Transparent proxy configuration scheme based on Linux2.4 kernel

Environment:
Server: SuSE Linux 8.2 + ADSL
Client: Windows2000
LAN: an eight-port 10/100M hub connecting SuSE (192.168.1.3), Windows (192.168.1.5), and the ADSL modem (192.168.1.1)
  
The setup uses squid + iptables. Most of the experience comes from www.linuxaid.com and is only summarized here.
  
For more information about iptables, see:
IPTABLES HOWTO
http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSem/downloads/netfilter/iptables-HOWTO.html
  
For iptables configuration tools, see:
Knetfilter:
http://expansa.sns.it/knetfilter
G-Shield:
http://muse.linuxmafia.org/gshield.html
  
For squid optimization, see:
Squid optimization full manual 1:
http://www.linuxaid.com.cn/articles/2/8/289179080.shtml
Squid optimization full manual 2:
http://www.linuxaid.com.cn/articles/5/4/546967373.shtml
  
For more information about iptables firewall configuration, see:
Using iptables to implement a packet filtering firewall (1):
http://www.linuxaid.com.cn/engineer/bye2000/doc/iptables1.htm
Using iptables to implement a packet filtering firewall (2):
http://www.linuxaid.com.cn/engineer/bye2000/doc/iptables2.htm
  
OK, the configuration starts below.
  
First, why configure a transparent proxy at all?
Squid alone already provides the proxy function, but then every client must have the proxy server set in its browser, and tools such as FlashGet and CuteFTP must each be configured separately, which is very troublesome. With a transparent proxy, the client only needs a gateway set in its network configuration; no other program needs any setting. That is the biggest attraction of a transparent proxy, at least for me. iptables itself is far more powerful as a firewall, which is its main use, but this configuration does not cover the firewall; if you are interested, see the iptables HOWTO.
  
1. This assumes that firewall (netfilter) support is compiled into the kernel; you can confirm by entering the kernel source directory and running make menuconfig.
  
2. Install squid. It should already be installed on most Linux distributions; you can also download and install squid from the following URL:
http://www.squid-cache.org/
  
3. Whether newly installed or shipped with the system, the location of the squid configuration file differs between releases, so use the find command to confirm the exact location of squid.conf. For an rpm installation, confirm with rpm: rpm -ql [squid-package-name] | grep squid.conf
  
4. Edit the squid.conf file and make sure the following lines are present:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user nobody
cache_effective_group nobody
http_access allow all
cache_dir ufs /usr/local/squid/cache 100 16 256
Note: The cache_dir line sets the cache directory, which is created below; change it to wherever your local squid lives. The http_access allow all line allows every request, which is very insecure; you can define an acl group of your own, allow that group, and then deny all. For the exact syntax, look more closely at squid.conf itself, which contains detailed explanations and examples.
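As an added check (example code, not from the article), the following POSIX shell functions audit a squid.conf for the directives listed above and warn when http_access allow all leaves the proxy open to anyone who can reach its port, printing the acl/allow/deny lines the note suggests instead. The sample file the script writes is constructed; the acl name lan and the network 192.168.1.0/24 are assumptions taken from this article's LAN.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a squid.conf for the
# transparent-proxy directives the article requires and flag an open proxy.

# Directives the article says must be present (Squid 2.x names), one per line.
REQUIRED_DIRECTIVES='httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user nobody
cache_effective_group nobody'

# has_directive FILE "name value": succeed if an uncommented line sets it.
has_directive() {
    pat=$(printf '%s' "$2" | sed 's/ /[[:space:]]+/g')
    grep -Eq "^[[:space:]]*${pat}([[:space:]]|\$)" "$1"
}

# missing_directives FILE: print each required directive that is absent;
# status 0 when nothing is missing, 1 otherwise.
missing_directives() {
    file=$1
    missing=0
    old_ifs=$IFS
    IFS='
'
    for d in $REQUIRED_DIRECTIVES; do
        has_directive "$file" "$d" || { echo "missing: $d"; missing=$((missing + 1)); }
    done
    IFS=$old_ifs
    [ "$missing" -eq 0 ]
}

# allows_everyone FILE: succeed if the article's "http_access allow all" is
# still active, i.e. anyone who can reach the squid port may use the proxy.
allows_everyone() {
    grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' "$1"
}

# lan_acl LAN_CIDR: the lines that replace "allow all" (acl name "lan" assumed).
lan_acl() {
    printf 'acl lan src %s\nhttp_access allow lan\nhttp_access deny all\n' "$1"
}

# audit_squid_conf FILE LAN_CIDR: status 0 only if complete and not wide open.
audit_squid_conf() {
    ok=0
    missing_directives "$1" || ok=1
    if allows_everyone "$1"; then
        echo "warning: 'http_access allow all' makes this an open proxy; use instead:"
        lan_acl "$2"
        ok=1
    fi
    return $ok
}

# write_sample_conf PATH: constructed squid.conf mirroring the article's list
# (including the insecure "allow all"), for trying the checks offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user nobody
cache_effective_group nobody
http_access allow all
cache_dir ufs /usr/local/squid/cache 100 16 256
EOF
}

# Stand-alone use: SQUID_CONF=/path/to/squid.conf LAN_NET=192.168.1.0/24 sh audit.sh
if [ -n "${SQUID_CONF:-}" ]; then
    audit_squid_conf "$SQUID_CONF" "${LAN_NET:-192.168.1.0/24}"
fi
```

The directive match is anchored at line start so commented-out lines do not count, and the audit returns non-zero both for a missing directive and for the open-proxy case, so it can gate a startup script.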
  
5. Create the cache directory (if it does not exist) and change its owner to nobody:
chown nobody:nobody /pathname/cache
  
6. Find the default log directory in the configuration file and change the owner of that directory to nobody as well, so that logs can be written.
  
7. Create the cache: squid -z
  
8. Start squid: squid -D
The squid site maintains a very detailed FAQ that answers essentially every question you are likely to ask. For example, squid -NCd1 starts squid in debug mode so that errors are reported. With ADSL dial-up in particular, starting squid before dialing fails with "FATAL: ipcache_init: DNS name lookup tests failed", because squid looks up a few commonly used DNS names at startup and you are not yet connected to the internet, so the test naturally fails. To skip the DNS test at startup, start squid with the -D option.
  
9. After squid starts successfully, set the proxy in the client's browser to test. If you can reach the internet, squid is set up correctly.
  
10. The remaining task is to make sure squid starts automatically at boot. Generally /etc/init.d already contains a squid script; all we need to do is ln it into the appropriate rc.d directory. For example, if runlevel 5 is the default, run:
ln -s /etc/init.d/squid /etc/init.d/rc5.d/S99squid
ln -s /etc/init.d/squid /etc/init.d/rc5.d/K01squid
This is under SuSE; on RedHat the rc.d directory is under /etc, not under /etc/init.d.
  
OK, the squid setup is complete. Next we configure iptables.
You could use one of the configuration tools mentioned above, but I have not tried them, so the iptables command is used directly here.
Use man iptables to view the help.
  
The iptables commands are kept in a script file. Assume the script is named firewall, is stored in /etc/init.d, and is run from the startup file. The procedure is as follows:
  
1. touch /etc/init.d/firewall
  
2. vi /etc/init.d/firewall
Add the following content:
#!/bin/sh
echo "Enabling IP Forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules..."
# Flush all chains in the nat table
/sbin/iptables -F -t nat
# Redirect web traffic arriving on the LAN interface to squid's port
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
  
# Masquerade LAN traffic leaving through the ADSL interface
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
  
The preceding commands are explained as follows:
/proc/sys/net/ipv4/ip_forward must be set to 1 (the default is 0) for the routing (packet forwarding) function to work.
/sbin/iptables -F -t nat clears all existing rules in the nat table.
eth0: the NIC in the Linux machine (the LAN side).
3128: squid's default listening port.
ppp0: the ADSL device in Linux (ppp0 on SuSE, dsl0 on RedHat).
MASQUERADE: for servers that dial up to the internet and therefore have no static IP address; a server with a static IP address can use SNAT --to-source <ip address> instead.
  
Note: The above commands do not touch the firewall itself; refer to the references above for that. They do not delete any rules in the filter table, so if you have already set up a firewall it is not affected.
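The following POSIX shell script is an added example, not the article's firewall script: it generates the same nat rules from parameters and chooses between MASQUERADE (dial-up, dynamic address) and SNAT --to-source (static address) as explained above, after checking that the port and addresses look sane. It tightens the REDIRECT rule with -s LAN_NET so only hosts on the LAN are sent to squid, which is an addition of this example. The interface names eth0 and ppp0, the network 192.168.1.0/24 and port 3128 are the article's; the static address 203.0.113.7 used for demonstration is a documentation address, not a real server.

```shell
#!/bin/sh
# Added example, not the article's script: build the transparent-proxy nat
# rules from parameters instead of hard-coding them.

# valid_port N: digits only, 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: four decimal octets, each 0..255
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# valid_cidr A.B.C.D/N: address plus prefix length 0..32
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    case ${1#*/} in ''|*[!0-9]*) return 1 ;; esac
    [ "${1#*/}" -le 32 ]
}

# nat_rules LAN_IF WAN_IF LAN_NET SQUID_PORT [STATIC_IP]
# Print the commands for the firewall script. With STATIC_IP given, the
# POSTROUTING rule uses SNAT --to-source instead of MASQUERADE.
nat_rules() {
    lan_if=$1 wan_if=$2 lan_net=$3 port=$4 static_ip=${5:-}
    valid_cidr "$lan_net" || { echo "bad LAN network: $lan_net" >&2; return 1; }
    valid_port "$port"    || { echo "bad squid port: $port" >&2; return 1; }
    if [ -n "$static_ip" ]; then
        valid_ipv4 "$static_ip" || { echo "bad static address: $static_ip" >&2; return 1; }
        snat="-j SNAT --to-source $static_ip"
    else
        snat="-j MASQUERADE"
    fi
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
# flush only the nat table; filter-table firewall rules are left alone
/sbin/iptables -F -t nat
# only web traffic arriving from the LAN side is redirected to squid
/sbin/iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $port
# LAN traffic leaving the WAN side gets the server's address
/sbin/iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if $snat
EOF
}

# Stand-alone use: PRINT_RULES=1 sh genfw.sh   (add STATIC_IP=... for the SNAT form)
if [ -n "${PRINT_RULES:-}" ]; then
    nat_rules eth0 ppp0 192.168.1.0/24 3128 "${STATIC_IP:-}"
fi
```

Redirect the output into /etc/init.d/firewall and continue with the chmod and boot.local steps as described; because only the nat table is flushed, an existing filter-table firewall is left in place exactly as the note states.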
  
3. chmod u+x /etc/init.d/firewall to make the file executable.
  
4. Edit /etc/init.d/boot.local and add the line /etc/init.d/firewall at the end so that the script runs at startup.
Note: boot.local is used on SuSE; on RedHat, edit /etc/rc.d/rc.local instead.
  
5. Run /etc/init.d/firewall and the rules take effect immediately.
  
With that, the whole configuration is complete.
  
  
  