Building a NAT Transparent Proxy with Traffic Monitoring on Debian

First, the network environment. The company runs two LANs. Fibre comes into a router, and the router hands out the 192.168.10.X segment, which serves as the externally facing network where the www/ftp/mail servers are deployed. 192.168.10.2 is a host on that outer segment; the internal LAN uses 192.168.0.X and reaches the internet through this 10.2 machine. Ha, not sure I have explained that clearly; it is a fairly unusual setup.

(1) Install the Debian base system (5.0.1)
(2) Connect the network and configure the NICs
firewall:/# vi /etc/network/interfaces

 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 
 # The loopback network interface
 auto lo
 iface lo inet loopback
 
 # The primary network interface
 allow-hotplug eth0 eth1
 iface eth0 inet static
   address 192.168.10.2
   netmask 255.255.255.0
   network 192.168.10.0
   broadcast 192.168.10.255
   gateway 192.168.10.1
   # dns-* options are implemented by the resolvconf package, if installed
   dns-nameservers 192.168.10.1
  
 iface eth1 inet static
   address 192.168.0.254
   netmask 255.255.255.0
   network 192.168.0.0
   broadcast 192.168.0.255
 
 
(3) Configure DNS so the host itself can reach the internet
firewall:/# vi /etc/resolv.conf

nameserver 202.99.166.4

(4) Test internet access
firewall:/# wget http://www.sohu.com/
--2009-05-06 10:39:57--  http://www.sohu.com/
正在解析主机 www.sohu.com... 61.135.133.38, 61.135.133.88, 61.135.133.89, ...
Connecting to www.sohu.com|61.135.133.38|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:227936 (223K) [text/html]
Saving to: `index.html'
 
100%[====================================================================================>] 227,936     45.5K/s   in 4.9s   
 
2009-05-06 10:40:02 (45.7 KB/s) - `index.html' saved [227936/227936]

(5) Configure the apt mirror (I used the Korean mirror http://ftp.kr.debian.org/ ; at the time cn99 did not seem to carry 5.0.1)
firewall:/# vi /etc/apt/sources.list
 
 #
 # deb cdrom:[Debian GNU/Linux 5.0.1 _Lenny_ - Official i386 CD Binary-1 20090413-00:10]/ lenny main
 # deb cdrom:[Debian GNU/Linux 5.0.1 _Lenny_ - Official i386 CD Binary-1 20090413-00:10]/ lenny main
 
 deb http://ftp.kr.debian.org/debian/ stable main
 deb-src http://ftp.kr.debian.org/debian/ stable main
 

(6) Update the apt package lists (the time depends on your bandwidth; it took me a bit over 2 hours)
firewall:/# apt-get update

(7) Install SSH (after installation, SSH starts automatically and a link is added under rc2.d so it starts at boot)
firewall:/# apt-get install openssh-server

Script to start and stop SSH (note: the script is not on $PATH, so give its path explicitly, e.g. the absolute /etc/init.d/ssh, or run it from inside /etc/init.d)
firewall:/# ./etc/init.d/ssh
Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart|status}.

(8) Install squid3
firewall:/# apt-get install squid3

Script to start and stop squid3
firewall:/# ./etc/init.d/squid3
Usage: /etc/init.d/squid3 {start|stop|reload|force-reload|restart}

After installation, edit the squid3 configuration file first
firewall:/# vi /etc/squid3/squid.conf

 # squid3 config
 #
 
 http_port 3128 transparent
 reply_header_max_size 100 KB
 
 cache_mem 1024 MB
 cache_swap_low 90
 cache_swap_high 98
 
 maximum_object_size_in_memory 1024 KB
 memory_replacement_policy heap GDSF
 
 strip_query_terms off
 emulate_httpd_log on
 logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
 
 #access_log none
 access_log /var/log/squid3/access.log combined
 cache_log /var/log/squid3/cache.log
 
 
 # squid 3.0 accepts "src all"; "all" must be defined because it is used below
 acl all src all
 acl manager proto cache_object
 acl localhost src 127.0.0.1/32
 acl to_localhost dst 127.0.0.0/8
 acl SSL_ports port 443
 acl Safe_ports port 80          # http
 acl Safe_ports port 21          # ftp
 acl Safe_ports port 443         # https
 acl Safe_ports port 70          # gopher
 acl Safe_ports port 210         # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280         # http-mgmt
 acl Safe_ports port 488         # gss-http
 acl Safe_ports port 591         # filemaker
 acl Safe_ports port 777         # multiling http
 acl Purge method PURGE
 acl CONNECT method CONNECT
 
 # the internal LAN whose port-80 traffic iptables redirects to this proxy
 acl localnet src 192.168.0.0/24
 acl myip src 192.168.0.16/32
 http_access allow myip
 
 http_access allow manager localhost
 http_access allow Purge localhost
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 
 acl QUERY urlpath_regex cgi-bin \?
 no_cache deny QUERY
 
 # LAN clients are admitted only after the port/method checks above;
 # without this line every redirected client except myip gets "access denied"
 http_access allow localnet
 http_access deny all
 
 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440
 refresh_pattern (cgi-bin|\?)    0       0%      0
 refresh_pattern .               0       20%     4320
 
 icp_port 3130
 
 cache_replacement_policy heap GDSF
 
 error_directory /usr/share/squid3/errors/Simplify_Chinese
 cache_dir ufs /var/spool/squid3 18432 32 256
 coredump_dir /var/spool/squid3
 
 cache_store_log none
 visible_hostname squidtest


Run squid3 -z to create the cache directory tree. Before doing so, check whether the cache directory exists; I use /var/spool/squid3. If it is missing, create it with the commands below. Debian's squid3 runs as the proxy user, so give that user ownership of the directory rather than making it world-writable:

firewall:/# mkdir -p /var/spool/squid3
firewall:/# chown -R proxy:proxy /var/spool/squid3
firewall:/# squid3 -z

Finally start squid; netstat -ltn shows whether it is listening

firewall:/# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN       
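The logformat combined line in the squid.conf above fixes what access.log looks like, and that log is the raw material for per-client traffic monitoring. What follows is an added example, not part of the original post: two POSIX shell functions that summarise such a log per client. The lines embedded in SAMPLE_LOG are constructed for the demonstration; the field positions the functions rely on follow from the logformat definition above (client address first, reply bytes as the tenth whitespace-separated field, squid's result code last).

```sh
#!/bin/sh
# Added example (not from the original post): summarise squid's access.log
# per client, using the "combined" logformat defined in the squid.conf above.
# Field layout of that format after splitting on whitespace:
#   $1 client IP, $6-$8 request line, $9 status, $10 reply bytes (%<st),
#   $NF squid result code (%Ss:%Sh), e.g. TCP_DENIED:NONE
# The sample lines below are constructed, not taken from a real log.
SAMPLE_LOG='192.168.0.16 - - [06/May/2009:10:39:57 +0800] "GET http://www.example.com/ HTTP/1.1" 200 227936 "-" "Mozilla/5.0" TCP_MISS:DIRECT
192.168.0.18 - - [06/May/2009:10:40:02 +0800] "GET http://www.example.com/logo.png HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0" TCP_HIT:NONE
192.168.0.16 - - [06/May/2009:10:40:05 +0800] "GET http://www.example.com/a.js HTTP/1.1" 304 312 "-" "Mozilla/5.0" TCP_REFRESH_HIT:DIRECT
192.168.0.16 - - [06/May/2009:10:40:09 +0800] "CONNECT www.example.org:8443 HTTP/1.1" 403 2064 "-" "Mozilla/5.0" TCP_DENIED:NONE
192.168.0.33 - - [06/May/2009:10:40:11 +0800] "GET http://www.example.com/ HTTP/1.1" 403 2050 "-" "Mozilla/5.0" TCP_DENIED:NONE'

# bytes_per_client: total reply bytes per client IP, largest first.
# Reads log lines on stdin.  Usage: bytes_per_client < /var/log/squid3/access.log
bytes_per_client() {
    awk '$10 ~ /^[0-9]+$/ { bytes[$1] += $10 }
         END { for (ip in bytes) printf "%s %d\n", ip, bytes[ip] }' |
    sort -k2,2nr -k1,1
}

# denied_per_client: how many requests squid refused (TCP_DENIED) per client.
# The result code is taken from the last field, so User-Agent strings that
# contain spaces do not shift it.
denied_per_client() {
    awk '$NF ~ /^TCP_DENIED/ { n[$1]++ }
         END { for (ip in n) printf "%s %d\n", ip, n[ip] }' |
    sort -k2,2nr -k1,1
}

# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | bytes_per_client
printf '%s\n' "$SAMPLE_LOG" | denied_per_client
```

Because %>a records the client's own address, these per-client totals line up with the per-IP classes of the traffic-control script further down. A client that shows up only under denied_per_client is reaching the proxy through the REDIRECT rule but is not matched by any http_access allow line.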

(9) Create the two scripts firewall and flowctrl, for NAT and traffic control respectively

firewall:/# vi /etc/init.d/firewall
firewall:/# vi /etc/init.d/flowctrl

Make them executable
firewall:/# chmod +x /etc/init.d/firewall
firewall:/# chmod +x /etc/init.d/flowctrl

Create the start-up links
firewall:/# ln -s /etc/init.d/firewall /etc/rc2.d/S50firewall
firewall:/# ln -s /etc/init.d/flowctrl /etc/rc2.d/S51flowctrl

Firewall script: NAT for the LAN, squid transparent proxy, and IP/MAC address control. Two points about how these pieces interact: HTTP that the PREROUTING rule redirects to squid is delivered to the local socket (INPUT chain), so the FORWARD whitelist below never sees it and squid's http_access rules decide who gets web access; and -m mac matches a value set by the client itself, so the whitelist catches accidental IP changes rather than acting as authentication.

 #!/bin/sh

 echo "Starting firewall script."
 echo 1 > /proc/sys/net/ipv4/ip_forward
 modprobe ip_tables
 modprobe iptable_nat
 modprobe ip_nat_ftp
 modprobe ip_nat_irc
 modprobe ip_conntrack
 modprobe ip_conntrack_ftp
 modprobe ip_conntrack_irc

 iptables -F
 iptables -t nat -F

 iptables -P INPUT ACCEPT
 iptables -P FORWARD ACCEPT
 iptables -P OUTPUT ACCEPT

 iptables -t nat -P PREROUTING ACCEPT
 iptables -t nat -P POSTROUTING ACCEPT
 iptables -t nat -P OUTPUT ACCEPT

 # LAN clients arrive on eth1 (192.168.0.254); hand their plain HTTP to the local squid
 iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

 iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE


 # ip & mac

 # iptables -A FORWARD -s 192.168.0.5 -m mac --mac-source 00:17:31:98:a2:2a -j ACCEPT
 # gong cheng bu
 iptables -A FORWARD -s 192.168.0.16 -m mac --mac-source 00:24:8c:03:bf:69 -j ACCEPT
 iptables -A FORWARD -s 192.168.0.18 -m mac --mac-source 00:0a:eb:1f:6e:bf -j ACCEPT

 # kai fa bu
 iptables -A FORWARD -s 192.168.0.21 -m mac --mac-source 00:23:54:f5:88:1a -j ACCEPT
 iptables -A FORWARD -s 192.168.0.22 -m mac --mac-source 00:23:54:f5:88:6a -j ACCEPT
 iptables -A FORWARD -s 192.168.0.25 -m mac --mac-source 00:0a:eb:1f:91:c2 -j ACCEPT
 iptables -A FORWARD -s 192.168.0.27 -m mac --mac-source 00:03:0d:6d:d2:4d -j ACCEPT
 iptables -A FORWARD -s 192.168.0.29 -m mac --mac-source 00:16:17:16:6a:aa -j ACCEPT
 iptables -A FORWARD -s 192.168.0.32 -m mac --mac-source 00:23:54:f5:88:53 -j ACCEPT
 iptables -A FORWARD -s 192.168.0.34 -m mac --mac-source 00:0a:eb:22:66:59 -j ACCEPT
 iptables -A FORWARD -s 192.168.0.35 -m mac --mac-source 00:0a:eb:1f:91:78 -j ACCEPT
 iptables -A FORWARD -s 192.168.0.39 -m mac --mac-source 00:23:54:f5:84:23 -j ACCEPT
 iptables -A FORWARD -s 192.168.0.41 -m mac --mac-source 00:0a:eb:51:09:37 -j ACCEPT
 # ... (further IP/MAC pairs that are allowed online)
 

 


 iptables -A FORWARD -s 192.168.0.0/24 -j DROP

 echo "Firewall script load ok"


Traffic-control script: rate-limit each LAN IP, in the simplest and most foolproof way

 #!/bin/sh
 #

 echo "Load TC script ..."

 # HTB root on the LAN side; packets that match no filter go to class 255,
 # which is never defined, so they bypass the shaper
 tc qdisc del dev eth1 root 2>/dev/null
 tc qdisc add dev eth1 root handle 10: htb default 255
 tc class add dev eth1 parent 10: classid 10:1 htb rate 12500kbps ceil 12500kbps

 # speed (note: in tc, "kbps" means kilobytes per second; use "kbit" for kilobits)

 SPEED1=250kbps
 SPEED2=250kbps
 SPEED3=500kbps
 SPEED4=64kbps
 SPEED5=32kbps

 # leaf classes must carry the qdisc's major number (10:), otherwise tc
 # rejects them; the filters below refer to them as 10:101 ... 10:105
 tc class add dev eth1 parent 10:1 classid 10:101 htb rate $SPEED1 ceil $SPEED1 prio 1
 tc class add dev eth1 parent 10:1 classid 10:102 htb rate $SPEED2 ceil $SPEED2 prio 2
 tc class add dev eth1 parent 10:1 classid 10:103 htb rate $SPEED3 ceil $SPEED3 prio 3
 tc class add dev eth1 parent 10:1 classid 10:104 htb rate $SPEED4 ceil $SPEED4 prio 4
 tc class add dev eth1 parent 10:1 classid 10:105 htb rate $SPEED5 ceil $SPEED5 prio 5

 tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.2/32 classid 10:101
 tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.3/32 classid 10:101
 tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.4/32 classid 10:101
 tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.5/32 classid 10:101
 tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.6/32 classid 10:101
 tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.7/32 classid 10:101
 tc filter add dev eth1 parent 10: protocol ip prio 1 u32 match ip dst 192.168.0.8/32 classid 10:101
 # ... (repeat for each remaining host; crude but practical)

 echo "OK"
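Both scripts above end in a long run of near-identical lines (one iptables rule per IP/MAC pair, one tc filter per IP) that the post leaves to be copied by hand. The following is an added example, not part of the original post: a small POSIX shell script that generates those lines from a single host table. Device name and HTB handles follow the firewall and flowctrl scripts above; the host table itself is constructed (the 02:... MACs are locally administered placeholders, not real hardware addresses). The functions only print commands, so the output can be reviewed before it is piped to sh on the gateway.

```sh
#!/bin/sh
# Added example, not from the original post: build the repetitive parts of the
# firewall and flowctrl scripts (one iptables line and one tc filter per
# workstation) from a single host table, instead of copying lines by hand.
# The functions only print commands; review the output and pipe it to sh on
# the gateway.  Device name and HTB handles follow the scripts above; the
# host table is constructed (02:... MACs are locally administered placeholders).

LAN_DEV=eth1       # interface facing 192.168.0.0/24
HTB_ROOT=10:       # root qdisc handle used by the flowctrl script

# Columns: IP  MAC  tc-class (one of the 10:10x leaf classes defined above)
HOSTS='
192.168.0.16 02:00:00:00:00:16 10:103
192.168.0.18 02:00:00:00:00:18 10:103
192.168.0.21 02:00:00:00:00:21 10:101
192.168.0.22 02:00:00:00:00:22 10:101
192.168.0.25 02:00:00:00:00:25 10:104
'

# gen_mac_rules: one FORWARD ACCEPT per IP/MAC pair, then the catch-all DROP
# for the rest of the LAN, i.e. the "ip & mac" section of the firewall script.
gen_mac_rules() {
    printf '%s\n' "$HOSTS" | awk 'NF == 3 {
        printf "iptables -A FORWARD -s %s -m mac --mac-source %s -j ACCEPT\n", $1, $2 }'
    echo 'iptables -A FORWARD -s 192.168.0.0/24 -j DROP'
}

# gen_tc_filters: one u32 filter per host, steering traffic towards that IP
# into the HTB class named in the third column.
gen_tc_filters() {
    printf '%s\n' "$HOSTS" | awk -v dev="$LAN_DEV" -v root="$HTB_ROOT" 'NF == 3 {
        printf "tc filter add dev %s parent %s protocol ip prio 1 u32 match ip dst %s/32 classid %s\n", dev, root, $1, $3 }'
}

# gen_tc_range PREFIX FIRST LAST CLASS: the same filter for a contiguous block
# of addresses (what the original script spells out as 192.168.0.2 ... .8).
gen_tc_range() {
    prefix=$1; i=$2; last=$3; class=$4
    while [ "$i" -le "$last" ]; do
        printf 'tc filter add dev %s parent %s protocol ip prio 1 u32 match ip dst %s.%s/32 classid %s\n' \
            "$LAN_DEV" "$HTB_ROOT" "$prefix" "$i" "$class"
        i=$((i + 1))
    done
}

# Stand-alone run: print everything that would be applied.
gen_mac_rules
gen_tc_filters
gen_tc_range 192.168.0 2 8 10:101
```

Keeping the IP, MAC and bandwidth class of each workstation in one table means the firewall whitelist and the shaper cannot drift apart when a host is added or removed, which is the usual failure mode of two hand-maintained lists.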


(10) Install bandwidthd for traffic monitoring. It also needs an HTTP server to serve its reports; I use mini-httpd

firewall:/# apt-get install bandwidthd
firewall:/# apt-get install mini-httpd

Configure bandwidthd first

firewall:/# vi /etc/bandwidthd/bandwidthd.conf
 ####################################################
 # Bandwidthd.conf
 #
 # Commented out options are here to provide
 # documentation and represent defaults
 
 # Subnets to collect statistics on.  Traffic that
 # matches none of these subnets will be ignored.
 # Syntax is either IP Subnet Mask or CIDR
 #subnet 192.168.0.0/24
 
 subnet 192.168.0.0/24
 # subnet 192.168.10.0/24
 
 
 # Device to listen on
 # Bandwidthd listens on the first device it detects
 # by default.  Run "bandwidthd -l" for a list of
 # devices.
 #dev "eth0"
 
 dev "eth1"
 
 ###################################################
 # Options that don't usually get changed
 
 # An interval is 2.5 minutes, this is how many
 # intervals to skip before doing a graphing run
 #skip_intervals 0
 
 # Graph cutoff is how many k must be transfered by an
 # ip before we bother to graph it
 graph_cutoff 1024
 
 #Put interface in promiscuous mode to score to traffic
 #that may not be routing through the host machine.
 promiscuous true
 
 #Log data to cdf file htdocs/log.cdf
 #output_cdf false
 output_cdf true
 
 #Set the cdf log output directory
 #log_dir "/var/lib/bandwidthd"
 
 #Read back the cdf file on startup
 recover_cdf true
 
 #Libpcap format filter string used to control what bandwidthd see's
 #Please always include "ip" in the string to avoid strange problems
 filter "ip"
 
 #Draw Graphs - This default to true to graph the traffic bandwidthd is recording
 #Usually set this to false if you only want cdf output or
 #you are using the database output option.  Bandwidthd will use very little
 #ram and cpu if this is set to false.
 #graph true
 
 #Set META REFRESH for static pages in seconds(default 150, use 0 to disable).
 #meta_refresh 150
 
 meta_refresh 150
 
 #Set the static html output directory
 htdocs_dir "/var/lib/bandwidthd/htdocs"
 

 Note: my htdocs directory is /var/lib/bandwidthd/htdocs, so the httpd document root must be configured to match
 
firewall:/# vi /etc/mini-httpd.conf
 
 # Example config for mini_httpd.
 # Author: Marvin Stark <marv@der-marv.de>
 
 # Uncomment this line for turning on ssl support.
 #ssl
 
 # On which host mini_httpd should bind?
 host=0.0.0.0
 
 # On which port mini_httpd should listen?
 port=80
 
 # Which user mini_httpd should use?
 # Drop to an unprivileged account after binding port 80; the bandwidthd
 # htdocs files only need to be readable, so root is not required here.
 user=nobody
 
 # Run in chroot mode?
 chroot # yes
 # nochroot # no
 
 # Working directory of mini_httpd.
 #dir=<work_dir>
 
 # Where are the web files stored?
 # Please change this to your needs.
 data_dir=/var/lib/bandwidthd/htdocs/
 
 # Which certificate to use?
 #certfile=<certfile>
 
 # Which logfile to use?
 logfile=/var/log/mini-httpd.log
 
 # Which pidfile to use?
 pidfile=/var/run/mini-httpd.pid
 
 # Which charset to use?
 charset=iso-8859-1

Before starting httpd you will be prompted to edit /etc/default/mini-httpd and change START=0 to 1

firewall:/# vi /etc/default/mini-httpd

 # Defaults for mini_httpd initscript
 # Author: Marvin Stark <marv@der-marv.de>
 
 # Start daemon?
 # 0 = no
 # 1 = yes
 START=1
 
 # Additional options that are passed to the Daemon.
 DAEMON_OPTS="-C /etc/mini-httpd.conf"
 
Finally, start mini-httpd and bandwidthd; their scripts are in the init.d directory

firewall:/# ./etc/init.d/bandwidthd
Usage: /etc/init.d/bandwidthd {start|stop|restart|rotate|force-reload}

firewall:/# ./etc/init.d/mini-httpd
Usage: /etc/init.d/mini-httpd {start|stop|restart|force-reload}

 From site :  http://blog.chinaunix.net/u1/45779/showart_1919517.html
