zoukankan      html  css  js  c++  java
  • Ubuntu配置adsl + squid + iptables代理服务器

    一、背景:

         一台双网卡服务器,安装Ubuntu Server 12.04,网卡 eth0 空置,eth1连接局域网,IP 192.168.1.1/24,先连接了宽带路由器。

    二、Squid3

    尝试源码安装当前最新的Squid3.3,遇到很多问题,懒得弄了,用Ubuntu源里的3.1.19吧。
    $sudo apt-get install squid3

    配置文件在 /etc/squid3/squid.conf,这个配置文件包含详细的说明,总共5700多行,备份一份出来仔细研究吧,再从百度、Bing、谷歌里搜一搜,最后出来这么个配置文件:
    acl alldst dst all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    acl localnet src 192.168.1.0/16       # 修改后的
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT

    forwarded_for delete        # 修改后的,否则在远程服务器上会收到包含内网IP的 HTTP头数据(X_Forwarded_for)
    acl_uses_indirect_client on
    delay_pool_uses_indirect_client on

    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet  # 修改后的
    http_port 192.168.1.1:3128     # 修改后的

    cache_mem 1024 MB             #自己看情况设定。
    maximum_object_size_in_memory 2048 KB   #内存缓存的最大对象。
    cache_dir ufs /opt/cache 200000 16 256    #/opt 是个独立分区 240G,分配约200G做cache。
    coredump_dir /var/spool/squid3

    logformat custcommon %>a [%tl] %3>Hs %8<st %Ss:%Sh %rm "%ru" %mt
    access_log /var/log/squid3/access.log custcommon

    #   logformat logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
    #   access_log /var/log/squid3/access.log squid
    # 这里修改了一下默认的日志格式,更方便阅读。
    # 原格式 1361289819.737     21 192.168.1.100 TCP_DENIED/403 4295 GET http://askubuntu.com/tags - NONE/- text/html
    # 新格式 192.168.1.100 [21/Feb/2013:13:29:45 +0800] 200    13813 TCP_MISS:DIRECT GET "http://common.cnblogs.com/editor/tiny_mce/plugins/insertCode/images/insertCode.gif" image/gif
    #

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
    # example lin deb packages
    #refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
    refresh_pattern .               0       20%     4320

    内网Firefox设置代理 192.168.1.1:3128 上网正常!

    三、PPPOE

    1、安装、设置
    $ sudo apt-get install pppoe

    撤掉宽带路由器,宽带猫直接连到eth0。
    $ sudo pppoeconf
    进入向导安装模式,基本都是回答yes,尤其是开机自动连接,再填上宽带用户名和密码,ADSL连接就设好了。手动管理ADSL指令如下:            

    $ ifconfig ppp0                  #查看ADSL连接状态
    $ sudo pon dsl-provider    #手动连接ADSL  
    $ sudo poff         #手动断开ADSL
    $ sudo plog        #查看ADSL连接日志,仅显示最后一次连接。

    2、DNS
    DNS设置在 pppoeconf向导中可以设置为从ISP获得,如果喜欢设置自己的DNS,则
    $ sudo vi /etc/resolv.conf
    nameserver 8.8.8.8

    3、网络接口,注:auto dsl-provider开始的内容是pppoeconf向导添加的:
    $ cat /etc/network/interfaces
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    auto eth1
    iface eth1 inet static
            address 192.168.1.1
            netmask 255.255.255.0
            network 192.168.1.0
            broadcast 192.168.1.255
    #        gateway 192.168.1.254
            dns-nameservers 8.8.8.8
            dnd-search domain.com

    auto dsl-provider
    iface dsl-provider inet ppp
    pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
    provider dsl-provider

    auto eth0
    iface eth0 inet manual

    4、ADSL断线自动重拨,找到/etc/ppp/options 文件里如下几行
    # Do not exit after a connection is terminated; instead try to reopen
    # the connection.
    # persist

    去掉 # persist 之前的"# ",试试断开ADSL、重启网络、拔掉ADSL网线片刻再插上等操作,ADSL会在不久之后重新连接,这个时间么,,,有点儿长。

    四、Iptables

    Ubuntu安装了 iptables,但默认没有启动iptables,也不像 RHEL/Centos 那样把iptables设置为服务。从Centos里复制出来一份 iptables 配置文件,按照自己的需要修改成如下内容:
    # Copied from Centos6
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state -s 192.168.1.0/24 --state NEW -m tcp -p tcp --dport 22 -j ACCEPT      #仅允许内网连接ssh
    -A INPUT -m state -s 192.168.1.0/24 --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT  #仅允许内网连接代理服务
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    编辑网络配置文件, 在相应网卡的配置文件里增加一句
    pre-up iptables-restore /etc/iptables
    我的配置如下:
    $ sudo vi /etc/network/interfaces

    auto dsl-provider
    iface dsl-provider inet ppp
    pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
    pre-up iptables-restore /etc/iptables
    provider dsl-provider

    重启网络
    $ sudo /etc/init.d/networking restart

    用nmap测试:
    配置iptables之前
    Nmap scan report for 113.227.36.81
    Host is up (0.25s latency).
    Not shown: 992 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    135/tcp  filtered msrpc
    139/tcp  filtered netbios-ssn
    445/tcp  filtered microsoft-ds
    593/tcp  filtered http-rpc-epmap
    1025/tcp filtered NFS-or-IIS
    1434/tcp filtered ms-sql-m
    4444/tcp filtered krb524

    之后
    Nmap scan report for 113.227.56.137
    Host is up (0.48s latency).
    Not shown: 999 filtered ports
    PORT    STATE  SERVICE
    113/tcp closed auth

    Nmap scan report for 192.168.1.1
    Host is up (0.00022s latency).
    Not shown: 998 filtered ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    3128/tcp open  squid-http

    内网Firefox设置代理 192.168.1.1:3128 上网正常!

    下一步要试试透明代理~~~~~

    参考:
    http://moko39848381.blog.163.com/blog/static/139827331201012613845110/
    http://www.linuxidc.com/Linux/2010-04/25301.htm
    以及百度、Bing、Google

  • 相关阅读:
    vs2013配置opencv2.4.13(txt中复制粘贴即可,一次配置永久使用)
    描述性统计量
    Ubuntu创建、删除文件与目录
    Linux下服务器端开发流程及相关工具介绍(C++)
    TCP 协议如何保证可靠传输
    真实记录疑似Linux病毒导致服务器 带宽跑满的解决过程
    Windbg程序调试--转载
    原来问题在这里-我的memory leak诊断历程
    用WinDbg分析Debug Diagnostic Tool生成的Userdump文件
    一个内存增长问题的分析和处理(三)
  • 原文地址:https://www.cnblogs.com/panblack/p/ubuntu_adsl_squid_iptables.html
Copyright © 2011-2022 走看看