Monday, April 25, 2011

Updated my template

Just made a few changes in the design of my Blog UI by using the available templates here in google blogs and also reposted my transparent squid article.

Hope you people liked it! Cheers!!!

DHCP for transparent Squid


And last but not least, the DHCP server:
# aptitude install dhcp3-server
Then edit the configuration file:
# vim /etc/dhcp3/dhcpd.conf

Here is the content:

ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "verZion.com";

option domain-name-servers 8.8.8.8, 8.8.4.4;
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local 
# network, the authoritative directive should be uncommented.
authoritative;
# Log through syslog facility local7; point local7 at its own file in your syslog
# configuration if you want dhcpd messages out of /var/log/syslog
log-facility local7;

# gateway on your internal interface
option routers 192.168.1.1;

# This is a very basic subnet declaration.
subnet 192.168.1.0 netmask 255.255.255.0 { 
range 192.168.1.150 192.168.1.250;
}

=== End of file

With the basic settings in place, bind the server to the LAN side before starting it: in /etc/default/dhcp3-server set INTERFACES to your internal interface (eth1 in this setup), otherwise dhcpd also answers DHCP requests arriving on the WAN interface. Then restart it:
# /etc/init.d/dhcp3-server restart
And that's it! Every client PC gets its IP address from this server, and because the proxy is transparent they use it without any per-PC configuration.

IPTABLES for transparent Squid

In this post I create an iptables script and name the file fw.sh.

Here is the content:
#!/bin/bash
#
# iptables ko... by verzion
# (corrected: MASQUERADE and the port-80 REDIRECT were bound to the wrong
#  interfaces, the INPUT/OUTPUT policies were swapped, and the "save" lines
#  did not actually save anything)

# init string
ipt="/sbin/iptables"
SQUID_SERVER="ip_addr of your squid server"   # only needed if Squid runs on another host
WAN="eth0"
LAN="eth1"
SQUID_PORT="3128"

# how to use:
# $ipt -F
# rather than...
# /sbin/iptables -F

# Flush all config (rules and user-defined chains) in the filter and nat tables
$ipt -t filter -F
$ipt -t filter -X
$ipt -t nat -F
$ipt -t nat -X

# Policy settings: nothing reaches this box or is forwarded through it unless a
# rule below allows it. OUTPUT stays ACCEPT, otherwise Squid and the resolver on
# this box cannot reach the internet at all.
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# Enabling IP forwarding (put net.ipv4.ip_forward=1 in /etc/sysctl.conf to keep it across reboots).
echo "1" > /proc/sys/net/ipv4/ip_forward

# loopback is always allowed
$ipt -A INPUT -i lo -j ACCEPT

# no firewall for LAN
$ipt -A INPUT -i $LAN -p all -j ACCEPT
$ipt -A OUTPUT -o $LAN -p all -j ACCEPT

# Allow SSH from the LAN only. Remove "-i $LAN" only if you really need SSH from the WAN side.
$ipt -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT

# Allow ICMP. Zero (0) is for echo-reply. Eight (8) is for echo-request.
$ipt -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# Allow replies to connections this PC opened (Squid's fetches, DNS, updates).
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for the rest of the LAN: NAT on the way OUT to the WAN,
# forward new connections from the LAN and the replies coming back in from the WAN
$ipt -t nat -A POSTROUTING -o $WAN -j MASQUERADE
$ipt -A FORWARD -i $LAN -o $WAN -j ACCEPT
$ipt -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Transparent proxy: port 80 requests coming in from the LAN go to Squid on $SQUID_PORT.
# This must match -i $LAN; a rule on -i $WAN would hand the internet side to your proxy instead.
# Squid on this same box (the setup in these posts):
$ipt -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Squid on another host instead: use DNAT, and make sure that host routes its
# replies back through this gateway.
#$ipt -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

# Show the result. Rules are lost on reboot: to keep them, dump them to a file and
# load that file at boot with iptables-restore (for example from /etc/rc.local).
$ipt -L -v -n
$ipt -t nat -L -v -n
#iptables-save > /etc/iptables.rules
#iptables-restore < /etc/iptables.rules

=== End of file

Then make the script executable:
# chmod a+x fw.sh

Then execute it (as root):
# ./fw.sh

This ends the IPTABLES part: port 80 (www) requests from the LAN are now redirected to 3128 (Squid). Next, let the client PCs pick up their network settings automatically via DHCP.
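The two mistakes that are easiest to make in fw.sh (intercepting port 80 on the wrong interface, and a MASQUERADE or an INPUT policy that faces the wrong way) are invisible until a client cannot browse or, worse, until the proxy turns out to be reachable from the internet. The following script is an added example, not part of the original post or of fw.sh: it audits the ruleset as printed by iptables-save. The interface names and the Squid port are assumptions taken from the post, and the two dumps it runs on are constructed here (one reproducing the script as first posted, one a corrected ruleset), so it runs without root and without iptables installed.

```shell
#!/bin/sh
# Added example, not part of the original post or of fw.sh: audit an iptables
# ruleset for the interface mix-ups that break or expose a transparent Squid
# gateway. audit_rules takes iptables-save output (the live ruleset when run as
# root; here two constructed dumps stand in for it) and reports when:
#   1. the port-80 REDIRECT/DNAT in nat PREROUTING matches the WAN instead of the LAN,
#   2. MASQUERADE in nat POSTROUTING is not on the WAN interface,
#   3. the filter INPUT policy is ACCEPT, which leaves Squid's port open to the WAN.
# Interface names and the Squid port are assumptions taken from the post.
WAN="eth0"
LAN="eth1"
SQUID_PORT="3128"

# Constructed dump of what the script as first posted produces: intercept on the
# WAN side, MASQUERADE on the LAN side, INPUT policy ACCEPT.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

# Constructed dump of a corrected ruleset.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# has_rule DUMP REGEX -> true when a line of the dump matches the extended regex
has_rule() {
    printf '%s\n' "$1" | grep -Eq -e "$2"
}

# audit_rules DUMP -> prints one line per finding; exit status is the number of findings
audit_rules() {
    dump="$1"
    findings=0
    intercept='-p tcp .*--dport 80 .*-j (REDIRECT|DNAT)'
    # 1. Port-80 interception must match traffic arriving on the LAN, not on the WAN.
    if has_rule "$dump" "^-A PREROUTING -i $WAN $intercept"; then
        echo "port-80 intercept bound to the WAN ($WAN): the internet side is sent to Squid"
        findings=$((findings + 1))
    fi
    if ! has_rule "$dump" "^-A PREROUTING -i $LAN $intercept"; then
        echo "no port-80 intercept on the LAN ($LAN): clients bypass Squid"
        findings=$((findings + 1))
    fi
    # 2. MASQUERADE belongs on packets leaving towards the WAN.
    if ! has_rule "$dump" "^-A POSTROUTING -o $WAN -j MASQUERADE"; then
        echo "no MASQUERADE on $WAN: LAN clients are not NATed"
        findings=$((findings + 1))
    fi
    if has_rule "$dump" "^-A POSTROUTING -o $LAN -j MASQUERADE"; then
        echo "MASQUERADE on the LAN interface ($LAN) instead of the WAN"
        findings=$((findings + 1))
    fi
    # 3. With INPUT policy ACCEPT every INPUT rule is moot and the proxy port is open to the WAN.
    if has_rule "$dump" '^:INPUT ACCEPT'; then
        echo "filter INPUT policy is ACCEPT: port $SQUID_PORT is reachable from $WAN"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on the constructed dumps. Against the live firewall: audit_rules "$(iptables-save)"
echo "== ruleset as first posted:"
audit_rules "$BAD_DUMP" || echo "   $? finding(s)"
echo "== corrected ruleset:"
audit_rules "$GOOD_DUMP" && echo "   no findings"
```

Run it as root with `audit_rules "$(iptables-save)"` after executing fw.sh; the checks are plain regexes over the dump, so if you rename eth0/eth1 or move Squid to another port, change the three variables at the top to match.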

There is an update for this post. see http://linuxverzion.blogspot.com/2013/09/update-for-my-iptables-for-transparent.html
Cheers!

Transparent SQUID proxy setup

Just got a transparent proxy to work in Ubuntu, and here's the basic configuration of what I did...

Squid Setup

1. Download and Install The Squid Package.
# aptitude install squid

2. Configure the /etc/squid/squid.conf file.
# vim /etc/squid/squid.conf

Here's the contents:
visible_hostname SQDverZion
# "transparent" is the Squid 2.x keyword; on Squid 3.1 and later the option is "intercept"
http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

access_log /var/log/squid/access.log squid
#logformat Squid %>h

# Input here your DNS server
dns_nameservers 8.8.8.8

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# the LAN that may use this proxy (the same subnet the DHCP server hands out)
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Declaring the ACLs above does nothing by itself; these http_access lines put them to use.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports, and CONNECT to anything but the SSL ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Protect web applications running on the proxy host from external users
http_access deny to_localhost

# restriction list
#acl GoodSites dstdomain "/etc/squid/allowed-sites.squid"
#acl BadSites dstdomain "/etc/squid/blocked-sites.squid"

# blocking a site
acl facebooksite dstdomain .facebook.com
http_access deny facebooksite

# if you wish a site not to be cached (always_direct only bypasses parent caches,
# it does not stop caching) #
#acl site01 dstdomain google.com
#cache deny site01

# globally allowed sites (still only from the LAN; an "allow yahoosite" with no source
# ACL would serve that site to anyone who can reach port 3128) #
acl yahoosite dstdomain www.yahoo.com
http_access allow localnet yahoosite

# No Limit users by range #
#acl nolimitusers src 192.168.1.1-192.168.1.20
#http_access allow nolimitusers

# users with restrictions set #
# Below is a sample of how to apply the restriction lists to users
#acl user01 src 192.168.1.100
#http_access deny user01 BadSites
#http_access allow user01 GoodSites

# The LAN may use the proxy, everything else is denied. Keep "deny all" as the LAST
# http_access line: when no line matches, Squid applies the opposite of the last one,
# so a file that ends with "deny facebooksite" is an open proxy.
http_access allow localhost
http_access allow localnet
http_access deny all

=== End of Squid.conf file

To start Squid, type:
# /etc/init.d/squid start

The same command also takes "stop" and "restart".
To reload the configuration without restarting, issue:
# squid -k reconfigure
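Whether this squid.conf is safe hinges on one rule of Squid's http_access evaluation: the lines are tried top to bottom, and a request that matches none of them gets the opposite of the last line. A file whose last http_access is "deny facebooksite" therefore allows everything else, to any client that can reach port 3128. The script below is an added example, not part of the original post or of Squid: it extracts the http_access lines from a config, works out what an unmatched request gets, and reports the missing pieces (a final deny all, a localnet source ACL, the Safe_ports deny). The two configs it runs on are constructed here, one reduced from the posted squid.conf and one corrected; the ACL names it looks for (all, localnet, Safe_ports) are the ones used on this page. It complements, not replaces, Squid's own syntax check, squid -k parse.

```shell
#!/bin/sh
# Added example, not part of the original post or of Squid: detect the open-proxy
# failure mode in a squid.conf. Squid evaluates http_access top to bottom and,
# when nothing matches, applies the OPPOSITE of the last line. The ACL names
# checked for (all, localnet, Safe_ports) are assumptions taken from this page;
# include directives are not followed.

# Constructed: the posted squid.conf reduced to the lines that matter. ACLs are
# declared but the only http_access line is a single deny.
OPEN_CONF='http_port 3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
acl facebooksite dstdomain .facebook.com
http_access deny facebooksite'

# Constructed: corrected ordering, service denies first, then the LAN, then deny all.
CLOSED_CONF='http_port 3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
acl facebooksite dstdomain .facebook.com
http_access deny !Safe_ports
http_access deny facebooksite   # site blocks go before the allow for the LAN
http_access allow localhost
http_access allow localnet
http_access deny all'

# http_access_lines CONF -> the active http_access directives, in order,
# comments stripped and whitespace normalised to single spaces
http_access_lines() {
    printf '%s\n' "$1" | sed -e 's/#.*//' \
        | grep -E '^[[:space:]]*http_access[[:space:]]' \
        | sed -E 's/^[[:space:]]*//; s/[[:space:]]+/ /g; s/ $//'
}

# unmatched_request_action CONF -> what Squid does with a request no line matches:
#   none  : the last line is "deny all", so nothing goes unmatched
#   deny  : the last line is an allow, unmatched requests are denied
#   allow : the last line is a deny of something specific (or there is no
#           http_access at all), unmatched requests are ALLOWED
unmatched_request_action() {
    last=$(http_access_lines "$1" | tail -n 1)
    case "$last" in
        "http_access deny all") echo none ;;
        "http_access allow "*)  echo deny ;;
        *)                      echo allow ;;
    esac
}

# check_squid_conf CONF -> exit 0 when the config is closed, 1 with findings printed otherwise
check_squid_conf() {
    conf="$1"
    status=0
    if [ "$(unmatched_request_action "$conf")" = allow ]; then
        echo "open proxy: requests matching no http_access line are ALLOWED"
        status=1
    fi
    if ! http_access_lines "$conf" | grep -qE '^http_access deny all$'; then
        echo "missing final 'http_access deny all'"
        status=1
    fi
    if ! printf '%s\n' "$conf" | grep -qE '^[[:space:]]*acl[[:space:]]+localnet[[:space:]]+src'; then
        echo "no 'acl localnet src ...' for the LAN; add it and 'http_access allow localnet'"
        status=1
    fi
    if ! http_access_lines "$conf" | grep -qE '^http_access deny !Safe_ports$'; then
        echo "Safe_ports ACL declared but never used; add 'http_access deny !Safe_ports'"
        status=1
    fi
    return "$status"
}

# Demo on the constructed configs. For a real file: check_squid_conf "$(cat /etc/squid/squid.conf)"
echo "== squid.conf as posted:"
check_squid_conf "$OPEN_CONF" || echo "   -> fix these before port 3128 is reachable by anyone"
echo "== corrected squid.conf:"
check_squid_conf "$CLOSED_CONF" && echo "   no findings"
```

Run it against the live file with `check_squid_conf "$(cat /etc/squid/squid.conf)"` and then `squid -k parse` for syntax; the first catches a policy gap that parses perfectly well, the second catches typos that would stop Squid from starting. With the firewall script above, an open config is reachable only from the LAN; with an INPUT policy of ACCEPT it is reachable from the internet.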

See the next post regarding IPTABLES to redirect port 80 requests to 3128