Re: [squid-users] squid behind firewall with only port 8081 redirecting to squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 21 Jul 2009 02:25:07 +1200

frech wrote:
> Hi Amos,
> thank you so much for your reply!!
> I still have some questions.
>
>
> Amos Jeffries-2 wrote:
>> The port-forwarding already setup is external coming in.
>> Squid is internal going out. right?
>>
>> --> right!
>>
>> So ensure that the -i option is used by both rules.
>> -i takes the NIC name (eth0, eth1 etc) where the new connections the
>> rule applies to are coming into the firewall.
>>
>> --> I have the problem that I can't configure the firewall, as I have no
>> access. For Squid there is a rule on the firewall directing port 8080 to
>> the squid server, so if I temporarily set up apache to listen on port 8080
>> I can reach the squid server from the www ;-) I don't know at the moment if
>> there is also a rule for 8080 going out. But I have no problem pinging and
>> using lynx from the squid server's shell.
>>
>> The defaults on Lenny should be fine to start with. Define the
>> "localnet" settings to your Internal network range and squid3 'just
>> works'.
>> --> Sorry, I thought I had squid3, but it is the stable 2.7 ... I
>> restarted using the example from ../doc/squid/examples
>> and only changed the http_port to the IP of the server's internal
>> eth1 address:
>> http_port 192.168.3.2:3128

Ah, okay. Almost as easy. Just a lot of wading through the config file
to find things. :(

IIRC the ACL name there is "our_networks" or something. It still needs
to be set to the internal network range to let clients use Squid.

There is a file at /usr/share/squid/QUICKSTART I think. Which has the
full list of things to check and set for your version before first use.

>>
>> WARNING: Interception is less commonly named "man-in-middle security
>> attack". Beware of many problems; least of which is HTTPS and
>> authentication completely non-compatible.
>> --> I don't want to do too much ;-) It is just that I don't know how to
>> configure it in a better way ...
>>
>> PART 1:
>>
>> The routing on Squid box is normal two routes, with 192.168.1.1 as
>> default gateway and 192.168.1.2 as gateway back to 192.168.3.0.
>>
>> --> so, how to set the route correct?
>> The original:
>> Destination   Gateway       Genmask         Flags Metric Ref Use Iface
>> 192.168.3.0   *             255.255.255.0   U     0      0   0   eth1
>> localnet      *             255.255.255.0   U     0      0   0   eth0
>> default       192.168.1.1   0.0.0.0         UG    0      0   0   eth0
>>
>> Do I have to change the first line or to append a new one?
>> Is it
>> 192.168.3.0   192.168.1.2   255.255.255.0   UG    0      0   0   eth1
>> OR
>> 192.168.3.0   192.168.1.2   255.255.255.0   UG    0      0   0   eth0
>> (so eth0 or eth1 at the end??)

Um, reading on I think I made a fatal assumption that tainted most of
what I said.

>>
>> Interception should be kept as a last resort. If a full outbound block
>> is not possible but when you still require the proxy as a filter for
>> port-80. I recommend the following:
>> --> There is no real need for Interception if I can configure a running
>> squid ;-)
>>
>> Your config with Squid in 192.168.1.* and clients in 192.168.3.* sounds
>> like a DMZ setup to me.
>> --> Problem which resulted in this setup:
>> I work in a project in Africa. Bandwidth is very low there. Now we had to
>> set up a workgroup for some extra work to do. This workgroup resides
>> outside the normal company building and is connected to the main building
>> by wlan. We have one server (with data and licence server) and three
>> workstations in the extra building.
>> Now we had problems with the network stability (access to the workgroup
>> server was interrupted by something coming out of the intranet ...) and
>> working with software needing big updates, I thought it might be helpful
>> to set up a proxy. Now, the three workstations and the server are connected
>> by a small hub. The hub is connected to the official switch.
>> I changed the "extra" network from the company's 192.168.1.0 to the new
>> 192.168.3.0, because I need static IPs for the workstations and the
>> company network uses a DHCP server on the firewall.

Um, oooh, Ahhhh.

You don't mention a router between Squid and the clients in that
description. My bad assumption.

Let me just get this right in my head. Squid is the box with 2 NICs,
everything else is currently hung off a switch (and a chained hub) with a
firewall facing the Internet?

Like So:

  workstation1--|
  workstation2--|
  workstation3--|
  workstation*--|--Hub-----Switch---Firewall
  data server---|

Now where does the squid box sit?

(a)

  workstation*--|--Hub-----Switch---Firewall
  data server---|          |    |
                           |--Squid--|

OR (b):

  workstation*--|--Hub---Squid---Switch---Firewall
  data server---|

>>
>> On the Squid box is where the DNAT intercept actually happens. As per
>> this config:
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
>> (use a second http_port for the intercept traffic).
>>
>
> So all I need is a simple and working squid configuration to start with ;-)
> But until now, I did not manage to set it up ;-(
>
> If I understand correctly, all I have to do is to create the correct route of
> interfaces to start with the sample squid.conf. Is this correct?

Yes. Regardless of my mistake earlier, this is still true.

> The "restricted" port 8080 which is redirected from the firewall to my squid
> server has no effect ... And, it might work without any port redirected to
> my squid??

Yes.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.10 or 3.1.0.11
Received on Mon Jul 20 2009 - 14:25:15 MDT
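An added illustration (not Squid's own code and not from the thread) of the two points Amos makes above: the "our_networks"/"localnet" ACL has to name the real client range before clients can use the proxy, and binding http_port to the internal eth1 address keeps the proxy off the port that the firewall already forwards in from the Internet. The script models only `http_port`, `acl ... src` and `http_access`, using Squid's documented first-match rule (every ACL on a line must match; the first matching line decides; if no line matches, the opposite of the last line's action applies). The three configs, the client addresses and the Squid box's eth0 address 192.168.1.20 are constructed for the example; only 192.168.3.2:3128 comes from the thread.

```python
"""Toy model of Squid's http_port / acl src / http_access evaluation.

Added example, not Squid's code.  Handles only `acl NAME src NET...`,
`http_access allow|deny ACL [!ACL ...]` and `http_port [IP:]PORT`.
"""
import ipaddress


def parse_config(text):
    """Return (listen, acls, rules) from squid.conf-style text."""
    listen, acls, rules = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "http_port":
            spec = parts[1]
            if ":" in spec:                      # "IP:PORT": bound to one address
                ip, port = spec.rsplit(":", 1)
                listen.append((ipaddress.ip_address(ip), int(port)))
            else:                                # bare PORT: all interfaces
                listen.append((None, int(spec)))
        elif parts[0] == "acl" and parts[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return listen, acls, rules


def _src_matches(acls, name, client_ip):
    if name not in acls:
        raise KeyError("ACL %r used before it was defined" % name)
    return any(client_ip in net for net in acls[name])


def decide(config_text, client_ip, dst_ip, dst_port):
    """'not-listening', 'allow' or 'deny' for one proxy request."""
    listen, acls, rules = parse_config(config_text)
    client_ip = ipaddress.ip_address(client_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    if not any(port == dst_port and (ip is None or ip == dst_ip)
               for ip, port in listen):
        return "not-listening"          # TCP connect fails; Squid never sees it
    if not rules:
        return "deny"                   # documented default when no http_access lines
    for action, terms in rules:         # first matching line wins; ACLs on a line are ANDed
        if all(_src_matches(acls, name, client_ip) != negated
               for negated, name in terms):
            return action
    last_action = rules[-1][0]          # no match: opposite of the last line
    return "deny" if last_action == "allow" else "allow"


# Constructed config in the spirit of the thread: Squid 2.7 bound to the
# eth1 address, client ACL set to the workgroup LAN, explicit 'deny all'.
GOOD_CONF = """
http_port 192.168.3.2:3128
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.3.0/24
http_access allow localhost
http_access allow our_networks
http_access deny all
"""

# Constructed counter-example: listening on every interface on the port the
# firewall already forwards in from the Internet, client ACL left as
# 'everything'.  That is an open proxy reachable from the Internet.
OPEN_CONF = """
http_port 8080
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 0.0.0.0/0.0.0.0
http_access allow our_networks
http_access deny all
"""

# Constructed footgun: no 'deny all' at the end, so an unmatched client
# gets the opposite of the last line, i.e. allow.
NO_DENY_ALL_CONF = """
http_port 3128
acl bad_net src 10.0.0.0/8
http_access deny bad_net
"""

SQUID_ETH0 = "192.168.1.20"   # assumed address of the Squid box on the company LAN
SQUID_ETH1 = "192.168.3.2"    # from the thread


def demo():
    """The cases worth checking before the box is left on a forwarded port."""
    return {
        "workstation -> eth1:3128 (good)": decide(GOOD_CONF, "192.168.3.10", SQUID_ETH1, 3128),
        "internet -> eth0:8080 (good)": decide(GOOD_CONF, "203.0.113.7", SQUID_ETH0, 8080),
        "internet -> eth1:3128 (good)": decide(GOOD_CONF, "203.0.113.7", SQUID_ETH1, 3128),
        "internet -> eth0:8080 (open)": decide(OPEN_CONF, "203.0.113.7", SQUID_ETH0, 8080),
        "internet -> eth0:3128 (no deny all)": decide(NO_DENY_ALL_CONF, "203.0.113.7", SQUID_ETH0, 3128),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-38s %s" % (case, verdict))
```

The "good" config refuses the Internet client twice over: the forwarded 8080 never reaches a listening socket, and even a client that did reach 192.168.3.2:3128 would fall through to `deny all`. The last config shows why the QUICKSTART advice to end with `http_access deny all` matters: without it an unmatched client is allowed.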
