I just replaced a MS NT 4.0 SBS server with RedHat 8.0.

Everything is great EXCEPT I cannot figure out how to replace the internet proxy functionality that the old server had.

My client has 12 Win2K workstations that need to access the web AND POP email through a dial-up modem on the server on demand.

I set up Squid and that works for the web but not for POP.

Is there something else I should be doing to allow this type of access?

Whatever the solution is it needs to autodial when there is a need for internet service.

I REALLY don't want to go back to MS

So what you are saying is that the client machines need to get their pop based email through the proxy? Or is the proxy machine to double as a pop server itself? I can help you here but I need a little more info..

The autodial feature is a mouse click in Kppp.
I operate two dial-up based squid servers at home..

The clients are trying to access an ISP POP server.

The Linux box will NOT be a POP server.

With the old server setup, the workstations would start their web browser or POP email client and were configured to go through the WinNT 4.0 server as an internet proxy.

The server would autodial the ISP and the workstaiton would have access to the internet for browsing or POP.

Multiple workstations could access the internet at the same time. (This would be slow with the dial-up line but it's what the client can afford and wants)

Squid can (as far as I'm aware) only proxy web traffic - not POP traffic.

What IP addressing are you using on the LAN? If it's private (RFC 1918) addressing, then you can use IP Masquarding on the linux box to allow the internal hosts to directly access the ISP's POP server.

Yes that is what I'm thinking.

Everything I've been able to find and my experience with trying this says that Squid only works with web traffic.

I've considered IP masquerading but I'm unsure if I will be able to initiate an autodial on demand.

Is there anything else that I should be looking at?

A SOCKS proxy?

Something else?

Doesn't squid have an addin/plugin/configuration/module/extra thingy to proxy mail?

SOCKS is just a type of proxy, I think you can set up squid to be SOCKS compliant?

dial on demand can be set up to work with IP masquerading.

Squid CAN be set up to be SOCKS compliant. As for pop forwarding, why not just forward port 110 to and from the LAN via the routing tables/firewall. Iptables can bounce pop3 email anywhere you would like.

I am now setting up iptables for masquerading to accomplish this.

I followed the HOW-TO located at http://www.linuxhomenetworking.com/i...m#_Toc32287197 with modifications to match my site.

I am getting mixed results.

I can do nslookups to the ISP DNS server.

I can ping internet servers.

I CANNOT access the web with a browser.

I CANNOT access my ISP POP server.

ARRGGHHH!!!!!

my iptables init script is as follows:

#!/bin/bash
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
#---------------------------------------------------------------
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
#---------------------------------------------------------------
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------
#iptables --policy INPUT DROP
#iptables --policy OUTPUT DROP
#iptables --policy FORWARD DROP
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth0 is the private network interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -p all -s 10.0.0.0/24 -i eth0
iptables -A OUTPUT -j ACCEPT -p all -d 10.0.0.0/24 -o eth0
#---------------------------------------------------------------
# Load the NAT module
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Allow masquerading
# Enable routing by modifying the ip_forward /proc filesystem file
# - Interface ppp0 is the internet interface
# - Interface eth0 is the private network interface
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o ppp0 -s 10.0.0.0/24 -d 0/0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------------
iptables -A FORWARD -t filter -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

HELP!

Ok, since a few of the entries in your script made very little sense to me (I am no iptables expert btw), I figured I would post my recently created and highly successful script as a good example. It is production tested and works great. Hope it helps....

#!/bin/sh
#
# This is a basic locked-down Iptables firewall. Written February 20th 2003 by Pcghost.
# Distribute freely under the terms of the GPL.
#
# Shutting Down the firewall!!
#
/etc/init.d/iptables stop
#
# Firewall Disabled..
#
# Deleting old iptables rule file from /etc/sysconfig/
rm /etc/sysconfig/iptables
#
# Flushing Current Firewall Rules From Memory!
iptables -F
#
# Begin new ruleset creation...
#---------------------------------------------------------------------------------------------------
# Define variables/interfaces here..
EXTINT="ppp0"
LOOP="lo"
INTINT="eth0"
INTRA="192.168.66.0/24"
SARUMAN="192.168.66.6"
#-------Done----------------------------------------------------------------------------------------
#
# Enabling Port Forwarding Support Module in Kernel...
echo 1 > /proc/sys/net/ipv4/ip_forward
#
#------Done-----------------------------------------------------------------------------------------
#
# Establishing default policies for the various tables.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
#------Done-----------------------------------------------------------------------------------------
#
# Set firewall to allow all local traffic.
iptables -A INPUT -i $LOOP -j ACCEPT
iptables -A OUTPUT -i $LOOP -j ACCEPT
#
#------Done----------------------------------------------------------------------------------------
#
# Allow all traffic between Server and Internal Network.
iptables -A INPUT -i $INTINT -s $INTRA -j ACCEPT
iptables -A OUTPUT -o $INTINT -d $INTRA -j ACCEPT
#
#------Done-----------------------------------------------------------------------------------------
# Explicitly allow Pcanywhere connections on ports 5631tcp and 5632udp. COMMENTED FOR SECURITY CONCERNS.
# UNCOMMENT TO ENABLE.
#iptables -A INPUT -p UDP -i $EXTINT -s 0/0 --destination-port 5632 -j ACCEPT
#iptables -A INPUT -p TCP -i $EXTINT -s 0/0 --destination-port 5631 -j ACCEPT
#
#-----Done--------------------------------------------------------------------------------------------
#
# Allow routing of connections from internal network to the Internet.
iptables -A OUTPUT -o $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $INTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#-----Done--------------------------------------------------------------------------------------------
#
# Explicitly allow forwarding of connections from Internet to LAN for ftp etc..
# NOT REQUIRED FOR SQUID FUNCTIONALITY.
iptables -A INPUT -i $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#-----Done-------------------------------------------------------------------------------------------
#
# Explicitly allow forwarding from LAN to Internet and back again..
# NOT REQUIRED FOR SQUID FUNCTIONALITY.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! $EXTINT -j ACCEPT
#
#-----Done-------------------------------------------------------------------------------------------
#
# Masquerade all outbound connections to the servers external IP address...
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
#
#-----Done-------------------------------------------------------------------------------------------
#
# Protect against "packet spoofing".
iptables -t nat -A PREROUTING -i $EXTINT -s 192.168.0.0/24 -j DROP
#
#-----Done-------------------------------------------------------------------------------------------
#
# Allow Squid Server to obtain DNS from Internet..
iptables -t nat -A OUTPUT -o $EXTINT -p udp --dport 53 -j ACCEPT
#
#-----Done--------------------------------------------------------------------------------------------
# Any additional port forwarding should be done here. An example is commented below..
#
# Section 1 - Prerouting instructions.
#
#iptables -t nat -A PREROUTING -p tcp --dport 25 -d $EXTIP -j DNAT --to-destination 192.168.66.6:25
#
# Section 2 - Forward table instructions.
#
#iptables -A FORWARD -p tcp --dport 25 -d $IPCLIENT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# Section 3 - Postrouting table instructions.
#
#iptables -t nat -A POSTROUTING -p tcp -d $IPCLIENT --dport 25 -j SNAT --to-source $INTIP
#
# Section 4 - Output table instructions.
#
#iptables -t nat -A OUTPUT -p tcp --dport 25 -d $EXTIP -j DNAT --to-destination $IPCLIENT:25
#
#-----Done--------------------------------------------------------------------------------------------------
#
# Allow Server to ping the outside world..
iptables -t filter -A OUTPUT -o $EXTINT -p icmp -j ACCEPT
#
#-----Done--------------------------------------------------------------------------------------------------
#
# TEMPORARILY ALLOW THE OUTSIDE TO PING THE SERVER FOR TESTING THE FIREWALL. COMMENT WHEN TESTING COMPLETE!
iptables -t filter -A INPUT -i $EXTINT -p icmp -j ACCEPT
#
#-----Done----------------------------------------------------------------------------------------------------
#
# Logging - To activate connection tracking and packet logging uncomment the following lines.
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP:"
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP:"
iptables -A FORWARD -j LOG --log-prefix "FORWARD_DROP:"
#
#-----Done----------------------------------------------------------------------------------------------------
#
# Saving all rules to /etc/sysconfig/iptables for implementation..
iptables-save > /etc/sysconfig/iptables
#
#-----Done----------------------------------------------------------------------------------------------------
#
# Starting the Firewall. Please stand back...:-)
/etc/init.d/iptables start
#
#----Done-----------------------------------------------------------------------------------------------------
# Don't forget to port scan to test the rules or go to pcflank.com and run the advanced test....
#
# End of Script....
#-------------------------------------------------------------------------------------------------------------

Dear Pcghost
Please tell us how to make squid demand dial, when a client tries to connect to internet.
I'll be grateful to you for the same.
Best Wishes.
ash.

I finally resolved this problem.

It was a Microsoft problem and NOT a Linux probelm. (Big supprise)

The client workstations still had the MS proxy CLIENT loaded on them and it was interfering with the connection to the Linux server.

Everything works fine now with the following iptables initialization script:

#!/bin/bash
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
#---------------------------------------------------------------
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
#---------------------------------------------------------------
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# If the Linux firewall is the caching DNS server for the network
# then allow outbound DNS queries from the FW and the replies too
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o ppp0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth0 is the private network interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -p all -s 10.0.0.0/24 -i eth0
iptables -A OUTPUT -j ACCEPT -p all -d 10.0.0.0/24 -o eth0
#---------------------------------------------------------------
# Load the NAT module
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Allow masquerading
# Enable routing by modifying the ip_forward /proc filesystem file
# - Interface ppp0 is the internet interface
# - Interface eth0 is the private network interface
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o ppp0 -s 10.0.0.0/24 -d 0/0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------------
iptables -A FORWARD -t filter -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#---------------------------------------------------------------
#iptables -A OUTPUT -j LOG
#iptables -A OUTPUT -j LOG
#iptables -A FORWARD -j LOG
#iptables -A INPUT -j LOG
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG

Thanks for all of the help.

Actually it is not squids responcibility to dial the internet in Red Hat 8. That duty belongs to kppp. If you select dial-on-demand in kppp anytime squid needs a connection it will make a port 80 request, triggering kppp to dial the internet.