背景环境:开发人员不能上外网,但又有一些比较特殊的站点需要用到,所以用squid做透明代理,只放行这些站点。之前想到haproxy,后来查阅资料发现haproxy是反向代理/负载均衡器,只能把连接转发到固定的后端,不能像squid那样做正向(上网)代理并按站点做访问控制。
搭建前提:用squid做透明代理网关,理论上需要两张网卡、两个IP,且两个IP在不同网段:一个接外网(默认网关所在的网段),一个接内网(开发人员所在的网段)。内网机器需要把这台机器内网口的IP设为网关,流量经过它时才能被iptables重定向到squid。
[root@linux-virsh-106 log]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E1:9A:69
inet addr:192.168.1.107 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee1:9a69/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:382562 errors:0 dropped:0 overruns:0 frame:0
TX packets:65671 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:78070930 (74.4 MiB) TX bytes:5258206 (5.0 MiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E1:9A:73
inet addr:192.168.10.26 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee1:9a73/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:320136 errors:0 dropped:0 overruns:0 frame:0
TX packets:81908 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22754485 (21.7 MiB) TX bytes:59173280 (56.4 MiB)
这里我选用eth0(192.168.1.107)接外网,eth1(192.168.10.26)接内网。
IP的配置在/etc/sysconfig/network-scripts/下修改ifcfg-eth0和ifcfg-eth1即可,修改完重启网卡(service network restart)就行了。
[root@linux-virsh-106 network-scripts]# cat ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
# External-facing NIC. It is the only interface with a GATEWAY, so the
# default route -- and therefore all SNAT'ed traffic from the internal side --
# leaves through it.
DEVICE=eth0
BOOTPROTO=static
#BROADCAST=192.168.1.255
# HWADDR pins this config to the card's MAC (matches the ifconfig output above).
HWADDR=00:0C:29:E1:9A:69
IPADDR=192.168.1.107
# IPv6 is enabled with autoconf on the external side, while the firewall rules
# on this page are IPv4-only (iptables, no ip6tables shown). NOTE(review): if the
# upstream network advertises IPv6, either disable these two lines or add matching
# ip6tables rules -- confirm whether IPv6 is in use.
IPV6INIT=yes
IPV6_AUTOCONF=yes
NETMASK=255.255.255.0
#NETWORK=192.168.1.0
GATEWAY=192.168.1.1
ONBOOT=yes
[root@linux-virsh-106 network-scripts]# cat ifcfg-eth1
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
# Internal-facing NIC on 192.168.10.0/24, the subnet the SNAT rule below matches.
# No GATEWAY here on purpose: a second default route would compete with eth0's.
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
# HWADDR is commented out here but pinned on eth0. If the VM's NICs are ever
# re-enumerated the two configs can land on the wrong cards, swapping the
# trusted and untrusted sides -- pin both or neither.
#HWADDR=00:0c:29:e1:9a:73
IPADDR=192.168.10.26
NETMASK=255.255.255.0
网卡设置好了,开始设置iptables的规则。注意:下面的规则只把TCP 80端口重定向到squid,其余协议和端口(包括443)都经SNAT直接出外网,而且FORWARD链默认策略是ACCEPT;如果目标是只放行少数站点,还需要把FORWARD默认策略改为DROP、只放行必要的流量,否则squid的ACL形同虚设。
# Enable IPv4 forwarding so packets arriving on eth1 can be routed out via eth0.
# Writing to /proc is not persistent: after a reboot the saved iptables rules
# come back but forwarding does not. Also put "net.ipv4.ip_forward = 1" in
# /etc/sysctl.conf (then sysctl -p).
[root@linux-virsh-106 network-scripts]# echo "1" >> /proc/sys/net/ipv4/ip_forward
[root@linux-virsh-106 network-scripts]# service iptables start
# The filter table is empty and every chain is at policy ACCEPT (output below).
# From this point the box forwards anything between eth1 and eth0 unfiltered,
# and with INPUT at ACCEPT every local service (including squid's 3128 once it
# is running) is reachable from both sides.
[root@linux-virsh-106 network-scripts]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Flush whatever was loaded. -F only removes rules; the chain policies stay ACCEPT.
[root@linux-virsh-106 network-scripts]# iptables -F
[root@linux-virsh-106 network-scripts]# iptables -t nat -F
[root@linux-virsh-106 network-scripts]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# SNAT every protocol and port from the internal subnet to eth0's address.
# Together with FORWARD policy ACCEPT this is full NAT internet access for
# 192.168.10.0/24, not "only a few sites": anything that is not TCP/80
# (443, SSH, DNS, ...) bypasses squid and its ACLs entirely. To actually
# restrict, set "iptables -P FORWARD DROP" and allow only what is needed,
# e.g. "-m state --state ESTABLISHED,RELATED" plus the specific flows.
# (--to-source works because eth0 is static in ifcfg-eth0; use MASQUERADE
# instead if that address ever becomes dynamic.)
[root@linux-virsh-106 network-scripts]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 192.168.1.107
# Redirect TCP/80 to squid's default port 3128. There is no "-i eth1" or
# "-s 192.168.10.0/24" match, so port-80 traffic arriving on eth0 (the external
# side) is redirected into squid as well; whether it is served then depends only
# on squid's http_access ACLs. Safer form:
#   iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
# HTTPS (443) is not intercepted here at all; it leaves via the SNAT rule above.
[root@linux-virsh-106 network-scripts]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
# Persist the rules to /etc/sysconfig/iptables so the iptables service reloads
# them at boot (ip_forward above still needs sysctl.conf).
[root@linux-virsh-106 network-scripts]# service iptables save
将当前规则保存到 /etc/sysconfig/iptables: [确定]
[root@linux-virsh-106 network-scripts]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.10.0/24 anywhere to:192.168.1.107
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
安装squid
# Install squid from the distro repos. Its default http_port is 3128, which the
# PREROUTING REDIRECT rule saved above already points at -- until squid is
# installed, configured and running, internal port-80 traffic is redirected to a
# closed port. For redirected connections to be accepted the http_port line in
# the squid config that follows needs the transparent (intercept on newer
# releases) option, and http_access ACLs should limit clients to 192.168.10.0/24.
[root@linux-virsh-106 network-scripts]# yum install squid
配置squid