Forum: System Integration    Title: NAT and transparent proxy applications
Author: wfjxx [wfjxx]
NAT and transparent proxy applications
Private Network: 192.168.0.0/24
External Network (DMZ): 202.0.0.0/28
CISCO Router (2600): Ethernet0/0: 192.168.0.4
Ethernet0/1: 202.0.0.14
Serial0/0: HDLC (WAN)

Internet-facing Server1 (DMZ): 202.0.0.1 (DNS, SMTP, POP3, PROXY)
Internet-facing Server2 (DMZ): 202.0.0.2 (DNS, WWW, SYSLOG, NTP)


__________________
gw-dit#show running-config
Building configuration...

Current configuration : 3424 bytes
!
version 12.1
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log uptime
service password-encryption
!
hostname gw-dit
!
boot system flash
logging buffered 8192 debugging
aaa new-model
aaa authentication login default local enable
enable secret 5 12345678901234567890
!
username user1 password 7 12345678901234567890
username user2 password 7 12345678901234567890
username user3 password 7 12345678901234567890
!
!
!
!
clock timezone BST 6
ip subnet-zero
no ip source-route
ip domain-list test.gov.bt
ip domain-name test.gov.bt
ip name-server 202.0.0.1
ip name-server 202.0.0.2
!
!
!
!
interface Ethernet0/0
description Private LAN
ip address 192.168.0.4 255.255.255.0
no ip redirects
no ip proxy-arp
ip accounting access-violations
ip nat inside
no ip mroute-cache
ip policy route-map proxy-redirect
no cdp enable
!
interface Serial0/0
description 64K HDLC link to DrukNet
bandwidth 64
ip unnumbered Ethernet0/1
ip access-group 100 in
ip access-group 101 out
no ip redirects
no ip proxy-arp
ip accounting access-violations
ip nat outside
no ip mroute-cache
down-when-looped
no cdp enable
!
interface Ethernet0/1
description External (DMZ) LAN
ip address 202.0.0.14 255.255.255.240
no ip redirects
no ip proxy-arp
ip accounting access-violations
no ip mroute-cache
no cdp enable
!
ip nat inside source list 1 interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
logging facility local1
logging source-interface Ethernet0/1
logging 202.0.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit icmp any 202.0.0.0 0.0.0.15
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq smtp
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq pop3
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq www
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny udp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 6000 log
access-list 100 deny ip any any log
access-list 101 permit ip 202.0.0.0 0.0.0.15 any
access-list 101 deny ip any any log
access-list 102 permit ip 202.0.0.0 0.0.0.15 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any log
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 202.0.0.1 any
access-list 110 permit tcp any any
no cdp run
route-map proxy-redirect permit 10
match ip address 110
set ip next-hop 202.0.0.1
!
snmp-server community public RO
banner login ^C
Welcome
^C
!
line con 0
line aux 0
line vty 0 4
access-class 102 in
exec-timeout 0 0
password 7 11111C0A19
transport input telnet
transport output none
!
ntp server 202.144.158.193
end
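To check what the two ACLs in this config actually do, here is an added Python evaluator (not part of the original post) that parses an excerpt of ACL 100 and ACL 110 with Cisco's first-match, wildcard-mask semantics; the sample packets in the comments and test are constructed. It also shows that the `permit tcp ... gt 1023` line precedes the `deny ... eq 2049` line, so that deny can never match.

```python
import ipaddress

# ACL excerpt from this page's router config: 100 is inbound on Serial0/0, 110 feeds the proxy route-map.
ACL_TEXT = """access-list 100 permit icmp any 202.0.0.0 0.0.0.15
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq www
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny ip any any log
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 202.0.0.1 any
access-list 110 permit tcp any any"""
NAMED_PORTS = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80}

def _addr(t):  # consume 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard, rest)
    if t[0] == "any": return 0, 0xFFFFFFFF, t[1:]
    if t[0] == "host": return int(ipaddress.ip_address(t[1])), 0, t[2:]
    return int(ipaddress.ip_address(t[0])), int(ipaddress.ip_address(t[1])), t[2:]

def _port(t):  # consume an optional 'eq|gt|neq PORT' -> (op, port, rest)
    if t and t[0] in ("eq", "gt", "neq"):
        return t[0], NAMED_PORTS.get(t[1]) or int(t[1]), t[2:]
    return None, 0, t

def parse_acls(text):  # 'access-list N action proto SRC [op P] DST [op P] [established] [log]'
    acls = {}
    for line in text.splitlines():
        t = line.split()
        sb, sw, rest = _addr(t[4:]); sop, sp, rest = _port(rest)
        db, dw, rest = _addr(rest); dop, dp, rest = _port(rest)
        acls.setdefault(t[1], []).append(
            (t[2], t[3], (sb, sw, sop, sp), (db, dw, dop, dp), "established" in rest))
    return acls

def _match(addr, base, wild):  # Cisco wildcard mask: 1 bits are "don't care"
    return (addr | wild) == (base | wild)

def _port_ok(op, p, actual):  # no operator on the line means any port matches
    return op is None or {"eq": actual == p, "gt": actual > p, "neq": actual != p}[op]

def evaluate(acl, proto, src, dst, sport=0, dport=0, established=False):
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for action, rproto, (sb, sw, sop, sp), (db, dw, dop, dp), est in acl:
        if (rproto in ("ip", proto) and _match(s, sb, sw) and _match(d, db, dw)
                and _port_ok(sop, sp, sport) and _port_ok(dop, dp, dport)
                and (established or not est)):
            return action  # first matching line wins, so order decides
    return "deny"  # the implicit deny at the end of every Cisco ACL
ACLS = parse_acls(ACL_TEXT)  # e.g. evaluate(ACLS["100"], "tcp", "8.8.8.8", "202.0.0.2", dport=2049) -> "permit"
```

For ACL 110 a "permit" result means the route-map matches and the packet is forwarded to the proxy at 202.0.0.1; to make the NFS and X11 denies effective, they would have to be moved above the `gt 1023` permits.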


__________________


On a Linux system with iptables and the proxy software installed locally, you would simply need:
# REDIRECT is a nat-table target, so -t nat is required (the filter table has no
# PREROUTING chain); the source matches the whole private LAN, 192.168.0.0/24, as defined above.
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp \
--dport 80 -j REDIRECT --to-ports 8080

Or if the proxy is on a different system:
iptables -t nat -A PREROUTING -p tcp --dport 80 \
-i eth0 -j DNAT --to 202.0.0.2:8080

If you are using Squid, add these lines to /etc/squid/squid.conf (these httpd_accel_* directives are the transparent-proxy settings of Squid 2.5 and earlier; make sure http_port matches the port the packets are redirected to, 8080 above):
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on



Original poster    Posted: 04-01-08 16:47


Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon

Guangdong ICP filing no. 05087286