frech wrote:
Hi Amos,
thank you so much for your reply!!
I still have some questions.
Amos Jeffries-2 wrote:
The port-forwarding already setup is external coming in.
Squid is internal going out. right?
--> right!
So ensure that the -i option is used by both rules.
-i takes the NIC name (eth0, eth1 etc) where the new connections the
rule applies to are coming into the firewall.
--> I have the problem that I can't configure the firewall, as I have no
access. For Squid there is a rule on the firewall directing port 8080 to
the squid server, so if I temporarily set up apache to listen on port 8080
I can reach the squid server from www ;-) I don't know at the moment if
there is also a rule for 8080 going out. But I have no problem to ping and
use lynx from the squid server's shell.
The defaults on Lenny should be fine to start with. Define the
"localnet" settings to your Internal network range and squid3 'just
works'.
--> Sorry, I thought I had squid3, but it is the stable 2.7 ... I
restarted using the example from ../doc/squid/examples
and only changed the http_port to the IP of the server's internal
eth1 address:
http_port 192.168.3.2:3128
Ah, okay. Almost as easy. Just a lot of wading through the config file
to find things. :(
IIRC the ACL name there is "our_networks" or something. It still needs
to be set to the internal network range to let clients use Squid.
There is a file at /usr/share/squid/QUICKSTART I think. Which has the
full list of things to check and set for your version before first use.
WARNING: Interception is less commonly named "man-in-the-middle security
attack". Beware of many problems; least of which is HTTPS and
authentication being completely non-compatible.
--> I don't want to do too much ;-) It is just that I don't know how to
configure it in a better way ...
PART 1:
The routing on Squid box is normal two routes, with 192.168.1.1 as
default gateway and 192.168.1.2 as gateway back to 192.168.3.0.
--> so, how to set the route correctly?
The original:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     *               255.255.255.0   U     0      0        0 eth1
localnet        *               255.255.255.0   U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
Do I have to change the first line or append a new one?
Is it
192.168.3.0     192.168.1.2     255.255.255.0   UG    0      0        0 eth1
OR
192.168.3.0     192.168.1.2     255.255.255.0   UG    0      0        0 eth0
(so eth0 or eth1 at the end??)
Um, reading on, I think I made a fatal assumption that tainted most of
what I said.
Interception should be kept as a last resort. If a full outbound block
is not possible but you still require the proxy as a filter for
port 80, I recommend the following:
--> There is no real need for Interception if I can configure a running
squid ;-)
Your config with Squid in 192.168.1.* and clients in 192.168.3.* sounds
like a DMZ setup to me.
--> Problem which resulted in this setup:
I work in a project in Africa. Bandwidth is very low there. Now we had to
set up a workgroup for some extra work to do. This workgroup resides
outside the normal company building and is connected to the main building
by WLAN. We have one server (with data and licence server) and three
workstations in the extra building.
Now we had problems with network stability (access to the workgroup
server was interrupted by something coming out of the intranet ...) and,
working with software needing big updates, I thought it might be helpful
to set up a proxy. Now, the three workstations and the server are connected
by a small hub. The hub is connected to the official switch.
I changed the "extra" network from the company's 192.168.1.0 to the new
192.168.3.0, because I need static IPs for the workstations and the
company network uses a DHCP on the firewall.
Um, oooh, Ahhhh.
You don't mention a router between Squid and the clients in that
description. My bad assumption.
Let me just get this right in my head. Squid is the box with 2 NICs,
everything else is currently hung off a switch (and a chained hub) with a
firewall facing the Internet?
Like So:
workstation1--|
workstation2--|
workstation3--|
workstation*--|--Hub-----Switch---Firewall
data server---|
Now where does the squid box sit?
(a)
workstation*--|--Hub-----Switch---Firewall
data server---|            |         |
                           |--Squid--|
OR (b):
workstation*--|--Hub---Squid---Switch---Firewall
data server---|
On the Squid box is where the DNAT intercept actually happens. As per
this config:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
(use a second http_port for the intercept traffic).
So all I need, is a simple and working squid configuration to start with ;-)
But until now, I did not manage to set it up ;-(
If I understand correctly, all I have to do is to create the correct route of
interfaces to start with the sample squid.conf. Is this correct?
Yes. Regardless of my mistake earlier, this is still true.
The "restricted" port 8080 which is redirected from the firewall to my squid
server has no effect ... And, it might work without any port redirected to
my squid??
Yes.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
Current Beta Squid 3.1.0.10 or 3.1.0.11
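The route question above ("eth0 or eth1 at the end?") can be checked mechanically. The following is an added example, not code from the thread or from the Squid project: it parses the `route -n` table quoted above (constructed here, with "localnet" assumed to be 192.168.1.0 since the Squid box sits in 192.168.1.*), does the kernel's longest-prefix lookup, and tests whether a proposed gateway route is even usable on a given interface.

```python
import ipaddress

# Routing table of the Squid box as quoted in the thread (constructed here;
# "localnet" is assumed to be 192.168.1.0, and "*"/"default" are written as
# 0.0.0.0, which is how `route -n` prints them).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0   0   eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0   0   eth0
"""

def parse_routes(text):
    """Turn `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gw": None if gw == "0.0.0.0" else ipaddress.ip_address(gw),
            "iface": iface,
        })
    return routes

ROUTES = parse_routes(ROUTE_TABLE)

def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks the route for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best

def gateway_is_on_link(routes, gw, iface):
    """A 'UG' route only works if its gateway lies on a directly connected
    (gateway-less) network that is reached through the same interface."""
    gw = ipaddress.ip_address(gw)
    return any(r["gw"] is None and r["iface"] == iface and gw in r["net"]
               for r in routes)

def needs_gateway_route(routes, net):
    """False when a directly connected route already covers the network,
    i.e. adding a gateway route for it would be redundant."""
    net = ipaddress.ip_network(net)
    return not any(r["gw"] is None and r["net"] == net for r in routes)
```

With this table, 192.168.3.0/24 is already reached directly on eth1, and a gateway of 192.168.1.2 would not be on-link for eth1 at all, so neither proposed line is needed.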