LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 02-20-2003, 01:59 PM   #1
JRago
LQ Newbie
 
Registered: Feb 2003
Location: Detroit, MI USA
Distribution: RedHat 8.0
Posts: 14

Rep: Reputation: Disabled
Internet Proxy Server


I just replaced a MS NT 4.0 SBS server with RedHat 8.0.

Everything is great EXCEPT I cannot figure out how to replace the internet proxy functionality that the old server had.

My client has 12 Win2K workstations that need to access the web AND POP email through a dial-up modem on the server on demand.

I set up Squid and that works for the web but not for POP.

Is there something else I should be doing to allow this type of access?

Whatever the solution is it needs to autodial when there is a need for internet service.

I REALLY don't want to go back to MS
 
Old 02-20-2003, 02:17 PM   #2
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
So what you are saying is that the client machines need to get their pop based email through the proxy? Or is the proxy machine to double as a pop server itself? I can help you here but I need a little more info..

The autodial feature is a mouse click in Kppp.
I operate two dial-up based squid servers at home..
 
Old 02-20-2003, 02:29 PM   #3
JRago
LQ Newbie
 
Registered: Feb 2003
Location: Detroit, MI USA
Distribution: RedHat 8.0
Posts: 14

Original Poster
Rep: Reputation: Disabled
The clients are trying to access an ISP POP server.

The Linux box will NOT be a POP server.

With the old server setup, the workstations would start their web browser or POP email client and were configured to go through the WinNT 4.0 server as an internet proxy.

The server would autodial the ISP and the workstaiton would have access to the internet for browsing or POP.

Multiple workstations could access the internet at the same time. (This would be slow with the dial-up line but it's what the client can afford and wants)
 
Old 02-20-2003, 05:28 PM   #4
rohang
Member
 
Registered: Aug 2002
Location: Sydney, Australia
Distribution: Redhat, Open BSD, SuSe, Debian, CentOS
Posts: 177

Rep: Reputation: 30
Squid can (as far as I'm aware) only proxy web traffic - not POP traffic.

What IP addressing are you using on the LAN? If it's private (RFC 1918) addressing, then you can use IP Masquarding on the linux box to allow the internal hosts to directly access the ISP's POP server.

Last edited by rohang; 02-20-2003 at 05:32 PM.
 
Old 02-20-2003, 08:36 PM   #5
JRago
LQ Newbie
 
Registered: Feb 2003
Location: Detroit, MI USA
Distribution: RedHat 8.0
Posts: 14

Original Poster
Rep: Reputation: Disabled
Yes that is what I'm thinking.

Everything I've been able to find and my experience with trying this says that Squid only works with web traffic.

I've considered IP masquerading but I'm unsure if I will be able to initiate an autodial on demand.

Is there anything else that I should be looking at?

A SOCKS proxy?

Something else?
 
Old 02-20-2003, 09:18 PM   #6
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Doesn't squid have an addin/plugin/configuration/module/extra thingy to proxy mail?

SOCKS is just a type of proxy, I think you can set up squid to be SOCKS compliant?

dial on demand can be set up to work with IP masquerading.
 
Old 02-21-2003, 10:24 AM   #7
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
Squid CAN be set up to be SOCKS compliant. As for pop forwarding, why not just forward port 110 to and from the LAN via the routing tables/firewall. Iptables can bounce pop3 email anywhere you would like.
 
Old 02-21-2003, 01:46 PM   #8
JRago
LQ Newbie
 
Registered: Feb 2003
Location: Detroit, MI USA
Distribution: RedHat 8.0
Posts: 14

Original Poster
Rep: Reputation: Disabled
I am now setting up iptables for masquerading to accomplish this.

I followed the HOW-TO located at http://www.linuxhomenetworking.com/i...m#_Toc32287197 with modifications to match my site.

I am getting mixed results.

I can do nslookups to the ISP DNS server.

I can ping internet servers.

I CANNOT access the web with a browser.

I CANNOT access my ISP POP server.

ARRGGHHH!!!!!

my iptables init script is as follows:

#!/bin/bash
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
#---------------------------------------------------------------
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
#---------------------------------------------------------------
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------
#iptables --policy INPUT DROP
#iptables --policy OUTPUT DROP
#iptables --policy FORWARD DROP
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth0 is the private network interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -p all -s 10.0.0.0/24 -i eth0
iptables -A OUTPUT -j ACCEPT -p all -d 10.0.0.0/24 -o eth0
#---------------------------------------------------------------
# Load the NAT module
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Allow masquerading
# Enable routing by modifying the ip_forward /proc filesystem file
# - Interface ppp0 is the internet interface
# - Interface eth0 is the private network interface
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o ppp0 -s 10.0.0.0/24 -d 0/0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------------
iptables -A FORWARD -t filter -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

HELP!
 
Old 02-21-2003, 04:18 PM   #9
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
Ok, since a few of the entries in your script made very little sense to me (I am no iptables expert btw), I figured I would post my recently created and highly successful script as a good example. It is production tested and works great. Hope it helps....

#!/bin/sh
#
# This is a basic locked-down Iptables firewall. Written February 20th 2003 by Pcghost.
# Distribute freely under the terms of the GPL.
#
# Shutting Down the firewall!!
#
/etc/init.d/iptables stop
#
# Firewall Disabled..
#
# Deleting old iptables rule file from /etc/sysconfig/
rm /etc/sysconfig/iptables
#
# Flushing Current Firewall Rules From Memory!
iptables -F
#
# Begin new ruleset creation...
#---------------------------------------------------------------------------------------------------
# Define variables/interfaces here..
EXTINT="ppp0"
LOOP="lo"
INTINT="eth0"
INTRA="192.168.66.0/24"
SARUMAN="192.168.66.6"
#-------Done----------------------------------------------------------------------------------------
#
# Enabling Port Forwarding Support Module in Kernel...
echo 1 > /proc/sys/net/ipv4/ip_forward
#
#------Done-----------------------------------------------------------------------------------------
#
# Establishing default policies for the various tables.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
#------Done-----------------------------------------------------------------------------------------
#
# Set firewall to allow all local traffic.
iptables -A INPUT -i $LOOP -j ACCEPT
iptables -A OUTPUT -i $LOOP -j ACCEPT
#
#------Done----------------------------------------------------------------------------------------
#
# Allow all traffic between Server and Internal Network.
iptables -A INPUT -i $INTINT -s $INTRA -j ACCEPT
iptables -A OUTPUT -o $INTINT -d $INTRA -j ACCEPT
#
#------Done-----------------------------------------------------------------------------------------
# Explicitly allow Pcanywhere connections on ports 5631tcp and 5632udp. COMMENTED FOR SECURITY CONCERNS.
# UNCOMMENT TO ENABLE.
#iptables -A INPUT -p UDP -i $EXTINT -s 0/0 --destination-port 5632 -j ACCEPT
#iptables -A INPUT -p TCP -i $EXTINT -s 0/0 --destination-port 5631 -j ACCEPT
#
#-----Done--------------------------------------------------------------------------------------------
#
# Allow routing of connections from internal network to the Internet.
iptables -A OUTPUT -o $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $INTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#-----Done--------------------------------------------------------------------------------------------
#
# Explicitly allow forwarding of connections from Internet to LAN for ftp etc..
# NOT REQUIRED FOR SQUID FUNCTIONALITY.
iptables -A INPUT -i $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
#-----Done-------------------------------------------------------------------------------------------
#
# Explicitly allow forwarding from LAN to Internet and back again..
# NOT REQUIRED FOR SQUID FUNCTIONALITY.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! $EXTINT -j ACCEPT
#
#-----Done-------------------------------------------------------------------------------------------
#
# Masquerade all outbound connections to the servers external IP address...
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
#
#-----Done-------------------------------------------------------------------------------------------
#
# Protect against "packet spoofing".
iptables -t nat -A PREROUTING -i $EXTINT -s 192.168.0.0/24 -j DROP
#
#-----Done-------------------------------------------------------------------------------------------
#
# Allow Squid Server to obtain DNS from Internet..
iptables -t nat -A OUTPUT -o $EXTINT -p udp --dport 53 -j ACCEPT
#
#-----Done--------------------------------------------------------------------------------------------
# Any additional port forwarding should be done here. An example is commented below..
#
# Section 1 - Prerouting instructions.
#
#iptables -t nat -A PREROUTING -p tcp --dport 25 -d $EXTIP -j DNAT --to-destination 192.168.66.6:25
#
# Section 2 - Forward table instructions.
#
#iptables -A FORWARD -p tcp --dport 25 -d $IPCLIENT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# Section 3 - Postrouting table instructions.
#
#iptables -t nat -A POSTROUTING -p tcp -d $IPCLIENT --dport 25 -j SNAT --to-source $INTIP
#
# Section 4 - Output table instructions.
#
#iptables -t nat -A OUTPUT -p tcp --dport 25 -d $EXTIP -j DNAT --to-destination $IPCLIENT:25
#
#-----Done--------------------------------------------------------------------------------------------------
#
# Allow Server to ping the outside world..
iptables -t filter -A OUTPUT -o $EXTINT -p icmp -j ACCEPT
#
#-----Done--------------------------------------------------------------------------------------------------
#
# TEMPORARILY ALLOW THE OUTSIDE TO PING THE SERVER FOR TESTING THE FIREWALL. COMMENT WHEN TESTING COMPLETE!
iptables -t filter -A INPUT -i $EXTINT -p icmp -j ACCEPT
#
#-----Done----------------------------------------------------------------------------------------------------
#
# Logging - To activate connection tracking and packet logging uncomment the following lines.
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP:"
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP:"
iptables -A FORWARD -j LOG --log-prefix "FORWARD_DROP:"
#
#-----Done----------------------------------------------------------------------------------------------------
#
# Saving all rules to /etc/sysconfig/iptables for implementation..
iptables-save > /etc/sysconfig/iptables
#
#-----Done----------------------------------------------------------------------------------------------------
#
# Starting the Firewall. Please stand back...:-)
/etc/init.d/iptables start
#
#----Done-----------------------------------------------------------------------------------------------------
# Don't forget to port scan to test the rules or go to pcflank.com and run the advanced test....
#
# End of Script....
#-------------------------------------------------------------------------------------------------------------
 
Old 03-02-2003, 10:23 PM   #10
ashutosh
LQ Newbie
 
Registered: Apr 2001
Location: India
Distribution: Red Hat 7.1, Mandrake 8.2, Debian - Potato
Posts: 8

Rep: Reputation: 0
Dear Pcghost
Please tell us how to make squid demand dial, when a client tries to connect to internet.
I'll be grateful to you for the same.
Best Wishes.
ash.
 
Old 03-11-2003, 01:17 PM   #11
JRago
LQ Newbie
 
Registered: Feb 2003
Location: Detroit, MI USA
Distribution: RedHat 8.0
Posts: 14

Original Poster
Rep: Reputation: Disabled
I finally resolved this problem.

It was a Microsoft problem and NOT a Linux probelm. (Big supprise)

The client workstations still had the MS proxy CLIENT loaded on them and it was interfering with the connection to the Linux server.

Everything works fine now with the following iptables initialization script:

#!/bin/bash
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
#---------------------------------------------------------------
# Now that the chains have been initialized, the user defined
# chains should be deleted. We'll recreate them in the next step
#---------------------------------------------------------------
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# The policy should be to drop it
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# If the Linux firewall is the caching DNS server for the network
# then allow outbound DNS queries from the FW and the replies too
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o ppp0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the protected network
# - Interface eth0 is the private network interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -p all -s 10.0.0.0/24 -i eth0
iptables -A OUTPUT -j ACCEPT -p all -d 10.0.0.0/24 -o eth0
#---------------------------------------------------------------
# Load the NAT module
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Allow masquerading
# Enable routing by modifying the ip_forward /proc filesystem file
# - Interface ppp0 is the internet interface
# - Interface eth0 is the private network interface
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o ppp0 -s 10.0.0.0/24 -d 0/0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------------
iptables -A FORWARD -t filter -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#---------------------------------------------------------------
#iptables -A OUTPUT -j LOG
#iptables -A OUTPUT -j LOG
#iptables -A FORWARD -j LOG
#iptables -A INPUT -j LOG
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG

Thanks for all of the help.
 
Old 03-11-2003, 02:08 PM   #12
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
Actually it is not squids responcibility to dial the internet in Red Hat 8. That duty belongs to kppp. If you select dial-on-demand in kppp anytime squid needs a connection it will make a port 80 request, triggering kppp to dial the internet.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
squid proxy server configuration & distribution of internet without proxy gaurav_gupta082 Linux From Scratch 2 07-31-2010 11:25 AM
global proxy server for internet LancerNZ Linux - Networking 1 03-12-2005 03:03 AM
how to browse internet in mozilla using proxy server sanu Linux - Newbie 1 09-28-2004 03:25 AM
Linux as proxy/internet server FNC Linux - Networking 1 07-06-2002 05:24 PM
Linux as a proxy/internet server FNC Linux - Networking 0 07-05-2002 07:51 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:12 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration