Squid 配置文件


# Squid proxy configuration for a transparent gateway (see http_port below).
#
# NOTE(review): several directives here are from older Squid releases
# (hierarchy_stoplist, no_cache, cache_access_log, emulate_httpd_log, the
# "transparent" http_port flag). Newer releases renamed or removed some of
# them, so check the release notes for the Squid version actually installed.

# Caching policy: do not cache dynamic content (QUERY) or anything matching
# denyssl.
# NOTE(review): urlpath_regex matches the path component of the URL, not the
# scheme, so "^https:\\" is unlikely to match any request — url_regex or a
# proto ACL is probably what was intended; confirm before relying on it.
hierarchy_stoplist -i ^https:\\ ?
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
acl denyssl urlpath_regex -i ^https:\\
no_cache deny QUERY
no_cache deny denyssl
# Largest object kept on disk / in memory.
maximum_object_size 20000 KB
maximum_object_size_in_memory 4096 KB

# DNS result caches (entries; low/high are percentage watermarks).
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
# Logging. The store log is disabled. The "combined" format is defined here
# but no access_log directive on this page selects it; the access log is
# configured through cache_access_log / emulate_httpd_log instead.
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
emulate_httpd_log on
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

# Password sent for anonymous FTP logins; passive mode so FTP works through NAT.
ftp_user Squid@
ftp_passive on

# refresh_pattern <regex> <min minutes> <percent> <max minutes>; evaluated in
# order, the "." pattern is the catch-all and must stay last.
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320
# Core dumps are written into the cache directory (same path as cache_dir).
coredump_dir /var/squid/cache

# Keep 90 rotated log generations.
logfile_rotate 90
# ufs store: 4096 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /var/squid/cache 4096 16 256
cache_mem 256 MB
# Disk store replacement starts at 80% full and is aggressive above 95%.
cache_swap_low 80
cache_swap_high 95
# Drop privileges to squid:squid after binding ports (repeated again below).
cache_effective_user squid
cache_effective_group squid
# Intercepted (transparent) proxy port; the matching iptables REDIRECT on this
# page is commented out, so nothing currently steers port-80 traffic here.
http_port 3128 transparent
#acl tianya referer_regex -i tianya
#http_access deny tianya
#deny_info  tianya
# Reject requests whose User-Agent header matches "Baiduspider".
acl AntiBaidu req_header User-Agent Baiduspider
http_access deny AntiBaidu
# Cache manager interface: only from loopback and 192.168.1.251.
acl Manager proto cache_object
acl Localhost src 127.0.0.1 192.168.1.251
http_access allow Manager Localhost
http_access deny Manager
# Only plain HTTP and HTTPS destination ports may be requested.
acl Safe_ports port 80 # http
acl Safe_ports port 443
http_access deny !Safe_ports
# NOTE(review): http_access rules are evaluated in order and this final rule
# allows every client not denied above, regardless of source address. Any
# host that can reach port 3128 can therefore use this as an open proxy; the
# only thing limiting that is the packet filter in front of it (the iptables
# script on this page accepts inbound eth1 TCP to 1024-65534, which includes
# 3128). Restrict this to a source ACL covering the LAN and finish with
# "http_access deny all".
acl all src 0.0.0.0/0.0.0.0
http_access allow all
visible_hostname mwww.squid.com
cache_mgr admin@root.com
# Duplicate of the cache_effective_user/group lines above (same values).
cache_effective_user squid
cache_effective_group squid
tcp_recv_bufsize 65535 bytes
# Localised error pages. NOTE(review): this lives under /usr/local/squid while
# logs and cache are under /var — confirm the directory exists on the host.
error_directory /usr/local/squid/share/errors/Simplify_Chinese
# ICP (inter-cache protocol) disabled.
icp_port 0
 

IPTABLES 配置文件

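#!/bin/sh
# Gateway firewall: load netfilter modules, tune kernel networking knobs, then
# rebuild the filter and nat tables from scratch. Re-runnable: every run flushes
# and re-applies the whole rule set.
#
# Must run as root. Written against POSIX sh (no bashisms) to match the shebang.
#
# Changes from the original version of this script:
#   - failures of modprobe / sysctl writes are reported instead of ignored;
#   - an iptables failure aborts the run (fail closed, see rule());
#   - duplicate tunables were collapsed (ip_local_port_range was written twice
#     with the same value; the established-connection conntrack timeout was
#     set to 1800 and then to 600 — the later write won, so 600 is kept).

set -u

# Exported as in the original; child processes do not actually need it.
IPT=/sbin/iptables
export IPT

#######################################
# Print a warning on stderr and keep going.
# Arguments: message words
#######################################
warn() {
  printf 'firewall: warning: %s\n' "$*" >&2
}

#######################################
# Print an error on stderr and exit.
# Arguments: message words
# Returns:   exits 1
#######################################
die() {
  printf 'firewall: error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Load a kernel module. A missing module is a warning, not an abort, so an
# optional match module does not prevent the rest of the rule set from being
# installed (the original script also continued past modprobe failures).
# Arguments: $1 - module name
#######################################
load_module() {
  modprobe "$1" 2>/dev/null || warn "could not load module $1"
}

#######################################
# Write a value to a /proc/sys tunable, warning when the path is absent or the
# write fails (the netfilter/conntrack knobs in particular have moved between
# kernel releases).
# Arguments: $1 - absolute /proc/sys path
#            $2 - value to write
#######################################
set_proc() {
  if [ -w "$1" ]; then
    printf '%s\n' "$2" > "$1" || warn "could not write '$2' to $1"
  else
    warn "tunable $1 not present; skipping"
  fi
}

#######################################
# Run one iptables command and abort on failure, so the tables are never left
# half-built in silence. The DROP policies are installed before any ACCEPT
# rule, so an abort leaves the host closed rather than open.
# Arguments: iptables arguments
#######################################
rule() {
  "$IPT" "$@" || die "iptables $* failed"
}

[ -x "$IPT" ] || die "$IPT not found or not executable"

# --- kernel modules ----------------------------------------------------------
# connlimit, time, ipp2p and layer7 are loaded but no rule below uses them
# (no -m connlimit/-m time/-m ipp2p/-m layer7); ipp2p and layer7 are not part
# of the mainline kernel, so they may legitimately be missing.
for mod in ip_tables iptable_nat iptable_filter ip_conntrack_ftp ip_nat_ftp \
    ip_nat_pptp ipt_connlimit ipt_time ipt_ipp2p ipt_layer7; do
  load_module "$mod"
done

# --- kernel tuning -----------------------------------------------------------
set_proc /proc/sys/net/ipv4/ip_forward 1

set_proc /proc/sys/kernel/shmall 268435456
set_proc /proc/sys/kernel/shmmax 268435456
set_proc /proc/sys/net/ipv4/ip_local_port_range "1024 65000"
# NOTE(review): on kernels where conntrack is exposed under
# net.netfilter.nf_conntrack_* these two paths do not exist and are skipped
# with a warning — confirm on the target kernel.
set_proc /proc/sys/net/ipv4/netfilter/ip_conntrack_max 268435456
set_proc /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 600
# SYN-flood resistance.
set_proc /proc/sys/net/ipv4/tcp_syncookies 1
set_proc /proc/sys/net/ipv4/tcp_max_syn_backlog 2048
set_proc /proc/sys/net/ipv4/tcp_synack_retries 3
set_proc /proc/sys/net/ipv4/tcp_syn_retries 3

# Route cache and neighbour table sizing.
set_proc /proc/sys/net/ipv4/route/max_size 40960
#echo "100 1200 128 512 15 5000 500 1884 2" >/proc/sys/vm/bdflush
set_proc /proc/sys/net/ipv4/tcp_window_scaling 1

set_proc /proc/sys/net/ipv4/route/gc_timeout 100
set_proc /proc/sys/net/ipv4/route/gc_thresh 1024
set_proc /proc/sys/net/ipv4/route/gc_interval 10
set_proc /proc/sys/net/ipv4/neigh/default/gc_interval 15

# --- firewall rules ----------------------------------------------------------
# Flush filter and nat. NOTE(review): user-defined chains (-X) and the mangle
# table are not flushed, so anything another tool placed there survives a rerun.
rule -F
rule -t nat -F

# Default-deny for traffic to and from this host.
# NOTE(review): the FORWARD chain is left at the kernel default (ACCEPT) even
# though ip_forward is enabled and everything is masqueraded below, so routed
# traffic is not filtered at all — decide the intended forwarding policy and
# set it explicitly with -P FORWARD plus matching rules.
rule -P OUTPUT DROP
rule -P INPUT DROP

# Loopback and eth0 are fully trusted in both directions.
rule -A OUTPUT -o lo -j ACCEPT
rule -A INPUT -i lo -j ACCEPT
rule -A OUTPUT -o eth0 -j ACCEPT
rule -A INPUT -i eth0 -j ACCEPT

# eth1: unprivileged-port traffic in both directions.
# NOTE(review): the INPUT rules accept unsolicited inbound connections to every
# port in 1024-65534 on eth1, which includes Squid's http_port 3128 from the
# configuration on this page. If eth1 is the untrusted side this exposes an
# open proxy. A stateful pair (INPUT: -m state --state ESTABLISHED,RELATED;
# OUTPUT: -m state --state NEW,ESTABLISHED,RELATED) keeps outbound use working
# while closing unsolicited inbound; kept as-is here because the interface
# roles are not documented.
rule -A OUTPUT -o eth1 -p tcp --sport 1024:65534 -j ACCEPT
rule -A INPUT -i eth1 -p tcp --dport 1024:65534 -j ACCEPT

rule -A OUTPUT -o eth1 -p udp --sport 1024:65534 -j ACCEPT
rule -A INPUT -i eth1 -p udp --dport 1024:65534 -j ACCEPT

# DNS served on eth1.
rule -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
rule -A OUTPUT -o eth1 -p udp --sport 53 -j ACCEPT

# NAT. The transparent redirect of port 80 into Squid stays disabled as in the
# original. MASQUERADE has no -o, so it applies to every outgoing interface.
#rule -t nat -A PREROUTING -s 172.16.0.0/21 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
rule -t nat -I POSTROUTING -j MASQUERADE

# PPTP on eth1: control channel 1723/tcp and the GRE tunnel.
# NOTE(review): GRE is IP protocol 47, not TCP port 47, so the two tcp rules on
# port 47 are almost certainly redundant with the -p gre rules; kept pending
# confirmation.
rule -A INPUT -i eth1 -p tcp --dport 1723 -j ACCEPT
rule -A OUTPUT -o eth1 -p tcp --sport 1723 -j ACCEPT
rule -A INPUT -i eth1 -p tcp --dport 47 -j ACCEPT
rule -A OUTPUT -o eth1 -p tcp --sport 47 -j ACCEPT
rule -A INPUT -i eth1 -p gre -j ACCEPT
rule -A OUTPUT -o eth1 -p gre -j ACCEPT

echo "Fire wall is running!!!"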