SQUID issue, anyone good with squid?

[bart21]

hi

 

we have just started using our county proxy for staff and students, however we have one open ipaddress for server updates, so this ipaddress has to have a proxy.

 

We used to have an ISA server which we have now removed.

 

i have put a squid box in, and i can get out to the internet with a browser. but cant ping thgrough it or lookup dns through it. Anyone know how to enable the relevant ports for these?

 

thanks

 

nick

[tom_newton]

Squid is a proxy - you might want a NATing firewall. Do you expect to have a public IP address on one side, and a range of private IPs on t'other?

[bart21]

hi tom, thanks for your response.

 

Yes that is sort of the idea. All workstations will go through the county filter/firewall.

 

This squid box was to enable the servers (especially the ubuntu ones) to get out to a non-filtered web connection for updates etc.

 

As i said we used to use ISA server but county have now told us we have to remove it and use their filtering/firewall.

 

Basically there is only two ipaddresses that can get out through the router, these are the county filter address and our 10.46.209.4 address. The squid has that address assigned to it and other machines use it as a gateway to get out.

 

The solution needs to be free and preferably run on ubuntu server. (we have no money at all, we actually overspent)

 

I hope this makes sense as i have written it in quite a hurry. Thankyou for your help.

 

nick

[dhicks]

The solution needs to be free and preferably run on ubuntu server.

 

On your Ubuntu server you need to set up iptables rules to forward traffic to and from your external and internal networks. We currently have the following in /etc/rc.local on our Ubuntu-based, Squid-running gateway server, although the following was mainly achieved by a process of trial-and-error:

 

# First, flush any previous IPTables rules.
iptables -t filter --flush
iptables -t nat --flush

# Make sure that IP forwarding is enabled. I /think/ this is needed to get
# the FORWARD rules below working. No, I don't know why either...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Forward established and related connections - i.e. if an HTTPS connection
# has been initiated from inside the firewall, then traffic coming the other
# way in reply to it is okay. This is /stateful/ packet filtering, seemingly.
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward any traffic to port 443 (HTTPS). Add further ports below here as
# needed. You might also need to add specific websites here - some websites
# that use cookie-based authetication for user accounts don't handle being
# cached/filtered very well, so simply add them (or their IP address) in
# here. Bear in mind that this misses out the filtering for that specific
# website, so make sure that the whole website is okay before you set this.
iptables -t filter -A FORWARD -i eth2 -p tcp --dport 443 -j ACCEPT

# Deal with data from forwarded ports, i.e. shove it through NAT so it knows
# where it's going.
# iptables -t nat -A POSTROUTING -o eth1 -d 6667 -j SNAT --to-source 10.0.9.252
iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 192.168.0.5

# The following line basically tells the machine to forward all incoming TCP
# traffic not already caught by the above lines to port 3128, where squid
# is listening. Squid has been compiled to support transparent proxying.
# Squid isn't set to filter/proxy/cache anything else, so any other traffic
# you want to allow through will have to be forwaded via the rules above.
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

 

--

David Hicks

[diggory]

there is a project to make this a bit easier called FREESCO, which has NAT etc built in, used to use it for sharing a modem ages ago..

FREESCO Project

It will do NAT for you..