Re: Squid ???

 
Fiza
Occasional Contributor

Squid ???

I am using 2 NICs on my RH 8.0 Box. eth0 uses dynamic IP from Internet and eth1 uses static e.g. 192.168.0.1/24. Both cards are up and running. I configured

squid.conf as follows:

1) Networking Option:
http_port 3128
2) Access control
acl mynet src 192.168.0.0 255.255.255.0
-INSERT YOUR OWN RULES-
http_access allow mynet

How would I configure NAT for this scenario? I can get static IP from the ISP for eth0 if the helper recommends. Please also let me know if my squid.conf is ok.
Stuart Browne
Honored Contributor

Re: Squid ???

You've not really told us that clearly what you are trying to achieve.

Are you wanting this RH8 box to be a gateway to the Internet only?

Do you want this RH8 box to "Transparent Proxy" all web requests that go out?

As for your squid config, for the tiny portion shown, it looks ok, but the rest we'd have to see to give a real point of view.

As for the first two questions, IP Tables rules which look something similar to the following should help.

1)

iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0 -s 192.168.1.0/24
iptables -I FORWARD -j ACCEPT -i eth1 -o eth0
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED

Use the 'MASQUERADE' target (used for dynamically assigned real-world ip addresses) to allow all PC's on the internal network of 192.168.1.0/24 access to the Internet.

Also allow the inbound packets back in (the --state line) for connections initiated from inside the network.

If you are using an ACCEPT based FORWARD chain, then those two rules aren't needed.

2)

iptables -t nat -A PREROUTING -j REDIRECT -i eth1 -p tcp --dport 80 --to-ports 3128

or some such. Redirect all outbound traffic destined for port 80 (http traffic) to the local Squid proxy.
One long-haired git at your service...
U.SivaKumar_2
Honored Contributor

Re: Squid ???

Hi,

eth1 is your Internal Network Interface (since you use 192.168.0.x, which is a private pool).

eth0 will be your External interface getting Dynamically assigned public IP address from your ISP.


This rule is ok

acl mynet src 192.168.0.0 255.255.255.0

As the above rule speaks about a source access list, that is the 192.168.0.x network: since all internal clients in the internal network will be browsing the internet thru squid, the source IP address will be in 192.168.0.x.


If you want to access control the destination, then also you won't have any problem with DHCP.

acl blacklist dst www.xxx.com xx.xxx.xxx.xx www.ssdsds.com
http_access deny blacklist

There is no problem with your current squid.conf acl lists.

regards,
U.SivaKumar
Innovations are made when conventions are broken
Fiza
Occasional Contributor

Re: Squid ???

Thanks a lot for your response Mr. Browne and Kumar. I am replacing MS-Winproxy on Win2k with squid on RH8 at a cyber café. There are 48 clients all running win2k-pro. I was just able to configure the squid.conf but even the squid daemon was not starting, maybe because NAT wasn't configured properly. The RH8 box will be the network gateway, transparent proxy and DHCP (giving out 192.168.0.x). And of course a firewall. So, there is a lot of responsibility on this machine. As my problem is specified clearly now I'll be very thankful if you can help me out more precisely.
Stuart Browne
Honored Contributor

Re: Squid ???

Squid not starting will not have anything to do with your NAT rules not being in place.

To find out why Squid isn't starting, you'll need to check some things out.

1)

chkconfig --list squid

Make sure that beside 2,3,4,5 (usually) is the keyword 'on'. If it isn't, then issue:

chkconfig --level 2345 squid on
service squid start

2)

If the above is alright, you'll need to see what is in the Squid logs. On a RH8 system, the log you will need to check is '/var/logs/squid/cache.log'.

The issue with squid starting will be either the first point, or will be detailed in the log. Just reading through the log should tell you what needs to be done to fix that.

As for the overall situation, a combination of the lines put in my original post, along with some more advanced firewall rules should be enough to get things up and working.

Have you ever done any firewalling using 'iptables' under Linux before?
One long-haired git at your service...
Fiza
Occasional Contributor

Re: Squid ???

Thanks again Stuart for your concern. I did check logs and all that and there is nothing at all mentioned related to the failure. When I removed eth1 the daemon started. When I put it back it doesn't. There is nothing wrong with the hardware cos the same machine was giving results on Win2k. I am experienced with win2k and cisco but new to linux. I haven't used iptables or firewall on linux before. Any suggestion?
Fiza
Occasional Contributor

Re: Squid ???

BUNDLES OF THANX STUART. The machine is up and running and things are working fine. Squid started this time with both network ifs (still don't know what went wrong earlier, but after several restarts it's all well). Just one more favor. Win2k-pro would pick up the IP from the range of IP being used on the network. I am not sure if iptables has done something like DHCP. Do I need to configure DHCP separately or like NAT in win2k it becomes DHCP automatically? What exactly is iptables used for and what is Masquerading? How to verify the iptables is doing its job? What are the memory concerns (swap size) of a cache machine on linux? Thank you so much again even if you don't answer this time :)
Stuart Browne
Honored Contributor

Re: Squid ???

Umm.. whoa.. ok, lets see.

The 'cache.log' should have come up with an error of some description, even if it was something simple like "cannot talk to interface". I'm picking the reason why it wasn't working earlier was because the eth1 didn't have a valid IP address at the moment Squid tried starting.

As for the rest.. well, eek..

Quick lesson..

IP Tables is what's known as a Packet Filter. It is most often employed to do two functions, as a Firewall, and as a NAT tool.

It can be configured to be highly malleable, and with the right user-space tools can even be fully dynamic (am SO not going into that here!).

Most people, including you, just need to use the most basic parts of it.

The rules that were in the first post from me should be sufficient to do most of what you require.

As for memory requirements, with 48 PC's, if you've got more than 256MB, I'm picking you've got more than enough.

If you want your Linux box to be a 'dhcp server', then you will also need to configure '/etc/dhcpd.conf' (example in the /usr/share/doc/dhcpd-*/ somewhere), so that client PC's can also grab an IP dynamically. If you've already got a Win2K box doing this (that isn't going to go) then leave it as it is 'cause it's working.

To find out what is and is not going through the firewall (iptables) rules, there are a few things you can do. You can use the standard linux packet sniffer (tcpdump, or helper tools like ethereal), and also the LOG functions of IP Tables itself.

To find out more about IP Tables and how to make good firewalls, I suggest you go looking at the HOWTOs at www.netfilter.org. They go into great depth and detail about how things can be done, but also have some entry-level documents to get you started quickly.

Hope this helps. If there's something else, let us know. I'm sure people here will be willing to help for a few points thrown their way ;)
One long-haired git at your service...
U.SivaKumar_2
Honored Contributor

Re: Squid ???

Hi,

iptables can be used for firewalling and port redirecting.

In squid's case, you use iptables for transparent proxying, that is, using the port redirecting feature.

Now what is transparent proxying? With transparent proxying users need not configure their Internet browser with proxy server information. But they will be able to browse the internet transparently. For this to work you have to configure iptables redirection to squid's running port.

And put the squid server's internal ip address as default gateway in all your windows clients.
Run a DNS caching server on the squid server and point this squid internal ip address as DNS server in all windows clients.

So if a client tries to access www.hotmail.com, the client contacts the DNS server (squid server), gets the host's ip address and initiates a connection to the ip address on port 80.

Since the IP address of www.hotmail.com will certainly not be in the local network, the client sends the packet to its default gateway, the squid server.

The iptables in the squid server is configured in such a way that all packets it receives with destination port 80 are redirected to the squid port. So now the squid proxy will receive the request, connect to www.hotmail.com and deliver the content back to the requesting client.

For running squid proxy there is no need for iptables. In case you don't want to use transparent proxying, then there is no need for adding a default gateway in all clients.

You have to configure the proxy section of the web browser in all internal clients.

regards,
U.SivaKumar

Innovations are made when conventions are broken
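Stuart's NAT and REDIRECT rules and U.SivaKumar's description of transparent proxying, put together as one gateway script. This is an added example, not a script from anyone in the thread; it assumes eth0 faces the ISP, eth1 is the LAN 192.168.0.0/24 and Squid listens on 3128 on the gateway, and it goes beyond the posted rules by defaulting FORWARD to DROP, keeping port 3128 off the ISP side and adding the LOG rule Stuart mentions for checking what the firewall does.

```shell
#!/bin/sh
# Gateway + NAT + transparent-proxy ruleset for the thread's layout
# (constructed example, not the poster's own script). Assumed values:
# eth0 = ISP side (dynamic IP), eth1 = LAN 192.168.0.0/24, Squid on 3128.
# DRY_RUN=1 prints every command instead of running it, so the ruleset
# can be reviewed before it is applied to a live cyber-cafe gateway.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SQUID_PORT=${SQUID_PORT:-3128}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

apply_rules() {
    # Clean slate; nothing is forwarded unless a rule below allows it.
    run iptables -F
    run iptables -t nat -F
    run iptables -P FORWARD DROP

    # 1) NAT: MASQUERADE (not 'MASQ') is the target for a dynamic ISP address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2) Transparent proxy: LAN port-80 requests land on the local Squid port.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"

    # Squid is reachable from the LAN only; the ISP side is refused.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SQUID_PORT" -j DROP

    # Rate-limited LOG of what FORWARD drops; read the kernel log to verify
    # the rules are doing their job, as suggested in the thread.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # The kernel must be told to forward at all, or the chain sees nothing.
    run sysctl -w net.ipv4.ip_forward=1
}

# APPLY=1 applies the rules for real; DRY_RUN=1 only prints them.
if [ -n "$APPLY" ] || [ -n "$DRY_RUN" ]; then apply_rules; fi
```

Run as root with `APPLY=1 sh gateway.sh` (file name assumed) after checking the printed output of `DRY_RUN=1 sh gateway.sh`; `iptables -t nat -L -v -n` then shows the per-rule packet counters climbing as clients browse.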