I. Basic configuration
Configure two NICs for the Squid proxy server:
WAN: eth0: 10.10.10.200; a gateway and DNS must be configured so the server can reach the Internet.
LAN: eth1: 172.16.1.254; no gateway or DNS needs to be configured on this interface.
Client: 172.16.1.2/24; gateway and DNS need to be configured.
Squid (proxy) port: 3128
System       Host Name   Server IP Address      Client IP
RedHat 5.4   proxy       eth0: 10.10.10.200     172.16.1.0
                         eth1: 172.16.1.254
Requirements:
1. Prohibit a single IP address from accessing the Internet.
2. Prohibit the address range 172.16.1.10-172.16.1.50 from accessing the Internet.
3. Prohibit the whole network segment from accessing the IP address 172.16.1.200 (MySQL).
4. Prohibit access to www.youku.com.
5. Prohibit access to any URL containing the keyword 163.
6. Prohibit downloads of *.mp3, *.exe, *.zip and *.rar files.
7. Prohibit clients from accessing the Internet during the specified hours, Monday to Friday.
8. Prohibit Internet access through a specified port number.
9. Limit each user to a maximum of 5 concurrent connections.
1. Configure the IP addresses
WAN configuration:
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="static"
IPADDR=10.10.10.200
NETMASK=255.255.255.0
GATEWAY=10.10.10.1
:wq (save and quit)
LAN configuration:
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE="eth1"
BOOTPROTO="static"
IPADDR=172.16.1.254
NETMASK=255.255.255.0
:wq (save and quit)
[root@localhost ~]# service network restart
2. Configure the DNS file
[root@localhost ~]# vim /etc/resolv.conf
nameserver 202.96.134.133
nameserver 202.96.128.166
:wq (save and quit)
3. Configure the host name: proxy
[root@localhost ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=proxy
:wq (save and quit)
[root@localhost ~]# hostname proxy
Log out of the terminal (Ctrl+D) and log in again so the shell picks up the new host name.
[root@proxy ~]# hostname
proxy
4. Disable SELinux
Permanent method (server restart required):
Set SELINUX=disabled in the /etc/selinux/config file, then restart the server. If you would rather keep SELinux logging denials without enforcing them, use SELINUX=permissive instead.
Temporary method (set the system parameter at run time):
Run the setenforce 0 command; this puts SELinux into permissive mode until the next reboot.
5. Check the routing table and test whether the Internet can be reached.
[root@proxy ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 eth0
[root@proxy ~]# ping www.baidu.com
PING www.a.shifen.com (220.181.111.148) 56(84) bytes of data.
64 bytes from 220.181.111.148: icmp_seq=1 ttl=53 time=42.0 ms
64 bytes from 220.181.111.148: icmp_seq=2 ttl=53 time=39.6 ms
II. Install Squid
[root@proxy ~]# yum install squid -y
[root@proxy ~]# rpm -ql squid | less    # view the installation paths
/etc/rc.d/init.d/squid
[root@proxy ~]# grep -v "^#" /etc/squid.conf | grep -v "^$"    # show only the active (non-comment, non-blank) lines of the Squid configuration; these are the parts to be modified
[root@proxy ~]# ll /var/spool/squid/
total 0
[root@proxy ~]# cp /etc/squid.conf /etc/squid.conf.bak    # back up the configuration
1. Edit the Squid configuration file
[root@proxy ~]# vim /etc/squid.conf
Insert http_access allow all on the line above http_access deny all:
637 http_access allow all    # allow access from all clients
638 http_access deny all
2995 # TAG: visible_hostname
Change to
2995 visible_hostname 172.16.1.254    # set Squid's visible host name
:wq
[root@proxy ~]# service squid start    # start Squid
init_cache_dir /var/spool/squid... Starting squid: .    [  OK  ]
[root@proxy ~]# chkconfig squid on    # start Squid at boot
[root@proxy ~]# ll /var/spool/squid/
[root@proxy ~]# netstat -anp | grep :3128    # check that Squid is listening on its port
tcp        0      0 0.0.0.0:3128    0.0.0.0:*    LISTEN    5967/(squid)
2. Configure the gateway and DNS on the client
3. Enable route forwarding
[root@proxy ~]# vim /etc/sysctl.conf
7 net.ipv4.ip_forward = 0    # 0 = forwarding disabled
Change to
7 net.ipv4.ip_forward = 1    # 1 = forwarding enabled
:wq (save and quit)
[root@localhost ~]# sysctl -p    # apply and display the settings
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
4. Configure the iptables firewall
[root@proxy ~]# setup    # open the text-mode setup tool and enable the firewall
[root@proxy ~]# service iptables start    # start the firewall
[root@proxy ~]# chkconfig iptables on    # start at boot
[root@proxy ~]# iptables -L    # list rules
[root@proxy ~]# iptables -F    # flush rules
[root@proxy ~]# iptables -t nat -L    # list the rules of every chain in the nat table
[root@proxy ~]# iptables -t filter -L    # list the rules of every chain in the filter table
Edit the iptables configuration file and open port 3128 in the firewall (the Squid port 3128 is configured later):
[root@proxy ~]# vim /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
[root@proxy ~]# service iptables restart    # restart
Enable NAT (masquerading) on eth0 so that DNS queries from the LAN reach the Internet:
[root@proxy ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -p udp --dport 53 -o eth0 -j MASQUERADE
[root@proxy ~]# iptables -t nat -L -vn    # list the rules of every chain in the nat table in detail, with numeric addresses and ports only
Set up port redirection so that HTTP traffic (TCP port 80) arriving on eth1 is redirected to Squid's local port 3128:
[root@proxy ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
[root@proxy ~]# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 104 packets, 12110 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2    96 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT 10 packets, 752 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   307 MASQUERADE udp  --  *      eth0    172.16.1.0/24        0.0.0.0/0           udp dpt:53
Chain OUTPUT (policy ACCEPT 1 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@proxy ~]# service iptables save    # save the rules
Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
5. On the client, open http://www.baidu.com in the IE browser to test access.
6. Edit the Squid configuration file.
[root@proxy ~]# vim /etc/squid.conf
924 http_port 3128
Change to
924 http_port 3128 transparent    # accept the redirected (transparent) HTTP requests on port 3128
1576 # cache_mem 8 MB
Change to
1576 cache_mem 256 MB    # memory cache size
1783 # cache_dir ufs /var/spool/squid 100 16 256
Change to
1783 cache_dir ufs /var/spool/squid 10240 16 256    # disk cache: 10 GB in /var/spool/squid, 16 first-level and 256 second-level subdirectories
1945 access_log /var/log/squid/access.log squid    # access log
1961 cache_log /var/log/squid/cache.log    # cache log
1971 cache_store_log /var/log/squid/store.log    # cached object (store) log
2941 # cache_mgr root
Change to
2941 cache_mgr yanghw85@163.com    # administrator email address
:wq (save and quit)
[root@proxy ~]# service squid restart
Stopping squid: [  OK  ]
Starting squid: .    [  OK  ]
7. Test normal Internet access from the client.
8. View the logs:
[root@proxy ~]# tail -f /var/log/squid/access.log
9. Manually add access control policies (note: order the policies carefully to avoid conflicts)
[root@proxy ~]# vim /etc/squid.conf
The configuration policy section starts at line 3. Squid evaluates http_access rules from top to bottom and stops at the first match, so every deny rule below must be placed above the http_access allow all line added earlier (line 637), otherwise it is never reached.
Add the following policy content:
##################### Prohibit a single IP address from accessing the Internet #####################
acl badip src 172.16.1.2/32
http_access deny badip
##################### Prohibit the address range 172.16.1.10-172.16.1.50 from accessing the Internet #####################
acl badrange src 172.16.1.10-172.16.1.50/32
http_access deny badrange
#################### Prohibit the whole network segment from accessing 172.16.1.200 (MySQL) ####################
acl MySQL dst 172.16.1.200
http_access deny MySQL
##################### Prohibit access to the website www.youku.com #####################
acl web dstdomain -i www.youku.com
http_access deny web
##################### Prohibit access to any URL containing the keyword 163 #####################
acl web163 url_regex -i 163
http_access deny web163
########## Prohibit downloading *.mp3, *.exe, *.zip, *.rar and *.doc files ##########
acl webxiazai urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$ \.doc$
http_access deny webxiazai
##### Prohibit the address range 172.16.1.10-172.16.1.50 from accessing the Internet during the specified hours, Monday to Friday #####
acl badrange src 172.16.1.10-172.16.1.50/32    # same definition as above; declare it only once if both policies are used
acl worktime time MTWHF -    # append the working-hours range here as hh:mm-hh:mm
http_access deny badrange worktime
######################## Restrict access through port 443 ########################
acl http port 443
http_access deny http
####################### Limit a user to a maximum of 5 concurrent connections #######################
acl client15 src 172.16.1.15
acl conn5 maxconn 5
http_access deny client15 conn5
:wq
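Because a deny rule placed below http_access allow all can never match, this added check (not part of the original tutorial) scans a squid.conf for deny rules that come after the first allow all line. The configuration fragment in the heredoc is constructed for the demonstration and deliberately contains one misplaced rule.

```shell
#!/bin/sh
# Squid evaluates http_access rules top-down and stops at the first match,
# so any "http_access deny ..." placed after "http_access allow all" is dead.
# Constructed sample squid.conf fragment (not the page's real file): the
# "deny web" rule is deliberately placed below "allow all" to trigger the check.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
acl badip src 172.16.1.2/32
http_access deny badip
acl web dstdomain -i www.youku.com
http_access allow all
http_access deny web
http_access deny all
EOF

# unreachable_denies CONF
# Prints "LINE: text" for every deny rule (other than the final "deny all")
# that appears after the first "http_access allow all" line.
unreachable_denies() {
    awk '/^[ \t]*http_access[ \t]+allow[ \t]+all/ && !seen { seen = NR }
         seen && NR > seen && /^[ \t]*http_access[ \t]+deny[ \t]/ && !/deny[ \t]+all[ \t]*$/ { print NR ": " $0 }' "$1"
}

# check_order CONF -> exit status 0 if every deny rule is reachable, 1 otherwise
check_order() {
    [ -z "$(unreachable_denies "$1")" ]
}

unreachable_denies "$SAMPLE_CONF"
```

Run it against the real file with `unreachable_denies /etc/squid.conf` after editing; an empty result means every deny rule sits above the allow all line.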
[root@proxy ~]# service squid restart    # restart
Stopping squid: [  OK  ]
Starting squid: .    [  OK  ]
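To confirm after the restart that the policies actually fire, this added example (not from the original tutorial) summarises Squid native-format access.log lines as written by the access_log setting above: denied requests per client and per destination host, plus requests that were served although their URL matches a pattern the policy should block. The five log lines are constructed sample data.

```shell
#!/bin/sh
# Summarise Squid native-format access.log lines. Field layout:
#   timestamp elapsed client action/code size method URL ident hierarchy/from type
# Constructed sample lines (not from the page); the last one shows a request to a
# "163" URL that was served instead of denied, i.e. a policy that is not firing.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1262304000.101    120 172.16.1.2 TCP_DENIED/403 1695 GET http://www.baidu.com/ - NONE/- text/html
1262304001.202     95 172.16.1.15 TCP_MISS/200 5120 GET http://www.baidu.com/ - DIRECT/220.181.111.148 text/html
1262304002.303     88 172.16.1.20 TCP_DENIED/403 1695 GET http://www.youku.com/ - NONE/- text/html
1262304003.404     90 172.16.1.20 TCP_DENIED/403 1695 GET http://music.example/song.mp3 - NONE/- text/html
1262304004.505     70 172.16.1.60 TCP_HIT/200 2048 GET http://www.163.com/ - NONE/- text/html
EOF

# count_denied LOG -> total number of TCP_DENIED requests
count_denied() {
    awk '$4 ~ /^TCP_DENIED\// { n++ } END { print n + 0 }' "$1"
}

# denied_by_client LOG -> "client count" lines, most denied first
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ } END { for (c in n) print c, n[c] }' "$1" \
        | sort -k2,2nr -k1,1
}

# denied_by_host LOG -> "host count" lines for denied requests (host taken from the URL)
denied_by_host() {
    awk '$4 ~ /^TCP_DENIED\// { split($7, u, "/"); n[u[3]]++ } END { for (h in n) print h, n[h] }' "$1" \
        | sort -k2,2nr -k1,1
}

# policy_gaps LOG REGEX -> "client URL" for requests that were NOT denied but whose
# URL matches REGEX; a non-empty result means a deny rule is missing or unreachable
policy_gaps() {
    awk -v re="$2" '$4 !~ /^TCP_DENIED\// && $7 ~ re { print $3, $7 }' "$1"
}

echo "denied requests: $(count_denied "$SAMPLE_LOG")"
denied_by_client "$SAMPLE_LOG"
policy_gaps "$SAMPLE_LOG" '163'
```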
Configuration complete! Clients in the CIDR block 172.16.1.0/24 can now access the Internet through the proxy server 172.16.1.254.