一. 设置主机防火墙策略

 

1.[root@michael ~]# rpm -qa | grep iptables

iptables-1.2.11-3.1.RHEL4

[root@michael ~]# rpm -ql iptables | grep bin

/sbin/iptables

/sbin/iptables-restore

/sbin/iptables-save

2.[root@michael ~]# chkconfig --list iptables

iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off

[root@michael ~]# chkconfig --level 35 iptables on

[root@michael ~]# chkconfig --list iptables

iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

3.[root@michael ~]# service iptables restart

[root@michael ~]# vi /etc/sysconfig/iptables

 

 

~"/etc/sysconfig/iptables" [New] 0L, 0C written

[root@michael ~]# service iptables restart

Applying iptables firewall rules: [ OK ]

4.[root@michael ~]# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

5. clip_p_w_picpath002

clip_p_w_picpath004

clip_p_w_picpath006

clip_p_w_picpath008

clip_p_w_picpath010

注意: 刚启动 iptables 且 /etc/sysconfig/iptables 为空文件时, INPUT/FORWARD/OUTPUT 三条链的默认策略都是 ACCEPT, 即不过滤任何数据包。

外部 DNS 上的记录也是可以解析的, 但是 WWW 是不能访问的。

另外要注意两点: (1) 下一步先把 INPUT 默认策略改为 DROP、再逐条添加放行规则, 如果是通过 SSH 远程操作, 在执行 -P INPUT DROP 的瞬间会话就会被断开, 应在本机控制台操作, 或者先添加 lo 和 tcp/22 的 ACCEPT 规则再改默认策略; (2) 本文用命令行添加的规则只存在于内存中, 全程没有执行 service iptables save, 重启或 service iptables restart 后会被空的 /etc/sysconfig/iptables 覆盖而全部丢失。

6.[root@michael ~]# iptables -F

[root@michael ~]# iptables -X

[root@michael ~]# iptables -Z

[root@michael ~]# iptables -P INPUT DROP

 

clip_p_w_picpath012

 

clip_p_w_picpath014

clip_p_w_picpath016

clip_p_w_picpath018

clip_p_w_picpath020

clip_p_w_picpath022

 

 

7. [root@michael ~]# iptables -A INPUT -i lo -j ACCEPT

[root@michael ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[root@michael ~]# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

clip_p_w_picpath024

8. [root@michael ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

[root@michael ~]# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

ACCEPT tcp -- anywhere anywhere tcp dpt:http

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

clip_p_w_picpath026

9. [root@michael ~]# iptables -A INPUT -p icmp -j ACCEPT

[root@michael ~]# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

ACCEPT tcp -- anywhere anywhere tcp dpt:http

ACCEPT icmp -- anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@michael ~]#

clip_p_w_picpath028

10. [root@michael ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT

[root@michael ~]# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

ACCEPT tcp -- anywhere anywhere tcp dpt:http

ACCEPT icmp -- anywhere anywhere

ACCEPT udp -- anywhere anywhere udp dpt:domain (允许任何主机查询本机 DNS 的规则; 若 DNS 只服务内网, 应加 -s 限制来源网段)

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

clip_p_w_picpath030

clip_p_w_picpath032

11. [root@michael ~]# iptables -A INPUT -p udp -d 192.168.1.102 --sport 53 -j ACCEPT

[root@michael ~]# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

ACCEPT tcp -- anywhere anywhere tcp dpt:http

ACCEPT icmp -- anywhere anywhere

ACCEPT udp -- anywhere anywhere udp dpt:domain

ACCEPT udp -- anywhere 192.168.1.102 udp spt:domain (内部 DNS 把解析不了的记录转发给外部 DNS 后, 允许外部 DNS 的应答回到本机。注意这条规则只凭源端口 53 放行: 任何人只要把源端口设成 53, 就能访问本机任意 UDP 端口。更安全的写法是用连接跟踪放行回包: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT, 这样也顺带解决了本机其他出站连接在 INPUT DROP 下收不到回包的问题)

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

clip_p_w_picpath034

12.[root@michael ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

[root@michael ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT

[root@michael ~]# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

ACCEPT tcp -- anywhere anywhere tcp dpt:http

ACCEPT icmp -- anywhere anywhere

ACCEPT udp -- anywhere anywhere udp dpt:domain

ACCEPT udp -- anywhere 192.168.1.102 udp spt:domain

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp

ACCEPT tcp -- anywhere anywhere tcp dpt:pop3

clip_p_w_picpath036

[root@michael ~]# mail

Mail version 8.1 6/6/93. Type ? for help.

"/var/spool/mail/root": 10 messages 2 new 10 unread

U 1 root@michael.fung.co Wed Aug 5 01:39 26/965 "Anacron job 'cron.dai"

U 2 root@michael.fung.co Wed Aug 5 01:39 26/965 "Anacron job 'cron.dai"

U 3 root@michael.fung.co Wed Aug 5 01:39 26/963 "Anacron job 'cron.dai"

U 4 root@michael.fung.co Wed Aug 5 01:39 41/1344 "LogWatch for michael."

U 5 root@michael.fung.co Wed Aug 5 01:39 56/1648 "LogWatch for michael."

U 6 root@michael.fung.co Wed Aug 5 01:39 140/3866 "LogWatch for michael."

U 7 root@michael.fung.co Wed Aug 5 01:55 192/6879 "LogWatch for michael."

U 8 abc2@fung.com Wed Aug 5 03:16 23/719 "111"

>N 9 root@michael.fung.co Wed Aug 5 04:02 192/6918 "LogWatch for michael."

N 10 abc2@fung.com Wed Aug 5 08:49 23/735 "111111"

& 10

Message 10:

From abc2@fung.com Wed Aug 5 08:49:57 2009

From: "abc2" <abc2@fung.com>

To: <root@fung.com>

Subject: 111111

Date: Tue, 4 Aug 2009 20:03:24 +0800

MIME-Version: 1.0

Content-Type: text/plain;

charset="gb2312"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.3790.1830

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830

Content-Transfer-Encoding: 8bit

X-MIME-Autoconverted: from base64 to 8bit by michael.fung.com id n750nu1h003953

 

Ssssssssssssss

 

 

二. Linux 使用 iptables 做网关服务器(NAT)

 

方法1:

 

1.[root@michael ~]# vi /proc/sys/net/ipv4/ip_forward

 

0

~

~[root@michael ~]# echo "1" > /proc/sys/net/ipv4/ip_forward (启动路由/转发功能; 这种写法重启后失效, 持久化需在 /etc/sysctl.conf 中设置 net.ipv4.ip_forward = 1 并执行 sysctl -p)

[root@michael ~]# vi /proc/sys/net/ipv4/ip_forward

 

1

~"/proc/sys/net/ipv4/ip_forward" 1L, 2C

2.[root@michael ~]# iptables -F 清空 filter 表中所有链的规则(不影响 nat 表, 所以下面还要对 -t nat 单独执行)。

[root@michael ~]# iptables -X 删除表中用户自定义的链(链必须为空)

[root@michael ~]# iptables -Z 清空各链的数据包/字节计数器

[root@michael ~]# iptables -t nat -F

[root@michael ~]# iptables -t nat -X

[root@michael ~]# iptables -t nat -Z

[root@michael ~]# iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE

来自 192.168.5.0/24 的数据包经过 nat 表 POSTROUTING 链时做源地址伪装, 转换为 eth0 接口的公网 IP 后再发出。注意此时 FORWARD 链的默认策略仍为 ACCEPT, 网关会无条件转发任何接口上收到的数据包; 生产环境应把 FORWARD 默认策略设为 DROP, 只放行 -s 192.168.5.0/24 的出站流量和 -m state --state ESTABLISHED,RELATED 的回包。

 

[root@michael ~]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

 

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

MASQUERADE all -- 192.168.5.0/24 anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@michael ~]#

clip_p_w_picpath038

Client relevant config :

clip_p_w_picpath040

 

方法2 (INPUT 默认策略改为 DROP): 经网关转发的数据包走 FORWARD 链而不经过 INPUT 链, 因此即使 INPUT 为 DROP, 内网客户端仍可通过 MASQUERADE 上网; 只是网关自身不再接受任何入站连接(包括 SSH), 需要再按第一节的方法放行所需端口。

 

[root@michael ~]# iptables -F

[root@michael ~]# iptables -X

[root@michael ~]# iptables -Z

[root@michael ~]# iptables -t nat -F

[root@michael ~]# iptables -t nat -X

[root@michael ~]# iptables -t nat -Z

[root@michael ~]#iptables -P INPUT DROP

root@michael ~]# iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE

[root@michael ~]# iptables -L

Chain INPUT (policy DROP)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

 

[root@michael ~]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

 

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

MASQUERADE all -- 192.168.5.0/24 anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

clip_p_w_picpath042

 

clip_p_w_picpath044

 

三. Squid 服务器相关配置

1. [root@michael ~]# rpm -qa | grep squid

squid-2.5.STABLE6-3.4E.12

[root@michael ~]# chkconfig --list squid

squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[root@michael ~]# chkconfig --level 35 squid on

[root@michael ~]# chkconfig --list squid

squid 0:off 1:off 2:off 3:on 4:off 5:on 6:off

[root@michael ~]# service squid restart

Stopping squid: [FAILED]

init_cache_dir /var/spool/squid... Starting squid: .[ OK ]

 

2. [root@michael ~]# squid -z (初始化 squid 缓存目录; 需在 squid 未运行时执行。这里 service squid 启动时已经执行过 init_cache_dir 且进程仍在运行, 所以提示 already running, 由下面的 ls 可以看到缓存目录已经建好)

 

2009/08/05 09:23:33| Squid is already running! Process ID 4090

[root@michael ~]# ls /var/spool/squid/

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F swap.state

[root@michael ~]# service squid restart

Stopping squid: .[ OK ]

Starting squid: .[ OK ]

3. [root@michael ~]# grep -v "#" /etc/squid/squid.conf

 

 

 

 

# Listening port for proxy requests. The transparent-proxy section later
# REDIRECTs client port-80 traffic here (iptables nat PREROUTING).
# http_port binds on all addresses, so firewall it to the client subnet.
http_port 3128

# Do not fetch dynamic (cgi-bin / query-string) URLs via cache peers...
hierarchy_stoplist cgi-bin ?

# ...and do not cache their responses either.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# Basic-auth helper settings. NOTE(review): no "auth_param basic program"
# line and no "proxy_auth" ACL appear in this listing, so these four lines
# have no effect by themselves - access is restricted by source address only.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Default freshness heuristics (min minutes, percent of age, max minutes).
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Stock ACL definitions.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT

# Cache-manager interface only from the box itself.
http_access allow manager localhost
http_access deny manager
# "Safe_ports" is not visible in this listing: the stock
# "acl Safe_ports port NN # name" lines carry trailing comments and were
# dropped by the grep -v "#" used to print this file. They are presumably
# still in squid.conf, since squid starts without complaint.
http_access deny !Safe_ports
# CONNECT tunnels only to the SSL_ports listed above.
http_access deny CONNECT !SSL_ports

# Site rule: only the internal subnet and localhost may use the proxy.
# Order matters - these come after the deny rules and before "deny all".
acl clients src 192.168.5.0/24
http_access allow clients
http_access allow localhost
http_access deny all

http_reply_access allow all

# ICP (udp/3130) queries are accepted from any host; tighten this to
# "clients" (or deny all) if no cache peers are configured.
icp_access allow all

coredump_dir /var/spool/squid

[root@michael ~]# service squid restart

Stopping squid: .[ OK ]

Starting squid: .[ OK ]

4. clip_p_w_picpath046

clip_p_w_picpath048

 

 

 

四. 配置透明代理

1. [root@michael ~]# vi /etc/squid/squid.conf

 

 

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
# Squid 2.5-style transparent proxying via the httpd_accel_* directives:
# together they let squid accept requests that iptables REDIRECTed from
# port 80 to 3128 without any browser-side proxy setting.
# NOTE(review): "michael" is this machine's hostname; squid 2.5 examples
# typically use "virtual" here for transparent setups. It works in this
# page because httpd_accel_uses_host_header on lets the client's Host:
# header decide the origin server - confirm on the target version.
httpd_accel_host michael
httpd_accel_port 80
# Keep serving ordinary (explicitly configured) proxy requests as well.
httpd_accel_with_proxy on
# Take the origin server from the Host: header. Needed for transparent
# mode, but it also lets any client make squid fetch whatever host it
# names, so the http_access rules below must stay restricted to clients.
httpd_accel_uses_host_header on
acl clients src 192.168.5.0/24
http_access allow clients
http_access allow localhost
http_access deny all

2. [root@michael ~]# service squid restart

Stopping squid: .[ OK ]

Starting squid: .[ OK ]

3.

[root@michael ~]# echo "1" &gt; /proc/sys/net/ipv4/ip_forward

[root@michael ~]# iptables -F

[root@michael ~]# iptables -X

[root@michael ~]# iptables -Z

[root@michael ~]# iptables -t nat -F

[root@michael ~]# iptables -t nat -X

[root@michael ~]# iptables -t nat -Z

[root@michael ~]# iptables -P INPUT ACCEPT ( 此项一定要为 ACCEPT, 反之透明代理不成功。原因是被 REDIRECT 到 3128 端口的数据包最终交给本机的 squid 进程, 要经过 INPUT 链; 但把 INPUT 默认策略整体改回 ACCEPT 等于撤销了第一节配置的主机防火墙。更稳妥的做法是保持 -P INPUT DROP, 只放行必要的流量: iptables -A INPUT -i lo -j ACCEPT; iptables -A INPUT -s 192.168.5.0/24 -p tcp --dport 3128 -j ACCEPT; iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT )

[root@michael ~]# iptables -P FORWARD ACCEPT

[root@michael ~]# iptables -P OUTPUT ACCEPT

[root@michael ~]# iptables -t nat -P PREROUTING ACCEPT

[root@michael ~]# iptables -t nat -P POSTROUTING ACCEPT

[root@michael ~]# iptables -t nat -P OUTPUT ACCEPT

[root@michael ~]# iptables -t nat -A PREROUTING -s 192.168.5.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

(来自 192.168.5.0/24 网络、目的端口为 TCP 80 的 WWW 访问被重定向到本机的 3128 端口, 由 squid 代理服务器处理。注意只有 TCP 80 被重定向, HTTPS(443) 及其他端口不经过 squid, 而是走下面的 MASQUERADE 规则直接出去。)

 

 

[root@michael ~]# iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE

(IP 伪装处理规则)

 

[root@michael ~]# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@michael ~]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

REDIRECT tcp -- 192.168.5.0/24 anywhere tcp dpt:http redir ports 3128

 

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

MASQUERADE all -- 192.168.5.0/24 anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

clip_p_w_picpath050

clip_p_w_picpath052

注意:LINUX主机透明代理功能如下:

 

 

1. 来自内部网络的数据包如果是访问 WWW 服务器(TCP 80), 会被 nat 表 PREROUTING 链的 REDIRECT 规则重定向到本机的 squid 代理(3128 端口)处理, squid 再按 squid.conf 中的 http_access 规则决定是否放行。

2. 来自内部网络的数据包如果是访问非 WWW 服务(如 DNS 域名解析、HTTPS 等), 则不经过 squid, 直接由 nat 表 POSTROUTING 链的 MASQUERADE 规则做 IP 伪装后转发出去, 因此这部分流量不受代理的访问控制。