Internet Related/Filtering/Firewall Thread, SQUID issue, anyone good with squid? in Technical; hi we have just started using our county proxy for staff and students, however we have one open ipaddress for ...
  1. #1
    bart21

    SQUID issue, anyone good with squid?

    Hi

    We have just started using our county proxy for staff and students; however, we have one open IP address for server updates, so this IP address has to have a proxy.

    We used to have an ISA server, which we have now removed.

    I have put a Squid box in, and I can get out to the internet with a browser, but I can't ping through it or look up DNS through it. Anyone know how to enable the relevant ports for these?

    Thanks

    Nick

  2. #2
    tom_newton
    Squid is a proxy - you might want a NATing firewall. Do you expect to have a public IP address on one side, and a range of private IPs on t'other?

  3. #3
    bart21
    Hi Tom, thanks for your response.

    Yes, that is sort of the idea. All workstations will go through the county filter/firewall.

    This Squid box was to enable the servers (especially the Ubuntu ones) to get out to a non-filtered web connection for updates etc.

    As I said, we used to use ISA Server, but county have now told us we have to remove it and use their filtering/firewall.

    Basically there are only two IP addresses that can get out through the router: the county filter address and our 10.46.209.4 address. The Squid box has that address assigned to it, and other machines use it as a gateway to get out.

    The solution needs to be free and preferably run on Ubuntu Server. (We have no money at all; we actually overspent.)

    I hope this makes sense, as I have written it in quite a hurry. Thank you for your help.

    Nick

  4. #4
    dhicks
    Quote Originally Posted by bart21:
        The solution needs to be free and preferably run on ubuntu server.
    On your Ubuntu server you need to set up iptables rules to forward traffic to and from your external and internal networks. We currently have the following in /etc/rc.local on our Ubuntu-based, Squid-running gateway server, although the following was mainly achieved by a process of trial-and-error:

    Code:
    # First, flush any previous IPTables rules.
    iptables -t filter --flush
    iptables -t nat --flush
    
    # Make sure that IP forwarding is enabled. I /think/ this is needed to get
    # the FORWARD rules below working. No, I don't know why either...
    echo "1" > /proc/sys/net/ipv4/ip_forward
    
    # Forward established and related connections - i.e. if an HTTPS connection
    # has been initiated from inside the firewall, then traffic coming the other
    # way in reply to it is okay. This is /stateful/ packet filtering, seemingly.
    iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Forward any traffic to port 443 (HTTPS). Add further ports below here as
    # needed. You might also need to add specific websites here - some websites
    # that use cookie-based authentication for user accounts don't handle being
    # cached/filtered very well, so simply add them (or their IP address) in
    # here. Bear in mind that this misses out the filtering for that specific
    # website, so make sure that the whole website is okay before you set this.
    iptables -t filter -A FORWARD -i eth2 -p tcp --dport 443 -j ACCEPT
    
    # Deal with data from forwarded ports, i.e. shove it through NAT so it knows
    # where it's going.
    # iptables -t nat -A POSTROUTING -o eth1 -d 6667 -j SNAT --to-source 10.0.9.252
    iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 192.168.0.5
    
    # The following line basically tells the machine to forward all incoming TCP
    # traffic not already caught by the above lines to port 3128, where squid
    # is listening. Squid has been compiled to support transparent proxying.
    # Squid isn't set to filter/proxy/cache anything else, so any other traffic
    # you want to allow through will have to be forwarded via the rules above.
    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128
    --
    David Hicks

  5. Thanks to dhicks from:

    bart21 (21st April 2010)
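As an added example (not the script from dhicks's post): the same gateway idea written as an iptables-restore ruleset, with a default-deny FORWARD policy and explicit holes for DNS and ping, the two things Nick could not get through. The interface names eth2 (LAN) and eth3 (outside) and the 10.46.209.4 address are assumptions taken from the thread; `gen_rules` only prints the ruleset, and `apply_rules` is what you would actually run as root.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a Squid gateway.
# LAN_IF, WAN_IF and WAN_IP are assumptions from the thread; override via env.
LAN_IF="${LAN_IF:-eth2}"        # assumed internal interface
WAN_IF="${WAN_IF:-eth3}"        # assumed interface holding the permitted address
WAN_IP="${WAN_IP:-10.46.209.4}" # the one address the county router lets out

# Print the ruleset in iptables-restore format. Nothing is applied here, so
# the output can be reviewed (or diffed against the live rules) first.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: LAN web traffic is redirected to Squid on 3128
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
# Anything else that is forwarded leaves from the permitted address
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the LAN opened (stateful)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS lookups from the LAN: UDP for normal queries, TCP for large answers
-A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 53 -j ACCEPT
# ping from the LAN: only echo-request out; echo-reply matches ESTABLISHED
-A FORWARD -i $LAN_IF -o $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# HTTPS cannot be redirected into Squid this way, so forward it directly
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Sanity check: how many FORWARD rules the generated ruleset contains.
count_forward_rules() {
    gen_rules | grep -c '^-A FORWARD'
}

# Apply for real: turn on routing, then load the whole ruleset atomically so
# there is never a moment with only half the rules (needs root).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | iptables-restore
}
```

Because FORWARD defaults to DROP, a server on the LAN can only reach what is listed, which is the point of a single unfiltered exit address.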

  6. #5
    diggory
    There is a project to make this a bit easier called FREESCO, which has NAT etc. built in; I used to use it for sharing a modem ages ago.
    FREESCO Project
    It will do NAT for you.
