iptables 设置(NAT和ip限制,80转发,需要有ip文件ip2.txt):
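# Gateway firewall: NAT for the LAN, destination whitelist read from ip2.txt,
# and transparent redirect of LAN web traffic (80/443) to the local squid on 3128.
# Interface roles as used by the rules below: eth0 = external, eth1 = LAN.
intra="192.168.0.0/24"        # LAN address range
myip="219.217.235.73"         # public address of this gateway (eth0)
myDNS="202.118.224.101:53"    # upstream resolver that LAN DNS queries are rewritten to
lanip="192.168.0.1"           # this gateway's LAN address (eth1)
ipt=/sbin/iptables

echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush everything and default to DROP on all three filter chains.
"$ipt" -F
"$ipt" -t nat -F
"$ipt" -P FORWARD DROP
"$ipt" -P INPUT DROP
"$ipt" -P OUTPUT DROP
"$ipt" -A INPUT  -i lo -j ACCEPT
"$ipt" -A OUTPUT -o lo -j ACCEPT

# DNS replies for queries this host sent. The original rule accepted any UDP
# packet with source port 53 on eth0, which lets an external sender reach any
# UDP port simply by using 53 as its source port; tying it to conntrack state
# keeps legitimate replies working and closes that gap.
"$ipt" -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# LAN hosts may configure either the gateway's LAN address or its public address
# as resolver; both are rewritten to the upstream resolver. The forwarded query
# still has to pass FORWARD, i.e. the resolver's address must be in the
# whitelist loaded below.
"$ipt" -t nat -A PREROUTING -p udp -s "$intra" -d "$lanip" --dport 53 -j DNAT --to-destination "$myDNS"
"$ipt" -t nat -A PREROUTING -p udp -s "$intra" -d "$myip"  --dport 53 -j DNAT --to-destination "$myDNS"

# Destination whitelist ("free" ranges). ip2.txt is read from the current working
# directory; lines with at least three fields contribute "<field1>/<field3>"
# (presumably address and prefix length). Reading line by line instead of
# word-splitting an unquoted variable keeps each entry intact.
while IFS= read -r x; do
  [[ -n "$x" ]] || continue
  "$ipt" -A FORWARD -d "$x" -j ACCEPT   # LAN -> whitelisted range
  "$ipt" -A OUTPUT  -d "$x" -j ACCEPT   # gateway itself -> whitelisted range
  printf '%s\n' "$x"
done < <(awk 'NF>2 {print $1 "/" $3}' ip2.txt)

# Return traffic for connections initiated from the LAN (forwarded) and by the
# gateway itself.
"$ipt" -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A INPUT   -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN <-> gateway. NOTE(review): this exposes every service listening on eth1
# to the LAN; limiting it to the proxy and DNS ports (--dport 3128 / 53) plus
# ESTABLISHED,RELATED would be the tighter form.
"$ipt" -A INPUT  -i eth1 -s "$intra" -j ACCEPT
"$ipt" -A OUTPUT -o eth1 -d "$intra" -j ACCEPT

# NAT: rewrite LAN sources to the gateway's public address.
"$ipt" -t nat -A POSTROUTING -o eth0 -s "$intra" -j SNAT --to-source "$myip"

# Transparent proxy: redirect LAN HTTP/HTTPS to the local squid (port 3128).
# NOTE(review): a plain HTTP accelerator port cannot terminate TLS, so the 443
# redirect is unlikely to work as intended — confirm before relying on it.
"$ipt" -t nat -A PREROUTING -i eth1 -p tcp -s "$intra" --dport 80  -j DNAT --to-destination "$lanip:3128"
"$ipt" -t nat -A PREROUTING -i eth1 -p tcp -s "$intra" --dport 443 -j DNAT --to-destination "$lanip:3128"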
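# Gateway firewall: NAT for the LAN, destination whitelist read from ip2.txt,
# and transparent redirect of LAN web traffic (80/443) to the local squid on 3128.
# Interface roles as used by the rules below: eth0 = external, eth1 = LAN.
# $intra was referenced but never assigned in this copy of the script, so every
# -s/-d "$intra" rule would have been emitted without an address and rejected
# by iptables; it is defined here with the LAN range used elsewhere on the page.
intra="192.168.0.0/24"        # LAN address range
myip="219.217.235.73"         # public address of this gateway (eth0)
myDNS="202.118.224.101:53"    # upstream resolver that LAN DNS queries are rewritten to
lanip="192.168.0.1"           # this gateway's LAN address (eth1)
ipt=/sbin/iptables

echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush everything and default to DROP on all three filter chains.
"$ipt" -F
"$ipt" -t nat -F
"$ipt" -P FORWARD DROP
"$ipt" -P INPUT DROP
"$ipt" -P OUTPUT DROP
"$ipt" -A INPUT  -i lo -j ACCEPT
"$ipt" -A OUTPUT -o lo -j ACCEPT

# DNS replies for queries this host sent. The original rule accepted any UDP
# packet with source port 53 on eth0, which lets an external sender reach any
# UDP port simply by using 53 as its source port; tying it to conntrack state
# keeps legitimate replies working and closes that gap.
"$ipt" -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# LAN hosts may configure either the gateway's LAN address or its public address
# as resolver; both are rewritten to the upstream resolver. The forwarded query
# still has to pass FORWARD, i.e. the resolver's address must be in the
# whitelist loaded below.
"$ipt" -t nat -A PREROUTING -p udp -s "$intra" -d "$lanip" --dport 53 -j DNAT --to-destination "$myDNS"
"$ipt" -t nat -A PREROUTING -p udp -s "$intra" -d "$myip"  --dport 53 -j DNAT --to-destination "$myDNS"

# Destination whitelist ("free" ranges). ip2.txt is read from the current working
# directory; lines with at least three fields contribute "<field1>/<field3>"
# (presumably address and prefix length). Reading line by line instead of
# word-splitting an unquoted variable keeps each entry intact.
while IFS= read -r x; do
  [[ -n "$x" ]] || continue
  "$ipt" -A FORWARD -d "$x" -j ACCEPT   # LAN -> whitelisted range
  "$ipt" -A OUTPUT  -d "$x" -j ACCEPT   # gateway itself -> whitelisted range
  printf '%s\n' "$x"
done < <(awk 'NF>2 {print $1 "/" $3}' ip2.txt)

# Return traffic for connections initiated from the LAN (forwarded) and by the
# gateway itself.
"$ipt" -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A INPUT   -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN <-> gateway. NOTE(review): this exposes every service listening on eth1
# to the LAN; limiting it to the proxy and DNS ports (--dport 3128 / 53) plus
# ESTABLISHED,RELATED would be the tighter form.
"$ipt" -A INPUT  -i eth1 -s "$intra" -j ACCEPT
"$ipt" -A OUTPUT -o eth1 -d "$intra" -j ACCEPT

# NAT: rewrite LAN sources to the gateway's public address.
"$ipt" -t nat -A POSTROUTING -o eth0 -s "$intra" -j SNAT --to-source "$myip"

# Transparent proxy: redirect LAN HTTP/HTTPS to the local squid (port 3128).
# NOTE(review): a plain HTTP accelerator port cannot terminate TLS, so the 443
# redirect is unlikely to work as intended — confirm before relying on it.
"$ipt" -t nat -A PREROUTING -i eth1 -p tcp -s "$intra" --dport 80  -j DNAT --to-destination "$lanip:3128"
"$ipt" -t nat -A PREROUTING -i eth1 -p tcp -s "$intra" --dport 443 -j DNAT --to-destination "$lanip:3128"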
squid设置:
/etc/squid/squid.conf文件:(需要有ip列表文件/etc/squid/freeip_for_squid.txt,一行一个ip/mask)
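# /etc/squid/squid.conf — transparent (accelerator-mode) proxy on the LAN gateway.
# Requires /etc/squid/freeip_for_squid.txt with one ip/mask per line.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user squid
cache_effective_group squid
visible_hostname hit405

acl all src 0.0.0.0/0.0.0.0
# Clients allowed to use the proxy. Without a source restriction the allow rule
# below is open to any host able to reach the proxy port, not just the LAN.
acl our src 192.168.0.0/255.255.255.0
# Destinations that may be reached ("free" ranges), one ip/mask per line.
acl freeip1 dst "/etc/squid/freeip_for_squid.txt"

# Variant 1 (active): LAN clients may reach whitelisted destinations only;
# everything else is denied with an error page.
http_access allow our freeip1
http_access deny all

# Variant 2 (left disabled by the author, noted as having problems): send
# non-whitelisted destinations to a parent proxy instead of denying them.
# cache_peer 219.232.9.181 parent 80 0 no-query no-digest no-netdb-exchange
# cache_peer_access 219.232.9.181 allow !freeip1
# cache_peer_access 219.232.9.181 deny freeip1
# always_direct deny !freeip1
# always_direct allow freeip1
# never_direct allow !freeip1
# never_direct deny freeip1
# http_access allow all

cache_dir ufs /var/spool/squid 100 16 256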
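# /etc/squid/squid.conf — transparent (accelerator-mode) proxy on the LAN gateway.
# Requires /etc/squid/freeip_for_squid.txt with one ip/mask per line.
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user squid
cache_effective_group squid
visible_hostname hit405

acl all src 0.0.0.0/0.0.0.0
# Clients allowed to use the proxy. Without a source restriction the allow rule
# below is open to any host able to reach the proxy port, not just the LAN.
acl our src 192.168.0.0/255.255.255.0
# Destinations that may be reached ("free" ranges), one ip/mask per line.
acl freeip1 dst "/etc/squid/freeip_for_squid.txt"

# Variant 1 (active): LAN clients may reach whitelisted destinations only;
# everything else is denied with an error page.
http_access allow our freeip1
http_access deny all

# Variant 2 (left disabled by the author, noted as having problems): send
# non-whitelisted destinations to a parent proxy instead of denying them.
# cache_peer 219.232.9.181 parent 80 0 no-query no-digest no-netdb-exchange
# cache_peer_access 219.232.9.181 allow !freeip1
# cache_peer_access 219.232.9.181 deny freeip1
# always_direct deny !freeip1
# always_direct allow freeip1
# never_direct allow !freeip1
# never_direct deny freeip1
# http_access allow all

cache_dir ufs /var/spool/squid 100 16 256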
执行以下命令启动squid
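# First-time setup and start of squid under the dedicated 'squid' account.
mkdir -p /var/spool/squid /var/log/squid
# System account with no login shell (the nologin path may differ per distribution).
useradd -r -s /sbin/nologin squid
# Hand the cache and log directories to squid; chowning a single log file fails
# when it does not exist yet, so the directories are used instead.
chown -R squid /var/spool/squid /var/log/squid
# cp ERR_ACCESS_DENIED /usr/share/squid/errors/English
# The original line had an unterminated quote that swallowed the rest of the script.
printf '%s\n' "..restart"
# Reload a running instance, if any; without one -k reconfigure only reports an error.
squid -k reconfigure 2>/dev/null || true
# Create the cache directory structure, then start squid.
squid -z
squid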
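# First-time setup and start of squid under the dedicated 'squid' account.
# Directories are created first so the chown below cannot fail on a fresh host.
mkdir -p /var/spool/squid /var/log/squid
# System account with no login shell (the nologin path may differ per distribution).
useradd -r -s /sbin/nologin squid
# Hand the cache and log directories to squid; chowning a single log file fails
# when it does not exist yet, so the directories are used instead.
chown -R squid /var/spool/squid /var/log/squid
# cp ERR_ACCESS_DENIED /usr/share/squid/errors/English
# The original line had an unterminated quote that swallowed the rest of the script.
printf '%s\n' "..restart"
# Reload a running instance, if any; without one -k reconfigure only reports an error.
squid -k reconfigure 2>/dev/null || true
# Create the cache directory structure, then start squid.
squid -z
squid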