Linux + iptables + squid Policy Routing implementation
Source: Internet
Author: User
1. Environment
Network access: 2 uplinks (1 CT + 1 CNC)
Intranet users: require Internet access and other application services
5. Process
5.1 Install the operating system
5.1.1 Linux: Red Hat AS 5 or CentOS 5
5.1.2 Check that the following packages are installed
[root@off-proxy /]# rpm -qa | grep iptables
iptables-ipv6-1.3.5-1.2.1
iptables-1.3.5-1.2.1
[Network diagram: the LINUX PROXY sits between the INTRANET and two uplink routers, CT ROUTE and CNC ROUTE, which lead to the INTERNET]
Interface addresses (address/prefix, gateway):
eth1: 10.10.10.23/24, gateway 10.10.10.254 (CT)
eth2: 10.0.0.75/24, gateway 10.0.0.254 (CNC)
eth0: 192.168.0.X/24, gateway 192.168.0.1 (intranet)
[root@off-proxy /]# ping 10.10.10.23
PING 10.10.10.23 (10.10.10.23) 56(84) bytes of data.
64 bytes from 10.10.10.23: icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from 10.10.10.23: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.10.10.23: icmp_seq=3 ttl=64 time=0.062 ms
[1]+  Stopped                 ping 10.10.10.23
[root@off-proxy /]# ping 10.0.0.75
PING 10.0.0.75 (10.0.0.75) 56(84) bytes of data.
64 bytes from 10.0.0.75: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 10.0.0.75: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.0.0.75: icmp_seq=3 ttl=64 time=0.062 ms
[2]+  Stopped                 ping 10.0.0.75
[root@off-proxy /]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.063 ms
[3]+  Stopped                 ping 192.168.0.1
5.3 Routing:
[root@off-proxy /]# ip route ls
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.75
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
10.10.10.0/24 dev eth1  proto kernel  scope link  src 10.10.10.23
169.254.0.0/16 dev eth2  scope link
default via 10.10.10.254 dev eth1   (added)
Command: [root@off-proxy /]# ip route add default via 10.10.10.254 dev eth1
Command: [root@off-proxy /]# ip route add default via 10.0.0.254 dev eth2 table 100
[root@off-proxy /]# ip rule ls
0:      from all lookup 255
32763:  from all to 192.168.183.0/24 lookup CT   (added)
32764:  from all to 60.0.0.0/13 lookup CT   (added)
32765:  from 192.168.0.10 lookup CT   (added)
32766:  from all lookup main
32767:  from all lookup default
5.4 Route check:
[root@off-proxy /]# ping 192.168.0.99   (intranet PC)
PING 192.168.0.99 (192.168.0.99) 56(84) bytes of data.
64 bytes from 192.168.0.99: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=128 time=0.325 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=128 time=0.322 ms
[6]+  Stopped                 ping 192.168.0.99
[root@off-proxy /]# ping 10.10.10.254   (CT gateway)
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_seq=1 ttl=255 time=0.704 ms
64 bytes from 10.10.10.254: icmp_seq=2 ttl=255 time=7.83 ms
64 bytes from 10.10.10.254: icmp_seq=3 ttl=255 time=0.706 ms
[7]+  Stopped                 ping 10.10.10.254
[root@off-proxy /]# ping 10.0.0.254   (CNC gateway)
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=255 time=12.1 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=255 time=1.20 ms
64 bytes from 10.0.0.254: icmp_seq=3 ttl=255 time=1.03 ms
64 bytes from 10.0.0.254: icmp_seq=4 ttl=255 time=9.86 ms
[8]+  Stopped                 ping 10.0.0.254
5.5 iptables settings:
5.5.1 Edit the script
Command: [root@off-proxy /]# chmod 755 /etc/rc.d/firewall.sh   (make the firewall script executable)
Command: [root@off-proxy /]# vi /etc/rc.d/firewall.sh   (open the firewall script in vi for editing)
iptables script content:
#!/bin/sh
#
# Load the FTP connection-tracking and NAT helper modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# Flush all rules and delete user-defined chains in the filter, nat and mangle tables
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
# Note: no chain policy is set (iptables -P), so INPUT keeps its default ACCEPT policy;
# the ACCEPT rules below only restrict anything once the policy is changed to DROP.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j ACCEPT
# Enable IP forwarding between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -A INPUT -i eth1 -p udp -m multiport --dports 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -p udp -m multiport --dports 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Source NAT: rewrite the source address to that of whichever uplink the packet leaves on
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.10.10.23
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 10.0.0.75
# Policy routing: default route in the main table, second default route in table 100,
# and the rules that send selected sources/destinations through table 100
ip route add 0/0 via 10.10.10.254
ip route add 0/0 via 10.0.0.254 table 100
ip rule add from 192.168.0.10 table 100
ip rule add to 60.0.0.0/13 table 100
ip rule add to 192.168.183.0/24 table 100
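To see what the routing tables of section 5.3 and the SNAT lines of this script do to a given packet before relying on them, here is an added Python example; it is not part of the original page or its firewall script. It emulates the kernel's policy-routing decision: rules are consulted in priority order, a matching rule's table is searched by longest prefix, and a table with no covering route falls through to the next rule. The routes, rules, gateways and SNAT addresses are taken from the page; the example assumes that table 100 is the one `ip rule ls` prints as "CT" (an alias that would come from /etc/iproute2/rt_tables), leaves out the local table at priority 0, and uses constructed Internet destinations such as 8.8.8.8 and 60.1.2.3.

```python
import ipaddress

# Routing tables reconstructed from the page's `ip route ls` output plus the
# `ip route add default ... table 100` command: (prefix, gateway, device).
# Assumption: table 100 is the table that `ip rule ls` shows as "CT".
TABLES = {
    "main": [
        ("10.0.0.0/24", None, "eth2"),
        ("192.168.0.0/24", None, "eth0"),
        ("10.10.10.0/24", None, "eth1"),
        ("169.254.0.0/16", None, "eth2"),
        ("0.0.0.0/0", "10.10.10.254", "eth1"),
    ],
    "100": [
        ("0.0.0.0/0", "10.0.0.254", "eth2"),
    ],
}

# Policy rules as in the page's `ip rule ls`, lowest priority number first:
# (priority, from-selector, to-selector, table). The local table (priority 0)
# is left out; it only matters for packets addressed to the proxy itself.
RULES = [
    (32763, None, "192.168.183.0/24", "100"),
    (32764, None, "60.0.0.0/13", "100"),
    (32765, "192.168.0.10/32", None, "100"),
    (32766, None, None, "main"),
]

# POSTROUTING SNAT rules from the firewall script: outgoing device -> new source.
SNAT = {"eth1": "10.10.10.23", "eth2": "10.0.0.75"}


def lookup_table(table, dst):
    """Longest-prefix match in one routing table.

    Returns (gateway, device) for the most specific route covering dst, or
    None when the table has no such route, which makes the kernel fall
    through to the next policy rule.
    """
    best = None
    for prefix, gateway, device in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    return None if best is None else (best[1], best[2])


def route(src, dst):
    """Emulate the policy-routing decision for a packet forwarded by the proxy.

    Returns (table, gateway, device, snat_source). gateway is None for a
    directly connected destination; snat_source is None when no POSTROUTING
    rule rewrites the source (for example traffic going back into eth0).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for _prio, from_sel, to_sel, table in sorted(RULES, key=lambda r: r[0]):
        if from_sel is not None and src_ip not in ipaddress.ip_network(from_sel):
            continue
        if to_sel is not None and dst_ip not in ipaddress.ip_network(to_sel):
            continue
        hit = lookup_table(table, dst_ip)
        if hit is None:
            continue  # rule matched but its table had no route: keep looking
        gateway, device = hit
        return table, gateway, device, SNAT.get(device)
    return None  # no rule matched: the kernel would answer "network unreachable"


if __name__ == "__main__":
    # Constructed sample flows: the intranet hosts are the ones the page uses,
    # the Internet destinations are arbitrary test values.
    for src, dst in [
        ("192.168.0.10", "8.8.8.8"),        # pinned host -> table 100, out eth2
        ("192.168.0.99", "8.8.8.8"),        # ordinary host -> main, out eth1
        ("192.168.0.99", "60.1.2.3"),       # inside 60.0.0.0/13 -> table 100
        ("192.168.0.99", "60.9.0.1"),       # just outside the /13 -> main
        ("192.168.0.99", "192.168.183.7"),  # destination rule -> table 100
    ]:
        print(src, "->", dst, route(src, dst))
```

Running the block prints, for each flow, which table decided it, the next hop, the egress interface and the SNAT address the packet will carry. The check worth keeping is the boundary of 60.0.0.0/13: 60.1.2.3 is steered to table 100 while 60.9.0.1 stays on the main table, and a host pinned to the wrong uplink would silently bypass whatever filtering or logging sits on the other line.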
5.5.2 Edit the startup script
[root@off-proxy rc.d]# cat rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
/etc/rc.d/firewall.sh   (added)
touch /var/lock/subsys/local