                 FQDN (web server) ip: 192.168.0.10
                        |
PC------+               |
PC------S---------------+
PC------+               |
192.168.0.0/24          |
                        |
PC------+               |
PC------S------------SWITCH==========ROUTER--(eth0) LINUX (eth1)===ISP
PC------+               |                   eth0: 192.168.0.12
192.168.1.0/24          |                   eth1: 202.103.0.12
                        |
PC------+               |
PC------S---------------+
PC------+
192.168.2.0/24
Requirements:
1) Use a proxy server to speed up Internet users' access to the web server at IP address 192.168.0.10.
2) The Marketing department may access the Internet during working hours (Monday to Friday, 9:00 to 18:00), but may only download work-related files (TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, PDF).
3) The Planning and Finance department is not allowed to access the Internet.
4) The Design department may access the Internet outside working hours (Monday to Friday, 12:30 to 13:30).
FOR EXAMPLE
########
###squid
http_port 8080 transparent
dns_nameservers 210.21.4.130 221.5.88.88
visible_hostname 192.168.0.12
cache_dir ufs /var/spool/squid 10000 16 256
cache_mem 1000 MB
cache_mgr [email protected]
redirect_children 30
dns_children 25
## accelerator (reverse proxy) port for the internal web server
http_port 80 accel vhost vport
cache_peer 192.168.0.10 parent 80 0 no-query originserver name=ourweb
maximum_object_size 409600 KB ## maximum_object_size is the largest object that will be cached; for wmv/rm files 32768 KB is recommended
maximum_object_size_in_memory 64000 KB ## picture=256KB, video=8196KB; largest object kept in memory
emulate_httpd_log on
fqdncache_size 1024
forwarded_for off
cache_swap_low 90
cache_swap_high 95
coredump_dir /opt/cache/squid/coredump
cache_access_log /var/squid/access.log
cache_log /var/squid/cache.log
cache_store_log /var/squid/store.log
##ACL
acl OurWeb dst 192.168.0.10
http_access allow OurWeb
## only requests for the internal web server go to the originserver peer; everything else is fetched directly
cache_peer_access ourweb allow OurWeb
cache_peer_access ourweb deny all
never_direct allow OurWeb
acl MarketingClient src 192.168.2.0/24
acl MarketingTime time MTWHF 09:00-18:00
acl MarketingFile urlpath_regex -i \.txt$ \.doc$ \.docx$ \.xls$ \.xlsx$ \.ppt$ \.pptx$ \.pdf$
http_access deny MarketingClient !MarketingFile
http_access allow MarketingClient MarketingTime
acl DesignClient src 192.168.0.0/24
acl DesignTime time MTWHF 12:30-13:30
http_access allow DesignClient DesignTime
## 192.168.1.0/24 (planning and finance) matches no allow line above, so it ends here
## ("all" is defined in the default squid.conf of 2.x/3.0 and built in from 3.2)
http_access deny all
## SELinux: run these two commands in the shell, they are not squid.conf directives
setsebool -P squid_disable_trans on
semanage port -a -t http_cache_port_t -p tcp 8080
####iptables
#!/bin/bash
# NAT gateway plus transparent redirect of LAN port-80 traffic into squid on 8080
modprobe iptable_filter
modprobe iptable_nat
WANIP=202.103.0.12
WANFACE=eth1
LANIP=192.168.0.12
LANNET_0=192.168.0.0/24
LANNET_1=192.168.1.0/24
LANNET_2=192.168.2.0/24
LANFACE=eth0
LOIP=127.0.0.1
LOFACE=lo
IPTABLES=/sbin/iptables
# start from empty nat and filter tables
$IPTABLES -t nat -F
$IPTABLES -t nat -Z
$IPTABLES -t nat -X
$IPTABLES -t filter -F
$IPTABLES -t filter -Z
$IPTABLES -t filter -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t filter -A INPUT -s $LOIP -j ACCEPT
$IPTABLES -t filter -A OUTPUT -d $LOIP -j ACCEPT
# the LAN subnets may talk to the proxy, but only when their packets arrive on the LAN interface
$IPTABLES -t filter -A INPUT -i $LANFACE -s $LANNET_0 -j ACCEPT
$IPTABLES -t filter -A INPUT -i $LANFACE -s $LANNET_1 -j ACCEPT
$IPTABLES -t filter -A INPUT -i $LANFACE -s $LANNET_2 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -d $LANNET_0 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -d $LANNET_1 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -d $LANNET_2 -j ACCEPT
# WAN side: Internet users reach the accelerator on port 80; apart from that only replies to
# connections the proxy opened are accepted (accepting everything here would void the DROP policy)
$IPTABLES -t filter -A INPUT -i $WANFACE -p tcp --dport 80 -j ACCEPT
$IPTABLES -t filter -A INPUT -i $WANFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $WANFACE -j ACCEPT
# hide the three LAN subnets behind the WAN address
$IPTABLES -t nat -A POSTROUTING -s $LANNET_0 -o $WANFACE -j SNAT --to-source $WANIP
$IPTABLES -t nat -A POSTROUTING -s $LANNET_1 -o $WANFACE -j SNAT --to-source $WANIP
$IPTABLES -t nat -A POSTROUTING -s $LANNET_2 -o $WANFACE -j SNAT --to-source $WANIP
# transparent proxy: LAN web traffic is redirected to squid's transparent port 8080
$IPTABLES -t nat -A PREROUTING -s $LANNET_0 -i $LANFACE -p tcp --dport 80 -j REDIRECT --to-ports 8080
$IPTABLES -t nat -A PREROUTING -s $LANNET_1 -i $LANFACE -p tcp --dport 80 -j REDIRECT --to-ports 8080
$IPTABLES -t nat -A PREROUTING -s $LANNET_2 -i $LANFACE -p tcp --dport 80 -j REDIRECT --to-ports 8080
echo 1 > /proc/sys/net/ipv4/ip_forward
# equivalent: sysctl -w net.ipv4.ip_forward=1
/etc/init.d/squid start
# or: service squid start
chkconfig squid on
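As an added example (not code from the original post), the following Python models how Squid walks the http_access list above, so the policy can be checked against sample requests before it is deployed. The addresses, paths and timestamps are constructed, 203.0.113.5 stands for any Internet host, and the time acl is modelled as an inclusive hh:mm range on Monday to Friday.

```python
import ipaddress
import re
from datetime import datetime

# Constructed model of the http_access list in the Squid example (not a live Squid).
# Squid semantics: all ACLs on one http_access line must match (AND), the first
# matching line decides, and when no line matches the opposite of the last line's
# action applies. Assumption: the time acl is an inclusive hh:mm range on MTWHF.
OURWEB = ipaddress.ip_address("192.168.0.10")        # acl OurWeb dst
MARKETING = ipaddress.ip_network("192.168.2.0/24")   # acl MarketingClient src
DESIGN = ipaddress.ip_network("192.168.0.0/24")      # acl DesignClient src
WORKDAYS = {0, 1, 2, 3, 4}                           # MTWHF (Monday = 0)
WORK_FILE = re.compile(r"\.(txt|docx?|xlsx?|pptx?|pdf)$", re.IGNORECASE)  # acl MarketingFile


def in_window(when, start, end):
    """Model of 'acl X time MTWHF hh:mm-hh:mm': weekday plus inclusive (hour, minute) range."""
    return when.weekday() in WORKDAYS and start <= (when.hour, when.minute) <= end


def evaluate(src, dst, path, when_iso):
    """Return 'allow' or 'deny' for one request, following the example's rule order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    when = datetime.fromisoformat(when_iso)
    is_work_file = WORK_FILE.search(path) is not None
    rules = [  # (action, every ACL on that http_access line matched)
        ("allow", dst == OURWEB),                                           # OurWeb
        ("deny", src in MARKETING and not is_work_file),                    # MarketingClient !MarketingFile
        ("allow", src in MARKETING and in_window(when, (9, 0), (18, 0))),   # MarketingClient MarketingTime
        ("allow", src in DESIGN and in_window(when, (12, 30), (13, 30))),   # DesignClient DesignTime
    ]
    for action, matched in rules:
        if matched:
            return action
    # No line matched (e.g. 192.168.1.0/24, planning and finance): opposite of the last action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    # Constructed requests; 2024-01-01 is a Monday and 203.0.113.5 stands for an Internet host.
    for req in [("192.168.1.20", "203.0.113.5", "/index.html", "2024-01-01T10:00"),  # finance
                ("192.168.2.5", "203.0.113.5", "/report.pdf", "2024-01-01T10:00"),   # marketing, work file
                ("192.168.2.5", "203.0.113.5", "/index.html", "2024-01-01T10:00"),   # marketing, html page
                ("192.168.0.50", "203.0.113.5", "/index.html", "2024-01-01T13:00")]: # design, lunch break
        print(req, "->", evaluate(*req))
```

Note that the Marketing deny line fires before the time check, so a marketing client is refused an HTML page even during working hours, while its finance neighbours in 192.168.1.0/24 are denied only by the implicit default.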
This article is from the “小杨” blog; please contact the author before reposting!