> Squid+nat Server On Whitebox Linux, Whitebox Linux (or Clones)
Robert83
post May 26 2004, 11:33 AM
Post #1
SQUID(transparent proxy server)+SQUIDGUARD+NAT Server On Whitebox Linux 3.0
Step-By-Step [tm]


1. Get yourself a Whitebox Enterprise Linux 3.0 CD or download it from http://www.whiteboxlinux.org/download.html .

2. Install WBEL 3.0 using the minimal install (choose custom during install, and select minimal),
a 30GB hard disk drive would be highly recommended, select manual partitioning during install
and partition it as :
/boot 102MB
/ 9892MB
/proxy1 10000MB
/proxy2 10000MB

PLEASE NOTE : I assume you'll be using IP : 192.168.10.2 for the proxy / nat server
and 192.168.10.1 for the firewall
and that you have 4 ethernet cards
eth0 : 192.168.0.250
eth1 : 192.168.1.250
eth2 : 192.168.2.250
eth3 : 192.168.10.2
When you configure windows or linux :
ip address : 192.168.0.x
gateway : 192.168.0.250
dns : use your isp's dns server or wait a little more, and Hughesjr will finish his DNS GUIDE

( I think this is a very good configuration , so you might as well use this type of setup )

3.Download the yum.conf file from here http://www.hughesjr.com/wbel/yum.conf.txt
INSTRUCTIONS :
CODE
[root@squid root]# cd /home
[root@squid root]# wget http://www.hughesjr.com/wbel/yum.conf.txt
[root@squid root]# cp yum.conf.txt /etc/yum.conf
   

at the cp yum.conf.txt /etc/yum.conf point the system will ask you if you want to overwrite the file,
type yes. And you're done with the yum.conf file.

4.Enter the following commands :

CODE
[root@squid root]# yum update

this will take a while; later you should update your system on a regular basis

5. Now it's time to install SQUID
CODE
[root@squid root]# yum install squid

6. Once squid is done, you will need to edit the /etc/squid/squid.conf file
INSTRUCTIONS :
CODE
    [root@squid root]# /etc/init.d/squid stop
    [root@squid root]# cd /etc/squid/
    [root@squid root]# rm squid.conf
   

Here is what you need to enter (please note that since you can do a lot of stuff with squid, there might be things
that won't be needed, please do check the config file, I think it's not so hard to understand once you have
something to begin from)
squid.conf
http_port 3228
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_mem 32 MB
fqdncache_size 1024

cache_dir ufs /proxy1/ 8000 16 256
cache_dir ufs /proxy2/ 8000 16 256

cache_mgr someone@somedomain.com # enter your e-mail adress here
cache_effective_user nobody # I like to run squid as nobody
cache_effective_group nobody # I like to run squid as nobody

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl ftpdr proto FTP
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 563
acl Safe_ports port 80 8080 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl subnet1 src 192.168.0.0/255.255.255.0
acl subnet2 src 192.168.1.0/255.255.255.0
acl subnet3 src 192.168.2.0/255.255.255.0
acl deny_ext urlpath_regex -i "/etc/squid/deny_ext"




http_access deny deny_ext
http_access allow subnet1 subnet2 subnet3
always_direct allow ftpdr
http_access allow subnet1
http_access allow subnet2
http_access allow subnet3
http_access deny all

ie_refresh on # this is needed because IE doesn't recognise transparent proxies properly

redirect_program /usr/bin/squidGuard
redirect_children 4

CODE
    [root@squid root]# vi squid.conf
   

MINI VI HOWTO :
In order to type in text you need to press i
Once you're finished typing your text, press ESC and then type :w
and press ENTER
Once you have saved, type :q and press ENTER to quit vi

7. When finished with the squid.conf type :
CODE
    [root@squid root]# chown nobody.nobody /proxy1
    [root@squid root]# chown nobody.nobody /proxy2
    [root@squid root]# chown nobody.nobody /var/log/squid
   

DON'T FORGET if you update squid (with yum update) it will change /var/log/squid back to
user:squid group:squid, and this will cause errors, since we use user:nobody group:nobody; just
do chown nobody.nobody /var/log/squid after you update Squid !

8. Now it's time to create the deny_ext file in /etc/squid/
CODE
    [root@squid root]# touch /etc/squid/deny_ext
   


Now you need to add this to the deny_ext file ( make sure you check what extensions are denied,
since you might want to allow some, and you might want to add some more )

.wma$
.voc$
.mp.$
.mpeg$
.mpg$
.avi$
.asf$
.rm$
.ram$
.mov$
.wav$
.ogg$
.asx$
.au$
.cda$
.wm.$
.mod$
.snd$

CODE
    [root@squid root]# vi /etc/squid/deny_ext
   


9. It's time to get SquidGuard
CODE
    [root@squid root]# cd /home
    [root@squid root]# wget http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/squidguard-1.2.0-2.rhel3.dag.i386.rpm
    [root@squid root]# wget http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/squidguard-blacklists-20040318-1.rhel3.dag.i386.rpm
    [root@squid root]# rpm -Uvh squidguard-1.2.0-2.rhel3.dag.i386.rpm
    [root@squid root]# rpm -Uvh squidguard-blacklists-20040318-1.rhel3.dag.i386.rpm
    [root@squid root]# rm /etc/squid/squidguard.conf
    [root@squid root]# vi /etc/squid/squidguard.conf
   

Add the following to your squidguard.conf, please note that this is an example, you might need to adjust
certain things, and remove a few rules.

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard
logdir /var/log/squidguard

src subnet1 {
    ip 192.168.2.0/24
    user foo bar
}
src subnet2 {
    ip 192.168.1.0/24
    user foo bar
}
src subnet3 {
    ip 192.168.0.0/24
    user foo bar
}

dest banned {
    domainlist adult/domains
    urllist adult/urls
}

acl {
    subnet1 {
        pass !banned all
        redirect http://192.168.10.2
    }
    subnet2 {
        pass !banned all
        redirect http://192.168.10.2
    }
    subnet3 {
        pass !banned all
        redirect http://192.168.10.2
    }
    default {
        pass !banned all
        redirect http://192.168.10.2
    }
}
This setup of SquidGuard will block porn sites (my tests indicated that when I tried www.google.com sex
and chose a few pages (50) at random none of them managed to pass SquidGuard, so we can assume
it's quite safe to rely on this list)

10. Phew so we are now done with configuring Squid+Squidguard, next comes the NAT, this will be done with
iptables.
CODE
     [root@squid root]# touch /home/proxy-iptables
     [root@squid root]# vi /home/proxy-iptables
     


You'll need to add these lines to your proxy-iptables file :
CODE
      iptables -A FORWARD -i eth0 -o eth1 -j DROP
      iptables -A FORWARD -i eth0 -o eth2 -j DROP
      iptables -A FORWARD -i eth1 -o eth0 -j DROP
      iptables -A FORWARD -i eth1 -o eth2 -j DROP
      iptables -A FORWARD -i eth2 -o eth0 -j DROP
      iptables -A FORWARD -i eth2 -o eth1 -j DROP
      iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
      iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
      iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
     


Once you're done typing this in (this might take some time, depending on your cpu and memory :) ),
it's time to make these iptables settings permanent.

CODE
      [root@squid root]# source /home/proxy-iptables
      [root@squid root]# iptables-save > /etc/sysconfig/iptables
     


11. Now let's make sure Squid and Iptables will start up on the next boot :
CODE
      [root@squid root]# chkconfig --list | grep iptables
     

the following result should come back
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
if for some reason iptables is not running in any of these runlevels just type
CODE
      [root@squid root]# chkconfig iptables on
     

Check if it's running again, just to make sure.
CODE
      [root@squid root]# chkconfig --list | grep squid
     

this will show this :
squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
just do a :
CODE
      [root@squid root]# chkconfig squid on
     

and check again if squid is now starting.
Add this line to your /etc/rc.d/rc.local
echo "1" > /proc/sys/net/ipv4/ip_forward
CODE
      [root@squid root]# vi /etc/rc.d/rc.local
     


12. Now we need to get apache (to host the redirection page that we use in squidguard.conf)
CODE
      [root@squid root]# yum install httpd
      [root@squid root]# chkconfig httpd on
     

and modify the following line in /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
change it to
DocumentRoot "/home"
(I like my webpages in my /home folder better than the default)
now you only need to create an index.html in /home
CODE
      [root@squid root]# touch /home/index.html
      [root@squid root]# vi /home/index.html
     

You can use this example html file if you wish, or create your own :
CODE
<html>
<head>
<title>! Porn Sites Are Banned !</title>
</head>

<body background="http://192.168.10.2/sin.jpg">

<center><B><font face="arial" color="white" size="4">WHITEBOX</font></B><B><font face="arial" color="gold" size="2"> Enterprise Linux 3.0 Final</font></B></center>
<br>
<br>
<HR>
<center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> PAGES ARE BLOCKED - YOU SHOULD WORK !</font></B></center>
<HR>
<br>
<br>
<br>
<HR>
<center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> LAPOK BLOKOLVA - INKABB DOLGOZZON ! </font></B></center>
<HR>
<br>
<br>
<center><font face="system" color="gold" size="+1"> Proxy / Nat Server Specifications</font></center>
<HR>
<center><font face="system" color="white" size="1"> CPU : AMD XP 1800+</font></center>
<center><font face="system" color="white" size="1"> MEMORY : 1024 MB DDR 400Mhz</font></center>
<center><font face="system" color="white" size="1"> HDD : 40GB / 2x Cache Dir 10-10GB</font></center>
<center><font face="system" color="white" size="1"> MOTHERBOARD : Gigabyte NForce2</font></center>
<center><font face="system" color="white" size="1"> LAN : 4xRealtek 10/100Mbit</font></center>
<HR>
<center><font face="arial" color="cyan" size="5"> YOUR GUARDIAN ANGEL IS : SquidGUARD[tm]</font></center>
<br>
<center><A HREF="mailto:user@somedomain.com"><font face="system" color="yellow" size="5">YOUR NAME HERE</font></A><font face="system" color="orange" size="5"><U>  MOB TEL: xxxxxxxxx</U></font></center>
<center><font face="system" color="gold" size="3">Somebody &amp; Nobody Co.,Ltd.</font></center>

</body>
</html>


13. Okay we are done now with the configuration, so let's reboot our new (transparent) proxy+nat server :
CODE
      [root@squid root]# reboot
     

Once the system is up and running again :
a.) check if squid is running
CODE
      [root@squid root]# /etc/init.d/squid status
     

next you can check the log files
/var/log/squid/
/var/log/squidguard/
/var/log/messages
just to see if everything started up without complaining.

I think this is it, you now have a fully working (transparent)proxy+nat server.

This topic is now closed, you can ask your questions about this guide in the Technical Support Forum

Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
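A worked check for the deny_ext list in step 8, added here as an example and not part of the original post. Squid reads `acl deny_ext urlpath_regex -i FILE` as a set of case-insensitive regular expressions, and in a regular expression an unescaped dot matches any character, so `.mp.$` also catches a path such as `/reports/stamp3`. The script below approximates Squid's matching with `grep -iE` (an approximation, not Squid itself), writes the guide's patterns next to an escaped-dot variant, and reports which list blocks each sample path. The file names and sample paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: checks deny_ext-style patterns
# against sample URL paths. grep -iE approximates Squid's case-insensitive
# urlpath_regex matching. File names and sample paths are constructed here.

# Writes a subset of the guide's patterns to the file named in $1.
# The dots are unescaped, so "." matches any character.
write_loose_list() {
    cat > "$1" <<'EOF'
.wma$
.mp.$
.mpeg$
.avi$
.wav$
.wm.$
EOF
}

# Same intent with the dots escaped, so "\.mp." only matches a literal ".mp?".
write_strict_list() {
    cat > "$1" <<'EOF'
\.wma$
\.mp.$
\.mpeg$
\.avi$
\.wav$
\.wm.$
EOF
}

# denied LISTFILE URLPATH -> exit status 0 if URLPATH matches any pattern
denied() {
    printf '%s\n' "$2" | grep -iqEf "$1"
}

# Prints one line per sample path showing which list would block it.
report() {
    loose=$1; strict=$2
    for p in /video/clip.AVI /reports/stamp3 /docs/README.html \
             /music/song.wav '/music/song.wav?id=7'; do
        l=ALLOW; s=ALLOW
        denied "$loose"  "$p" && l=DENY
        denied "$strict" "$p" && s=DENY
        printf '%-28s loose=%s strict=%s\n' "$p" "$l" "$s"
    done
}

LOOSE=${TMPDIR:-/tmp}/deny_ext.loose.$$
STRICT=${TMPDIR:-/tmp}/deny_ext.strict.$$
write_loose_list "$LOOSE"
write_strict_list "$STRICT"
report "$LOOSE" "$STRICT"
rm -f "$LOOSE" "$STRICT"
```

Two things the output makes visible: the loose list denies `/reports/stamp3` while the escaped list does not, and neither list touches `/music/song.wav?id=7`, because the `$` anchor sits after the extension; when the string being matched carries a query string, a `$`-anchored extension pattern no longer applies.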
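The guide ends by telling you to look at /var/log/squid/ to see whether everything started cleanly. As an added example (not from the original post), the script below shows what a defender would actually look for there: requests Squid refused through an `http_access deny` rule, such as the deny_ext rule in step 6, show up in access.log as `TCP_DENIED/403`. The functions summarise those entries per client from Squid's native access.log format (time, elapsed ms, client, action/status, bytes, method, URL, ident, hierarchy/peer, content type). The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: summarises TCP_DENIED entries
# in Squid's native access.log. The sample log lines are constructed.

# Writes constructed sample log lines to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
1085567612.001    120 192.168.0.17 TCP_MISS/200 4523 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1085567615.114      2 192.168.0.17 TCP_DENIED/403 1290 GET http://www.example.com/song.wav - NONE/- text/html
1085567620.330      1 192.168.0.17 TCP_DENIED/403 1290 GET http://www.example.com/clip.avi - NONE/- text/html
1085567625.777    310 192.168.1.5 TCP_HIT/200 8800 GET http://www.example.net/index.html - NONE/- text/html
1085567630.002      1 192.168.1.5 TCP_DENIED/403 1290 GET http://www.example.net/movie.mpg - NONE/- text/html
EOF
}

# denied_total LOG -> number of requests Squid refused
denied_total() {
    awk '$4 ~ /^TCP_DENIED\// { n++ } END { print n+0 }' "$1"
}

# denied_by_client LOG -> "count client" lines, most refusals first
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ } END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# denied_urls LOG CLIENT -> the URLs one client was refused
denied_urls() {
    awk -v c="$2" '$3 == c && $4 ~ /^TCP_DENIED\// { print $7 }' "$1"
}

LOG=${TMPDIR:-/tmp}/access.log.sample.$$
write_sample_log "$LOG"
echo "denied requests: $(denied_total "$LOG")"
echo "per client:"
denied_by_client "$LOG"
echo "URLs refused for 192.168.1.5:"
denied_urls "$LOG" 192.168.1.5
rm -f "$LOG"
```

Point the same functions at the real /var/log/squid/access.log once the server is up; a client that keeps appearing at the top of `denied_by_client` is either hitting the extension list constantly or is something worth a closer look.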