Debian Raspberry Pi: Speeding Up Browsing by Setting Up a Squid3 Transparent Proxy



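First, we have already set up the wireless hotspot; if you are not sure how, refer to my earlier article. The result is that clients connect to the Raspberry Pi through the wireless adapter, and traffic passes from wlan0 to eth0 and then out. In other words, eth0 acts as the router's WAN port and wlan0 as the LAN port. With that relationship clear, let's continue.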

First install squid3, which can be done directly with the following command:


sudo apt-get install squid3

You may remember that I used the following iptables configuration when setting up the wireless router function:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

If the configuration above is already in place, one more iptables command is enough to redirect port 80 traffic to squid3's port 3128:

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

Replace the iptables.ipv4.nat file we set up earlier, backing it up first of course:

sudo mv /etc/iptables.ipv4.nat /etc/iptables.ipv4.nat.old
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

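After running the commands above you will find that every web page now shows Squid's default access-denied page, which means squid3 is already working. Next we need to configure it; edit the configuration file /etc/squid3/squid.conf following the patch below: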

-- /etc/squid3/squid.conf.orig 2013-02-25 11:31:23.839560066 +1300
+++ /etc/squid3/squid.conf      2013-02-26 09:07:15.388951441 +1300
@@ -702,6 +702,7 @@
 #acl localnet src 192.168.0.0/16       # RFC1918 possible internal network
 #acl localnet src fc00::/7       # RFC 4193 local private network range
 #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+acl localnet src 192.168.42.0/24
 
 acl SSL_ports port 443
 acl Safe_ports port 80         # http
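
Review bot: the added "acl localnet src 192.168.42.0/24" at line 705 carries no trailing comment, unlike the commented RFC1918 entries above it, and it has to match the subnet actually served on wlan0. Later on this page the wlan0 address is assumed to be 192.168.43.1, which is outside 192.168.42.0/24, so clients on that subnet would not match "http_access allow localnet" and would fall through to the final deny. Add a comment naming the hotspot subnet and keep the two values consistent.
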
@@ -828,7 +829,7 @@
 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
-#http_access deny to_localhost
+http_access deny to_localhost
 
 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
@@ -837,7 +838,7 @@
 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
-#http_access allow localnet
+http_access allow localnet
 http_access allow localhost
 
 # And finally deny all other access to this proxy
@@ -1133,7 +1134,7 @@
 #
 
 # Squid normally listens to port 3128
-http_port 3128
+http_port 3128 intercept
 
 #  TAG: https_port
 # Note: This option is only available if Squid is rebuilt with the
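
Review bot: "http_port 3128 intercept" at line 1137 turns the only listening port into an interception port, which leaves no port for clients that are configured to use the proxy directly and leaves the intercept port reachable from the LAN. Squid's guidance is that an intercept port should receive only redirected traffic. Consider keeping "http_port 3128" as it was, adding a second http_port line with the intercept flag on another port, pointing the REDIRECT rule at that port, and blocking direct connections to it in the firewall.
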
@@ -2073,7 +2074,7 @@
 #      accessed frequently in memory to improve performance whilst low
 #      enough to keep larger objects from hoarding cache_mem.
 #Default:
-# maximum_object_size_in_memory 512 KB
+maximum_object_size 128000 KB
 
 #  TAG: memory_replacement_policy
 #      The memory replacement policy parameter determines which
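
Review bot: the added line at 2077 sets a different directive from the one whose default it deletes. The surrounding documentation and the removed "# maximum_object_size_in_memory 512 KB" describe the per-object limit for the memory cache, while "maximum_object_size 128000 KB" is the upper size limit for objects Squid will store in its cache. Neither directive sets how much RAM Squid uses for caching; that is cache_mem. Keep the "#Default:" line intact, place maximum_object_size under its own TAG section, and set cache_mem if a memory budget is what is intended.
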
@@ -2229,7 +2230,7 @@
 #
 
 # Uncomment and adjust the following to add a disk cache directory.
-#cache_dir ufs /var/spool/squid3 100 16 256
+cache_dir ufs /var/spool/squid3 1000 16 256
 
 #  TAG: store_dir_select_algorithm
 #      Set this to 'round-robin' as an alternative.
@@ -2611,7 +2612,7 @@
 #      Note2, for Debian/Linux the default of logfile_rotate is
 #      zero, since it includes external logfile-rotation methods.
 #Default:
-# logfile_rotate 0
+logfile_rotate 10
 
 #  TAG: emulate_httpd_log      on|off
 #      The Cache can emulate the log file format which many 'httpd'
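
Review bot: "logfile_rotate 10" at line 2615 contradicts the context lines directly above it, which state that Debian defaults logfile_rotate to zero because rotation is handled by external methods. With 10 here, Squid's own numbered rotation and the external rotation can both act on the same log files. Either leave the default, or add a comment saying why Squid-side rotation is wanted and disable the external one.
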
@@ -3673,7 +3674,7 @@
 #      during shutdown mode.  Any active clients after this many
 #      seconds will receive a 'timeout' message.
 #Default:
-# shutdown_lifetime 30 seconds
+shutdown_lifetime 2 seconds
 
 # ADMINISTRATIVE PARAMETERS

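 # -----------------------------------------------------------------------------

Note the maximum_object_size here: I checked with free -m and found that more than 200 MB of memory was already in use, so all things considered I let squid3 use another 128 MB as memory cache. Set cache_dir ufs /var/spool/squid3 1000 16 256 according to your own situation; I set it to 1000, that is 1 GB, based on the size of my memory card.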

When the configuration is done, run squid3 -k parse to check for errors; if there are none, load the configuration directly with squid3 -k reconfigure.

You should now be able to browse the web normally.

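Next, how to block ad sites. Again edit squid3's configuration file /etc/squid3/squid.conf and add the following. Squid applies the first http_access rule that matches, so the http_access deny ads line has to come before http_access allow localnet to have any effect: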


## disable ads ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid3/ad_block.txt"
http_access deny ads
#deny_info TCP_RESET ads

Create the ad list update script ad_servers_newlist.sh:

#!/bin/sh
#### Calomel.org  ad_servers_newlist.sh
#
## get new ad server list (fetch to a temporary file so a failed
## download does not leave the live list empty)
wget -O /etc/squid3/ad_block.txt.new 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=squid-dstdom-regex&showintro=0&mimetype=plaintext' || exit 1
mv /etc/squid3/ad_block.txt.new /etc/squid3/ad_block.txt

## refresh squid
/usr/sbin/squid3 -k reconfigure

For the actual list of blocked ad servers, see here. Now run the script:

sudo sh ad_servers_newlist.sh

Then visit any address from the ad list above and check whether squid3 blocks it.
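
A pre-flight check for the ad-block setup above, as an added example (not part of the original article or the Calomel.org script): it rejects a downloaded list that is empty, truncated or contains a catch-all pattern, and checks that http_access deny ads sits before http_access allow localnet. The function names, the 100-line minimum and the (^|\.)host\.tld$ line shape are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: checks to run before "squid3 -k reconfigure".

# validate_adlist FILE [MIN_LINES]   (MIN_LINES default 100 is an assumed threshold)
# Accepts only anchored host patterns such as  (^|\.)ads\.example\.com$
# (assumed shape of the squid-dstdom-regex export). This rejects empty or
# truncated downloads, HTML error pages, and catch-all patterns like ".*"
# that would make the "ads" ACL match every site.
validate_adlist() {
    file=$1 min=${2:-100}
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    total=$(grep -c '' "$file")
    [ "$total" -ge "$min" ] || { echo "only $total lines (< $min)" >&2; return 1; }
    bad=$(grep -vcE '^\(\^[|]\\\.\)[A-Za-z0-9-]+(\\\.[A-Za-z0-9-]+)+\$$' "$file" || true)
    [ "$bad" -eq 0 ] || { echo "$bad unexpected line(s) in $file" >&2; return 1; }
}

# ads_rule_reachable CONF
# Squid uses the first matching http_access line, so "deny ads" only affects
# LAN clients if it appears before "allow localnet". Simplification: only the
# exact three-word rules used on this page are recognised; commented-out
# lines are skipped because their first field is "#http_access".
ads_rule_reachable() {
    awk '$1 == "http_access" && $2 == "deny"  && $3 == "ads"      && !d { d = NR }
         $1 == "http_access" && $2 == "allow" && $3 == "localnet" && !a { a = NR }
         END { exit !(d && (!a || d < a)) }' "$1"
}

# --- constructed sample data (not real list entries or a real squid.conf) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '(^|\.)ads\.example\.com$' '(^|\.)track\.example\.net$' > "$tmp/good.txt"
printf '%s\n' '(^|\.)ads\.example\.com$' '.*' > "$tmp/catchall.txt"
printf '%s\n' 'acl ads dstdom_regex "/etc/squid3/ad_block.txt"' \
    'http_access deny ads' 'http_access allow localnet' \
    'http_access deny all' > "$tmp/ok.conf"
printf '%s\n' '#http_access deny ads' 'http_access allow localnet' \
    'http_access deny ads' > "$tmp/late.conf"

validate_adlist "$tmp/good.txt" 2     && echo "good.txt: accepted"
validate_adlist "$tmp/catchall.txt" 2 || echo "catchall.txt: rejected"
ads_rule_reachable "$tmp/ok.conf"     && echo "ok.conf: deny ads is reachable"
ads_rule_reachable "$tmp/late.conf"   || echo "late.conf: deny ads is shadowed"
```

In the update script, call validate_adlist on the freshly downloaded file and run squid3 -k parse before moving the file into place and calling squid3 -k reconfigure.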


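Today I set up a web server on the Raspberry Pi and found that when eth0 has no network connection, access to this web service becomes abnormally slow, so I decided to rewrite the iptables rules above. Assuming the Pi's wlan0 IP address is 192.168.43.1, we can exempt all traffic addressed to it from redirection. The final rules are listed below; before applying them it is advisable to clear the earlier settings with sudo iptables -t nat -F. That command flushes only the nat table, so the two FORWARD rules, which live in the filter table, do not need to be added again if they are already loaded.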


sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -d 192.168.43.1 --dport 80 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
