How can a squid proxy configuration like this go wrong!? [Problem solved - 段誉]

王朝厨房 · Author: anonymous · 2007-01-02

The RED9 IPTABLES firewall and the SQUID proxy have been split onto separate machines, but now online system patch updates no longer work, and sending a new webmail message with an attachment fails! It feels like attachments cannot be uploaded!

The SQUID proxy server itself goes out directly through NAT on the firewall.

# source-NAT the proxy's outbound packets; iptables target names are case-sensitive, so the target is SNAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.10.1 -j SNAT --to x.x.x.x

Above, 192.168.10.1 is the address of the SQUID server's outward-facing NIC, and ETH1 is the firewall's inward-facing NIC. NAT itself tested fine.

The SQUID proxy server's ETH1 NIC is configured with VLANs corresponding to several internal subnets, mainly so that access control can be done by MAC address. The configuration is below; please help me find where the problem is, thanks!

# one listening address per internal VLAN
http_port 192.168.1.1:3128
http_port 192.168.2.1:3128
http_port 192.168.3.1:3128
http_port 192.168.4.1:3128
http_port 192.168.5.1:3128
icp_port 0
ssl_unclean_shutdown off

# caching rules
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \? asp php shtml php3 cgi
acl cache_prevent url_regex Servlet
acl mmx urlpath_regex -i \.mp3$ \.avi$
no_cache deny QUERY
no_cache deny cache_prevent
no_cache deny mmx
#acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL

cache_mem 200 MB
cache_swap_low 80
cache_swap_high 100
half_closed_clients off
maximum_object_size 1024 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB

dns_nameservers x.x.x.x x.x.x.x
dns_timeout 1 minutes
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir aufs /cache/cache 4096 16 1024
cache_access_log /cache/squidlog/access.log
cache_log /cache/squidlog/cache.log
cache_store_log none
mime_table /usr/local/squid/etc/mime.conf
pid_filename /cache/squidlog/squid.pid
logfile_rotate 100
log_icp_queries off
buffered_logs on
emulate_httpd_log on

cache_effective_user squid
cache_effective_group squid
visible_hostname proxy
cache_mgr administrator@server
error_directory /usr/local/squid/share/errors/Simplify_Chinese
icon_directory /usr/local/squid/share/icons
unlinkd_program /usr/local/squid/libexec/unlinkd
redirect_children 5
redirect_rewrites_host_header off
ftp_list_width 32
ftp_passive on

# access control: http_access lines are evaluated top to bottom, first match wins
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl proto proto HTTP FTP Gopher SSL WAIS
acl method method GET POST
acl CONNECT method CONNECT
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 20          # ftp-data
acl Safe_ports port 21          # ftp
acl Safe_ports port 22          # ssh
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8080 8081 8180 8181
http_access allow manager localhost
http_access deny manager
http_access deny to_localhost
http_access deny CONNECT !SSL_ports

acl ss time AS                      # Saturday and Sunday (not referenced below)
acl work1 time MTWHF 08:00-12:00
acl work2 time MTWHF 14:00-17:00
acl mac arp "/etc/mac"              # arp ACLs only see clients on a directly attached subnet
acl macall arp "/etc/macall"
acl to_ghip dst x.x.x.x
acl outip src x.x.x.x x.x.x.x
http_access allow to_ghip           # these two allow lines are evaluated before the Safe_ports check
http_access allow outip
http_access deny !Safe_ports
http_access allow mac
http_access deny macall work1
http_access deny macall work2
http_access allow macall
http_access deny all
http_reply_access allow all

snmp_port 3401
acl aclsnmp snmp_community public
snmp_access allow aclsnmp localhost
snmp_access deny all
snmp_incoming_address 0.0.0.0
snmp_outgoing_address 0.0.0.0

digest_generation on
digest_rebuild_period 1 hour
digest_rewrite_period 1 hour
digest_swapout_chunk_size 4096 bytes
digest_rebuild_chunk_percentage 10

The configuration above had no such problem when the firewall and the proxy were on the same machine. This is a tuned configuration I was fairly satisfied with. Friends, please help me find where the problem is, thank you!
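As an added example (this is not code from the original post, nor Squid's own code), the following Python script replays Squid's first-match http_access evaluation over the ACL and http_access lines of the configuration above, so the effect of rule ordering can be checked offline before a change is deployed. It models only the ACL types those lines use (src, dst, port, method, proto, arp, time); the x.x.x.x addresses are replaced with constructed RFC 5737 addresses, the /etc/mac and /etc/macall files with constructed MAC lists, and the sample requests are constructed. The names parse_rules, evaluate, Request and allows_before_port_check are the example's own.

```python
import ipaddress
from collections import namedtuple
# Constructed stand-ins for the post's /etc/mac and /etc/macall ARP files.
ARP_FILES = {"/etc/mac": {"00:11:22:33:44:55"},
             "/etc/macall": {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}}

# The post's ACL and http_access lines in their original order; x.x.x.x is replaced
# with constructed RFC 5737 addresses, Safe_ports is merged onto one line, unused ACLs omitted.
SQUID_RULES = """acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl CONNECT method CONNECT
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 20 21 22 443 563 70 210 280 488 591 777 8080 8081 8180 8181
acl work1 time MTWHF 08:00-12:00
acl work2 time MTWHF 14:00-17:00
acl mac arp "/etc/mac"
acl macall arp "/etc/macall"
acl to_ghip dst 203.0.113.10
acl outip src 192.168.1.50 192.168.2.50
http_access allow manager localhost
http_access deny manager
http_access deny to_localhost
http_access deny CONNECT !SSL_ports
http_access allow to_ghip
http_access allow outip
http_access deny !Safe_ports
http_access allow mac
http_access deny macall work1
http_access deny macall work2
http_access allow macall
http_access deny all
"""
# Squid time-ACL day codes: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat D=weekdays
DAY_CODES = {"S": {6}, "M": {0}, "T": {1}, "W": {2}, "H": {3}, "F": {4}, "A": {5}, "D": {0, 1, 2, 3, 4}}

# A request as the ACLs see it: weekday 0 = Monday, minute_of_day counted from midnight.
Request = namedtuple("Request", "src dst port method proto mac weekday minute_of_day",
                     defaults=("GET", "http", "", 1, 13 * 60))  # default: Tuesday 13:00

def _parse_time(args):
    """'MTWHF 08:00-12:00' -> (set of weekdays, (start_minute, end_minute))."""
    days, span = set(), (0, 24 * 60)
    for a in args:
        if ":" in a:
            span = tuple(int(t[:2]) * 60 + int(t[3:]) for t in a.split("-"))
        else:
            days.update(*(DAY_CODES[c] for c in a))
    return days or set(range(7)), span

def parse_rules(text):
    acls, rules = {}, []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
            continue
        name, kind, args = parts[1], parts[2], parts[3:]
        if kind == "time":
            args = _parse_time(args)
        elif kind == "arp":
            args = ARP_FILES[args[0].strip('"')]
        elif kind in ("src", "dst"):
            args = [ipaddress.ip_network(a, strict=False) for a in args]
        else:                      # port, method, proto: compared as lower-case strings
            args = {a.lower() for a in args}
        acls.setdefault(name, []).append((kind, args))  # repeated acl names accumulate
    return acls, rules

def acl_matches(kind, args, req):
    if kind in ("src", "dst"):
        return any(ipaddress.ip_address(getattr(req, kind)) in n for n in args)
    if kind == "time":
        days, (lo, hi) = args
        return req.weekday in days and lo <= req.minute_of_day < hi
    value = {"port": str(req.port), "method": req.method.lower(),
             "proto": req.proto.lower(), "arp": req.mac.lower()}[kind]
    return value in args

def evaluate(acls, rules, req):
    """Squid semantics: ACLs on a line are ANDed, first matching line wins, else opposite of last action."""
    for action, terms in rules:
        if all(any(acl_matches(k, a, req) for k, a in acls[t.lstrip("!")])
               != t.startswith("!") for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    return ("deny" if rules[-1][0] == "allow" else "allow"), "implicit default"

def allows_before_port_check(rules, guard=("deny", ["!Safe_ports"])):
    """Allow lines evaluated before the Safe_ports guard: those clients reach any TCP port."""
    return [" ".join(t) for a, t in rules[:rules.index(guard)] if a == "allow"]

if __name__ == "__main__":
    acls, rules = parse_rules(SQUID_RULES)
    for label, req in [
        ("outip client, GET to port 6667", Request("192.168.1.50", "198.51.100.5", 6667)),
        ("macall client, Tue 09:00", Request("192.168.2.20", "198.51.100.5", 80, mac="66:77:88:99:aa:bb", minute_of_day=540)),
    ]:
        print(f"{label:32s} -> {evaluate(acls, rules, req)}")
    print("allow lines ahead of Safe_ports:", allows_before_port_check(rules))
```

Running it shows the ordering point a reviewer would flag in the rules above: `http_access allow to_ghip` and `http_access allow outip` are evaluated before `http_access deny !Safe_ports`, so a client matching outip, or any client talking to the to_ghip address, is proxied to any TCP port (6667 in the sample) while everyone else is held to Safe_ports. Moving the `deny !Safe_ports` line above those two allow lines closes that gap and changes nothing else the rules decide; the time rules behave as intended, with macall clients denied during the work1/work2 windows and allowed outside them.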

 
 
 