Linux + iptables + squid Policy Routing implementation

Source: Internet
Author: User
1. Environment
Network Access: 2 lines (1 CT + 1 CNC)
Intranet users: Internet access and other application requirements

2. Network Topology
                                      /--------> eth1: 10.10.10.23/24 ---> CT route  ---> Internet
Intranet ---> eth0 (192.168.0.1) ---> Linux proxy
                                      \--------> eth2: 10.0.0.75/24  ---> CNC route ---> Internet

3. IP Address
Interface   Address             Gateway
eth0        192.168.0.X/24      192.168.0.1     (intranet hosts; 192.168.0.1 is the proxy's own eth0 address)
eth1        10.10.10.23/24      10.10.10.254    (CT line)
eth2        10.0.0.75/24        10.0.0.254      (CNC line)

4. Hardware
HP PC with 3 NICs

5. Process
5.1 Install the operating system
5.1.1 Linux: RedHat AS 5 or CentOS 5
5.1.2 Check that the following packages are installed
[root@off-proxy /]# rpm -qa | grep iptables
iptables-ipv6-1.3.5-1.2.1
iptables-1.3.5-1.2.1

[root@off-proxy /]# rpm -qa | grep iproute
iproute-2.6.18-4.el5
[root@off-proxy /]# rpm -qa | grep squid
squid-2.6.STABLE6-4.el5

5.2 NIC IP settings:
5.2.1 vi /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82562ET/EZ/GT/GZ - PRO/100 VE (LOM) Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:16:76:58:5C:23
IPADDR=192.168.0.1
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes

5.2.2 vi /etc/sysconfig/network-scripts/ifcfg-eth1
# ADMtek NC100 Network Everywhere Fast Ethernet 10/100
DEVICE=eth1
BOOTPROTO=static
BROADCAST=10.10.10.255
HWADDR=00:E0:4C:B0:68:A0
IPADDR=10.10.10.23
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=10.10.10.0
ONBOOT=yes

5.2.3 vi /etc/sysconfig/network-scripts/ifcfg-eth2
# Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+
DEVICE=eth2
BOOTPROTO=static
BROADCAST=10.0.0.255
HWADDR=00:E0:4C:E0:C0:A4
IPADDR=10.0.0.75
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes

5.2.4 Verification
[root@off-proxy /]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:76:58:5C:23
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:76ff:fe58:5c23/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:745 errors:0 dropped:0 overruns:0 frame:0
          TX packets:609 errors:0 dropped:0 overruns:0 carrier:0
          collisions:66 txqueuelen:1000
          RX bytes:147143 (143.6 KiB)  TX bytes:100574 (98.2 KiB)

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:B0:68:A0
          inet addr:10.10.10.23  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:feb0:68a0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3634 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2278 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3176716 (3.0 MiB)  TX bytes:250080 (244.2 KiB)
          Interrupt:225 Base address:0xcc00

eth2      Link encap:Ethernet  HWaddr 00:E0:4C:E0:C0:A4
          inet addr:10.0.0.75  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fee0:c0a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11231 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1086 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9363025 (8.9 MiB)  TX bytes:100008 (97.6 KiB)
          Interrupt:177 Base address:0xab00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3110536 (2.9 MiB)  TX bytes:3110536 (2.9 MiB)

[root@off-proxy /]# ping 10.10.10.23
PING 10.10.10.23 (10.10.10.23) 56(84) bytes of data.
64 bytes from 10.10.10.23: icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from 10.10.10.23: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.10.10.23: icmp_seq=3 ttl=64 time=0.062 ms
[1]+  Stopped                 ping 10.10.10.23

[root@off-proxy /]# ping 10.0.0.75
PING 10.0.0.75 (10.0.0.75) 56(84) bytes of data.
64 bytes from 10.0.0.75: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 10.0.0.75: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.0.0.75: icmp_seq=3 ttl=64 time=0.062 ms
[2]+  Stopped                 ping 10.0.0.75

[root@off-proxy /]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.063 ms
[3]+  Stopped                 ping 192.168.0.1

5.3 Routing:
[root@off-proxy /]# ip route ls
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.75
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
10.10.10.0/24 dev eth1  proto kernel  scope link  src 10.10.10.23
169.254.0.0/16 dev eth2  scope link
default via 10.10.10.254 dev eth1                     (added)
Command: ip route add default via 10.10.10.254 dev eth1

[root@off-proxy /]# cat /etc/iproute2/rt_tables
Command: [root@off-proxy /]# vi /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
100     CT                                             (added: the second routing table, used for the eth2 uplink)
# local
#
#1      inr.ruhu

Command: [root@off-proxy /]# ip route add default via 10.0.0.254 dev eth2 table 100

[root@off-proxy /]# ip rule ls
0:      from all lookup 255
32763:  from all to 192.168.183.0/24 lookup CT         (added)
32764:  from all to 60.0.0.0/13 lookup CT              (added)
32765:  from 192.168.0.10 lookup CT                    (added)
32766:  from all lookup main
32767:  from all lookup default
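As an added example (not part of the original article), the following POSIX shell script mirrors the rule set above. rule_lookup predicts which table the kernel consults for a given source and destination, walking the rules in the order ip rule ls prints them (lowest priority number first, first match wins; the local table at priority 0 is left out because it only holds the box's own addresses), and ensure_present adds a route or rule only when it is not already listed, since ip rule add is not idempotent and a script re-run at every boot would otherwise stack a duplicate rule each time. The names ip2int, cidr_match, rule_lookup, ensure_present and apply and the DRY_RUN switch are mine; the addresses and table number are the page's. One thing worth noticing while reading: the table is named CT in rt_tables, but its default route is 10.0.0.254, which section 5.4 labels the CNC gateway, so the name is only a label and the gateway decides which line the traffic actually uses.

```shell
#!/bin/sh
# Added example, not the article's own script. Addresses and the table number
# are taken from section 5.3; helper names and the DRY_RUN switch are mine.

ALT_TABLE=100            # "CT" in /etc/iproute2/rt_tables
ALT_GW=10.0.0.254        # default gateway of table 100 (eth2 uplink)
ALT_DEV=eth2

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP PREFIX -> succeeds when IP lies inside PREFIX; a bare host
# address (as in "from 192.168.0.10") is treated as a /32
cidr_match() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# rule_lookup SRC DST -> the table the kernel consults, following the
# ip rule priorities of section 5.3 (lowest number first, first match wins)
rule_lookup() {
    if   cidr_match "$2" 192.168.183.0/24; then echo $ALT_TABLE   # 32763
    elif cidr_match "$2" 60.0.0.0/13;      then echo $ALT_TABLE   # 32764
    elif cidr_match "$1" 192.168.0.10;     then echo $ALT_TABLE   # 32765
    else echo main                                                # 32766
    fi
}

# ensure_present LISTING ENTRY CMD... -> runs CMD unless ENTRY already occurs
# in LISTING (the current "ip rule ls" or "ip route ls table N" output).
# ip rule add / ip route add are not idempotent: a boot script that calls
# them unconditionally appends a duplicate rule on every run.
ensure_present() {
    listing=$1; entry=$2; shift 2
    if printf '%s\n' "$listing" | grep -Fq -- "$entry"; then
        echo "present: $entry"
    elif [ -n "${DRY_RUN:-}" ]; then
        echo "would run: $*"
    else
        "$@" && echo "added: $entry"
    fi
}

# apply -> the section 5.3 commands, safe to repeat at every boot
# (needs root and iproute2; with DRY_RUN=1 it only prints what it would run)
apply() {
    rules=$(ip rule ls)
    alt=$(ip route ls table $ALT_TABLE)
    ensure_present "$alt"   "default via $ALT_GW"        ip route add default via $ALT_GW dev $ALT_DEV table $ALT_TABLE
    ensure_present "$rules" "from 192.168.0.10 lookup"   ip rule add from 192.168.0.10 table $ALT_TABLE
    ensure_present "$rules" "to 60.0.0.0/13 lookup"      ip rule add to 60.0.0.0/13 table $ALT_TABLE
    ensure_present "$rules" "to 192.168.183.0/24 lookup" ip rule add to 192.168.183.0/24 table $ALT_TABLE
    ip route flush cache
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run it as root with the argument apply to add whatever is missing; with DRY_RUN=1 it only prints the commands it would run. The kernel's own answer for a flow can be compared against rule_lookup with ip route get, for example ip route get 60.1.2.3 from 192.168.0.10 iif eth0, which should report the route from table 100 via 10.0.0.254.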

5.4 Route verification:
[root@off-proxy /]# ping 192.168.0.99          (intranet PC)
PING 192.168.0.99 (192.168.0.99) 56(84) bytes of data.
64 bytes from 192.168.0.99: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=128 time=0.325 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=128 time=0.322 ms
[6]+  Stopped                 ping 192.168.0.99

[root@off-proxy /]# ping 10.10.10.254          (CT gateway)
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_seq=1 ttl=255 time=0.704 ms
64 bytes from 10.10.10.254: icmp_seq=2 ttl=255 time=7.83 ms
64 bytes from 10.10.10.254: icmp_seq=3 ttl=255 time=0.706 ms
[7]+  Stopped                 ping 10.10.10.254

[root@off-proxy /]# ping 10.0.0.254            (CNC gateway)
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=255 time=12.1 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=255 time=1.20 ms
64 bytes from 10.0.0.254: icmp_seq=3 ttl=255 time=1.03 ms
64 bytes from 10.0.0.254: icmp_seq=4 ttl=255 time=9.86 ms
[8]+  Stopped                 ping 10.0.0.254

5.5 iptables settings:
5.5.1 Edit the script
Command: [root@off-proxy /]# chmod 755 /etc/rc.d/firewall.sh   (make the firewall script executable)
Command: [root@off-proxy /]# vi /etc/rc.d/firewall.sh          (open the firewall script in vi for editing)
iptables script content:
#!/bin/sh
#
# connection-tracking and NAT helpers for active FTP through the proxy
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# start from empty chains; no -P is set, so the built-in chains keep their
# existing policy (ACCEPT on a default install) and FORWARD stays fully open
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j ACCEPT
# turn the box into a router
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -A INPUT -i eth1 -p udp -m multiport --dports 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -p udp -m multiport --dports 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# source NAT with the address of whichever uplink the routing decision chose
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.10.10.23
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 10.0.0.75
# policy routing from section 5.3: default route in main, second default in
# table 100. Note that "ip route add" fails if the route already exists and
# "ip rule add" appends a duplicate rule every time the script is re-run.
ip route add 0/0 via 10.10.10.254
ip route add 0/0 via 10.0.0.254 table 100
ip rule add from 192.168.0.10 table 100
ip rule add to 60.0.0.0/13 table 100
ip rule add to 192.168.183.0/24 table 100
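As an added example that is not the article's own script, here is the same firewall and NAT policy as section 5.5 written as an iptables-restore file. The difference a practitioner cares about is twofold: the built-in chains get explicit DROP policies for INPUT and FORWARD (the page's script never sets a policy, so on a default install every INPUT rule it adds is redundant and any host on either uplink can be forwarded into the intranet), and the whole ruleset is loaded in one transaction, so a bad line aborts the load and the previous rules stay in place instead of leaving the box between "iptables -F" and the last rule. The variable names, the function names build_ruleset, count_rules and apply_ruleset, the restriction of SSH and SNMP to the intranet interface, and the squid port 3128 (squid's default, which the page never configures) are my assumptions; addresses and interfaces are the page's.

```shell
#!/bin/sh
# Added example, not the article's script: section 5.5 as an iptables-restore
# ruleset with explicit default-deny policies. Addresses are the page's;
# variable/function names and the intranet-only management rules are mine.

LAN_IF=eth0;  LAN_NET=192.168.0.0/24
CT_IF=eth1;   CT_IP=10.10.10.23        # CT uplink
CNC_IF=eth2;  CNC_IP=10.0.0.75         # CNC uplink
SQUID_PORT=3128                        # assumption: squid's default port

# build_ruleset -> prints the complete ruleset in iptables-restore format
build_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT intranet traffic with the address of the uplink the routing decision
# picked (the ip rule lookup of section 5.3 happens before POSTROUTING)
-A POSTROUTING -s $LAN_NET -o $CT_IF -j SNAT --to-source $CT_IP
-A POSTROUTING -s $LAN_NET -o $CNC_IF -j SNAT --to-source $CNC_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
# management and proxy service reachable from the intranet side only
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 161 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
# kept from the page's script; remove unless the box really serves DNS to
# the uplink side (replies to its own queries are already covered by state)
-A INPUT -i $CT_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $CNC_IF -p udp --dport 53 -j ACCEPT
# forward only flows that start on the intranet, plus their replies
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# count_rules CHAIN -> number of -A lines for CHAIN in the generated ruleset
count_rules() { build_ruleset | grep -c "^-A $1 "; }

# apply_ruleset -> enable forwarding and load all tables atomically
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_ruleset | iptables-restore
}

if [ "${1:-}" = apply ]; then apply_ruleset; fi
```

Load it as root with the argument apply; without the argument it only defines the functions, and build_ruleset alone prints the file for review. The ip route and ip rule commands of section 5.3 are not iptables rules and belong in a separate boot script, where they should be guarded against being added twice.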


5.5.2 Edit the startup script
[root@off-proxy rc.d]# cat rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
/etc/rc.d/firewall.sh                                  (added)
touch /var/lock/subsys/local
