共计 5383 个字符,预计需要花费 14 分钟才能阅读完成。
一、背景:
一台双网卡服务器,安装 Ubuntu Server 12.04,网卡 eth0 空置,eth1 连接局域网,IP 192.168.1.1/24,先连接了宽带路由器。
二、Squid3
尝试源码安装当前最新的 Squid3.3,遇到很多问题,懒得弄了,用 Ubuntu 源里的 3.1.19 吧。
$sudo apt-get install squid3
配置文件在 /etc/squid3/squid.conf,这个配置文件包含详细的说明,总共 5700 多行,备份一份出来仔细研究吧,再从百度、Bing、谷歌里搜一搜,最后出来这么个配置文件:
acl alldst dst all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/16 # 修改后的
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
forwarded_for delete # 修改后的,否则在远程服务器上会收到包含内网 IP 的 HTTP 头数据(X_Forwarded_for)
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet # 修改后的
http_port 192.168.1.1:3128 # 修改后的
cache_mem 1024 MB #自己看情况设定。
maximum_object_size_in_memory 2048 KB #内存缓存的最大对象。
cache_dir ufs /opt/cache 200000 16 256 #/opt 是个独立分区 240G,分配约 200G 做 cache。
coredump_dir /var/spool/squid3
logformat custcommon %>a [%tl] %3>Hs %8<st %Ss:%Sh %rm “%ru” %mt
access_log /var/log/squid3/access.log custcommon
# logformat logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# access_log /var/log/squid3/access.log squid
# 这里修改了一下默认的日志格式,更方便阅读。
# 原格式 1361289819.737 21 192.168.1.100 TCP_DENIED/403 4295 GET http://askubuntu.com/tags – NONE/- text/html
# 新格式 192.168.1.100 [21/Feb/2013:13:29:45 +0800] 200 13813 TCP_MISS:DIRECT GET “http://common.cnblogs.com/editor/tiny_mce/plugins/insertCode/images/insertCode.gif” image/gif
#
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# example lin deb packages
#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 0 20% 4320
内网 Firefox 设置代理 192.168.1.1:3128 上网正常!
三、PPPOE
1、安装、设置
$ sudo apt-get install pppoe
撤掉宽带路由器,宽带猫直接连到 eth0。
$ sudo pppoeconf
进入向导安装模式,基本都是回答 yes,尤其是开机自动连接,再填上宽带用户名和密码,ADSL 连接就设好了。手动管理 ADSL 指令如下:
$ ifconfig ppp0 #查看 ADSL 连接状态
$ sudo pon dsl-provider #手动连接 ADSL
$ sudo poff #手动断开 ADSL
$ sudo plog #查看 ADSL 连接日志,仅显示最后一次连接。
2、DNS
DNS 设置在 pppoeconf 向导中可以设置为从 ISP 获得,如果喜欢设置自己的 DNS,则
$ sudo vi /etc/resolv.conf
nameserver 8.8.8.8
3、网络接口,注:auto dsl-provider 开始的内容是 pppoeconf 向导添加的:
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
# gateway 192.168.1.254
dns-nameservers 8.8.8.8
dnd-search domain.com
auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
provider dsl-provider
auto eth0
iface eth0 inet manual
4、ADSL 断线自动重拨,找到 /etc/ppp/options 文件里如下几行
# Do not exit after a connection is terminated; instead try to reopen
# the connection.
# persist
去掉 # persist 之前的 ”# “,试试断开 ADSL、重启网络、拔掉 ADSL 网线片刻再插上等操作,ADSL 会在不久之后重新连接,这个时间么,,,有点儿长。
四、Iptables
Ubuntu 安装了 iptables,但默认没有启动 iptables,也不像 RHEL/CentOS 那样把 iptables 设置为服务。从 Centos 里复制出来一份 iptables 配置文件,按照自己的需要修改成如下内容:
# Copied from Centos6
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -s 192.168.1.0/24 –state NEW -m tcp -p tcp –dport 22 -j ACCEPT #仅允许内网连接 ssh
-A INPUT -m state -s 192.168.1.0/24 –state NEW -m tcp -p tcp –dport 3128 -j ACCEPT #仅允许内网连接代理服务
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
COMMIT
编辑网络配置文件, 在相应网卡的配置文件里增加一句
pre-up iptables-restore /etc/iptables
我的配置如下:
$ sudo vi /etc/network/interfaces
auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
pre-up iptables-restore /etc/iptables
provider dsl-provider
重启网络
$ sudo /etc/init.d/networking restart
用 nmap 测试:
配置 iptables 之前
Nmap scan report for 113.227.36.81
Host is up (0.25s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
之后
Nmap scan report for 113.227.56.137
Host is up (0.48s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
113/tcp closed auth
Nmap scan report for 192.168.1.1
Host is up (0.00022s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
内网 Firefox 设置代理 192.168.1.1:3128 上网正常!
下一步要试试透明代理~~~~~
参考:http://www.linuxidc.com/Linux/2010-04/25301.htm
配置 Squid 代理 http 和 rsync http://www.linuxidc.com/Linux/2013-05/84642.htm
Linux 下防火墙 iptables 用法规则详解 http://www.linuxidc.com/Linux/2012-08/67952.htm
Squid:实现高速的 Web 访问 http://www.linuxidc.com/Linux/2013-04/83512.htm
CentOS 6.2 编译安装 Squid 配置反向代理服务器 http://www.linuxidc.com/Linux/2012-11/74529.htm
简单配置 Squid 代理和反向代理 http://www.linuxidc.com/Linux/2014-04/99465.htm
CentOS 6.4 下 DNS+Squid+Nginx+MySQL 搭建高可用 Web 服务器 http://www.linuxidc.com/Linux/2014-04/99984.htm
Squid 的详细介绍:请点这里
Squid 的下载地址:请点这里
更多 Ubuntu 相关信息见Ubuntu 专题页面 http://www.linuxidc.com/topicnews.aspx?tid=2
