Hello, please review my proxy setup
I have CentOS 5.4 setup as a Proxy + Squid 2.7 Stable9 (transparent).
Processor : Intel(R) Pentium(R) D CPU 3.00GHz, 2 cores
Ram : 1Gb + 512Mb DDR2
HDD : 250Gb
Client : 70 user using Windows XP
IP Setting on client :
IP Static
Gateway : 192.168.0.10
DNS : 192.168.2.10
Modem ADSL : 192.168.2.10
eth0 : Internet (192.168.2.20)
eth1 : LAN (192.168.0.10)
Client : 192.168.0.0/24
The following network topology that I use :
Code:
Modem ADSL -------- [eth0]CentOS 5.4[eth1] -------- PC Client
and here's my iptables
Quote:
#!/bin/sh
# squid server IP
SQUIDIP="192.168.2.20"
# Interface connected to Internet
PUBLIC="eth0"
# Interface connected to LAN
LAN="eth1"
# Squid port
SQUIDPORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
# modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $PUBLIC -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $PUBLIC -j MASQUERADE
iptables --append FORWARD --in-interface $LAN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUIDPORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to $SQUIDIP:$SQUIDPORT
# if it is same system
iptables -t nat -A PREROUTING -i $PUBLIC -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
|
here's my squid.conf
Quote:
acl QUERY urlpath_regex -i cgi-bin ? localhost
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl PURGE method PURGE
acl CONNECT method CONNECT
acl SSL_ports port 443 587 110 25
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl snmppublic snmp_community public
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl localnet src 192.168.2.20 192.168.0.0/24
http_access allow localhost
http_access allow localnet
http_access deny all
http_reply_access allow all
snmp_access allow snmppublic localhost
snmp_access deny all
http_port 3128 transparent
zph_mode tos
zph_local 0
zph_parent 0
zph_option 136
hierarchy_stoplist cgi-bin localhost
cache_mem 1024 MB
maximum_object_size 50 MB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /cache1 30000 16 256
cache_dir aufs /cache2 30000 16 256
cache_dir aufs /cache3 30000 16 256
store_dir_select_algorithm least-load
cache_swap_low 98%
cache_swap_high 99%
update_headers off
access_log /var/log/access.log
cache_log /var/log/cache.log
cache_store_log /var/log/cachestore.log
logfile_rotate 5
log_ip_on_direct off
log_icp_queries off
buffered_logs off
netdb_filename none
pid_filename /var/run/squid.pid
refresh_pattern -i \.(class|css|js|gif|jpg|ps)$ 1440 50% 43200
refresh_pattern -i \.(jpe|jpeg|png|bmp|tif)$ 1440 50% 43200
refresh_pattern -i \.(tiff|mov|avi|qt|mpeg|flv|ra|rm|wmv|divx)$ 1440 50% 43200
refresh_pattern -i \.(mpg|mpe|wav|au|mid|mp3|mp4|ac4|swf)$ 1440 50% 43200
refresh_pattern -i \.(zip|gz|arj|lha|lzh|7z)$ 1440 50% 43200
refresh_pattern -i \.(rar|tgz|tar|exe|bin|rpm|iso)$ 1440 50% 43200
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf|xls|ppt|pdf|docx|xlsx)$ 1440 50% 43200
refresh_pattern -i \.(inc|cab|ad|txt|dll|dat)$ 1440 50% 43200
refresh_pattern ^ftp: 1440 95% 12960 reload-into-ims
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
store_avg_object_size 32 KB
server_http11 on
collapsed_forwarding on
vary_ignore_expire on
header_access From deny all
header_access Server deny all
header_access Link deny all
header_access Via deny all
header_access X-Forwarded-For deny all
forward_timeout 240 seconds
connect_timeout 60 second
peer_connect_timeout 5 seconds
read_timeout 600 second
request_timeout 60 second
persistent_request_timeout 60 seconds
client_lifetime 86400 second
half_closed_clients off
pconn_timeout 60 second
shutdown_lifetime 15 second
cache_mgr krisjun
cache_effective_user squid
cache_effective_group squid
httpd_suppress_version_string on
visible_hostname krisjun
max_filedescriptors 65535
check_hostnames off
dns_timeout 30 seconds
dns_nameservers 192.168.2.10
hosts_file /etc/hosts
ipcache_size 16384
ipcache_low 98
ipcache_high 99
fqdncache_size 16384
memory_pools off
forwarded_for off
reload_into_ims on
coredump_dir /home/squid
pipeline_prefetch on
|
I'm confused, why squid is always TCP_MISS?
and how to block FTP using IPTables?
English | 
Deutsch
Please Review my Proxy Server
Linear Mode
Recent comments
1 day 7 hours ago
1 day 12 hours ago
1 day 13 hours ago
1 day 14 hours ago
1 day 16 hours ago
1 day 20 hours ago
1 day 21 hours ago
1 day 23 hours ago
2 days 12 hours ago
2 days 14 hours ago