|
|
对学校电脑教师来说,学校机房管理是一个大问题,虽然每台电脑都装了还原系统,但是其它盘还是要中毒,还有上课的时候学生经常下载游戏,软件。这些对于我们如何管理成了一个问题!
用linux用iptable与squid是一个很好的解决方法
eth0是我外网网卡,eth1是我内网网卡
1.建立静态IP/MAC捆绑
方法:建立/etc/ethers文件,其中包含正确的IP/MAC对应关系,格式如下:
[root@test2 root]# more /etc/ethers
192.168.10.18 00:10:DC:6B:C6:31
192.168.10.111 00:10:5C:C0:2B:C1
192.168.10.13 4C:00:10:A3:38:5D
192.168.10.113 00:E0:4C:00:0C:2B
192.168.10.166 00:10:DC:61:B4:78
192.168.10.10 78:06:18:25:88:40
192.168.10.173 00:0F:1F:4D:EC:99
192.168.10.212 00:10:DC:6A:C0:C0
192.168.10.23 00:07:95:D8:C6:39
然后在/etc/rc.d/rc.local最后添加:arp -f即可实现IP/MAC捆绑
2.编写假包上网脚本
[root@test2 root]# cat /etc/xxx
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
INET_IFACE="eth0"
INET_IP="210.75.18.36"
LAN_IFACE="eth1"
LAN_IP="192.168.10.2"
LAN_IP_RANGE="192.168.10.0/24"
IPT="/sbin/iptables"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_state
/sbin/modprobe ipt_LOG
for TABLE in filter nat mangle ; do
$IPT -t $TABLE -F
$IPT -t $TABLE -X
done
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.10.18 -m mac --mac-source 00:10:DC:6B:C6:31 -j ACCEPT #MAC、IP地址绑定校验
iptables -A FORWARD -s 192.168.10.111 -m mac --mac-source 00:10:5C:C0:2B:C1 -j ACCEPT
iptables -A FORWARD -s 192.168.10.13 -m mac --mac-source 4C:00:10:A3:38:5D -j ACCEPT
iptables -A FORWARD -s 192.168.10.113 -m mac --mac-source 00:E0:4C:00:0C:2B -j ACCEPT
iptables -A FORWARD -s 192.168.10.166 -m mac --mac-source 00:10:DC:61:B4:78 -j ACCEPT
iptables -A FORWARD -s 192.168.10.10 -m mac --mac-source 78:06:18:25:88:40 -j ACCEPT
iptables -A FORWARD -s 192.168.10.173 -m mac --mac-source 00:0F:1F:4D:EC:99 -j ACCEPT
iptables -A FORWARD -s 192.168.10.212 -m mac --mac-source 00:10:DC:6A:C0:C0 -j ACCEPT
iptables -A FORWARD -s 192.168.10.23 -m mac --mac-source 00:07:95:D8:C6:39 -j ACCEPT
iptables -A FORWARD -s 192.168.10.52 -m mac --mac-source 00:02:A5:2E:B9:56 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 6881:6890 -j DROP #限制BT下载
/sbin/iptables -A INPUT -p tcp --dport 6881:6890 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 6881:6890 -j DROP
iptables -A FORWARD -p tcp -j LOG --log-level info --log-prefix "INPUT packets" #加入iptables LOG信息,注意,要启用
if [ "$INET_IFACE" = ppp0 ] ; then iptables LOG需要在/etc/syslog.conf
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE 中加入kern.=info /var/log/iptables
else 并重启syslog服务
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
fi
3. 启动SQUID
修改/etc/squid/squid.conf配置文件
将53行的# http_port 3128修改为http_port 3128
在1975行加入visible_hostname xxx #也可以写机器名
修改cache_mem 8 MB 为 cache_mem 170 MB #在480行,大约使用内存的1/3
修改cache_dir ufs /var/spool/squid 100 16 256 为 cache_dir ufs /var/spool/squid 512 24 256 #在679行,512代表缓存空间容量,24 代表第一层目录数,256代表第二层目录数
在1699行加入acl myclient src 192.168.10.0/24 #定义ip网段代码
在1760行加入http_access allow myclient #在http_access allow localhost http_access deny all 两行配置之前加入该配置
将错误信息页面链接到简体中文
[root@test2 squid]# cd /etc/squid/
[root@test2 squid]# rm -f errors
[root@test2 squid]# ln -s /usr/share/squid/errors/Simplify_Chinese/ errors
[root@test2 squid]# ll -d errors
lrwxrwxrwx 1 root root 41 3月 17 10:11 errors -> /usr/share/squid/errors/Simplify_Chinese/
[root@test2 squid]#
初始化和启动squid
[root@test2 squid]# squid -z #创建squid缓存目录
2005/03/17 10:27:44| Creating Swap Directories
[root@test2 squid]# service squid start #启动squid
启动 squid:. [ 确定 ]
4.设置透明代理
编辑/etc/squid/squid.conf
在2067行添加以下配置
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
重新启动squid
[root@test2 squid]# service squid restart
停止 squid:.. [ 确定 ]
启动 squid:. [ 确定 ]
修改/etc/xxx iptables脚本,加入
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
[root@test2 squid]# cat /etc/xxx
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
INET_IFACE="eth0"
INET_IP="210.75.18.36"
LAN_IFACE="eth1"
LAN_IP="192.168.10.2"
LAN_IP_RANGE="192.168.10.0/24"
IPT="/sbin/iptables"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_state
/sbin/modprobe ipt_LOG
for TABLE in filter nat mangle ; do
$IPT -t $TABLE -F
$IPT -t $TABLE -X
done
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.10.18 -m mac --mac-source 00:10:DC:6B:C6:31 -j ACCEPT
iptables -A FORWARD -s 192.168.10.111 -m mac --mac-source 00:10:5C:C0:2B:C1 -j ACCEPT
iptables -A FORWARD -s 192.168.10.13 -m mac --mac-source 4C:00:10:A3:38:5D -j ACCEPT
iptables -A FORWARD -s 192.168.10.113 -m mac --mac-source 00:E0:4C:00:0C:2B -j ACCEPT
iptables -A FORWARD -s 192.168.10.166 -m mac --mac-source 00:10:DC:61:B4:78 -j ACCEPT
iptables -A FORWARD -s 192.168.10.10 -m mac --mac-source 78:06:18:25:88:40 -j ACCEPT
iptables -A FORWARD -s 192.168.10.173 -m mac --mac-source 00:0F:1F:4D:EC:99 -j ACCEPT
iptables -A FORWARD -s 192.168.10.212 -m mac --mac-source 00:10:DC:6A:C0:C0 -j ACCEPT
iptables -A FORWARD -s 192.168.10.23 -m mac --mac-source 00:07:95:D8:C6:39 -j ACCEPT
iptables -A FORWARD -s 192.168.10.52 -m mac --mac-source 00:02:A5:2E:B9:56 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --dport 6881:6890 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 6881:6890 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport 6881:6890 -j DROP
iptables -A FORWARD -p tcp -j LOG --log-level info --log-prefix "INPUT packets"
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
if [ "$INET_IFACE" = ppp0 ] ; then
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
else
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
fi
再执行/etc/xxx即可
5.限制下载BT文件
修改/etc/squid/squid.conf
在444行增加acl BT urlpath_regex -i \.torrent$ #如果还需禁止下载mp3等等,可以设定为acl BT urlpath_regex -i \.torrent$ \.mp3$
在1762行增加http_access deny BT #注意:必须放在http_access allow myclients http_access allow localhost
http_access deny all 三句配置之前
重新启动squid
[root@test2 squid]# service squid restart
停止 squid:. [ 确定 ]
启动 squid:. [ 确定 ]
|
|
|
|
|
|
|
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-12-26 10:37:15
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡