LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-15-2005, 07:15 PM   #1
Balkce
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Rep: Reputation: 0
Squid as Web Filter + Web Server in other machine


Hi,

I know that FreeBSD is not Linux, but I have gone to various forums and haven't gotten this answered thoroughly, so please bear with me.

I have a network that involves a gateway running FreeBSD and an internal Windows server running IIS (I know, I know, I hate it too, but it was part of the job) and some other services like Exchange. The server resides on the same subnet as the users' computers.

I have put Squid on the gateway as a web filter, but somehow, when I start the Squid service, I cannot access the web server that resides on the Windows box from outside the network, nor does it receive any mail from the outside.

[EDIT: thanks born4linux for typo in the last paragraph]

I have read many HOWTOs, but Squid can do so much that right now I'm getting very confused by the terminology... so, my question is: is it possible for Squid to sit on a gateway serving as just a web filter (if it's a web cache as well, I don't mind; better for me) and let packets through to an internal server?

If so, my squid.conf is as follows:

http_port 3128
icp_port 3130
cache_swap_low 75
cache_swap_high 85
memory_pools off
cache_mgr admin@domain.com #changed for security reasons
maximum_object_size 4096 KB
cache_dir ufs /usr/local/squid/cache 50 16 256
cache_access_log /dev/null
cache_log none
cache_store_log /dev/null
logfile_rotate 7
client_netmask 255.255.255.0
visible_hostname gateway.domain.com #changed for security reasons

httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

acl my_network src 192.168.3.0/255.255.255.0 #changed for security reasons
acl priviledge_user arp 00:01:02:03:04:05 #changed for security reasons
acl unpriviledge_user_with_mail arp 00:01:02:03:04:06 #changed for security reasons

acl SSLPORT port 443 563
acl SAFEPORT port 21 70 80 210 443 563 1025-65535
#ftp gopher http wais https snews unregistered
acl SAFEPORT port 280 #http-mgmt
acl SAFEPORT port 488 #gss-http
acl SAFEPORT port 591 #filemaker
acl SAFEPORT port 777 #multiling http
acl CONNECT method CONNECT

acl ADSDOM url_regex "/usr/local/etc/squid/block/blacklists/ads/domains"
acl ADSURL url_regex "/usr/local/etc/squid/block/blacklists/ads/urls"
acl AGGRESSIVEDOM url_regex "/usr/local/etc/squid/block/blacklists/aggressive/domains"
acl AGGRESSIVEURL url_regex "/usr/local/etc/squid/block/blacklists/aggressive/urls"
acl AVDOM url_regex "/usr/local/etc/squid/block/blacklists/audio-video/domains"
acl AVURL url_regex "/usr/local/etc/squid/block/blacklists/audio-video/urls"
acl DRUGDOM url_regex "/usr/local/etc/squid/block/blacklists/drugs/domains"
acl DRUGURL url_regex "/usr/local/etc/squid/block/blacklists/drugs/urls"
acl GAMBLINGDOM url_regex "/usr/local/etc/squid/block/blacklists/gambling/domains"
acl HACKDOM url_regex "/usr/local/etc/squid/block/blacklists/hacking/domains"
acl HACKURL url_regex "/usr/local/etc/squid/block/blacklists/hacking/urls"
acl MAILDOM url_regex "/usr/local/etc/squid/block/blacklists/mail/domains"
acl PORNDOM url_regex "/usr/local/etc/squid/block/blacklists/porn/domains"
acl PORNURL url_regex "/usr/local/etc/squid/block/blacklists/porn/urls"
acl PROXYDOM url_regex "/usr/local/etc/squid/block/blacklists/proxy/domains"
acl VIOLENCEDOM url_regex "/usr/local/etc/squid/block/blacklists/violence/domains"
acl WAREZDOM url_regex "/usr/local/etc/squid/block/blacklists/warez/domains"
acl WAREZURL url_regex "/usr/local/etc/squid/block/blacklists/warez/urls"

http_access allow manager localhost
http_access deny manager
http_access deny !SAFEPORT
http_access deny CONNECT !SSLPORT

# ACL names here must match the acl definitions above exactly (the posted
# lines referred to "priviledged_user" / "unpriviledged_user_with_mail",
# which are not defined, so Squid would refuse to load the config).
http_access allow priviledge_user
http_access allow unpriviledge_user_with_mail MAILDOM
# NOTE: SPAMMER (next line) and demiurgo (further down) are referenced but
# never defined by an acl line above; Squid treats an undefined ACL name as
# a fatal configuration error, so define them or drop those two rules.
http_access deny all SPAMMER
http_access deny all ADSDOM
http_access deny all ADSURL
http_access deny all AGGRESSIVEDOM
http_access deny all AGGRESSIVEURL
http_access deny all AVDOM
http_access deny all AVURL
http_access deny all DRUGDOM
http_access deny all DRUGURL
http_access deny all GAMBLINGDOM
http_access deny all HACKDOM
http_access deny all HACKURL
http_access deny all MAILDOM
http_access deny all PORNDOM
http_access deny all PORNURL
http_access deny all PROXYDOM
http_access deny all VIOLENCEDOM
http_access deny all WAREZDOM
http_access deny all WAREZURL
http_access allow demiurgo
http_access allow localhost
http_access allow my_network

http_access deny all

Last edited by Balkce; 12-17-2005 at 02:27 PM.
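Added example (not from the thread, and not a Squid tool): a small Python linter for the acl / http_access section of a Squid 2.x style squid.conf like the one posted above. It catches the two things a reviewer would check in that config, ACL names that are referenced in http_access but never defined (Squid refuses to start on those), and the first-match order of the http_access rules, so you can see which line actually decides a given request. The embedded config excerpt is constructed for the example and patterned on the posted one; it deliberately keeps a misspelt ACL reference and two undefined names so the checks have something to report.

```python
"""Lint the acl / http_access section of a Squid 2.x style squid.conf.

Checks:
  1. every ACL name used by an http_access rule is defined by an acl line;
  2. http_access is evaluated first-match: walk the rules for a request that
     satisfies a given set of ACLs and report which line decided it.
"""

# Constructed excerpt patterned on the configuration posted above (not the
# poster's full file). The misspelt references and the undefined names
# SPAMMER / demiurgo are kept on purpose so the linter has findings.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl my_network src 192.168.3.0/255.255.255.0
acl priviledge_user arp 00:01:02:03:04:05
acl unpriviledge_user_with_mail arp 00:01:02:03:04:06
acl SSLPORT port 443 563
acl SAFEPORT port 21 70 80 210 443 563 1025-65535
acl CONNECT method CONNECT
acl MAILDOM url_regex "/usr/local/etc/squid/block/blacklists/mail/domains"
acl ADSDOM url_regex "/usr/local/etc/squid/block/blacklists/ads/domains"

http_access allow manager localhost
http_access deny manager
http_access deny !SAFEPORT
http_access deny CONNECT !SSLPORT
http_access allow priviledged_user
http_access allow unpriviledged_user_with_mail MAILDOM
http_access deny all SPAMMER
http_access deny all ADSDOM
http_access deny all MAILDOM
http_access allow demiurgo
http_access allow localhost
http_access allow my_network
http_access deny all
"""


def parse_conf(text):
    """Return (defined_acl_names, rules); each rule is (lineno, action, terms)."""
    defined, rules = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            defined.add(parts[1])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((lineno, parts[1], parts[2:]))
    return defined, rules


def undefined_acls(text):
    """ACL names used by http_access but never defined, in order of first use."""
    defined, rules = parse_conf(text)
    missing = []
    for _, _, terms in rules:
        for term in terms:
            name = term.lstrip("!")  # '!' negates a term, the name is the rest
            if name not in defined and name not in missing:
                missing.append(name)
    return missing


def decide(text, matched):
    """First-match walk of the http_access rules.

    'matched' is the set of ACL names the request satisfies. A rule fires when
    every term on it holds (a '!'-prefixed term holds when the ACL does NOT
    match). Returns (action, lineno) of the deciding rule, or ('deny', None)
    when nothing fires, which a trailing 'deny all' rule prevents anyway.
    """
    _, rules = parse_conf(text)
    for lineno, action, terms in rules:
        if all((t.lstrip("!") in matched) != t.startswith("!") for t in terms):
            return action, lineno
    return "deny", None


if __name__ == "__main__":
    print("undefined ACLs:", undefined_acls(SAMPLE_CONF))
    # A LAN user fetching a MAILDOM URL: the misspelt allow on the mail rule
    # never matches, so the later 'deny all MAILDOM' decides.
    print(decide(SAMPLE_CONF, {"all", "my_network", "SAFEPORT", "MAILDOM"}))
    # Same request once the rule's name matches a defined ACL.
    print(decide(SAMPLE_CONF, {"all", "my_network", "SAFEPORT", "MAILDOM",
                               "unpriviledged_user_with_mail"}))
```

Run it against the real file by reading it into `undefined_acls()`; anything it reports is a name Squid will reject at start-up, and `decide()` makes the rule order visible when an allow that should win is sitting below a broader deny.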
 
Old 12-15-2005, 08:00 PM   #2
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
SNAT might solve it:

http://www.faqs.org/docs/iptables/ta...BLE.DNATTARGET
 
Old 12-15-2005, 08:13 PM   #3
Balkce
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Original Poster
Rep: Reputation: 0
Oops... grammatical mistake of mine.

Thanks born4linux, but it seems that my writing wasn't exactly correct (English isn't my first language)...

What I meant to say is that I cannot access the web server from outside the network... I can access it from inside (the DNS on the gateway, and the fact that the client and the web server are both on the same network, make it possible for the client to connect directly to the server without the need for NAT). I know that the NAT is set up correctly, because when I take Squid out of the picture I can connect to the web server from outside the network using the gateway's external IP without any problems.

Thanks again, and I'll edit that out, hehe...
 

All times are GMT -5.
