局域网只有一台服务器可以上互联网,其他机器需要使用代理上网,windows下可以用ccproxy,linux建议使用squid(dns解析需要配合iptables)

1、安装squid

yum install squid.x86_64

2、配置squid配置文件。

vi /etc/squid/squid.conf


#

# Recommended minimum configuration:

#

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

#acl localnet src 10.0.0.0/8# RFC1918 possible internal network

#acl localnet src 172.16.0.0/12# RFC1918 possible internal network

acl localnet src 192.168.0.0/16# RFC1918 possible internal network 允许192.168.0.0/16网段

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443

acl Safe_ports port 80# http

acl Safe_ports port 21# ftp

acl Safe_ports port 443# https

acl Safe_ports port 70# gopher

acl Safe_ports port 210# wais

acl Safe_ports port 1025-65535# unregistered ports

acl Safe_ports port 280# http-mgmt

acl Safe_ports port 488# gss-http

acl Safe_ports port 591# filemaker

acl Safe_ports port 777# multiling http

acl CONNECT method CONNECT


#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports


# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports


# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager


# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost


#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#


# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost


# And finally deny all other access to this proxy

http_access deny all


# Squid normally listens to port 3128   端口修改为808端口

http_port 808 


# Uncomment and adjust the following to add a disk cache directory.

cache_dir ufs /var/spool/squid 100 16 256


# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid


#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp:144020%10080

refresh_pattern ^gopher:14400%1440

refresh_pattern -i (/cgi-bin/|\?) 00%0

refresh_pattern .020%4320


到这里squid就配置完了。

由于客户端pc的dns解析都没有权限,所以还要把客户端的dns解析也由squid服务器这台主机转发出去。

1) echo "1" > /proc/sys/net/ipv4/ip_forward

2)iptables 配置

iptables -t nat -I PREROUTING -s -p udp --dport 53 -j DNAT --to 8.8.8.8

iptables -t nat -I POSTROUTING -p udp --dport 53 -j SNAT --to 192.168.144.49

iptables -I FORWARD -j ACCEPT


客户端配置

export http_proxy=http://192.168.144.49:808

export https_proxy=https://192.168.144.49:808

客户端配置dns

chattr -i /etc/resolv.conf  (ubuntu系统需要执行这条才能修改文件内容,其他系统不需要)

vi /etc/resolv.conf

nameserver 192.168.144.49

验证一下

root@host-192-168-145-197:~# ping www.sina.com

PING wwwus.sina.com (66.102.251.33) 56(84) bytes of data.

ok,dns可以用了。

curl www.sina.com

返回一大串字符,OK,代理配置成功了。


https的配置需要生成证书,可以参考以下文章。

http://www.linuxidc.com/Linux/2017-02/140398.htm