Friday, December 3, 2010

Teach you to build high-performance Linux double firewall

4. Create the ramdisk. This takes three commands:

(1) mkdir /squid creates the mount point /squid.

(2) mkfs /dev/ramdisk creates a file system on the ramdisk.

(3) mount /dev/ramdisk /squid mounts the ramdisk on /squid.

Because the ramdisk is lost on every reboot, the system has to set it up again automatically each time it starts. Write the two commands

mkfs /dev/ramdisk
mount /dev/ramdisk /squid

into a file; for now call it myautoexec.bat. For convenience, create an /admin directory, save myautoexec.bat there, and make it executable: chmod +x /admin/myautoexec.bat. The file is still not called at boot, so one more step is needed: edit /etc/rc.local and append the line /admin/myautoexec.bat; the system will then run myautoexec.bat automatically at startup. One caveat: mkfs does not size the ramdisk, the kernel's ramdisk_size boot parameter does, and it must be large enough to hold the cache configured in the next step.

5. Initialize squid. Remember the parameter "cache_dir ufs /squid 256 16 256"? Initialization means squid creating, inside the cache_dir, the specified number of first-level directories (16), each containing 256 second-level directories. The command is "squid -z". Run it now, though, and the system reports an error: /squid is owned by root, and squid, which runs as the squid user, has no permission to write there. So first hand /squid to the squid user with "chown squid.squid /squid", then run "squid -z" again; on the ramdisk it completes in under a second, whereas on disk the same step typically takes tens of seconds. Since the ramdisk is empty after every reboot, this too has to happen at boot: add the two commands

chown squid.squid /squid
squid -z

to myautoexec.bat, and finally add the line "squid", which starts the squid service process. That completes the squid setup.

6. Set up the NAT and firewall rules. For convenience, write the rules to a file, /admin/myfirewall:

#------ initialization section
iptables -F
iptables -t nat -F
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
#------ initialization end

#------ start NAT
# Let the internal computers on 10.27.0.0/16 masquerade onto the Internet.
iptables -t nat -A POSTROUTING -o eth1 -s 10.3.37.0/24 -j MASQUERADE
#------ end NAT

#------ port translation: every request sent to port 80 on the external network is sent to port 3128 instead, that is, to squid. This is the key to the transparent proxy.
(the rule itself is not preserved in the post)
#------ end port translation

#------ firewall rules (these depend on your own requirements)
iptables -A INPUT -i eth1 -s 0.0.0.0/0 ... (both rules are truncated in the post)
# The two rules above drop all ping packets coming in from the external network and drop all requests initiated from the external network to ports other than 80; in other words, the external network may not ping the internal network and may only reach the internal network's http service.

Note that the NAT comment names 10.27.0.0/16 while the rule matches 10.3.37.0/24; put your own internal subnet in both places. A complete firewall ruleset must be drawn up according to your own network security requirements; the one here is only a reference. Lines beginning with # are comments and need not be typed in. Save the file as /admin/myfirewall and run "chmod +x /admin/myfirewall" so that it can be executed. Then edit /admin/myautoexec.bat and add "/admin/myfirewall" as its last line. At this point the configuration of our high-performance firewall is complete; reboot and it goes to work.
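The following is an added example, not the post's own files: one boot script that does what steps 4 to 6 split between /admin/myautoexec.bat (ramdisk and squid) and /admin/myfirewall (NAT and filter rules), with the two rules the post only describes written out. It assumes eth0 faces the LAN and eth1 the Internet, a LAN of 10.3.37.0/24, squid running as user "squid" on port 3128, and /dev/ramdisk as the ramdisk device; all of these are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not the post's own files: one boot script that does what the
# post splits between /admin/myautoexec.bat (ramdisk + squid) and
# /admin/myfirewall (NAT + filter rules). Assumptions, change them for your site:
# eth0 faces the LAN, eth1 faces the Internet, the LAN is 10.3.37.0/24, squid
# runs as user "squid" on port 3128, and the ramdisk device is /dev/ramdisk.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.3.37.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
CACHE_DIR=${CACHE_DIR:-/squid}
RAMDISK=${RAMDISK:-/dev/ramdisk}
# RUN=echo (or the dry-run argument) prints every command instead of executing it.
RUN=${RUN:-}

setup_ramdisk() {
    # The ramdisk is empty after every reboot, so it needs a new file system and
    # a mount each time. Do not mkfs a device that is already mounted.
    if grep -q " $CACHE_DIR " /proc/mounts 2>/dev/null; then
        echo "$CACHE_DIR is already mounted, skipping mkfs" >&2
        return 0
    fi
    $RUN mkdir -p "$CACHE_DIR"
    $RUN mkfs "$RAMDISK"
    $RUN mount "$RAMDISK" "$CACHE_DIR"
}

init_cache() {
    # squid -z builds the 16 x 256 directory tree of "cache_dir ufs /squid 256 16 256"
    # as the squid user, so it fails with "permission denied" unless the empty
    # ramdisk is handed to that user first (squid:squid is the modern spelling
    # of the post's squid.squid).
    $RUN chown squid:squid "$CACHE_DIR"
    $RUN squid -z
}

load_modules() {
    for m in ip_tables iptable_nat iptable_filter ip_conntrack_ftp ip_nat_ftp ipt_state; do
        $RUN modprobe "$m"
    done
    # MASQUERADE forwards nothing unless routing between the two interfaces is on.
    $RUN sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

nat_rules() {
    $RUN iptables -F
    $RUN iptables -t nat -F
    # Internal hosts leave through the Internet interface with the firewall's address.
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # Transparent proxy: LAN requests to port 80 are redirected to squid's port.
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

filter_rules() {
    # Same policy on INPUT (traffic to the firewall itself) and FORWARD (traffic
    # through it). Matching NEW only is what keeps the last rule from dropping
    # the replies to connections the LAN and squid open towards the Internet.
    for chain in INPUT FORWARD; do
        $RUN iptables -A "$chain" -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
        $RUN iptables -A "$chain" -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
        $RUN iptables -A "$chain" -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
        $RUN iptables -A "$chain" -i "$WAN_IF" -m state --state NEW -j DROP
    done
}

main() {
    setup_ramdisk
    init_cache
    load_modules
    nat_rules
    filter_rules
    # Start squid only after the rules are in place (the post starts it before
    # loading /admin/myfirewall, which leaves a short unfiltered window at boot).
    $RUN squid
}

# Called from /etc/rc.local as "/admin/myautoexec.bat start"; "dry-run" only lists the commands.
case "${1:-}" in
    start)   main ;;
    dry-run) RUN=echo; main ;;
esac
```

Run it with dry-run first and read the printed rules before putting the start call into /etc/rc.local. Two points the post's truncated rules leave open: the "drop everything but port 80 from outside" rule must be restricted to new connections (-m state --state NEW, or --syn for TCP), otherwise it also drops the return packets of the LAN's own outbound connections, whose destination port is never 80; and the REDIRECT only works if squid's http_port is configured for interception (the transparent option in Squid 2.x, intercept in Squid 3.1 and later), which is an assumption about the squid.conf set up earlier in the post.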
