hew 2008-6-4 15:43

Internet cafe Linux gateway setup notes

I have spent the last couple of days moving the Internet cafe, and last night I finished the initial gateway setup: CentOS 5.1 with iptables + squid 2.6 as a transparent proxy and pdnsd as the DNS cache. Apart from pdnsd, everything used comes with the distribution. eth0 is 192.168.0.254 on the LAN side, eth1 is 218.108.x.x on the WAN side. Enough talk, straight to the config files.


iptables:(/etc/sysconfig/iptables)
# Manual customization of this file is not recommended.
# nat
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 218.108.x.x
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
The firewall's default policy is ACCEPT everywhere because an Internet cafe runs every kind of network application: if everything were DROP with specific ports opened, it would take a long time to find out what each application needs, every new application would have to be analysed and opened again, and by then the customers would have left. So some security has to be given up.
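That trade-off only concerns the FORWARD chain, i.e. what customers do through the gateway. What reaches the gateway box itself from eth1 is a separate question, and it can be tightened without touching a single customer application. As an added example that is not part of the original post, here is the same ruleset in the iptables-save format of /etc/sysconfig/iptables on CentOS 5 with only the INPUT chain changed: the FORWARD chain stays all-ACCEPT as the post chose, but the box stops accepting new connections from the Internet. The SNAT address 218.108.x.x is the post's own placeholder; any service administered from outside (sshd, for example) would need its own ACCEPT line before the final DROP, which is left as an assumption for the reader to fill in.

```text
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 218.108.x.x
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the gateway itself: loopback and the LAN side are open,
# the WAN side only gets replies to connections the gateway opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT
```

Squid (bound to the eth0 address) and pdnsd (server_ip = eth0) are not reachable from eth1 in either version, so the rules above mainly protect whatever else listens on all interfaces, sshd included.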
/etc/sysctl.conf
Append the following lines to the end of /etc/sysctl.conf. The stock CentOS file ships with net.ipv4.ip_forward = 0; it has to be 1 or nothing is forwarded between eth0 and eth1 at all, so the first line below overrides it. Apply with sysctl -p.
net.ipv4.ip_forward = 1
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 900
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.tcp_synack_retries = 3
/etc/squid/squid.conf
# Listen on the gateway's own LAN address: REDIRECT delivers the intercepted
# packets to the primary address of eth0, which is 192.168.0.254 here.
http_port 192.168.0.254:3128 transparent
cache_mgr haibo.d@gmail.com
cache_mem 256 MB
cache_dir ufs /data/squid 500 12 256
cache_access_log none
cache_log none
cache_store_log none
maximum_object_size 4096 KB
minimum_object_size 1 KB
client_lifetime 1 hours
half_closed_clients off
visible_hostname proxy.linuxbyte
cache_effective_user squid
cache_effective_group squid
cache_swap_low 75
cache_swap_high 95
dns_nameservers 192.168.0.1
acl QUERY urlpath_regex -i cgi-bin \?
cache deny QUERY
acl all src 0.0.0.0/0
acl localnet src 192.168.0.0/24
http_access allow localnet
http_access deny all
This config file was adapted from squid 2.5, so it may not fully follow the squid 2.6 syntax. Note that cache_access_log none (access_log in 2.6 naming) switches the access log off entirely; on a shared-access gateway that log is the only record of which client fetched which URL, so think about whether you really want to lose it.
pdnsd: DNS cache
pdnsd is a small DNS cache server; for an environment like an Internet cafe it is just enough.
Download and install the matching pdnsd package from
http://www.phys.uu.nl/~rombouts/pdnsd/dl.html
/etc/pdnsd.conf
// Sample pdnsd configuration file. Must be customized to obtain a working pdnsd setup!
// Read the pdnsd.conf(5) manpage for an explanation of the options.
// Add or remove '#' in front of options you want to disable or enable, respectively.
// Remove '/*' and '*/' to enable complete sections.
global {
        perm_cache=2048;
        cache_dir="/var/cache/pdnsd";
#       pid_file = /var/run/pdnsd.pid;
        run_as="pdnsd";
        server_ip = eth0;  # Use eth0 here if you want to allow other
                                # machines on your network to query pdnsd.
        status_ctl = on;
#       paranoid=on;       # This option reduces the chance of cache poisoning
                           # but may make pdnsd less efficient, unfortunately.
        query_method=udp_tcp;
        min_ttl=60m;       # Retain cached entries at least 60 minutes.
        max_ttl=1w;        # One week.
        timeout=5;         # Global timeout option (5 seconds).
        run_ipv4=on;
}
# The following section is most appropriate if you have a fixed connection to
# the Internet and an ISP which provides good DNS servers.
server {
        label= "myisp";
        ip = 202.101.172.35,202.101.172.46;  # Put your ISP's DNS-server address(es) here.
        proxy_only=on;     # Do not query any name servers beside your ISP's.
                           # This may be necessary if you are behind some
                           # kind of firewall and cannot receive replies
                           # from outside name servers.
        timeout=4;         # Server timeout; this may be much shorter
                           # than the global timeout option.
        uptest=none;       # No availability test (use "if" to check
                           # whether the interface below is up).
        interface=eth0;    # The name of the interface to check.
        interval=10m;      # Check every 10 minutes.
        purge_cache=on;    # Drop expired entries; set to off to keep stale
                           # entries in case the ISP's DNS servers go offline.
}
/*
# The following section is more appropriate for dial-up connections.
# Read about how to use pdnsd-ctl for dynamic configuration in the documentation.
server {
        label= "dialup";
        file = "/etc/ppp/resolv.conf";  # Preferably do not use /etc/resolv.conf
        proxy_only=on;
        timeout=4;
        uptest=if;
        interface = ppp0;
        interval=10;       # Check the interface every 10 seconds.
        purge_cache=off;
        preset=off;
}
*/
/*
# The servers provided by OpenDNS are fast, but they do not reply with
# NXDOMAIN for non-existent domains, instead they supply you with an
# address of one of their search engines. They also lie about the addresses
# of the search engines of google, microsoft and yahoo.
# If you do not like this behaviour the "reject" option may be useful.
server {
        label = "opendns";
        ip = 208.67.222.222, 208.67.220.220;
        reject = 208.69.32.0/24,  # You may need to add additional address ranges
                 208.69.34.0/24,  # here if the addresses of their search engines
                 208.67.219.0/24; # change.
        reject_policy = fail;     # If you do not provide any alternative server
                                  # sections, like the following root-server
                                  # example, "negate" may be more appropriate here.
        timeout = 4;
        uptest = ping;            # Test availability using ICMP echo requests.
        ping_timeout = 100;       # ping test will time out after 10 seconds.
        interval = 15m;           # Test every 15 minutes.
        preset = off;
}
*/
/*
# This section is meant for resolving from root servers.
server {
        label = "root-servers";
        root_server = on;
        randomize_servers = on; # Give every root server an equal chance
                                # of being queried.
        ip =    198.41.0.4
        ,       192.228.79.201
        ,       192.33.4.12
        ,       128.8.10.90
        ,       192.203.230.10
        ,       192.5.5.241
        ,       192.112.36.4
        ,       128.63.2.53
        ,       192.36.148.17
        ,       192.58.128.30
        ,       193.0.14.129
        ,       198.32.64.12
        ,       202.12.27.33
        ;
        timeout = 5;
        uptest = query;         # Test availability using empty DNS queries.
        interval = 30m;         # Test every half hour.
        ping_timeout = 300;     # Test should time out after 30 seconds.
        purge_cache = off;
        exclude = .localdomain;
        policy = included;
        preset = off;
}
*/
source {
        owner=localhost;
#       serve_aliases=on;
        file="/etc/hosts";
}
rr {
        name=localhost;
        reverse=on;
        a=127.0.0.1;
        owner=localhost;
        soa=localhost,root.localhost,42,86400,900,86400,86400;
}
/*
neg {
        name=doubleclick.net;
        types=domain;   # This will also block xxx.doubleclick.net, etc.
}
*/
/*
neg {
        name=bad.server.com;   # Badly behaved server you don't want to connect to.
        types=A,AAAA;
}
*/
Set the DNS server on every client machine to 192.168.0.254 so that all DNS requests are forwarded from here. The sample file's paranoid=on is left commented out above; for a cache that serves a whole LAN it is worth enabling, since it makes pdnsd discard records in a reply that were not asked for, which is the basic defence against poisoning the shared cache.
Other settings
Disable IPv6
# echo 'alias ipv6 off' >> /etc/modprobe.conf
ARP binding
In an Internet cafe ARP binding is a must. After confirming there is no ARP virus on the network, power on all client machines and run the following commands:
#nmap -sP 192.168.0.0/24
#awk 'NR > 1 && $3 == "0x2" { print $1, $4 }' /proc/net/arp | sort -t. -k4,4n > /etc/ethers
#echo "arp -f" >> /etc/rc.local
The awk keeps only complete entries (Flags 0x2) from /proc/net/arp and skips its header line (the columns are IP address, HW type, Flags, HW address, Mask, Device), and sort -k4,4n orders them by host octet; the old +3 -4 key syntax is not accepted by newer sort. Note this pins only the gateway's view of the clients: each client's own ARP cache can still be poisoned, so the gateway's MAC should be bound statically on the client side as well.
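The two steps above, building the binding list and then watching for a MAC that changes underneath a bound IP (what ARP spoofing looks like from the gateway), as an added shell example that is not part of the original post. The two /proc/net/arp snapshots are constructed sample data in the post's 192.168.0.0/24 LAN; the functions take file arguments so they can be tried offline, and on the gateway you would pass /proc/net/arp itself.

```shell
#!/bin/sh
# Added example (not the post's code). Constructed /proc/net/arp snapshots:
# a clean baseline and a later one where 192.168.0.3 suddenly carries the
# hardware address of 192.168.0.10.
SNAP_BEFORE=$(mktemp)
cat > "$SNAP_BEFORE" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.10     0x1         0x2         00:11:22:33:44:10     *        eth0
192.168.0.3      0x1         0x2         00:11:22:33:44:03     *        eth0
192.168.0.77     0x1         0x0         00:00:00:00:00:00     *        eth0
EOF

SNAP_AFTER=$(mktemp)
cat > "$SNAP_AFTER" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.10     0x1         0x2         00:11:22:33:44:10     *        eth0
192.168.0.3      0x1         0x2         00:11:22:33:44:10     *        eth0
192.168.0.77     0x1         0x2         00:11:22:33:44:77     *        eth0
EOF

# build_ethers SNAPSHOT: print "IP MAC" for complete entries only (Flags 0x2),
# skipping the header line and incomplete (0x0) entries, sorted by host octet.
# This is the /etc/ethers content that "arp -f" loads at boot.
build_ethers() {
    awk 'NR > 1 && $3 == "0x2" { print $1, $4 }' "$1" | sort -t. -k4,4n
}

# check_drift ETHERS SNAPSHOT: print "IP bound_MAC current_MAC" for every
# bound IP whose current (non-incomplete) entry has a different hardware
# address; exit status 1 when at least one drifted, 0 when all match.
check_drift() {
    awk 'NR == FNR { bound[$1] = $2; next }
         FNR > 1 && ($1 in bound) && $3 != "0x0" && $4 != bound[$1] {
             print $1, bound[$1], $4; hit = 1
         }
         END { if (hit) exit 1 }' "$1" "$2"
}

ETHERS=$(mktemp)
build_ethers "$SNAP_BEFORE" > "$ETHERS"

# 192.168.0.77 was incomplete in the baseline, so it is not bound and not
# reported; 192.168.0.3 is reported because its MAC changed.
if check_drift "$ETHERS" "$SNAP_AFTER"; then
    echo "no ARP drift"
else
    echo "ARP drift detected (possible spoofing)"
fi
```

Run check_drift from cron against /proc/net/arp and the saved /etc/ethers; once arp -f has loaded the bindings the kernel ignores replies for those entries, so a hit means the detector was run before binding or that the file and the table have diverged.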
A management shell script
Like many LAN environments, an Internet cafe hates people who abuse P2P, and when somebody opens a flood of P2P connections you need to be able to find them quickly.
Create top5.sh with the following content:
#!/bin/bash
# Count conntrack entries per LAN host, taking the first src= field of each line:
# udp lines have no state column, so a fixed "cut -f 10" picks the wrong field there.
awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=192\.168\.0\./) { print substr($i, 5); break } }' /proc/net/ip_conntrack | sort | uniq -c | sort -nr | head -n 5
Run this script when you suspect somebody is hammering P2P; it lists the five client IPs with the most open sessions, with the number of sessions for each.
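The same session count as top5.sh, as an added shell example that is not part of the original post, run over a constructed snippet of /proc/net/ip_conntrack so it can be tried offline. It shows why the LAN address has to be located by its src= prefix rather than by a fixed field number (the udp lines have no state column) and adds a threshold check for alerting; the threshold and the 198.51.100.1 stand-in for the WAN address are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not the post's code). Constructed /proc/net/ip_conntrack
# lines in the 2.6.18 format: tcp entries carry a state column, udp ones do
# not, so "src=" is at field 5 for tcp and field 4 for udp. 198.51.100.1
# stands in for the gateway's SNAT address.
CONNTRACK=$(mktemp)
cat > "$CONNTRACK" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=203.0.113.4 sport=1034 dport=80 packets=5 bytes=400 src=203.0.113.4 dst=198.51.100.1 sport=80 dport=1034 packets=4 bytes=3000 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.0.10 dst=203.0.113.5 sport=1035 dport=80 packets=5 bytes=400 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=1035 packets=4 bytes=3000 [ASSURED] use=1
udp      17 29 src=192.168.0.21 dst=203.0.113.8 sport=6881 dport=6881 packets=1 bytes=90 [UNREPLIED] src=203.0.113.8 dst=198.51.100.1 sport=6881 dport=6881 packets=0 bytes=0 use=1
udp      17 29 src=192.168.0.21 dst=203.0.113.9 sport=6881 dport=6881 packets=1 bytes=90 [UNREPLIED] src=203.0.113.9 dst=198.51.100.1 sport=6881 dport=6881 packets=0 bytes=0 use=1
udp      17 29 src=192.168.0.21 dst=203.0.113.10 sport=6881 dport=6881 packets=1 bytes=90 [UNREPLIED] src=203.0.113.10 dst=198.51.100.1 sport=6881 dport=6881 packets=0 bytes=0 use=1
udp      17 170 src=192.168.0.3 dst=192.168.0.254 sport=1025 dport=53 packets=1 bytes=60 src=192.168.0.254 dst=192.168.0.3 sport=53 dport=1025 packets=1 bytes=120 use=1
EOF

# lan_sessions FILE: one line per conntrack entry holding the LAN address of
# the original direction (the first src= in 192.168.0.0/24). The reply
# direction is skipped, so the gateway answering DNS is not counted.
lan_sessions() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=192\.168\.0\./) { print substr($i, 5); break } }' "$1"
}

# top_talkers FILE N: "count ip" for the N hosts with the most sessions,
# ties broken by address so the output is stable.
top_talkers() {
    lan_sessions "$1" | sort | uniq -c | sort -k1,1nr -k2,2 | head -n "$2" | awk '{ print $1, $2 }'
}

# over_threshold FILE LIMIT: addresses holding more than LIMIT sessions,
# the list you would page on or feed to a per-host connection limit.
over_threshold() {
    lan_sessions "$1" | sort | uniq -c | awk -v lim="$2" '$1 > lim { print $2 }'
}

top_talkers "$CONNTRACK" 5
over_threshold "$CONNTRACK" 2   # assumed alert threshold
```

On the gateway, pass /proc/net/ip_conntrack instead of the sample file; a P2P client typically shows up as hundreds of [UNREPLIED] udp entries from one address, which is exactly the pattern the udp lines above model.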