I have an internet speed of 8mb and have installed a Squid proxy server, set up as transparent, on CentOS 5.6, i.e.
http_port 10.10.10.10.:3128 transparent
It is working properly for all my clients. Now I want to separate my clients' browsing speed, bandwidth control and website restrictions. I want to make a pool of IPs, for example:
1) 10.10.1.1 to 10.10.1.255 can access the internet without restriction, as they are my senior staff, and can use bandwidth of 4mb from the 8mb, with no websites blocked
2) The rest of my clients can browse the internet with 1mb bandwidth, and they cannot use Facebook, Orkut, Twitter, YouTube, messengers like Yahoo and Skype, online video streaming, or mp3 downloading or playing online
3) All my clients cannot use P2P (torrent downloading)
4) If one of my clients asks permission for an IP which is free from all restrictions, how will I allow him?
Currently my squid config file is simple, just:
http_port 10.10.10.10:3128 transparent
http_access allow all
visible_hostname idirao-server
I have the iptables commands:
iptables -t nat -A POSTROUTING -o eth- -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.10.10.10:3128
Quote:
I have an internet speed of 8mb and have installed a Squid proxy server, set up as transparent, on CentOS 5.6, i.e.
http_port 10.10.10.10.:3128 transparent
It is working properly for all my clients. Now I want to separate my clients' browsing speed, bandwidth control and website restrictions. I want to make a pool of IPs, for example:
1) 10.10.1.1 to 10.10.1.255 can access the internet without restriction, as they are my senior staff, and can use bandwidth of 4mb from the 8mb, with no websites blocked
Put those users into their own ACL group that has no restrictions
Quote:
2) The rest of my clients can browse the internet with 1mb bandwidth, and they cannot use Facebook, Orkut, Twitter, YouTube, messengers like Yahoo and Skype, online video streaming, or mp3 downloading or playing online
Set up a second ACL group with a delay pool and a blacklist of those sites
Quote:
3) All my clients cannot use P2P (torrent downloading)
...and Squid can't block torrents AT ALL. This has been covered on here many times. You can block the .torrent filetype from being downloaded, but you can't block someone from copying the URL and pasting it into a torrent client. You need a layer-7 filter.
Quote:
4) If one of my clients asks permission for an IP which is free from all restrictions, how will I allow him?
You modify the ACL the client is in. Based on what you have posted, you'll have two ACL's..one for senior staff, and another for everyone else. If you have someone ask permission, and they're NOT senior staff, the answer would then be 'no', wouldn't it?
I have a range of IP addresses and I want to make ACLs as follows:
IP range from 10.0.1.1 to 10.0.1.255 can browse the internet, and
IP range from 10.0.2.1 to 10.0.5.255 cannot browse the internet. I have made the ACLs as:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl my-clients src 10.0.1.1/8 10.0.1.255/8
acl bound src 10.0.2.1/8 10.0.5.255/8
http_access allow my-clients
http_access deny bound
http_access deny all
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
and when I restart Squid the following error occurs:
[root@idirao ~]# service squid restart
Stopping squid: 2013/07/31 12:06:29| aclParseIpData: WARNING: Netmask masks away part of the specified IP in '10.0.1.1/8'
2013/07/31 12:06:29| aclParseIpData: WARNING: Netmask masks away part of the specified IP in '10.0.1.255/8'
2013/07/31 12:06:29| WARNING: '10.0.0.0/255.0.0.0' is a subnetwork of '10.0.0.0/255.0.0.0'
2013/07/31 12:06:29| WARNING: because of this '10.0.0.0/255.0.0.0' is ignored to keep splay tree searching predictable
2013/07/31 12:06:29| WARNING: You should probably remove '10.0.0.0/255.0.0.0' from the ACL named 'my-clients'
2013/07/31 12:06:29| aclParseIpData: WARNING: Netmask masks away part of the specified IP in '10.0.2.1/8'
2013/07/31 12:06:29| aclParseIpData: WARNING: Netmask masks away part of the specified IP in '10.0.5.255/8'
2013/07/31 12:06:29| WARNING: '10.0.0.0/255.0.0.0' is a subnetwork of '10.0.0.0/255.0.0.0'
2013/07/31 12:06:29| WARNING: because of this '10.0.0.0/255.0.0.0' is ignored to keep splay tree searching predictable
2013/07/31 12:06:29| WARNING: You should probably remove '10.0.0.0/255.0.0.0' from the ACL named 'bound'
. [ OK ]
Starting squid: . [ OK ]
Both my IP ranges can browse the internet. What should I do so that ACL my-clients can browse the internet and ACL bound cannot?
So did you read what you posted??? Squid is telling you there are problems with your syntax, and is even telling you what to remove (see the bolded part). Doesn't get much more clear than that. You're specifying your addresses incorrectly...go back and read the documentation again.
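Why both ranges could browse, as an added example that is not part of the thread and not Squid's own code: with a /8 mask every posted address collapses to 10.0.0.0/8 (the "is a subnetwork of" warnings in the log), so `http_access allow my-clients` matches every 10.x client before `deny bound` is reached. The sketch below is a simplified first-match model; the `FIXED` config, the built-in `all` ACL and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed from the post: the ACLs as posted, and one possible correction.
POSTED = """
acl my-clients src 10.0.1.1/8 10.0.1.255/8
acl bound src 10.0.2.1/8 10.0.5.255/8
http_access allow my-clients
http_access deny bound
http_access deny all
"""
FIXED = """
acl my-clients src 10.0.1.0/24
acl bound src 10.0.2.0/23 10.0.4.0/23
http_access allow my-clients
http_access deny bound
http_access deny all
"""

def parse_src(token):
    """Networks covered by one 'src' value: 'first-last' range or 'ip/len'."""
    if "-" in token:
        first, last = (ipaddress.ip_address(p) for p in token.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False zeroes the host bits, the effect Squid warns about with
    # "Netmask masks away part of the specified IP".
    return [ipaddress.ip_network(token, strict=False)]

def load(conf):
    """Collect 'acl NAME src ...' and 'http_access allow|deny NAME' lines."""
    acls, rules = {"all": [ipaddress.ip_network("0.0.0.0/0")]}, []  # assumed 'all'
    for line in conf.splitlines():
        f = line.split("#")[0].split()
        if len(f) >= 4 and f[0] == "acl" and f[2] == "src":
            acls.setdefault(f[1], []).extend(n for t in f[3:] for n in parse_src(t))
        elif len(f) == 3 and f[0] == "http_access":
            rules.append((f[1], f[2]))
    return acls, rules

def decide(conf, client):
    """Return the action of the first http_access line whose ACL matches."""
    acls, rules = load(conf)
    ip = ipaddress.ip_address(client)
    for action, name in rules:
        if any(ip in net for net in acls[name]):
            return action
    return "deny"  # fallback of this sketch; both samples end in 'deny all'

if __name__ == "__main__":
    for ip in ("10.0.1.50", "10.0.2.7", "10.0.5.255"):
        print(ip, "posted:", decide(POSTED, ip), "fixed:", decide(FIXED, ip))
```

The two /23 networks in `FIXED` cover 10.0.2.0 through 10.0.5.255, which `parse_src("10.0.2.0-10.0.5.255")` confirms.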
I was previously in an organization where only 10 to 15 systems were present, and now I have shifted to a new organization where the number of systems is round about 500. I have the idea of my previous simple installation of CentOS and configuration; say, I have an idea of MASQUERADE and the iptables commands to bring my eth1 local systems to my Squid proxy server.
Now the number of PCs has increased, and this means more traffic on my eth0 card, meaning more internet load will be on my CentOS server, so what should I do? Now I have basic squid settings as
Will anybody guide me in detail on what more I will need so that the server will be up 24/7 and there will be no problem of it hanging, not working or being overloaded; what cache and what steps are necessary to keep my server active all the time?