Author: wfjxx [wfjxx]
Applying NAT and a Transparent Proxy

Private Network: 192.168.0.0/24
External Network (DMZ): 202.0.0.0/28
CISCO Router (2600):
    Ethernet0/0: 192.168.0.4
    Ethernet0/1: 202.0.0.14
    Serial0/0: HDLC (WAN) -> The Internet
Server1: 202.0.0.1 (DNS, SMTP, POP3, PROXY)
Server2: 202.0.0.2 (DNS, WWW, SYSLOG, NTP)

__________________

gw-dit#show running-config
Building configuration...

Current configuration : 3424 bytes
!
version 12.1
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log uptime
service password-encryption
!
hostname gw-dit
!
boot system flash
logging buffered 8192 debugging
aaa new-model
aaa authentication login default local enable
enable secret 5 12345678901234567890
!
username user1 password 7 12345678901234567890
username user2 password 7 12345678901234567890
username user3 password 7 12345678901234567890
!
!
!
!
clock timezone BST 6
ip subnet-zero
no ip source-route
ip domain-list test.gov.bt
ip domain-name test.gov.bt
ip name-server 202.0.0.1
ip name-server 202.0.0.2
!
!
!
!
interface Ethernet0/0
 description Private LAN
 ip address 192.168.0.4 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 no ip mroute-cache
 ip policy route-map proxy-redirect
 no cdp enable
!
interface Serial0/0
 description 64K HDLC link to DrukNet
 bandwidth 64
 ip unnumbered Ethernet0/1
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 no ip mroute-cache
 down-when-looped
 no cdp enable
!
interface Ethernet0/1
 description External (DMZ) LAN
 ip address 202.0.0.14 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 no ip mroute-cache
 no cdp enable
!
ip nat inside source list 1 interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
logging facility local1
logging source-interface Ethernet0/1
logging 202.0.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit icmp any 202.0.0.0 0.0.0.15
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq smtp
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq pop3
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq www
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny udp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 6000 log
access-list 100 deny ip any any log
access-list 101 permit ip 202.0.0.0 0.0.0.15 any
access-list 101 deny ip any any log
access-list 102 permit ip 202.0.0.0 0.0.0.15 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any log
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 202.0.0.1 any
access-list 110 permit tcp any any
no cdp run
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 202.0.0.1
!
snmp-server community public RO
banner login ^C
Welcome
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 102 in
 exec-timeout 0 0
 password 7 11111C0A19
 transport input telnet
 transport output none
!
ntp server 202.144.158.193
end

__________________

On a Linux system with IPTables, and the proxy software installed locally, you would simply need:

# REDIRECT is a nat-table target, so the rule has to be added with -t nat
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp \
    --dport 80 -j REDIRECT --to-ports 8080

Or, if the proxy is on a different system:

iptables -t nat -A PREROUTING -p tcp --dport 80 \
    -i eth0 -j DNAT --to 202.0.0.2:8080

If you are using Squid, you should put these in /etc/squid/squid.conf:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Thread starter | Posted: 04-01-08 16:47
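An added worked example, not part of the post above and not code from the router or from 20CN: a small Python evaluator for the extended ACLs in the configuration, applying the same first-match rule a Cisco router uses when it walks an access list. Two things in the config are worth checking this way. First, route-map proxy-redirect policy-routes a packet to 202.0.0.1 only when access-list 110 permits it, so the function redirected_to_proxy() shows exactly which LAN traffic ends up at the proxy (TCP port 80 from anything except the proxy itself). Second, the three "deny ... eq 2049 log" and "deny ... eq 6000 log" entries in access-list 100 come after "permit tcp/udp any 202.0.0.0 0.0.0.15 gt 1023", which already matches ports 2049 and 6000, so those deny entries can never match and never log; shadowed_eq_rules() is a heuristic that finds such dead entries. The ACL text is copied from the post; the probe addresses 203.0.113.5 and 198.51.100.7 are constructed sample values, the parser covers only the syntax used on the page, and the "established" keyword is modelled as a flag on the sample packet.

```python
# Added example (not from the post): a Cisco extended-ACL evaluator using the
# router's first-match semantics. The ACL text is copied from the post; only
# the syntax it uses is parsed (permit/deny; ip/tcp/udp/icmp; any / host A /
# A WILDCARD; eq/gt/neq on the destination port; established; log).
import ipaddress
from collections import namedtuple

CONFIG = """
access-list 100 permit icmp any 202.0.0.0 0.0.0.15
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq smtp
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq pop3
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq www
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny udp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 6000 log
access-list 100 deny ip any any log
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 202.0.0.1 any
access-list 110 permit tcp any any
"""
NAMED_PORTS = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80}

# A sample packet; 'established' stands for the ACK/RST flags the keyword tests.
Packet = namedtuple("Packet", "src dst proto dport established", defaults=(None, False))
# src/dst are (address, wildcard) 32-bit ints; port_op is eq/gt/neq on the dst port.
Rule = namedtuple("Rule", "action proto src dst port_op port established log text")

def _ip(s): return int(ipaddress.IPv4Address(s))

def _parse_addr(t, i):
    """'any', 'host A' or 'A WILDCARD' at t[i] -> ((addr, wildcard), next i)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def parse_acl(config, number):
    """Collect the 'access-list <number>' entries in configuration order."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)]:
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        op, port, flags = None, None, set()
        while i < len(t):
            if t[i] in ("eq", "gt", "neq"):
                op, port, i = t[i], NAMED_PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
            elif t[i] in ("established", "log"):
                flags.add(t[i])
                i += 1
            else:
                raise ValueError(f"unsupported token {t[i]!r}: {line}")
        rules.append(Rule(t[2], t[3], src, dst, op, port,
                          "established" in flags, "log" in flags, line.strip()))
    return rules

def _matches(r, p):
    # Wildcard-mask match: bits set in the wildcard are "don't care".
    ok = lambda aw, ip: ((_ip(ip) ^ aw[0]) & ~aw[1] & 0xFFFFFFFF) == 0
    if r.proto not in ("ip", p.proto) or (r.established and not p.established):
        return False
    if not (ok(r.src, p.src) and ok(r.dst, p.dst)):
        return False
    if r.port_op is None or p.dport is None:
        return r.port_op is None
    return {"eq": p.dport == r.port, "gt": p.dport > r.port,
            "neq": p.dport != r.port}[r.port_op]

def first_match(rules, p):
    """A Cisco ACL stops at the first matching entry; None means implicit deny."""
    return next((r for r in rules if _matches(r, p)), None)

def evaluate(rules, p):
    """(action, entry text) of the first match, or the implicit deny."""
    r = first_match(rules, p)
    return (r.action, r.text) if r else ("deny", "<implicit deny>")

def shadowed_eq_rules(rules):
    """Heuristic: an 'eq PORT' entry is dead if an earlier entry with the
    opposite action already matches a probe built from the entry's own fields."""
    dead = []
    for i, r in enumerate(rules):
        if r.port_op != "eq":
            continue
        probe = Packet(str(ipaddress.IPv4Address(r.src[0])),
                       str(ipaddress.IPv4Address(r.dst[0])), r.proto, r.port)
        earlier = first_match(rules[:i], probe)
        if earlier is not None and earlier.action != r.action:
            dead.append(r.text)
    return dead

def redirected_to_proxy(acl110, p):
    """route-map proxy-redirect sets next-hop 202.0.0.1 only for ACL 110 permits."""
    return evaluate(acl110, p)[0] == "permit"
```

Running shadowed_eq_rules(parse_acl(CONFIG, 100)) returns the three NFS and X11 deny entries. If the intent is to block and log those ports on the DMZ, the deny entries have to be placed above the two "gt 1023" permits; in the order shown, the router never reaches them and the log server at 202.0.0.1 never sees an attempt.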
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software by: NetDemon
Guangdong ICP filing no. 05087286