论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2013-07-23 16:41 |只看该作者 |倒序浏览

本帖最后由 BSD_KT 于 2013-07-23 16:43 编辑

处于测试的目的，想通过squid 来缓存加速一下局域网对外访问网页的速度，结果卡主了。
系统环境: freebsd 9.1

两个网卡桥接后，不起pf，都是可以上网的. 实现了透明

疑惑有几点：
1.要是先squid 缓存加速，pf 默认全部放行，只是针对 80端口做转向
  pf.conf

  rdr pass on bridge0 proto tcp from any to any port 80 -> 192.168.1.71 port 8080
  pass all

但是通过pfctl -ss  查看到的任然发现有内网直接与外网通信的. 也有通过 192.168.1.71:8080 出去的
总条数10000多条

all tcp 112.90.138.96:80 <- 192.168.1.73:6018 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.73:6018 -> 112.90.138.96:80 ESTABLISHED:ESTABLISHED
all tcp 112.90.138.96:80 <- 192.168.1.73:6019 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.73:6019 -> 112.90.138.96:80 ESTABLISHED:ESTABLISHED
all tcp 118.123.250.203:80 <- 192.168.21.48:2756 ESTABLISHED:ESTABLISHED
all tcp 192.168.21.48:2756 -> 118.123.250.203:80 ESTABLISHED:ESTABLISHED
all tcp 58.221.38.8:8080 <- 192.168.22.6:25366 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.22.6:25366 -> 58.221.38.8:8080 FIN_WAIT_2:FIN_WAIT_2
all tcp 58.250.135.156:80 <- 192.168.24.8:2319 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.24.8:2319 -> 58.250.135.156:80 FIN_WAIT_2:FIN_WAIT_2
all tcp 101.226.103.122:80 <- 192.168.21.48:2757 TIME_WAIT:TIME_WAIT
all tcp 192.168.21.48:2757 -> 101.226.103.122:80 TIME_WAIT:TIME_WAIT
all tcp 112.90.137.48:80 <- 192.168.1.73:6023 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.73:6023 -> 112.90.137.48:80 FIN_WAIT_2:FIN_WAIT_2
all tcp 112.90.137.48:80 <- 192.168.1.73:6024 FIN_WAIT_2:FIN_WAIT_2

复制代码

数量40左右,但是只是单向的, 也没建立连接

all tcp 192.168.1.71:8080 (220.181.112.75:80) <- 192.168.22.48:3031 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (123.125.106.124:80) <- 192.168.22.97:1173 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (220.181.111.24:80) <- 192.168.22.48:3148 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (202.108.23.30:80) <- 192.168.1.184:47507 CLOSED:SYN_SENT
all tcp 192.168.1.71:8080 (180.149.131.195:80) <- 192.168.22.48:3151 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (180.149.131.33:80) <- 192.168.22.48:3149 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (180.149.132.72:80) <- 192.168.22.48:3153 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (60.28.113.115:80) <- 192.168.21.22:63951 CLOSED:SYN_SENT
all tcp 192.168.1.71:8080 (124.160.136.250:80) <- 192.168.1.252:6765 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (58.68.235.54:80) <- 192.168.1.123:49886 CLOSED:SYN_SENT
all tcp 192.168.1.71:8080 (220.181.112.216:80) <- 192.168.22.48:3147 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (220.181.112.75:80) <- 192.168.22.48:3155 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (220.181.164.53:80) <- 192.168.22.48:3163 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (220.181.164.53:80) <- 192.168.22.48:3162 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (220.181.112.75:80) <- 192.168.22.48:3156 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.71:8080 (119.188.65.121:80) <- 192.168.1.72:50644 CLOSED:SYN_SENT
all tcp 192.168.1.71:8080 (110.75.70.19:80) <- 192.168.22.29:2713 TIME_WAIT:TIME_WAIT

复制代码

请问，这个是否有配置错误或遗漏

2. squid -v : 3.3.8 启用 transparent 的

http_port 3128

实现透明代理,能够缓存，是使用
http_port 8080 intercept 透明
还是
http_port 8080 accel 加速

3. store.log 中文件根本没有对外网图片等的日志
查看命中率也是0

文库|博客

alexpdl

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2013-07-24 18:15 |只看该作者

Fikker 反向代理服务器也用的是透明代理的方式，通过配置 iptables 做 80端口的 NAT 缓存web数据, 脚本你可以参考下：

# 安装模块
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE

# 清除之前的规则
iptables -F
iptables -t nat -F

# 允许接收并转发所有的数据
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -j ACCEPT

# 从Wayos过来的 tcp 80 端口的数据转发到 fikker 处理
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 80

# 允许包转发
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1000000 > /proc/sys/net/netfilter/nf_conntrack_max

# 保存配置
/etc/rc.d/init.d/iptables save

ip_forward 和 nf_conntrack_max 可以写到 /etc/rc.d/rc.local 中，开机能自动修改参数