Squid transparent proxy
A transparent proxy combines NAT with a proxy. It is called transparent because the user never notices the proxy server and does not have to configure a browser or any other client tool (a download manager such as Network Express, for example); the client only needs to use the Linux server's IP address as its default gateway. When a client accesses the Internet, its request packets are forwarded through the Linux server, where iptables redirects the client's HTTP requests to the Squid proxy. The proxy fetches the external resource on the client's behalf and returns the data to the client.
When the squid package from the Red Hat Enterprise Linux 5 system CD is installed, Squid rejects all client requests by default. To let LAN users behind the Squid proxy reach the Internet, change "http_access deny all" in the configuration file /etc/squid/squid.conf to "http_access allow all". For the basic Squid configuration, refer to my blog post on Squid service installation and basic configuration.
First, install the DHCP service to assign IP addresses to users in the LAN.
After modifying the service configuration file, you need to restart the service: service dhcpd restart
Install Squid
Squid can only proxy TCP-based application protocols (HTTP, mail and the like); it cannot proxy DNS, which is carried over UDP. So that LAN users' name resolution still works, that traffic is handled with SNAT, using iptables on the Linux server.
iptables -t nat -A PREROUTING -s 192.168.2.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
This appends a rule to the PREROUTING chain of the iptables nat table: every TCP packet from the 192.168.2.0/24 network whose destination port is 80 is redirected to local port 3128. So when a LAN user's HTTP request arrives at the Linux server, its destination port is rewritten to 3128, the port Squid listens on.
Test whether the transparent proxy works:
Access-control examples:
1. Deny access from the client with IP address 192.168.2.99.
acl badclientip1 src 192.168.2.99
http_access deny badclientip1
2. Deny access from all clients in the subnet 192.168.2.0.
acl badclientnet1 src 192.168.2.0/255.255.255.0
http_access deny badclientnet1
3. Deny users access to websites with the IP address 115.239.210.26.
acl badsrvip1 dst 115.239.210.26
http_access deny badsrvip1
4. Deny users access to websites with the domain name www.163.com (domain matching is already case-insensitive; the -i flag belongs to the regex ACL types).
acl baddomain1 dstdomain www.163.com
http_access deny baddomain1
5. Deny users access to websites whose domain name contains 163.com.
acl badurl1 url_regex -i 163.com
http_access deny badurl1
6. Deny users access to URLs containing the keyword "sex".
acl badurl2 url_regex -i sex
http_access deny badurl2
7. Limit the client with IP address 192.168.16.200 to at most 5 concurrent connections (a maxconn ACL matches once the client holds more than that many connections, so the deny line must name both ACLs).
acl clientip1 src 192.168.16.200
acl conn5 maxconn 5
http_access deny clientip1 conn5
8. Deny all clients in the subnet 192.168.2.0 Internet access from ... to ..., Monday to Friday (the time range is missing from the original; replace HH:MM-HH:MM below with the intended hours).
acl clientnet1 src 192.168.2.0/255.255.255.0
acl worktime time MTWHF HH:MM-HH:MM
http_access deny clientnet1 worktime
9. Prevent clients from downloading *.mp3, *.exe, *.zip and *.rar files.
acl badfile1 urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$
http_access deny badfile1
10. Prevent QQ from reaching the Internet through the Squid proxy.
acl qq url_regex -i tencent.com
http_access deny qq
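As an added example (not code from the original post), here is a small Python evaluator for acl/http_access rules of the kinds used above. It reproduces Squid's matching behaviour: the ACL names on one http_access line are ANDed, the values within one ACL are ORed, the first matching line decides, a request that matches no line gets the opposite of the last line's action, and an http_access line that names an ACL never defined (a typo such as "deny client1 conn1" when the ACLs were called clientip1 and conn5) is rejected instead of silently ignored. The squid.conf fragment, the request dictionary layout (src, dst, url, conns) and the limited set of ACL types handled are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

CONF = r"""
# constructed squid.conf fragment for this demo (not the post's file), reusing the post's ACL names
acl lan src 192.168.2.0/255.255.255.0 192.168.16.0/24
acl baddomain1 dstdomain www.163.com
acl badfile1 urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$
acl clientip1 src 192.168.16.200
acl conn5 maxconn 5
http_access deny baddomain1
http_access deny badfile1
http_access deny clientip1 conn5
http_access allow lan
http_access deny all
"""

def parse(conf):
    acls, rules = {"all": ("src", ["0.0.0.0/0"], False)}, []  # Squid 3 has a built-in "all" (any source)
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":                        # acl NAME TYPE [-i] VALUE...
            acls.setdefault(parts[1], (parts[2], [], "-i" in parts[3:]))[1].extend(
                v for v in parts[3:] if v != "-i")
        elif parts and parts[0] == "http_access":              # http_access allow|deny NAME...
            rules.append((parts[1], parts[2:]))
    return acls, rules, sorted({n for _, ns in rules for n in ns if n not in acls})

def acl_matches(acl, req):
    kind, vals, ci = acl
    host = (urlparse(req["url"]).hostname or "").lower()
    if kind in ("src", "dst"):                 # client / server IP against IPs, CIDRs or ip/mask
        return any(ipaddress.ip_address(req[kind]) in ipaddress.ip_network(v, strict=False) for v in vals)
    if kind == "dstdomain":                    # exact host, or suffix match when the value starts with "."
        return any(host == v.lower() or (v[0] == "." and host.endswith(v.lower())) for v in vals)
    if kind in ("url_regex", "urlpath_regex"): # whole URL vs. path only; -i makes it case-insensitive
        target = req["url"] if kind == "url_regex" else (urlparse(req["url"]).path or "/")
        return any(re.search(v, target, re.IGNORECASE if ci else 0) for v in vals)
    if kind == "maxconn":                      # true when the client holds MORE than N connections
        return any(req.get("conns", 0) > int(v) for v in vals)
    raise ValueError("unsupported acl type: " + kind)

def decide(conf, req):
    acls, rules, undefined = parse(conf)
    if undefined:  # catches typos such as "http_access deny client1 conn1" naming ACLs never defined
        raise ValueError("undefined ACL(s): " + ", ".join(undefined))
    for action, names in rules:                # ACLs on one line are ANDed; the first matching line wins
        if all(acl_matches(acls[n], req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of the last line
```

Run decide(CONF, {"src": "192.168.2.10", "dst": "1.2.3.4", "url": "http://www.163.com/"}) to see a LAN client refused by baddomain1 while the same client fetching http://example.com/ is allowed by the lan line.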
This article is from the blog "life is on duty, don't seek anything". I will not repost it!