Linux networking (6): Proxy Server

Article Title: Linux networking entry (6): proxy server. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Author: fjxufeng
　　
To save and control Internet spending, many companies and offices have applied for a ddnleased line to connect the entire company or office into a LAN, and then allow the entire LAN to share the ddnleased line. In this case, as shown in, we must use a proxy server.
　　
-1 use proxy servers to access the Internet
　　
　　
7.1 HTTP Proxy Server
A proxy server, as its name implies, is a machine that cannot directly access the Internet on the local area. For example, a browser can send an Internet request to a proxy server that can directly access the Internet, and then the proxy server proxy can complete the Internet request, call the main page to the proxy server's cache, and then send the page to the requester. In this way, machines on the LAN are used just as they can directly access the network.
In addition, the proxy server can also filter and control some websites, so that we can use it to achieve the original intention-control and save Internet access costs.
In LINUX, Squid Proxy Server, a powerful http/https/ftp Proxy Server, is widely used because it is easy to install and easy to use. It is included in the RedHat LINUX installation CD. The following describes how to use it.
　　
7.1.1 install Squid Proxy Server
Because the Squid RPM installation package is used on the installation disc, we can use RPM to install Squid.
Rpm? Ivh squid-1.1.22-2.rpm
Of course, because the installation package is on a CD, we need to mount the CD to the file system before installation.
In this way, squid is installed and the corresponding initial settings are made.
　　
7.1.2 Initial Configuration
Squid Proxy Server has only one configuration file --/etc/squid. conf. We must modify it to apply to our system. The following are some basic configuration options. We can use vi to open this file and edit it.
1. Set the proxy port number for http/https/ftp:
The default value of the proxy port is 3128, which can be modified according to your preferences. However, you must note that you must never conflict with some famous ports, such as POP port -- 110. If you are not familiar with it, keep the default value.
The following is a sentence in the/etc/squid. conf file:
Http_port 3128
2. Add an access control group:
We define different users to be differentiated into an access control group. For example, the Intranet IP address of a company is 192.168.200.0. In addition, if you only want two types of users in the Branch and out of the company, add the following two sentences to the/etc/squid. conf file:
Acl all src 0.0.0.0/0.0.0.0
Acl company src 192.168.200.0/255.255.255.0
In this way, we define a group that contains all people and a group that contains all people on the company intranet. The following describes how to set access power for the two groups.
3. Set the access power for each access control group:
For example, if we want everyone in the company to access the Internet through the proxy server and prohibit others from using the proxy server, we will be in/etc/squid. add the following two sentences to the conf file:
Http_access allow company
Http_access deny all
That is, we allow the "company" group to use proxy servers, while the "all" deny (Forbidden) group other than this group to use proxy servers. Note that these two sentences cannot be exchanged sequentially. Otherwise, all users are prohibited from using the service.
Please have a good understanding.
4. Save the disk and exit;
5. Execute the following command to make the new configuration take effect:
/Etc/rc. d/init. d/squid restart
The above is just the most basic setting. squid provides many powerful options for you to perform more detailed settings based on the actual situation. In the/etc/squid. conf file, each setting has a detailed comment. You can refer to these help for more settings for squid.
　　
7.1.3 client settings
The following uses IE as an example to briefly describe the settings of clients on the LAN.
1. Open IE and select "Tools" on the menu bar"®"Internet Options"®"Connection"®The "LAN Settings" dialog box appears, as shown in:
　　
-2 LAN Settings
, Select the "use proxy server" option, and fill in the proxy server IP address 192.168.9.1 and the proxy port number 3128.
2. to better use the squid proxy server, we can perform more detailed settings and click "Advanced ..." Button to go To the Proxy Server Settings dialog box shown in 7-3.
　　
-3 Proxy Settings dialog box
　　
Because Squid is an http and ftp proxy server, we should change the protocol for using the proxy server to only http and ftp, as shown in the following figure:
　　
-4. Modified Proxy Server
　　
7.2 IP Proxy Server
By using the HTTP proxy server, each computer in the LAN can obtain three types of services: http, https, and ftp. Next we will discuss how to make LINUX an IP proxy server that connects to the LAN and the Internet seamlessly.
In the Internet, each host must have a unique IP address. The current IP protocol is IPV4 and the fourth version of the IP protocol. When designing it, although people have boldly used 32-bit addresses (about 32 billion different addresses ), but it still cannot meet the increasing network needs. Therefore, the network community has begun to research and transition to IPV6 (using 128-bit addresses, which can represent different addresses in the fourth power of 32 billion ). However, when new IP protocols are not yet adopted, people can only use some compromise methods.
The most common method is to apply for public addresses if a network is directly connected to the Internet. These public addresses are unique and are not repeated. For those networks that do not intend to directly connect to the Internet, some "private addresses" that are allowed to be repeated are used ". In this way, although these private addresses may be used by many networks, they do not affect each other because they do not communicate with each other. According to RFC 1918, the following address is "private address ":
1 class A address: 10.0.0.0
16 class B addresses: 172.16.0.0 ~ 172.31.0.0
256 Class C addresses are used for private addresses: 192.168.0.0 ~ 192.168.255.0
That is to say, use these network addresses to define the Intranet, and then connect to the Internet through a gateway or other systems that can perform the "Network Address Translation" function. As shown in:
　　
-5 work on the IP Proxy Server
As shown in, the private IP address is used on the LAN, and the gateway has two IP addresses, one for the Intranet, and the other for the world's only public IP address. Generally, you can obtain eight public addresses after applying for a ddnleased line.
In the subsequent sections, we will use this figure as a prototype to discuss specific settings. It is worth noting that, although only two LAN servers are shown in the figure, the maximum number of LAN servers can be expanded to 254. (Because we use a class C address: 192.168.200.0)
　　
7.3 install the IP Proxy Server
7.3.1 re-compile the kernel
If you are using RedHat LINUX 6.0, skip this section. Because the RedHat LINUX 6.0 has completed this part of work. Otherwise, check whether the following options are consistent with the requirements.
IP: forwarding/gatewaying (CONFIG_IP_FORWARD) [Y/n] y
IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n] y
NetWork firewils (CONFIG_FIREWALL) [y/n] y
TCP/IP networking (CONFIG_NET) [y/n] y
IP: firewalling (CONFIG_IP_FIREWALL) [y/n] y
IP: masquerading (CONFIG_IP_MASQUERADE) y
　　
7.3.2 configure two NICs
To use the computer as the IP proxy server, you must install two NICs and ensure that the two NICs eth0 and eth1 are working properly. For more information about Nic configuration, see Chapter 3. During Nic configuration, you can use the following command to reload the NIC:
/Etc/rc. d/init. d/network restart
Set the IP addresses of the two NICs according to the actual situation. One is the IP addresses in the LAN and the other is the public IP addresses connected to the Internet. For example:
We use the first network adapter (eth0) to connect the IP proxy server to the Intranet switch, then the Intranet IP address is assigned to the first network adapter.
IP address: 192.168.200.1 netmask: 255.255.255.0
We use the second network card (eth1) to connect the IP proxy server to the ddnleased line (this part of the connection is generally set by the provider isp of the ddnleased line. The public address obtained along with DDN is assigned to the Second Nic.
IP address: 202.101.98.1 netmask: 255.255.255.0
　　
7.3.3 set IP Forwarding rules
Different LINUX kernel versions provide different IP Forwarding rules. In earlier versions, ipfwadm was used, and ipchains were used in new versions (Versions later than LINUX 2.2. The following describes how to use ipchains to set IP Forwarding rules.
1. Setting ideas
In general, we can use the following two methods to set IP Forwarding rules:
1) deny all input, output, and forwarding packets, and then gradually open the required services as needed. This method is relatively safer, but it is not easy to know which services and ports should be opened if you are not sure about the services and functions to be implemented.
2) We can also open all input, output, and forwarding packets first. Then, some dangerous packets, IP spoofing packets, broadcast packets, and ICMP service attacks are prohibited. The disadvantage of this method is that it is not safe enough. But it is convenient and easy to configure. Therefore, this method is used as the setting method.
2. Preparations before configuration
Before setting, we should have a comprehensive understanding of the network environment and requirements we want to set, so that we can be aware of the setting. In this example, we use-5 as a reference.
In addition, because there are many IP Forwarding rules that are easy to change, we generally create a special script file (for example:/etc/ipchains. set) to store the forwarding rules of these IP addresses. After the chmod is created, run the chmod command to grant it executable permissions. Then run the IP address forwarding rule.
To enable this IP Forwarding rule to take effect immediately after it is started, we must add a line in/etc/rc. d/rc. local:
/Etc/ipchains. set
3. Basic Knowledge
The Linux kernel defines three