HowTo setup a proxy for my home lan

fedix · 10-13-2007, 05:07 PM

I want to setup a Linux box with squid to act as a web cache/proxy server also controling access and restrict porno etc. to my LAN pc's.

I have 3 LAN pc's, and a DSL connetion to the internet

1) Do I need to install a second NIC to my Linux box?

2) If not (which I hope), what should the IP config be?

Code:

     ~~~~~~~~~~~~~~~~~~~~~~~
<--  ~(inet ip) DSL Router ~
     ~           (10.0.0.2)~
     ~~~~~~~~~~~~~~~~~~~~~~~
                         |
                      ~~~~~~~~~~~~~~~~~
                      ~(eth0 10.0.0.3)~
                      ~     squid box ~
                      ~~~~~~~~~~~~~~~~~
                              |
                           ~~~~~~~~~~~~~~
                           ~ eth Switch ~
                           ~ 10.0.0.x   ~
                           ~~~~~~~~~~~~~~
                               |       |
                          LAN client  LAN client

The clients: 10.0.0 x
Def Gateway: 10.0.0.2 (DSL router)
Proxy server: 10.0.0.3:3128 ?

Thanks

kc8khl · 10-13-2007, 06:12 PM

The easiest way to do it and not leave any loop holes is to setup a transparent proxy that forces the traffic through the squid proxy. To do this you'll need two nics in the linux box and you'll need to install iptables. You basically set up iptables to redirect all incoming traffic on port 80 to port 3128. Then all of your machines on the lan will use your squid box as their gateway.

Check out this howto:
http://tldp.org/HOWTO/TransparentProxy.html

It is easiest to have iptables and squid run on the same box, I can't seem to get the setup in section 6 to work. (Got a question posted on that below

) Let me know if you have any more questions about it.

Mark

(Oh yeah, and check out dansguardian for content filtering)

reachjohney · 10-15-2007, 04:31 AM

hi,

for basic squid proxy setup, install squid, open /etc/squid.conf and edit these lines
1.
visible_hostname <your_machine_name>
http_port 3128
2. delete this line.

http_access deny all

3. In browsers of client machines set proxy ip as the ip of the proxy machine, and set port as 3128

johney

fedix · 10-17-2007, 03:36 PM

Thanks reachjohney!

Can I do that without installing a second NIC?

What should my clients' ipconfigs then be? Gateway? ADSL router or Proxy box?

And then obvious proxy settings in their IE settings (proxy box IP:3128).

reachjohney · 10-18-2007, 10:03 AM

nay, i donot know a setup without two nic's.

with two nic's set the external interface ip in range with the subnet of external ip.

set the internal interface (nic) ip in range within subnet of internal ip. other things work fine with defaults.

if you are planning with larger netwworks do acquianted with maximum file size in memory, maximum file size in hardisk, min file size in memory etc enttries.

fedix · 11-02-2007, 01:36 AM

Thanks for all the great help.

But, ny setup isn't working. Please help.

I've installed a second NIC.
eth0 is set to static 10.0.0.1 255.0.0.0 DG 10.0.0.2 (the DSL router's IP) and connected to one of the ports on the DSL router.
eth1 is set to static 10.0.0.10 255.0.0.0 DG 10.0.0.2 and connected to the router of my local LAN (range 10.0.0.0/8)

The contents of my squid file looks like this:

Quote:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl home_network src 10.0.0.0/8
acl BadSites dstdomain "usr/local/etc/restricted-sites.squid"
acl ncsa_users proxy_auth REQUIRED

http_access allow ncsa_users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny BadSites
http_access allow home_network
http_access allow localhost
http_access deny all

icp_access allow all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

visible_hostname localhost

coredump_dir /var/spool/squid

I've left a lot of the settings on default. I've followed a lot of the recommendations from an article on Linux Home networking (http://www.linuxhomenetworking.com/w...ess_with_Squid).

My problems were:
1) I've lost internet connectivity from the squid box as well as from all the clients.
2) The squid's network config seemed as if it was losing an IP. When I ifconfiged, it showed as set above. After pinging several ips in my network, ifconfig suddenly reported eth1 as 169.254 ip (apipa address). How and/or why does eth1's static IP get changed to an APIPA address?
3) Is my default gateway correct as being the DSL router (10.0.0.2).
4) Should the proxy settings in my clients browsers be eth1 (internal) or eth0 (dsl router)?
5) Do I need to set iptables and firewall as described in above article? I don't need to use transparant proxy?
6) Where do I change the hostname of my squid box, which is now set to localhost?
7) Will someone also confirm that my squid.conf is correct. I did setup the ncsa_authorisations.

Thanks for all the help so long.

onebuck · 11-02-2007, 09:34 AM

Hi,

First as root from the cli;

Code:

~#ifconfig -a                    #get known devices
~#route -n                       #get the route table

The above commands will show you where you are going now. The wrong way!

Looks like the server(proxy) should be connected to the DSL with eth0 and the eth1 should go to the LAN. Make sure to plug eth1 into the router LAN ports not the WAN.

You will need to enable masquerading, you can use this guide.

Quote:

excerpt from IP Masquerading/Utilities/IPtables;

Under Linux kernel 2.4.x, packet mangling has considerably changed. This includes the masquerading, firewalling, and port forwarding features. This document assumes you're using modules, if you're not, disregard the code in the following script that tests for the loaded module. The following is a self contained script that enables and sets basic masquerading (assuming kernel kernel support already exists) at boot time. You may use this example, or modify existing init scripts to include the code.

You can look at the code snippet to see what you need to adapt.

Once you have the NAT working then you can modify for the proxy. A simple LQ search or GOOGLE will get you loads of howto and setup information. Use it!

lsteacke · 11-02-2007, 09:55 AM

Fedix are you planning on configuring the browsers on each of the PC's on the LAN to proxy to your squid box? Or are you going to set the default gateway of all your machines to your squid box and use iptables to redirect traffic to port 3128? Next what does the non dsl-router config look like? I'm assuming this is what is causing eth1 to lose the static ip.

As for setting a new hostname, you can do that any number of ways starting with editing etc/hosts.

You could also try in etc/sysconfig/network and look for
HOSTNAME=

or try the hostname command
hostname [new hostname] (this is only temporary however)

Your squid config looks fine btw, I think this may be a topology configuration issue.

reachjohney · 11-03-2007, 01:23 AM

hi,

I scanned your configuration, and feel theres some problem. I assume You wrote DG for gateway.

I am speaking in terms of the configuration schema i am using in my 50+ lab, but alternate schemes may work better.
1. Donot put Dg for the internal lan card, eth1 put it blank
2.I think the second nics dg should be set to the ip given by your service provider. If thats the ip given to the router then it will be okay.
3. Forward traffic from external nic to internal nic using masquerading . Put the code in rc.local file, thats easy.

Apart from these configuration changes ,have a look at the squid.conf file. change the http_access deny all line to http_access deny none. change visible_hostname localhost to visible_hostname <my_system_name> where my_system_name is the name of your system.

Do let me know if it works / not works

fedix · 11-03-2007, 05:18 AM

Thanks everybody!

It looks as if the APIPA changes has gone. My eth0 & 1 now "stay" on its set static addresses.

onebuck :

Quote:

You will need to enable masquerading, you can use this guide.

Do I need to? Can I do the same with iptables as discussed in http://www.linuxhomenetworking.com/w...ss_with_Squid? Thats the only thing I didnt apply in my squid installation.
------------------
lsteacke :

Quote:

Fedix are you planning on configuring the browsers on each of the PC's on the LAN to proxy to your squid box? Or are you going to set the default gateway of all your machines to your squid box and use iptables to redirect traffic to port 3128?

Don't know. Which is the best? The default gateway (DG) of my machines is currently set to the DSL router (10.0.0.2 of above config). This is the one part I still don't get right.
-------------------
reachjohney :

Quote:

2.I think the second nics dg should be set to the ip given by your service provider.

My DSL router gets a dynamic IP when authenticating to my internet service provider. But the lan side of the DSL router is set to 10.0.0.2. Can 10.0.0.2 then be the DG? It worked that way before squid.

I've read the masquearading document (http://linux.ardynet.com/ipmasq/ipmasq.php3) but don't know which to use?
1) Must I first download and install masquerade, or is it part of the kernell?
2) Do I use "Simple IPTABLES masquerade commands" sample, or other samples?
3) I also do want to implement a firewall for security. Is the firewall of masquerading (Ipfwadm) sufficient?

Sorry of I sound stupid,