LinuxQuestions.org
Old 06-05-2013, 05:34 AM   #1
s4starb4boy
LQ Newbie
 
Registered: Jun 2013
Posts: 20

Rep: Reputation: Disabled
Problem Deploying SQUID as Transparent Proxy Server on CentOS 6.4


Hi to all,
Well, I am a newbie here. I want to deploy Squid as a transparent proxy server. I've followed many tutorials but have been unable to find the solution to my problem. I mean I am able to browse the internet on the client machine, but I have to set up the proxy server address in my browser, and I also want to use Outlook Express to send and receive mail, but I couldn't. Let me show you my configuration.

DEVICE=eth0
HWADDR=00:27:0E:23:E3:E8
TYPE=Ethernet
UUID=94f80279-f5e2-42d4-ab0f-a58a10a5c6d8
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.1.51
NETMASK=255.255.255.0
GATEWAY=192.168.1.
---------------------------------------

DEVICE=eth1
HWADDR=00:0D:88:F7:66:55
TYPE=Ethernet
UUID=9cd8c9f5-a61e-4e0b-9e57-2b8b0b705d7a
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.0.253
NETMASK=255.255.255.0
-------------------------------------
/etc/squid/squid.conf

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl asg src 192.168.0.0/24
acl blocked_site url_regex -i src "/etc/squid/blocked_site.conf"
http_access deny blocked_site
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT





#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost


# And finally deny all other access to this proxy
http_access deny all
http_access allow asg



# Squid normally listens to port 3128
http_port 3128 intercept

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname asg.proxy.srv
---------------------------------------------
iptables configuration

# Generated by iptables-save v1.4.7 on Mon Jun 3 16:59:37 2013
*nat
:PREROUTING ACCEPT [886:92870]
:POSTROUTING ACCEPT [10:1367]
:OUTPUT ACCEPT [8:521]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.253:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Mon Jun 3 16:59:37 2013
# Generated by iptables-save v1.4.7 on Mon Jun 3 16:59:37 2013
*filter
:INPUT ACCEPT [161:46738]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7928:10036929]
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth1 -j ACCEPT
COMMIT
# Completed on Mon Jun 3 16:59:37 2013
-------------------------------
/etc/resolve.conf

# Generated by NetworkManager


# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
nameserver 8.8.8.8
-------------------------------------
/etc/networks

default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0
----------------------------------------
/etc/hosts
127.0.0.1 asg.proxy.srv localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
----------------------------------------
cat /proc/sys/net/ipv4/ip_forward
1
----------------------------------------

What other information do you need to fix my problem? Please let me know.

What do I want?
I want to browse the internet on the client machines without setting a proxy. In the above stated scenario I am able to use the internet on all clients successfully, but only with the proxy set in the browser. I've tried to give the gateway (192.168.0.253) on my clients, but no way. I also want to send and receive mail via Outlook Express (POP3). I can't; I mean I am unable to do so. Please guide me on how to set it up.
I can provide all the info you need to set it up; please help me.
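Squid evaluates http_access lines top to bottom and acts on the first line whose ACLs all match, so in the squid.conf above `http_access allow asg` sits after `http_access deny all` and can never fire (the clients are still admitted by `allow localnet`, which covers 192.168.0.0/16; post #7 later comments localnet out and moves `allow asg` ahead of the deny). As an added example, not code from the thread, this Python checker parses `acl ... src` definitions and replays the http_access walk for one client address, flagging rules shadowed by an unconditional `all` rule; the two conf excerpts are constructed from posts #1 and #7.

```python
"""Added example: replay Squid http_access evaluation for one client address.

Squid walks http_access lines top to bottom and acts on the first line whose
ACL terms all match; if nothing matches, the default is the opposite of the
last line. Only `acl NAME src CIDR...` and the built-in `all` are modelled
here; other ACL types (url_regex, port, method...) are reported as skipped
and treated as non-matching.
"""
import ipaddress

# Constructed excerpt of the squid.conf in post #1 (rule order preserved).
ORIGINAL_CONF = """
acl localhost src 127.0.0.1/32 ::1
acl asg src 192.168.0.0/24
acl blocked_site url_regex -i src "/etc/squid/blocked_site.conf"
http_access deny blocked_site
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localnet
http_access allow localhost
http_access deny all
http_access allow asg
"""

# Constructed excerpt of the revised conf in post #7: localnet commented out,
# `allow asg` moved ahead of the final deny.
REVISED_CONF = """
acl localhost src 127.0.0.1/32 ::1
acl asg src 192.168.0.0/24
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localhost
http_access allow asg
http_access deny all
"""


def parse_conf(text):
    """Return ({acl_name: [networks]}, [(action, [terms])]) in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()        # strip comments, tokenise
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            nets.extend(ipaddress.ip_network(c, strict=False) for c in parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def rule_text(action, terms):
    return f"{action} {' '.join(terms)}"


def evaluate(acls, rules, client_ip):
    """Return (decision, matching rule text or None, sorted skipped ACL names)."""
    ip = ipaddress.ip_address(client_ip)
    skipped = set()
    for action, terms in rules:
        matched = True
        for term in terms:
            negate, name = term.startswith("!"), term.lstrip("!")
            if name == "all":
                hit = True
            elif name in acls:
                hit = any(ip.version == n.version and ip in n for n in acls[name])
            else:
                skipped.add(name)          # ACL type not modelled: treated as a miss
                hit = False
            if hit == negate:              # plain term needs a hit, negated term needs a miss
                matched = False
                break
        if matched:
            return action, rule_text(action, terms), sorted(skipped)
    if not rules:
        return "deny", None, sorted(skipped)   # Squid denies when no http_access lines exist
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, None, sorted(skipped)


def unreachable_rules(rules):
    """Every http_access line after the first `allow all` / `deny all` is dead."""
    dead, terminal = [], False
    for action, terms in rules:
        if terminal:
            dead.append(rule_text(action, terms))
        elif terms == ["all"]:
            terminal = True
    return dead


if __name__ == "__main__":
    for label, conf in (("post #1", ORIGINAL_CONF), ("post #7", REVISED_CONF)):
        acls, rules = parse_conf(conf)
        print(label, evaluate(acls, rules, "192.168.0.111"), "dead:", unreachable_rules(rules))
```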
 
Old 06-05-2013, 07:46 PM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
Quote:
I want to browse internet on client machine without setting proxy in the above stated scenario I am able to use internet on all clients successfully but with the setting of proxy on browser.
my iptables rules have...
Code:
## --- INPUT CHAIN --- ##
	# Stateful inspection -- Allow packets in from connections already established

	$IPTABLES -A INPUT -i $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

## --- FORWARD CHAIN --- ##
#

	# Stateful inspection -- Forward in connections already established

	$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	# Forward out all traffic

	$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
## --- OUTPUT CHAIN --- ##
#

	# Follows policy

#
## --- NAT --- ##
#

	# Enable masquerade

	$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE

#
## -- Transparent proxy to Squid --- ##

	$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128

# Environment variables, change these values accordingly

	EXT_IF=eth0
	INT_IF=eth1
	INT_NET=10.0.0.15/8

	ANY=0.0.0.0/0

	IPTABLES=/sbin/iptables
	MODPROBE=/sbin/modprobe
just a snippet of my atomic.firewall.sh

There are some replicas here, but I think the order of running these rules matters (opening and closing doors and windows).

I think the last 2 rules are what's missing.

Hope this helps.

I don't know about Outlook, sorry.

Last edited by GlennsPref; 06-05-2013 at 07:48 PM. Reason: the point is...quote
 
Old 06-07-2013, 01:29 AM   #3
s4starb4boy
Original Poster
Thanks for your quick response to my query. I'll apply the settings and let you know the result.
 
Old 06-07-2013, 06:13 AM   #4
s4starb4boy
Original Poster
I've entered your commands in this order and the way you described, with no luck; it still only works with the settings. Well, is there any command to know whether requests made by any browser are reaching the Squid server, or how can we check if it is ready to listen to or entertain browser requests? Tell me and I'll show you its output.


iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT (done)


iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT (done)


iptables -A FORWARD -i eth1 -d 192.168.0.0/24 -j ACCEPT (done)


iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE (done)


iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 (done)


IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

Last edited by s4starb4boy; 06-07-2013 at 06:15 AM.
 
Old 06-07-2013, 08:14 PM   #5
GlennsPref
You don't have to use this bit; it just helps to explain the lines.
Quote:
# Environment variables, change these values accordingly

EXT_IF=eth0
INT_IF=eth1
INT_NET=10.0.0.15/8

ANY=0.0.0.0/0

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
Try some of these...
Ensure the redirector is running; check the squid service status and the log (atm my log is empty, but the command worked for the old copy at /var/log/squid/access.log.1).
Code:
sudo ps ax | grep squid
service squid status
sudo tail /var/log/squid/access.log
Squid may store the log someplace else; to find it, try
Code:
locate access.log
Check the iptables and port forward...

Check the FW nat chain PREROUTING for squid port activity:
Code:
sudo iptables -t nat -nvL
If the output is huge, try grep to see the lines you want to check:
Code:
sudo iptables -t nat -nvL | grep 3128
Hope this helps, Glenn

ps, have you seen this howto?

Last edited by GlennsPref; 06-07-2013 at 08:20 PM. Reason: link to helpful squid info
 
Old 06-07-2013, 08:28 PM   #6
GlennsPref
Quote:
...but I've to setup proxy server addres on my browser...
Your squid.conf does not refer to a server, just a port.
Quote:
# Squid normally listens to port 3128
http_port 3128 intercept
Take the server address from the browser and put it here. Stop and start squid.
Code:
service squid stop
service squid start
(service squid restart may not look for the new .conf, and just use the one that loaded at the last squid start.)

Just a tip.
 
Old 06-08-2013, 01:11 AM   #7
s4starb4boy
Original Poster
Again, no luck.

Here is the output of all configurations. I've changed the port setting as you said...

"Your squid.conf does not refer to a server, just a port.
Quote:
# Squid normally listens to port 3128
http_port 3128 intercept "

-----------------------------------------
now it is /etc/squid/squid.conf
-----------------------------------------

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl asg src 192.168.0.0/24
acl blocked_site url_regex -i src "/etc/squid/blocked_site.conf"
http_access deny blocked_site
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT





#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
http_access allow asg
# And finally deny all other access to this proxy
http_access deny all




# Squid normally listens to port 3128
http_port 192.168.0.253:3128 intercept

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname asg.proxy.srv
--------------------------------------------------------------------------------------------------------------------

-----------------------------------
sudo ps ax | grep squid
-----------------------------------

1929 ? Ss 0:00 squid -f /etc/squid/squid.conf
1931 ? S 0:01 (squid) -f /etc/squid/squid.conf
3240 pts/1 S+ 0:00 tail -f /var/log/squid/access.log
3498 pts/0 S+ 0:00 grep squid
-----------------------------------------------------------------------------------------------------------------------------

-----------------------------------
service iptables status
-----------------------------------
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 192.168.0.0/24 192.168.0.0/24 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
-----------------------------------------------------------------------------------------------------------------------------

--------------------------------------
sudo iptables -t nat -nvL
--------------------------------------

Chain PREROUTING (policy ACCEPT 610 packets, 80967 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 1 packets, 1500 bytes)
pkts bytes target prot opt in out source destination
648 40641 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 649 packets, 42141 bytes)
pkts bytes target prot opt in out source destination
----------------------------------------------------------------------------------------------------------------------------


--------------------------------------
sudo iptables -t nat -nvL | grep 3128
--------------------------------------
0 0 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

-----------------------------------------------------------------------------------------------------------------------------

-------------------------------
service squid status
-------------------------------

squid (pid 1931) is running...

-----------------------------------------------------------------------------------------------------------------------------

-------------------------------
The access.log file location is "/var/log/squid/access.log" and here is its output, which only works when I set up the proxy setting in any browser on a client machine.
-----------------------------------
tail -f /var/log/squid/access.log
-----------------------------------

1370662725.717 796 192.168.0.111 TCP_MISS/200 292627 GET http://upgrade.bitdefender.com/v2/re...d86499ec1.gzip - DIRECT/93.184.221.133 text/plain
1370662726.274 538 192.168.0.111 TCP_MISS/200 140488 GET http://upgrade.bitdefender.com/v2/re...eae426ae8.gzip - DIRECT/93.184.221.133 text/plain
1370662727.632 1254 192.168.0.111 TCP_MISS/200 178442 GET http://upgrade.bitdefender.com/v2/re...f1411b1ce.gzip - DIRECT/93.184.221.133 text/plain
1370662728.749 1079 192.168.0.111 TCP_MISS/200 341032 GET http://upgrade.bitdefender.com/v2/re...699a37f63.gzip - DIRECT/93.184.221.133 text/plain
1370662729.528 755 192.168.0.111 TCP_MISS/200 256213 GET http://upgrade.bitdefender.com/v2/re...c9ad9a87b.gzip - DIRECT/93.184.221.133 text/plain
1370662730.475 927 192.168.0.111 TCP_MISS/200 286104 GET http://upgrade.bitdefender.com/v2/re...885cb0b55.gzip - DIRECT/93.184.221.133 text/plain
1370662759.267 1652 192.168.0.111 TCP_MISS/200 60129 GET http://update5.mwti.net/sendinfo/dirlist.txt - DIRECT/193.45.10.144 text/plain
1370662761.195 1300 192.168.0.111 TCP_MISS/200 238588 GET http://update5.mwti.net/pub/update/vsign2.avs - DIRECT/193.45.10.144 text/plain
1370662797.496 264 192.168.0.111 TCP_CLIENT_REFRESH_MISS/200 376 HEAD http://update5.mwti.net/sendinfo/ - DIRECT/193.45.10.144 text/html
1370662797.779 264 192.168.0.111 TCP_MISS/200 582 GET http://update5.mwti.net/sendinfo/ - DIRECT/193.45.10.144 text/html

---------------------------------------------------------------------------------------------------------------------------

I am really thankful to you for showing concern to fix my problem. I've shown you all the output and configuration; if you still need something else, ask me and I'll provide it. I really want to fix this issue.
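As an added example, not code from the thread, here is a small Python checker for the counters Glenn asked for in post #5: it parses `iptables -t nat -nvL` output and reports whether the REDIRECT rule to port 3128 is matching anything. The sample listing is constructed from the output above, where the redirect on eth1 shows 0 packets while MASQUERADE has already handled 648, i.e. the clients' web traffic is not reaching the rule that would hand it to Squid.

```python
"""Added example: read `iptables -t nat -nvL` output and report whether the
Squid REDIRECT rule is actually matching packets.

The nat table only sees the first packet of each connection, so the pkts
column counts new connections. A redirect rule with 0 hits while MASQUERADE
is busy means no new port-80 TCP connections are entering on the interface
the rule matches (-i eth1 here), so Squid is never handed the connection and
the browser only works with an explicit proxy setting.
"""
import re

# Constructed from the `sudo iptables -t nat -nvL` output in post #7.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 610 packets, 80967 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 1 packets, 1500 bytes)
 pkts bytes target     prot opt in     out     source               destination
  648 40641 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 649 packets, 42141 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
COUNTER_RE = re.compile(r"^\d+[KMG]?$")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def count(tok):
    """iptables -v abbreviates large counters (12K, 3M, ...) unless -x is given."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)


def parse_nat_listing(text):
    """Return one dict per rule line, tagged with the chain it belongs to."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        parts = line.split()
        # Rule lines start with two counters; header and blank lines do not.
        if len(parts) < len(FIELDS) or not all(COUNTER_RE.match(p) for p in parts[:2]):
            continue
        rule = dict(zip(FIELDS, parts))
        rule["pkts"], rule["bytes"] = count(rule["pkts"]), count(rule["bytes"])
        rule["chain"] = chain
        rule["extra"] = " ".join(parts[len(FIELDS):])   # match and target options
        rules.append(rule)
    return rules


def diagnose(listing, proxy_port=3128):
    """Compare redirect/DNAT rules aimed at proxy_port with MASQUERADE activity."""
    rules = parse_nat_listing(listing)
    redirects = [
        (r["chain"], r["in"], r["pkts"]) for r in rules
        if r["target"] in ("REDIRECT", "DNAT")
        and (f"redir ports {proxy_port}" in r["extra"] or r["extra"].endswith(f":{proxy_port}"))
    ]
    masq = sum(r["pkts"] for r in rules if r["target"] == "MASQUERADE")
    findings = []
    if not redirects:
        findings.append(f"no REDIRECT/DNAT rule to port {proxy_port} in the nat table")
    for chain, iface, pkts in redirects:
        if pkts == 0:
            msg = f"{chain}: redirect to {proxy_port} (in={iface}) has 0 hits"
            if masq:
                msg += (f" while MASQUERADE has handled {masq} packets: no new port-80 TCP "
                        f"connections are entering on {iface}, so Squid never sees client traffic")
            findings.append(msg)
        else:
            findings.append(f"{chain}: redirect to {proxy_port} (in={iface}) matched {pkts} packets")
    return {"redirects": redirects, "masquerade_pkts": masq, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_NAT)["findings"]:
        print(line)
```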
 
Old 06-08-2013, 10:07 PM   #8
GlennsPref
I have no idea. I'll need to look it over a few (more) times......

Was the link enlightening in any way? http://www.linuxhomenetworking.com/w...arent_To_Users

Have you used the command "squid -z" to setup and/or confirm the cache_dir is ready?

(usually done on first install of squid, there are default settings, I set 4gig avail)
I'm concerned about the "cache_dir" line in your squid conf, here's what mine looks like....

I am currently trying different "ad blocks".....with squid and iptables (iproxy on a different machine)

/etc/squid/squid.conf
Code:
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl localhost src 10.0.0.0/8
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# adzap
redirect_program /usr/local/bin/squid_redirect

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128, added localhost 3/4/2013 and visible_hostname
#http_port 3128 transparent
http_port 127.0.0.1:3128 intercept connection-auth=off
http_port 10.0.0.15:3128 intercept connection-auth=off

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 4096 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
shutdown_lifetime 5 seconds
cache_effective_user squid
cache_effective_group squid
cache_mgr root@Squid.GlennsPref.net
visible_hostname Squid.GlennsPref.net
/etc/rc.d/init.d/atomic.firewall
Code:
#!/bin/sh
#
# Atomic IPTables firewall script v1.2
#
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
#
# Updated May 2003 for bandwidth shaping
#
# Ashton Mills
# amills@iinet.com.au

# Environment variables, change these values accordingly

	EXT_IF=eth0
	INT_IF=eth1
	INT_NET=10.0.0.15/8

	ANY=0.0.0.0/0

	IPTABLES=/sbin/iptables
	MODPROBE=/sbin/modprobe

#
## You shouldn't need to touch anything below here
#

# Load appropriate iptables modules, others will be loaded dynamically on demand

	$MODPROBE ip_tables
	$MODPROBE iptable_filter
	$MODPROBE ip_nat_ftp
	$MODPROBE ip_conntrack
	$MODPROBE ip_conntrack_ftp

# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)

	echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
	echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
	echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
	echo "1600 61000" > /proc/sys/net/ipv4/ip_local_port_range
	echo "1" > /proc/sys/net/ipv4/ip_dynaddr
	echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything

	$IPTABLES -F INPUT
	$IPTABLES -F OUTPUT
	$IPTABLES -F FORWARD
	$IPTABLES -t nat -F
	$IPTABLES -t mangle -F

#
## --- DEFAULT POLICY --- ##
#

	# Drop everything on INPUT and FORWARD chains, accept OUTPUT

	$IPTABLES -P INPUT DROP
	$IPTABLES -P FORWARD DROP
	$IPTABLES -P OUTPUT ACCEPT

#
## --- INPUT CHAIN --- ##
#nfs-server
	$IPTABLES -I INPUT -m conntrack --ctstate NEW -p tcp -m multiport --dport 111,892,2049,32803 -s 10.0.0.16/8 -j ACCEPT
 
	$IPTABLES -I INPUT -m conntrack --ctstate NEW -p udp -m multiport --dport 111,892,2049,32769 -s 10.0.0.16/8 -j ACCEPT
	# Allow Telstra hearbeat -- BPA users uncomment this

#	$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#	$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

	# Allow local net browsing avahi/Zeroconf

	$IPTABLES -A INPUT -p udp --sport 3128 -j ACCEPT
	$IPTABLES -A INPUT -p udp --sport 5353 -j ACCEPT
	
	# Allow bootp port -- Optus and some ADSL users need this

#	$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT


	# Allow access to services on this (the gateway) machine


	# SSH
	$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

	# Teamspeak
#	$IPTABLES -A INPUT -p udp --dport 8767 -j ACCEPT

	# Half Life server
	$IPTABLES -A INPUT -p udp --dport 27015 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 27010 -j ACCEPT

	# FTP
	$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
	$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

	# Bittorrent
	$IPTABLES -A INPUT -p tcp --dport 6881:6969 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 6881:6969 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 4444 -j ACCEPT

	# Accept all connections on local and internal interfaces

	$IPTABLES -A INPUT -i lo -j ACCEPT
	$IPTABLES -A INPUT -i $INT_IF -j ACCEPT

	# cups
	$IPTABLES -A INPUT -p tcp -m tcp --sport 631 -j ACCEPT

	# -m tcp / -m udp select the port match; -o takes an interface name, not a protocol
	$IPTABLES -A OUTPUT -p tcp -m tcp --dport 631 -j ACCEPT

	$IPTABLES -A INPUT -p udp -m udp --sport 631 -j ACCEPT

	$IPTABLES -A OUTPUT -p udp -m udp --dport 631 -j ACCEPT

	# Stateful inspection -- Allow packets in from connections already established

	$IPTABLES -A INPUT -i $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


	# Drop packets from invalid sources (reserved networks and localhost)

	$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
	$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP


	# Don't log igmp, web or ssl. More noise we don't need to log.

	$IPTABLES -A INPUT -p igmp -j DROP
	$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
	$IPTABLES -A INPUT -p tcp --dport 443 -j DROP


	# Log everything else

	$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "

#
## -- BANDWIDTH SHAPING  -- ##
#

#
# EGRESS (upstream)
#

	# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30

	# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
	$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10

	# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10

	# Place other games here
	# EVE online
#	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 26000 -j MARK --set-mark 10

	# ICMP (ping)
	$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10

	# SSH
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10

	# Web, SSL
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20

	# ACKs
	$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20

	#
	# No need for catchall for class 30, handled by HTB root qdisc initilisation
	#

#
# INGRESS (downstream)
#

	# Only prioritise class 10 traffic

	# Don't police high priority UDP, game, ping and SSH packets
	$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10

	# Place other games here
	# EVE online
#	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 26000 -j MARK --set-mark 10

	# Catchall, police everything else
	$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30

	#
	# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
	# for browsing as many P2P programs, not to mention your HTTP file downloads, will
	# flood the link unpoliced, causing delays with high priority (class 10) packets.
	# Shape HTTP going out, but let it be bulk coming in.
	#
	# Read the note at the end of the atomic.shaper script for more on INGRESS shaping.
	#

#
## --- FORWARD CHAIN --- ##
#

	# Stateful inspection -- Forward in connections already established

	$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


	#---------------------------------------------------------------
	# Allow outbound DNS queries from the FW and the replies too
	#
	# - Interface eth0 is the internet interface
	#
	# Zone transfers use TCP and not UDP. Most home networks
	# / websites using a single DNS server won't require TCP statements
	#
	#---------------------------------------------------------------

# Printer port
#
#	$IPTABLES -A INPUT -p udp -i eth0 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
#	$IPTABLES -A INPUT -p tcp -i eth1 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
#
#	$IPTABLES -A INPUT -p udp -i eth1 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
#	$IPTABLES -A INPUT -p tcp -i eth0 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
#
#
	$IPTABLES -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT

	$IPTABLES -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT


# Forwards for software running on Windows/Linux machines behind the firewall

	# Kazaa Lite (change destination IP accordingly)

#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest 10.0.0.15
#	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d 10.0.0.15 -j ACCEPT

	# Bittorrent

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6969 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6969 -d 10.0.0.15 -j ACCEPT

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 6881:6969 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 6881:6969 -d 10.0.0.15 -j ACCEPT

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 4444 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 4444 -d 10.0.0.15 -j ACCEPT

	# Forwards for hosting DirectPlay games

#	$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 47624 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 47624 -j DNAT --to-destination 10.0.0.15:47624
#	$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 2300:2400 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to-destination 10.0.0.15:2300-2400
#	$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp --dport 2300:2400 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to-destination 10.0.0.15:2300-2400


	# Forward out all traffic

	$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

#
## --- OUTPUT CHAIN --- ##
#
# List of ad server hostnames for use as iptables commands
#
# For more information about this list, see: http://pgl.yoyo.org/adservers/
# ----
# last updated:   Wed, 05 Jun 2013 15:13:51 GMT
# entries:        2546
# format:         iptables (iptables -- as list of iptables commands)
# credits:        Peter Lowe - pgl@yoyo.org - http://pgl.yoyo.org/
# this URL:       http://pgl.yoyo.org/adservers/serverlist.php?hostformat=iptables&showintro=1
# other formats:  http://pgl.yoyo.org/adservers/formats.php
#
#	$IPTABLES -A OUTPUT -o eth0 -d 101com.com -j REJECT
#	$IPTABLES -A OUTPUT -o eth0 -d 101order.com -j REJECT
#	$IPTABLES -A OUTPUT -o eth0 -d 103bees.com -j REJECT
#........2k lines removed for clarity, file here...primary URL: http://www.dshield.org/feeds/suspiciousdomains_High.txt
	# Follows policy

#
## --- NAT --- ##
#

	# Enable masquerade

	$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE

#
## -- Transparent proxy to Squid --- ##

	$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
talk soon. Glenn
 
Old 06-10-2013, 12:28 AM   #9
s4starb4boy
LQ Newbie
 
Registered: Jun 2013
Posts: 20

Original Poster
Rep: Reputation: Disabled
"
Have you used the command "squid -z" to setup and/or confirm the cache_dir is ready?

(usually done on first install of squid, there are default settings, I set 4gig avail)
I'm concerned about the "cache_dir" line in your squid conf, here's what mine looks like....
"
I didn't use this command "squid-z" I think it is for creating cache directory huh? I am using binary package I think so(not sure) it is self created while installing squid(again not sure). by the way could this be a reason? I've also read some article on the net saying thats to deploy squid as Transparet Proxy server we need to complie it from source code. is it true? why we cant use binary package to gain such capability? still searching the solution and waiting.......
 
Old 06-10-2013, 03:48 AM   #10
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
Quote:
I didn't use this command "squid-z" I think it i
It won't hurt to try. You may need to hit enter at the end to get your prompt back.

Quote:
I've also read some article on the net saying thats to deploy squid as Transparet Proxy server we need to complie it from source code. is it true?
I don't think it's true anymore. Old good information lives.
 
Old 06-12-2013, 12:03 AM   #11
s4starb4boy
LQ Newbie
 
Registered: Jun 2013
Posts: 20

Original Poster
Rep: Reputation: Disabled
Quote:
It won't hurt to try. You may need to hit enter at the end to get your prompt back.
[root@asg ~]# squid -z
2013/06/12 09:00:32| Squid is already running! Process ID 1924
----------------------------------------------------------------------------

Still not working....
 
Old 06-12-2013, 08:24 PM   #12
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
OK, you'll need to stop squid first, for squid -z,
Code:
service squid stop
squid -z
service squid status
restart squid if not running.

Another command I came across...
Code:
squid -k parse
squid -k parse shows the loading of squid.conf and any errors etc.
 
Old 06-13-2013, 03:22 AM   #13
s4starb4boy
LQ Newbie
 
Registered: Jun 2013
Posts: 20

Original Poster
Rep: Reputation: Disabled
Here is the output of the commands you gave me


[root@asg ~]# squid -z
2013/06/13 12:10:56| Creating Swap Directories
2013/06/13 12:10:56| /var/spool/squid exists
2013/06/13 12:10:56| /var/spool/squid/00 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/00
2013/06/13 12:10:56| /var/spool/squid/01 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/01
2013/06/13 12:10:56| /var/spool/squid/02 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/02
2013/06/13 12:10:56| /var/spool/squid/03 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/03
2013/06/13 12:10:56| /var/spool/squid/04 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/04
2013/06/13 12:10:56| /var/spool/squid/05 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/05
2013/06/13 12:10:56| /var/spool/squid/06 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/06
2013/06/13 12:10:56| /var/spool/squid/07 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/07
2013/06/13 12:10:56| /var/spool/squid/08 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/08
2013/06/13 12:10:56| /var/spool/squid/09 exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/09
2013/06/13 12:10:56| /var/spool/squid/0A exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/0A
2013/06/13 12:10:56| /var/spool/squid/0B exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/0B
2013/06/13 12:10:56| /var/spool/squid/0C exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/0C
2013/06/13 12:10:56| /var/spool/squid/0D exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/0D
2013/06/13 12:10:56| /var/spool/squid/0E exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/0E
2013/06/13 12:10:56| /var/spool/squid/0F exists
2013/06/13 12:10:56| Making directories in /var/spool/squid/0F
[root@asg ~]# squid -k parse
2013/06/13 12:11:14| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2013/06/13 12:11:14| Starting Authentication on port [::]:3128
2013/06/13 12:11:14| Disabling Authentication on port [::]:3128 (interception enabled)
2013/06/13 12:11:14| Disabling IPv6 on port [::]:3128 (interception enabled)
2013/06/13 12:11:14| Initializing https proxy context
[root@asg ~]#

but still unable to browse the internet without giving proxy settings in the browser.

I am not sure, but I think this problem is related to the iptables (netfilter) firewall. I've applied different rule sets one by one but none of them is working for me. Let me show you some of them I've recently applied and checked.

iptables-save
# Generated by iptables-save v1.4.7 on Thu Jun 13 12:17:04 2013
*filter
:INPUT ACCEPT [154907:7951467]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [284459:403259813]
COMMIT
# Completed on Thu Jun 13 12:17:04 2013
# Generated by iptables-save v1.4.7 on Thu Jun 13 12:17:04 2013
*nat
:PREROUTING ACCEPT [862:116609]
:POSTROUTING ACCEPT [54:5092]
:OUTPUT ACCEPT [195:13549]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.253:3128
-A POSTROUTING -o eth0 -p tcp -j MASQUERADE
COMMIT
# Completed on Thu Jun 13 12:17:04 2013

------------------------------------
netstat -antp | grep 80
tcp 0 0 0.0.0.0:35806 0.0.0.0:* LISTEN 1637/rpc.statd
tcp 0 0 192.168.1.51:45642 77.67.96.198:80 ESTABLISHED 2420/clock-applet
-------------------------------------
cat /proc/sys/net/ipv4/ip_forward
1
-------------------------------------
cat /etc/hosts
127.0.0.1 asg.proxy.srv localhost localhost.localdomain
-------------------------------------
hostname
asg.proxy.srv
-------------------------------------
cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
-----------------------------------------------------------

,, help help help help help please....
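The posted iptables-save output above contains two rules that explain a lot: the DNAT rule for port 80 sits behind a REDIRECT rule with an identical match, so it can never fire (REDIRECT is a terminating target), and the MASQUERADE rule carries "-p tcp", so client UDP traffic (DNS lookups, port 53) leaves the LAN un-NATed and browsers behind the box cannot resolve names even if port 80 is intercepted. The script below is an added example, not code from this thread: it lints an iptables-save dump for exactly those two mistakes and emits a minimal corrected nat table in iptables-restore syntax. The interface names (eth1 inside, eth0 outside), the port 3128 and the 192.168.0.253 address are assumptions copied from the posts above; the sample dump is constructed from the posted rules with counters zeroed, and nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save dump for the two
# transparent-proxy mistakes visible in the post above, then print a corrected
# nat table. Interface names, the 3128 port and 192.168.0.253 are assumptions
# taken from the thread; the output is text only, nothing is loaded.

# Constructed sample: the nat table as posted above (counters zeroed).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.253:3128
-A POSTROUTING -o eth0 -p tcp -j MASQUERADE
COMMIT'

# lint_nat_dump: read an iptables-save dump on stdin, print one finding per
# line, return 1 if anything was found (0 means the nat table looks clean).
lint_nat_dump() {
    awk '
        /^\*/          { table = substr($0, 2); next }
        table != "nat" { next }
        # REDIRECT is terminating: remember the match part of every REDIRECT rule.
        /^-A PREROUTING / && /-j REDIRECT/ {
            key = $0; sub(/ -j .*/, "", key); seen[key] = 1
        }
        # A later DNAT with the same match is dead: the packet never reaches it.
        /^-A PREROUTING / && /-j DNAT/ {
            key = $0; sub(/ -j .*/, "", key)
            if (key in seen) { n++; print "dead rule (match already REDIRECTed): " $0 }
        }
        # MASQUERADE limited to one protocol leaves client DNS (udp/53) and ICMP
        # with private source addresses, so they are dropped upstream.
        /^-A POSTROUTING / && /-j MASQUERADE/ && /-p (tcp|udp)/ {
            n++; print "masquerade limited to one protocol: " $0
        }
        END { exit (n > 0) }
    '
}

# make_nat_rules INT_IF EXT_IF: emit a minimal nat table that intercepts port 80
# from the LAN side only and source-NATs every protocol leaving the WAN side.
make_nat_rules() {
    int_if=$1; ext_if=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# only LAN clients are intercepted; traffic arriving on $ext_if is never redirected
-A PREROUTING -i $int_if -p tcp --dport 80 -j REDIRECT --to-ports 3128
# no -p here: tcp, udp (DNS) and icmp all need source NAT to leave the LAN
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
EOF
}

# Demo when run directly: lint the posted dump, then print the corrected table.
printf '%s\n' "$SAMPLE_DUMP" | lint_nat_dump || echo '-> fix the rules above; corrected table:'
make_nat_rules eth1 eth0
```

The generated table can be dry-run with `make_nat_rules eth1 eth0 | iptables-restore --test` on iptables versions that have the `--test` option, or loaded with `iptables-restore`. Two things the ruleset cannot fix on its own: the posted /etc/sysctl.conf still has `net.ipv4.ip_forward = 0`, so forwarding that was switched on with `echo 1 > /proc/sys/net/ipv4/ip_forward` is lost at reboot (set it to 1 there and run `sysctl -p`), and the clients must still point at a DNS server they can actually reach through the NAT.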
 
Old 06-13-2013, 05:50 AM   #14
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
My host file contains more...10.0.0.15 Squid.GlennsPref.net Squid
Code:
glenn@GamesBox:~  cat /etc/hosts  
# generated by drakconnect
127.0.0.1 GamesBox.GlennsPref.net GamesBox
127.0.0.1 localhost
10.0.0.15 Squid.GlennsPref.net Squid
10.0.0.13 DigiBox.GlennsPref.net DigiBox
glenn@GamesBox:~ 
Speaking of hosts, hosts.allow
Code:
glenn@GamesBox:~  cat /etc/hosts.allow
#
127.0.0.1       localhost local lo
127.0.0.1       GamesBox.GlennsPref.net GamesBox localhost
10.0.0.15       Squid.GlennsPref.net Squid
10.0.0.16       GamesBox.GlennsPref.net GamesBox
10.0.0.13       DigiBox.GlennsPref.net DigiBox
sysctl.conf... Mine has this set to 1, yours is 0 (off)
Code:
#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------

net/ipv4/ip_forward = 1
here is the rest of my /etc/sysctl.conf
Code:
glenn@GamesBox:~  cat /etc/sysctl.con            (13-06 19:48)
zsh: correct '/etc/sysctl.con' to '/etc/sysctl.conf' [nyae]? y
#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------

net/ipv4/ip_forward = 1


#---------------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------------

net/ipv4/icmp_echo_ignore_broadcasts = 1


#---------------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------------

net/ipv4/conf/all/rp_filter = 1

#---------------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------------

net/ipv4/conf/all/log_martians = 1

#---------------------------------------------------------------
# Disable redirects
#---------------------------------------------------------------

net/ipv4/conf/all/send_redirects = 0

#---------------------------------------------------------------
# Disable source routed packets
#---------------------------------------------------------------

net/ipv4/conf/all/accept_source_route = 0

#---------------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------------

net/ipv4/conf/all/accept_redirects = 0

#---------------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
#---------------------------------------------------------------

net/ipv4/tcp_syncookies = 1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_timestamps=1
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_all=0
net.ipv4.icmp_echo_ignore_broadcasts=0
net.ipv4.icmp_ignore_bogus_error_responses=1
glenn@GamesBox:~ 

I'm at a loss as to why your output in post one says,
Quote:
....
----------------------------------------
/etc/hosts
127.0.0.1 asg.proxy.srv localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
----------------------------------------
cat /proc/sys/net/ipv4/ip_forward
1
----------------------------------------

what info.....
but your sysctl has it off??

Also, squid -k parse outputs every line in squid.conf, and your output did not represent that, mine looks like this,
Code:
glenn@GamesBox:~  sudo squid -k parse                                                                                                 (13-06 20:02)
2013/06/13 20:03:03| Startup: Initializing Authentication Schemes ...
2013/06/13 20:03:03| Startup: Initialized Authentication Scheme 'basic'
2013/06/13 20:03:03| Startup: Initialized Authentication Scheme 'digest'
2013/06/13 20:03:03| Startup: Initialized Authentication Scheme 'negotiate'
2013/06/13 20:03:03| Startup: Initialized Authentication Scheme 'ntlm'
2013/06/13 20:03:03| Startup: Initialized Authentication.
2013/06/13 20:03:03| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2013/06/13 20:03:03| Processing: acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
2013/06/13 20:03:03| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2013/06/13 20:03:03| Processing: acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
2013/06/13 20:03:03| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2013/06/13 20:03:03| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2013/06/13 20:03:03| Processing: acl SSL_ports port 443
2013/06/13 20:03:03| Processing: acl Safe_ports port 80         # http
2013/06/13 20:03:03| Processing: acl Safe_ports port 21         # ftp
2013/06/13 20:03:03| Processing: acl Safe_ports port 443                # https
2013/06/13 20:03:03| Processing: acl Safe_ports port 70         # gopher
2013/06/13 20:03:03| Processing: acl Safe_ports port 210                # wais
2013/06/13 20:03:03| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2013/06/13 20:03:03| Processing: acl Safe_ports port 280                # http-mgmt
2013/06/13 20:03:03| Processing: acl Safe_ports port 488                # gss-http
2013/06/13 20:03:03| Processing: acl Safe_ports port 591                # filemaker
2013/06/13 20:03:03| Processing: acl Safe_ports port 777                # multiling http
2013/06/13 20:03:03| Processing: acl CONNECT method CONNECT
2013/06/13 20:03:03| Processing: acl localhost src 10.0.0.0/8
2013/06/13 20:03:03| Processing: http_access allow localhost manager
2013/06/13 20:03:03| Processing: http_access deny manager
2013/06/13 20:03:03| Processing: http_access deny !Safe_ports
2013/06/13 20:03:03| Processing: http_access deny CONNECT !SSL_ports
2013/06/13 20:03:03| Processing: http_access deny to_localhost
2013/06/13 20:03:03| Processing: redirect_program /usr/local/bin/squid_redirect
2013/06/13 20:03:03| Processing: http_access allow localnet
2013/06/13 20:03:03| Processing: http_access allow localhost
2013/06/13 20:03:03| Processing: http_access allow localhost
2013/06/13 20:03:03| Processing: http_port 127.0.0.1:3128 intercept connection-auth=off
2013/06/13 20:03:03| Starting Authentication on port 127.0.0.1:3128
2013/06/13 20:03:03| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2013/06/13 20:03:03| Disabling IPv6 on port 127.0.0.1:3128 (interception enabled)
2013/06/13 20:03:03| Processing: http_port 10.0.0.15:3128 intercept connection-auth=off
2013/06/13 20:03:03| Starting Authentication on port 10.0.0.15:3128
2013/06/13 20:03:03| Disabling Authentication on port 10.0.0.15:3128 (interception enabled)
2013/06/13 20:03:03| Disabling IPv6 on port 10.0.0.15:3128 (interception enabled)
2013/06/13 20:03:03| Processing: cache_dir ufs /var/spool/squid 4096 16 256
2013/06/13 20:03:03| Processing: coredump_dir /var/spool/squid
2013/06/13 20:03:03| Processing: refresh_pattern ^ftp:          1440    20%     10080
2013/06/13 20:03:03| Processing: refresh_pattern ^gopher:       1440    0%      1440
2013/06/13 20:03:03| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
2013/06/13 20:03:03| Processing: refresh_pattern .              0       20%     4320
2013/06/13 20:03:03| Processing: shutdown_lifetime 5 seconds
2013/06/13 20:03:03| Processing: cache_effective_user squid
2013/06/13 20:03:03| Processing: cache_effective_group squid
2013/06/13 20:03:03| Processing: cache_mgr root@Squid.GlennsPref.net
2013/06/13 20:03:03| Processing: visible_hostname Squid.GlennsPref.net
2013/06/13 20:03:03| Initializing https proxy context
glenn@GamesBox:~ 
I'm also using a package, squid-cachemgr

Last edited by GlennsPref; 06-13-2013 at 06:08 AM. Reason: More questions, not luck, something is wrong. squid -k parse
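One difference between the two parse outputs above is worth a check that `squid -k parse` itself does not make: the original poster's intercept listener is on `[::]:3128`, i.e. bound to every address of the box, while the reply binds its intercept ports to 127.0.0.1 and the LAN address 10.0.0.15. An intercept port bound to all addresses is reachable from the WAN-facing interface as well, and with only an intercept port there is no plain forward-proxy port left for cachemgr, squidclient or the browsers that are currently configured with an explicit proxy. The script below is an added example, not code from this thread or from the Squid project: it reads a squid.conf, flags intercept ports that are not bound to a specific address and the absence of a normal forward port. The two sample configurations are constructed, and the LAN address 192.168.0.253 is an assumption taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: lint the http_port
# lines of a squid.conf for an intercept listener that is bound to every
# address and for a missing forward-proxy port. The address 192.168.0.253 is
# an assumption taken from the thread.

# Constructed sample: the shape of the original poster's listener ([::]:3128).
BAD_CONF='http_port 3128 intercept
cache_dir ufs /var/spool/squid 100 16 256'

# Constructed sample: the shape used in the reply above, one forward port on
# loopback and the intercept port on the LAN address only.
GOOD_CONF='http_port 127.0.0.1:3128
http_port 192.168.0.253:3129 intercept connection-auth=off'

# lint_http_ports: read squid.conf on stdin, print one finding per line,
# return 1 if anything was found. Comment and blank lines are ignored.
lint_http_ports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 != "http_port"     { next }
        {
            ports++
            # intercept, transparent (old spelling) and tproxy are all interception modes
            mode = ($0 ~ /[ \t](intercept|transparent|tproxy)([ \t]|$)/) ? "intercept" : "forward"
            if (mode == "forward") forward++
            # $2 is "port", "addr:port" or "[v6addr]:port"; a bare port, 0.0.0.0 or [::]
            # listens on every interface, including the WAN-facing one
            bound = ($2 ~ /:/) && ($2 !~ /^(0\.0\.0\.0|\[::\]):/)
            if (mode == "intercept" && !bound) {
                n++; print "intercept port not bound to the LAN address, reachable from every interface: " $0
            }
        }
        END {
            if (ports && !forward) {
                n++; print "no plain forward-proxy http_port: keep one on 127.0.0.1 for cachemgr, squidclient and explicitly configured clients"
            }
            exit (n > 0)
        }
    '
}

# Demo when run directly: lint the poster-shaped config, then show the reference shape.
printf '%s\n' "$BAD_CONF" | lint_http_ports || echo '-> bind the intercept port to the LAN address; reference shape:'
printf '%s\n' "$GOOD_CONF"
```

Run it as `lint_http_ports < /etc/squid/squid.conf` after `squid -k parse` has accepted the file; the two checks are independent of the Squid version, but the port must still be marked `intercept` (or the older `transparent`) for the iptables REDIRECT to work at all, which the "interception enabled" lines in the parse output above already confirm.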
 
Old 06-16-2013, 03:09 AM   #15
s4starb4boy
LQ Newbie
 
Registered: Jun 2013
Posts: 20

Original Poster
Rep: Reputation: Disabled
Quote:
cat /proc/sys/net/ipv4/ip_forward
1
Well, this section might be from the time when I did it using this command...
echo 1 > /proc/sys/net/ipv4/ip_forward

I've tried both 1 and 0 for that purpose....
neither of them is working, though...

By the way, now I've compiled the squid proxy server from source code with the "--enable-net-filter" option, which is used for transparent proxy, again with no luck. I am still looking for the solution and I must let you know..... waiting for a miracle. I'll keep trying; let's see how far it goes...

Last edited by s4starb4boy; 06-16-2013 at 03:10 AM.