论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2008-06-02 18:03 |只看该作者 |倒序浏览

iptables设置MACIP绑定上网+Squid 透明代理How to
http://www.opvps.com/blog/?p=114
BY:梁利文 -2008-06-02

实现功能:
1.iptables 防火墙对外只打开指定端口
2.启用NAT带局域网上网功能
3.开启NAT 端口转发将80端口转发到内网机器
3.设定只允许可指定IP的和对应的MAC才可以上网
4.启用透明代理将用户端的访问Web(80)转发到squid的8080
5.禁止用户在线听歌和看电影(通过游览器方式) 透过在squid中限制文件即可

系统及网络环境
1.系统为Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
2.网络环境为双网卡eth0(内网192.168.10.254) eth1(外网202.xxx.xxx.xxx)

贴上iptables及squid配套文件分明如何实现以上功能
1. /etc/sysconfig/iptables文件如下
# Generated by iptables-save v1.2.11 on Mon Jun 2 16:19:27 2008
*nat

REROUTING ACCEPT [23128:1514270]

OSTROUTING ACCEPT [21:1521]
:OUTPUT ACCEPT [22:1561]
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -j SNAT --to-source 202.170.130.116 #NAT 带内网上网
-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 #squid透明代理将80端口的访问转到squid监听的8080端口
-A PREROUTING -d 202.XXX.XXX.XXX -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.XXX
#端口映射，将外网的80转发到内部
COMMIT
# Completed on Mon Jun  2 16:19:27 2008
# Generated by iptables-save v1.2.11 on Mon Jun  2 16:19:27 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [42564:9901094]
:OUTPUT ACCEPT [2509:265716]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -s 192.168.10.XXX -m mac ! --mac-source 00:13:21:25:E5:C8 -j DROP
#这里是重点此语句的意思，如果来IP和MAC对应不上，就不能通过FORWARD链(不能通过转发链则意味无法上网) 把取得IP和MAC地址一个一个写上去
-A FORWARD -s 192.168.10.XXX -j ACCEPT #允许那些IP可以通过转发链
-A FORWARD -s 192.168.10.0/24 -j DROP  #拒绝那些网段(先允许再拒绝)
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT #(对外开启的端口)
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 65322 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun  2 16:19:27 2008

重点是使用了iptables -A -A FORWARD -s 192.168.10.XXX -m mac ! --mac-source 00:13:21:25:E5:C8 -j DROP 实现IP和MAC的绑定

2.squid配置文件
我的squid编译参数
/usr/local/squid/sbin/squid -v
Squid Cache: Version 3.0.STABLE6
configure options:  '--prefix=/usr/local/squid' '--enable-storeio=ufs,aufs' '--with-pthreads' '--with-aufs-threads=32' '--enable-delay-pools' '--enable-disk-io=Blocking,AIO,DiskThreads,DiskDaemon' '--enable-icmp' '--enable-useragent-log' '--enable-referer-log' '--enable-kill-parent-hack' '--disable-snmp' '--enable-arp-acl' '--enable-default-err-language=Simplify_Chinese' '--enable-linux-netfilter' '--disable-internal-dns' '--enable-x-accelerator-vary'
squid.conf文件
#grep -v "#" /usr/local/squid/etc/squid.conf |grep '.'
acl video urlpath_regex -i \.mp3$ \.avi$ \.rmvb$ \.rm$ ##禁止通过浏览器打开视频文件
http_access deny video
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 192.168.10.XXX:8080 transparent #监听8080端口，透明代理一定开加transparent这个参数
hierarchy_stoplist cgi-bin ?
cache_mem 50 MB
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp:          1440 20%    10080
refresh_pattern ^gopher:       1440 0%    1440
refresh_pattern (cgi-bin|\?) 0    0%    0
refresh_pattern .             0    20%    4320
cache_mgr liangliwen@gmail.com
cache_effective_user nobody
cache_effective_group nobody
visible_hostname gateway
icp_port 3130
error_directory /usr/local/squid/share/errors/Simplify_Chinese
coredump_dir /usr/local/squid/var/cache

执行chown -R nobody:nobody /usr/local/squid/var
再执行/usr/local/squid/sbin/squid -Z
再启动squid /usr/local/squid/sbin/squid
这就行实现上述的所有功能

高级一点加上 ipp2p模块实现限制BT和电驴和使用TC实现流量控制,再加上squid使用DG实现病毒网页过滤等操作这样就更加完美了

文库|博客

返回列表

Chinaunix › 论坛 › IT运维 › 数据安全 › iptables设置MACIP绑定上网+Squid 透明代理How to

iptables设置MACIP绑定上网+Squid 透明代理How to [复制链接]