I. Background:
A dual-NIC server running Ubuntu Server 12.04. eth0 is unused; eth1 connects to the LAN with IP 192.168.1.1/24. To begin with, the LAN is still behind the existing broadband router.
II. Squid3
I tried building the then-current Squid 3.3 from source, ran into a lot of problems and could not be bothered; the 3.1.19 in the Ubuntu repository will do.
$ sudo apt-get install squid3
The configuration file is /etc/squid3/squid.conf. It comes with detailed explanations and runs to over 5700 lines, so back up a copy and study it, search Baidu, Bing and Google, and in the end you arrive at a configuration like the one below. The lines marked "modified" or "added" are the ones that matter for security: a LAN-only listening address and ACL, an explicit final deny, and stripping X-Forwarded-For so that client addresses do not leak to remote servers (if you also do not want the proxy's own hostname announced in the Via header, the "via off" directive turns that off as well):
acl alldst dst all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/24 # modified: the LAN from the background section (the post originally had /16 here, which covers all of 192.168.0.0/16 and draws a netmask warning from Squid)
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
forwarded_for delete # modified: otherwise the remote server receives an X-Forwarded-For header carrying the client's internal IP
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet # modified
http_access deny all # added: an explicit final deny, so that the fate of an unmatched request does not depend on the sense of whichever rule happens to be last
http_port 192.168.1.1:3128 # modified: listen on the LAN address only
cache_mem 1024 MB # set according to your own situation
maximum_object_size_in_memory 2048 KB # largest object held in the memory cache
cache_dir ufs /opt/cache 200000 16 256 # /opt is a separate 240 GB partition; about 200 GB of it goes to the cache
coredump_dir /var/spool/squid3
logformat custcommon %>a [%tl] %3>Hs %8<st %Ss:%Sh %rm "%ru" %mt
access_log /var/log/squid3/access.log custcommon
# logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# access_log /var/log/squid3/access.log squid
# The default log format is changed here to something easier to read.
# Original format: 1361289819.737 21 192.168.1.100 TCP_DENIED/403 4295 GET http://askubuntu.com/tags - NONE/- text/html
# New format: 192.168.1.100 [21/Feb/2013:13:29:45 +0800] 200 13813 TCP_MISS:DIRECT GET "http://common.cnblogs.com/editor/tiny_mce/plugins/insertCode/images/insertCode.gif" image/gif
#
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
# example line for deb packages
#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 0 20% 4320
Set Firefox on the LAN to use proxy 192.168.1.1:3128; browsing works!
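Once the proxy is in use, the custcommon log format above is what you will be reading when something looks wrong. The script below is an added example, not part of the original post: it runs a few awk checks over that format to show which clients keep hitting the deny rules, whether any CONNECT to a port other than 443 got through, and whether anything from outside the LAN ACL was ever served. The log lines it works on are constructed in the custcommon format for the example; the client addresses and hostnames in them are made up.

```shell
#!/bin/sh
# Added example (not from the original post): triage of Squid's access.log in
# the custcommon format defined in the configuration above:
#   %>a [%tl] %3>Hs %8<st %Ss:%Sh %rm "%ru" %mt
# With awk's default whitespace splitting the fields are:
#   $1 client IP, $2-$3 timestamp, $4 status, $5 bytes, $6 TCP_xxx:HIER,
#   $7 method, $8 "url", $9 mime type.
# The sample lines are constructed in that format, not taken from a real log.

SAMPLE_LOG='192.168.1.100 [21/Feb/2013:13:29:45 +0800] 200    13813 TCP_MISS:DIRECT GET "http://common.cnblogs.com/editor/tiny_mce/plugins/insertCode/images/insertCode.gif" image/gif
192.168.1.100 [21/Feb/2013:13:30:02 +0800] 403     4295 TCP_DENIED:NONE GET "http://example.com:23/" text/html
192.168.1.101 [21/Feb/2013:13:30:10 +0800] 200        0 TCP_MISS:DIRECT CONNECT "mail.example.com:443" -
192.168.1.101 [21/Feb/2013:13:30:15 +0800] 403     3520 TCP_DENIED:NONE CONNECT "mail.example.com:25" text/html
192.168.1.100 [21/Feb/2013:13:31:00 +0800] 403     3500 TCP_DENIED:NONE GET "http://example.com:25/" text/html
10.0.0.5 [21/Feb/2013:13:32:00 +0800] 200     5120 TCP_MISS:DIRECT GET "http://example.com/" text/html'

# How many requests Squid refused, per client: prints "ip count", sorted by ip.
# A client that keeps hitting the deny rules is either misconfigured or probing.
denied_by_client() {
    awk '$6 ~ /^TCP_DENIED/ { n[$1]++ }
         END { for (ip in n) print ip, n[ip] }' | sort
}

# CONNECT requests to anything but port 443. The config only allows CONNECT
# to SSL_ports, so every line printed here should carry a 403; a 200 would
# mean the tunnel restriction is not working. Prints "ip host:port status".
connect_off_443() {
    awk '$7 == "CONNECT" {
             url = $8; gsub(/"/, "", url)
             n = split(url, hp, ":")
             if (hp[n] != "443") print $1, url, $4
         }'
}

# Requests that were served to a client outside 192.168.1.0/24. With http_port
# bound to 192.168.1.1 and the localnet ACL this should print nothing; a hit
# means the proxy is reachable from somewhere it should not be.
allowed_from_outside_lan() {
    awk '$1 !~ /^192\.168\.1\./ && $6 !~ /^TCP_DENIED/'
}

echo "denied requests per client:"
printf '%s\n' "$SAMPLE_LOG" | denied_by_client
echo "CONNECT to non-443 ports:"
printf '%s\n' "$SAMPLE_LOG" | connect_off_443
echo "served to clients outside the LAN:"
printf '%s\n' "$SAMPLE_LOG" | allowed_from_outside_lan
```

On the real box, replace the printf of SAMPLE_LOG with `cat /var/log/squid3/access.log`; the functions read standard input and need nothing else.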
III. PPPoE
1. Installation and setup
$ sudo apt-get install pppoe
Remove the broadband router and connect the DSL modem directly to eth0.
$ sudo pppoeconf
This starts the setup wizard. Answer yes to almost everything, in particular to connecting automatically at boot, then enter the broadband username and password, and the ADSL connection is configured. The commands for managing ADSL by hand are:
$ ifconfig ppp0 # show the ADSL connection status
$ sudo pon dsl-provider # connect ADSL manually
$ sudo poff # disconnect ADSL manually
$ sudo plog # show the ADSL connection log; only the last connection is shown
2. DNS
In the pppoeconf wizard, DNS can be set to be obtained from the ISP. If you prefer your own DNS servers:
$ sudo vi /etc/resolv.conf
nameserver 8.8.8.8
Note that on 12.04 /etc/resolv.conf is generated by resolvconf, so an edit made here is overwritten the next time an interface comes up; the dns-nameservers line in /etc/network/interfaces below is the setting that persists.
3. Network interfaces. Note: everything from "auto dsl-provider" onwards was added by the pppoeconf wizard. The gateway line stays commented out because the default route is installed by pppd when ppp0 comes up (the post's "dnd-search" was a typo for "dns-search"):
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
# gateway 192.168.1.254
dns-nameservers 8.8.8.8
dns-search domain.com
auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
provider dsl-provider
auto eth0
iface eth0 inet manual
4. Automatic redial when ADSL drops. Find these lines in /etc/ppp/options:
# Do not exit after a connection is terminated; instead try to reopen
# the connection.
# persist
Remove the "# " in front of "# persist". Then try disconnecting ADSL, restarting networking, unplugging the ADSL cable for a moment and plugging it back in, and so on; ADSL reconnects a little later. The wait, though... is a bit long.
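How long that wait is comes down to pppd options the wizard does not touch. The fragment below is an added example, not part of the original post: the directives are standard pppd options as documented in pppd(8), and the numeric values are assumptions to be tuned for your own line. They can go in the same /etc/ppp/options file, or in /etc/ppp/peers/dsl-provider if you prefer to keep them with the connection.

```text
# Added example, not from the original post. The values are assumptions.
# Keep trying to reopen the link after it terminates (what was just enabled above).
persist
# Never give up: the default maxfail of 10 consecutive failures makes pppd exit even with persist.
maxfail 0
# Seconds to wait before redialling after the link drops; the default is 30.
holdoff 5
# Send an LCP echo request every 20 seconds and declare the link dead after
# 3 unanswered ones, so a silent drop is noticed in about a minute instead
# of waiting for the peer to terminate the session.
lcp-echo-interval 20
lcp-echo-failure 3
```

Without the two lcp-echo options, pppd only learns the link is gone when the access concentrator says so; a modem that merely loses sync can leave ppp0 "up" but dead for much longer than the holdoff.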
IV. iptables
Ubuntu has iptables installed, but it is not started by default and, unlike RHEL/CentOS, it is not set up as a service. I copied an iptables configuration file out of CentOS and adapted it to my needs as follows. The comments sit on their own lines, because iptables-restore ignores only lines that begin with "#" and rejects a trailing comment as extra arguments. Two things worth knowing about these rules: they match on source address only, so adding -i eth1 to the two ACCEPT rules would also stop a spoofed 192.168.1.x source arriving over ppp0, independently of the rp_filter sysctl; and FORWARD rejects everything, which is intended, since the server does no NAT and the LAN reaches the Internet only through Squid.
# Copied from Centos6
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# only the LAN may connect to ssh
-A INPUT -m state -s 192.168.1.0/24 --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# only the LAN may connect to the proxy
-A INPUT -m state -s 192.168.1.0/24 --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Edit the network configuration file and add the following line to the stanza of the relevant interface:
pre-up iptables-restore /etc/iptables
My configuration:
$ sudo vi /etc/network/interfaces
auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
pre-up iptables-restore /etc/iptables
provider dsl-provider
Putting the pre-up in the dsl-provider stanza means the rules are in place before ppp0 is dialled. They are loaded only when that stanza comes up, though, so bringing up eth1 on its own leaves the box without them.
Restart networking:
$ sudo /etc/init.d/networking restart
Testing with nmap:
Before configuring iptables:
Nmap scan report for 113.227.36.81
Host is up (0.25s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
After:
Nmap scan report for 113.227.56.137
Host is up (0.48s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
113/tcp closed auth
Nmap scan report for 192.168.1.1
Host is up (0.00022s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http
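The scans above are the right check, but reading them by eye does not scale once the rules change more than once. The script below is an added example, not part of the original post: it reads nmap's normal output (what the post pasted, or what "nmap -oN" saves) and compares the open ports against what each vantage point is allowed to see, nothing from the WAN and only ssh plus the proxy from the LAN. The two reports it works on are constructed to look like the post's; the WAN address in them is a documentation address, not the author's.

```shell
#!/bin/sh
# Added example (not from the original post): compare nmap "normal" output
# against the ports each vantage point is allowed to see. From the WAN
# nothing should be open; from the LAN only ssh and the proxy. The reports
# below are constructed to resemble the post's, not captured from a real host.

WAN_REPORT='Nmap scan report for 203.0.113.10
Host is up (0.25s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed auth'

LAN_REPORT='Nmap scan report for 192.168.1.1
Host is up (0.00022s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3128/tcp open squid-http'

# Print "port/proto" for every port nmap lists as open, one per line.
# The "PORT STATE SERVICE" header has STATE, not open, in field 2, so it is skipped.
open_ports() {
    awk 'NF >= 2 && $2 == "open" { print $1 }'
}

# check_exposure "<allowed ports, space separated>" < report
# Prints every open port that is not on the allowlist; returns 1 if any.
check_exposure() {
    allow=" $1 "
    bad=0
    for p in $(open_ports); do
        case "$allow" in
            *" $p "*) ;;
            *) printf 'UNEXPECTED open port from this vantage point: %s\n' "$p"
               bad=1 ;;
        esac
    done
    return $bad
}

# WAN scan: the allowlist is empty, so the open ssh port is reported. This is
# what the "before" scan in the post looked like from the outside.
if printf '%s\n' "$WAN_REPORT" | check_exposure ""; then
    echo "WAN: ok"
else
    echo "WAN: host is exposed, check the iptables rules"
fi

# LAN scan: ssh and squid are expected, anything else is a surprise.
if printf '%s\n' "$LAN_REPORT" | check_exposure "22/tcp 3128/tcp"; then
    echo "LAN: ok"
else
    echo "LAN: unexpected service listening"
fi
```

To use it for real, scan the public address from a host outside your ISP with `nmap -oN wan.txt <address>` and the LAN address from a client with `nmap -oN lan.txt 192.168.1.1`, then feed each file to check_exposure with the matching allowlist; a non-zero exit is the signal to go back to /etc/iptables.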
Firefox on the LAN, still set to proxy 192.168.1.1:3128, browses normally!