Web proxy and packet filtering in one: the Linux iptables packet filter combined with the well-known Squid cache to build a transparent NAT web proxy. Squid is already the leader among proxy servers; here the system is pushed to its limit by using ramdisk technology to put Squid's cache pages into memory, so that a page has to be fetched from the network only the first time it is visited and is served from memory ever after. The following describes the method and steps for implementing this on RedHat 7.2.
(1) Choose a reasonably stable machine fitted with two network cards, 256 or 512 MB of memory and a 10 GB hard disk. (Note: the first network card connects to the internal network, the second network card to the external network.)
(2) Install Red Hat 7.2, choosing the server installation type and automatic partitioning.
(3) After about 10-15 minutes the installation finishes; reboot into the system and start configuring it.
1. Enable packet forwarding.
Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, and save. This tells the Linux kernel to forward IP packets, that is, to pass a packet arriving on one network interface out through another; without it the system cannot act as a packet-filtering firewall at all.
2. Activate the ramdisk.
Edit the GRUB configuration (grub.conf) so that the kernel line reads as follows:
# boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.7-10)
        kernel /vmlinuz-2.4.7-10 ro root=/dev/sda6 ramdisk=268435
ramdisk=268435 is the part we add. It tells the system that the default ramdisk size is 268435k, that is 256M. Never write 256M directly; the system does not understand that form, and the value must be given in K (the lesson of several months of fumbling!). Once this is set, the system automatically creates a 256M virtual disk after every reboot. Size the parameter according to your own memory, of course; if you do not run X Windows, giving it half of the total memory causes no problem, because the Linux system itself does not need much memory.
3. Set the Squid parameters.
Edit /etc/squid/squid.conf and add the following entries at the end:
http_access allow all
cache_dir ufs /squid 256 16 256
The parameters above give Squid the basis for acting as a transparent proxy. "http_access allow all" lets every client machine use the proxy. The line to pay special attention to is the last one, "cache_dir ufs /squid 256 16 256": Squid's default cache_dir is "/var/spool/squid", but because we want the cache contents in memory, it is changed to /squid here, and in the next step the ramdisk is mounted on the /squid directory.
4. Create the ramdisk. This takes the following commands:
(1) mkdir /squid            creates the directory "/squid"
(2) mkfs /dev/ramdisk       creates a file system on the ramdisk
(3) mount /dev/ramdisk /squid   mounts the ramdisk on the /squid directory
Because the ramdisk disappears after every restart, we create a batch script so the system rebuilds and mounts it automatically at boot:
mkfs /dev/ramdisk
mount /dev/ramdisk /squid
Put these two commands in a file; for now we use myautoexec.bat as the file name. For convenience, create an /admin directory, save the file as /admin/myautoexec.bat, and give it execute permission: chmod +x /admin/myautoexec.bat
The system will not call this file by itself, so one more thing is needed: edit /etc/rc.local and append the line /admin/myautoexec.bat at the end of the file, so that the system runs myautoexec.bat automatically at startup.
5. Initialise Squid.
Remember the parameter "cache_dir ufs /squid 256 16 256"? Initialisation means that Squid creates the specified number of first-level directories under the cache_dir (16 here) and then 256 second-level directories inside each of them. The command is "squid -z". Entering it right now, however, produces an error, because /squid is currently owned by root and squid has no permission to operate on root's files; so first hand the /squid directory to the squid user with "chown squid.squid /squid". Then run "squid -z" again; it completes in under a second. Done on disk instead of on the ramdisk, this step generally takes tens of seconds.
Since this has to happen at every boot as well, add
chown squid.squid /squid
to the two commands already in myautoexec.bat, and finally add a line "squid", which starts the Squid service process. With that, the Squid setup is complete.
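Sections 4 and 5 above end up with a boot script that runs mkfs, mount, chown and squid unconditionally. The script below is an added example, not the page's /admin/myautoexec.bat, that performs the same steps idempotently: it skips mkfs when /squid is already mounted (so a second run cannot wipe a live cache), it re-runs "squid -z" whenever the cache tree is missing (the page's script rebuilds an empty ramdisk after every boot but never recreates the cache directories), and it converts a size in MiB to the KiB value the kernel wants (256 MiB is 262144 KiB; the page's 268435 simply yields a slightly larger ramdisk). It assumes POSIX sh, a Linux /proc/mounts, and the Squid 2.x command line used on the page; the --run guard is an assumption of this example, not something the page describes.

```shell
#!/bin/sh
# Added example, not from the page: an idempotent version of /admin/myautoexec.bat.
# Assumptions (not stated on the page): POSIX sh, a Linux /proc/mounts, and the
# Squid 2.x command line the page uses ("squid -z" builds the cache, "squid" starts it).

RAMDEV=/dev/ramdisk
CACHE=/squid

# KiB value for the kernel's ramdisk= parameter, given a size in MiB.
ramdisk_kb() {
    echo $(( $1 * 1024 ))
}

# True when DIR already appears as a mount point in /proc/mounts, so a second run
# (for example after a failed boot) does not run mkfs over a live cache.
is_mounted() {
    grep -q " $1 " /proc/mounts 2>/dev/null
}

# True when "squid -z" still has to run: the first-level directory "00" that
# Squid creates for "cache_dir ufs /squid 256 16 256" does not exist yet.
need_cache_init() {
    [ ! -d "$1/00" ]
}

setup_cache() {
    mkdir -p "$CACHE"
    if ! is_mounted "$CACHE"; then
        mkfs "$RAMDEV"               # the ramdisk is empty after every boot
        mount "$RAMDEV" "$CACHE"
    fi
    chown squid.squid "$CACHE"       # squid drops root privileges; it must own its cache
    if need_cache_init "$CACHE"; then
        squid -z                     # recreate the 16 x 256 cache directory tree
    fi
    squid                            # start the proxy
    /admin/myfirewall                # load the NAT and firewall rules of section 6
}

# The privileged part only runs when called explicitly as root, e.g. from
# /etc/rc.local as "/admin/myautoexec.bat --run" (guard is this example's convention).
if [ "${1:-}" = "--run" ] && [ "$(id -u)" = "0" ]; then
    setup_cache
fi
```

Because the check functions are separated from the privileged actions, the script can be loaded with ". /admin/myautoexec.bat" and its helpers exercised on an ordinary directory before it is wired into rc.local. Note that Squid 2.x also needs its httpd_accel_* directives for transparent mode; the page does not show them, so the script leaves squid.conf alone.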
6. Set up NAT and the firewall rules.
For convenience, create a file /admin/myfirewall and write the rules into it:
# ------ initialisation
iptables -t nat -F
# ------ end of initialisation
# START NAT <<<<< let the internal computers on 10.27.0.0/16 masquerade onto the Internet
iptables -t nat -A POSTROUTING -o eth1 -s 10.3.37.0/24 -j MASQUERADE
# >>>>> END NAT
# Port redirection: every request leaving for port 80 on the external network is sent to port 3128, so that Squid handles it
# ------ the key to transparent proxying <<<<<<
iptables -t nat -A PREROUTING -i eth0 -d ! 10.27.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# >>>>>>> END port redirection
# Firewall rules <<<<<<< write these according to your own requirements
iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p icmp -j DROP
iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p tcp --dport ! 80 -j DROP
# The two rules above drop every ping packet arriving from the external network and drop every request from the
# external network that is not aimed at port 80; in other words, pings are only allowed from the internal network
# outwards, and only the internal network may access the HTTP service on the external network. Write the complete
# firewall rules according to your own network security requirements; the ones here are only a reference.
Note: the lines starting with # are explanations and need not be written to the file. Save it as /admin/myfirewall and run "chmod +x /admin/myfirewall" so that it can be executed. Then edit /admin/myautoexec.bat and add "/admin/myfirewall" as its last line.
With that, the whole high-performance firewall configuration is complete; run reboot, and after the restart it is working.
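The rule file above has two properties a practitioner would want to check before loading it: its MASQUERADE rule names 10.3.37.0/24 while the comments and the REDIRECT rule use 10.27.0.0/16, and its INPUT rule "-p tcp --dport ! 80 -j DROP" on eth1 also drops the reply packets of connections that Squid itself opens to web servers (those replies arrive from port 80 but are addressed to a high port). The script below is an added example, not the page's /admin/myfirewall: it takes the interfaces, LAN subnet and Squid port once as parameters so the NAT and REDIRECT rules cannot disagree, accepts ESTABLISHED,RELATED traffic ahead of the page's drop rules, and adds matching FORWARD rules. Generating the commands as text and applying them in a second step lets the rule set be reviewed, or checked by a script, before it touches the kernel. It assumes iptables with the state match (ipt_state on a 2.4 kernel), the modern "! -d" / "! --dport" negation spelling (the page uses the older "-d !" form), a FORWARD chain whose default policy is ACCEPT as on a stock Red Hat install, and that eth0 is the LAN and eth1 the uplink, as the page's comments say.

```shell
#!/bin/sh
# Added example, not the page's /admin/myfirewall: a parameterised, stateful rewrite.
# Assumptions (not from the page): iptables with "-m state" (ipt_state on 2.4 kernels),
# the "! -d" / "! --dport" negation spelling, FORWARD policy ACCEPT, eth0 = LAN, eth1 = uplink.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=10.27.0.0/16
SQUID_PORT=3128

# Print, one per line, the iptables commands the gateway needs.
# Kept separate from applying them so the rule set can be reviewed first.
gen_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; squid_port=$4
    cat <<EOF
iptables -t nat -F
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net ! -d $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
iptables -A INPUT -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan_if -p icmp -j DROP
iptables -A INPUT -i $wan_if -p tcp ! --dport 80 -j DROP
iptables -A FORWARD -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan_if -j DROP
EOF
}

# Self-check: how many rules are appended to the nat table (masquerade + redirect).
count_nat_rules() {
    gen_rules "$@" | grep -c '^iptables -t nat -A'
}

# Self-check: the LAN subnet must appear the same way in every rule that names it.
subnet_mentions() {
    gen_rules "$@" | grep -c -- "$3"
}

# Run each generated command; stop at the first failure so a half-loaded
# rule set is noticed instead of silently leaving the gateway open.
apply_rules() {
    gen_rules "$@" | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Only load rules when called explicitly as root, e.g. "/admin/myfirewall --apply".
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    apply_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" "$SQUID_PORT"
fi
```

Running "gen_rules eth0 eth1 10.27.0.0/16 3128" without --apply prints the rule list for inspection. The ESTABLISHED,RELATED rule is placed first so the page's drop rules only ever see new inbound connections; the INPUT drop on eth1 also keeps the proxy, which squid.conf opens with "http_access allow all", from being reachable on port 3128 from the external network.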