> Squid+nat Server On Whitebox Linux, Whitebox Linux (or Clones)
Robert83
post May 26 2004, 11:33 AM
Post #1
SQUID(transparent proxy server)+SQUIDGUARD+NAT Server On Whitebox Linux 3.0
Step-By-Step [tm]


1. Get yourself a Whitebox Enterprise Linux 3.0 CD or download it from http://www.whiteboxlinux.org/download.html .

2. Install WBEL 3.0 using the minimal install (choose custom during install, and select minimal).
A 30GB hard disk drive would be highly recommended; select manual partitioning during install
and partition it as:
/boot 102MB
/ 9892MB
/proxy1 10000MB
/proxy2 10000MB

PLEASE NOTE: I assume you'll be using IP 192.168.10.2 for the proxy / NAT server
and 192.168.10.1 for the firewall,
and that you have 4 ethernet cards:
eth0 : 192.168.0.250
eth1 : 192.168.1.250
eth2 : 192.168.2.250
eth3 : 192.168.10.2
When you configure Windows or Linux clients:
IP address : 192.168.0.x
gateway : 192.168.0.250
DNS : use your ISP's DNS server, or wait a little more and Hughesjr will finish his DNS guide

(I think this is a very good configuration, so you might as well use this type of setup)

3. Download the yum.conf file from here: http://www.hughesjr.com/wbel/yum.conf.txt
INSTRUCTIONS :
CODE
   [root@squid root] cd /home
   [root@squid root] wget http://www.hughesjr.com/wbel/yum.conf.txt
   [root@squid root] cp yum.conf.txt /etc/yum.conf
   

At the cp yum.conf.txt /etc/yum.conf step the system will ask you if you want to overwrite the file;
type yes. And you're done with the yum.conf file.

4. Enter the following command:

CODE
[root@squid root]# yum update

This will take a while; later you should update your system on a regular basis.

5. Now it's time to install SQUID
CODE
[root@squid root]# yum install squid

6. Once squid is installed, you will need to edit the /etc/squid/squid.conf file
INSTRUCTIONS :
CODE
    [root@squid root]# /etc/init.d/squid stop
    [root@squid root]# cd /etc/squid/
    [root@squid root]# rm squid.conf
   

Here is what you need to enter (please note that since you can do a lot of stuff with squid, there might be things
that won't be needed; please do check the config file, I think it's not so hard to understand once you have
something to begin from)
squid.conf
http_port 3228
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

cache_mem 32 MB
fqdncache_size 1024

cache_dir ufs /proxy1/ 8000 16 256
cache_dir ufs /proxy2/ 8000 16 256

cache_mgr someone@somedomain.com # enter your e-mail adress here
cache_effective_user nobody # I like to run squid as nobody
cache_effective_group nobody # I like to run squid as nobody

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl ftpdr proto FTP
acl localhost src 127.0.0.1/32
acl SSL_ports port 443 563
acl Safe_ports port 80 8080 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl subnet1 src 192.168.0.0/255.255.255.0
acl subnet2 src 192.168.1.0/255.255.255.0
acl subnet3 src 192.168.2.0/255.255.255.0
acl deny_ext urlpath_regex -i "/etc/squid/deny_ext"

http_access deny deny_ext
# NOTE: several ACLs on one http_access line are ANDed, so this line never matches
# (no client is in all three subnets at once); the per-subnet lines below do the work
http_access allow subnet1 subnet2 subnet3
always_direct allow ftpdr
http_access allow subnet1
http_access allow subnet2
http_access allow subnet3
http_access deny all

ie_refresh on # this is needed because IE doesn't recognise transparent proxies properly

redirect_program /usr/bin/squidGuard
redirect_children 4

CODE
    [root@squid root]# vi squid.conf
   

MINI VI HOWTO :
In order to type in text you need to press i.
Once you're finished typing in your text, press ESC, then type :w
and press ENTER.
Once you have saved, type :q and press ENTER to quit vi.

7. When finished with the squid.conf, type:
CODE
    [root@squid root]# chown nobody.nobody /proxy1
    [root@squid root]# chown nobody.nobody /proxy2
    [root@squid root]# chown nobody.nobody /var/log/squid
   

DON'T FORGET: if you update squid (with yum update) it will change /var/log/squid back to
user:squid group:squid, and this will cause errors, since we use user:nobody group:nobody. Just
do chown nobody.nobody /var/log/squid after you update Squid!

8. Now it's time to create the deny_ext file in /etc/squid/
CODE
    [root@squid root]# touch /etc/squid/deny_ext
   


Now you need to add this to the deny_ext file (make sure you check what extensions are denied,
since you might want to allow some, and you might want to add some more)

.wma$
.voc$
.mp.$
.mpeg$
.mpg$
.avi$
.asf$
.rm$
.ram$
.mov$
.wav$
.ogg$
.asx$
.au$
.cda$
.wm.$
.mod$
.snd$

CODE
    [root@squid root]# vi /etc/squid/deny_ext
   


9. It's time to get SquidGuard
CODE
    [root@squid root]# cd /home
    [root@squid root]# wget http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/squidguard-1.2.0-2.rhel3.dag.i386.rpm
    [root@squid root]# wget http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/squidguard-blacklists-20040318-1.rhel3.dag.i386.rpm
    [root@squid root]# rpm -Uvh squidguard-1.2.0-2.rhel3.dag.i386.rpm
    [root@squid root]# rpm -Uvh squidguard-blacklists-20040318-1.rhel3.dag.i386.rpm
    [root@squid root]# rm /etc/squid/squidguard.conf
    [root@squid root]# vi /etc/squid/squidguard.conf
   

Add the following to your squidguard.conf. Please note that this is an example; you might need to adjust
certain things and remove a few rules.

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard
logdir /var/log/squidguard

src subnet1 {
ip 192.168.2.0/24
user foo bar
}
src subnet2 {
ip 192.168.1.0/24
user foo bar
}
src subnet3 {
ip 192.168.0.0/24
user foo bar
}

dest banned {
domainlist adult/domains
urllist adult/urls
}

acl {
subnet1 {
pass !banned all
redirect http://192.168.10.2
}
subnet2 {
pass !banned all
redirect http://192.168.10.2
}
subnet3 {
pass !banned all
redirect http://192.168.10.2
}
default {
pass !banned all
redirect http://192.168.10.2
}
}
This setup of SquidGuard will block porn sites (my tests indicated that when I tried www.google.com sex
and chose a few pages (50) at random, none of them managed to pass SquidGuard, so we can assume
it's quite safe to rely on this list)

10. Phew, so we are now done with configuring Squid+SquidGuard. Next comes the NAT; this will be done with
iptables.
CODE
     [root@squid root]# touch /home/proxy-iptables
     [root@squid root]# vi /home/proxy-iptables
     


You'll need to add these lines to your proxy-iptables file :
CODE
      iptables -A FORWARD -i eth0 -o eth1 -j DROP
      iptables -A FORWARD -i eth0 -o eth2 -j DROP
      iptables -A FORWARD -i eth1 -o eth0 -j DROP
      iptables -A FORWARD -i eth1 -o eth2 -j DROP
      iptables -A FORWARD -i eth2 -o eth0 -j DROP
      iptables -A FORWARD -i eth2 -o eth1 -j DROP
      iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
      iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
      iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
      iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
     


Once you're done typing this in (this might take some time, depending on your CPU and memory),
it's time to make these iptables settings permanent.

CODE
      [root@squid root]# source /home/proxy-iptables
      [root@squid root]# iptables-save > /etc/sysconfig/iptables
     


11. Now let's make sure Squid and iptables will start up on the next boot:
CODE
      [root@squid root]# chkconfig --list | grep iptables
     

The following result should come back:
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
If for some reason iptables is not enabled in any of these runlevels, just type
CODE
      [root@squid root]# chkconfig iptables on
     

Check again if it's enabled, just to make sure.
CODE
      [root@squid root]# chkconfig --list | grep squid
     

This will show this:
squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Just do a:
CODE
      [root@squid root]# chkconfig squid on
     

and check again if squid is now starting.
Add this line to your /etc/rc.d/rc.local :
echo "1" > /proc/sys/net/ipv4/ip_forward
CODE
      [root@squid root]# vi /etc/rc.d/rc.local
     


12. Now we need to get Apache (to host the redirection page that we use in squidguard.conf)
CODE
      [root@squid root]# yum install httpd
      [root@squid root]# chkconfig httpd on
     

and modify the following line in /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"
change it to
DocumentRoot "/home"
(I like my webpages in my /home folder better than the default)
Now you only need to create an index.html in /home
CODE
      [root@squid root]# touch /home/index.html
      [root@squid root]# vi /home/index.html
     

You can use this example HTML file if you wish, or create your own:
CODE
<html>
<head>
<title>! Porn Sites Are Banned !</title>
</head>

<body background="http://192.168.10.2/sin.jpg">

<center><B><font face="arial" color="white" size="4">WHITEBOX</font></B><B><font face="arial" color="gold" size="2"> Enterprise Linux 3.0 Final</font></B></center>
<br>
<br>
<HR>
<center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> PAGES ARE BLOCKED - YOU SHOULD WORK !</font></B></center>
<HR>
<br>
<br>
<br>
<HR>
<center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> LAPOK BLOKOLVA - INKABB DOLGOZZON ! </font></B></center>
<HR>
<br>
<br>
<center><font face="system" color="gold" size="+1"> Proxy / Nat Server Specifications</font></center>
<HR>
<center><font face="system" color="white" size="1"> CPU : AMD XP 1800+</font></center>
<center><font face="system" color="white" size="1"> MEMORY : 1024 MB DDR 400Mhz</font></center>
<center><font face="system" color="white" size="1"> HDD : 40GB / 2x Cache Dir 10-10GB</font></center>
<center><font face="system" color="white" size="1"> MOTHERBOARD : Gigabyte NForce2</font></center>
<center><font face="system" color="white" size="1"> LAN : 4xRealtek 10/100Mbit</font></center>
<HR>
<center><font face="arial" color="cyan" size="5"> YOUR GUARDIAN ANGEL IS : SquidGUARD[tm]</font></center>
<br>
<center><A HREF="mailto:user@somedomain.com"><font face="system" color="yellow" size="5">YOUR NAME HERE</font></A><font face="system" color="orange" size="5"><U>  MOB TEL: xxxxxxxxx</U></font></center>
<center><font face="system" color="gold" size="3">Somebody & Nobody Co.,Ltd.</font></center>

</body>
</html>


13. Okay, we are done now with the configuration, so let's reboot our new (transparent) proxy+NAT server:
CODE
      [root@squid root]# reboot
     

Once the system is up and running again:
a.) check if squid is running
CODE
      [root@squid root]# /etc/init.d/squid status
     

Next you can check the log files
/var/log/squid/
/var/log/squidguard/
/var/log/messages
just to see if everything started up without complaining.

I think this is it; you now have a fully working (transparent) proxy+NAT server.

This topic is now closed, you can ask your questions about this guide in the Technical Support Forum

Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
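As an added example (not part of the post), the following Python script emulates how Squid evaluates the posted http_access list and the deny_ext urlpath_regex ACL, using a constructed excerpt of the config above. It shows that the ANDed allow line never matches, that a client outside the three subnets falls through to deny all, and that the unescaped leading dots in deny_ext also block ordinary paths such as /login/form until they are escaped.

```python
import ipaddress
import re

# Constructed excerpt of the post's squid.conf: the src ACLs, "all", and a few
# deny_ext patterns. As posted, the leading '.' is the regex "any character".
SRC_ACLS = {
    "subnet1": ipaddress.ip_network("192.168.0.0/24"),
    "subnet2": ipaddress.ip_network("192.168.1.0/24"),
    "subnet3": ipaddress.ip_network("192.168.2.0/24"),
    "all": ipaddress.ip_network("0.0.0.0/0"),
}
DENY_EXT = [".wma$", ".mp.$", ".avi$", ".rm$", ".au$", ".mov$"]

# The post's http_access lines, in order. ACLs on one line are ANDed, so the
# second line can never match: no client is in all three subnets at once.
HTTP_ACCESS = [
    ("deny", ["deny_ext"]),
    ("allow", ["subnet1", "subnet2", "subnet3"]),
    ("allow", ["subnet1"]),
    ("allow", ["subnet2"]),
    ("allow", ["subnet3"]),
    ("deny", ["all"]),
]

def escape_dots(patterns):
    """Return the patterns with a leading '.' escaped so it matches a literal dot."""
    return ["\\" + p if p.startswith(".") else p for p in patterns]

def acl_matches(name, client_ip, url, patterns):
    """src ACLs test the client address; deny_ext is a case-insensitive urlpath_regex."""
    if name == "deny_ext":
        rest = url.split("://", 1)[-1]                         # drop the scheme
        path = rest[rest.find("/"):] if "/" in rest else "/"   # path after the host
        return any(re.search(p, path, re.IGNORECASE) for p in patterns)
    return ipaddress.ip_address(client_ip) in SRC_ACLS[name]

def http_access(client_ip, url, rules=HTTP_ACCESS, patterns=DENY_EXT):
    """First matching line wins; returns (action, ACLs of the line that matched)."""
    for action, acls in rules:
        if all(acl_matches(a, client_ip, url, patterns) for a in acls):
            return action, acls
    # Squid's default when no line matches is the opposite of the last line.
    return ("allow" if rules[-1][0] == "deny" else "deny"), []

if __name__ == "__main__":
    for ip, url in [("192.168.0.15", "http://example.com/index.html"),
                    ("192.168.0.15", "http://example.com/login/form"),
                    ("192.168.5.7", "http://example.com/index.html")]:
        print(ip, url, http_access(ip, url), http_access(ip, url, patterns=escape_dots(DENY_EXT)))
```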
Robert83
post Jun 15 2004, 01:55 PM
Post #2
Hi,

I just wanted to add this extra info which might save some time for Internet Explorer users,

since our proxy is transparent and since Squid is not really an FTP proxy.

If you get errors with Internet Explorer 6 when trying to open up FTP sites,

do this:

1. Open up Internet Explorer
2. Click on Tools
3. Click on Internet Options
4. Click on Advanced
and uncheck the following:
Enable folder view of FTP sites
and check the following:
Use Passive FTP (for firewall and DSL modem compatibility)

Sincerely
Robert B
