#1  
Old 9th July 2012, 12:07
sayurganja
Please review my proxy server

Hello, please review my proxy setup

I have CentOS 5.4 setup as a Proxy + Squid 2.7 Stable9 (transparent).

Processor : Intel(R) Pentium(R) D CPU 3.00GHz, 2 cores
RAM: 1 GB + 512 MB DDR2
HDD: 250 GB
Clients: 70 users running Windows XP
IP settings on the clients:
Static IP
Gateway : 192.168.0.10
DNS : 192.168.2.10

Modem ADSL : 192.168.2.10
eth0 : Internet (192.168.2.20)
eth1 : LAN (192.168.0.10)
Client : 192.168.0.0/24

This is the network topology I use:
Code:
Modem ADSL -------- [eth0]CentOS 5.4[eth1] -------- PC Client
And here is my iptables script:
Quote:
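#!/bin/sh
# Firewall for the CentOS 5.4 gateway running Squid 2.7 as a transparent proxy.
# $PUBLIC faces the ADSL modem, $LAN faces the client subnet. LAN port-80
# traffic is diverted to Squid on this host; everything else from the LAN is
# masqueraded out of $PUBLIC. Nothing unsolicited is accepted or routed in.

# squid server IP (Squid runs on this host; this is its $PUBLIC-side address)
SQUIDIP="192.168.2.20"

# Interface connected to Internet
PUBLIC="eth0"

# Interface connected to LAN
LAN="eth1"

# Squid port
SQUIDPORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall (policies are re-applied below, so there is a short
# window with no rules while this script runs)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# For win xp ftp client (active-mode FTP data connections through NAT
# additionally need the NAT helper)
# modprobe ip_nat_ftp

# Setting default filter policy.
# FORWARD used to be left at the kernel default (ACCEPT), so anything that
# reached $PUBLIC with a route to the LAN subnet was routed straight through;
# now only the FORWARD rules below decide what gets routed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections this host opened on the Internet side
# (covers UDP/DNS answers and passive FTP via ip_conntrack_ftp)
iptables -A INPUT -i $PUBLIC -m state --state ESTABLISHED,RELATED -j ACCEPT

# set this system as a router for Rest of LAN:
# new connections may only be initiated from the LAN side, replies flow back
iptables --table nat --append POSTROUTING --out-interface $PUBLIC -j MASQUERADE
iptables --append FORWARD --in-interface $LAN -j ACCEPT
iptables --append FORWARD --in-interface $PUBLIC --out-interface $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUIDPORT) aka transparent proxy.
# The DNAT target is this host's own address, so the packets end up in INPUT
# (accepted above for $LAN), not in FORWARD.
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to $SQUIDIP:$SQUIDPORT

# The former "if it is same system" REDIRECT rule on $PUBLIC is gone on
# purpose: it rewrote port-80 connections arriving from the Internet side to
# Squid, which only the INPUT DROP policy kept from exposing the proxy, and it
# did nothing for LAN clients (the DNAT above already handles them).

# Enable routing only now that the FORWARD policy and rules are in place
echo 1 > /proc/sys/net/ipv4/ip_forward

# DROP everything else and Log it; rate-limited so a port scan cannot fill
# the log or the disk
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "
iptables -A INPUT -j DROP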
Here is my squid.conf:
Quote:
# squid.conf for Squid 2.7 STABLE9 running as a transparent proxy on the
# CentOS gateway; LAN port-80 connections reach port 3128 via the DNAT rule in
# the iptables script. http_access, snmp_access and refresh_pattern lists are
# evaluated top-down, first match wins, so line order is significant.

# NOTE(review): a bare "?" is not a valid regex atom (the stock config writes
# "\?"), and "localhost" is a third regex tested against the URL path, not a
# host. QUERY is not referenced by any cache/no_cache line below either, so
# this acl currently has no effect.
acl QUERY urlpath_regex -i cgi-bin ? localhost
# every client address; only used in the final "deny all" lines
acl all src 0.0.0.0/0.0.0.0
# the cache-manager interface (cache_object://); restricted to localhost below
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# declared but never used: the stock config adds "http_access deny to_localhost"
# so clients cannot use the proxy to reach services bound to 127.0.0.1 on the
# gateway itself
acl to_localhost dst 127.0.0.0/8
acl PURGE method PURGE
acl CONNECT method CONNECT

# ports CONNECT may tunnel to (enforced by "deny CONNECT !SSL_ports" below).
# NOTE(review): 587/110/25 let any LAN host that points a client at port 3128
# explicitly open a raw tunnel to arbitrary SMTP/POP3 servers through the
# proxy; the stock config lists only the https port. Keep them only if mail
# tunnelling via the proxy is intended.
acl SSL_ports port 443 587 110 25
# destination ports plain HTTP requests may go to (stock Squid list)
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# "public" is the well-known default community; snmp_access below limits it to
# localhost. snmp_port is not set, so Squid's compiled-in default applies
# (only relevant if this build has SNMP support)
acl snmppublic snmp_community public

# manager and PURGE only from the gateway itself
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
# refuse requests to ports outside Safe_ports and tunnels outside SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# the gateway's own eth0 address plus the client subnet behind eth1
acl localnet src 192.168.2.20 192.168.0.0/24

http_access allow localhost
http_access allow localnet
# anything not from localnet is refused, so this is not an open proxy even
# though http_port is bound on every local address
http_access deny all
http_reply_access allow all

snmp_access allow snmppublic localhost
snmp_access deny all

# "transparent" accepts intercepted (DNATed) connections; no address is given,
# so Squid listens on every interface and the gateway's INPUT policy is what
# keeps port 3128 off the Internet side
http_port 3128 transparent
# ZPH: mark cache hits in the IP TOS field so a downstream shaper can tell
# hits from misses
zph_mode tos
zph_local 0
zph_parent 0
zph_option 136

# literal strings (not the QUERY acl) that force direct fetching instead of
# asking a parent cache; no parents are configured in this file
hierarchy_stoplist cgi-bin localhost

# NOTE(review): 1024 MB of in-memory objects on a host with 1.5 GB RAM, on top
# of the in-memory index for 3 x 30000 MB of disk cache (Squid's rule of thumb
# is roughly 10 MB of RAM per GB of cache_dir), is very likely to exhaust
# memory and swap. A Squid that keeps dying and being restarted would show
# nothing but misses -- check cache.log and "free" before tuning anything else.
cache_mem 1024 MB
maximum_object_size 50 MB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
# 3 x 30000 MB aufs stores on the 250 GB disk; each directory must be writable
# by cache_effective_user
cache_dir aufs /cache1 30000 16 256
cache_dir aufs /cache2 30000 16 256
cache_dir aufs /cache3 30000 16 256
store_dir_select_algorithm least-load
# start evicting at 98% full, evict aggressively above 99%
cache_swap_low 98%
cache_swap_high 99%
update_headers off

# logs go straight under /var/log, which must be writable by the squid user
access_log /var/log/access.log
cache_log /var/log/cache.log
cache_store_log /var/log/cachestore.log
logfile_rotate 5
log_ip_on_direct off
log_icp_queries off
buffered_logs off
netdb_filename none
pid_filename /var/run/squid.pid

# static file types: fresh for at least 1440 min (1 day) when the origin gives
# no explicit expiry, at most 43200 min (30 days). "$" anchors on the end of
# the URL, so URLs with a query string after the extension fall through to the
# catch-all rule below. (pdf and swf are listed twice; harmless.)
refresh_pattern -i \.(class|css|js|gif|jpg|ps)$ 1440 50% 43200
refresh_pattern -i \.(jpe|jpeg|png|bmp|tif)$ 1440 50% 43200
refresh_pattern -i \.(tiff|mov|avi|qt|mpeg|flv|ra|rm|wmv|divx)$ 1440 50% 43200
refresh_pattern -i \.(mpg|mpe|wav|au|mid|mp3|mp4|ac4|swf)$ 1440 50% 43200
refresh_pattern -i \.(zip|gz|arj|lha|lzh|7z)$ 1440 50% 43200
refresh_pattern -i \.(rar|tgz|tar|exe|bin|rpm|iso)$ 1440 50% 43200
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf|xls|ppt|pdf|docx|xlsx)$ 1440 50% 43200
refresh_pattern -i \.(inc|cab|ad|txt|dll|dat)$ 1440 50% 43200

# stock rules for ftp, gopher and everything else
refresh_pattern ^ftp: 1440 95% 12960 reload-into-ims
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# with min and max both at 0 KB, a transfer the client abandons is abandoned
# server-side too, so a partially fetched object is never completed for the
# cache -- TODO confirm this is the intended trade-off
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
store_avg_object_size 32 KB

server_http11 on
collapsed_forwarding on
vary_ignore_expire on
# strip headers that identify the client or the origin. NOTE(review): in 2.x
# header_access applies to request and reply headers -- confirm for this
# build; otherwise the Server/Link lines do nothing. forwarded_for off below
# already suppresses X-Forwarded-For on outgoing requests.
header_access From deny all
header_access Server deny all
header_access Link deny all
header_access Via deny all
header_access X-Forwarded-For deny all

forward_timeout 240 seconds
connect_timeout 60 second
peer_connect_timeout 5 seconds
read_timeout 600 second
request_timeout 60 second
persistent_request_timeout 60 seconds
client_lifetime 86400 second
half_closed_clients off
pconn_timeout 60 second
shutdown_lifetime 15 second

# cache_mgr is shown on error pages as the contact address; it should be a
# reachable e-mail address rather than a user name
cache_mgr krisjun
cache_effective_user squid
cache_effective_group squid
# keep the Squid version out of error pages and Via headers
httpd_suppress_version_string on
visible_hostname krisjun

# only effective up to the per-process limit the OS grants (ulimit -n)
max_filedescriptors 65535

check_hostnames off
dns_timeout 30 seconds
# the ADSL modem is the resolver (the clients use it as DNS as well)
dns_nameservers 192.168.2.10
hosts_file /etc/hosts
ipcache_size 16384
ipcache_low 98
ipcache_high 99
fqdncache_size 16384

memory_pools off
# do not add X-Forwarded-For to outgoing requests
forwarded_for off
# turn client "no-cache" reloads into If-Modified-Since checks; fewer misses,
# but this deviates from HTTP semantics
reload_into_ims on
coredump_dir /home/squid
pipeline_prefetch on

I'm confused: why does Squid always log TCP_MISS?
And how can I block FTP using iptables?
  #2  
Old 9th July 2012, 12:53
TiTex

For the second question, assuming that eth1 is your LAN interface:
Code:
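# Block FTP control connections from the LAN. Filtering belongs in the filter
# table's FORWARD chain, not nat: nat only sees the first packet of each
# connection and exists for address rewriting. -I puts the rule ahead of the
# "FORWARD -i eth1 -j ACCEPT" rule in the gateway script, so it is hit first.
# A client configured to use the proxy explicitly can still fetch ftp:// URLs
# through Squid itself; deny those in squid.conf with a "proto FTP" acl.
iptables -I FORWARD -i eth1 -p tcp --dport 21 -j DROP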
This will insert the rule at the top of the chain.
  #3  
Old 9th July 2012, 13:09
sayurganja

Quote:
Originally Posted by TiTex View Post
For the second question, assuming that eth1 is your LAN interface:
Code:
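# Block FTP control connections from the LAN. Filtering belongs in the filter
# table's FORWARD chain, not nat: nat only sees the first packet of each
# connection and exists for address rewriting. -I puts the rule ahead of the
# "FORWARD -i eth1 -j ACCEPT" rule in the gateway script, so it is hit first.
# A client configured to use the proxy explicitly can still fetch ftp:// URLs
# through Squid itself; deny those in squid.conf with a "proto FTP" acl.
iptables -I FORWARD -i eth1 -p tcp --dport 21 -j DROP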
This will insert the rule at the top of the chain.
OK, thanks, I will try it.
  #4  
Old 9th July 2012, 13:21
TiTex

ok

By the way, TCP_MISS is normal for dynamic pages like (http://www.howtoforge.com/forums/showthread.php?p=28178).

This is my squid.conf ... I'm also getting TCP_MISSes, but only for images and dynamic pages, because those are not cached.

Code:
# TiTex's squid.conf, posted for comparison: a non-transparent Squid listening
# on 8080 for the 192.168.1.0/24 LAN. The httpd_accel_* directives are Squid
# 2.5 syntax that 2.6+ no longer accepts (replaced by http_port options) and
# no_cache is the old spelling of "cache", so this file would not load
# unchanged on the Squid 2.7 install above.
http_port 8080
# ICP disabled, so the icp_access line further down is moot
icp_port 0
# dynamic content (cgi-bin or a "?" in the URL) is fetched directly and, via
# the QUERY acl, never cached -- which is why such pages log TCP_MISS
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_replacement_policy lru
memory_replacement_policy lru
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
# Apache-style access log format
emulate_httpd_log on
log_ip_on_direct on
redirect_rewrites_host_header on
# basic-auth helper settings, but there is no "auth_param basic program" line
# and no proxy_auth acl, so no client is ever asked to authenticate
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
# stock freshness rules; everything not matched earlier gets "0 20% 4320"
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# declared but, as in the first config, never used in an http_access line
acl to_localhost dst 127.0.0.0/8
# https and snews: the only ports CONNECT may tunnel to
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 53          # dns (not in the stock list; lets clients send HTTP to port 53)
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 5050         # yahoo default port
acl CONNECT method CONNECT
# http_access is evaluated top-down, first match wins
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.0/24
http_access allow localhost
http_access allow lan
http_reply_access allow all
icp_access allow all
cache_mgr admin@localhost
visible_hostname localhost
# Squid 2.5 accelerator mode combined with normal proxying; "virtual" with
# uses_host_header on means the origin is taken from the request's Host header
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
# SNMP disabled
snmp_port 0
# single 1024 MB ufs store
cache_dir ufs /var/spool/squid 1024 16 256
coredump_dir /var/spool/squid
# final catch-all; must stay after the allow lines above
http_access deny all

Last edited by TiTex; 9th July 2012 at 13:24.