吸取經驗，請大家給意見：流量控制應怎樣配置比較好？謝謝！
eth1: wan_ip 202.96.128.68
eth1:1 wan_ip 202.96.128.69
eth0: lan_ip 192.168.200.254
eth0:1 lan_ip 192.168.250.254
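### Caching Server For FedoraCore1 #####################
http_port 3128
icp_port 0
cache_mem 96 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 2048 KB
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
visible_hostname comxyz.guest.group
cache_mgr comxyz@163.com
forwarded_for off
ftp_user comxyz@163.com
ftp_list_width 64
ftp_passive on
# Basic auth against the domain controller via smb_auth.
# NOTE(review): no proxy_auth ACL is defined below, so credentials are only
# requested when the max_user_ip ACL (fixuser) is evaluated, and an
# authenticated user that passes connlimit/fixuser still hits "deny all".
# If authenticated users are meant to get access, an
# "acl auth_users proxy_auth REQUIRED" / "http_access allow auth_users"
# pair is missing -- confirm the intended policy.
auth_param basic realm Proxy-Caching Server
auth_param basic program /usr/lib/squid/smb_auth -W COMXYZ -U 192.168.200.1 -S Logon$
auth_param basic children 5
authenticate_ttl 300 second
authenticate_ip_ttl 600 second
auth_param basic credentialsttl 2 hours
# Destination ports reachable through the proxy. The same list is applied to
# CONNECT below, so tunnels to any port in 20000-60000 are permitted; a
# separate, tighter list (e.g. only the TLS ports) is the usual choice there.
acl safe_ports port 20 21 80 443 444 990 20000-60000
acl connect method CONNECT
acl fixuser max_user_ip 3
acl connlimit maxconn 10
# NOTE(review): "24:30" is not a valid hour:minute (presumably 23:59 or 24:00
# was meant) and this ACL is never referenced by http_access -- fix or remove.
acl one_time time 8:30-24:30
# Fully trusted clients: fax host and the server range.
acl fax src 192.168.30.2/255.255.255.255
acl srv src 192.168.200.1-192.168.200.20/255.255.255.255
acl pass_web dstdomain "/etc/squid/passweb.list"
acl pass_ip dst "/etc/squid/passip.list"
acl deny_str url_regex "/etc/squid/denystr.list"
acl deny_web dstdomain "/etc/squid/denyweb.list"
acl deny_ip dst "/etc/squid/denyip.list"
acl all src 0.0.0.0/0.0.0.0
#Havp VirusScan
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all
# Force every request through the HAVP parent. Without this Squid may still
# go DIRECT (requests it treats as non-hierarchical, or when the parent is
# unreachable), which silently skips the virus scan. With it, a dead HAVP
# fails closed instead of open.
never_direct allow all
# Port checks come first so that whitelisted destinations and trusted source
# hosts cannot reach arbitrary ports through the proxy.
http_access deny !safe_ports
http_access deny connect !safe_ports
http_access allow pass_web
http_access allow pass_ip
http_access allow srv
http_access deny deny_web
http_access deny deny_ip
http_access deny deny_str
http_access allow fax
http_access deny connlimit
http_access deny fixuser
http_access deny all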
############################################
####### IPtables ################################
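proxy="3128"
ipnat="20,21,47,80,443,444,990,1723,5222"
# Start from empty tables so re-running the script is idempotent.
iptables -F
iptables -X
iptables -F -t mangle
iptables -t mangle -X
iptables -F -t nat
iptables -t nat -X
# Connection-tracking / NAT helpers for FTP, IRC and PPTP (GRE) passthrough.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_conntrack_proto_gre
modprobe ip_conntrack_pptp
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_proto_gre
modprobe ip_nat_pptp
##----- OUTPUT -----
iptables -P OUTPUT ACCEPT
##----- INPUT -----
iptables -P INPUT DROP
# Anti-spoofing: private source addresses never legitimately arrive on the
# WAN side. Assumes no RFC1918 hosts are reachable via eth1 -- confirm.
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
# The layer7/ipp2p drops are deliberately placed before the ESTABLISHED
# accept: presumably these matches classify a flow from its first data
# packets, which already count as ESTABLISHED -- keep this order.
iptables -A INPUT -m layer7 --l7proto qq -j DROP
iptables -A INPUT -m layer7 --l7proto msnmessenger -j DROP
iptables -A INPUT -m layer7 --l7proto bittorrent -j DROP
iptables -A INPUT -m layer7 --l7proto kugoo -j DROP
iptables -A INPUT -m layer7 --l7proto xunlei -j DROP
iptables -A INPUT -m layer7 --l7proto socks -j DROP
iptables -A INPUT -m layer7 --l7proto edonkey -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --edk --bit --kazaa -j DROP
iptables -A INPUT -p udp -m ipp2p --edk --bit --kazaa -j DROP
iptables -A INPUT -p tcp -m ipp2p --edk --bit --kazaa -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Proxy port is reachable from the LAN interface only.
iptables -A INPUT -i eth0 -p tcp -m multiport --dports "$proxy" -j ACCEPT
# Management port (presumably sshd on 2222) is accepted on every interface,
# including the WAN. TODO(review): add "-i eth0" or "-s <admin_net>" if
# remote management over eth1 is not required.
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
##----- FORWARD -----
iptables -P FORWARD DROP
iptables -N PASS
# Same anti-spoofing on the forward path. Must precede the PASS jumps below,
# which accept purely by source address and would forward a spoofed
# 192.168.x.x packet from the WAN straight into the LAN.
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
# Hosts in the two .224/27 ranges (which include the one-to-one NAT host
# 192.168.250.253 and the telnet target .252) bypass every filter below.
iptables -A FORWARD -s 192.168.200.224/27 -j PASS
iptables -A FORWARD -d 192.168.200.224/27 -j PASS
iptables -A FORWARD -s 192.168.250.224/27 -j PASS
iptables -A FORWARD -d 192.168.250.224/27 -j PASS
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
iptables -A FORWARD -m layer7 --l7proto kugoo -j DROP
iptables -A FORWARD -m layer7 --l7proto xunlei -j DROP
iptables -A FORWARD -m layer7 --l7proto socks -j DROP
iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -m ipp2p --edk --bit --kazaa -j DROP
iptables -A FORWARD -p udp -m ipp2p --edk --bit --kazaa -j DROP
iptables -A FORWARD -p tcp -m ipp2p --edk --bit --kazaa -j DROP
iptables -A PASS -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound services allowed for ordinary LAN clients (ipnat also lists 1723
# and 47, i.e. PPTP control + GRE).
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports "$ipnat" -j ACCEPT
iptables -A FORWARD -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -p gre -j ACCEPT
iptables -A FORWARD -i eth0 -p icmp -j ACCEPT
#Ready One To One NAT
# Already covered by the "-d 192.168.250.224/27 -j PASS" rule above; kept so
# the one-to-one host stays reachable if that range is narrowed later.
iptables -A FORWARD -d 192.168.250.253 -j ACCEPT
##----- Start Iptables Snat & Dnat -----
# proxy_arp on eth0 -- presumably for the second LAN subnet on eth0:1; confirm.
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 120 > /proc/sys/net/ipv4/neigh/default/gc_stale_time
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 65535 > /proc/sys/net/ipv4/ip_conntrack_max
# Both LAN subnets leave via the primary WAN address.
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.200.0/24 -j SNAT --to 202.96.128.68
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.250.0/24 -j SNAT --to 202.96.128.68
# Inbound port-forward to telnet: credentials cross the WAN in cleartext;
# prefer an encrypted service if this host must remain exposed.
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 202.96.128.68 --dport 2323 -j DNAT --to 192.168.250.252:23
# One-to-one NAT: every protocol and port on 202.96.128.69 is mapped to the
# internal host, and the PASS rule accepts it unfiltered -- that host is fully
# exposed to the WAN, so harden it or restrict this rule to needed ports.
iptables -t nat -A PREROUTING -i eth1 -d 202.96.128.69 -j DNAT --to 192.168.250.253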