Linux + iptables + squid policy routing implementation notes
catspaw
catspaw posted on 2008-09-04 11:39
1. Environment
Network access: two uplinks (one CT line + one CNC line).
Intranet users: Internet access and similar application needs.

2. Network topology

                                      /-------> eth1: 10.10.10.23/24 --> CT router  --> INTERNET
INTRANET --> eth0 (192.168.0.1) --> LINUX PROXY
                                      \-------> eth2: 10.0.0.75/24  --> CNC router --> INTERNET

3. IP addresses (interface: address/prefix, gateway)
eth0 side: 192.168.0.X/24, gateway 192.168.0.1 (the proxy's own eth0 address)
eth1: 10.10.10.23/24, gateway 10.10.10.254 (CT)
eth2: 10.0.0.75/24, gateway 10.0.0.254 (CNC)

4. Hardware
HP PC with 3 network cards.

5. Procedure

5.1 Install the operating system
5.1.1 Linux: RedHat AS 5 or CentOS 5
5.1.2 Check that the following packages are installed:

[root@off-proxy /]# rpm -qa | grep iptables
iptables-ipv6-1.3.5-1.2.1
iptables-1.3.5-1.2.1
[root@off-proxy /]# rpm -qa | grep iproute
iproute-2.6.18-4.el5
[root@off-proxy /]# rpm -qa | grep squid
squid-2.6.STABLE6-4.el5

5.2 NIC IP settings

5.2.1 vi /etc/sysconfig/network-scripts/ifcfg-eth0

# Intel Corporation 82562ET/EZ/GT/GZ - PRO/100 VE (LOM) Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:16:76:58:5C:23
IPADDR=192.168.0.1
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes

5.2.2 vi /etc/sysconfig/network-scripts/ifcfg-eth1

# ADMtek NC100 Network Everywhere Fast Ethernet 10/100
DEVICE=eth1
BOOTPROTO=static
BROADCAST=10.10.10.255
HWADDR=00:E0:4C:B0:68:A0
IPADDR=10.10.10.23
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=10.10.10.0
ONBOOT=yes

5.2.3 vi /etc/sysconfig/network-scripts/ifcfg-eth2 (the file for the third card is ifcfg-eth2, matching DEVICE=eth2 below)

# Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+
DEVICE=eth2
BOOTPROTO=static
BROADCAST=10.0.0.255
HWADDR=00:E0:4C:E0:C0:A4
IPADDR=10.0.0.75
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes

5.2.4 Verification

[root@off-proxy /]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:76:58:5C:23
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::216:76ff:fe58:5c23/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:745 errors:0 dropped:0 overruns:0 frame:0
          TX packets:609 errors:0 dropped:0 overruns:0 carrier:0
          collisions:66 txqueuelen:1000
          RX bytes:147143 (143.6 KiB)  TX bytes:100574 (98.2 KiB)

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:B0:68:A0
          inet addr:10.10.10.23  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:feb0:68a0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3634 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2278 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3176716 (3.0 MiB)  TX bytes:250080 (244.2 KiB)
          Interrupt:225 Base address:0xcc00

eth2      Link encap:Ethernet  HWaddr 00:E0:4C:E0:C0:A4
          inet addr:10.0.0.75  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:4cff:fee0:c0a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11231 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1086 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9363025 (8.9 MiB)  TX bytes:100008 (97.6 KiB)
          Interrupt:177 Base address:0xab00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3110536 (2.9 MiB)  TX bytes:3110536 (2.9 MiB)

[root@off-proxy /]# ping 10.10.10.23
PING 10.10.10.23 (10.10.10.23) 56(84) bytes of data.
64 bytes from 10.10.10.23: icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from 10.10.10.23: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.10.10.23: icmp_seq=3 ttl=64 time=0.062 ms
[1]+  Stopped                 ping 10.10.10.23
[root@off-proxy /]# ping 10.0.0.75
PING 10.0.0.75 (10.0.0.75) 56(84) bytes of data.
64 bytes from 10.0.0.75: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 10.0.0.75: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.0.0.75: icmp_seq=3 ttl=64 time=0.062 ms
[2]+  Stopped                 ping 10.0.0.75
[root@off-proxy /]# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.063 ms
[3]+  Stopped                 ping 192.168.0.1

5.3 Routing

[root@off-proxy /]# ip route ls
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.75
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
10.10.10.0/24 dev eth1  proto kernel  scope link  src 10.10.10.23
169.254.0.0/16 dev eth2  scope link
default via 10.10.10.254 dev eth1    (added)

Command: ip route add default via 10.10.10.254 dev eth1
(Add the default gateway so the box itself can reach the Internet; normally, once this route is in place, the machine can open web pages.)

Command: [root@off-proxy /]# cat /etc/iproute2/rt_tables
Command: [root@off-proxy /]# vi /etc/iproute2/rt_tables

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
100     CT          (added)
# local
#
#1      inr.ruhep

Command: [root@off-proxy /]# ip route add default via 10.0.0.254 dev eth2 table 100

[root@off-proxy /]# ip rule ls
0:      from all lookup 255
32763:  from all to 192.168.183.0/24 lookup CT    (added)
32764:  from all to 60.0.0.0/13 lookup CT         (added)
32765:  from 192.168.0.10 lookup CT               (added)
32766:  from all lookup main
32767:  from all lookup default

5.4 Routing verification

[root@off-proxy /]# ping 192.168.0.99    (intranet PC)
PING 192.168.0.99 (192.168.0.99) 56(84) bytes of data.
64 bytes from 192.168.0.99: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=128 time=0.325 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=128 time=0.322 ms
[6]+  Stopped                 ping 192.168.0.99
[root@off-proxy /]# ping 10.10.10.254    (CT gateway)
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_seq=1 ttl=255 time=0.704 ms
64 bytes from 10.10.10.254: icmp_seq=2 ttl=255 time=7.83 ms
64 bytes from 10.10.10.254: icmp_seq=3 ttl=255 time=0.706 ms
[7]+  Stopped                 ping 10.10.10.254
[root@off-proxy /]# ping 10.0.0.254    (CNC gateway)
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=255 time=12.1 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=255 time=1.20 ms
64 bytes from 10.0.0.254: icmp_seq=3 ttl=255 time=1.03 ms
64 bytes from 10.0.0.254: icmp_seq=4 ttl=255 time=9.86 ms
[8]+  Stopped                 ping 10.0.0.254

5.5 iptables setup

5.5.1 Edit the script

Command: [root@off-proxy /]# chmod 755 /etc/rc.d/firewall.sh    (make the firewall script executable)
Command: [root@off-proxy /]# vi /etc/rc.d/firewall.sh    (open the firewall script in vi for editing)

Contents of the iptables script:

#!/bin/sh
#
# connection tracking / NAT helpers for FTP
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# flush all existing rules and user chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -F
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# ICMP echo request and time exceeded
iptables -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SNMP
iptables -A INPUT -p udp --dport 161 -j ACCEPT
# turn this box into a router
echo "1" > /proc/sys/net/ipv4/ip_forward
# DNS arriving on the two uplinks
/sbin/iptables -A INPUT -i eth1 -p udp -m multiport --dports 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -p udp -m multiport --dports 53 -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# note: no chain policy (-P) is set anywhere in this script, so INPUT and
# FORWARD keep the kernel default ACCEPT and the ACCEPT rules above do not
# restrict anything by themselves
# source NAT with the address of whichever uplink the packet leaves on
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.10.10.23
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 10.0.0.75
# default route in the main table (CT) and in table 100 (CNC gateway)
ip route add 0/0 via 10.10.10.254
ip route add 0/0 via 10.0.0.254 table 100
# policy rules: which traffic is looked up in table 100
ip rule add from 192.168.0.10 table 100
ip rule add to 60.0.0.0/13 table 100
ip rule add to 192.168.183.0/24 table 100

5.5.2 Edit the startup script

[root@off-proxy rc.d]# cat rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

/etc/rc.d/firewall.sh    (added)
touch /var/lock/subsys/local
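To predict which uplink (and therefore which SNAT source address) a flow gets under the rules above, here is an added example that is not from the original post: it models the rule walk the kernel performs using the post's `ip rule ls` entries, its main table and table 100; the local-table contents and the sample flows are constructed. It also exposes a side effect the post does not mention: because table 100 holds only a default route, traffic from 192.168.0.10 to the directly connected 10.10.10.0/24 is sent to 10.0.0.254 instead of straight out eth1.

```python
import ipaddress

# Constructed model (not the post's own code) of the routing state the post
# builds: the `ip rule ls` entries, the main table, and table 100 ("CT" in
# rt_tables), whose only route is default via 10.0.0.254 dev eth2.
N = ipaddress.ip_network

# (priority, selector, table); selector is ("from"|"to", net) or None for "all".
RULES = [
    (0,     None,                            "local"),
    (32763, ("to",   N("192.168.183.0/24")), 100),
    (32764, ("to",   N("60.0.0.0/13")),      100),
    (32765, ("from", N("192.168.0.10/32")),  100),
    (32766, None,                            "main"),
]

# table -> list of (prefix, dev, gateway); longest prefix wins inside a table.
# The local table below is simplified to the box's own addresses (constructed).
TABLES = {
    "local": [(N(a + "/32"), "lo", None)
              for a in ("192.168.0.1", "10.10.10.23", "10.0.0.75")],
    100:     [(N("0.0.0.0/0"), "eth2", "10.0.0.254")],
    "main":  [(N("10.0.0.0/24"), "eth2", None),
              (N("192.168.0.0/24"), "eth0", None),
              (N("10.10.10.0/24"), "eth1", None),
              (N("0.0.0.0/0"), "eth1", "10.10.10.254")],
}

# POSTROUTING SNAT rules from the script: source address per egress interface.
SNAT = {"eth1": "10.10.10.23", "eth2": "10.0.0.75"}


def lookup(table, dst):
    """Longest-prefix match within one table; None if nothing matches."""
    hits = [r for r in TABLES[table] if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def route_get(src, dst):
    """Like `ip route get DST from SRC`: walk rules by priority and return
    (dev, gateway, snat_src) from the first table that yields a route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, sel, table in sorted(RULES, key=lambda r: r[0]):
        if sel and (src if sel[0] == "from" else dst) not in sel[1]:
            continue
        hit = lookup(table, dst)
        if hit:                      # a route in this table ends the walk
            return hit[1], hit[2], SNAT.get(hit[1])
    return None
```

On the live box the same question is answered by `ip route get DST from SRC iif eth0`; if the answer for 192.168.0.10 to a CT-side host is not eth1, copy the connected routes into table 100 as well.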