局域网只有一台服务器可以上互联网,其他机器需要使用代理上网,windows下可以用ccproxy,linux建议使用squid(dns解析需要配合iptables)
1、安装squid
yum install squid.x86_64
2、配置squid配置文件。
vi /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8# RFC1918 possible internal network
#acl localnet src 172.16.0.0/12# RFC1918 possible internal network
acl localnet src 192.168.0.0/16# RFC1918 possible internal network 允许192.168.0.0/16网段
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80# http
acl Safe_ports port 21# ftp
acl Safe_ports port 443# https
acl Safe_ports port 70# gopher
acl Safe_ports port 210# wais
acl Safe_ports port 1025-65535# unregistered ports
acl Safe_ports port 280# http-mgmt
acl Safe_ports port 488# gss-http
acl Safe_ports port 591# filemaker
acl Safe_ports port 777# multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128 端口修改为808端口
http_port 808
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:144020%10080
refresh_pattern ^gopher:14400%1440
refresh_pattern -i (/cgi-bin/|\?) 00%0
refresh_pattern .020%4320
到这里squid就配置完了。
由于客户端pc的dns解析都没有权限,所以还要把客户端的dns解析也由squid服务器这台主机转发出去。
1) echo "1" > /proc/sys/net/ipv4/ip_forward
2)iptables 配置
iptables -t nat -A PREROUTING -s -p udp --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A POSTROUTING -p udp --dport 53 -j SNAT --to 192.168.144.49
iptables -A FORWARD -j ACCEPT
客户端配置
export http_proxy=http://192.168.144.49:808
export https_proxy=https://192.168.144.49:808
客户端配置dns
chattr -i /etc/resolv.conf (ubuntu)
vi /etc/resolv.conf
nameserver 192.168.144.49
验证一下
root@host-192-168-145-197:~# ping www.sina.com
PING wwwus.sina.com (66.102.251.33) 56(84) bytes of data.
ok,dns可以用了。
curl www.sina.com
返回一大串代理,OK,代理配置成功了。
https的配置需要生成证书,可以参考以下文章。
http://www.linuxidc.com/Linux/2017-02/140398.htm
本文出自 “高迪的个人博客” 博客,请务必保留此出处http://gaodi2002.blog.51cto.com/5940761/1953459
原文地址:http://gaodi2002.blog.51cto.com/5940761/1953459
