squid单网卡配置透明代理

zhai_liang2046

适合环境说明:squid服务器无外网接口,只有一个内网IP 但是Squid本身所在的机器是可以出外网的,本人举例的环摬为CentOS+squid3 网络为192.168.10.0/24 squid服务器ip为192.168.10.254 squid使用8080端口 客户端设定网关指向为192.168.10.254(squid) 设定DNS
1.squid编译参数
[root@squidvps ~]# /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.0.STABLE8
configure options:  ‘–with-large-files’ ‘–with-filedescriptors=1248000′ ‘–prefix=/usr/local/squid’ ‘–enable-storeio=ufs,aufs’ ‘–with-pthreads’ ‘–with-aufs-threads=2048′ ‘–enable-delay-pools’ ‘–enable-disk-io=Blocking,AIO,DiskThreads,DiskDaemon’ ‘–enable-icmp’ ‘–enable-useragent-log’ ‘–enable-referer-log’ ‘–enable-kill-parent-hack’ ‘–disable-snmp’ ‘–enable-arp-acl’ ‘–enable-default-err-language=Simplify_Chinese’ ‘–enable-linux-netfilter’ ‘–disable-internal-dns’
2.squid conf文件如下
[root@squidvps squid]# grep -v “#” etc/squid.conf |grep .
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl VPS src 192.168.10.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow VPS
http_access deny all
http_access allow manager localhost
cache_mgr vps
cachemgr_passwd vpsvps all
http_access allow manager
http_access deny CONNECT !SSL_ports
icp_access deny all
http_port 8080 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /usr/local/squid/var/cache 100 16 256
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi \.aspx
acl denyssl urlpath_regex -i ^https:\\
no_cache deny QUERY
no_cache deny denyssl
forwarded_for off
cache_mgr
root@opvps.com
cache_effective_user nobody
cache_effective_group nobody
visible_hostname squidvps
error_directory /usr/local/squid/share/errors/Simplify_Chinese
coredump_dir /usr/local/squid/var/cache
access_log /usr/local/squid/var/logs/access.log squid
allow_underscore on
3.iptables设定内容 开启防火墙,只开放22 80 8080 及53 信任内部允许192.168.10.0/24通过转发链
/etc/sysconfig/iptables
[root@squidvps squid]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [1:153]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.10.0/255.255.255.0 -j ACCEPT
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp –icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
COMMIT

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u3/94932/showart_2167143.html