Hello, I have a strange setup and I'm not getting anywhere with it. I have a DSL router, which is connected to the gateway, which manages the network, DHCP, DNS and so on. Now there is a squid server in the network which should be used as a transparent proxy for http (not https).
gateway server IPs:
eth0 (10.0.10.2) internet
eth1 (192.168.10.1) intranet - dhcp server
squid server IP:
There are 2 networks, 192.168.10.0/24 (ethernet) and 192.168.2.0/24 (wifi); both of these networks should use the squid server for http as a transparent proxy.
Here is the iptables setup on the gateway:
# iptables-save format: the table markers (*nat, *filter) and COMMIT lines
# are required for iptables-restore but were missing from the posted dump.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT the intranet out to the Internet via the DSL side
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
# "-i ! lo" is the old negation syntax; current iptables writes it as "! -i lo"
-A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
-A INPUT -j DROP
COMMIT
Can anyone tell me the iptables rules which I should add to the gateway so it would properly forward all traffic to the squid proxy server and properly return it to the clients.
...but that qualifies as a really ugly hack that would also invalidate any logs on the Squid server (all traffic would appear to come from 192.168.10.1).
That was the long answer. The short answer: You need to either redesign your network slightly, so that the Squid server ends up on a different subnet, or you could use the Web Proxy Autodiscovery Protocol (WPAD) to serve out a PAC file and force all HTTP traffic through Squid (and then block all other TCP/80 traffic in the firewall).
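A PAC file implementing the WPAD alternative mentioned in that reply, as an added example (not code from the thread or its participants). It assumes the Squid host is 192.168.10.10 (the post leaves its address blank) listening on 3128 as in the posted squid.conf; the inNet/hostIsIPv4 helpers stand in for the browser-provided isInNet/isPlainHostName so the logic can also be checked outside a browser.

```javascript
// proxy.pac (served as wpad.dat by WPAD or via a configured PAC URL).
// Assumption, not from the thread: the Squid box is 192.168.10.10:3128.
var SQUID = "PROXY 192.168.10.10:3128";

// Minimal replacements for the browser's PAC helpers so this file
// runs unchanged in a browser and under node for testing.
function hostIsIPv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, o) {
    return acc * 256 + parseInt(o, 10);
  }, 0);
}
// True when host is an IPv4 literal inside net/bits (CIDR prefix length).
function inNet(host, net, bits) {
  if (!hostIsIPv4(host)) return false;
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipToInt(host) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local names and both LAN subnets (plus the DSL side) never use the proxy.
  if (host === "localhost" || host.indexOf(".") === -1 ||
      inNet(host, "127.0.0.0", 8) ||
      inNet(host, "192.168.10.0", 24) ||
      inNet(host, "192.168.2.0", 24) ||
      inNet(host, "10.0.10.0", 24)) {
    return "DIRECT";
  }
  // Only plain HTTP is proxied, matching the thread's HTTP-only Squid.
  // No "; DIRECT" fallback: once the gateway blocks other TCP/80 traffic,
  // a client that bypasses Squid must fail closed rather than leak around it.
  if (url.substr(0, 5).toLowerCase() === "http:") {
    return SQUID;
  }
  return "DIRECT";
}
```

Serve it as wpad.dat from a host named wpad in the DHCP-supplied domain (or hand the URL out via DHCP option 252), and pair it with a gateway FORWARD rule that rejects TCP/80 from the LAN unless the source is the Squid host, so the PAC is the only working path.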
Simply put, this works. I can browse web pages on the Internet. If I stop the squid process, there's no web access via HTTP. If I try to reach a valid but currently unavailable web site, I get an error page from squid.
What exactly happens when you attempt this setup? Where does the "access denied" message come from? What's in the logs?
With this exact setup there is nothing happening. The requests don't go to the squid server, there is nothing in the squid logs. Note that I have an extra MASQUERADE rule "-A POSTROUTING -o eth0 -j MASQUERADE" which may screw the situation, but anyway, the above setup doesn't redirect the requests to the squid server, for whatever reason, which I don't know.
Here is the squid proxy conf:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.10.0/24 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_reply_access allow all
dns_nameservers 192.168.10.1 10.0.10.2
maximum_object_size_in_memory 4096 KB
cache_mem 1024 MB
minimum_object_size 0 KB
maximum_object_size 2048 KB
quick_abort_min 0 KB
positive_dns_ttl 15 minutes
negative_dns_ttl 1 minutes
icp_access allow all
http_port 3128 transparent
http_reply_access allow all
hierarchy_stoplist cgi-bin ?
cache_dir aufs /array/md4/squid 41960 16 256
access_log /var/log/squid3/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern -i (.*jpg$|.*gif$) 0 50% 28800
refresh_pattern -i (.*html$|.*htm|.*shtml) 0 20% 1440
refresh_pattern (http://.*/$) 0 20% 1440
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl FTP proto FTP
always_direct allow FTP
no_cache deny QUERY
dead_peer_timeout 5 seconds
client_lifetime 1 day
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
NOTE: with this configuration the squid proxy works if I set it up in Firefox.