歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux管理 >> Linux配置

Ubuntu配置adsl,squid,iptables代理服務器

一、背景:
     一台雙網卡服務器,安裝Ubuntu Server 12.04,網卡 eth0 空置,eth1連接局域網,IP 192.168.1.1/24,先連接了寬帶路由器。

二、Squid3
嘗試源碼安裝當前最新的Squid3.3,遇到很多問題,懶得弄了,用Ubuntu源裡的3.1.19吧。
$sudo apt-get install squid3

配置文件在 /etc/squid3/squid.conf,這個配置文件包含詳細的說明,總共5700多行,備份一份出來仔細研究吧,再從百度、Bing、谷歌裡搜一搜,最後出來這麼個配置文件:
acl alldst dst all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.1.0/16       # 修改後的
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

forwarded_for delete        # 修改後的,否則在遠程服務器上會收到包含內網IP的 HTTP頭數據(X_Forwarded_for)
acl_uses_indirect_client on
delay_pool_uses_indirect_client on

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet  # 修改後的
http_port 192.168.1.1:3128     # 修改後的

cache_mem 1024 MB             #自己看情況設定。
maximum_object_size_in_memory 2048 KB   #內存緩存的最大對象。
cache_dir ufs /opt/cache 200000 16 256    #/opt 是個獨立分區 240G,分配約200G做cache。
coredump_dir /var/spool/squid3

logformat custcommon %>a [%tl] %3>Hs %8<st %Ss:%Sh %rm "%ru" %mt
access_log /var/log/squid3/access.log custcommon

#   logformat logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
#   access_log /var/log/squid3/access.log squid
# 這裡修改了一下默認的日志格式,更方便閱讀。
# 原格式 1361289819.737     21 192.168.1.100 TCP_DENIED/403 4295 GET http://askubuntu.com/tags - NONE/- text/html
# 新格式 192.168.1.100 [21/Feb/2013:13:29:45 +0800] 200    13813 TCP_MISS:DIRECT GET "http://common.cnblogs.com/editor/tiny_mce/plugins/insertCode/images/insertCode.gif" image/gif
#

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
# example lin deb packages
#refresh_pattern (\.deb|\.udeb)$   129600 100% 129600
refresh_pattern .               0       20%     4320

內網Firefox設置代理 192.168.1.1:3128 上網正常!

三、PPPOE
1、安裝、設置
$ sudo apt-get install pppoe

撤掉寬帶路由器,寬帶貓直接連到eth0。
$ sudo pppoeconf
進入向導安裝模式,基本都是回答yes,尤其是開機自動連接,再填上寬帶用戶名和密碼,ADSL連接就設好了。手動管理ADSL指令如下:            

$ ifconfig ppp0                  #查看ADSL連接狀態
$ sudo pon dsl-provider    #手動連接ADSL  
$ sudo poff         #手動斷開ADSL
$ sudo plog        #查看ADSL連接日志,僅顯示最後一次連接。

2、DNS
DNS設置在 pppoeconf向導中可以設置為從ISP獲得,如果喜歡設置自己的DNS,則
$ sudo vi /etc/resolv.conf
nameserver 8.8.8.8

3、網絡接口,注:auto dsl-provider開始的內容是pppoeconf向導添加的:
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth1
iface eth1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
#        gateway 192.168.1.254
        dns-nameservers 8.8.8.8
        dnd-search domain.com

auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
provider dsl-provider

auto eth0
iface eth0 inet manual

4、ADSL斷線自動重撥,找到/etc/ppp/options 文件裡如下幾行
# Do not exit after a connection is terminated; instead try to reopen
# the connection.
# persist

去掉 # persist 之前的"# ",試試斷開ADSL、重啟網絡、拔掉ADSL網線片刻再插上等操作,ADSL會在不久之後重新連接,這個時間麼,,,有點兒長。

四、Iptables
Ubuntu安裝了 iptables,但默認沒有啟動iptables,也不像 RHEL/Centos 那樣把iptables設置為服務。從Centos裡復制出來一份 iptables 配置文件,按照自己的需要修改成如下內容:
# Copied from Centos6
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state -s 192.168.1.0/24 --state NEW -m tcp -p tcp --dport 22 -j ACCEPT      #僅允許內網連接ssh
-A INPUT -m state -s 192.168.1.0/24 --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT  #僅允許內網連接代理服務
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

編輯網絡配置文件, 在相應網卡的配置文件裡增加一句
pre-up iptables-restore /etc/iptables
我的配置如下:
$ sudo vi /etc/network/interfaces

auto dsl-provider
iface dsl-provider inet ppp
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
pre-up iptables-restore /etc/iptables
provider dsl-provider

重啟網絡
$ sudo /etc/init.d/networking restart

用nmap測試:
配置iptables之前
Nmap scan report for 113.227.36.81
Host is up (0.25s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524

之後
Nmap scan report for 113.227.56.137
Host is up (0.48s latency).
Not shown: 999 filtered ports
PORT    STATE  SERVICE
113/tcp closed auth

Nmap scan report for 192.168.1.1
Host is up (0.00022s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
3128/tcp open  squid-http

內網Firefox設置代理 192.168.1.1:3128 上網正常!
Copyright © Linux教程網 All Rights Reserved