架設高效能NAT


簡易高效能NAT,內含NAT、Proxy、DHCP

【NAT】

設為預設值
vi /etc/sysctl.conf
# Enable IP forwarding (routing between the NICs); the NAT rules in
# rc.local below depend on it.  Values in this file are applied at boot
# or after `sysctl -p`.
net.ipv4.ip_forward=1
# SYN cookies: keep the TCP listen queue usable under a SYN flood
# (this is the "flood protection" the original note referred to).
net.ipv4.tcp_syncookies=1
------------------------------

 設定開機自動載入
vi /etc/rc.d/rc.local

# Turn forwarding on now (same knob as net.ipv4.ip_forward in sysctl.conf).
echo "1" > /proc/sys/net/ipv4/ip_forward
# Start from an empty ruleset: flush rules, zero counters and delete
# user-defined chains in the filter table, then the same for the nat table.
# NOTE(review): -F/-X/-Z never touch chain policies, so INPUT/FORWARD/OUTPUT
# keep whatever policy they already had (ACCEPT on a fresh boot), and nothing
# below adds a filter rule: every packet this box can route gets forwarded,
# in either direction, and the box itself accepts any connection.
iptables -F
iptables -Z
iptables -X
iptables -F -t nat
iptables -Z -t nat
iptables -X -t nat
# Netfilter core plus the FTP and IRC connection-tracking / NAT helper
# modules (only needed if those protocols must pass through the NAT).
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Source-NAT (masquerade) LAN traffic leaving through eth0 (the WAN side).
# -s only chooses which sources are rewritten; it does not limit what the
# FORWARD chain lets through.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
***iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.1.0/24 --dport 80  -j REDIRECT --to-ports 3128***

最後一行(REDIRECT 到 3128)在 squid 尚未安裝前不可以加入,否則 NAT 會無法對外連線。

# For a third (or any further) NIC, add one MASQUERADE rule per LAN subnet
# that the interface serves, e.g. 192.168.2.0/24:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE

【DHCP】

一、安裝程式
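# Install the ISC DHCP server packages.  The pattern is quoted so the shell
# cannot expand it against files in the current directory; yum matches the
# glob itself.
yum -y install 'dhcp*'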

二、設定檔案(如附件dhcpd.conf)
vi /etc/dhcpd.conf

----------------------------------------------

# Dynamic-DNS update style; updates requested by clients are ignored.
ddns-update-style interim;
ignore client-updates;

注意:伺服器每一片網路卡所在的網段都要宣告 subnet 區塊,沒有要發放 IP 的網段也要宣告(可留空)

# Every subnet attached to one of the server's NICs must be declared, even
# as an empty block: dhcpd ignores requests on an interface whose subnet is
# not declared.  163.32.x.0/24 is the public side (replace x with your
# school's octet); no leases are handed out there.
subnet 163.32.x.0 netmask 255.255.255.0 {
}

subnet 192.168.1.0 netmask 255.255.255.0 {
}

# NOTE(review): this block is declared for 192.168.2.0/24, yet the router,
# broadcast address and dynamic range below are all 192.168.1.x (and
# 192.168.1.0/24 is already declared, empty, above).  dhcpd normally refuses
# a range that is not inside its subnet, so one of these two subnet lines is
# mis-numbered -- fix before relying on this file.
subnet 192.168.2.0 netmask 255.255.255.0 {

# --- default gateway handed to clients
        option routers                      192.168.1.1;
        option subnet-mask              255.255.255.0;
        option broadcast-address      192.168.1.255;

        # Domain and resolvers pushed to clients (dns.xxx.kh.edu.tw is a placeholder).
        option domain-name                 "dns.xxx.kh.edu.tw";
        option domain-name-servers      163.32.x.1,140.117.11.1,168.95.1.1;
        option netbios-name-servers      163.32.x.1;
        # NOTE(review): -18000 s is US Eastern (UTC-5); a kh.edu.tw site is
        # UTC+8 (28800).  Mostly harmless, but probably not what was intended.
        option time-offset                    -18000; # Eastern Standard Time
        option netbios-node-type 8;
        # Dynamic pool and lease lifetimes in seconds (2.5 days default, 5 days max).
        range dynamic-bootp 192.168.1.11 192.168.1.239;
        default-lease-time 216000;
        max-lease-time 432000;

# Static lease: pin the host with this MAC to a fixed address so it is
# always reachable at the same IP (e.g. the nameserver).
host shsps00001{
hardware ethernet 00:13:d4:9c:3d:6a;
fixed-address 163.32.x.10;
}

}

----------------------------------------------

預設GATEWAY


vi /etc/sysconfig/network

# Host-wide network settings (Red Hat style /etc/sysconfig/network).
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=hostname.kh.edu.tw
 
# Default route for the server itself: the upstream router on the public
# 163.32.x.0/24 side (replace x with your school's octet).
GATEWAY=163.32.x.254
 

 

設定完成後,重新啟動網路

service network restart

查看伺服器租約檔
vi /var/lib/dhcpd/dhcpd.leases

【PROXY】

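# Install squid.  The pattern is quoted so the shell cannot expand it against
# files in the current directory; yum matches the glob itself.
yum -y install 'squid*'
# Keep a pristine copy of the shipped configuration before editing it.
cp /etc/squid/squid.conf /etc/squid/squid.conf.bak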
vi /etc/squid/squid.conf

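# Recommended minimum configuration.  squid reads squid.conf top to bottom
# and every ACL must be defined before an http_access line refers to it,
# so the ACL definitions come first.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Clients allowed to use the proxy; adjust to your school's network.
acl our_networks src 192.168.1.0/24

# Enlarge the cache directory to suit the number of users and the disk size.
cache_dir ufs /var/spool/squid 1000 16 256

# http_access rules are evaluated in order and the first match wins, so the
# catch-all deny must be last.  (The original listed "deny all" first, which
# denies every client, and allowed an ACL "trc" that is never defined --
# squid refuses to start on an undefined ACL.  The intended ACL is
# our_networks above.)
# Cache-manager interface reachable only from the proxy host itself.
http_access allow manager localhost
http_access deny manager
# Only proxy to well-known service ports and only tunnel CONNECT to SSL
# ports (the Safe_ports / SSL_ports / CONNECT ACLs defined above).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow our_networks
http_access deny all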

service squid restart

 transparent proxy

NAT 與 Proxy 透過 transparent proxy 設定加快網路傳輸

#Fedora core 7 新的 squid 版本 Transparent Proxy 設定簡化,整合到 http_port 的 option 內了。
vi /etc/squid/squid.conf
# squid on Fedora Core 7: interception ("transparent") mode is an option on
# http_port.  3128 is the port the iptables REDIRECT rule in rc.local sends
# LAN port-80 traffic to.
http_port 3128 transparent
# NOTE(review): the three httpd_accel_* lines are the older syntax shown in
# the next section.  The note above says the setting was folded into
# http_port, so newer squid may reject or ignore them -- check with
# `squid -k parse` before relying on them.
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

service squid restart

--------------------------------------------
#Fedora Core 6 以前的版本,squid 的 Transparent Proxy 設定是在 squid 設定檔內加上如下四行
vi /etc/squid/squid.conf
# Transparent-proxy settings for squid versions before Fedora Core 7
# (httpd_accel_* directives): accelerate port 80 while still acting as a
# proxy, and take the origin host from the client's Host: header.
httpd_accel_host ha.shsps.kh.edu.tw
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

--------------------------------------