LinuxByte » 透明代理

网吧Linux 网关设置记录补充

xiao H — Thu, 03 Nov 2011 02:23:43 +0000

很早之前写过这篇博文网吧Linux 网关设置记录，现在这台服务器终于玩完了，所以又要重新配置一台了。这次系统用的是CentOS 6 所以，有些东西变了，要记录一下。

squid.conf 中原来的 acl all src 0.0.0.0/0，现在不需要定义了，squid 3.0 以后all 字段是默认设置了。

sysctl.conf 优化中

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 900

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established 已经改名了，改为net.netfilter.nf_conntrack_tcp_timeout_established 。

其实这一系列网络参数现在都改为net.netfilter.nf 开头了，所以原来的sysctl.conf 优化语句要改一下了。
我的优化语句

net.netfilter.nf_conntrack_tcp_timeout_established= 180
net.netfilter.nf_conntrack_tcp_timeout_fin_wait= 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait= 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack= 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait= 120
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.tcp_synack_retries = 3

另外加一条

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth1 -p upd --dport 53 -j REDIRECT --to-port 53

强制所有内网DNS请求都有网关解析。

与本文关系暧昧的文字

标签：iptables, nat, squid, 透明代理

Feed enhanced by Better Feed from Ozh

Squid 透明代理优化

xiao H — Wed, 02 Mar 2011 12:14:20 +0000

主要记录下用Squid 做正向代理（透明代理）时的优化设置，一切尚在调试中所以下面的优化方式未必都是正确的。

内核调整
/etc/sysctl.conf 下面添加

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established =900
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.ip_conntrack_max = 81920
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000

使设置生效

 /sbin/sysctl -p

文件系统设置
将squid缓存放入独立的文件系统中，文件系统格式建议用Reiserfs，挂载时使用’noatime’参数提高IO性能。

LABEL=/squid             /squid               reiserfs    defaults,noatime     0 0

squid.conf

http_port 192.168.0.254:3128 transparent
cache_mgr hew@linuxbyte.org
cache_mem 512 MB
cache_dir ufs /squid/squid 51200 12 256
maximum_object_size_in_memory 128 KB
maximum_object_size 64 MB
 
#cache_access_log /var/log/squid/access.log squid
cache_access_log none
cache_log none
cache_store_log none
#logfile_rotate 4
 
max_filedesc 6144
pipeline_prefetch on
memory_pools off
memory_pools_limit none
mime_table /etc/squid/mime.conf
 
refresh_pattern -i \.css$ 1440 50% 129600 reload-into-ims
refresh_pattern -i \.xml$ 1440 50% 129600 reload-into-ims
refresh_pattern -i \.htm$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.html$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.shtml$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.png$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.jpg$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.jpeg$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.gif$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.bmp$ 1440 90% 129600 reload-into-ims
refresh_pattern -i \.js$ 1440 90% 129600 reload-into-ims
 
refresh_pattern -i \.mp3$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.wmv$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.rm$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.swf$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.mpeg$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.wma$ 1440 50% 2880 ignore-reload
 
refresh_pattern -i \.exe$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.rar$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.zip$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.gz$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.bz2$ 1440 50% 2880 ignore-reload
refresh_pattern -i \.7z$ 1440 50% 2880 ignore-reload
 
client_lifetime 1 hours
half_closed_clients off
visible_hostname proxy.linuxbyte.org
 
cache_effective_user squid
cache_effective_group squid
 
cache_swap_low 75
cache_swap_high 95
 
dns_nameservers 192.168.0.254
 
acl QUERY urlpath_regex -i cgi-bin \?
cache deny QUERY
 
acl all src 0.0.0.0/0
acl localnet src 192.168.0.0/24
http_access allow localnet
http_access deny all

与本文关系暧昧的文字

标签：squid, 透明代理

Feed enhanced by Better Feed from Ozh

网吧Linux 网关设置记录

xiao H — Tue, 27 May 2008 05:52:04 +0000

这两天忙着网吧搬家的事，昨晚完成了网关的初步设置，用 centos 5.1下 iptables+squid 2.6 做透明代理 pdnsd 做dns cache, 所用软件除pdnsd 外都是系统自带的，eth0 192.168.0.254 内网，eth1 218.108.x.x 外网。废话少说直接上配置文件。

iptables：(/etc/sysconfig/iptables)

# Manual customization of this file is not recommended.
# nat
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 218.108.x.x
COMMIT
 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

防火墙默认规则是全部 ACCEPT 因为网吧环境里各种网络应用都有如果是全部DROP 然后开放指定端口的话要花很多时间去找，并且万一有什么新的应用还要再分析再开放很费时间，弄不好客人都跑了，所以只能放弃一些安全性了。
/etc/sysctl.conf

在 /etc/sysctl.conf 末尾加入下面语句

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 900
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.tcp_synack_retries = 3

/etc/squid/squid.conf

http_port 192.168.0.123:3128 transparent
cache_mgr haibo.d@gmail.com
cache_mem 256 MB
cache_dir ufs /data/squid 500 12 256
 
cache_access_log none
cache_log none
cache_store_log none
 
maximum_object_size 4096 KB
minimum_object_size 1 KB
 
client_lifetime 1 hours
half_closed_clients off
visible_hostname proxy.linuxbyte
 
cache_effective_user squid
cache_effective_group squid
 
cache_swap_low 75
cache_swap_high 95
 
dns_nameservers 192.168.0.1
 
acl QUERY urlpath_regex -i cgi-bin \?
cache deny QUERY
 
acl all src 0.0.0.0/0
acl localnet src 192.168.0.0/24
http_access allow localnet
http_access deny all

这个配置文件是从squid 2.5 改过来的，也许不是完全符合squid 2.6 规范。
pdnsd —— dns cache

pdnsd 是一个小型的dns cache 服务器，为网吧这样的环境做dns cache 刚好够用。
从下面地址下载pdnsd 的相应包安装
http://www.phys.uu.nl/~rombouts/pdnsd/dl.html

/etc/pdnsd.conf

// Sample pdnsd configuration file. Must be customized to obtain a working pdnsd setup!
// Read the pdnsd.conf(5) manpage for an explanation of the options.
// Add or remove '#' in front of options you want to disable or enable, respectively.
// Remove '/*' and '*/' to enable complete sections.
 
global {
        perm_cache=2048;
        cache_dir="/var/cache/pdnsd";
#       pid_file = /var/run/pdnsd.pid;
        run_as="pdnsd";
        server_ip = eth0;  # Use eth0 here if you want to allow other
                                # machines on your network to query pdnsd.
        status_ctl = on;
#       paranoid=on;       # This option reduces the chance of cache poisoning
                           # but may make pdnsd less efficient, unfortunately.
        query_method=udp_tcp;
        min_ttl=60m;       # Retain cached entries at least 60 minutes.
        max_ttl=1w;        # One week.
        timeout=5;        # Global timeout option (10 seconds).
        run_ipv4=on;
}
 
# The following section is most appropriate if you have a fixed connection to
# the Internet and an ISP which provides good DNS servers.
server {
        label= "myisp";
        ip = 202.101.172.35,202.101.172.46;  # Put your ISP's DNS-server address(es) here.
        proxy_only=on;     # Do not query any name servers beside your ISP's.
                           # This may be necessary if you are behind some
                           # kind of firewall and cannot receive replies
                           # from outside name servers.
        timeout=4;         # Server timeout; this may be much shorter
                           # that the global timeout option.
        uptest=none;         # Test if the network interface is active.
        interface=eth0;    # The name of the interface to check.
        interval=10m;      # Check every 10 minutes.
        purge_cache=on;   # Keep stale cache entries in case the ISP's
                           # DNS servers go offline.
}
 
/*
# The following section is more appropriate for dial-up connections.
# Read about how to use pdnsd-ctl for dynamic configuration in the documentation.
server {
        label= "dialup";
        file = "/etc/ppp/resolv.conf";  # Preferably do not use /etc/resolv.conf
        proxy_only=on
        timeout=4;
        uptest=if;
        interface = ppp0;
        interval=10;       # Check if the interface every 10 seconds.
        purge_cache=off;
        preset=off;
}
*/
 
/*
# The servers provided by OpenDNS are fast, but they do not reply with
# NXDOMAIN for non-existant domains, instead they supply you with an
# address of one of their search engines. They also lie about the addresses of
# of the search engines of google, microsoft and yahoo.
# If you do not like this behaviour the "reject" option may be useful.
server {
        label = "opendns";
        ip = 208.67.222.222, 208.67.220.220;
        reject = 208.69.32.0/24,  # You may need to add additional address ranges
                 208.69.34.0/24,  # here if the addresses of their search engines
                 208.67.219.0/24; # change.
        reject_policy = fail;     # If you do not provide any alternative server
                                  # sections, like the following root-server
                                  # example, "negate" may be more appropriate here.
        timeout = 4;
        uptest = ping;            # Test availability using ICMP echo requests.
        ping_timeout = 100;       # ping test will time out after 10 seconds.
        interval = 15m;           # Test every 15 minutes.
        preset = off;
}
*/
 
/*
# This section is meant for resolving from root servers.
server {
        label = "root-servers";
        root_server = on;
        randomize_servers = on; # Give every root server an equal chance
                                # of being queried.
        ip =    198.41.0.4
        ,       192.228.79.201
        ,       192.33.4.12
        ,       128.8.10.90
        ,       192.203.230.10
        ,       192.5.5.241
        ,       192.112.36.4
        ,       128.63.2.53
        ,       192.36.148.17
        ,       192.58.128.30
        ,       193.0.14.129
        ,       198.32.64.12
        ,       202.12.27.33
        ;
        timeout = 5;
        uptest = query;         # Test availability using empty DNS queries.
        interval = 30m;         # Test every half hour.
        ping_timeout = 300;     # Test should time out after 30 seconds.
        purge_cache = off;
        exclude = .localdomain;
        policy = included;
        preset = off;
}
*/
 
source {
        owner=localhost;
#       serve_aliases=on;
        file="/etc/hosts";
}
 
rr {
        name=localhost;
        reverse=on;
        a=127.0.0.1;
        owner=localhost;
        soa=localhost,root.localhost,42,86400,900,86400,86400;
}
 
/*
neg {
        name=doubleclick.net;
        types=domain;   # This will also block xxx.doubleclick.net, etc.
}
*/
 
/*
neg {
        name=bad.server.com;   # Badly behaved server you don't want to connect to.
        types=A,AAAA;
}
*/

将客户机的dns 服务器全部设为 192.168.0.254 让所有dns请求都从这里转发。

其他设置
关闭IPV6

# echo 'alias ipv6 off' >> /etc/modprobe.conf

arp 绑定
网吧环境下arp 绑定是一定要做的，在确认没有arp 病毒情况下，客户机全开运行一下命令

＃nmap -sP 192.168.0.0/24
＃cat /proc/net/arp | awk '{print $1 " " $4}' |sort -t. -n +3 -4 > /etc/ethers
＃echo "arp -f" >> /etc/rc.local

一个管理用 shell
网吧像很多局域网环境一样非常痛恨那些恶意使用p2p ，在有人恶意使用p2p 工具是要能够及时找到它。
创建一个top5.sh 内容为

#!/bin/bash
cat /proc/net/ip_conntrack | cut -d ' ' -f 10 | cut -d '=' -f 2 | sort | uniq -c | sort -nr | head -n 5

在怀疑有人狂开p2p 的时候运行该脚本，可以列出打开会话数最高的前五个机子的IP 和打开的会话数。

同时最有用的管理命令
iftop 可以查看内网机子的即时流量

与本文关系暧昧的文字

标签：dns cache, iptables, nat, pdnsd, squid, 而且, 透明代理

Feed enhanced by Better Feed from Ozh