Shulou(Shulou.com)06/01 Report--

How to understand the Suse kernel transparent proxy, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

As Suse receives more and more attention from the majority of users, its problems also increase. How can we better apply Suse? In the future, we will elaborate on the issue of configuring transparent proxies one by one. Is to first explain why a transparent proxy should be configured.

In fact, only configuring squid can achieve the proxy function, but for the client, you must set proxy server in the browser, and for other tools, such as FlashGet, CuteFTP, and so on, you must also set them one by one, which is very troublesome. However, if a transparent proxy is set, then the client only needs to set a gateway in the network configuration, and no other programs need to be set up separately. This is the temptation to set up a transparent proxy, of course, it's just for me, in fact, iptables has a more powerful firewall function, which is the use of it. However, this configuration does not involve firewalls, if you are interested, please see the iptables howto posted.

one. Assuming that the firewall support option has been compiled into our linux, you can go to the kernel source directory and confirm it with make menuconfig.

two. Install squid. Generally, for each Linux distribution, it should have already been installed if it is fully installed. Of course, you can also download and install it from the following URL:

Http://www.squid-cache.org/

three. Whether it is reinstalled or already in the system, because the location of the configuration file for squid may vary from distribution to distribution, use the find command to confirm the exact location of the squid.conf file. If it is a rpm installation, you can also use the rpm command to confirm: rpm-ql [squidrpmname.rpm] | grep squid.conf

four. Edit the squid.conf file to ensure that the following exists:

Httpd_accel_host virtual

Httpd_accel_port 80

Httpd_accel_with_proxy on

Httpd_accel_uses_host_header on

Cache_effective_user nobody

Cache_effective_group nobody

Http_access allow all

Cache_dir ufs / usr/local/squid/cache 100 16 256

Note: * the sentence is cache directory, which needs to be created below. You can change it to the directory where your local squid is located. The penultimate sentence means that we allow all requests, which is very insecure, you can create a group yourself, and then allow this group, and deny all, take a closer look at squid.conf for specific settings, there are very detailed explanations and examples

five. Create a cache directory (if not) and change the directory owner to nobody

Chown nobody:nobody / pathname/cache

six. Look at the default log directory in the configuration file and change the owner of that directory to nobody to ensure that log can write to

seven. Create cache: squid-z

eight. Start squid: squid-D

Squid's site maintains a very detailed FAQ, which basically has answers to all the questions you need to ask. For example, you can first use squid-NCd1 to start in debug mode, so that if there is an error, it will be reported. Generally, if it is dialed by ADSL, it will make an error if you start squid before dialing (FATAL: ipcache_init: DNS name lookup tests failed), because squid starts to check some commonly used DNS. But at this time, you did not connect to internet, so you naturally made an error, so we need not check DNS at startup, which requires adding the-D option to start squid.

nine. After the startup is successful, we can test it by setting proxy in the client's browser. If we can connect to internet, then the squid is set up successfully.

ten. Another follow-up work is to confirm whether squid starts automatically on boot. Generally speaking, there is a squid script in / etc/init.d. All we need to do is ln it to the appropriate rc.d directory. For example, if I start it by default with runlevel5, then I will execute:

Ln-s / etc/init.d/squid / etc/init.d/rc5.d/S99squid

Ln-s / etc/init.d/squid / etc/init.d/rc5.d/K01squid

This is under SuSE, if it is RedHat, then the rc.d directory is under / etc, not under / etc/init.d.

The OK,squid setup is over, so let's start configuring iptables

Configure iptables

You can use the configuration tool mentioned earlier, but I haven't tried it, so I did it directly with the iptables command.

You can view help on man iptables.

We put the iptables setup command in a script file, assuming the script file name is firewall, then store this file in / etc/init.d, and run the script in the startup file. Here are the steps

one. Touch / etc/init.d/firewall

two. Vi / etc/init.d/firewall

Add the following:

#! / bin/sh

Echo "Enabling IP Forwarding..."

Echo 1 > / proc/sys/net/ipv4/ip_forward

Echo "Starting iptables rules..."

# Refresh all chains

/ sbin/iptables-F-t nat

Iptables-t nat-A PREROUTING-I eth0-p tcp-m tcp

-- dport 80-j REDIRECT-- to-ports 3128

Iptables-t nat-A POSTROUTING-s 192.168.1.0 Universe 24-o

Ppp0-j MASQUERADE

The above command is explained as follows:

/ proc/sys/net/ipv4/ip_forward must be set to 1 (the default is 0) to use the routing feature.

/ sbin/iptables-F-t nat empties all existing rules in nat table.

Eth0: the network card in the Linux machine.

3128: the default listening port in squid.

Ppp0: is the ADSL device in linux (ppp0 in SuSE, possibly dsl0 in redhat).

MASQUERADE: suitable for dial-up servers, because there is no static IP address, for servers with static IP, you can use SNAT-to-source ipadress instead.

Note: the above command does not involve a firewall, please refer to the configuration yourself, and the above command does not delete the rules in filter table, that is, if you have previously set up a firewall, it will not be affected.

three. Chmod uplix firewall, change the file properties so that it can be executed

four. Edit the / etc/init.d/boot.local file, add / etc/init.d/firewall to * *, and make sure to execute this script when you boot.

Note: in SuSE is boot.local, for redhat, you need to edit the / etc/rc.d/rc.local file.

five. Run firewall, and the rules take effect immediately.

This is the end of all configurations. It is quite common for Suse to configure transparent proxies.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.