Transparent proxy question, please help! I've been at this for several days
Source: Internet; Published: 2015-09-04
With some time on my hands, I installed Red Hat 9.0 on a machine in the school LAN and wanted to try setting up a transparent proxy.

Red Hat 9.0:
IP: 192.168.30.178
Netmask: 255.255.255.0
Gateway: 192.168.30.1
DNS: 221.228.255.1

Windows XP:
IP: 192.168.30.118
Netmask: 255.255.255.0
Gateway: 192.168.30.1
DNS: 221.228.255.1

Both machines are on the same subnet. I now want the Windows XP machine to reach the network through the Linux box acting as a transparent proxy server.
Following this post by nbxmedia:
http://www.linuxsir.org/bbs/showthr...FA+%B4%FA%C0%ED
I already have Squid working as a proxy, i.e. with the Linux box configured as the proxy in IE. What I cannot get working is transparent proxying.
I added the following lines to /etc/rc.local:

# load the iptables modules
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# redirect all port-80 packets to port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# IP translation; 192.168.30.0/24 is the internal network segment
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o eth0 -j SNAT --to 192.168.30.178

Running /etc/rc.d/rc.local gives:
[root@blue root]# /etc/rc.d/rc.local
iptables v1.2.7a: Need TCP or UDP with port specification

I don't know where the error is, nor whether these two rules are written correctly:
# redirect all port-80 packets to port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# IP translation; 192.168.30.0/24 is the internal network segment
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o eth0 -j SNAT --to 192.168.30.178
I don't understand them.
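The message "Need TCP or UDP with port specification" is what iptables prints when it parses a `--to-ports` argument before it knows the rule is for TCP or UDP, i.e. when `-p tcp`/`-p udp` is missing or comes later on the same line. As an added example that is not part of the original post or of any iptables tooling, here is a small POSIX sh checker that scans a rule file such as /etc/rc.local for that shape and for two related mistakes (DNAT combined with `--to-ports`, and `-m multiport` with space-separated ports). The function name, the temporary sample file and the three deliberately broken lines are constructed for the example; the two nat rules it also contains are the ones quoted in the question, and they pass the check as written.

```shell
#!/bin/sh
# Added example (not from the original post): a static checker for iptables
# NAT rules kept in a start-up file such as /etc/rc.local. It looks for the
# rule shapes that make iptables abort with
#     "Need TCP or UDP with port specification"
# and for two related mistakes, so the file can be checked before boot.
#
# Checks on every line that invokes iptables:
#   1. --to-ports (REDIRECT) needs -p tcp or -p udp, and the -p option must
#      appear before --to-ports: iptables tests the protocol while it parses
#      --to-ports, so a later -p does not count.
#   2. DNAT takes --to-destination; --to-ports belongs to REDIRECT.
#   3. -m multiport takes a comma-separated list (--dports 25,110), not
#      space-separated ports.
# Comment lines are skipped and a trailing CR (file saved on Windows) is
# removed before matching.
#
# Usage: lint_nat_rules FILE   -> exit 0 if clean, 1 if problems were found

lint_nat_rules() {
    file="$1"
    problems=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # strip CR and leading whitespace so the patterns below line up
        line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//')
        case "$line" in
            \#*|'') continue ;;                  # comment or blank line
            *iptables*) ;;
            *) continue ;;                       # not an iptables command
        esac

        # Check 1: --to-ports without -p tcp / -p udp in front of it
        case "$line" in
            *--to-ports*)
                before=${line%%--to-ports*}      # text preceding --to-ports
                case "$before" in
                    *"-p tcp"*|*"-p udp"*) ;;
                    *)  problems=$((problems + 1))
                        echo "$file:$lineno: --to-ports needs -p tcp or -p udp before it" ;;
                esac ;;
        esac

        # Check 2: DNAT combined with the REDIRECT-only option
        case "$line" in
            *"-j DNAT"*--to-ports*)
                problems=$((problems + 1))
                echo "$file:$lineno: DNAT takes --to-destination, not --to-ports" ;;
        esac

        # Check 3: multiport port list separated by spaces
        case "$line" in
            *"-m multiport"*--dport*)
                rest=${line#*--dport}
                rest=${rest#s}                   # accept --dport or --dports
                set -- $rest                     # $1 = first port, $2 = next token
                case "${2:-}" in
                    [0-9]*) problems=$((problems + 1))
                            echo "$file:$lineno: multiport ports must be comma-separated (--dports $1,$2)" ;;
                esac ;;
        esac
    done < "$file"
    [ "$problems" -eq 0 ]
}

# Constructed sample file: the two nat rules from the question plus three
# deliberately broken lines (not from the page) to exercise each check.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# redirect all port-80 packets to squid on 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -o eth0 -j SNAT --to 192.168.30.178
iptables -t nat -A PREROUTING -i eth0 -j REDIRECT --to-ports 3128 -p tcp
iptables -t nat -A PREROUTING -i eth1 -p tcp -j DNAT --to-ports 3128
iptables -A FORWARD -p tcp -m multiport --dport 25 110 -j DROP
EOF
if lint_nat_rules "$SAMPLE"; then
    echo "no problems found"
else
    echo "problems found; fix the lines listed above before loading the rules"
fi
rm -f "$SAMPLE"
```

Independently of rule syntax, a PREROUTING rule only sees packets that actually arrive at the Linux host: with the Windows client's default gateway set to 192.168.30.1 rather than 192.168.30.178, its port-80 traffic goes straight to the router and the REDIRECT rule has nothing to match.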

#! /bin/sh
# Firewall and NAT start-up script for a two-interface gateway:
#   ${UPLINK}  - public side, fixed address ${UPIP}
#   ${LANLINK} - internal network
UPLINK="eth0"
UPIP="61.185.xxx.xxx"
LANLINK="eth1"
ROUTER="yes"
# NAT="dynamic" masquerades behind a changing uplink address; any other
# non-empty value (here "UPIP") does SNAT to the fixed address in UPIP
#NAT="UPIP/dynamic"
NAT="UPIP"
INTERFACES="lo eth0 eth1"
# TCP services reachable from the uplink
SERVICES="80 22 25 110 8000 23 20 21 3306 "
# outbound TCP/UDP destination ports to block (empty = block nothing)
deny=""

case "$1" in
start)
    echo -n "Starting firewall..."
    modprobe ip_nat_ftp
    modprobe ip_conntrack_ftp
    # INPUT: drop by default, trust everything not arriving on the uplink,
    # accept replies to connections this host opened
    iptables -P INPUT DROP
    iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FORWARD: let the LAN out for mail and web only (plus replies)
    # iptables -P FORWARD DROP
    iptables -A FORWARD -p tcp -m multiport --dport 25 -j ACCEPT
    iptables -A FORWARD -p tcp -m multiport --dport 110 -j ACCEPT
    iptables -A FORWARD -p tcp -m multiport --dport 80 -j ACCEPT
    # 09: only allow mail (smtp, pop3) to be sent and received, and only
    # through one mail server; multiport takes a comma-separated list
    # iptables -A FORWARD -d ! 202.108.36.196 -p tcp -m multiport --dports 25,110 -j DROP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -P OUTPUT DROP
    # enable public access to certain services
    for x in ${SERVICES}
    do
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
    # block outbound traffic to the ports listed in ${deny}
    for y in ${deny}
    do
        iptables -A OUTPUT -p tcp --dport ${y} -j DROP
        iptables -A OUTPUT -p udp --dport ${y} -j DROP
    done
    # enable system-log
    #iptables -A INPUT -j LOG --log-prefix "bad input:"
    # everything else arriving from the uplink is refused with a TCP reset
    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    #iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
    # explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi
    # disable spoofing on all interfaces (reverse-path filtering)
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done
    if [ "$ROUTER" = "yes" ]
    then
        # we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            # dynamic IP address, use masquerading
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            # static IP, use SNAT
            # transparent proxy hook: send LAN web traffic that is not aimed at this
            # host to squid on 3128 (REDIRECT needs -p tcp; DNAT has no --to-ports)
            # iptables -t nat -A PREROUTING -i ${LANLINK} -d ! ${UPIP} -p tcp --dport 80 -j REDIRECT --to-ports 3128
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
        fi
    fi
    echo "OK!"
    exit 0
    ;;
stop)
    echo -n "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    iptables -F FORWARD
    iptables -F OUTPUT
    iptables -P OUTPUT ACCEPT
    # turn off NAT/masquerading, if any; without this a restart appends a
    # second SNAT/MASQUERADE rule
    iptables -t nat -F POSTROUTING
    echo "OK!"
    exit 0
    ;;
restart)
    $0 stop
    $0 start
    ;;
show)
    clear
    echo ">-------------------------------------------------------------------"
    iptables -L
    echo ">-------------------------------------------------------------------"
    iptables -t nat -L POSTROUTING
    exit 0
    ;;
*)
    echo "Usage: $0 {start|stop|restart|show}"
    exit 1
esac