Linux Forums - Linux Help,Advice & support community:LinuxSolved.com
Network Troubleshooting => Linux Proxy Server Support => Topic started by: aktiwari4u on January 08, 2006, 11:35:43 AM
-
Hi friends,
I have installed SUSE Linux 10.
My network requirement is that I have to provide full access to some of my clients, and for the rest I want to use an authentication method with restricted access.
To do so I have tried to configure my server in transparent proxy mode and also applied a few ACLs.
At the very first instant all seemed to go well.
But now I find that even if I shut down my Squid proxy, clients can still access the internet.
This is a big question for me: is my proxy in the picture or not?
The configuration changes I have made are as follows.
1. Enabled IP forwarding on my system through the routing module.
2. Made all the changes to make Squid work in transparent mode as suggested by ricky.
3. In my firewall I have done network masquerade for all source addresses of port 80 to port 8080 of my proxy server, i.e.
0.0.0.0/0.0.0.0:80--->192.168.0.1:8080
where 192.168.0.1 is the IP address of eth0 of my server.
The default gateway of my clients is my Linux server, i.e. 192.168.0.1.
Now even if I stop my proxy, clients can still access the net, so I feel that my proxy is not in the picture.
Please tell me where I have gone wrong.
-
Well.. just redirect all the other important ports like 21, 8000, 110 etc. to port 8080.
People are able to access because in a transparent proxy you have to do NAT and proxy.
After stopping the proxy, people are using NAT only.
-
Thanks ricky.
I added port redirection for all the important well-known ports,
but my problem is still the same.
I even stopped my proxy at boot and tried to check it, and I found that client internet access is totally governed by my firewall.
As soon as I start my firewall clients can access the net, and as soon as I stop it clients cannot access the net. This all happens even when the proxy is not running.
In the firewall I have defined my eth0 as the internal network.
What to do next?
-
well.. after redirecting, also block all ports except the port 8080 for users whom you don't want to give full access. And for those you want to give full access just allow all ports for them.
-
Thanks ricky, but really I was totally fed up with this situation,
so I reinstalled my OS.
Now please tell me the shortest way for the following:
how to give access to --
1- a few users without proxy, direct access, like the gateway method
2- the rest of the users by proxy, with limited access, with authentication, and messengers stopped.
One thing more: I am a GUI lamer, so I will try to configure everything with Webmin.
I have a fresh copy of SUSE 10 installed and am waiting for your reply.
I am in urgent need of this and will experiment later, that's why I want your valuable help.
Thanks in advance.
-
Well.. basically I do the following with iptables and Squid combined.
As I suggested, block every port except port 3128 or whatever you are using for Squid. Then for those clients whom you want to give full access, open all ports for them and you are done.
I think you have already seen the NCSA authentication solution given by me for your authentication purpose. Lastly, about messengers, check the forum.. we have already discussed the same thoroughly. Just use a little search.
For a GUI to maintain iptables.. give "firestarter" a try. If it's not solving your problem then I will try to give you a solution over here.
I hope you understand the concept I have provided.
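
The approach described in this reply, written out as an added example that is not part of the original post: a script that prints an `iptables-restore` ruleset in which forwarding is dropped by default, so restricted clients lose web access when Squid is stopped. The outside interface `eth1` and the two full-access client addresses are assumptions; `eth0`, 192.168.0.0/24 and port 8080 follow the original poster's description, and Squid is assumed to run on the gateway itself.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a fail-closed transparent-proxy gateway.
LAN_IF=eth0                                # internal interface (from the thread)
WAN_IF=eth1                                # assumed outside interface
LAN_NET=192.168.0.0/24
SQUID_PORT=8080
FULL_ACCESS="192.168.0.10 192.168.0.11"    # constructed sample addresses

gen_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Full-access clients skip the redirect; this must come before it.
    for ip in $FULL_ACCESS; do
        echo "-A PREROUTING -i $LAN_IF -s $ip -j ACCEPT"
    done
    # Everyone else: web traffic is handed to the local Squid port.
    echo "-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    # Default DROP on FORWARD is what stops plain NAT from carrying
    # restricted clients when the proxy is down.
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in $FULL_ACCESS; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -j ACCEPT"
    done
    # Restricted clients still need DNS so the browser can resolve names
    # before its port-80 connection is redirected (an assumption: they use
    # an outside resolver).
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT"
    echo "COMMIT"
}

gen_rules
```

Review the printed rules before feeding them to `iptables-restore`, which replaces the tables it loads, so this is not meant to be combined with a running SuSEfirewall2.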
-
Thanks ricky.
You know, my biggest problem is that I have installed it on SUSE 10 and most of the suggestions given in the forum are for earlier versions.
In SUSE 10 they have made some major changes, and to my bad luck they have also changed the firewall settings. Now they have SuSEfirewall2, and its configuration files are not the same as those of iptables, so I can't make the required changes to forward all my requests from the internal network to my proxy's IP and port.
Please provide a solution which can work on SUSE 10.
-
I think gauravbajaj has done it on SUSE 10; you may ask him for further guidance.
-
Hi,
Yes, you can do this by using SuSEfirewall2; its default file is /etc/sysconfig/SuSEfirewall2.
Just search for the line
FW_REDIRECT
Change the line to look like this:
FW_REDIRECT="192.168.8.0/24,0/0,tcp,80,3128"
It means all web requests from the network 192.168.8.0/24 will be forwarded to 3128, that is the proxy port.
I think this will help you...
Gaurav Bajaj
-
Thanks a lot, Gaurav bhai.
I will try this also.
I have good hands-on experience with Windows and now want to switch over to Linux,
so I still prefer the GUI; that's why I tried it with YaST,
but it's not working.
I am using masquerading,
and I added the rule that
any request from 192.168.0.0/24 for any network 0/0 for port 80 should be redirected to 192.168.0.1:8080, which is my Squid proxy.
All is working fine when I boot the machine and start it.
Now my problem is: if I stop my proxy, users should not be able to access the internet,
as technically any request for port 80 is directed to port 8080, which is the Squid proxy port and is down, so browsing should be stopped.
But in my case the result is not the same as above: users can still browse even when my proxy is not running. This is where I am stuck now.
And if I am not masquerading and just IP forwarding, users are not able to browse at all, even when Squid is running.
Anyway, I tried to modify my firewall rules manually in the file as you told me, but in vain.
The basic problem is that in SUSE 10 the firewall options have new parameters, while all the documentation available is for the old parameters, which are not similar. I tried to do it according to the new rule parameters but it's not working.
Would you suggest that I go to SUSE 9 or older versions to get around this compatibility issue?
I am totally stuck in this situation. Please help me.
-
Hi..
First of all, check whether the transparent proxy is successfully set up.
It may be possible that your clients are not authenticated by your Squid. According to you, you have successfully set it up, but maybe your configuration is not up to the mark. You know one thing about Linux:
it may show that
the status of Squid is running OK,
but if there is some problem in Squid it also shows that Squid is running OK.
So according to me, YOUR CLIENTS ARE NOT USING THE SQUID PROXY.
You can check this too: go to
/var/log/squid
and open the file access.log. If it shows Squid logs then it's OK; if not,
it means you haven't successfully set up your TRANSPARENT PROXY.
Just open some website from a client machine, like google.com, and check the log file to see whether it shows an entry for your client with google.com.
So according to me, the TRANSPARENT PROXY IS NOT SUCCESSFULLY SET UP.
I have already given you the solution in the above post...
You said that you followed many sites for making a TRANSPARENT PROXY.
On many sites the line is written like this:
FW_TCP_REDIRECT="192.168.8.0/24,0/0,80,3128"
but actually the line is like this:
FW_REDIRECT="192.168.8.0/24,0/0,tcp,80,3128"
which I already told you.
So try both of these.. and your Squid will definitely run.
If you still get a problem then contact me further.
Cheers
gaurav bajaj
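
The access.log check suggested in this reply, as an added example that is not part of the original post: it summarises which clients appear in the log and lists expected clients that have no entry at all, meaning their traffic is not reaching Squid. It assumes Squid's native log format, where field 3 is the client address and field 4 the result code; the log lines and client addresses are constructed.

```shell
#!/bin/sh
# Constructed sample log in Squid's native format (not taken from the thread).
sample_log() {
cat <<'EOF'
1136700000.123    210 192.168.0.21 TCP_MISS/200 4512 GET http://www.google.com/ - DIRECT/198.51.100.7 text/html
1136700004.456     35 192.168.0.21 TCP_HIT/200 1320 GET http://www.google.com/logo.gif - NONE/- image/gif
1136700009.789    180 192.168.0.23 TCP_DENIED/407 1650 GET http://example.org/ - NONE/- text/html
EOF
}

# proxied_clients: read a log on stdin and print "client requests denied"
# for every client that reached the proxy. Denied requests still prove the
# client's traffic is going through Squid.
proxied_clients() {
    awk 'NF >= 7 {
             n[$3]++
             if ($4 ~ /^TCP_DENIED/) d[$3]++
         }
         END { for (c in n) print c, n[c], d[c] + 0 }' | sort
}

# missing_clients LOGFILE CLIENT...: print each expected client that has no
# entry in the log, i.e. a client that is bypassing the proxy or is idle.
missing_clients() {
    log=$1; shift
    for ip in "$@"; do
        awk -v ip="$ip" '$3 == ip { found = 1; exit } END { exit !found }' "$log" \
            || echo "$ip"
    done
}

tmp=$(mktemp)
sample_log > "$tmp"
proxied_clients < "$tmp"
missing_clients "$tmp" 192.168.0.21 192.168.0.22 192.168.0.23
rm -f "$tmp"
```

On the gateway, point `missing_clients` at the access.log under /var/log/squid after browsing from each client machine.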
-
Thanks, Gaurav bhai.
Here is the problem. As you asked, "is the transparent proxy successfully set up???"
As I told you, to set this up we need some modifications on the firewall,
and there I am not able to make those modifications. If so, please tell me, or if you have them, just provide me the exact changes which are to be made in SuSEfirewall2.
The Squid configuration part to make it transparent has been done; I have defined all those parameters.
But I am still not able to modify my firewall settings, or you can say that I am still not able to set my iptables to make the desired changes.
I have already tried your second suggestion for ip_forward, but through that clients are not able to browse.
Please help me or suggest that I downgrade to SUSE 9 :(
Anyway, I am hopeful that that will not be needed as we will overcome this problem.
Thanks
-
Hi,
OK.
Have you done the settings which I told you in the /etc/sysconfig/SuSEfirewall2 file?
Gaurav Bajaj
-
Yes sir, I have done all that,
but client requests are not fetched.
-
Dear sir,
I have some experience configuring a transparent proxy on SUSE 9.1. About your problem, I had it one time: when I stopped Squid, clients could still surf the internet. I use these commands to stop SuSEfirewall:
#/etc/init.d/final stop
#/etc/init.d/init stop
#/etc/init.d/setup stop
After you type the three commands, clients can't surf the internet by themselves until you run Squid and the transparent proxy again.
Regards
Sothy
-
But dear, I think it's not the proper way, as it will stop my firewall itself, which I think is not desirable.
And my problem is that the scenarios in SUSE 10 and SUSE 9 are different.
So I request all to please have some practical experience of this issue and also tell me the exact way to overcome this problem.
I am still hanging on this problem.
-
Ha dear, I could not get you.
Whatever scripts you have mentioned, I could not locate them on my system. I think you have written some scripts yourself for that.
And another thing: stopping the firewall does not seem logical for removing this problem, as the firewall is itself a critical application which I think should run on the system.
I am again mentioning that there are some changes in file structure between Linux 9 and Linux 10, so I want some practical hands-on help with this issue.
-
Dear Sir,
However, I don't know what is different between SUSE 9.1 and SUSE 10 in the config files or scripts to use. But nowadays I use SUSE 9.1 and my proxy is working fine; Squid and the transparent proxy are working. Like I told you before, I once met a problem like yours, but I tried asking everybody in the forum, so I could solve this problem. So now I have one idea, but I don't know if it is good or not:
# rcSuSEfirewall2 stop (my SuSEfirewall is in /etc/sysconfig/)
So everything will stop altogether and we can start things like Squid or the transparent proxy again ...
Sothy
-
Anyway, thanks a lot for your reply,
but I need something better in which we need not stop our firewall service. If anybody has explored it, please let me know. Thanks.