Re: [squid-users] Help about iptable squid
Dear All:

iptables squid -v
Squid Cache: Version 3.1.1
configure options: '--prefix=/var/squid' '--sysconfdir=/etc' '--enable-arp-acl' '--enable-linux-netfilter' '--enable-pthreads' '--enable-err-language=Simplify_Chinese' '--enable-storeio=ufs' '--enable-default-err-language=Simplify_Chinese' '--enable-auth=basic' '--enable-baisc-auth-helpers=NCSA' '--enable-underscore' --with-squid=/usr/local/src/squid-3.1.1 --enable-ltdl-convenience

Why not Transparent proxy
Help Me!
Thanks!

squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.2.100-192.168.2.200/32 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.3.100-192.168.3.200/32 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

#acl SSL_ports port 443
#acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
#acl Safe_ports port 443 # https
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
#acl CONNECT method CONNECT

cache_effective_user squid
cache_effective_group squid
dns_nameservers 192.168.1.10
dns_nameservers 168.95.1.1
dns_nameservers 168.95.192.1
dns_nameservers 211.72.67.226
dns_nameservers 216.146.35.35
dns_nameservers 216.146.36.36
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_mem 128 MB
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
visible_hostname gw.efc.cory
cache_mgr ka...@everfocus.com.cn

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
allow_underscore on

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/var/cache 4096 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/var/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

----- Original Message -----
From: "Amos Jeffries"
To:
Sent: Thursday, April 22, 2010 1:27 PM
Subject: Re: [squid-users] Help about iptable squid

> kavin wrote:
>> Dear All:
>>
>> Linux has three card:
>> One is 192.168.1.250 (Internet) by 192.168.1.1
>> The other two are: 192.168.2.1, 192.168.3.1
>> Client: 192.168.2.100-192.168.2.200 / IP 192.168.3.100-192.168.3.200
>>
>> I have a few questions
>> 1: I'm in the allocation of time, add squid --enable-underscore options
>> But on a visit to the site is still has underlined
>
> That made no sense at all.
> Can you please describe the problem it another way?
>
>> 2: why TeamViewer software from external links, always break, then cannot
>> connect
>> But, I have broken the network, configuration files below
>
> Again. Is that a question?
>
> Something called "teamviewer" does not work after you broke it?
>
> Please explain some more.
>
>>
>> httpd_accel_host virtual
>>
>
> Squid 2.5 config. Please upgrade your software.
>
> 1) We have not supported 2.5 since more than 3 years now.
>
> 2) reverse proxy is quite difficult in that version.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.1
>
Re: [squid-users] Help about iptable squid
kavin wrote:
> Dear All:
>
> Linux has three card:
> One is 192.168.1.250 (Internet) by 192.168.1.1
> The other two are: 192.168.2.1, 192.168.3.1
> Client: 192.168.2.100-192.168.2.200 / IP 192.168.3.100-192.168.3.200
>
> I have a few questions
> 1: I'm in the allocation of time, add squid --enable-underscore options
> But on a visit to the site is still has underlined

That made no sense at all.
Can you please describe the problem it another way?

> 2: why TeamViewer software from external links, always break, then cannot
> connect
> But, I have broken the network, configuration files below

Again. Is that a question?

Something called "teamviewer" does not work after you broke it?

Please explain some more.

>
> httpd_accel_host virtual
>

Squid 2.5 config. Please upgrade your software.

1) We have not supported 2.5 since more than 3 years now.

2) reverse proxy is quite difficult in that version.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.1
[squid-users] Help about iptable squid
Dear All:

Linux has three card:
One is 192.168.1.250 (Internet) by 192.168.1.1
The other two are: 192.168.2.1, 192.168.3.1
Client: 192.168.2.100-192.168.2.200 / IP 192.168.3.100-192.168.3.200

I have a few questions
1: I'm in the allocation of time, add squid --enable-underscore options
But on a visit to the site is still has underlined
2: why TeamViewer software from external links, always break, then cannot connect
But, I have broken the network, configuration files below

http_port 3128
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_mem 128 MB
cache_dir ufs /var/spool/squid 4096 16 256
cache_effective_user squid
cache_effective_group squid
dns_nameservers 192.168.1.10
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
visible_hostname gw.efc.cory
cache_mgr ka...@everfocus.com.cn
acl 2 src 192.168.2.100-192.168.2.200/32
http_access allow 2
acl 3 src 192.168.3.100-192.168.3.200/32
http_access allow 3
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access deny all

*mangle
:PREROUTING ACCEPT [11949307:8517837757]
:INPUT ACCEPT [61863944:9774933638]
:FORWARD ACCEPT [11730595:8495305567]
:OUTPUT ACCEPT [40941:4437279]
:POSTROUTING ACCEPT [11214754:8468974725]
COMMIT
*nat
:PREROUTING ACCEPT [694231:44896066]
:POSTROUTING ACCEPT [71812:4199611]
:OUTPUT ACCEPT [1788:412902]
-A POSTROUTING -m iprange --src-range 192.168.3.100-192.168.3.200 -o eth0 -j SNAT --to-source 192.168.1.250
-A POSTROUTING -m iprange --src-range 192.168.2.100-192.168.2.200 -o eth0 -j SNAT --to-source 192.168.1.250
-A PREROUTING -i eth2 -p tcp -m iprange --src-range 192.168.3.100-192.168.3.200 --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m iprange --src-range 192.168.2.100-192.168.2.200 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [37276:4032229]
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,123,161,162,500,1701,1194,1993 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,53,8080,3128,9101,9102,9103 -j ACCEPT
-A INPUT -s 168.95.1.1 -j ACCEPT
-A INPUT -s 168.95.192.1 -j ACCEPT
-A INPUT -s 211.72.67.226 -j ACCEPT
-A INPUT -s 216.146.35.35 -j ACCEPT
-A INPUT -s 216.146.36.36 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 168.95.1.1 -j ACCEPT
-A FORWARD -s 168.95.192.1 -j ACCEPT
-A FORWARD -s 211.72.67.226 -j ACCEPT
-A FORWARD -s 216.146.35.35 -j ACCEPT
-A FORWARD -s 216.146.36.36 -j ACCEPT
-A FORWARD -d 168.95.1.1 -j ACCEPT
-A FORWARD -d 168.95.192.1 -j ACCEPT
-A FORWARD -d 211.72.67.226 -j ACCEPT
-A FORWARD -d 216.146.35.35 -j ACCEPT
-A FORWARD -d 216.146.36.36 -j ACCEPT
-A FORWARD -m iprange --src-range 192.168.2.100-192.168.2.200 -d 192.168.1.176 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -j ACCEPT
-A FORWARD -s 192.168.11.0/24 -j ACCEPT
-A FORWARD -d 192.168.10.0/24 -j ACCEPT
-A FORWARD -d 192.168.11.0/24 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -d 211.157.108.130 -j ACCEPT
-A FORWARD -d 220.128.204.167 -j ACCEPT
-A FORWARD -d 211.72.67.227 -j ACCEPT
-A FORWARD -d 211.72.67.226 -j ACCEPT
-A FORWARD -d 220.128.204.163 -j ACCEPT
-A FORWARD -d 61.66.137.4 -j ACCEPT
-A FORWARD -d 61.66.137.3 -j ACCEPT
-A FORWARD -d 61.66.137.5 -j ACCEPT
-A FORWARD -p udp -m multiport --dports 53,123,137,138 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 20,21,53,139,445,1863,5900,3128,8080 -j ACCEPT
-A FORWARD -m iprange --src-range 192.168.3.100-192.168.3.200 -p tcp -m multiport --dports 80,443,25,110 -j ACCEPT
-A FORWARD -m iprange --src-range 192.168.2.100-192.168.2.200 -p tcp -m multiport --dports 80,443,25,110 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Hope everybody to help me to solve it

Thank
Kavin