- 浏览: 1318620 次
- 性别:
- 来自: 广州
文章分类
- 全部博客 (351)
- Java General (37)
- .net General (2)
- Linux Toy (55)
- Oracle (81)
- Mysql (11)
- Programer Career (12)
- Oh, my living ! (2)
- Shell Script (8)
- Web Service (0)
- Linux Server (22)
- Php/Python/Perl (3P) (2)
- Javascript General (5)
- Saleforce Apex Dev (2)
- Web General (5)
- Xen & VM tech. (17)
- PSP (13)
- OpenSolaris (34)
- php (1)
- RAI/flex/action script (16)
- asterisk/CTI (7)
- 交互设计 (6)
- English (3)
- Lucene (1)
最新评论
-
GuolinLee:
markmark
JVM调优总结 -Xms -Xmx -Xmn -Xss -
di1984HIT:
写的太好啊。
JVM调优总结 -Xms -Xmx -Xmn -Xss -
javajdbc:
javajdbc 写道
JVM调优总结 -Xms -Xmx -Xmn -Xss -
javajdbc:
...
JVM调优总结 -Xms -Xmx -Xmn -Xss -
alvin198761:
非常感谢,国外的被封杀了,你这里还有一份
How to Convert An Image-Based Guest To An LVM-Based Guest
Configuring a Transparent Proxy/Webcache in a Bridge using Squid and ebtables
by Ariel Molina Rueda, in Tutorials - Sat, Jan 1st 2005 00:00 UTC
A proxy/Webcache is a computer which sits between your LAN and your Internet connection, usually in the gateway. Its job is to capture and save every Web page that the client machines in your LAN visit, so that the next time someone requests a page, the proxy/Webcache already has it and sends it to the client. This saves bandwidth and usually speeds Web navigation.
Copyright notice: All reader-contributed material on freshmeat.net is the property and responsibility of its author; for reprint rights, please contact the author directly.
A bridge works exactly like a two-port switch. It passes everything from one port to the other, but if we have a Linux box acting like a switch, we can do wonderful things, because we actually "see" the traffic.
Why would I need a bridge with Squid?
There are some cases in which you do not have access to the gateway, or your gateway is a piece of dedicated hardware. Furthermore, if a bridge is used, you do not have to change anything in your network, just plug in the bridge and start working. If the Linux box acting as a proxy/Webcache is eaten by a big green monster, you can just reconnect the cables, and everything goes back to normal until you replace it.
Remember to document where in your network the bridge is. Bridges do not appear in traceroutes, and that may be a bit confusing and hard to locate in a big network.
Ok, let's start.
Setting up Squid
First, get squid running. There is a lot of documentation in the Squid distribution, so I won't cover basic configuration here. On my Fedora box, I just installed the rpm, and that was all.
Check that the following lines are present in /etc/squid/squid.conf
:
httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on
Also check that your network appears in the ACLs section. For example, if your network is 192.168.1.0 netmask 255.255.255.0, use:
acl our_networks src 192.168.1.0/24
For testing, you may omit the "acl" line and just comment this:
http_access deny all
and use this instead:
http_access allow all
Be careful if you don't want to allow everyone to use your Webcache. I recommend using this configuration only for testing.
Start squid. In Fedora, you can use:
bash# service squid start
Other distributions may use:
bash# /etc/init.d/squid start
or you can start it manually. The first time you run it, it will take a few moments to build its cache files. Be patient.
In Fedora, let's make sure squid starts automatically:
bash# chkconfig squid on
Configuring the bridge
This couldn't be easier:
ifconfig eth0 0.0.0.0 promisc up ifconfig eth1 0.0.0.0 promisc up brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 ifconfig br0 200.1.2.3 netmask 255.255.255.0 up route add default gw 200.1.2.254 dev br0
Potential Pitfall:
If your PC locks or kernel panics, it's because you have a bad network adapter card. Most cheap motherboards have a bad integrated NIC. Just get a better NIC; even an old Realtek should work fine.
In this example, I suppose you are using eth0 and eth1. In the ifconfig line, I assigned IP address 20.1.2.3 to the bridge so I can access it remotely. Use an IP address in your network. Don't forget it; you will need it later.
You may check that the bridge is working by using tcpdump:
bash# tcpdump -n -i eth0 ... (lots of funny stuff) ... bash# tcpdump -n -i eth1 ... (lots of funny stuff) ...
Plug your machine into the network, and everything should work. Your Linux box is now a big, expensive two-port switch.
Configuring transparent redirection
We're able to see all the traffic in our network, because we are in the middle. Now we want to catch Web traffic and redirect it directly into Squid.
First, let's see if squid is correctly configured.
Go to a PC in your LAN and manually configure a proxy. If you use Firefox, for example, go to the Edit menu and select Preferences. Select General and click "Connection Settings", choose "Manual Proxy Configuration", and enter the IP address of your bridge. The port is 3128, unless you have changed it.
Try surfing the Web. If it works, you have squid running and working as desired. Now we'll move on to the fun stuff and build a "brouter".
First, install ebtables on the bridge machine. Then, just run these two commands:
bash# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \ --ip-destination-port 80 -j redirect --redirect-target ACCEPT bash# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \ -j REDIRECT --to-port 3128
The first command says that packets passing through the bridge going to port 80 will be redirected to the local machine, instead of being bridged. The second uses iptables to redirect those packets to local port 3128, so squid can take care of them.
Check squid's log to see whether you're catching traffic:
bash# tail -f /var/log/squid/access.log
You should see a lot of "[x]__HIT
" messages, meaning that all that content is being caught.
Congratulations, you have a Transparent Proxy/Webcache!
Fine Tuning
You may want to fine-tune squid, adjusting how much memory or disk space it will use. Just edit /etc/squid/squid.conf
.
Remember to create the ACLs (Access Control Lists) for your networks.
You may want to have a script to set up all of this at boot. Use something like this:
ifconfig eth0 0.0.0.0 promisc up ifconfig eth1 0.0.0.0 promisc up brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 ifconfig br0 200.1.2.3 netmask 255.255.255.0 up route add default gw 200.1.2.254 dev br0 ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \ --ip-destination-port 80 -j redirect --redirect-target ACCEPT iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \ -j REDIRECT --to-port 3128
Save it and put it in /var/my-start-scripts/bridgeBrouter-up.sh
. chmod it to 0755 and put a line in /etc/rc.local
as follows:
/var/my-start-scripts/bridgeBrouter-up.sh
Have fun!
发表评论
-
Cygwin 中 xwin 的启动参数
2010-11-20 14:21 2746不知为何现在装的cygwin xwin没有startxwin ... -
三种数据库,取随机记录的方法
2010-09-16 12:23 1244mysql:select * from tablename o ... -
用 grep 恢复误删的文本文件
2010-08-26 14:34 2010作为长期的电脑使用者,肯定会有误删文件的经历,在 Mac ... -
使用TELNET手工操作 SMTP/POP 收发邮件
2010-08-09 21:44 2478说明:手工录入的用蓝色字体表示,#后的为注释,不可录入。= ... -
关于 port forward 的一个实例
2010-07-07 09:25 1585tomcat 服务于 8080端口,但不想在前面加 apach ... -
ubuntu 半虚拟化domU的安装方法
2010-06-05 21:12 2512ubuntu还没有通过http://方法安装,不像redh ... -
mount 硬盘镜像的一般问题。
2010-06-01 12:33 25871. 要搞清楚文件是 是由整个分区来的,还是整个硬盘来的 ... -
通过 ulimit 改善系统性能
2010-05-22 09:07 1389http://www.ibm.com/developer ... -
lvm 的一些笔记
2010-03-22 22:50 2894今天,不得不面对lvm了,毕竞是公司用的. ... -
mencoder来提取电影mp3文件
2009-12-16 21:45 2064假如在欣赏电影过程中出现了一段美妙的插曲(特别是印度电影,一般 ... -
netcat usage sample
2009-11-28 18:33 1287This page documents various t ... -
dd 建立一个没有内容的大文件
2009-11-22 09:36 1989dd if=/dev/zero of=sparse-file ... -
Mounting a filesystem located on a partition of an image of a disk
2009-10-24 17:52 1645Mou ... -
将光盘镜像CentOS-5.3-i386-bin-DVD.iso设置成为yum源
2009-09-28 07:43 3739#mkdir /centos5.3.dvd (随便起个文件夹名 ... -
拷贝指定的文件出来但保持目录结构
2009-09-18 08:39 3076抽取当前目录以下的所有logo1.* 或 logo2.* 到 ... -
定制 bt4 frefinal live cd ( ubuntu)
2009-08-21 10:01 2610Customising the BackTrack 4 Pre ... -
linux 下查看 iso 文件信息
2009-08-21 09:55 2282root@feng-desktop:/media/sda5/i ... -
copy file over ssh with tar
2009-08-15 08:57 1450tar is usually used for achiv ... -
copy file using cpio
2009-08-11 17:38 1471http://bradthemad.org/tech/note ... -
copy file using tar
2009-08-11 17:22 1192We assume /source/dir is a file ...
相关推荐
两台交换机之间的Trunk链路上串联了一台Web应用防火墙(WAF),该WAF工作于透明代理模式,并且绑定eth2、eth3作为网桥接口,网桥的IP地址设置为5.5.5.5。 - **配置步骤**: - 在eth2和eth3两个物理接口上创建具有...
离线模式支持网桥透明代理、路由透明代理和反向代理的配置,而在线模式同样提供了对应的代理配置方法。 FreeWAF安装手册的文档范围、预期读者、获得帮助等信息也在前言中进行了说明。文档主要面向了解Web服务器和...
- **透明代理**:用户无感知,所有流量通过SG设备转发,便于管理。 - **反向代理**:设备作为服务器的代理,对外隐藏内部网络结构。 - **单臂代理**:设备仅用一个接口与内网和外网交互,适用于带宽有限或设备接口较...
10. 设备管理:管理员可以根据部署需求选择不同的设备管理模式,如网桥透明代理模式、路由透明代理模式、反向代理模式或离线模式。 11. 系统维护:FreeWAF提供备份和恢复功能,以及系统诊断工具和重启/关机选项,...
网桥通常有透明网桥和源路由选择网桥两大类。 1、透明网桥 简单的讲,使用这种网桥,不需要改动硬件和软件,无需设置地址开关,无需装入路由表或参数。只须插入电缆就可以,现有LAN的运行完全不受网桥的任何影响...
然而,现有的Linux内核仅部分实现了透明网桥功能,并不支持完整的网络管理。 作者提出了一种创新的方法,即在数据链路层创建一个守护进程(MIB Daemon)来管理路由器的网络功能。这个守护进程采用主/子代理模式运行...
本文主要探讨了如何利用Linux操作系统实现不同层次的网络互联技术,包括以太网桥、IP路由器、IP代理网关和Squid代理网关。这些技术对于构建和维护网络连接至关重要,特别是在中小规模的网络环境中。 首先,以太网桥...
15. 网桥分为透明网桥和源路由网桥,它们工作在OSI的第二层,即数据链路层,负责转发和过滤数据帧。 16. TCP/IP参考模型包括网络接口层、互联网络层、传输层和应用层,其中应用层协议有HTTP、FTP、SMTP等,传输层...
透明网桥通过学习和维护一个端口到MAC地址的映射表,自动转发数据到正确的目的地,同时防止不必要的数据传播。当接收到一个帧时,网桥会检查目的地址,如果不在站表中,会广播该帧;如果在站表中,且方向正确,就...
代理功能方面,ACM产品具备http代理、https透明代理、socks5代理、DNS代理和ARP代理等多种代理服务,满足不同类型的网络访问需求,尤其是内网代理功能,能够有效地控制和审计内部网络的访问行为。 即插即用功能使得...
然而,透明网桥可能不支持HTTP扫描,因为客户端无需配置代理服务器信息。 McAfee ePolicy Orchestrator是整个系统的管理平台,它允许集中管理和协调McAfee SCM的所有组件,确保一致性和高效的安全策略执行。通过...
1. 网桥部署:设备作为网络中的透明代理,不改变原有流量路径。 2. WCCP(Web Cache Communication Protocol)部署:通过与Cisco设备配合,将流量智能导向WebCache。 3. L4设备部署:基于第四层交换技术,根据端口和...
透明代理模式则允许设备以透明网桥或策略路由的方式工作,无需用户配置,即可实现流量的监控和保护。 总的来说,BLUECOAT安全WEB网关产品及解决方案是企业级网络防御的重要组成部分,通过综合的策略控制、强大的...
5. 常用的网桥类型:透明网桥和源路由网桥。 6. TCP/IP参考模型的层次:网络接口层、互联网络层、传输层和应用层。 7. ICMP协议封装在IP数据报中。 8. 主机的三个唯一标识:IP地址、MAC地址和域名。 9. 发送邮件通常...
6. **代理支持与模式**:深信服AC在不同模式(可能是透明模式、路由模式、网桥模式)下都能支持代理服务,并且在某些模式下能进行加速。值得注意的是,Socks5代理协议可能不支持加速功能。 7. **流量管理**:流量...
网康产品支持透明桥接、网关和旁路模式,并在透明网桥模式下支持双链路和双网桥部署。深信服产品则支持网关、单/双路串接、镜像旁路等部署方式,且支持通过集中管理平台进行策略管理。 代理服务功能是上网行为管理...
在桥接模式下,ADSL ROUTER 只是一个普通网桥,其功能较简单,需要代理服务器或网关设备将局域网中的通信汇聚起来再连接到外部网络上。在路由模式下,ADSL ROUTER 具有自带的 PPPoE 拨号软件,并能提供 DHCP 服务、...