
dhcpd, squid, iptables and outlook express


kenchix1:
Hi, I read your post regarding Configuring Squid Outlook to access Remote mail server, and somehow I guess I have the same problem. I am new to Linux. Our setup is like this: we have one Linux server running Samba as the logon server, and also the DHCP and DNS services. We have another server which runs squid with 2 NICs, one for the internal network and another that goes out to the internet. I was able to connect the clients (Win98) to the internet using HTTP and HTTPS, but the clients can't retrieve email using Eudora and Outlook. From what I read, what I need for a problem like this is a transparent proxy. I just have a few questions regarding the NAT script.


--- Quote ---#!/bin/sh

# path to the iptables binary; the commands below use $iptables
iptables=/sbin/iptables

# clear any existing NAT rules
$iptables --flush -t nat

# masquerade everything leaving through the interface connected to the Internet
$iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

--- End quote ---
Should I replace ppp0 with eth0, since eth0 is the one connected to the internet?



--- Quote ---# forward packets arriving from the internal interface, then switch routing on
$iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
--- End quote ---
Should I replace eth0 with eth1, since it is the one connected to the internal network?



--- Quote ---Now in your clients make sure you have set the gateway as the IP of your computer which is connected directly to the internet, and also that you have entered the right nameserver (DNS) in the DNS list of the clients.
Now you should be able to share the internet after executing this script.
--- End quote ---
We have more than 100 computers, and more than a quarter of them access the internet. Do I really need to put the IP of the squid server as the gateway on every computer?


--- Quote ---NOTE :: When you run this script you should also use a good firewall.
--- End quote ---

Currently we don't have a firewall; can I still use this NAT?

thank you very much in advance.

Ricky:

--- Quote ---Should I replace ppp0 with eth0, since eth0 is the one connected to the internet?
--- End quote ---
Yes, you have to change ppp0 to eth0.

--- Quote ---
--- Quote ---iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward  
--- End quote ---
Should I replace eth0 with eth1, since it is the one connected to the internal network?
--- End quote ---
Yes, here again you guessed right.

--- Quote ---
--- Quote ---Now in your clients make sure you have set the gateway as the IP of your computer which is connected directly to the internet, and also that you have entered the right nameserver (DNS) in the DNS list of the clients.
Now you should be able to share the internet after executing this script.
--- End quote ---
We have more than 100 computers, and more than a quarter of them access the internet. Do I really need to put the IP of the squid server as the gateway on every computer?
--- End quote ---
Here, if you have a simple proxy using squid then you have to configure each client's browser to use the proxy.
But if you go for NAT and you have a DHCP server then simply assign the gateway and DNS using your DHCP server. Same for a transparent proxy.

--- Quote ---currently we don't have a firewall, can i still use this NAT ?
--- End quote ---
When you use NAT you simply make your network wide open to hackers, as it then allows everything to pass through it. So I have suggested using a firewall. For dialup networks it is not a big deal, but for a static network... you should have it.
I will soon provide a firewall script to fit the transparent proxy.
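Added example, not the script from this thread or from the post Ricky quotes: a NAT script that also carries the firewall he says is needed, with the port-80 redirect into Squid and explicit forwarding for the mail ports that Outlook and Eudora use. The interface names, the 192.168.100.0/24 subnet, the Squid port and the list of forwarded ports are assumptions taken from the setup described above; change them at the top. With DRY_RUN=1 it prints the iptables commands instead of running them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the script from the thread: NAT + transparent Squid redirect
# + a minimal stateful firewall for a two-NIC gateway.
# Assumptions (edit to match your box): eth0 faces the ISP, eth1 faces the LAN,
# the LAN is 192.168.100.0/24 and Squid listens on 3128.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
# TCP ports clients may open straight through NAT: SMTP, POP3, IMAP, HTTPS,
# SMTPS, IMAPS, POP3S. Port 80 is not here because it is redirected to Squid.
NAT_TCP_PORTS="${NAT_TCP_PORTS:-25 110 143 443 465 993 995}"

# ipt: run iptables, or with DRY_RUN set print the command instead (no root needed)
ipt() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

build_rules() {
  # start clean, then drop by default; only what is listed below gets through
  ipt -F
  ipt -X
  ipt -t nat -F
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT

  # the gateway itself: loopback, replies to its own connections, and from the
  # LAN only Squid, SSH and ping. Nothing new is accepted from the Internet side.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
  ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp -j ACCEPT

  # forwarding: replies come back, the LAN may open DNS and the listed TCP
  # ports towards the Internet, and nothing else crosses in either direction
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
  for port in $NAT_TCP_PORTS; do
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
  done

  # transparent proxy: LAN port 80 is handed to Squid (it then arrives on the
  # INPUT chain, allowed above); everything else from the LAN is masqueraded
  ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
  else
    echo 1 > /proc/sys/net/ipv4/ip_forward
  fi
}

# "sh rc.nat-fw apply" installs the rules (as root); "DRY_RUN=1 sh rc.nat-fw apply"
# only prints them. Without the argument nothing is touched.
if [ "${1:-}" = "apply" ]; then
  build_rules
  enable_forwarding
fi
```

Because FORWARD now defaults to DROP, any protocol not in NAT_TCP_PORTS (FTP data, NTP, and so on) is blocked until it is added; the packet counters in `iptables -L FORWARD -v -n` show what is being dropped. The clients must still use this machine's eth1 address as their default gateway, which is what the DHCP option routers hands out.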

kenchix1:
Thank you, sir, for your reply.
I tried the NAT script and changed squid.conf, but it didn't work. Clients can surf the internet (HTTP, HTTPS) if I specify the name of the proxy in the browser, but I still can't retrieve or send email. If I don't specify any proxy in the browser, I can't browse the net at all.

I hope you won't mind me posting several of my conf files for you to see.

This is my squid.conf

--- Quote ---# listening port; the iptables REDIRECT must point at this port
http_port 3128
cache_mem 16 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_dir ufs /usr/local/squid/cache 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

# do not cache dynamic content
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%    1440
refresh_pattern .          0      20%   4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# only the internal LAN may use the proxy
acl our_network_ip src 192.168.100.0/24
http_access allow our_network_ip
http_access allow localhost
http_access deny all
visible_hostname SERVER1
unique_hostname SERVER1

# transparent (interception) mode for Squid 2.x: accept the port-80 traffic
# that iptables REDIRECTs here as if it were normal proxy requests. This only
# covers HTTP; POP3/SMTP/IMAP cannot be proxied by Squid and must pass through NAT.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_reply_access allow all

# ICP (port 3130) will answer anyone who can reach it; restrict it to
# our_network_ip unless there are peer caches
icp_access allow all
cache_effective_user squid
cache_effective_group squid
--- End quote ---

This is the NAT script that I copied and modified.

--- Quote ---#!/bin/sh
# rc.nat: NAT plus port-80 redirect to Squid. eth0 = Internet, eth1 = internal LAN.
iptables=/sbin/iptables

# empty the NAT and filter tables first, so re-running the script does not
# append duplicate rules
$iptables --flush -t nat
$iptables --flush

# masquerade everything leaving through the Internet-facing interface
$iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

# forward packets arriving from the LAN; mail, HTTPS and anything not
# redirected below goes straight through NAT
$iptables --append FORWARD --in-interface eth1 -j ACCEPT

# transparent proxy: LAN port-80 traffic goes to Squid on 3128 instead of out
$iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

echo 1 > /proc/sys/net/ipv4/ip_forward
--- End quote ---

This is what service iptables status said after running the NAT script:

--- Quote ---Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
REDIRECT   tcp  --  anywhere             anywhere           tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

--- End quote ---

This is my dhcpd.conf file:

--- Quote ---default-lease-time 86400;
max-lease-time 86400;

option domain-name "domain1";
ddns-update-style interim;
ddns-updates on;
deny client-updates;
allow unknown-clients;

subnet 192.168.100.0 netmask 255.255.255.0 {
  range 192.168.100.10 192.168.100.250;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.100.255;
  # default gateway handed to the clients: for NAT and the port-80 redirect to
  # see their traffic this has to be the LAN-side (eth1) address of the machine
  # that runs the NAT script, not a different server
  option routers 192.168.100.1;
  #option routers 192.168.100.5;
  #option routers aaa.bbb.ccc.ddd;
  option domain-name-servers 192.168.100.1;
}

host pc1 {
  hardware ethernet 01:10:4B:15:95:E2;
  fixed-address 192.168.100.5;
}
--- End quote ---

This is the ifcfg-eth0 of the proxy, the interface that goes out to the internet:

--- Quote ---DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=aaa.bbb.ccc.ddd
NETMASK=255.255.255.252
GATEWAY=aaa.bbb.ccc.dcf

--- End quote ---

Thank you very much for your help, sir.

Ricky:
First make sure that the iptables NAT script is executed, i.e. it is running.

Well, I think your problem is...
--- Code: ---option domain-name-servers 192.168.100.1;
--- End code ---
Are you running a domain name server locally?
Try to put the DNS of your ISP here.
Also give a look at this: http://www.linuxsolved.com/forums/viewtopic.php?t=16
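A way to check the first point in Ricky's reply (that the NAT rules are actually loaded) together with his earlier warning about NAT being wide open, as an added example that is not part of the thread: it reads an iptables-save dump and reports the rules a transparent-proxy gateway needs and the chain policies that leave it unfiltered. The interface names and the Squid port are assumptions; the two built-in dumps are constructed here, the first mirroring the ruleset in the "service iptables status" output above.

```shell
#!/bin/sh
# Added example, not from the thread: check an iptables-save dump for the rules a
# transparent-proxy NAT gateway needs and for chain policies that leave it open.
# Assumptions: eth0 faces the Internet, eth1 faces the LAN, Squid is on 3128.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# audit_rules FILE: one line per finding on stdout; the return value is the
# number of findings, so 0 means "expected rules present, nothing wide open".
audit_rules() {
  dump="$1"
  n=0
  # masquerading out of the Internet interface: without it no client traffic works
  if ! grep -q -- "-A POSTROUTING .*-o $WAN_IF .*-j MASQUERADE" "$dump"; then
    echo "MISSING: nat POSTROUTING MASQUERADE on $WAN_IF"; n=$((n+1))
  fi
  # the port-80 redirect that makes the proxy transparent
  if ! grep -q -- "-A PREROUTING .*-i $LAN_IF .*--dport 80 .*-j REDIRECT --to-ports $SQUID_PORT" "$dump"; then
    echo "MISSING: nat PREROUTING REDIRECT 80 -> $SQUID_PORT on $LAN_IF"; n=$((n+1))
  fi
  # FORWARD policy ACCEPT routes anything from anywhere: the "wide open" case
  if grep -q '^:FORWARD ACCEPT' "$dump"; then
    echo "OPEN: filter FORWARD policy is ACCEPT, Internet and LAN are not separated"; n=$((n+1))
  fi
  # a DROP policy without a state rule kills the replies to every connection
  if grep -q '^:FORWARD DROP' "$dump" && ! grep -q -- '-A FORWARD .*--state .*ESTABLISHED' "$dump"; then
    echo "BROKEN: FORWARD drops by default but has no ESTABLISHED,RELATED rule"; n=$((n+1))
  fi
  # INPUT policy ACCEPT exposes the gateway's own daemons (Squid, SSH, ...) to the Internet
  if grep -q '^:INPUT ACCEPT' "$dump"; then
    echo "OPEN: filter INPUT policy is ACCEPT"; n=$((n+1))
  fi
  return $n
}

# Constructed sample in iptables-save syntax, equivalent to the ruleset shown by
# "service iptables status" in the thread: NAT and redirect present, every policy ACCEPT.
sample_open_dump() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
COMMIT
EOF
}

# Constructed sample of a filtered gateway: same NAT rules, DROP policies, state rule.
sample_filtered_dump() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -s 192.168.100.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.100.0/24 -p tcp -m tcp --dport 110 -j ACCEPT
COMMIT
EOF
}

# "sh audit-nat.sh FILE" audits a dump made with "iptables-save > FILE";
# "sh audit-nat.sh demo" runs the two built-in samples. No argument: only define functions.
case "${1:-}" in
  "") ;;
  demo)
    d=$(mktemp)
    for gen in sample_open_dump sample_filtered_dump; do
      "$gen" > "$d"
      echo "== $gen"
      audit_rules "$d" && echo "-> no findings" || echo "-> $? finding(s)"
    done
    rm -f "$d" ;;
  *) audit_rules "$1" ;;
esac
```

The dump does not contain the ip_forward sysctl, so check `cat /proc/sys/net/ipv4/ip_forward` separately; it must print 1 or nothing is routed at all. On the poster's ruleset the script reports the two ACCEPT policies and nothing missing, which matches what he sees: the NAT part is loaded, the firewall part is absent.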

kenchix1:

--- Quote ---First make sure that the iptables NAT script is executed, i.e. it is running.
--- End quote ---

I'm sure it was executed. I put it inside /etc/rc.d, modified rc.local to add the line /etc/rc.d/rc.nat, and then chmod 755 the rc.nat.

--- Quote ---Well, I think your problem is...

--- Quote ---Code:
option domain-name-servers 192.168.100.1;
--- End quote ---

Are you running a domain name server locally?
Try to put the DNS of your ISP here.
--- End quote ---

Yes, I am running a domain name server locally and let dhcpd update the zone file automatically. 192.168.100.1 is the logon server (Samba), DHCP and DNS server.

I'll try to put the nameserver of our ISP, then I'll post what happened.

Thank you very much for your time sir.
