GFW 封锁了 HTTP/Socks5 代理,HTTP 代理是关键词过滤,Socks5 代理则是封锁协议。不过某些特殊的低端口并没有这么处理,已知的有 21,25。
20端口已经被封杀,21端口目前会被限速400Kbps,换算后约合50KB/S,建议使用25端口,不限速。
一、系统环境
操作系统:CentOS release 6.7 (Final)
Squid版本:squid-3.1.10-20.el6_5.3.x86_64
SELINUX=disabled
HTTP Service: stoped
二、安装Squid服务
2.1 检查squid软件是否安装
# rpm -qa|grep squid
2.2 如果未安装,则使用yum 方式安装
# yum -y install squid
2.3 设置开机自启动
# chkconfig squid on //自动运行squid服务
2.4 配置squid,修改或增加红色部分
# # Recommended minimum configuration: # acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy#http_access deny all http_access allow all # Squid normally listens to port 3128 http_port 191.101.9.188:25 transparent # Uncomment and adjust the following to add a disk cache directory. cache_dir ufs /var/spool/squid 5000 16 256 # Leave coredumps in the first cache dir coredump_dir /var/spool/squid # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 strip_query_terms off visible_hostname 191.101.9.188 cache_mgr [email protected] cache_store_log none cache_access_log none cache_mem 512 MB cache_swap_low 90 cache_swap_high 95 maximum_object_size 128 MB maximum_object_size_in_memory 128 MB dns_nameservers 8.8.8.8 8.8.4.4 client_lifetime 1 minutes half_closed_clients off fqdncache_size 65535 ipcache_size 65535 ipcache_low 90 ipcache_high 95
三、配置防火墙
开放25端口
# iptables -I INPUT -p tcp --dport 25 -j ACCEPT # service iptables save
或编辑 vi /etc/sysconfig/iptables
# Completed on Thu May 12 13:14:52 2016 # Generated by iptables-save v1.4.7 on Thu May 12 13:14:52 2016 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [74:9756] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT COMMIT # Completed on Thu May 12 13:14:52 2016
重启 service iptables restart
ps:
http://bbs.itzmx.com/thread-8815-1-1.html
http://www.cnblogs.com/mchina/p/3812190.html
http://blog.163.com/na_llong/blog/static/1135416092013714104354316/
时间: 2024-10-12 01:09:27