Good afternoon,
We are planning to replace our proxy server.
I installed Ubuntu 14.04 Server on a PC and installed squid3.
I configured it according to
http://faqpc.ru/nastrojka-squid3-na-ubuntu-server-14-04-1/
except that in my case eth0 has an address from our working subnet, and eth1 is my own test subnet:
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:60:97:ab:ef:fe brd ff:ff:ff:ff:ff:ff
inet 172.16.2.71/16 brd 172.16.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::260:97ff:feab:effe/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:11:d8:81:d9:0c brd ff:ff:ff:ff:ff:ff
inet 172.16.20.10/24 brd 172.16.20.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::211:d8ff:fe81:d90c/64 scope link
valid_lft forever preferred_lft forever
ip r
default via 172.16.2.1 dev eth0
172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.2.71
172.16.20.0/24 dev eth1 proto kernel scope link src 172.16.20.10
The proxy box itself has Internet access:
nslookup ya.ru
Server: 172.16.0.50
Address: 172.16.0.50#53
Non-authoritative answer:
Name: ya.ru
Address: 213.180.204.3
Name: ya.ru
Address: 213.180.193.3
Name: ya.ru
Address: 93.158.134.3
Squid is running:
sudo service squid3 status
[sudo] password for proxi:
squid3 start/running, process 1121
netstat -lt | grep 3128
tcp 0 0 172.16.20.10:3128 *:* LISTEN
Squid configuration:
grep -v "^#\|^$" /etc/squid3/squid.conf
acl localnet src 172.16.20.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 172.16.20.10:3128 intercept
cache_mem 512 MB
maximum_object_size_in_memory 512 KB
cache_dir ufs /var/spool/squid3 512 32 256
minimum_object_size 2 KB
maximum_object_size 8 MB
cache_swap_low 90
cache_swap_high 90
access_log daemon:/var/log/squid3/access.log squid
logfile_rotate 31
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_effective_user adminproxi
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_effective_group adminproxi
sudo iptables-save
# Generated by iptables-save v1.4.21 on Wed Mar 25 14:33:44 2015
*nat
:PREROUTING ACCEPT [425:33597]
:INPUT ACCEPT [239:15121]
:OUTPUT ACCEPT [18:1173]
:POSTROUTING ACCEPT [18:1173]
-A POSTROUTING -s 172.16.20.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.20.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 25 14:33:44 2015
# Generated by iptables-save v1.4.21 on Wed Mar 25 14:33:44 2015
*filter
:INPUT ACCEPT [500:37958]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [448:40688]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Mar 25 14:33:44 2015
For some reason it got repeated several times here.
And the configs are as follows:
/etc/network/interfaces
auto eth0
iface eth0 inet static
address 172.16.2.71
netmask 255.255.0.0
gateway 172.16.2.1
dns-nameservers 172.16.0.50 172.16.0.21
# post-up iptables-restore < /etc/iptables.up.rules
# iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 172.16.20.10
netmask 255.255.255.0
# dns-nameservers
# iface eth1 inet dhcp
#routes
up route add -net 172.16.0.0 netmask 255.255.0.0 gw 10.12.0.2
# The loopback network interface
auto lo
iface lo inet loopback
post-up /etc/nat
and here is /etc/nat:
#! /bin/sh
# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow traffic on lo
iptables -A INPUT -i lo -j ACCEPT
# Allow access from the internal network to the outside
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Enable NAT
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.20.0/24 -j MASQUERADE
# Allow replies from the external network
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Deny access from outside into the internal network
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
# Redirect http to the proxy
iptables -t nat -A PREROUTING -i eth1 ! -d 172.16.20.0/24 -p tcp -m multiport --dport 80, 8080 -j $
NAT itself seems to work: a laptop plugged into a switch (which in turn is connected to the proxy's eth1) can reach the Internet. The laptop's settings are:
IP 172.16.20.5/24, gateway 172.16.20.10 (eth1)
It works even with squid stopped.
But if I configure the proxy in the browser on the client, there is no Internet.
Also, if I set the DNS servers directly on the client laptop (172.16.0.50 and .21), Internet by name works and pings to ya.ru go through. If I remove the explicitly configured DNS addresses, pings only work by IP, i.e. the client does not see the DNS servers configured on the proxy.
In squid's cache.log there is an error:
2015/03/25 14:16:20| Starting Squid Cache version 3.3.8 for i686-pc-linux-gnu...
2015/03/25 14:16:20| Process ID 1121
2015/03/25 14:16:20| Process Roles: master worker
2015/03/25 14:16:20| With 65536 file descriptors available
2015/03/25 14:16:20| Initializing IP Cache...
2015/03/25 14:16:20| DNS Socket created at [::], FD 5
2015/03/25 14:16:20| DNS Socket created at 0.0.0.0, FD 6
2015/03/25 14:16:20| Adding nameserver 172.16.0.50 from /etc/resolv.conf
2015/03/25 14:16:20| Adding nameserver 172.16.0.21 from /etc/resolv.conf
2015/03/25 14:16:21| Logfile: opening log daemon:/var/log/squid3/access.log
2015/03/25 14:16:21| Logfile Daemon: opening log /var/log/squid3/access.log
2015/03/25 14:16:21| Unlinkd pipe opened on FD 12
2015/03/25 14:16:21| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2015/03/25 14:16:21| Store logging disabled
2015/03/25 14:16:21| Swap maxSize 524288 + 524288 KB, estimated 80659 objects
2015/03/25 14:16:21| Target number of buckets: 4032
2015/03/25 14:16:21| Using 8192 Store buckets
2015/03/25 14:16:21| Max Mem size: 524288 KB
2015/03/25 14:16:21| Max Swap size: 524288 KB
2015/03/25 14:16:21| Rebuilding storage in /var/spool/squid3 (dirty log)
2015/03/25 14:16:21| Using Least Load store dir selection
2015/03/25 14:16:21| Set Current Directory to /var/spool/squid3
2015/03/25 14:16:21| ERROR: No forward-proxy ports configured.
(this line repeats many times)
2015/03/25 14:16:23| Loaded Icons.
2015/03/25 14:16:23| HTCP Disabled.
2015/03/25 14:16:23| Pinger socket opened on FD 17
2015/03/25 14:16:23| Squid plugin modules loaded: 0
2015/03/25 14:16:23| Adaptation support is off.
2015/03/25 14:16:23| Accepting NAT intercepted HTTP Socket connections at local=172.16.20.10:3128 remote=[::] FD 15 flags=41
2015/03/25 14:16:23| Done reading /var/spool/squid3 swaplog (0 entries)
2015/03/25 14:16:23| Store rebuilding is 0.00% complete
2015/03/25 14:16:23| Finished rebuilding storage from disk.
2015/03/25 14:16:23| 0 Entries scanned
2015/03/25 14:16:23| 0 Invalid entries.
2015/03/25 14:16:23| 0 With invalid flags.
2015/03/25 14:16:23| 0 Objects loaded.
2015/03/25 14:16:23| 0 Objects expired.
2015/03/25 14:16:23| 0 Objects cancelled.
2015/03/25 14:16:23| 0 Duplicate URLs purged.
2015/03/25 14:16:23| 0 Swapfile clashes avoided.
2015/03/25 14:16:23| Took 1.71 seconds ( 0.00 objects/sec).
2015/03/25 14:16:23| Beginning Validation Procedure
2015/03/25 14:16:23| Completed Validation Procedure
2015/03/25 14:16:23| Validated 0 Entries
2015/03/25 14:16:23| store_swap_size = 0.00 KB
2015/03/25 14:16:23| ERROR: No forward-proxy ports configured.
2015/03/25 14:16:23| storeLateRelease: released 0 objects
2015/03/25 14:16:23| pinger: Initialising ICMP pinger ...
2015/03/25 14:16:23| pinger: ICMP socket opened.
2015/03/25 14:16:23| pinger: ICMPv6 socket opened
Squid's access.log is empty.
Can you advise anything?
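An added example, not part of the question above and not the poster's code: a small offline Python audit that re-reads the artefacts pasted in the post (the http_port line from squid.conf, the iptables-save dump and the REDIRECT line from /etc/nat) and flags what they show. Squid 3.x logs "ERROR: No forward-proxy ports configured." when every http_port carries intercept, tproxy or accel; an intercept port is meant for NAT-redirected connections, not for a browser explicitly configured to use 172.16.20.10:3128, which then has no plain port to talk to. The nat table in the dump contains no PREROUTING rule at all, so port-80 traffic from eth1 is only masqueraded and never reaches Squid, which is consistent with browsing working while squid is stopped and access.log staying empty. The multiport list "80, 8080" is split by the shell at the space, so iptables receives "80," plus a stray argument and rejects the whole rule. Every other rule appears twice, which is what a script that only ever runs iptables -A produces when executed more than once. The samples are constructed copies of the post's output; the REDIRECT target on the /etc/nat line (-j REDIRECT --to-ports 3128) is an assumption, because the post's line is cut off after "-j". The corrected counterparts (a plain http_port next to a separate intercept port, a PREROUTING REDIRECT to that intercept port, de-duplicated rules) are likewise constructed here so the audit can be shown returning no findings.

```python
"""Offline audit of a transparent-Squid gateway from pasted artefacts.

Added example for this thread, not the poster's code. Samples are constructed
copies of the post's squid.conf, iptables-save and /etc/nat excerpts.
"""
import re

# --- constructed samples reproducing the posted state ---------------------
POSTED_SQUID_CONF = "http_port 172.16.20.10:3128 intercept\n"

POSTED_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [425:33597]
-A POSTROUTING -s 172.16.20.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.20.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# The target "-j REDIRECT --to-ports 3128" is an assumption: the post's line is cut off after "-j".
POSTED_NAT_SCRIPT = ("iptables -t nat -A PREROUTING -i eth1 ! -d 172.16.20.0/24 -p tcp "
                     "-m multiport --dport 80, 8080 -j REDIRECT --to-ports 3128\n")

# --- constructed corrected counterparts -----------------------------------
FIXED_SQUID_CONF = "http_port 172.16.20.10:3128\nhttp_port 172.16.20.10:3129 intercept\n"

FIXED_IPTABLES_SAVE = """\
*nat
-A PREROUTING -i eth1 ! -d 172.16.20.0/24 -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 172.16.20.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

FIXED_NAT_SCRIPT = POSTED_NAT_SCRIPT.replace("--dport 80, 8080", "--dports 80,8080").replace("3128", "3129")


def http_ports(conf):
    """(spec, flags) for each http_port directive; comments are ignored."""
    out = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) > 1 and parts[0] == "http_port":
            out.append((parts[1], set(parts[2:])))
    return out


def has_forward_proxy_port(conf):
    """Squid reports "No forward-proxy ports configured" when every http_port
    is intercept/tproxy/accel; explicitly configured browsers need a plain one."""
    return any(not (flags & {"intercept", "tproxy", "accel"}) for _, flags in http_ports(conf))


def intercept_ports(conf):
    """Port numbers of the http_port lines flagged intercept."""
    return [spec.rsplit(":", 1)[-1] for spec, flags in http_ports(conf) if "intercept" in flags]


def parse_iptables_save(dump):
    """Map table name -> list of '-A ...' rule lines, text kept verbatim."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:].strip()
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def duplicate_rules(tables):
    """Exact duplicates: a script that only does -A, run more than once."""
    dups = []
    for table, rules in tables.items():
        seen = set()
        for rule in rules:
            if rule in seen:
                dups.append((table, rule))
            seen.add(rule)
    return dups


def redirect_rules_to(tables, port):
    """nat PREROUTING rules that hand traffic to Squid's intercept port."""
    pat = re.compile(r"-j (REDIRECT --to-ports %s|DNAT --to-destination \S+:%s)(\s|$)" % (port, port))
    return [r for r in tables.get("nat", []) if r.startswith("-A PREROUTING") and pat.search(r)]


def broken_multiport_lists(script):
    """'--dport 80, 8080' reaches iptables as '80,' plus a stray argument, so the
    rule is rejected and never installed (an empty PREROUTING chain results)."""
    bad = []
    for line in script.splitlines():
        m = re.search(r"-m multiport .*?--(?:dports?|sports?|ports)\s+(\S+)", line)
        if m and (m.group(1).endswith(",") or m.group(1).startswith(",")):
            bad.append(line)
    return bad


def audit(squid_conf, iptables_dump, nat_script):
    """Human-readable findings; an empty list means nothing was flagged."""
    findings = []
    tables = parse_iptables_save(iptables_dump)
    if not has_forward_proxy_port(squid_conf):
        findings.append("squid.conf: every http_port is intercept/tproxy/accel; add a plain http_port for configured clients")
    for port in intercept_ports(squid_conf):
        if not redirect_rules_to(tables, port):
            findings.append(f"nat PREROUTING: no REDIRECT/DNAT to intercept port {port}; clients bypass Squid via MASQUERADE")
    for table, rule in duplicate_rules(tables):
        findings.append(f"{table}: duplicate rule {rule!r}")
    for line in broken_multiport_lists(nat_script):
        findings.append(f"nat script: whitespace inside multiport list, iptables rejects it: {line.strip()!r}")
    return findings


if __name__ == "__main__":
    for label, args in (("posted", (POSTED_SQUID_CONF, POSTED_IPTABLES_SAVE, POSTED_NAT_SCRIPT)),
                        ("fixed", (FIXED_SQUID_CONF, FIXED_IPTABLES_SAVE, FIXED_NAT_SCRIPT))):
        print(f"[{label}]")
        for finding in audit(*args) or ["no findings"]:
            print("  -", finding)
```

Two practical notes that follow from the findings. The duplicate rules come from /etc/nat being run from a post-up hook with append-only commands; starting the script with `iptables -F` and `iptables -t nat -F`, or guarding each rule with `iptables -C ... || iptables -A ...`, keeps it idempotent. The DNS symptom is expected rather than a fault: MASQUERADE forwards packets but does not hand the proxy's /etc/resolv.conf entries to clients, so laptops need a resolver set statically or via DHCP; only requests that actually pass through Squid are resolved by Squid using the nameservers listed in its cache.log.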