`

网桥中的透明代理

阅读更多

Configuring a Transparent Proxy/Webcache in a Bridge using Squid and ebtables
 by Ariel Molina Rueda, in Tutorials - Sat, Jan 1st 2005 00:00 UTC

 

A proxy/Webcache is a computer which sits between your LAN and your Internet connection, usually in the gateway. Its job is to capture and save every Web page that the client machines in your LAN visit, so that the next time someone requests a page, the proxy/Webcache already has it and sends it to the client. This saves bandwidth and usually speeds Web navigation.

 


Copyright notice: All reader-contributed material on freshmeat.net is the property and responsibility of its author; for reprint rights, please contact the author directly.


 

 

A bridge works exactly like a two-port switch. It passes everything from one port to the other, but if we have a Linux box acting like a switch, we can do wonderful things, because we actually "see" the traffic.

Why would I need a bridge with Squid?

There are some cases in which you do not have access to the gateway, or your gateway is a piece of dedicated hardware. Furthermore, if a bridge is used, you do not have to change anything in your network, just plug in the bridge and start working. If the Linux box acting as a proxy/Webcache is eaten by a big green monster, you can just reconnect the cables, and everything goes back to normal until you replace it.

Remember to document where in your network the bridge is. Bridges do not appear in traceroutes, and that may be a bit confusing and hard to locate in a big network.

Ok, let's start.

Setting up Squid

First, get squid running. There is a lot of documentation in the Squid distribution, so I won't cover basic configuration here. On my Fedora box, I just installed the rpm, and that was all.

Check that the following lines are present in /etc/squid/squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Also check that your network appears in the ACLs section. For example, if your network is 192.168.1.0 netmask 255.255.255.0, use:

acl our_networks src 192.168.1.0/24

For testing, you may omit the "acl" line and just comment this:

http_access deny all

and use this instead:

http_access allow all

Be careful if you don't want to allow everyone to use your Webcache. I recommend using this configuration only for testing.

Start squid. In Fedora, you can use:

bash# service squid start

Other distributions may use:

bash# /etc/init.d/squid start

or you can start it manually. The first time you run it, it will take a few moments to build its cache files. Be patient.

In Fedora, let's make sure squid starts automatically:

bash# chkconfig squid on

Configuring the bridge

This couldn't be easier:

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 200.1.2.3 netmask 255.255.255.0 up
route add default gw 200.1.2.254 dev br0

Potential Pitfall:

If your PC locks or kernel panics, it's because you have a bad network adapter card. Most cheap motherboards have a bad integrated NIC. Just get a better NIC; even an old Realtek should work fine.

In this example, I suppose you are using eth0 and eth1. In the ifconfig line, I assigned IP address 20.1.2.3 to the bridge so I can access it remotely. Use an IP address in your network. Don't forget it; you will need it later.

You may check that the bridge is working by using tcpdump:

bash# tcpdump -n -i eth0                         
                       ...
         (lots of funny stuff)
                       ...
bash# tcpdump -n -i eth1
                       ...
         (lots of funny stuff)
                       ...

Plug your machine into the network, and everything should work. Your Linux box is now a big, expensive two-port switch.

Configuring transparent redirection

We're able to see all the traffic in our network, because we are in the middle. Now we want to catch Web traffic and redirect it directly into Squid.

First, let's see if squid is correctly configured.

Go to a PC in your LAN and manually configure a proxy. If you use Firefox, for example, go to the Edit menu and select Preferences. Select General and click "Connection Settings", choose "Manual Proxy Configuration", and enter the IP address of your bridge. The port is 3128, unless you have changed it.

Try surfing the Web. If it works, you have squid running and working as desired. Now we'll move on to the fun stuff and build a "brouter".

First, install ebtables on the bridge machine. Then, just run these two commands:

bash# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT

bash# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

The first command says that packets passing through the bridge going to port 80 will be redirected to the local machine, instead of being bridged. The second uses iptables to redirect those packets to local port 3128, so squid can take care of them.

Check squid's log to see whether you're catching traffic:

bash# tail -f /var/log/squid/access.log

You should see a lot of "[x]__HIT" messages, meaning that all that content is being caught.

Congratulations, you have a Transparent Proxy/Webcache!

Fine Tuning

You may want to fine-tune squid, adjusting how much memory or disk space it will use. Just edit /etc/squid/squid.conf.

Remember to create the ACLs (Access Control Lists) for your networks.

You may want to have a script to set up all of this at boot. Use something like this:

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig br0 200.1.2.3 netmask 255.255.255.0 up
route add default gw 200.1.2.254 dev br0

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6  \
	--ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80  \
	-j REDIRECT --to-port 3128

Save it and put it in /var/my-start-scripts/bridgeBrouter-up.sh. chmod it to 0755 and put a line in /etc/rc.local as follows:

/var/my-start-scripts/bridgeBrouter-up.sh

Have fun!

分享到:
评论

相关推荐

    Trunk多Vlan环境下WAF网桥配置

    两台交换机之间的Trunk链路上串联了一台Web应用防火墙(WAF),该WAF工作于透明代理模式,并且绑定eth2、eth3作为网桥接口,网桥的IP地址设置为5.5.5.5。 - **配置步骤**: - 在eth2和eth3两个物理接口上创建具有...

    FreeWAF安装手册

    离线模式支持网桥透明代理、路由透明代理和反向代理的配置,而在线模式同样提供了对应的代理配置方法。 FreeWAF安装手册的文档范围、预期读者、获得帮助等信息也在前言中进行了说明。文档主要面向了解Web服务器和...

    SANGFOR_AC&SG_v6.0_2015年度渠道初级认证培训11_上网加速与代理.ppt

    - **透明代理**:用户无感知,所有流量通过SG设备转发,便于管理。 - **反向代理**:设备作为服务器的代理,对外隐藏内部网络结构。 - **单臂代理**:设备仅用一个接口与内网和外网交互,适用于带宽有限或设备接口较...

    FreeWAF使用指南

    10. 设备管理:管理员可以根据部署需求选择不同的设备管理模式,如网桥透明代理模式、路由透明代理模式、反向代理模式或离线模式。 11. 系统维护:FreeWAF提供备份和恢复功能,以及系统诊断工具和重启/关机选项,...

    网路岗7.03.35官方原版破解

     网桥通常有透明网桥和源路由选择网桥两大类。 1、透明网桥 简单的讲,使用这种网桥,不需要改动硬件和软件,无需设置地址开关,无需装入路由表或参数。只须插入电缆就可以,现有LAN的运行完全不受网桥的任何影响...

    《计算机网络》试卷二.pdf

    15. 网桥分为透明网桥和源路由网桥,它们工作在OSI的第二层,即数据链路层,负责转发和过滤数据帧。 16. TCP/IP参考模型包括网络接口层、互联网络层、传输层和应用层,其中应用层协议有HTTP、FTP、SMTP等,传输层...

    局域网组网技术讲座.ppt

    透明网桥通过学习和维护一个端口到MAC地址的映射表,自动转发数据到正确的目的地,同时防止不必要的数据传播。当接收到一个帧时,网桥会检查目的地址,如果不在站表中,会广播该帧;如果在站表中,且方向正确,就...

    新ACM上网行为管理产品投标参数(含截图).pdf

    代理功能方面,ACM产品具备http代理、https透明代理、socks5代理、DNS代理和ARP代理等多种代理服务,满足不同类型的网络访问需求,尤其是内网代理功能,能够有效地控制和审计内部网络的访问行为。 即插即用功能使得...

    McAfee SCM安全内容管理方案

    然而,透明网桥可能不支持HTTP扫描,因为客户端无需配置代理服务器信息。 McAfee ePolicy Orchestrator是整个系统的管理平台,它允许集中管理和协调McAfee SCM的所有组件,确保一致性和高效的安全策略执行。通过...

    正向WebCache配置.pdf

    1. 网桥部署:设备作为网络中的透明代理,不改变原有流量路径。 2. WCCP(Web Cache Communication Protocol)部署:通过与Cisco设备配合,将流量智能导向WebCache。 3. L4设备部署:基于第四层交换技术,根据端口和...

    BLUECOAT安全WEB网关产品及解决方案ppt课件.pptx

    透明代理模式则允许设备以透明网桥或策略路由的方式工作,无需用户配置,即可实现流量的监控和保护。 总的来说,BLUECOAT安全WEB网关产品及解决方案是企业级网络防御的重要组成部分,通过综合的策略控制、强大的...

    计算机网络试卷2.pdf

    5. 常用的网桥类型:透明网桥和源路由网桥。 6. TCP/IP参考模型的层次:网络接口层、互联网络层、传输层和应用层。 7. ICMP协议封装在IP数据报中。 8. 主机的三个唯一标识:IP地址、MAC地址和域名。 9. 发送邮件通常...

    深信服AC初级认证考试.doc

    6. **代理支持与模式**:深信服AC在不同模式(可能是透明模式、路由模式、网桥模式)下都能支持代理服务,并且在某些模式下能进行加速。值得注意的是,Socks5代理协议可能不支持加速功能。 7. **流量管理**:流量...

    如何应用Linux实现网络互联.pdf

    本文将探讨如何应用Linux操作系统实现不同层次的网络互联技术,涵盖以太网桥、IP路由器、IP代理网关以及Squid代理网关。 以太网桥是网络互联的基础性设备,它在数据链路层操作,将不同的以太网段连接在一起,使它们...

    网康、深信服上网行为管理功能对比.doc

    网康产品支持透明桥接、网关和旁路模式,并在透明网桥模式下支持双链路和双网桥部署。深信服产品则支持网关、单/双路串接、镜像旁路等部署方式,且支持通过集中管理平台进行策略管理。 代理服务功能是上网行为管理...

    ADSL桥接模式和路由模式的区别

    在桥接模式下,ADSL ROUTER 只是一个普通网桥,其功能较简单,需要代理服务器或网关设备将局域网中的通信汇聚起来再连接到外部网络上。在路由模式下,ADSL ROUTER 具有自带的 PPPoE 拨号软件,并能提供 DHCP 服务、...

    计算机通信与网络试题.doc

    7. **网桥**:透明网桥和源路由网桥是局域网中用于连接不同网段的设备,用于过滤和转发数据帧。 8. **逻辑子网和资源子网**:逻辑子网主要负责数据传输,而资源子网提供网络服务和资源共享。 9. **路由器**:在...

Global site tag (gtag.js) - Google Analytics