squid: Don't want to set Browser's setting

anandnenwani · 11-02-2011, 03:37 AM

As I configured squid proxy now, but i don't want to set browser's proxy settings as there is 150 clients on the windows xp.

and what is prerequisites.

Please help.

Thanku

fukawi1 · 11-02-2011, 04:28 AM

You will need to configure some port forwards on the router, to transparently redirect traffic on port 80 destined for the internet, to the squid server port 3128.

deep27ak · 11-02-2011, 07:08 AM

Quote:

Originally Posted by anandnenwani

As I configured squid proxy now, but i don't want to set browser's proxy settings as there is 150 clients on the windows xp.

and what is prerequisites.

Please help.

Thanku

do you check replies after asking questions?

http://www.linuxquestions.org/questi...orking-909475/

check your last post

anandnenwani · 11-02-2011, 07:17 AM

I did the same but it is accessible after changing browser's settings. and as i made those changes what u told me , but still blocked sites are accessible.

m not getting properly if everything is ok.

My eth0 has 192.168.0.59
and eth1 has 10.230.1.1

and there is my another FTP server too at 192.168.0.60 and after these am not able to access FTP from clients.

Please Help me how to do..?

deep27ak · 11-02-2011, 07:26 AM

Quote:

Originally Posted by anandnenwani

I did the same but it is accessible after changing browser's settings. and as i made those changes what u told me , but still blocked sites are accessible.

m not getting properly if everything is ok.

My eth0 has 192.168.0.59
and eth1 has 10.230.1.1

Please Help me how to do..?

Code:

#cat /etc/squid/squid.conf

post the output

Code:

#iptables -L

post the output

anandnenwani · 11-03-2011, 01:17 AM

acl of /etc/squid/squid.conf

Quote:

acl all src 0.0.0.0/0.0.0.0
acl my_network src 192.168.0.59 10.230.1.1
acl to_my_network src 10.230.1.0
acl mp myport 3128
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blocksites url_regex "/etc/squid/block-url.acl"

# TAG: http_access
http_access deny all
http_access allow !SSL_ports
http_access deny blocksites
http_access allow manager localhost to_localhost

http_access allow !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow to_localhost

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow all
http_access allow mp

iptables -L output

Quote:

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:squid
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

and there is my FTP and http 192.168.0.60 i want to access FTP from this
This is my output ..Please reply ..Thank You

anandnenwani · 11-13-2011, 12:38 PM

As i posted the output of iptables as well. my iptables is still not forwarding port, and what i have to set for FTP server 192.168.x.x,

Please reply me soon..!!!

deep27ak · 11-13-2011, 10:50 PM

Quote:

Originally Posted by anandnenwani

As i posted the output of iptables as well. my iptables is still not forwarding port, and what i have to set for FTP server 192.168.x.x,

Please reply me soon..!!!

I tried to look for a solution but the I place where I work, I can't mesh with iptables

That is the reason I didn't replied

I am sure some one will help you further
Sorry

fukawi1 · 11-14-2011, 01:07 AM

You REALLY need to provide more information about your network topology.

I am guessing the host running squid, is not acting as a gateway/router to the internet? (based on the two NIC's with private IP's)
Assuming this is true, you need to create iptables/firewall rules, on the gateway/router, to redirect traffic on port 80, to the squid server, on port 3128.

This is what gives you a "transparent" proxy, where by the client machines, are unaware they are being sent through a proxy, and also saves having to configure every host to use a manual proxy configuration.

anandnenwani · 11-14-2011, 03:07 AM

Well Deepak Thanks for that much u told ....

don't say sorry ...

anandnenwani · 11-16-2011, 06:41 AM

This is My network map, I don't want to do every client's browser's settings as well. and there is my FTP/Http server i want to get access from my client's also.

as i did iptables prerouting redirect command too. but i think i m leaving something, please Reply me.

anandnenwani · 11-19-2011, 11:39 PM

Quote:

Originally Posted by deep27ak

I tried to look for a solution but the I place where I work, I can't mesh with iptables

That is the reason I didn't replied

I am sure some one will help you further
Sorry

I did it in OpenSuSE 11.4, and it's working but why it's not working in RHEL..??
Thank You So much Deepak

deep27ak · 11-21-2011, 02:57 AM

Quote:

Originally Posted by anandnenwani

I did it in OpenSuSE 11.4, and it's working but why it's not working in RHEL..??
Thank You So much Deepak

It must be IPtables in that case

I guess you should start a new thread in networking thread so that other's can look after if you are not getting any response

aazkan · 11-21-2011, 10:58 AM

Hi,

On the host that runs the squid, can you show output for:

iptables -L -nv -t nat

also

sysctl -a|grep forward

if the squid runs on a host acting as a gateway/router it should quite straight forward, if it's not i'm guessing its still possible to transparently intercept http somehow.

anandnenwani · 11-28-2011, 12:11 PM

sysctl -a | grep forward

Quote:

net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1

iptables -L -nv -t nat

Quote:

Chain PREROUTING (policy ACCEPT 77 packets, 9535 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
0 0 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 211 packets, 12849 bytes)
pkts bytes target prot opt in out source destination
2 181 MASQUERADE all -- * * 10.0.0.0/24 !10.0.0.0/24
0 0 MASQUERADE all -- * * 10.0.0.0/24 10.0.0.0

Chain OUTPUT (policy ACCEPT 213 packets, 13030 bytes)
pkts bytes target prot opt in out source destination

This is the output.

I want to block IDM HTTP-GET and bittorrent. How to do it..?

Thank You Soo much