FQDN-----|
                  |              FQDN ip: 192.168.0.10
PC---------|
PC-------S----------
PC-------|               |
192.168.0.0/24       |
                               |
                               |
                               |
                               |
PC------- |              |
PC-------S-------SWITCH==========ROUTER--(eth0) LINUX (eth1)===ISP
PC-------|              |
192.168.1.0/24      |                                             eth0: 192.168.0.12
                              |                                             eth1: 202.103.0.12
                              |
                              |
                              |
                              |
                              |
PC-------|              |
PC-------S--------
PC-------|
192.168.2.0/24


要求:
1)  通过代理服务器提高internet用户访问位于ip地址为192.168.0.10 的web 服务器的速度
2)  市场部可在工作时间(周一到周五的9:00到18:00)内访问internet 但只能下载与工作相关
    的文件(TXT、DOC、DOCX、XLS、XLSX、PPT、PPTX、PDF)
3)  计划财务部不允许访问internet
4)  设计部可以在非工作时间(周一到周五12:30到13:30)访问internet。


FOR EXAMPLE
########
###squid
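# Interception port for LAN clients (iptables REDIRECTs TCP/80 here).
# "transparent" is the Squid 2.6/3.0 keyword; 3.1+ spells it "intercept".
http_port 8080 transparent
dns_nameservers 210.21.4.130 221.5.88.88
visible_hostname 192.168.0.12

cache_dir ufs /var/spool/squid 10000 16 256
cache_mem 1000 MB
cache_mgr [email protected]

redirect_children 30
dns_children 25

# Requirement 1: reverse-proxy (accelerator) port so Internet clients reach the
# internal web server 192.168.0.10 through the cache. The original had "bhost",
# which is not a http_port option; the option is "vhost". "accel" is mandatory
# on Squid 3.x and accepted by 2.6.
http_port 80 accel vhost vport
cache_peer 192.168.0.10 parent 80 0 no-query originserver

maximum_object_size 409600 KB                      ## largest object Squid will cache; for wmv/rm downloads 32768 KB is the suggested value
maximum_object_size_in_memory 64000 KB             ## largest object kept in RAM (picture=256KB, video=8196KB)
emulate_httpd_log on

fqdncache_size 1024
# Directive name is forwarded_for (the original had "frowarded_for", which Squid rejects).
forwarded_for off

cache_swap_low 90
# Directive name is cache_swap_high (the original had "cache_sqap_high").
cache_swap_high 95
coredump_dir /opt/cache/squid/coredump
cache_access_log /var/squid/access.log
# Directive name is cache_log (the original had "cachelog").
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log

##ACL
# One name for the web-server ACL: the original defined "OutWeb" but every
# rule referenced "OurWeb", so the rules pointed at an undefined ACL.
acl OurWeb dst 192.168.0.10
# NOTE(review): "dst" matches the resolved address of the request's Host header;
# if the public name of the web server resolves to the WAN address instead of
# 192.168.0.10 this ACL never matches — confirm, or use dstdomain with the site name.
http_access allow OurWeb
# Only requests for the internal web server are sent to the originserver peer;
# everything else is fetched directly. The original "never_direct allow !OurWeb"
# forced all *other* requests through the only configured peer, i.e. the origin
# server, so normal Internet browsing could not be forwarded.
cache_peer_access 192.168.0.10 allow OurWeb
cache_peer_access 192.168.0.10 deny !OurWeb
never_direct allow OurWeb
always_direct allow !OurWeb

# Requirement 2: marketing, working hours only, work-related file types only.
# The ACL type "time" was missing from the original time lines.
# These rules only see traffic that iptables redirects to the proxy (TCP/80);
# other protocols are governed by the router's FORWARD chain.
acl MarketingClient src 192.168.2.0/24
acl MarketingTime time MTWHF 09:00-18:00
acl MarketingFile urlpath_regex -i \.txt$ \.doc$ \.docx$ \.xls$ \.xlsx$ \.ppt$ \.pptx$ \.pdf$
# Original referenced "MarketingClinet" (typo), which is not a defined ACL.
http_access deny MarketingClient !MarketingFile
http_access allow MarketingClient MarketingTime

# Requirement 4: design department, outside working hours only.
acl DesignClient src 192.168.0.0/24
acl DesignTime time MTWHF 12:30-13:30
http_access allow DesignClient DesignTime

# Requirement 3 and everything unmatched (the finance subnet, and any Internet
# client that reaches the proxy ports): explicit final deny. Without it Squid
# applies the opposite of the last rule to unmatched requests, and the
# accelerator port could be used as an open proxy. Named "Everyone" rather
# than "all" because Squid 3.2+ provides a built-in "all" ACL.
acl Everyone src 0.0.0.0/0.0.0.0
http_access deny Everyone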

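# SELinux (RHEL/CentOS): the boolean name suggests it turns off Squid's domain
# transition, i.e. squid runs without its confined policy — a targeted boolean
# such as one permitting arbitrary outbound connections would be the narrower
# choice if the distribution offers it; confirm against `getsebool -a | grep squid`.
setsebool -P squid_disable_trans on
# Label the interception port. The original type "http_acahe_port_t" was a typo;
# the type is http_cache_port_t. If semanage reports the port as already defined
# by the distribution policy, use "semanage port -m" instead of "-a".
semanage port -a -t http_cache_port_t -p tcp 8080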

####iptables

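#!/bin/sh
# Firewall and NAT for the Linux router: eth0 = LAN side (192.168.0.12),
# eth1 = WAN side (202.103.0.12). Requirements served here:
#   - LAN HTTP is intercepted by Squid on 8080 (REDIRECT rules below);
#   - the finance subnet must not reach the Internet at all (FORWARD policy);
#   - the accelerator on TCP/80 is the only service offered to the Internet.
# Fixes versus the original script:
#   * LANNET_2 was never assigned ("LANNET_2_192.168.2.0"), so every rule for
#     192.168.2.0/24 expanded to "-s -j ..." and iptables rejected it;
#   * FORWARD policy was ACCEPT, which let the finance subnet reach the Internet
#     on every port other than 80 and let all subnets bypass the Squid
#     time/file restrictions for non-HTTP traffic;
#   * INPUT from the WAN accepted everything, exposing every local service
#     (including the proxy port 8080) to the Internet.

modprobe iptable_filter
modprobe iptable_nat

WANIP=202.103.0.12
WANFACE=eth1

LANIP=192.168.0.12
LANNET_0=192.168.0.0/24   # design department (DesignClient in squid.conf)
LANNET_1=192.168.1.0/24   # presumably the finance department: no Internet access (requirement 3) — confirm
LANNET_2=192.168.2.0/24   # marketing department (MarketingClient in squid.conf)

LANFACE=eth0

LOIP=127.0.0.1
LOFACE=lo

IPTABLES=/sbin/iptables
$IPTABLES -t nat -F
$IPTABLES -t nat -Z
$IPTABLES -t nat -X
$IPTABLES -t filter -F
$IPTABLES -t filter -Z
$IPTABLES -t filter -X

# Default deny in every direction; each permitted flow is listed explicitly.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Loopback. Binding to $LOFACE means a WAN packet carrying a 127.0.0.1 source
# is not accepted by this rule.
$IPTABLES -t filter -A INPUT -i $LOFACE -s $LOIP -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LOFACE -d $LOIP -j ACCEPT

# LAN <-> router itself (Squid ports, DNS, ...). Bound to $LANFACE for the same
# anti-spoofing reason as the loopback rule.
for NET in $LANNET_0 $LANNET_1 $LANNET_2; do
    $IPTABLES -t filter -A INPUT  -i $LANFACE -s $NET -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o $LANFACE -d $NET -j ACCEPT
done

# WAN -> router: only the accelerator port (requirement 1) and replies to
# connections the router (Squid, DNS) opened itself.
$IPTABLES -t filter -A INPUT -i $WANFACE -p tcp --dport 80 -j ACCEPT
$IPTABLES -t filter -A INPUT -i $WANFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $WANFACE -j ACCEPT

# Routed traffic: only the subnets that may use the Internet, and only the
# replies to their connections back in. LANNET_1 is deliberately absent.
# NOTE(review): non-HTTP traffic from these subnets is forwarded at any time;
# if the marketing/design time restrictions must also cover other protocols,
# confine these rules further (e.g. iptables "-m time") — not done here.
for NET in $LANNET_0 $LANNET_2; do
    $IPTABLES -t filter -A FORWARD -i $LANFACE -o $WANFACE -s $NET -j ACCEPT
done
$IPTABLES -t filter -A FORWARD -i $WANFACE -o $LANFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT: masquerade the LAN behind the WAN address and send LAN HTTP to Squid.
# The finance subnet is kept here so that its port-80 requests still reach
# Squid (and get its deny page) instead of silently timing out.
for NET in $LANNET_0 $LANNET_1 $LANNET_2; do
    $IPTABLES -t nat -A POSTROUTING -s $NET -o $WANFACE -j SNAT --to-source $WANIP
    $IPTABLES -t nat -A PREROUTING -s $NET -i $LANFACE -p tcp --dport 80 -j REDIRECT --to-ports 8080
done

echo "1" > /proc/sys/net/ipv4/ip_forward
# Equivalent: sysctl -w net.ipv4.ip_forward=1 (persist in /etc/sysctl.conf).

/etc/init.d/squid start
# Equivalent: service squid start (the original comment said "server").
chkconfig squid on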