Successfully configuring a transparent proxy with squid+iptables - ChinaUnix blog
<TD class=quote><BR>acl Safe_ports port 53 #
dns</TD></TR></TBODY></TABLE><SPAN
class=postbody><BR><BR><FONT size=2>The problem persisted. <BR><BR>Ran:
<BR></FONT></SPAN>
<TABLE cellSpacing=1 cellPadding=3 width="90%" align=center
border=0>
<TBODY>
<TR>
<TD><SPAN class=genmed><B><FONT
size=2>Quote:</FONT></B></SPAN></TD></TR>
<TR>
<TD class=quote>iptables -A FORWARD -p udp --dport 53 -j
ACCEPT</TD></TR></TBODY></TABLE><SPAN class=postbody><FONT
size=2>The problem persisted.
<BR><BR>Later I ran setup on the proxy server, reconfigured the firewall, entered 53 in the custom ports field, restarted iptables and re-ran my own firewall script, and the problem was solved; squid was not restarted at all. Success! In other words, all that was needed was to open port 53 on the proxy server itself. Because the bind service is not running, an nmap scan of the server does not show port 53 as open.
<BR><BR>Next I wanted to test some acl restrictions, so I added the following to squid.conf: <BR></FONT></SPAN>
<TABLE cellSpacing=1 cellPadding=3 width="90%" align=center
border=0>
<TBODY>
<TR>
<TD><SPAN class=genmed><B><FONT
size=2>Quote:</FONT></B></SPAN></TD></TR>
<TR>
<TD class=quote>acl mmxfile urlpath_regex -i \.mp3$
\.avi$ <BR>http_access deny
mmxfile</TD></TR></TBODY></TABLE><SPAN
class=postbody><BR><BR><FONT size=2>squid.conf already contained:
<BR></FONT></SPAN>
<TABLE cellSpacing=1 cellPadding=3 width="90%" align=center
border=0>
<TBODY>
<TR>
<TD><SPAN class=genmed><B><FONT
size=2>Quote:</FONT></B></SPAN></TD></TR>
<TR>
<TD class=quote>acl QUERY urlpath_regex -i cgi-bin \?
\.exe$ \.zip$ \.mp3$ \.mp2$ \.rm$ \.avi$ <BR>no_cache
deny QUERY</TD></TR></TBODY></TABLE><SPAN
class=postbody><BR><FONT
size=2>I restarted squid, but the client could still download mp3 files. However, only the first part of each file was downloaded before the transfer stopped, and that downloaded part could be played. I did not know whether this was a squid problem or a network problem.
<BR><BR></FONT></SPAN>
<TABLE cellSpacing=1 cellPadding=3 width="90%" align=center
border=0>
<TBODY>
<TR>
<TD><SPAN class=genmed><B><FONT
size=2>Quote:</FONT></B></SPAN></TD></TR>
<TR>
<TD class=quote>[root@amd squid]# tail access.log
<BR>1109905921.282 30003 192.168.30.2 TCP_MISS/206
306468 GET <A
href="http://www.joyhero.net/down/music/barn/0052.mp3"
target=_blank>http://www.joyhero.net/down/music/barn/0052.mp3</A>
- DIRECT/202.102.246.240 audio/mpeg <BR>1109905957.105
2134 192.168.30.2 TCP_MISS/302 664 GET <A
href="http://autoupdate.windowsmedia.com/update/update.asp?"
target=_blank>http://autoupdate.windowsmedia.com/update/update.asp?</A>
- DIRECT/207.46.248.96 text/html <BR>1109905967.471
10365 192.168.30.2 TCP_MISS/200 10689 GET <A
href="http://autoupdate.windowsmedia.com/update/CHS/control.xml"
target=_blank>http://autoupdate.windowsmedia.com/update/CHS/control.xml</A>
- DIRECT/207.46.248.96 text/xml <BR>1109905982.264 29696
192.168.30.2 TCP_MISS/200 354348 GET <A
href="http://www.joyhero.net/down/music/barn/0012.mp3"
target=_blank>http://www.joyhero.net/down/music/barn/0012.mp3</A>
- DIRECT/202.102.246.240 audio/mpeg <BR>1109906054.122
1155 192.168.30.2 TCP_MISS/304 202 GET <A
href="http://www.joyhero.net/down/music/barn/0052.mp3"
target=_blank>http://www.joyhero.net/down/music/barn/0052.mp3</A>
- DIRECT/202.102.246.240 -</TD></TR></TBODY></TABLE><SPAN
class=postbody><BR><BR><FONT
size=2>Reading squid.conf carefully, I found why the download restriction had not taken effect: my client network is defined in squid.conf as our_networks, and this line:
<BR><BR></FONT></SPAN>
<TABLE cellSpacing=1 cellPadding=3 width="90%" align=center
border=0>
<TBODY>
<TR>
<TD><SPAN class=genmed><B><FONT
size=2>Quote:</FONT></B></SPAN></TD></TR>
<TR>
<TD class=quote>http_access allow
our_networks</TD></TR></TBODY></TABLE><SPAN
class=postbody><BR><BR><FONT size=2>appears before this line:
<BR><BR></FONT></SPAN>
<TABLE cellSpacing=1 cellPadding=3 width="90%" align=center
border=0>
<TBODY>
<TR>
<TD><SPAN class=genmed><B><FONT
size=2>Quote:</FONT></B></SPAN></TD></TR>
<TR>
<TD class=quote>http_access deny
mmxfile</TD></TR></TBODY></TABLE><SPAN
class=postbody><BR><BR><FONT size=2>So requests for mp3 files had already been allowed through by the first matching rule and were never blocked. <SPAN
style="COLOR: red">This is also the most common mistake when configuring squid acls: the order of the acl rules!!!</SPAN>
<BR><BR>After changing the acl order the client could no longer download mp3 files. This is the log shown by NetTransport (影音传送带): <BR></FONT></SPAN>
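As an added example (not code from the original post), the following Python models squid's first-match evaluation of http_access lines using the two acls from this post, and shows why the allow line placed first lets the mp3 request through while the corrected order denies it. The our_networks range 192.168.30.0/24 is an assumption, since the post only shows the client address 192.168.30.2.

```python
import re
from ipaddress import ip_address, ip_network

# Minimal model of squid's http_access evaluation: rules are checked top to
# bottom, the first acl that matches decides, and if nothing matches squid
# applies the opposite of the last rule's action.

def acl_src(networks):
    # src acl: does the client address fall inside one of the networks?
    nets = [ip_network(n) for n in networks]
    return lambda req: any(ip_address(req["src"]) in n for n in nets)

def acl_urlpath_regex(patterns, ignore_case=True):
    # urlpath_regex acl: does the URL path match any pattern? (-i = ignore case)
    flags = re.IGNORECASE if ignore_case else 0
    regs = [re.compile(p, flags) for p in patterns]
    return lambda req: any(r.search(req["path"]) for r in regs)

ACLS = {
    # Assumed client network; the post only shows the client 192.168.30.2.
    "our_networks": acl_src(["192.168.30.0/24"]),
    # acl mmxfile urlpath_regex -i \.mp3$ \.avi$  (from the post)
    "mmxfile": acl_urlpath_regex([r"\.mp3$", r"\.avi$"]),
}

def http_access(rules, req):
    """Return 'allow' or 'deny' for req under the given ordered rules."""
    for action, acl in rules:
        if ACLS[acl](req):
            return action
    # No rule matched: squid uses the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# The order that let the mp3 through, and the corrected order.
WRONG_ORDER = [("allow", "our_networks"), ("deny", "mmxfile")]
FIXED_ORDER = [("deny", "mmxfile"), ("allow", "our_networks")]

# Requests constructed from the access.log lines quoted in the post.
MP3_REQUEST = {"src": "192.168.30.2", "path": "/2005.mp3"}
XML_REQUEST = {"src": "192.168.30.2", "path": "/update/CHS/control.xml"}

if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("fixed order", FIXED_ORDER)):
        print(name, "mp3:", http_access(rules, MP3_REQUEST),
              "xml:", http_access(rules, XML_REQUEST))
```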
<TABLE cellSpacing=1 cellPadding=3 width="90%" align=center
border=0>
<TBODY>
<TR>
<TD><SPAN class=genmed><B><FONT
size=2>Quote:</FONT></B></SPAN></TD></TR>
<TR>
<TD class=quote><BR>2005-03-04 14:45:42.796 正在连接
dn.clubhi.com:80 <BR>2005-03-04 14:45:42.796 正在连接
61.129.67.121:80 <BR>2005-03-04 14:45:42.812 已连接
<BR>2005-03-04 14:45:42.812 GET /2005.mp3 HTTP/1.1
<BR>2005-03-04 14:45:42.812 Host: dn.clubhi.com
<BR>2005-03-04 14:45:42.812 Accept: */* <BR>2005-03-04
14:45:42.812 User-Agent: Mozilla/4.0 (compatible; MSIE
5.00; Windows 9icon_cool.gif <BR>2005-03-04 14:45:42.812
Connection: Keep-Alive <BR>2005-03-04 14:45:42.843
HTTP/1.0 403 Forbidden <BR>2005-03-04 14:45:42.843
Server: squid/2.5.STABLE6 <BR>2005-03-04 14:45:42.843
Mime-Version: 1.0 <BR>2005-03-04 14:45:42.843 Date: Fri,
04 Mar 2005 06:45:19 GMT <BR>2005-03-04 14:45:42.843
Content-Type: text/html <BR>2005-03-04 14:45:42.843
Content-Length: 1144 <BR>2005-03-04 14:45:42.843
Expires: Fri, 04 Mar 2005 06:45:19 GMT <BR>2005-03-04
14:45:42.843 X-Squid-Error: ERR_ACCESS_DENIED 0
<BR>2005-03-04 14:45:42.843 X-Cache: MISS from
amd.zzzx.net.cn <BR>2005-03-04 14:45:42.843 Connection:
keep-alive <BR>2005-03-04 14:45:42.859 等待 5 秒后重试
<BR>2005-03-04 14:45:44.812 用户暂停在
0</TD></TR></TBODY></TABLE><SPAN
class=postbody><BR><BR></SPAN>
<TABLE cellSpacing=1 cellPadding=3 width="90%" align=center
border=0>
<TBODY>
<TR>
<TD><SPAN class=genmed><B><FONT
size=2>Quote:</FONT></B></SPAN></TD></TR>
<TR>
<TD class=quote>[root@amd squid]# tail access.log
<BR>1109918593.578 1 192.168.30.2 TCP_DENIED/403 1436
GET <A href="http://dn.clubhi.com/2005.mp3"
target=_blank>http://dn.clubhi.com/2005.mp3</A> - NONE/-
text/html <BR>1109918606.563 46 192.168.30.2
TCP_DENIED/403 1436 GET <A
href="http://dn.clubhi.com/2005.mp3"
target=_blank>http://dn.clubhi.com/2005.mp3</A> - NONE/-
text/html <BR>1109918611.604 25 192.168.30.2
TCP_DENIED/403 1436 GET <A
href="http://dn.clubhi.com/2005.mp3"
target=_blank>http://dn.clubhi.com/2005.mp3</A> - NONE/-
text/html <BR>1109918616.666 24 192.168.30.2
TCP_DENIED/403 1436 GET <A
href="http://dn.clubhi.com/2005.mp3"
target=_blank>http://dn.clubhi.com/2005.mp3</A> - NONE/-
text/html</TD></TR></TBODY></TABLE><SPAN
class=postbody><BR><BR><FONT
size=2>When I downloaded the same mp3 from another machine that does not go through the proxy, it was extremely fast: a file of several MB finished downloading before the elapsed time was even displayed.</FONT></SPAN><SPAN
class=postbody><BR><BR></SPAN></P>
<TR>
<TD align=right width="10%" height=30><FONT color=#999999>by
fz-L (9 March 2005, 17:25) This article has been viewed 588 times <A
href="http://blog.chinaunix.net/index/article.php?articleId=14783&blogId=2496">Comments[0]</A></FONT>
</TD></TR><!-- END alcyc --></TBODY></TABLE></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><!---正文 结束------------>
</CENTER></BODY></HTML>