Linux-Squid service allows a station is only within the network client host mode can smoothly access the Internet

This blog aims to how to make a virtual machine in master mode can only access the Internet! ! !
It is well known network connection has three modes: bridging, NAT, only the host , and NAT modes bridged by means of a physical machine can link to external networks, but not only the host mode, the host mode may only communicate only within the LAN.
Plan Focus: Want to make host-only mode virtual machine access, you can helpsquid代理缓存服务

squid proxy cache service

1, Squid is the most popular Linux system, a high-performance proxy service software, Web sites usually used as pre-caching service, the user can request instead of page data to the server and cached. [To request a re-answer]

2, Squid service program asks the user requests received in accordance with the required data pages, images and so on to the website source server, the server and the server returns the data stored in the service program run Squid. When the user re-requests the same data, the storage server may be directly delivered to the user data locally, thus reducing the waiting time for users.

3, Squid service program has a simple configuration, high efficiency, feature-rich features, it supports data caching multiple protocols HTTP, FTP, SSL, etc., may perform content-based access control list (ACL) and access lists (ARL) filtration and privilege management functionality that can also be based on a variety of conditions prohibit users from accessing the site there is a threat or inappropriate resources, thereby protecting the enterprise network security, improve the user's web experience, to help save network bandwidth. , But also ease the pressure load web server. [A request, a response request again, no response]

4, due to the caching proxy service will not only consume more server CPU computing performance, memory and hard drives and other hardware resources, but also requires a large network bandwidth to guarantee data transmission efficiency, which will result in greater network bandwidth overhead. Therefore, many domestic IDC service provider or CDN nodes caching proxy server will be placed in the second and third tier cities in order to reduce operating costs.

5, forward proxy mode : Refers to allow users to access web pages and other resources by Squid service program, visit the Web site user behavior and to restrict the access control list (ACL) function. [Standard proxy mode + transparent proxy mode]
forward proxy mode may be used in the enterprise LAN, allows business users to unified service access Internet resources through Squid, so not only can reduce the cost of the public network bandwidth, to a certain extent, but also user access to web content will be regulatory restrictions, once the internal network users to access websites and content rules match ban will be automatically blocked sites. First with [Reload]

6, reverse proxy mode : generally provide caching services for medium to large sites, it is the site of a static resource conservation in the country more than one node in the engine room, when a user initiates a static resource access request, can be close to assign users node and transmission resources, so it has been widely used in medium and large sites. [Pre-existing] then
reverse proxy mode may use more than one node hosts reverse caching Web site data, thus speeding user access speed. Because in general, the site will generally load a lot of text, images and other static resources, but they are relatively more stable data when the user initiates a web page to access these static resource requests, we can use Squid reverse proxy mode service program provides to respond. Moreover, if the reverse proxy server happens to have a static resource to be accessed by the user, it will be sent directly to cache these static resources to the user, which can not only speed up the user's site access speed, reducing the server also to some extent load pressure.

To better understand proxy caching service, you have to carefully read the above.

Deployment lab environment

Dual card configuration
① Host Configuration :
Squid server:192.168.10.10

Squid client: 192.168.10.20

the above are set to host host only模式
② configure squid server dual NIC [not only access the Internet, but also access to the network]
external network card: 桥接dhcp模式
network card: host only模式, IP address:192.168.10.10

#服务端网卡配置文件
[root@linuxfwd network-scripts]# cat ifcfg-eno16777728 
HWADDR=00:0C:29:50:48:2E
TYPE=Ethernet
BOOTPROTO=none
NAME=eno16777728
IPADDR=192.168.10.10
PREFIX=24
UUID=a42737cf-ba2b-4dcc-9b61-d835e9afff46
ONBOOT=yes
[root@linuxfwd network-scripts]# cat ifcfg-eno33554968 
HWADDR=00:0c:29:50:48:38
TYPE=Ethernet
BOOTPROTO=dhcp
NAME=eno33554968
UUID=227eb5d6-92da-4329-b5dc-e260ede785a6
ONBOOT=yes

#客户端网卡配置文件
[root@linuxkhd network-scripts]# cat ifcfg-eno16777728 
HWADDR=00:0C:29:4F:3A:8A
TYPE=Ethernet
NAME=eno16777728
IPADDR=192.168.10.20
PREFIX=24
UUID=e8d8cd0d-e264-4941-9a93-c0bb25a959d5
ONBOOT=yes

③ Test network connectivity
server and the external network can be the network communication

may communicate with a client server

may communicate with the external network server

Configuring network solutions to common problems:

If you have problems when you configure dual-card, you can use the following methods to troubleshoot network:
① check the two network cards configuration file is clerical error [ 两张网卡], 看是否使用了正确的网卡文件it is best to delete irrelevant NIC configuration file, retaining only the network card configuration to be used file.
② Network Service Restart [ systemctl restart network]
③ Check the IP address of the server VMnet1 physical machine in which a card is in the same network segment, and the network mode is dhcp 【自动获取】【ifocnfig】
whether ④ to view the client's IP address with another server on the same network cards network, and the network model are in the host only mode【固定分配】【ifconfig】
⑤ generally do not turn off the firewall also possible, if the above methods will not work, you can try turning off the firewall try.
⑥ restart the virtual machine, the virtual machine sometimes just have to restart obedient! ! !

After the above-configured network environment, do not forget to take a snapshot of the virtual machine, if you want to configure it again every time it does not matter.

Deployment squid caching proxy services

yum -y install squid

Restart the squid service and add it to boot from Kai items in

the main configuration file:/etc/squid/squid.conf

First with forward proxy service [reload]

1, the standard forward proxy services

The client can not go outside the network

Method 1: all browsers can use the standard forward proxy server access

Standard forward proxy server address: 192.168.10.10The default squid service occupied port number: 3128

If you want to use a different port number, you can modify the main configuration file squid service, as follows:

also need to set security policy to allow the port selinux squid services:

Empty server iptables policy and save the current iptablse strategy

can be seen only under a virtual machine host mode you can also get online! ! !

Method 2: Specify a browser can use a standard forward proxy server access

Act 1 is the use of the browser's default proxy cache server is configured to use a proxy server system
first cancellation system proxy cache server is configured

to open firefox, configure the browser's unique proxy cache server parameters [many online blog did not say linux system where the firefox configure a proxy server! ! ! ]:


Empty server iptables policy and save the current iptablse strategy

can be seen in the virtual machine in the host-only mode can also get online! ! !

2, transparent forward proxy services

In 标准正向代理服务case, if the network has 100 clients, it would need 100 hosts this setting proxy service, so very convenient. And 透明正向代理服务, on their own without the user on the browser setting, by the DHCP server to assign network configuration information to the client host. So long as the user opens the browser will automatically use a transparent forward proxy service.
SNAT技术It forwards data, allowing the data to the client host Squid proxy server, and then forwarded to the external network by the latter. In simple terms, it is to make Squid server as a middleman, the data transmission between the network and the external network client host.
① configure client network environment, you can see the network client is unable to resolve www.baidu.comthe

[root@linuxkhd network-scripts]# cat ifcfg-eno16777728 
TYPE=Ethernet
NAME=eno16777728
UUID=e8d8cd0d-e264-4941-9a93-c0bb25a959d5
ONBOOT=yes
HWADDR=00:0C:29:4F:3A:8A
BOOTPROTO=none
IPADDR0=192.168.10.20
PREFIX0=24
GATEWAY0=192.168.10.10
DNS1=8.8.8.8
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no

② configure the server so that the bridge card supports port forwarding function SNAT

iptables -F  #清空防火墙策略
service iptables save
iptables -t nat  -A POSTROUTING -p udp --dport 53 -o eno33554968 -j MASQUERADE   
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf    #允许squid服务转发ipv4数据包
sysctl -p   #/etc/sysctl.conf里面的转发参数立即生效

③ test whether the client can ping outside the network can be found, it is able to resolve, but can not ping

④ configuration squid master configuration file services/etc/squid/squid.conf

If you encounter an error, configure / etc / hosts file

squid -k parse[Check the main configuration file for errors]
squid -z[initialization squid transparent proxy cache service routine]

Restart the squid service systemctl restart squid
⑤ continue to configure SNAT server port forwarding, so that the client requests to Web site port 80 forwarding to the 3128 port.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno33554968 -j SNAT --to 192.168.124.18
service iptables save
⑥ can be seen only in host mode clients can already access the

#解读SNAT和iptables防火墙：
#SNAT技术使得多个内网的用户通过同一个外网IP接入Internet
#将访问网卡eno33554968的53号端口(DNS服务)的请求，进行伪装。
iptables -t nat  -A POSTROUTING -p udp --dport 53 -o eno33554968 -j MASQUERADE

#将访问服务器的80端口的请求，转发到服务器的3128。
iptables -t nat -A PREROUTING  -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

#将来自192.168.10.0/24网段的请求，转发到网卡eno33554968的IP地址192.168.124.18
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno33554968 -j SNAT --to 192.168.124.18

If you feel that the use iptablesto configure the firewall lot of trouble, can be used firewall-configto configure ✔ marked on the line.

Reverse Proxy Service [pre-existing] then

1. Web page consists of static and dynamic resources with the composition of [static resources (more stable): site architecture CSS files, pictures, video and other data] [Dynamic Resource (easy to change)]
2. If you can put these resources to pull away from a static website pages out, and then deploy throughout the country node cache static resources, which can not only enhance the speed of the user access to the site, but the site also because the existence of these source server cache node and reduce the load .
3. Reverse proxy mode Squid is an important service program, the principle is part of the original launch of the website source server to a user request to the server Squid cache node to handle.
4. Many websites are currently banned by default reverse proxy functionality. Opened a website CDN (Content Delivery Network) services also can avoid this theft.

① services configuration squid master configuration file:

59 http_port 桥接网卡IP地址:80 vhost
60 cache_peer 网站源服务器IP地址 parent 80 0 originserver

② restart the squid service [ systemctl restart squid]
effect: When the input local bridge network adapter IP address, enter the source server to the site corresponding to the site! ! ! [Stealing traffic or less as a wonderful thing, it is recommended to use their own website to do the test! ! ! As a white, do not have a website or have a domain name blog, here is not introduced! ! ! ]
Can Baidu, how are prohibited by the anti generation! ! !

Now we can comfortably use only the host mode virtual machines access it! ! !