求教::关于Squid做透明代理的问题!

恍若如梦

环境是这样的,一台trustix-2.0Linux服务器,用来拨号上网,一个HUB,一台Windowd2000系统,很简单的一个局限网,Linux服务器的IP地址为192.168.20.1,Windows2000系统IP地址为192.168.20.2,我想让Linux做透明代理服务器,2000通过这台代理服务器上网.
我的Squid2.5版本配置如下:

http_port 8080
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir ufs /opt/cache 100 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
dns_nameservers 219.234.32.254
unlinkd_program /usr/local/squid/libexec/unlinkd
acl allwed_hosts src 192.168.20.0/255.255.255.0
http_access allow all
cache_effective_user sjweb
cache_effective_group sjweb
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
visible_hostname www.sina.com.cn

Iptalbes脚本如下:
#begin

echo 1 > /proc/sys/net/ipv4/ip_forward

modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

iptables -F INPUT

iptables -F FORWARD

iptables -F POSTROUTING -t nat

iptables -t nat -F

iptables -P FORWARD DROP

iptables -A FORWARD -s 192.168.20.0/24 -j ACCEPT

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.20.0/24 -j MASQUERADE

#end

现在的问题是,在2000系统上可以ping通192.168.20.1,把网关设置成为192.168.20.1,然后用Linux拨号上网,但2000却打开不了网页,直接输入IP地址也不行,能否让大家帮帮忙,谢谢!

Snoopy

iptables需要添加规则

恍若如梦

请问如而添加呢?能帮写出来,谢谢!

faint

你的FORWARD 的 Default Policies 都drop掉了。

把倒数二三条规则换成下面的试试：
iptables -A FORWARD -i ppp0 -s 192.168.20.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT


BTW:机器那么少，不用squid都可了:-)，学习就另当别论

faint

另外，如果你一定要squid的话，还得添加另外一二条规则:-)
自己找找.......

恍若如梦

完完全全是为了学习,按上面的方法还是不行,包括squid非透明代理都不行,提示出错:

ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: http://219.234.32.251/

The following error was encountered:

Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.

--------------------------------------------------------------------------------

Generated Fri, 18 Jun 2004 01:04:54 GMT by www.lztvnet.com (squid/2.5.STABLE5)

我想请问一个问题,是不是只有sjweb用户支持squid程序才行,而root不行呢?

smile787

Access Denied.

楼上的兄弟，默认的配置是所有的squid访问都禁止。
http access allow all（不知道记错没）
打开。

恍若如梦

打开了啊,看看我的Squid的配置:

http_port 8080
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
cache_dir ufs /opt/cache 100 16 256
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
dns_nameservers 219.234.32.254
unlinkd_program /usr/local/squid/libexec/unlinkd
acl allwed_hosts src 192.168.20.0/255.255.255.0
http_access allow all
cache_effective_user sjweb
cache_effective_group sjweb
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
visible_hostname www.sina.com.cn