freebsd双线代理服务器架设

# BY kerryhu
# QQ:263205768
# MAIL:[email protected]
# BLOG:http://kerry.blog.51cto.com
# 电信网通双线代理:网通用户通过代理访问电信服务器
 
1、IP初始化
bce0 网通接口,默认设置网通网关
bce1 电信接口,访问电信服务器设置静态路由
 
2、静态路由设置
freebsd# cat /etc/rc.conf
 
static_routes="static1 static2 static3 static4 static5 static6 static7 static8 static9 static10"
route_static1="-net 61.147.19.0/24 22.224.199.25"
route_static2="-net 222.93.106.56/29 22.224.199.25"
route_static3="-net 222.18.114.0/24 22.224.199.25"
route_static4="-net 222.16.29.0/24 22.224.199.25"
route_static5="-net 61.13.24.0/24 22.224.199.25"
route_static6="-net 219.15.6.0/24 22.224.199.25"
route_static7="-net 220.19.20.0/24 22.224.199.25"
route_static8="-net 218.193.9.0/24 22.224.199.25"
route_static9="-net 61.15.9.192/26 22.224.199.25"
route_static10="-net 61.155.18.120/29 22.224.199.25"
 
3、优化内核,调整文件描述符(重要)
freebsd# ee /etc/sysctl.conf
 
kern.ipc.somaxconn=8192
kern.ipc.maxsockbuf=2097152
kern.maxfilesperproc=65536
kern.maxfiles=65536
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=32768
net.inet.udp.maxdgram=57344
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0
net.inet.icmp.icmplim=100
net.inet.tcp.always_keepalive=0
net.inet.tcp.delayed_ack=0
net.inet.tcp.log_in_vain=0
net.inet.udp.log_in_vain=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.local.stream.sendspace=65535
net.local.stream.recvspace=32768
net.inet.ip.fastforwarding=1
net.inet.tcp.syncookies=1
net.inet.ip.portrange.hifirst=8888
net.inet.ip.portrange.first=8888
compat.linux.osrelease=2.6.16
//使sysctl.conf配置生效
freebsd# sysctl -p
freebsd# ee /boot/loader.conf
kern.ipc.maxsockets="4008"
kern.ipc.nmbclusters="32768"
kern.ipc.nmbufs="65535"
kern.ipc.nsfbufs="2496"
net.inet.tcp.tcbhashsize="2048"
linux_load="YES"
 
4、安装squid
freebsd# groupadd squid
freebsd# useradd -g squid -s /sbin/nologin squid
freebsd# mkdir -p /cache/{cache,logs}
freebsd# chown -R squid.squid /cache/cache
freebsd# chown -R squid.squid /cache/logs
freebsd# cd /usr/ports/www/squid3
freebsd# make install clean
 
5、编辑squid.conf
freebsd# ee /usr/local/etc/squid/squid.conf
 
visible_hostname squid.king.com
http_port 8008
http_port 80
cache_mgr [email protected]
cache_effective_user squid
cache_effective_group squid
cache_mem 1024 MB
maximum_object_size_in_memory 10 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /cache/cache 8000 32 128
max_open_disk_fds 0
maximum_object_size 300 MB
cache_swap_low 90
cache_swap_high 95
http_access allow all
#logs
access_log none
cache_log /cache/logs/cache.log
cache_store_log none
error_directory  /usr/local/squid/share/errors/Simplify_Chinese
 
6、初始化squid并启动
freebsd# /usr/local/sbin/squid -z
freebsd# /usr/local/etc/rc.d/squid start
 
7、squid自启动
freebsd# ee /etc/rc.conf
squid_enable="YES"
 
8、pf设置
# macros
ext_if = "bce0"
icmp_types = "echoreq"
table <master> {222.93.106.56/29,202.12.54.99}
table <ddos> persist
table <gm> {222.93.106.58,119.36.79.9}
table <web> {222.93.106.56/29,61.155.19.12/26}
# options
set block-policy return
set loginterface $ext_if
set limit states 60000
# scrub
scrub in all
# filter rules
#pass quick all
pass in quick inet from <master>
block in quick from <ddos>
block in all
pass quick on lo0 all
pass in quick proto tcp to ($ext_if) port 80 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 30/5, overload <ddos> flush)
pass in quick proto tcp to ($ext_if) port 8080 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 30/5, overload <ddos> flush)
pass quick inet proto icmp all icmp-type $icmp_types
pass quick proto udp to any port 53
pass out to <gm>
pass out to <web>
#<master>表里面的为管理IP,允许访问所有
#允许网通玩家访问80,8080端口(注意:上面squid.conf里监听的是8008和80,而这里放行的是8080,两处端口不一致;需把其中一处改成一致,否则8008端口会被block in all拦截)
#经过此双线服务器中转,只允许访问<gm> <web> 定义的电信服务器(注意:此规则集中没有block out规则,pf对未匹配的流量默认放行,所以上面的pass out规则本身并不能限制出站目标;要真正只放行<gm> <web>,需在pass out之前加上block out规则)
 
 
