A machine acting as a gateway server must have two network interfaces: one connected to the external network and one to the internal network.
To use FreeBSD as a gateway, first enable the pf firewall and configure FreeBSD to operate as a gateway.
Add the following to rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="NO"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"
pflog_flags=""
pfsync_enable="NO"
gateway_enable="YES"
Next, configure the pf firewall. Here we assume em0 is the external interface and em1 is the internal interface.
Add the following to pf.conf:
lan_net = "192.168.20.0/24"
ext_if1="em0"
lan_if1="em1"
tcp_services = "{22}"
icmp_types = "echoreq"
set block-policy return
set skip on {lo0}
#NAT
nat on $ext_if1 from {$lan_net } to any -> ($ext_if1)
#Transparent proxy
rdr pass inet proto tcp from $lan_net to any port 80 -> 127.0.0.1 port 3129
#Allow ssh
pass proto tcp to port $tcp_services
#LAN use ICMP
pass in quick on $lan_if1 proto icmp from $lan_net to any icmp-type $icmp_types
pass in on $lan_if1 from $lan_if1:network to any keep state
pass out on $lan_if1 from any to $lan_if1:network keep state
#Allow all traffic out via external interface
pass out on $ext_if1 proto tcp all modulate state flags S/SA
pass out on $ext_if1 proto { udp, icmp } all keep state
Next, configure Squid to work with pf as a transparent proxy.
The squid.conf configuration is as follows:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 transparent
cache_mem 512 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/squid/cache 10000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname ******* (replace with your own hostname)
Next, update devfs.conf to change the ownership and permissions of the pf device node:
own pf root:squid
perm pf 0640
Update rc.conf to start squid at boot:
squid_enable="yes"
Run squid -z in the /var/squid/cache/ directory to create the cache directories.
If you need DHCP on the internal side, refer to the following configuration.
rc.conf:
dhcpd_enable="yes"
dhcpd_ifaces="em1"
dhcp.conf:
option domain-name-servers 8.8.8.8;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
ddns-update-style none;
subnet 192.168.20.0 netmask 255.255.255.0 {
range 192.168.20.100 192.168.20.200;
option routers 192.168.20.1;
option subnet-mask 255.255.255.0;
}
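The transparent proxy only works if the port that the pf rdr rule redirects to is the same port Squid listens on in transparent mode, and the DHCP scope must match the pf lan_net macro. The following checker, added here as an example and not part of the original post, parses constructed excerpts of the three files above and reports any mismatch; the regular expressions and the lan_net default are assumptions for this illustration.

```python
import ipaddress
import re

# Constructed excerpts of the three files from this page (sample input for the checker).
PF_CONF = """\
lan_net = "192.168.20.0/24"
ext_if1="em0"
rdr pass inet proto tcp from $lan_net to any port 80 -> 127.0.0.1 port 3129
"""
SQUID_CONF = "http_port 3128\nhttp_port 3129 transparent\n"
DHCPD_CONF = """\
subnet 192.168.20.0 netmask 255.255.255.0 {
range 192.168.20.100 192.168.20.200;
option routers 192.168.20.1;
}
"""

def pf_macros(text):
    """Collect pf macro definitions such as ext_if1="em0" into a dict."""
    return dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', text, re.M))

def rdr_target_ports(pf_text):
    """Ports that rdr rules redirect matching traffic to, after macro expansion."""
    macros = pf_macros(pf_text)
    expand = lambda s: re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), s)
    rules = [expand(l) for l in pf_text.splitlines() if l.startswith("rdr")]
    hits = (re.search(r'->\s*\S+\s+port\s+(\d+)', r) for r in rules)
    return [int(m.group(1)) for m in hits if m]

def squid_transparent_ports(squid_text):
    """Ports Squid listens on in transparent (older keyword) or intercept mode."""
    pat = r'^http_port\s+(?:[\w.:\[\]]+:)?(\d+)\s+(?:transparent|intercept)\b'
    return [int(m.group(1)) for m in re.finditer(pat, squid_text, re.M)]

def check(pf_text, squid_text, dhcpd_text):
    """Return a list of mismatches; an empty list means the three files agree."""
    problems = []
    macros = pf_macros(pf_text)
    squid_ports = squid_transparent_ports(squid_text)
    for p in rdr_target_ports(pf_text):
        if p not in squid_ports:
            problems.append(f"rdr redirects to port {p} but Squid has no transparent http_port {p}")
    lan = ipaddress.ip_network(macros.get("lan_net", "0.0.0.0/32"))
    m = re.search(r'subnet\s+(\S+)\s+netmask\s+(\S+)', dhcpd_text)
    if m and ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") != lan:
        problems.append(f"dhcpd subnet {m.group(1)}/{m.group(2)} differs from pf lan_net {lan}")
    r = re.search(r'option routers\s+(\S+);', dhcpd_text)
    if r and ipaddress.ip_address(r.group(1)) not in lan:
        problems.append(f"dhcpd router {r.group(1)} is outside lan_net {lan}")
    return problems
```

Run it against the real files after editing them; on the host itself, pfctl -nf /etc/pf.conf and squid -k parse are the syntax checks to pair it with.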