Borgia
Dr_Spectre, here is the result:

t@test ~]# traceroute www.linux.org.ru
traceroute to www.linux.org.ru (217.76.32.61), 30 hops max, 38 byte packets
 1  192.168.20.1 (192.168.20.1)  0.716 ms  0.548 ms  0.557 ms
 2  * * *
 3  * * *

Here is a ping to the gateway of this subnet:

ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
64 bytes from 192.168.20.1: icmp_seq=0 ttl=64 time=0.626 ms
64 bytes from 192.168.20.1: icmp_seq=1 ttl=64 time=0.612 ms
(OK)

And here is one to the card that faces outward:

]# ping 192.168.1.240
PING 192.168.1.240 (192.168.1.240) 56(84) bytes of data.
64 bytes from 192.168.1.240: icmp_seq=0 ttl=64 time=0.688 ms
(OK)

And here is what happens if I ping the server (server 01) that goes out to the Internet:

]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
--- 192.168.1.1 ping statistics ---
39 packets transmitted, 0 received, 100% packet loss, time 37994ms

So it turns out that the ping does not get through between the two servers.

Added:

Setting up a small network on Linux Fedora Core 3. Part four: configuring the PROXY server (squid)

So, we have more or less sorted out routing; let's move on to the proxy, in this case squid. First of all, a reminder that squid is already installed for us (when selecting packages during installation it is in the WEB Server group), so we need to configure it and start it. The configuration file squid.conf lives in the /etc/squid directory. Open it in the VI editor and quietly slide off your chair with the words "good grief", because it is simply huge. Honestly, I thought for a long time about how to shrink it and tried hard, since I did not want to lose the informativeness of the values I chose. There is also no point in describing the values I chose, since everything is described very clearly in there, so I decided to do the following.
I will post my config file here so that it can be criticised or used as an example, and I will also give links to sites where everything has long been described and which I consulted myself:

A brief introduction: Squid - http://www.softportal.com/articles/item.php?id=91&lang=ru
Configuring squid - http://linux.yaroslavl.ru/docs/serv/squid/squid_tune.html
How to install/configure squid? - http://www.linuxrsp.ru/docs/squid.html
Basic SQUID setup - http://www.getinfo.ru/article417.html
Squid FAQ - http://faqs.org.ru/softw/inetsoft/squid.htm
Squid (caching proxy for http): installation, configuration and use - http://www.bog.pp.ru/work/squid.html
http://linux.irk.ru/18.01.1999.phtml
Zone of special attention: Squid - http://squid.opennet.ru/
http://www.siliconvalleyccie.com/linux-adv/squid.htm

By the way, about the config itself: even though it is so big, for the most part you can take what is offered by default and that is quite enough. Most of the options need not be chosen at all, or you can limit yourself to the bare minimum. (There are a great many parameters for cache tuning and for various logs; I decided to set them anyway: firstly, they can always be closed off later, and secondly, I was curious to see how it would, so to speak, run in the full variant.)

There are a few parameters you really do need to pay attention to (and adjust for yourself):

1. #DNS, TAG: dns_nameservers - this is where we write in our DNS servers.
2. # TAG: cache_peer - these are our neighbouring proxies.
3. # ACCESS CONTROLS - this is where we grant permissions for who gets what (I did not go very deep, since one can go to great and lengthy extremes here, and our task was to give our two subnets Internet access).
4. #TRANSPARENT PROXY - Hmm, at first I decided to stick with a plain proxy, since it seemed to me that TRANSPARENT PROXY was rather complicated and I thought I would put it off until later.
But I ran into the fact that working through a plain proxy is quite tedious: besides the browser, you have to configure the proxy in every program that goes out to the Internet, and this cannot always be done in the program itself; often you need to go into the config file and change the settings there, WGET for example. This annoyed me enough that I decided to figure out TRANSPARENT PROXY after all, and as it turned out, it is not so scary.

So, the main commands for starting and stopping the Squid service:

service squid start
service squid stop
service squid restart

And now the config itself:

********************************************************************
#WELCOME TO SQUID 2
#------------------

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

# TAG: http_port
#Default:
http_port 3128

# TAG: ssl_unclean_shutdown
#Some browsers (especially MSIE) bugs out on SSL shutdown
#messages.
#
#Default:
ssl_unclean_shutdown off

# TAG: icp_port
#The port number where Squid sends and receives ICP queries to
#and from neighbor caches. Default is 3130. To disable use
#"0". May be overridden with -u on the command line.
#
#Default:
icp_port 3130

# TAG: htcp_port
# htcp_port 4827

# TAG: udp_incoming_address
# TAG: udp_outgoing_address
#udp_incoming_address is used for the ICP socket receiving packets
#from other caches.
#udp_outgoing_address is used for ICP packets sent out to other
#caches.
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255

# TAG: cache_peer
# (peer options are written bare; the posted "[proxy-only]" kept the
# documentation's square brackets, which squid would refuse to parse)
cache_peer proxy1.bezeqint.net parent 8080 3130 proxy-only
cache_peer daf.borgia.local sibling 3128 3130 proxy-only

# TAG: no_cache
#A list of ACL elements which, if matched, cause the request to
#not be satisfied from the cache and the reply to not be cached.
#In other words, use this to force certain objects to never be cached.
#
#You must use the word 'DENY' to indicate the ACL names which should
#NOT be cached.
#
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

#TRANSPARENT PROXY
#********************************************************
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------

# TAG: cache_mem (bytes)
#Default:
cache_mem 8 MB

# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
#Default:
cache_swap_low 90
cache_swap_high 95

# TAG: maximum_object_size (bytes)
#Default:
maximum_object_size 4096 KB

# TAG: minimum_object_size (bytes)
#Default:
minimum_object_size 0 KB

# TAG: maximum_object_size_in_memory (bytes)
#Default:
maximum_object_size_in_memory 8 KB

# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
#The size, low-, and high-water marks for the IP cache.
#
#Default:
ipcache_size 1024
ipcache_low 90
ipcache_high 95

# TAG: fqdncache_size (number of entries)
#Maximum number of FQDN cache entries.
#
#Default:
fqdncache_size 1024

# TAG: cache_replacement_policy
#The cache replacement policy parameter determines which
#objects are evicted (replaced) when disk space is needed.
#
#    lru       : Squid's original list based LRU policy
#    heap GDSF : Greedy-Dual Size Frequency
#    heap LFUDA: Least Frequently Used with Dynamic Aging
#    heap LRU  : LRU policy implemented using a heap
#
#Default:
cache_replacement_policy lru

# TAG: memory_replacement_policy
#The memory replacement policy parameter determines which
#objects are purged from memory when memory space is needed.
#
#Default:
memory_replacement_policy lru

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

# TAG: cache_dir
#Default:
cache_dir ufs /var/spool/squid 100 16 256

#LOGS
#********************************************************
# TAG: cache_access_log
#Logs the client request activity. Contains an entry for
#every HTTP and ICP queries received. To disable, enter "none".
#
#Default:
cache_access_log /var/log/squid/access.log

# TAG: cache_log
#Cache logging file. This is where general information about
#your cache's behavior goes. You can increase the amount of data
#logged to this file with the "debug_options" tag below.
#
#Default:
cache_log /var/log/squid/cache.log

# TAG: emulate_httpd_log on|off
#The Cache can emulate the log file format which many 'httpd'
#programs use. To disable/enable this emulation, set
#emulate_httpd_log to 'off' or 'on'. The default
#is to use the native log format since it includes useful
#information Squid-specific log analyzers use.
#
#Default:
emulate_httpd_log off

# TAG: log_ip_on_direct on|off
#Log the destination IP address in the hierarchy log tag when going
#direct. Earlier Squid versions logged the hostname here. If you
#prefer the old way set this to off.
#
#Default:
log_ip_on_direct on

# TAG: mime_table
#Pathname to Squid's MIME table. You shouldn't need to change
#this, but the default file contains examples and formatting
#information if you do.
#
#Default:
mime_table /etc/squid/mime.conf

# TAG: log_mime_hdrs on|off
#The Cache can record both the request and the response MIME
#headers for each HTTP transaction. The headers are encoded
#safely and will appear as two bracketed fields at the end of
#the access log (for either the native or httpd-emulated log
#formats). To enable this logging set log_mime_hdrs to 'on'.
#
#Default:
log_mime_hdrs off

# TAG: pid_filename
#A filename to write the process-id to. To disable, enter "none".
#
#Default:
pid_filename /var/run/squid.pid

# TAG: debug_options
#Default:
debug_options ALL,1

# TAG: log_fqdn on|off
#Turn this on if you wish to log fully qualified domain names
#in the access.log. To do this Squid does a DNS lookup of all
#IP's connecting to it. This can (in some situations) increase
#latency, which makes your cache seem slower for interactive
#browsing.
#
#Default:
log_fqdn off

# TAG: client_netmask
#A netmask for client addresses in logfiles and cachemgr output.
#Change this to protect the privacy of your cache clients.
#A netmask of 255.255.255.0 will log all IP's in that range with
#the last digit set to '0'.
#
#Default:
client_netmask 255.255.255.255

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

# TAG: ftp_user
#Default:
ftp_user anonymous@

# TAG: ftp_list_width
#Sets the width of ftp listings. This should be set to fit in
#the width of a standard browser. Setting this too small
#can cut off long filenames when browsing ftp sites.
#
#Default:
ftp_list_width 32

# TAG: ftp_passive
#If your firewall does not allow Squid to use passive
#connections, turn off this option.
#
#Default:
ftp_passive on

# TAG: ftp_sanitycheck
#For security and data integrity reasons Squid by default performs
#sanity checks of the addresses of FTP data connections ensure the
#data connection is to the requested server. If you need to allow
#FTP connections to servers using another IP address for the data
#connection turn this off.
#
#Default:
ftp_sanitycheck on

# TAG: ftp_telnet_protocol
#Default:
ftp_telnet_protocol on

#DNS
#*****************************************************
# TAG: dns_retransmit_interval
#Initial retransmit interval for DNS queries. The interval is
#doubled each time all configured DNS servers have been tried.
#
#
#Default:
dns_retransmit_interval 5 seconds

# TAG: dns_timeout
#DNS Query timeout. If no response is received to a DNS query
#within this time all DNS servers for the queried domain
#are assumed to be unavailable.
#
#Default:
dns_timeout 2 minutes

# TAG: dns_nameservers
#Use this if you want to specify a list of DNS name servers
#(IP addresses) to use instead of those given in your
#/etc/resolv.conf file.
#On Windows platforms, if no value is specified here or in
#the /etc/resolv.conf file, the list of DNS name servers are
#taken from the Windows registry, both static and dynamic DHCP
#configurations are supported.
#
#Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
dns_nameservers 192.168.20.1 192.168.30.1 192.168.1.1 192.115.106.31 192.115.106.35

# TAG: hosts_file
#Default:
hosts_file /etc/hosts

# TAG: diskd_program
#Specify the location of the diskd executable.
#Note that this is only useful if you have compiled in
#diskd as one of the store io modules.
#
#Default:
diskd_program /usr/lib/squid/diskd

# TAG: unlinkd_program
#Specify the location of the executable for file deletion process.
#
#Default:
unlinkd_program /usr/lib/squid/unlinkd

#************************************************
# TAG: auth_param
#This is used to define parameters for the various authentication
#schemes supported by Squid.
#Recommended minimum configuration:
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
#auth_param basic program <uncomment and complete this line>
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# TAG: authenticate_cache_garbage_interval
#The time period between garbage collection across the username cache.
#This is a tradeoff between memory utilisation (long intervals - say
#2 days) and CPU (short intervals - say 1 minute). Only change if you
#have good reason to.
#
#Default:
authenticate_cache_garbage_interval 1 hour

# TAG: authenticate_ttl
#The time a user & their credentials stay in the logged in user cache
#since their last request. When the garbage interval passes, all user
#credentials that have passed their TTL are removed from memory.
#
#Default:
authenticate_ttl 1 hour

# TAG: authenticate_ip_ttl
#If you use proxy authentication and the 'max_user_ip' ACL, this
#directive controls how long Squid remembers the IP addresses
#associated with each user. Use a small value (e.g., 60 seconds) if
#your users might change addresses quickly, as is the case with
#dialups. You might be safe using a larger value (e.g., 2 hours) in a
#corporate LAN environment with relatively static address assignments.
#
#Default:
authenticate_ip_ttl 0 seconds

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

# TAG: wais_relay_host
# TAG: wais_relay_port
#Relay WAIS request to host (1st arg) at port (2 arg).
#
#Default:
wais_relay_port 0

# TAG: request_header_max_size (KB)
#This specifies the maximum size for HTTP headers in a request.
#Request headers are usually relatively small (about 512 bytes).
#Placing a limit on the request header size will catch certain
#bugs (for example with persistent connections) and possibly
#buffer-overflow or denial-of-service attacks.
#
#Default:
request_header_max_size 10 KB

# TAG: request_body_max_size (KB)
#This specifies the maximum size for an HTTP request body.
#In other words, the maximum size of a PUT/POST request.
#A user who attempts to send a request with a body larger
#than this limit receives an "Invalid Request" error message.
#If you set this parameter to a zero (the default), there will
#be no limit imposed.
#
#Default:
request_body_max_size 0 KB

# TAG: refresh_pattern
#Suggested default:
refresh_pattern ^ftp:      1440    20%     10080
refresh_pattern ^gopher:   1440    0%      1440
refresh_pattern .          0       20%     4320

# TAG: quick_abort_min (KB)
# TAG: quick_abort_max (KB)
# TAG: quick_abort_pct (percent)
#Default:
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

# TAG: negative_ttl time-units
#Time-to-Live (TTL) for failed requests.
#Default:
negative_ttl 5 minutes

# TAG: positive_dns_ttl time-units
#Default:
positive_dns_ttl 6 hours

# TAG: negative_dns_ttl time-units
#Default:
negative_dns_ttl 1 minute

# TIMEOUTS
# -----------------------------------------------------------------------------

# TAG: forward_timeout time-units
#Default:
#forward_timeout 4 minutes

# TAG: connect_timeout time-units
#Default:
# connect_timeout 1 minute

# TAG: peer_connect_timeout time-units
#Default:
# peer_connect_timeout 30 seconds

# TAG: read_timeout time-units
#Default:
# read_timeout 15 minutes

# TAG: request_timeout
#Default:
# request_timeout 5 minutes

# TAG: persistent_request_timeout
#Default:
# persistent_request_timeout 1 minute

# TAG: client_lifetime time-units
#Default:
client_lifetime 1 day

# TAG: half_closed_clients
#Default:
half_closed_clients on

# TAG: pconn_timeout
#Default:
# pconn_timeout 120 seconds

# TAG: ident_timeout
#Default:
# ident_timeout 10 seconds

# TAG: shutdown_lifetime time-units
#Default:
shutdown_lifetime 30 seconds

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# TAG: http_access
#Allowing or Denying access based on defined access lists
#
#Access to the HTTP port:
#http_access allow|deny [!]aclname ...
#
#NOTE on default values:
#
#If there are no "access" lines present, the default is to deny
#the request.
#
#If none of the "access" lines cause a match, the default is the
#opposite of the last line in the list. If the last line was
#deny, the default is allow. Conversely, if the last line
#is allow, the default will be deny. For these reasons, it is a
#good idea to have an "deny all" or "allow all" entry at the end
#of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl our_networks01 src 192.168.20.0/24
acl our_networks02 src 192.168.30.0/24
http_access allow our_networks01
http_access allow our_networks02

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
#all replies
#
# If none of the access lines cause a match the opposite of the
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
#Default:
http_reply_access allow all
#
#Recommended minimum configuration:
#
# Insert your own rules here.
#
#
# and finally allow by default
http_reply_access allow all

# TAG: icp_access
#Allowing or Denying access to the ICP port based on defined
#access lists
#
#icp_access allow|deny [!]aclname ...
#
#See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

# TAG: miss_access
#Use to force your neighbors to use you as a sibling instead of
#a parent. For example:
#
#acl localclients src 172.16.0.0/16
#miss_access allow localclients
#miss_access deny !localclients
#
#This means only your local clients are allowed to fetch
#MISSES and all other clients can only fetch HITS.
#
#By default, allow all clients who passed the http_access rules
#to fetch MISSES from us.
#
#Default setting:
# miss_access allow all

# TAG: ident_lookup_access
#Default:
# ident_lookup_access deny all

# TAG: reply_body_max_size bytes allow|deny acl acl...
#Default:
# reply_body_max_size 0 allow all
*******************************************************************************

This does not finish the TRANSPARENT PROXY setup yet; it continues in the part about the firewall.

| Total posts: 545 | Registered: 25-08-2001 | Posted: 22:53 15-12-2004 | Edited: Borgia, 13:52 17-12-2004 |
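The http_access semantics quoted in the posted config (terms on one line are ANDed, the first matching line wins, and with no match the opposite of the last line's action applies) are the part of this setup most worth checking before exposing the box. The Python model below is an added example, not code from the post or from Squid: it takes the ACL definitions and http_access lines exactly as posted, evaluates constructed sample requests against them, and also shows a misordered variant whose list ends in a deny line, where an unmatched outside client is silently allowed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    src: str             # client IP address
    port: int            # destination port
    method: str          # HTTP method, e.g. GET or CONNECT
    proto: str = "http"  # URL scheme; cachemgr requests use "cache_object"

# ACL definitions copied from the posted squid.conf (networks in CIDR form)
ACLS = {
    "all":            ("src", ["0.0.0.0/0"]),
    "manager":        ("proto", ["cache_object"]),
    "localhost":      ("src", ["127.0.0.1/32"]),
    "SSL_ports":      ("port", [443, 563]),
    "Safe_ports":     ("port", [80, 21, 443, 563, 70, 210, (1025, 65535), 280, 488, 591, 777]),
    "CONNECT":        ("method", ["CONNECT"]),
    "our_networks01": ("src", ["192.168.20.0/24"]),
    "our_networks02": ("src", ["192.168.30.0/24"]),
}
# The post's http_access lines in file order: (action, [acl terms])
RULES = [
    ("allow", ["manager", "localhost"]), ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["our_networks01"]), ("allow", ["our_networks02"]),
    ("allow", ["localhost"]), ("deny", ["all"]),
]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":  # a tuple entry is an inclusive port range
        return any(lo <= req.port <= hi for lo, hi in
                   ((v, v) if isinstance(v, int) else v for v in values))
    return (req.proto if kind == "proto" else req.method) in values

def term_matches(term, req):  # a leading '!' negates the ACL, as in squid.conf
    return acl_matches(term.lstrip("!"), req) != term.startswith("!")

def http_access(rules, req):
    """Return (decision, reason). Terms on one line are ANDed and the first
    matching line wins; with no match Squid applies the OPPOSITE of the last
    line's action, which is why the list must end in an explicit 'deny all'."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action, "http_access %s %s" % (action, " ".join(terms))
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, "no line matched: opposite of last line applies"

# Constructed sample requests (not taken from the post)
LAN_WEB = Request("192.168.20.15", 80, "GET")                # allow: our_networks01
LAN_TELNET = Request("192.168.30.7", 23, "GET")              # deny: !Safe_ports
LAN_ODD_CONNECT = Request("192.168.20.15", 8443, "CONNECT")  # deny: CONNECT !SSL_ports
OUTSIDE = Request("192.168.1.50", 80, "GET")                 # deny: all
REMOTE_MGR = Request("192.168.20.15", 3128, "GET", "cache_object")  # deny: manager
# Misordered variant ending in a deny line: OUTSIDE matches nothing and is ALLOWED
MISORDERED = [("allow", ["our_networks01"]), ("deny", ["!Safe_ports"])]
```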