Run Windows and Linux on the same computer

Source: Internet
Author: User
Tags: squid proxy
   System Function Description:
The system combines packet filtering and web proxying on one machine. Packet filtering is implemented with iptables; the transparent web proxy is implemented on Linux with the well-known squid together with NAT. Squid's performance is already among the best of proxy servers, and this setup pushes it to the limit: using a ramdisk, squid keeps its web page cache in memory. That way, apart from the first time a page has to be fetched from the network, the pages you visit are served from memory. The following describes the implementation on Red Hat 7.2.
  
(1) Select a relatively stable computer with two NICs, 256 or M memory and a 10 GB hard disk. (Note: the first NIC is connected to the intranet, and the second NIC is connected to the Internet.)
(2) Install Red Hat 7.2. Select the server mode with automatic partitioning during installation.
(3) After about 10-15 minutes, the installation is complete. After restarting, log in and configure the system.
  
1. Enable packet forwarding
  
Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, and save the modification. This allows the Linux kernel to forward IP packets, that is, to pass IP packets from one network interface to another. Only then can the system act as a packet-filtering firewall.
  
2. Activate RamDisk
  
Modify /etc/grub.conf:
  
# boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.7-10)
root (hd0,0)
kernel /vmlinuz-2.4.7-10 ro root=/dev/sda6 ramdisk=268435
initrd /initrd-2.4.7-10.img
  
Here, ramdisk=268435 is the content we want to add. It tells the system that the default ramdisk size is 268435 K, that is, 256 M. Note that you cannot write 256 M directly, because the system does not understand it. You must convert it to K! (I have been exploring for several months!) After a restart, the system will automatically generate a virtual disk of that size. Of course, you need to set this parameter based on your memory size. If you do not run X Window, it is fine to set it to half of your total memory, because the Linux system itself does not need a lot of memory.
  
3. Set squid parameters
  
Edit /etc/squid.conf and add the following entries to the end:
  
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access allow all
cache_dir ufs /squid 256 16 256
  
The first four parameters enable squid to act as a transparent proxy. "http_access allow all" allows all client machines to access the proxy. Note in particular the last line, "cache_dir ufs /squid 256 16 256": squid's default cache_dir is "/var/spool/squid". Because we want squid to cache its content in memory, change it to /squid first; next, the ramdisk has to be mounted on the /squid directory.
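
Squid evaluates http_access rules from top to bottom and the first match wins, so the effect of "http_access allow all" depends on which catch-all rule a client reaches first. The audit function below is an added example, not part of the original article; the ACL name lan is hypothetical, and 10.27.0.0/16 is borrowed from the article's REDIRECT rule as the assumed intranet.

```shell
#!/bin/sh
# Added example: report what Squid's http_access rules do for a client that
# no specific rule matches. Rules are evaluated in order; the first match wins.
# Usage: audit_http_access [squid.conf]   (reads stdin when no file is given)
# Returns 0 = restricted, 1 = open to any client, 2 = no rules found.
audit_http_access() {
    awk '
        # An ACL over the whole IPv4 address space matches every client.
        $1 == "acl" && $3 == "src" && $4 ~ /^0\.0\.0\.0\/(0|0\.0\.0\.0)$/ { any[$2] = 1 }
        tolower($1) == "http_access" && verdict == "" {
            last = $2
            catchall = (NF >= 3)
            # Assumption: an ACL named "all" covers every source address.
            for (i = 3; i <= NF; i++)
                if ($i != "all" && !($i in any)) catchall = 0
            if (catchall) verdict = $2
        }
        END {
            if (last == "") { print "UNKNOWN: no http_access rules"; exit 2 }
            # Without a catch-all rule Squid applies the opposite of the last rule.
            if (verdict == "") verdict = (last == "allow") ? "deny" : "allow"
            if (verdict == "allow") { print "OPEN: any client that reaches the port may use the proxy"; exit 1 }
            print "RESTRICTED: clients outside the allowed ACLs are denied"
        }
    ' "$@"
}

# Constructed sample: the access rule as given in the article.
sample_article() {
    printf '%s\n' 'acl all src 0.0.0.0/0.0.0.0' 'http_access allow all'
}

# Constructed sample: the same proxy limited to the intranet
# (10.27.0.0/16 comes from the article's REDIRECT rule; "lan" is a made-up ACL name).
sample_restricted() {
    printf '%s\n' 'acl all src 0.0.0.0/0.0.0.0' 'acl lan src 10.27.0.0/16' \
        'http_access allow lan' 'http_access deny all'
}

sample_article    | audit_http_access || :
sample_restricted | audit_http_access || :
```

Because the first match wins, an "http_access allow all" appended after an existing "http_access deny all" is never reached, and the audit reports such a file as RESTRICTED.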
  
4. Create a ramdisk. Run the following commands:
  
(1) Create the directory /squid with "mkdir /squid".
(2) Create a file system with "mkfs /dev/ramdisk".
(3) Run "mount /dev/ramdisk /squid" to mount the ramdisk on the /squid directory.
  
Since the ramdisk disappears after each restart, we create a batch file that sets it up automatically during system startup:
  
mkfs /dev/ramdisk
mount /dev/ramdisk /squid
  
Write these two commands to a file. For now, we use myautoexec.bat as the file name. For convenience, we create the /admin directory, save myautoexec.bat in /admin, and make it executable: chmod +x myautoexec.bat. However, the system will not call it at startup by itself, so one more step is needed: edit the /etc/rc.local file and insert a line at the end of the file: /admin/myautoexec.bat. In this way, the system will automatically call myautoexec.bat at startup.
  
5. Initialize squid
  
Do you still remember the parameter "cache_dir ufs /squid 256 16 256"? Initialization means that squid creates the specified number of level-1 directories (16 here) in the specified cache_dir, and then creates 256 level-2 directories in each level-1 directory. The command used is "squid -z". However, running the command at this point reports an error: the owner of /squid is root and the squid user has no permission to write to root's files, so you must first hand the /squid directory over to the squid user with "chown squid.squid /squid". Run "squid -z" again and it completes in less than one second. If this step is performed on a disk rather than on a ramdisk, it usually takes dozens of seconds.
  
Similarly, the commands
  
chown squid.squid /squid
squid -z
  
must be written to myautoexec.bat, followed by a final "squid" line to start the squid service process. With that, the squid setup is complete.
  
6. Set NAT and firewall rules
  
For convenience, create the file /admin/myfirewall and write the rules to the file:
  
# ------ Initialization
iptables -F
iptables -t nat -F
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
# ------ Initialization ends
# ------ Start NAT: allow internal computers to reach the Internet masqueraded behind eth1.
# The description gives the intranet as 10.27.0.0/16 while the rule uses 10.3.37.0/24; set -s to your own intranet subnet.
iptables -t nat -A POSTROUTING -o eth1 -s 10.3.37.0/24 -j MASQUERADE
# ------ End NAT
# ------ Port conversion: redirect all requests sent to the Internet on port 80 to port 3128 for processing by squid.
# This entry is the key to the transparent proxy.
iptables -t nat -A PREROUTING -i eth0 -d ! 10.27.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# ------ End port conversion
# ------ Firewall rules: adjust according to your requirements.
iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p ICMP -j DROP
iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p TCP --dport ! 80 -j DROP
# The two rules above drop all ping (ICMP) packets from the Internet and all requests
# initiated from the Internet to ports other than 80. This means that ping requests from the
# Internet are not allowed, and only access from the Internet to the intranet HTTP service is allowed.
# The complete firewall rules should be formulated according to your network security requirements. These are only for reference.
  
Note: the lines starting with # are comments and do not need to be written into the file. Save the rules as /admin/myfirewall and make the file executable with "chmod +x /admin/myfirewall". Edit /admin/myautoexec.bat and add "/admin/myfirewall" as the last line. With that, our high-performance firewall is fully configured. After a reboot, it is ready to work.