iptables as gateway + transparent proxy + Squid domain redirection


iptables configuration

*nat
:PREROUTING ACCEPT [1322:74513]
:POSTROUTING ACCEPT [880:38720]
:OUTPUT ACCEPT [880:38720]
# Transparent proxy: TCP port-80 requests from 192.168.1.26 (here limited to destination 61.172.240.188) are redirected to Squid on port 33128.
-A PREROUTING -s 192.168.1.26 -i eth0 -p tcp -m tcp -d 61.172.240.188 --dport 80 -j REDIRECT --to-ports 33128
# Gateway: SNAT traffic from 192.168.1.26; on the 192.168.1.26 host, set the default gateway to this server's IP.
-A POSTROUTING -s 192.168.1.26 -o eth0 -j SNAT --to-source 192.168.1.218
COMMIT

Squid configuration

# Transparent proxy mode: declare the listening port as transparent
http_port 0.0.0.0:33128 transparent
# DNS server
dns_nameservers 202.106.0.20
# E-mail address shown on error pages
cache_mgr root@ivg.com
cache_dir ufs /var/log/squid 7000 16 256
cache_mem 1024 MB
cache_swap_low 90
cache_swap_high 95
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
visible_hostname localhost
client_netmask 255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl allow_lan src 192.168.1.0/24
# Allow LAN addresses
http_access allow allow_lan
# Deny everything not matched by a rule above
http_access deny all
# Command line of the URL rewrite (redirector) program
url_rewrite_program /etc/squid/red.pl
# Number of redirector processes Squid should start
url_rewrite_children 20

acl Foo src 119.147.70.251/32
acl All src 0/0
# Squid sends every request to the redirector; redirector_access rules
# select which requests are sent (here only those from Foo).
redirector_access allow Foo
redirector_access deny All

vi /etc/squid/red.pl    # the URL redirector program

#!/usr/bin/perl -wl
# Squid URL redirector: reads one request per line from Squid
# (URL client/fqdn ident method) and must print exactly one line back.

$| = 1;  # don't buffer the output; Squid waits for each answer

while (<>) {
    ($uri, $client, $ident, $method) = ();
    ($uri, $client, $ident, $method) = split;
    # Only the exact Taobao front page is redirected to hao123.
    # (Regex reference, in Chinese, PHP-oriented: http://www.cnblogs.com/ximu/archive/2011/10/14/2211281.html)
    next unless ($uri =~ m,^http://www\.taobao\.com/$,);
    $uri = "http://www.hao123.com";
} continue {
    # Runs for every line, including those skipped by "next": echoes the
    # (possibly rewritten) URL; -l appends the newline.
    print "$uri";
}

Detailed redirector configuration (Squid: The Definitive Guide):
http://blog.s135.com/book/squid/chap11.html#a44
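A Python version of the redirector above, added here as an example (it is not from the original post or from the Squid project). It assumes Squid's classic one-request-per-line url_rewrite protocol, as the Perl script does (no url_rewrite_concurrency); the rule table, the hypothetical host example.test and the use of Squid's `302:` answer prefix are my additions, and the code also shows why a redirector must answer every line, even a malformed one.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program (classic one-line-per-request protocol).

Squid sends one line per request:   URL client_ip/fqdn ident method ...
and expects exactly one line back: a replacement URL, or an empty line
to leave the request untouched. Printing nothing for an odd line puts
the stream out of step and stalls every client behind the proxy.
"""
import sys
from urllib.parse import urlsplit

# Rule table (constructed for this example): exact host -> replacement.
# The "302:" prefix makes Squid answer with an HTTP redirect instead of
# silently serving the other site's content under the original URL.
RULES = {
    "www.taobao.com": "302:http://www.hao123.com/",
    "example.test": "http://example.test/maintenance.html",  # hypothetical
}


def rewrite(line: str) -> str:
    """Return the answer line for one request line from Squid."""
    fields = line.split()
    if len(fields) < 4:
        return ""  # malformed or blank input: pass through, stay in sync
    url, _client, _ident, method = fields[:4]
    if method != "GET":
        return ""  # never rewrite POST/CONNECT; request bodies would be lost
    parts = urlsplit(url)
    # Only the site's front page, like the Perl  m,^http://www.taobao.com/$,
    if parts.scheme != "http" or parts.path not in ("", "/") or parts.query:
        return ""
    return RULES.get(parts.hostname or "", "")


def main() -> None:
    # Line-buffered stdout matters: Squid blocks until each answer arrives.
    sys.stdout.reconfigure(line_buffering=True)
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")


if __name__ == "__main__":
    main()
```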

Operating system tuning

(1) Raise the file descriptor limit:
ulimit -n
The default is 1024; raise it to 65536:
ulimit -n 65536
Show all limits:
ulimit -a
(2) Recycle TIME_WAIT sockets faster:
sysctl -a | grep net.ipv4.tcp_tw
sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_tw_recycle=1
(3) Widen the ephemeral port range (default 1024-4999):
echo "1024 40000" > /proc/sys/net/ipv4/ip_local_port_range
(4) If the box also does NAT, raise the NAT (connection tracking) table limit:
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
---------------------------------
squidclient quick reference:
squidclient -h 127.0.0.1 -p 33128 mgr:
squidclient -h 127.0.0.1 -p 33128 mgr:client_list    # list clients
squidclient -h 127.0.0.1 -p 33128 mgr:objects        # list cached objects
squidclient -h 127.0.0.1 -p 33128 mgr:info           # runtime status
Tip: open a URL in a browser, then check whether it was cached:
squidclient -h 127.0.0.1 -p 33128 mgr:objects | grep GET | grep xxx.com
Count the total number of cached objects:
squidclient -h 127.0.0.1 -p 33128 mgr:objects | grep GET | wc -l
Converting the epoch timestamps in Squid's access.log to local time:
perl -pe 's/^\d+\.\d+/localtime($&)/e;' access.log