RedHat AS5 + Squid 2.6.19 + ASA 5520 8.2 transparent proxy

Preface:

Transparent proxy: the client needs no manual proxy settings; the network redirects its traffic to the proxy server automatically.
WCCP: a Cisco-proprietary protocol supported by Cisco routers, mid- to high-end switches and some cache appliances; other vendors support it too, and so does the Squid software configured in this article. Layer-4 switches and ordinary proxy servers can also provide transparent proxying by other means.
The users asked for this, and once the ASA firewall was doing NAT its memory use was high and the performance demands heavy, so a transparent caching proxy was the recommendation: the cache cuts upstream bandwidth use, and because it is transparent there is no per-client configuration work.
My knowledge of Linux iptables is limited, and detailed working examples on the web are pitifully few, so the detailed configuration below was not easy to put together...

1. Network topology

[Topology diagram]

In outline, from the configuration that follows: the ASA's inside interface GigabitEthernet0/1 (192.168.205.1/29) and the Squid host (192.168.205.4) share the same /29, the client networks 192.168.0.0/16 and 172.16.0.0/16 reach the Internet through that inside interface, and GigabitEthernet0/0 (61.x.x.x) is the outside interface.

2. Environment

2.1 Firewall version

InternetFireWall# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

2.2 Linux version

[admin@netproxy ~]$ uname -a
Linux netproxy 2.6.18-53.el5xen #1 SMP Wed Oct 10 17:06:12 EDT 2007 i686 i686 i386 GNU/Linux
[admin@netproxy ~]$

2.3 Squid version and configure options (not the distribution's squid package; built from source into /usr/local/squid)

[admin@netproxy sbin]$ ./squid -v
Squid Cache: Version 2.6.STABLE19
configure options:  '--prefix=/usr/local/squid' '--enable-dlmalloc' '--with-pthreads' '--enable-poll' '--disable-internal-dns' '--enable-stacktrace' '--enable-removal-policies=heap,lru' '--enable-delay-pools' '--enable-storeio=aufs,coss,diskd,ufs'
[admin@netproxy sbin]$

3. Configuration on AS5

3.1 Edit the /etc/sysctl.conf file (apply the change with sysctl -p, or reboot)

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

3.2 Edit the squid.conf file (/usr/local/squid/etc/squid.conf)

http_port 3128 transparent
wccp2_router 192.168.205.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1

#
# Find the acl section and open it only to the client networks that need
# Internet access. Do not use "http_access allow all" here: that turns the
# listener on 192.168.205.4:3128 into an open proxy for anything that can
# reach it. Allow exactly the networks the ASA redirect list carries and
# deny everything else (squid evaluates http_access lines in order, first
# match wins):
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/16 172.16.0.0/16
http_access allow localnet
http_access deny all

Caveat: the configure options in 2.3 do not include --enable-linux-netfilter, the usual requirement for interception on Linux. Without it Squid cannot query netfilter for a connection's original destination and has to reconstruct the request URL from the client's Host header. Rebuilding with that option is the common fix.

Create the GRE interface (reference material says the ip_wccp module can be used instead, but only one of the two may be used; AS5 ships the ip_gre module, whereas ip_wccp has to be downloaded from the Squid site and built).

modprobe ip_gre
ifconfig gre0 127.0.0.3 up
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.205.4:3128
iptables -t nat -A PREROUTING -s 172.16.0.0/255.255.0.0 -d ! 172.16.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.205.4:3128
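
The whole Linux-side procedure (forwarding, GRE device, DNAT rules, plus a check) collected into one idempotent script. This is an added example, not code from the original post. It uses iproute2 rather than ifconfig and assumes an iptables new enough for the "! -d" inversion syntax (1.4.3 or later; the "-d !" form above is the older one). It also relaxes reverse-path filtering on gre0, which the procedure above does not mention but which, where rp_filter is strict (the RHEL default), drops the decapsulated client packets because their source addresses route back via eth0. Addresses and networks are those of the page; the chain name WCCP_REDIR is an assumption of mine.

```shell
#!/bin/sh
# Added example (not from the original post): Linux side of the WCCP/GRE
# interception in one idempotent script. Run as root: ./wccp-redir.sh apply
# Assumes iproute2 and iptables >= 1.4.3 ("! -d" syntax).
PROXY_IP="192.168.205.4"
PROXY_PORT="3128"
CLIENT_NETS="192.168.0.0/16 172.16.0.0/16"   # networks in the ASA redirect list
GRE_DEV="gre0"
CHAIN="WCCP_REDIR"                           # assumed name for our own nat chain

# Match/target arguments for one client network: only TCP/80 that arrived
# decapsulated on the GRE device, and not traffic staying inside that network.
dnat_rule_args() {
    net="$1"
    printf '%s' "-i $GRE_DEV -p tcp --dport 80 -s $net ! -d $net -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
}

# Render the rule set as text so it can be reviewed before anything is applied.
render_rules() {
    for net in $CLIENT_NETS; do
        printf 'iptables -t nat -A %s %s\n' "$CHAIN" "$(dnat_rule_args "$net")"
    done
}

apply() {
    sysctl -q -w net.ipv4.ip_forward=1
    modprobe ip_gre
    # Same address the page gives gre0; "|| true" keeps re-runs quiet.
    ip addr add 127.0.0.3/8 dev "$GRE_DEV" 2>/dev/null || true
    ip link set "$GRE_DEV" up
    # Assumption not in the original procedure: decapsulated packets carry
    # client source addresses whose route points at eth0, so strict
    # reverse-path filtering on gre0 would silently drop them.
    sysctl -q -w "net.ipv4.conf.$GRE_DEV.rp_filter=0"
    # Own chain: create it once, flush it on every later run.
    iptables -t nat -N "$CHAIN" 2>/dev/null || iptables -t nat -F "$CHAIN"
    iptables -t nat -L PREROUTING -n | grep -q "^$CHAIN " \
        || iptables -t nat -A PREROUTING -i "$GRE_DEV" -j "$CHAIN"
    for net in $CLIENT_NETS; do
        # word splitting of the rendered arguments is intended here
        iptables -t nat -A "$CHAIN" $(dnat_rule_args "$net")
    done
}

# What to look at when clients are not getting through: WCCPv2 control
# traffic is UDP/2048 between Squid and the ASA, redirected payload arrives
# as GRE (IP protocol 47), gre0 RX should climb, and the DNAT counters
# (which plain "iptables -L" hides) should climb with it.
verify() {
    tcpdump -nni eth0 -c 10 'udp port 2048 or proto gre'
    ip -s link show "$GRE_DEV"
    iptables -t nat -L "$CHAIN" -n -v
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify ;;
    show)   render_rules ;;
esac
```

"show" prints the rules without touching the system; "apply" is safe to run repeatedly because the dedicated chain is flushed and refilled each time instead of appending duplicates to PREROUTING.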
[root@netproxy usr]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1A:64:0A:B3:98 
          inet addr:192.168.205.4  Bcast:192.168.205.7  Mask:255.255.255.248
          inet6 addr: fe80::21a:64ff:fe0a:b398/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59335758 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60489065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1517502610 (1.4 GiB)  TX bytes:1056225077 (1007.2 MiB)

gre0      Link encap:UNSPEC  HWaddr
00-00-00-00-DA-BF-A8-35-00-00-00-00-00-00-00-00 
          inet addr:127.0.0.3  Mask:255.0.0.0
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:22683975 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1214455678 (1.1 GiB)  TX bytes:0 (0.0 b)

3.3 Verification

[root@netproxy etc]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  192.168.0.0/16        !192.168.0.0/16        tcp dpt:http
to:192.168.205.4:3128
DNAT       tcp  --  172.16.0.0/16       !172.16.0.0/16       tcp dpt:http
to:192.168.205.4:3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  192.168.122.0/24     anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[root@netproxy etc]#

Only the two DNAT rules belong to this setup; the MASQUERADE entry for 192.168.122.0/24 is the default NAT network created by libvirt on this host, not part of the proxy configuration. Note that iptables -t nat -L without -n -v omits the interface match (-i gre0) and the per-rule counters; run it with -n -v to confirm the rules are actually being hit.

4. Configuration on the ASA

4.1 Interfaces

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 61.x.x.x   255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.205.1 255.255.255.248

4.2 NAT

global (outside) 1 1x.x.x.66-70
nat (inside) 1 0.0.0.0 0.0.0.0

4.3 WCCP ACL

(Note: this is an extended list and it should match www only; adding anything else caused problems. Adding UDP 8000 so that QQ keeps working has no effect here in any case: the standard web-cache service group only carries TCP with destination port 80, as the "sh wccp web-cache service" output in section 5 confirms (Protocol 6, Ports 80), so any other protocol or port in this list never matches. Also note that the proxy's own address 192.168.205.4 sits inside 192.168.0.0/16, so its outbound port-80 connections match this list too; a WCCP router is expected to skip traffic sourced by a registered cache engine, but an explicit deny for host 192.168.205.4 ahead of the two permits removes the dependence on that behaviour.)

access-list wccpacl extended permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list wccpacl extended permit tcp 172.16.0.0 255.255.0.0 any eq www

4.4 WCCP

wccp web-cache redirect-list wccpacl
wccp interface inside web-cache redirect in

As configured, nothing restricts who may join the service group: any host on the inside segment that speaks WCCPv2 (UDP 2048) can register as a cache engine and have client HTTP traffic redirected to it (the wccp line above sets no password, and the sh wccp output below shows "Group access-list: -none-"). Tie membership down with the group-list option of the wccp command, using an ACL that permits only host 192.168.205.4, and set a WCCP password on the ASA with a matching password in Squid's wccp2_service line.

5. Verification

InternetFireWall#   sh wccp web-cache view
    WCCP Routers Informed of:
        61.x.x.x
    WCCP Cache Engines Visible:
        192.168.205.4
    WCCP Cache Engines NOT Visible:
        -none-
InternetFireWall#   sh wccp web-cache service
WCCP service information definition:
        Type:          Standard
        Id:            0
        Priority:      240
        Protocol:      6
        Options:       0x00000512
        --------
            Hash:      DstIP
            Alt Hash:  SrcIP SrcPort
            Ports:     Destination:: 80 0 0 0 0 0 0 0
InternetFireWall#   sh wccp web-cache detail
WCCP Cache-Engine information:
        Web Cache ID:          192.168.205.4
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    363329
        Connect Time:          00:20:30
InternetFireWall# sh mem
Free memory:       207303064 bytes (39%)
Used memory:       329567848 bytes (61%)
-------------     ----------------
Total memory:      536870912 bytes (100%)
InternetFireWall# sh wccp
Global WCCP information:

    Router information:

        Router Identifier:                   61.x.x.x  (the firewall's outside interface address serves as the router identifier)

        Protocol Version:                    2.0
    Service Identifier: web-cache

        Number of Cache Engines:             1

        Number of routers:                   1
        Total Packets Redirected:            679038
        Redirect access-list:                wccpacl
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            58
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
InternetFireWall# sh wccp interfaces detail
WCCP interface configuration details:
    GigabitEthernet0/1
        Output services: 0
        Input services:  1
        Static:          Web-cache
        Dynamic:         None
        Mcast services:  0
        Exclude In:      FALSE
InternetFireWall# sh wccp web-cache view
    WCCP Routers Informed of:
        61.x.x.x
    WCCP Cache Engines Visible:
        192.168.205.4
    WCCP Cache Engines NOT Visible:
        -none-
InternetFireWall# sh wccp web-cache detail
WCCP Cache-Engine information:
        Web Cache ID:          192.168.205.4
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    701985
        Connect Time:          00:26:41
InternetFireWall# sh wccp web-cache b
WCCP hash bucket assignments:
        Index  Cache Engine:
          00   192.168.205.4
          FF   NOT ASSIGNED
        XX|  0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
        --|-------------------------------------------------
        00| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        10| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        20| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        30| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        40| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        50| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        60| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        70| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        80| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        90| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        A0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        B0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        C0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        D0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        E0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        F0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

Afterword:

I originally wanted to do this on a Cisco 4500-series switch with a Supervisor IV engine, but the switch supports only L2 redirection, not GRE; after N attempts I never got it to work.

Testing on the switch is still ongoing; hopefully I will crack it some day...