- 10-14-2009 #1 Just Joined!
- Join Date
- Oct 2009
- Posts
- 23
Proxy server configuration pattern required
Hi friends
I am a newbie to Linux, and I am currently messed up while creating a proxy server for Linux using squid.
I have connected my Linux machine with a static IP connection and also with a switch connected to my office LAN. Now all I want is to create a proxy server, so that my other office (Windows) machines can access the internet too through the Linux machine.
Can anybody provide me a step-by-step configuration for this kind of proxy server, along with guidance on what I need to do with my network settings?
Worth mentioning: I'm using two network cards on my system, one with a static IP and another with the LAN, and both connections are working fine.
Thanks in advance....
- 10-15-2009 #2 Just Joined!
- Join Date
- Sep 2009
- Location
- Taiwan
- Posts
- 19
Which Linux distro are you using?
Did you want to configure squid to be a transport proxy server?
- 10-15-2009 #3 Just Joined!
- Join Date
- Aug 2009
- Location
- Mumbai, India
- Posts
- 75
Hi,
The basic setup for a working squid would be to configure your ACLs and then allow access to the ACL.
Create an ACL like (replace 192.168.1.0/24 with your own internal subnet):
Code:
acl mynetwork src 192.168.1.0/24
then
Code:
http_access allow mynetwork
Add the above lines to the relevant sections in the file; http_access line perhaps after the line http_access allow localnet
Ensure that traffic to port 3128 (default squid port) is allowed in iptables. Also configure proxy settings in the web browser on clients...
You could further tweak your config files to set up time based / host based restrictions, restrict websites that can be surfed etc....
--Syd
- 10-19-2009 #4 Just Joined!
- Join Date
- Oct 2009
- Posts
- 23
Hi
Yes, I'm using squid, and applied the ACL and all that stuff too, but I read somewhere that I need to masquerade my IP in order to let my LAN get connected to the internet that's running on the server. I'm trying for that only, but still not able to crack through..
Any ideas what to do, and how??
Thanks for all your present and future kind help..
- 10-20-2009 #5 Just Joined!
- Join Date
- Aug 2009
- Location
- Mumbai, India
- Posts
- 75
Hi,
You would need to masquerade your local network if you want the systems on the LAN to access the net directly without the squid functionality. This would route all incoming traffic to the internet by substituting the local IP with public IP before sending the packets out on the internet.
If you want to configure transparent proxy then you would need to configure some REDIRECT rules in iptables and change some settings in the squid.conf file.
But for basic squid functionality the steps mentioned previously should work. Some extracts from my working squid config file - just two lines that I've added
Code:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl mynetwork src 192.168.1.0/24 # (I've added this)
Code:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow mynetwork # (I've added this)
You could disable firewall to rule out iptables issue. Also ensure that
Code:
cat /proc/sys/net/ipv4/ip_forward
gives you an output of 1. This enables forwarding of traffic from one NIC to other
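Added example, not part of the posts above: squid checks http_access lines top to bottom and stops at the first match, which is why the placement of "http_access allow mynetwork" matters. The shell/awk function below reports the deciding line for a client IP. It is simplified to single-ACL rules, "acl NAME src" CIDR ranges and the name "all"; squid_decision and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: which http_access line decides for a given client IP?
# Simplified: single-ACL rules, "acl NAME src a.b.c.d/len" ranges and the name "all".
squid_decision() {   # usage: squid_decision CLIENT_IP < squid.conf
  awk -v ip="$1" '
    function num(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_cidr(addr, cidr,   p, size) {
      split(cidr, p, "/")
      size = 2 ^ (32 - (p[2] == "" ? 32 : p[2]))
      return int(num(addr) / size) == int(num(p[1]) / size)
    }
    { sub(/#.*/, "") }                               # drop comments
    $1 == "acl" && $3 == "src" {                     # remember every range of this ACL
      for (i = 4; i <= NF; i++) nets[$2] = nets[$2] " " $i
    }
    $1 == "http_access" && !done {                   # first matching line wins
      hit = ($3 == "all")
      n = split(nets[$3], list, " ")
      for (i = 1; i <= n; i++) if (in_cidr(ip, list[i])) hit = 1
      if (hit) { print $2 " by line " NR ": " $1 " " $2 " " $3; done = 1 }
    }
    END { if (!done) print "no rule matched" }
  '
}

# Constructed sample: the added allow line sits before the final deny.
conf_good() { cat <<'EOF'
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl mynetwork src 192.168.1.0/24
http_access allow localnet
http_access allow mynetwork
http_access deny all
EOF
}

# Constructed sample: the same allow line appended after "deny all".
conf_misplaced() { cat <<'EOF'
acl localnet src 10.0.0.0/8
acl mynetwork src 192.168.1.0/24
http_access allow localnet
http_access deny all
http_access allow mynetwork
EOF
}

conf_good      | squid_decision 192.168.1.50   # decided by the mynetwork allow
conf_misplaced | squid_decision 192.168.1.50   # decided by "deny all" first
```

Running the same check with an address outside every listed range confirms that the config does not act as an open proxy.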
- 10-20-2009 #6 Just Joined!
- Join Date
- Oct 2009
- Posts
- 23
Hi friends,
The issue with Squid is resolved; I was giving the wrong IP range.
Thanks a lot for your kind support, but.....B U T..but...I have another issue..he he
I'm trying to configure iptables to get the server access without proxy, and applied these 2 commands
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
where eth1 is connected to LAN and eth0 connected to WAN, and 3128 is the default port
Can anybody guide me on the iptables configuration as well...
Thanks
- 10-26-2009 #7 Just Joined!
- Join Date
- Oct 2009
- Posts
- 19
Hi oracletest....
What are the lines that you have added to your squid configuration? Do you want your proxy to be transparent, or do you want your Windows machines to configure their web browser with the proxy configurations? What Linux do you have...CentOS, Ubuntu?
I can give you a step-by-step configuration but you need to help me with this info first
- 10-27-2009 #8 Just Joined!
- Join Date
- Oct 2009
- Posts
- 23
Hi andrescamino
I have configured squid now, but I want my proxy to be transparent. I'm using the proxy server with my client browsers configured with the proxy. But all I want is a transparent proxy, so I do not have to configure my client browser before using the internet.
I am using CentOS at my server end and Windows XP at clients.
- 10-27-2009 #9 Just Joined!
- Join Date
- Oct 2009
- Posts
- 19
Hi oracletest
Okay, so if squid is working fine, you added the word "transparent" after the port 3128, right?
If you did that, you also created an ACL with the name of the LAN and also the http_access for that LAN.....
also the cache_mem and cache_dir ufs (for memory capabilities)
If you haven't done that let me know so I can help you with those lines
Okay, the second thing is to make your iptables work fine. You first have to flush all of your iptables configurations; go to the terminal and write these commands:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
service iptables save
Once you do that, make sure your iptables look something like this:
*filter
:INPUT ACCEPT [15259:8575015]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15294:8577259]
COMMIT
# Completed on Wed Oct 7 16:58:38 2009
# Generated by iptables-save v1.3.5 on Wed Oct 7 16:58:38 2009
*nat
:PREROUTING ACCEPT [7:2296]
:POSTROUTING ACCEPT [141:10027]
:OUTPUT ACCEPT [144:10697]
And if they look like this, go again to the terminal and write these two lines:
iptables -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
service iptables save
By the way, I am assuming that you have the 192.168.2.0 network for your entire LAN, and of course this must be the same LAN created in the ACL of your squid.conf
You should see those two lines in your iptables after you save them
You also have to change your network forward in /etc/sysctl.conf and change ipv4/ip_forward=0 to ipv4/ip_forward=1 (that's how you enable forwarding packets)
Then restart your squid and you should be good
Another thing is that you have to make sure that your Windows computers have the network configuration right in the 192.168.2.0 network and with default gateway 192.168.2.1 (of course assuming that your ethernet card connected to the LAN has that IP address), and also you should enter the same DNS as your proxy machine has
And that's how it's done....I hope it's not too messy, but if you get stuck at some point let me know and I'll explain with more details
best regards
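Added example, not part of post #9: a shell/awk check that reads iptables-save text and reports whether the REDIRECT and MASQUERADE rules of a transparent proxy are pinned to an interface. It assumes eth1 is the LAN side and eth0 the WAN side, as stated in post #6; audit_nat is a made-up name and both rule listings are constructed from the commands typed in this thread.

```shell
#!/bin/sh
# Added example: scope check for transparent-proxy rules in iptables-save text.
# Policy assumed here: intercept only on the LAN interface, masquerade only on the WAN one.
audit_nat() {   # usage: audit_nat LAN_IF WAN_IF < iptables-save-output
  awk -v lan="$1" -v wan="$2" '
    function opt(name,   i) {                 # value following an option, "" if absent
      for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
      return ""
    }
    function verdict(kind, got, want) {
      return (got == want ? "OK" : "WARN") " " kind "=" (got == "" ? "any" : got)
    }
    substr($0, 1, 1) == "*" { table = $1 }    # remember which table we are in
    table == "*filter" && $1 == ":INPUT" && $2 == "ACCEPT" {
      print "NOTE INPUT policy ACCEPT: no packet filter in front of the proxy port"
    }
    $1 != "-A" { next }
    $2 == "PREROUTING"  && opt("-j") == "REDIRECT"   { print verdict("redirect in-if", opt("-i"), lan) }
    $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" { print verdict("masquerade out-if", opt("-o"), wan) }
  '
}

# Constructed input: the rules typed in posts #6 and #9, as iptables-save would list them.
rules_thread() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
COMMIT
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
COMMIT
EOF
}

# Constructed input: the two rules from post #9 pinned to eth1 (LAN) and eth0 (WAN).
rules_scoped() { cat <<'EOF'
*nat
-A PREROUTING -s 192.168.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
EOF
}

rules_thread | audit_nat eth1 eth0
rules_scoped | audit_nat eth1 eth0
```

REDIRECT rewrites the destination to the proxy host itself, so intercepted packets still pass the filter INPUT chain. With an ACCEPT policy and no rules there, squid's own http_access list is the only control on who can use port 3128, unless squid is bound to the LAN address.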


