Configure transparent proxy server for Squid in Centos

I. basic configuration

Configure two NICs for the Squid Proxy Server

WAN: eth0: 10.10.10.200 gateway and DNS must be configured to allow Internet access

LAN: eth1: 172.161.254 do not need to configure gateway or DNS

Clinet: 172.16.1.2/24 gateway and DNS need to be configured

Squid (proxy) Port: 3128

System

Host Name

Server IP Address

Client IP

RedHat 5.4

Proxy

Eth0: 10.10.10.200

172.16.1.0

Eth1: 172.16.1.254

Requirements:

1. Disable single IP Access

2. 10-50 Internet Access prohibited

3. prohibit all network segment access IPs: 172.16.1.200 (MySQL)

4. Access prohibited: www.youku.com

5. forbidden access to URL containing keyword 163

6. Download of *. mp3 $ *. exe $ *. zip $ *. rar $ files are prohibited.

7. Prohibit clients from accessing the Internet from-from Monday to Friday.

8. Disable the port number for Internet access

9. the maximum number of concurrent connections is 5.

1. Configure the IP address

WAN Configuration:

[Root @ localhost ~] # Vim/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE = "eth0"

BOOTPROTO = "static"

IPADDR = 10.10.10.200

NETWASK = 255.255.255.0

GATEWAY = 10.10.10.1

: Wq save

LAN Configuration:

[Root @ localhost ~] # Vim/etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE = "eth1"

BOOTPROTO = "static"

IPADDR = 172.16.1.254

NETWASK = 255.255.255.0

: Wq save

[Root @ localhost ~] # Service network restart

2. Configure the DNS File

[Root @ localhost ~] # Vim/etc/resolv. conf

Nameserver 202.96.134.133

Nameserver 202.96.128.166

: Wq save

3. Configure the Host Name: proxy

[Root @ localhost ~] # Vim/etc/sysconfig/network

NETWORKING = yes

HOSTNAME = proxy

: Wq save

[Root @ localhost ~] # Hostname proxy

Disconnect the terminal and connect again. restart the system: ctrl + d.

[Root @ proxy ~] # Hostname

Proxy

4. SELinux disabled

SELinux disabled

Permanent method-server restart required

Modify selinux = disabled in the/etc/SELINUX/config file, and then restart the server.

Temporary method-set System Parameters

Run the setenforce 0 command.

5. Check the route table and test whether the Internet can be accessed.

[Root @ proxy ~] # Route-n

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1

0.0.0.0 10.10.10.1 0.0.0.0 UG 0 0 0 eth0

[Root @ proxy ~] # Ping www.baidu.com

PING www.a.shifen.com (220.181.111.148) 56 (84) bytes of data.

64 bytes from 220.181.111.148: icmp_seq = 1 ttl = 53 time = 42.0 MS

64 bytes from 220.181.111.148: icmp_seq = 2 ttl = 53 time = 39.6 MS

Ii. Install squid

[Root @ proxy ~] # Yum install squid-y

[Root @ proxy ~] # Rpm-ql squid | less # view the installation path

/Etc/rc. d/init. d/squid

[Root @ proxy ~] # Grep-v "^ #"/etc/squid. conf | grep-v "^ $" # important part to be modified to view the squid configuration file

[Root @ proxy ~] # Ll/var/spool/squid/

Total 0

[Root @ proxy ~] # Cp/etc/squid. conf/etc/squid. confbak # backup

1. Edit the squid configuration file

[Root @ proxy ~] # Vim/etc/squid. conf

Insert http_access allow all in the line above http_access deny all.

637 http_access allow all # set to allow access by all clients

638 http_access deny all

2995 # TAG: visible_hostname

Change

2995 visible_hostname172.16.1.254 # Set the squid visible Host Name

: Wq

[Root @ proxy ~] # Service squid start # start

Init_cache_dir/var/spool/squid... Starting squid:. [OK]

[Root @ proxy ~] # Chkconfig squid on # Set startup

[Root @ proxy ~] # Ll/var/spool/squid/

[Root @ proxy ~] # Netstat-anp | grep: 3128 # view the squid port number

Tcp 0 0 0.0.0.0: 3128 0.0.0.0: * LISTEN 5967/(squid)

2. Configure the gateway and DNS on the client

3. Enable route forwarding

[Root @ proxy ~] # Vim/etc/sysctl. conf

7. net. ipv4.ip _ forward = 0 #0 is disabled

Change

7. net. ipv4.ip _ forward = 1 #1.

: Wq save

[Root @ localhost ~] # Sysctl-p # command View

Net. ipv4.ip _ forward = 1

Net. ipv4.conf. default. rp_filter = 1

Net. ipv4.conf. default. accept_source_route = 0

Kernel. sysrq = 0

Kernel. core_uses_pid = 1

Net. ipv4.tcp _ syncookies = 1

Kernel. msgmnb = 65536

Kernel. msgmax = 65536

Kernel. shmmax = 4294967295

Kernel. shmall = 268435456

4. Configure Iptables Firewall

[Root @ proxy ~] # Setup # enter the graphic interface and Enabled the Firewall

[Root @ proxy ~] # Service iptables start # enable

[Root @ proxy ~] # Chkconfig iptables on # Start upon startup

[Root @ proxy ~] # Iptables-L # list rules

[Root @ proxy ~] # Iptables-F # clear rules

[Root @ proxy ~] # Iptables-t nat-L # list all the rules of all links in the nat table in detail

[Root @ proxy ~] # Iptables-t filter-L # list all the rules of all links in the filter table in detail

Edit the iptables configuration file and enable port 3128 of the firewall (the squid port 3128 is configured later)

[Root @ proxy ~] # Vim/etc/sysconfig/iptables

-A RH-Firewall-1-INPUT-m state -- state NEW-m tcp-p tcp -- dport3128-j ACCEPT

[Root @ proxy ~] # Service iptables restart # restart

Enable the NAT network address translation function of eth0 and DNS on the Internet.

[Root @ proxy ~] # Iptables-t nat-a postrouting-s 172.16.1.0/24-p udp -- dport 53-o eth0-j MASQUERADE

[Root @ proxy ~] # Iptables-t nat-Lvn # list all the rules of all links in the nat table in detail. Only the IP address and port number are displayed.

Set the port forwarding function to forward port 80 of eth1 to port 3128 of eth0 on the Internet.

[Root @ proxy ~] # Iptables-t nat-a prerouting-I eth1-p tcp -- dport 80-j REDIRECT -- to-ports 3128

[Root @ proxy ~] # Iptables-t nat-Lvn

Chain PREROUTING (policy ACCEPT 104 packets, 12110 bytes)

Pkts bytes targetprot optinoutsource destination

2 96 REDIRECT tcp -- eth1 * 0.0.0.0/00.0.0.0/0tcp dpt: 80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 10 packets, 752 bytes)

Pkts bytes target prot opt in out source destination

5 307 MASQUERADE udp -- * eth0 172.16.1.0/24 0.0.0.0/0 udp dpt: 53

Chain OUTPUT (policy ACCEPT 1 packets, 284 bytes)

Pkts bytes target prot opt in out source destination

[Root @ proxy ~] # Service iptables save # save rules

Saving firewall rules to/etc/sysconfig/iptables: [OK]

5. Client IE browser access: http://www.baidu.com

6. Edit the squid configuration file.

[Root @ proxy ~] # Vim/etc/squid. conf

924 http_port 3128

Change

924 http_port 3128 transparent # Listen to http requests received by port 3128

1576 # cache_mem 8 MB

Change

1576 cache_mem256MB # High-speed cache

1783 # cache_dir ufs/var/spool/squid 100 16 256

Change

1783 cache_dir ufs/var/spool/squid1024016 256 # Set the hard disk cache size to 10 Gb, the directory to/var/spool/squid, 16 first-level sub-directories, and 256 second-level sub-Directories

1945 access_log/var/log/squid/access. log squid # Set access logs

1961 cache_log/var/log/squid/cache. log # Set cache logs

1971 cache_store_log/var/log/squid/store. log # Set the webpage cache log

2941 # cache_mgr root

Change

2941 cache_mgr yanghw85@163.com # Set administrator email address

: Wq save

[Root @ proxy ~] # Service squid restart

Stopping squid: [OK]

Starting squid:. [OK]

7. test normal Internet access:

8. View logs:

[Root @ proxy ~] # Tail-f/var/log/squid/access. log

9. manually add an access control policy (Note: Apply the policy properly to avoid conflict)

[Root @ proxy ~] # Vim/etc/squid. conf

The Configuration policy starts at Row 3.

Add the following policy content below:

##################### Prohibit a single IP address from accessing the internet ############### ################

Acl badip src 172.16.1.2/32

Http_access deny badip

##################### Prohibit access to the network segment 10-50 ############### ###########

Acl badip src 172.16.1.10-172.16.1.50/32

Http_access deny badip

#################### Prohibit access to all network segments: 172.16.1.200 (MySQL )#######

Acl MySQL dst 172.16.2.100

Http_access deny MySQL

##################### Prohibit access: www.youku.com website ################

Acl web dstdomain-I www.baidu.com

Http_access deny web

##################### Forbidden access to a URL containing a keyword 163 ############# #####

Acl web163 url_regex-I 163

Http_access deny web163

########## Download prohibited *. mp3 $ *. exe $ *. zip $ *. rar $ *. doc $ type file ########

Acl webxiazai urlpath_regex-I \. mp3 $ \. exe $ \. zip $ \. rar $ \. doc $

Http_access deny webxiazai

##### Prohibit clients from accessing the Internet from 10-50 on the network segment from-from Monday to Friday ######

Acl badip src 172.16.1.10-172.16.1.50/32

Acl worktime time MTWHF-

Http_access deny badip worktime

######################## Restrict the access through port 443 ############ ################

Acl http port 443

Http_access deny http

####################### The maximum number of concurrent connections of a user is: 5 ######################

Acl client15 src 172.16.1.15

Acl conn5 maxconn 5

Http_access deny client15 conn5

: Wq

[Root @ proxy ~] # Service squid restart # restart

Stopping squid: [OK]

Starting squid:. [OK]

Configuration complete! Clients in the CIDR Block 172.16.1.0/24 can access the Internet through the proxy server 172.16.1.254.