
Linux+iptables+squid策略路由实施说明

发布时间:2008-09-04 11:39:17来源:红联作者:catspaw
Linux+iptables+squid策略路由实施说明
Linux+iptables+squid策略路由实施说明
1、环境
网络接入:2根线路(1根CT+1根CNC)
内网用户:上网等应用需求

2、网络拓扑
/--------> eth1: 10.10.10.23/24
eth0(192.168.0.1)---> Proxy
\ ________> eth2: 10.0.0.75/24
3、IP地址

4、硬件
HP PC机/3块网卡

5、流程
5.1、安装操作系统
5.1.1、linux:RedHat AS 5或CentOS 5
5.1.2、查看已经安装以下安装包
[root@off-proxy /]# rpm -qa | grep iptables
iptables-ipv6-1.3.5-1.2.1
iptables-1.3.5-1.2.1
LINUX PROXY
CT ROUTE
CNC ROUTE
INTERNET
INTRANET
LINUX PROXY
CT ROUTE
CNC ROUTE
INTERNET
INTRANET
ETH1:10.10.10.23/24/10.10.10.254
ETH2:10.0.0.75/24/10.0.0.254
ETH0:192.168.0.X/24/192.168.0.1

[root@off-proxy /]# rpm -qa | grep iproute
iproute-2.6.18-4.el5
[root@off-proxy /]# rpm -qa | grep squid
squid-2.6.STABLE6-4.el5

5.2、网卡IP设置:
5.2.1、vi /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82562ET/EZ/GT/GZ - PRO/100 VE (LOM) Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:16:76:58:5C:23
IPADDR=192.168.0.1
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes

5.2.2、vi /etc/sysconfig/network-scripts/ifcfg-eth1
# ADMtek NC100 Network Everywhere Fast Ethernet 10/100
DEVICE=eth1
BOOTPROTO=static
BROADCAST=10.10.10.255
HWADDR=00:E0:4C:B0:68:A0
IPADDR=10.10.10.23
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=10.10.10.0
ONBOOT=yes

5.2.3、vi /etc/sysconfig/network-scripts/ifcfg-eth2
# Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+
DEVICE=eth2
BOOTPROTO=static
BROADCAST=10.0.0.255
HWADDR=00:E0:4C:E0:C0:A4
IPADDR=10.0.0.75
IPV6ADDR=
IPV6PREFIX=
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes

5.2.4、检测
[root@off-proxy /]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:76:58:5C:23
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::216:76ff:fe58:5c23/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:745 errors:0 dropped:0 overruns:0 frame:0
TX packets:609 errors:0 dropped:0 overruns:0 carrier:0
collisions:66 txqueuelen:1000
RX bytes:147143 (143.6 KiB) TX bytes:100574 (98.2 KiB)
eth1 Link encap:Ethernet HWaddr 00:E0:4C:B0:68:A0
inet addr:10.10.10.23 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:4cff:feb0:68a0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3634 errors:0 dropped:0 overruns:0 frame:0
TX packets:2278 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3176716 (3.0 MiB) TX bytes:250080 (244.2 KiB)
Interrupt:225 Base address:0xcc00
eth2 Link encap:Ethernet HWaddr 00:E0:4C:E0:C0:A4
inet addr:10.0.0.75 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:4cff:fee0:c0a4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11231 errors:0 dropped:0 overruns:0 frame:0
TX packets:1086 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9363025 (8.9 MiB) TX bytes:100008 (97.6 KiB)
Interrupt:177 Base address:0xab00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1762 errors:0 dropped:0 overruns:0 frame:0
TX packets:1762 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3110536 (2.9 MiB) TX bytes:3110536 (2.9 MiB)

[root@off-proxy /]# ping 10.10.10.23
PING 10.10.10.23 (10.10.10.23) 56(84) bytes of data.
64 bytes from 10.10.10.23: icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from 10.10.10.23: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.10.10.23: icmp_seq=3 ttl=64 time=0.062 ms
[1]+ Stopped ping 10.10.10.23

[root@off-proxy /]# ping 10.0.0.75
PING 10.0.0.75 (10.0.0.75) 56(84) bytes of data.
64 bytes from 10.0.0.75: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 10.0.0.75: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.0.0.75: icmp_seq=3 ttl=64 time=0.062 ms
[2]+ Stopped ping 10.0.0.75

[root@off-proxy /]# ping 192.168.0.1

PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.063 ms
[3]+ Stopped ping 192.168.0.1

5.3、路由:
[root@off-proxy /]# ip route ls
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.75
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.23
169.254.0.0/16 dev eth2 scope link
default via 10.10.10.254 dev eth1(增加)
命令:ip route add default via 10.10.10.254 dev eth1 (增加网关,目的是为了能使本机上网,一般情况下,增加这一条,本机就能打开网页。)

[root@off-proxy /]# cat /etc/iproute2/rt_tables
命令:[root@off-proxy /]# vi /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
100 CT    # 增加
# local
#
#1 inr.ruhep

命令:[root@off-proxy /]# ip route add default via 10.0.0.254 dev eth2 table 100

[root@off-proxy /]# ip rule ls
0: from all lookup 255
32763: from all to 192.168.183.0/24 lookup CT(增加)
32764: from all to 60.0.0.0/13 lookup CT(增加)
32765: from 192.168.0.10 lookup CT(增加)
32766: from all lookup main
32767: from all lookup default

5.4、路由检测:
[root@off-proxy /]# ping 192.168.0.99(内网PC)
PING 192.168.0.99 (192.168.0.99) 56(84) bytes of data.
64 bytes from 192.168.0.99: icmp_seq=1 ttl=128 time=0.316 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=128 time=0.325 ms
64 bytes from 192.168.0.99: icmp_seq=3 ttl=128 time=0.322 ms
[6]+ Stopped ping 192.168.0.99

[root@off-proxy /]# ping 10.10.10.254(CT网关)
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_seq=1 ttl=255 time=0.704 ms
64 bytes from 10.10.10.254: icmp_seq=2 ttl=255 time=7.83 ms
64 bytes from 10.10.10.254: icmp_seq=3 ttl=255 time=0.706 ms
[7]+ Stopped ping 10.10.10.254
[root@off-proxy /]# ping 10.0.0.254(CNC网关)
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
64 bytes from 10.0.0.254: icmp_seq=1 ttl=255 time=12.1 ms
64 bytes from 10.0.0.254: icmp_seq=2 ttl=255 time=1.20 ms
64 bytes from 10.0.0.254: icmp_seq=3 ttl=255 time=1.03 ms
64 bytes from 10.0.0.254: icmp_seq=4 ttl=255 time=9.86 ms
[8]+ Stopped ping 10.0.0.254

5.5、IPTABLES设置:
5.5.1、编辑脚本
命令:[root@off-proxy /]# chmod 755 /etc/rc.d/firewall.sh (修改firewall的文件属性)
命令:[root@off-proxy /]# vi /etc/rc.d/firewall.sh (用vi 命令打开firewall文件进行编辑)
Iptables脚本内容:
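#!/bin/sh
#
# /etc/rc.d/firewall.sh - NAT and policy routing for the dual-uplink proxy.
#   eth0 192.168.0.1   intranet
#   eth1 10.10.10.23   CT uplink,  gateway 10.10.10.254 (default in main table)
#   eth2 10.0.0.75     CNC uplink, gateway 10.0.0.254   (default in table 100)
# Must run as root. Written to be re-runnable: default routes are installed
# with "replace" and the policy rules are deleted before being re-added, so
# running it again (or after the manual "ip route add default" step from the
# write-up) no longer fails with "File exists" or stacks duplicate rules.
#
# NOTE(review): -F/-X flush rules but leave chain policies untouched. Unless
# the policies are set to DROP somewhere else, the INPUT ACCEPT rules below
# have no effect and the FORWARD chain (which carries all intranet traffic)
# is unrestricted. Tighten once the ports the proxy needs on eth0 are known.

IPT=/sbin/iptables

ALT_TABLE=100                         # named "CT" in /etc/iproute2/rt_tables
INTRANET_HOST_VIA_ALT=192.168.0.10    # intranet host forced out via table 100

CT_IF=eth1;  CT_ADDR=10.10.10.23; CT_GW=10.10.10.254
CNC_IF=eth2; CNC_ADDR=10.0.0.75;  CNC_GW=10.0.0.254

# FTP connection-tracking / NAT helpers so active FTP works through SNAT.
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Start from empty chains in every table this script touches.
$IPT -F
$IPT -t nat -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -F

# Loopback, ICMP echo-request / time-exceeded, and replies to our own traffic.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Services on the host itself. SNMP and SSH are accepted on every interface,
# uplinks included; DNS only on the two uplinks, not on the intranet eth0 --
# NOTE(review): confirm that interface choice is intended.
$IPT -A INPUT -p udp --dport 161 -j ACCEPT
$IPT -A INPUT -i "$CT_IF"  -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i "$CNC_IF" -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

# Act as a router; rewrite the source of forwarded traffic to the address of
# whichever uplink the routing decision selected.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPT -t nat -A POSTROUTING -o "$CT_IF"  -j SNAT --to "$CT_ADDR"
$IPT -t nat -A POSTROUTING -o "$CNC_IF" -j SNAT --to "$CNC_ADDR"

# Default routes: CT in the main table, CNC in the alternate table.
ip route replace default via "$CT_GW"  dev "$CT_IF"
ip route replace default via "$CNC_GW" dev "$CNC_IF" table "$ALT_TABLE"

# Policy rules selecting the alternate table. Remove stale copies first so a
# rerun does not leave duplicates in "ip rule ls".
for sel in "from $INTRANET_HOST_VIA_ALT" "to 60.0.0.0/13" "to 192.168.183.0/24"; do
  # shellcheck disable=SC2086 -- $sel is deliberately split into two words
  while ip rule del $sel table "$ALT_TABLE" 2>/dev/null; do :; done
  ip rule add $sel table "$ALT_TABLE"
done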


5.5.2、启动脚本编辑
[root@off-proxy rc.d]# cat rc.local
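#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Added for this setup: bring up NAT and policy routing. Runs after the
# other init scripts, so the network interfaces it refers to already exist.
/etc/rc.d/firewall.sh
touch /var/lock/subsys/local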
文章评论

共有 7 条评论

  1. jwang 于 2011-05-28 07:15:44发表:

    good solution!

  2. xiang5206267 于 2011-02-12 17:15:25发表:

    哪里有linux学习的QQ交流群。

  3. 默念那份爱 于 2010-02-23 17:19:18发表:

    谢谢分享

  4. hepinp 于 2010-01-30 09:26:33发表:

  5. yuefeng_2003 于 2010-01-13 12:20:28发表:

    看不太懂,要是搂主能加以详细解释就好了!

  6. szlfeng 于 2009-12-15 21:08:06发表:

    谢谢分享。支持~

  7. zw3312096 于 2009-12-05 11:48:47发表:

    来学习的