LinuxQuestions.org
Old 10-13-2007, 04:07 PM   #1
fedix
Member
 
Registered: Oct 2005
Location: Mpumalanga, South Africa
Distribution: Fedora / CentOS 5 / Ubuntu
Posts: 100

HowTo set up a proxy for my home LAN


I want to set up a Linux box with squid to act as a web cache/proxy server, also controlling access and restricting porn etc. for my LAN PCs.

I have 3 LAN PCs and a DSL connection to the internet.

1) Do I need to install a second NIC to my Linux box?

2) If not (which I hope), what should the IP config be?
Code:
     ~~~~~~~~~~~~~~~~~~~~~~~
<--  ~(inet ip) DSL Router ~
     ~           (10.0.0.2)~
     ~~~~~~~~~~~~~~~~~~~~~~~
                         |
                      ~~~~~~~~~~~~~~~~~
                      ~(eth0 10.0.0.3)~
                      ~     squid box ~
                      ~~~~~~~~~~~~~~~~~
                              |
                           ~~~~~~~~~~~~~~
                           ~ eth Switch ~
                           ~ 10.0.0.x   ~
                           ~~~~~~~~~~~~~~
                               |       |
                          LAN client  LAN client
The clients: 10.0.0.x
Def Gateway: 10.0.0.2 (DSL router)
Proxy server: 10.0.0.3:3128 ?

Thanks
 
Old 10-13-2007, 05:12 PM   #2
kc8khl
LQ Newbie
 
Registered: May 2004
Location: Columbus, Ohio
Distribution: Gentoo, Ubuntu
Posts: 5

Squid and IPTables

The easiest way to do it and not leave any loopholes is to set up a transparent proxy that forces the traffic through the squid proxy. To do this you'll need two NICs in the Linux box and you'll need to install iptables. You basically set up iptables to redirect all incoming traffic on port 80 to port 3128. Then all of your machines on the LAN will use your squid box as their gateway.

Check out this howto:
http://tldp.org/HOWTO/TransparentProxy.html

It is easiest to have iptables and squid run on the same box; I can't seem to get the setup in section 6 to work. (Got a question posted on that below.) Let me know if you have any more questions about it.

Mark

(Oh yeah, and check out dansguardian for content filtering)

Last edited by kc8khl; 10-13-2007 at 05:15 PM.
 
Old 10-15-2007, 03:31 AM   #3
reachjohney
LQ Newbie
 
Registered: Sep 2007
Location: kottayam
Distribution: Fedora core 6
Posts: 6

Basic squid proxy setup

hi,

For a basic squid proxy setup, install squid, open /etc/squid.conf and edit these lines:

1. Set
   visible_hostname <your_machine_name>
   http_port 3128

2. Delete this line:
   http_access deny all

3. In the browsers of the client machines, set the proxy IP to the IP of the proxy machine and set the port to 3128.

johney
 
Old 10-17-2007, 02:36 PM   #4
fedix
Member
 
Registered: Oct 2005
Location: Mpumalanga, South Africa
Distribution: Fedora / CentOS 5 / Ubuntu
Posts: 100

Original Poster
Squid Config

Thanks reachjohney!

Can I do that without installing a second NIC?

What should my clients' ipconfigs then be? Gateway? ADSL router or Proxy box?

And then obvious proxy settings in their IE settings (proxy box IP:3128).
 
Old 10-18-2007, 09:03 AM   #5
reachjohney
LQ Newbie
 
Registered: Sep 2007
Location: kottayam
Distribution: Fedora core 6
Posts: 6

squid proxy

Nay, I do not know a setup without two NICs.

With two NICs, set the external interface IP in range with the subnet of the external IP.

Set the internal interface (NIC) IP in range within the subnet of the internal IP. Other things work fine with defaults.

If you are planning for larger networks, get acquainted with the maximum file size in memory, maximum file size on hard disk, minimum file size in memory etc. entries.
 
Old 11-02-2007, 12:36 AM   #6
fedix
Member
 
Registered: Oct 2005
Location: Mpumalanga, South Africa
Distribution: Fedora / CentOS 5 / Ubuntu
Posts: 100

Original Poster
Squid still not working :--<

Thanks for all the great help.

But my setup isn't working. Please help.

I've installed a second NIC.
eth0 is set to static 10.0.0.1 255.0.0.0 DG 10.0.0.2 (the DSL router's IP) and connected to one of the ports on the DSL router.
eth1 is set to static 10.0.0.10 255.0.0.0 DG 10.0.0.2 and connected to the router of my local LAN (range 10.0.0.0/8)

The contents of my squid file looks like this:
Quote:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl home_network src 10.0.0.0/8
acl BadSites dstdomain "usr/local/etc/restricted-sites.squid"
acl ncsa_users proxy_auth REQUIRED

http_access allow ncsa_users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny BadSites
http_access allow home_network
http_access allow localhost
http_access deny all

icp_access allow all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

visible_hostname localhost

coredump_dir /var/spool/squid

I've left a lot of the settings on default. I've followed a lot of the recommendations from an article on Linux Home networking (http://www.linuxhomenetworking.com/w...ess_with_Squid).

My problems were:
1) I've lost internet connectivity from the squid box as well as from all the clients.
2) The squid's network config seemed as if it was losing an IP. When I ifconfiged, it showed as set above. After pinging several ips in my network, ifconfig suddenly reported eth1 as 169.254 ip (apipa address). How and/or why does eth1's static IP get changed to an APIPA address?
3) Is my default gateway correct as being the DSL router (10.0.0.2)?
4) Should the proxy settings in my clients' browsers be eth1 (internal) or eth0 (DSL router)?
5) Do I need to set up iptables and a firewall as described in the above article? I don't need to use a transparent proxy?
6) Where do I change the hostname of my squid box, which is now set to localhost?
7) Will someone also confirm that my squid.conf is correct? I did set up the ncsa_auth authorisations.

Thanks for all the help so long.
 
Old 11-02-2007, 08:34 AM   #7
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,203
Hi,

First, as root from the CLI:

Code:
~# ifconfig -a      # get known devices
~# route -n         # get the route table
The above commands will show you where you are going now. The wrong way!

Looks like the server(proxy) should be connected to the DSL with eth0 and the eth1 should go to the LAN. Make sure to plug eth1 into the router LAN ports not the WAN.

You will need to enable masquerading, you can use this guide.

Quote:
excerpt from IP Masquerading/Utilities/IPtables;

Under Linux kernel 2.4.x, packet mangling has considerably changed. This includes the masquerading, firewalling, and port forwarding features. This document assumes you're using modules; if you're not, disregard the code in the following script that tests for the loaded module. The following is a self-contained script that enables and sets basic masquerading (assuming kernel support already exists) at boot time. You may use this example, or modify existing init scripts to include the code.
You can look at the code snippet to see what you need to adapt.

Once you have the NAT working then you can modify for the proxy. A simple LQ search or GOOGLE will get you loads of howto and setup information. Use it!

Last edited by onebuck; 11-02-2007 at 08:53 AM. Reason: false enter
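A ruleset for the two-NIC transparent-proxy layout described in #2 together with the masquerading #7 refers to, as an added example that is not from the thread or from the HOWTOs linked above: eth0 faces the DSL router, eth1 faces the LAN, and the LAN is assumed to sit on a subnet of its own (constructed 192.168.1.0/24) rather than sharing the router's 10.0.0.0/8. By default it only prints the iptables commands; run it as root with IPT=iptables SYSCTL=sysctl to apply them.

```sh
#!/bin/sh
# Constructed example for the topology in this thread (not any poster's own script).
# Dry run by default: the commands are echoed. Apply with:  IPT=iptables SYSCTL=sysctl sh proxy-nat.sh
WAN_IF=${WAN_IF:-eth0}              # cable to the DSL router's LAN port
LAN_IF=${LAN_IF:-eth1}              # cable to the LAN switch
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed LAN subnet, distinct from the router's 10.0.0.0/8
SQUID_PORT=${SQUID_PORT:-3128}
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}

proxy_rules() {
    # Forward nothing by default; only the flows listed below pass through the box.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING

    # Replies to connections the LAN opened are allowed back in.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Non-web traffic from the LAN is routed out and masqueraded behind eth0's address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Web traffic from the LAN is diverted into squid on this box instead of being forwarded;
    # the REDIRECT happens before routing, so these packets never reach the FORWARD chain.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Only the LAN side may talk to the squid port; the router side never should.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$SQUID_PORT" -j DROP
}

# The kernel must be told to route between the two NICs at all.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

enable_forwarding
proxy_rules
```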
 
Old 11-02-2007, 08:55 AM   #8
lsteacke
Member
 
Registered: Jul 2007
Distribution: Ubuntu
Posts: 99

Fedix, are you planning on configuring the browsers on each of the PCs on the LAN to proxy to your squid box? Or are you going to set the default gateway of all your machines to your squid box and use iptables to redirect traffic to port 3128? Next, what does the non-DSL-router config look like? I'm assuming this is what is causing eth1 to lose the static IP.

As for setting a new hostname, you can do that any number of ways, starting with editing /etc/hosts.

You could also try /etc/sysconfig/network and look for
HOSTNAME=

or try the hostname command:
hostname [new hostname] (this is only temporary, however)

Your squid config looks fine btw, I think this may be a topology configuration issue.
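Squid walks the http_access lines top to bottom and the first line whose ACLs all match decides, so the position of "allow ncsa_users" at the very top of the config posted in #6 matters as much as the deny lines below it. The following added example (not from the thread) replays that first-match logic over a copy of that section and over one possible reordering; the ACL names a request "matches" are supplied by hand, since only the rule order, not the ACL definitions, is being exercised.

```sh
#!/bin/sh
# Constructed example (not from the thread): replays squid's first-match http_access evaluation.
# Authenticated requests only; the 407 challenge squid sends for missing credentials is not modelled.

# Copy of the http_access section posted in #6 (constructed input for this script).
POSTED='http_access allow ncsa_users
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny BadSites
http_access allow home_network
http_access allow localhost
http_access deny all'

# Same rules with "allow ncsa_users" moved below the deny lines (one possible reordering).
REORDERED=$(printf '%s\n' "$POSTED" | awk '
    /allow ncsa_users/   { next }
    /allow home_network/ { print "http_access allow ncsa_users" }
    { print }')

# decide "acl names the request matches" < config
# A line fires when every ACL on it matches (a leading ! negates one); the first firing
# line decides and nothing below it is consulted. "all" matches every request.
decide() {
    awk -v hits="$1" '
        BEGIN { n = split(hits, h, " "); for (i = 1; i <= n; i++) M[h[i]] = 1; done = 0 }
        $1 == "http_access" && !done {
            fires = 1
            for (i = 3; i <= NF; i++) {
                name = $i; neg = 0
                if (substr(name, 1, 1) == "!") { neg = 1; name = substr(name, 2) }
                hit = (name in M) ? 1 : 0
                if (neg) hit = !hit
                if (!hit) { fires = 0; break }
            }
            if (fires) { done = 1; print $2, "(line " NR ": " $0 ")" }
        }
        END { if (!done) print "deny (no line matched)" }'
}
# An authenticated LAN user requesting a domain listed in BadSites, under both orders:
BAD="ncsa_users home_network Safe_ports BadSites all"
printf '%s\n' "$POSTED"    | decide "$BAD"
printf '%s\n' "$REORDERED" | decide "$BAD"
# The same user opening a CONNECT tunnel to a port that is in Safe_ports but not SSL_ports:
TUN="ncsa_users home_network Safe_ports CONNECT all"
printf '%s\n' "$POSTED"    | decide "$TUN"
printf '%s\n' "$REORDERED" | decide "$TUN"
```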
 
Old 11-03-2007, 12:23 AM   #9
reachjohney
LQ Newbie
 
Registered: Sep 2007
Location: kottayam
Distribution: Fedora core 6
Posts: 6

hi,

I scanned your configuration, and feel there's some problem. I assume you wrote DG for gateway.

I am speaking in terms of the configuration schema i am using in my 50+ lab, but alternate schemes may work better.
1. Do not put a DG for the internal LAN card, eth1; leave it blank.
2. I think the second NIC's DG should be set to the IP given by your service provider. If that's the IP given to the router then it will be okay.
3. Forward traffic from the external NIC to the internal NIC using masquerading. Put the code in the rc.local file; that's easy.

Apart from these configuration changes, have a look at the squid.conf file. Change the http_access deny all line to http_access deny none. Change visible_hostname localhost to visible_hostname <my_system_name> where my_system_name is the name of your system.

Do let me know if it works / not works
 
Old 11-03-2007, 04:18 AM   #10
fedix
Member
 
Registered: Oct 2005
Location: Mpumalanga, South Africa
Distribution: Fedora / CentOS 5 / Ubuntu
Posts: 100

Original Poster
Replies

Thanks everybody!

It looks as if the APIPA changes have gone. My eth0 & eth1 now "stay" on their set static addresses.

onebuck :
Quote:
You will need to enable masquerading, you can use this guide.
Do I need to? Can I do the same with iptables as discussed in http://www.linuxhomenetworking.com/w...ss_with_Squid? That's the only thing I didn't apply in my squid installation.
------------------
lsteacke :
Quote:
Fedix are you planning on configuring the browsers on each of the PC's on the LAN to proxy to your squid box? Or are you going to set the default gateway of all your machines to your squid box and use iptables to redirect traffic to port 3128?
Don't know. Which is the best? The default gateway (DG) of my machines is currently set to the DSL router (10.0.0.2 of above config). This is the one part I still don't get right.
-------------------
reachjohney :
Quote:
2.I think the second nics dg should be set to the ip given by your service provider.
My DSL router gets a dynamic IP when authenticating to my internet service provider. But the LAN side of the DSL router is set to 10.0.0.2. Can 10.0.0.2 then be the DG? It worked that way before squid.

I've read the masquerading document (http://linux.ardynet.com/ipmasq/ipmasq.php3) but don't know which to use:
1) Must I first download and install masquerade, or is it part of the kernel?
2) Do I use the "Simple IPTABLES masquerade commands" sample, or other samples?
3) I also do want to implement a firewall for security. Is the firewall of masquerading (ipfwadm) sufficient?

Sorry if I sound stupid,