
Requests to port 80 are redirected to port 3128 on this host, and squid then sends the request to the external web server through port 3128;
requests to other ports go straight out through NAT.
ipnat.rules:
rdr rl0 0.0.0.0/0 port 80 -> 192.168.1.7 port 3128 tcp/udp
#redirect web requests to local port 3128, to be handled by squid
#note: there must be a space on each side of the -> symbol; the same applies below
map rl1 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:30000
#other requests are handled by NAT on the way out
map rl1 192.168.1.0/24 -> 0/32
map rl1 131.107.3.0/24 -> 0/32 portmap tcp/udp 30001:60000
map rl1 131.107.3.0/24 -> 0/32
#catch-all for non-tcp/udp traffic from the server zone; the original line ended in a bare "portmap", which is not valid ipnat syntax
rdr rl1 218.85.158.244/32 port 80 -> 131.107.3.5 port 80
rdr rl1 218.85.158.244/32 port 25 -> 131.107.3.5 port 25
rdr rl1 218.85.158.244/32 port 110 -> 131.107.3.5 port 110
rdr rl1 218.85.158.244/32 port ftp -> 131.107.3.8 port ftp
rdr rl1 218.85.158.244/32 port 30001-50000 -> 131.107.3.8 port 30001 tcp
(3) My ipf.rules:
A reminder first: ipf processes rules in a different order from ipfw. With ipfw, once a rule matches, no further rules are processed; ipf keeps searching for other matching rules, so normally the last matching rule takes effect. However, ipf can use the quick keyword to change this behaviour so that no further rules are searched.
block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
#loose source route option; the original read "lssr", which ipf does not recognise
block in log quick all with opt ssrr
pass out on rl0 all
pass in on rl0 all
pass out on ed0 all
pass in on ed0 all
pass out quick on lo0 all
pass in quick on lo0 all
block out on rl1 all
block out log on rl1 from any to 192.168.0.0/16
block out log quick on rl1 from any to 0.0.0.0/8
block out log quick on rl1 from any to 169.254.0.0/16
#link-local range is a /16, as in the inbound rules below (the original had /8)
block out log quick on rl1 from any to 10.0.0.0/8
block out log quick on rl1 from any to 172.16.0.0/12
#private range is 172.16.0.0/12, as in the inbound rules below (the original read 127.16.0.0/12)
block out log quick on rl1 from any to 192.0.2.0/24
block out log quick on rl1 from any to 204.152.64.0/23
block out log quick on rl1 from any to 224.0.0.0/3
pass out log on rl1 proto tcp/udp from 131.107.3.8 to any keep state
#note: 131.107.3.8 here is the address of your internal ftp server; it must be added,
#otherwise ftp clients cannot display the server's directory listing
pass out log on rl1 proto tcp/udp from 192.168.1.12 to any keep state
#if I want 192.168.1.12 to use QQ or ftp, write it here
#this 192.168.1.12 does not have to be in the squid.conf ACLs, because it is not a web request
pass out log on rl1 proto tcp/udp from 192.168.1.13 to any port = 25 keep state
pass out log on rl1 proto tcp/udp from 192.168.1.13 to any port = 110 keep state
#if I want 192.168.1.13 to fetch mail with Foxmail, write it here
#this 192.168.1.13 does not have to be in the squid.conf ACLs, because it is not a web request
pass out log on rl1 proto tcp/udp from 218.85.158.244 to any keep state
#let all packets from the public-facing IP go out
pass out log on rl1 proto icmp all keep state
block in log on rl1 from 192.168.0.0/16 to any
block in log quick on rl1 from 10.0.0.0/8 to any
block in log quick on rl1 from 172.16.0.0/12 to any
block in log quick on rl1 from 127.0.0.0/8 to any
block in log quick on rl1 from 192.0.2.0/24 to any
block in log quick on rl1 from 169.254.0.0/16 to any
block in log quick on rl1 from 224.0.0.0/3 to any
block in log quick on rl1 from 204.152.64.0/23 to any
block in log quick on rl1 from any to 218.85.158.0/32
block in log quick on rl1 from any to 218.85.158.255/32
pass in quick on rl1 proto tcp from any to 131.107.3.5/32 port = 80 flags S/SA keep state
pass in quick on rl1 proto tcp from any to 131.107.3.5/32 port = 25 flags S/SA keep state
pass in quick on rl1 proto tcp from any to 131.107.3.5/32 port = 110 flags S/SA keep state
pass in quick on rl1 proto tcp from any to 131.107.3.8/32 port = ftp flags S/SA keep state
pass in quick on rl1 proto tcp from any to 131.107.3.8/32 port = ftp-data flags S/SA keep state
pass in quick on rl1 proto tcp from any to 131.107.3.8/32 port 30000 >

This article comes from the ChinaUnix blog; to read the original, see: http://blog.chinaunix.net/u/25815/showart_203331.html
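Added example (not part of the original post): a small Python model of the ipf rule-ordering behaviour described in section (3), where every rule is examined and the last match wins unless a matching rule is marked quick. The rule tuples are a simplified subset of the post's outbound rl1 rules, and the sample packets are constructed here.

```python
import ipaddress

# Simplified subset of the post's "out on rl1" rules, in their original order.
# Tuple: (action, quick, source network, destination network, destination port)
# None for the port means "any port". Constructed for this example.
RULES = [
    ("block", False, "0.0.0.0/0",        "0.0.0.0/0", None),  # block out on rl1 all
    ("block", True,  "0.0.0.0/0",        "10.0.0.0/8", None), # quick: private dst
    ("pass",  False, "131.107.3.8/32",   "0.0.0.0/0", None),  # internal ftp server
    ("pass",  False, "192.168.1.12/32",  "0.0.0.0/0", None),  # QQ / ftp host
    ("pass",  False, "192.168.1.13/32",  "0.0.0.0/0", 25),    # Foxmail: smtp
    ("pass",  False, "192.168.1.13/32",  "0.0.0.0/0", 110),   # Foxmail: pop3
    ("pass",  False, "218.85.158.244/32","0.0.0.0/0", None),  # the firewall's own IP
]


def matches(rule, src, dst, dport):
    """True if the packet (src, dst, dport) falls within the rule's selectors."""
    _, _, rsrc, rdst, rport = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rsrc)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rdst)
            and (rport is None or rport == dport))


def decide(rules, src, dst, dport):
    """Return (verdict, index of the deciding rule) using ipf semantics:
    rules are walked in order and the LAST matching rule wins, except that
    a matching rule marked quick ends the search immediately."""
    verdict, winner = None, None
    for i, rule in enumerate(rules):
        if matches(rule, src, dst, dport):
            verdict, winner = rule[0], i
            if rule[1]:          # quick: later rules are never consulted
                break
    return verdict, winner


def strip_quick(rules):
    """Same rule set with every quick flag cleared, to show what quick changes."""
    return [(a, False, s, d, p) for a, _, s, d, p in rules]


if __name__ == "__main__":
    # Sample packets: host .13 to smtp passes via rule 4; to port 80 it stays
    # blocked by rule 0 (on this box port 80 is redirected to squid by ipnat first).
    print(decide(RULES, "192.168.1.13", "1.2.3.4", 25))
    print(decide(RULES, "192.168.1.13", "1.2.3.4", 80))
    # Without quick on rule 1, the later pass for .12 would override the block.
    print(decide(RULES, "192.168.1.12", "10.1.2.3", 80))
    print(decide(strip_quick(RULES), "192.168.1.12", "10.1.2.3", 80))
```

The last pair of calls is the point of the post's reminder: the quick rule for 10.0.0.0/8 only holds because quick stops the search before the later pass rule for 192.168.1.12 is reached.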