LinuxQuestions.org
Old 09-04-2009, 12:47 PM   #1
bideshp
LQ Newbie
Registered: Sep 2009
Location: Riyadh
Distribution: Ubuntu 9.04
Posts: 4

What is wrong in my configuration of squid + dhcp3 + iptables + wpad.dat?


Hi my dear friends.

Can you find a correct way to solve this problem?

I am a beginner in Ubuntu networking.
I have installed a proxy server using Ubuntu 9.04 Jaunty with squid 2.7 STABLE3.
I am having two network cards: eth0 (WAN IP) and eth1 (LAN IP).
eth1 is configured with DHCP so that the clients will obtain IP addresses dynamically. Also I have user authentication for the client machines, so that when they browse the internet a username and password will be asked.

If I set proxy settings in IE on the clients it asks for the username and password and I can surf the net easily. But when I try to give some iptables rules to forward port 80 to 3128, users can access the internet without any proxy settings also.

These are my config files.

For squid (squid.conf):
Code:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd
auth_param basic children 5
auth_param basic realm NFYE Squid proxy-caching web server
auth_param basic credentialsttl 3 hours
auth_param basic casesensitive off

acl all src all
acl wsmc src 192.168.68.0/24
acl users proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl blockfiles url_regex -i "/etc/squid/blocks.files.acl"

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl sectionx proxy_auth REQUIRED
acl purge method PURGE
acl CONNECT method CONNECT

http_access deny blockfiles
deny_info ERR_BLOCKED_FILES blockfiles
http_access allow manager localhost
http_access allow users
http_access allow wsmc # every 192.168.68.0/24 client matches here, with or without a password
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all

http_port 192.168.68.1:3128 transparent # intercepted (transparent) requests carry no Proxy-Authorization header, so proxy_auth cannot be enforced on them
hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
visible_hostname gigza.smc.com.sa
cache_mgr bidesh@smc.com.sa
hosts_file /etc/hosts
coredump_dir /var/spool/squid
For dhcp3 (dhcpd.conf):
Code:
ddns-update-style none;
option domain-name "w.smc.com.sa";
option domain-name-servers 192.168.1.254, ns2.example.org;
default-lease-time 3600;
max-lease-time 15000;
log-facility local7;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.68.255;
option routers 192.168.68.1;
# DHCP option 252 carries the WPAD URL for clients set to detect proxy settings automatically
option custom-proxy-server code 252 = text;
option custom-proxy-server "http://192.168.68.1/wpad.dat";
option domain-name-servers 192.168.1.254;
option domain-name "w.smc.com.sa";
subnet 192.168.68.0 netmask 255.255.255.0 {
range 192.168.68.50 192.168.68.200;
}
For Apache (apache2.conf):
Code:
ServerRoot "/etc/apache2"
LockFile /var/lock/apache2/accept.lock
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>

<IfModule mpm_worker_module>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

AccessFileName .htaccess

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

DefaultType text/plain

HostnameLookups Off
ErrorLog /var/log/apache2/error.log
LogLevel warn
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
Include /etc/apache2/httpd.conf
Include /etc/apache2/ports.conf

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined

Include /etc/apache2/conf.d/
Include /etc/apache2/sites-enabled/

For /var/www/wpad.dat:
Code:
function FindProxyForURL(url, host)
{
    // Destinations on the LAN itself are reached directly
    if (isInNet(host, "192.168.68.0", "255.255.255.0"))
        return "DIRECT";
    // Everything else (the internet) goes through Squid
    return "PROXY 192.168.68.1:3128";
}

IP forwarding = 1
eth0 : 192.168.1.10
eth1 : 192.168.68.1
nameserver : 192. ...


squid, dhcp and apache are working.

MY QUESTIONS
  1. But the clients are not automatically applying the proxy settings. Why?
  2. How can I forward all requests coming in on eth1 to port 3128?
  3. How can I make my clients detect the proxy settings automatically?
  4. How can I avoid users connecting unless I add their MAC address?

If you can tell me any way, please help me.
 
Old 09-05-2009, 10:44 PM   #2
GlennsPref
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia1 KDE openbox
Posts: 2,862
Blog Entries: 33

Hi, a quick solution maybe...
Code:
http_port 192.168.68.1:3128 transparent
hierarchy_stoplist cgi-bin ?
move to top of file....

The order of these lines is important.


You don't mention the iptables firewall you are using,

you'll need a line in there too to make it work.

This page explains it in more detail.
http://www.linuxhomenetworking.com/w...nsparent_Proxy
Hope that helps.

Last edited by GlennsPref; 09-05-2009 at 10:49 PM.
 
Old 09-06-2009, 03:48 PM   #3
bideshp
LQ Newbie
Registered: Sep 2009
Location: Riyadh
Distribution: Ubuntu 9.04
Posts: 4

Original Poster
Thanks for your reply GlennsPref.

I tried to do it but I can't solve my problem.
I didn't give any iptables rules now; it is left blank.
eth0 is the WAN going to the internet and eth1 is the local network connected to a switch.

I want to forward all requests coming in on eth1 to the squid port 3128. And also I have to block the users who don't have proxy settings in their IE. I want to give access to the users having proxy settings on their computer, or else I want to inform them using an error message. Can you tell me how?

The problem is how I'll give iptables rules. I don't know how to make iptables rules in Ubuntu 9.04.
I tried some but I was able to do port-blocking rules only.
Can someone tell me how to put iptables rules in Ubuntu, just like rc.local in Fedora/Red Hat,
so that they'll start up from boot?
Or try to tell me how to redirect the requests on eth1 to port 3128 of squid.
 
Old 09-06-2009, 05:42 PM   #4
GlennsPref
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia1 KDE openbox
Posts: 2,862
Blog Entries: 33

Hi, you need this in

/etc/sysctl.conf
Code:
#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------
# Activate IP forwarding
net.ipv4.ip_forward = 1
You'll need to reboot to see the effect.

the firewall does the routing, squid does the caching, sysctl does the (kernel-level) forwarding

you may need to read this....
http://www.linuxhomenetworking.com/w...Using_iptables

http://www.linuxhomenetworking.com/w...nsparent_Proxy

to be sure where iptables runs from....
type....
locate iptables

we're looking for a script that should be in /etc somewhere....

on my system it is here...
/etc/rc.d/init.d/iptables

if you want to start from the beginning, clean,

do....
http://easyfwgen.morizot.net/
Quote:
Generate a Firewall Script

Use Easy Firewall Generator now to create your own custom iptables script. The generator will take your options and return a plain text script you can save and use for your firewall. (Make sure you save it as a text file!)
test your firewall with grc's Shields-Up

https://www.grc.com/x/ne.dll?bh0bkyd2

cheers, Glenn
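A firewall script for the layout described in this thread, added here as an example (it is not from the thread or from the linked pages): interface names, the LAN subnet and the Squid port are taken from post #1, and the `explicit` mode is the one under which the password check in squid.conf still works.

```shell
#!/bin/sh
# Added example, not from the thread. Rules for the poster's layout (assumed from
# post #1): eth0 = WAN, eth1 = LAN 192.168.68.0/24, Squid listening on 3128 on
# this box. Two modes:
#   intercept - redirect LAN port 80 into Squid (post #3's first request). Squid
#               cannot challenge intercepted clients for a password, so the
#               proxy_auth rules in squid.conf are never enforced on that traffic.
#   explicit  - no redirect; routed web traffic from the LAN is refused, so only
#               clients that picked up the WPAD/proxy settings get out, and Squid
#               can enforce the username/password (post #3's second request).
# Run as root. DRY_RUN=1 prints the rules instead of applying them.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.68.0/24
PROXY_PORT=3128

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {   # $1 = intercept | explicit
    case "$1" in intercept|explicit) ;; *) echo "usage: build_rules intercept|explicit" >&2; return 2 ;; esac
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Hide LAN addresses behind the WAN address for whatever is still routed.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    if [ "$1" = intercept ]; then
        # Port 80 from the LAN is diverted to Squid on this host before routing.
        ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
            -j REDIRECT --to-ports "$PROXY_PORT"
    else
        # Direct web access through the router is refused with a TCP reset, so a
        # browser without proxy settings fails fast instead of hanging.
        ipt -A FORWARD -i "$LAN_IF" -p tcp -m multiport --dports 80,443 \
            -j REJECT --reject-with tcp-reset
    fi
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Ubuntu 9.04 has no /etc/init.d/iptables; the usual way to keep the rules across
# reboots is to save them and restore them from /etc/network/interfaces with
#   pre-up iptables-restore < /etc/iptables.rules
persist_rules() { iptables-save > /etc/iptables.rules; }

if [ $# -gt 0 ]; then build_rules "$1"; fi
```

Run it as `sh firewall.sh explicit` (or `intercept`) and then `persist_rules` once the rules behave; `DRY_RUN=1 sh firewall.sh explicit` shows what would be applied without touching the kernel.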
 
  

