
Chinaunix


[Network Management] squid.sam_auth & iptables test

Posted on 2007-12-22 15:28
I am looking to learn from your experience, so please give me your opinions: how should traffic control best be configured? Thanks!
eth1: wan_ip 202.96.128.68
eth1:1 wan_ip 202.96.128.69
eth0: lan_ip 192.168.200.254
eth0:1 lan_ip 192.168.250.254

### Caching Server For FedoraCore1 #####################
http_port 3128
icp_port 0

cache_mem 96 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 2048 KB
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
visible_hostname comxyz.guest.group
cache_mgr comxyz@163.com
forwarded_for off

ftp_user comxyz@163.com
ftp_list_width 64
ftp_passive on

auth_param basic realm Proxy-Caching Server
auth_param basic program /usr/lib/squid/smb_auth -W COMXYZ -U 192.168.200.1 -S Logon$
auth_param basic children 5
authenticate_ttl 300 second
authenticate_ip_ttl 600 second
auth_param basic credentialsttl 2 hours

acl safe_ports port 20 21 80 443 444 990 20000-60000
acl connect method CONNECT
acl fixuser max_user_ip 3
acl connlimit maxconn 10
acl one_time time 8:30-24:30
acl fax src 192.168.30.2/255.255.255.255
acl srv src 192.168.200.1-192.168.200.20/255.255.255.255
acl pass_web dstdomain "/etc/squid/passweb.list"
acl pass_ip dst "/etc/squid/passip.list"
acl deny_str url_regex "/etc/squid/denystr.list"
acl deny_web dstdomain "/etc/squid/denyweb.list"
acl deny_ip dst "/etc/squid/denyip.list"
acl all src 0.0.0.0/0.0.0.0

#Havp VirusScan
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default
cache_peer_access 127.0.0.1 allow all

http_access allow pass_web
http_access allow pass_ip
http_access allow srv
http_access deny  !safe_ports
http_access deny  connect !safe_ports
http_access deny  deny_web
http_access deny  deny_ip
http_access deny  deny_str
http_access allow fax
http_access deny  connlimit
http_access deny  fixuser
http_access deny  all
############################################

####### IPtables ################################
proxy="3128"
ipnat="20,21,47,80,443,444,990,1723,5222"
iptables -F
iptables -X
iptables -F -t mangle
iptables -t mangle -X
iptables -F -t nat
iptables -t nat -X

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_conntrack_proto_gre
modprobe ip_conntrack_pptp
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_proto_gre
modprobe ip_nat_pptp

##----- OUTPUT -----
iptables -P OUTPUT ACCEPT

##----- INPUT -----
iptables -P INPUT DROP
iptables -A INPUT -m layer7 --l7proto qq -j DROP
iptables -A INPUT -m layer7 --l7proto msnmessenger -j DROP
iptables -A INPUT -m layer7 --l7proto bittorrent -j DROP
iptables -A INPUT -m layer7 --l7proto kugoo -j DROP
iptables -A INPUT -m layer7 --l7proto xunlei -j DROP
iptables -A INPUT -m layer7 --l7proto socks -j DROP
iptables -A INPUT -m layer7 --l7proto edonkey -j DROP
iptables -A INPUT -m ipp2p --ipp2p -j DROP
iptables -A INPUT -m ipp2p --edk --bit --kazaa -j DROP
iptables -A INPUT -p udp -m ipp2p --edk --bit --kazaa -j DROP
iptables -A INPUT -p tcp -m ipp2p --edk --bit --kazaa -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports $proxy -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

##----- FORWARD -----
iptables -P FORWARD DROP
iptables -N PASS
iptables -A FORWARD -s 192.168.200.224/27 -j PASS
iptables -A FORWARD -d 192.168.200.224/27 -j PASS
iptables -A FORWARD -s 192.168.250.224/27 -j PASS
iptables -A FORWARD -d 192.168.250.224/27 -j PASS
iptables -A FORWARD -m layer7 --l7proto qq -j DROP
iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
iptables -A FORWARD -m layer7 --l7proto kugoo -j DROP
iptables -A FORWARD -m layer7 --l7proto xunlei -j DROP
iptables -A FORWARD -m layer7 --l7proto socks -j DROP
iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP
iptables -A FORWARD -m ipp2p --ipp2p -j DROP
iptables -A FORWARD -m ipp2p --edk --bit --kazaa -j DROP
iptables -A FORWARD -p udp -m ipp2p --edk --bit --kazaa -j DROP
iptables -A FORWARD -p tcp -m ipp2p --edk --bit --kazaa -j DROP
iptables -A PASS -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports $ipnat -j ACCEPT
iptables -A FORWARD -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -p gre -j ACCEPT
iptables -A FORWARD -i eth0 -p icmp -j ACCEPT
#Ready One To One NAT
iptables -A FORWARD -d 192.168.250.253 -j ACCEPT

##----- Start Iptables Snat & Dnat -----
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 120 > /proc/sys/net/ipv4/neigh/default/gc_stale_time
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 65535 > /proc/sys/net/ipv4/ip_conntrack_max

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.200.0/24 -j SNAT --to 202.96.128.68
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.250.0/24 -j SNAT --to 202.96.128.68
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 202.96.128.68 --dport 2323 -j DNAT --to 192.168.250.252:23
iptables -t nat -A PREROUTING -i eth1 -d 202.96.128.69 -j DNAT --to 192.168.250.253

[ Last edited by comxyz on 2007-12-22 16:59 ]
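
Squid applies the first http_access line whose ACLs all match, so the outcome of the configuration above depends on rule order. The following Python walk-through of that order is an added example, not part of the original post; the list-file contents, sample requests and helper names are constructed assumptions, and the authentication challenge itself is not modelled.

```python
import ipaddress
import re

# Constructed stand-ins: the post does not show the contents of its list files.
PASS_WEB, PASS_IP = {"intranet.example"}, {"203.0.113.10"}
DENY_WEB, DENY_IP = {"blocked.example"}, {"198.51.100.7"}
DENY_STR = [r"\.exe$"]
SAFE_PORTS = {20, 21, 80, 443, 444, 990} | set(range(20000, 60001))

def in_range(ip, lo, hi):
    a = ipaddress.ip_address
    return a(lo) <= a(ip) <= a(hi)

# One predicate per acl line used by the post's http_access rules
# (simplified matching: exact host names, exact destination IPs).
ACLS = {
    "pass_web":   lambda r: r["host"] in PASS_WEB,
    "pass_ip":    lambda r: r.get("dst") in PASS_IP,
    "srv":        lambda r: in_range(r["src"], "192.168.200.1", "192.168.200.20"),
    "safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "connect":    lambda r: r["method"] == "CONNECT",
    "deny_web":   lambda r: r["host"] in DENY_WEB,
    "deny_ip":    lambda r: r.get("dst") in DENY_IP,
    "deny_str":   lambda r: any(re.search(p, r.get("url", "")) for p in DENY_STR),
    "fax":        lambda r: r["src"] == "192.168.30.2",
    "connlimit":  lambda r: r.get("conns", 0) > 10,    # maxconn 10
    "fixuser":    lambda r: r.get("user_ips", 1) > 3,  # max_user_ip 3
    "all":        lambda r: True,
}

# http_access lines in the order they appear in the post.
RULES = [
    ("allow", ["pass_web"]), ("allow", ["pass_ip"]), ("allow", ["srv"]),
    ("deny", ["!safe_ports"]), ("deny", ["connect", "!safe_ports"]),
    ("deny", ["deny_web"]), ("deny", ["deny_ip"]), ("deny", ["deny_str"]),
    ("allow", ["fax"]), ("deny", ["connlimit"]), ("deny", ["fixuser"]),
    ("deny", ["all"]),
]

def decide(req):
    """Return (action, rule) for the first http_access line whose ACLs all match."""
    for action, names in RULES:
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, " ".join(names)
    raise AssertionError("unreachable: 'all' always matches")

def make_req(src, host, port=80, method="GET", **extra):
    return dict(src=src, host=host, port=port, method=method, **extra)
```

With this ordering, a client outside srv, fax and the pass lists reaches `deny all`, and the pass_web, pass_ip and srv allows are decided before the safe_ports and deny_* checks are ever evaluated.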

Posted on 2007-12-22 17:11

Reply to #1, comxyz's post

comxyz, could you explain the following configuration lines?
auth_param basic realm Proxy-Caching Server
auth_param basic program /usr/lib/squid/smb_auth -W COMXYZ -U 192.168.200.1 -S Logon$
auth_param basic children 5
authenticate_ttl 300 second
authenticate_ip_ttl 600 second
auth_param basic credentialsttl 2 hours