Thread: Shorewall + Squid on Hardy Server Gateway / Firewall

  1. #1
    Join Date
    Apr 2008
    Beans
    6

    Shorewall + Squid on Hardy Server Gateway / Firewall

    I just upgraded from Dapper to Hardy and hadn't touched the server in a while, so I'm a bit rusty...
    Hi, I've got the following problem - Shorewall is configured (I, as well as the LAN clients, can surf the internet) and squid is working (if I manually instruct links with the command -http_proxy 127.0.0.1:3128, squid redirects the sites I want it to), but the squid configuration is not applied to the LAN clients.
    Here is my squid.conf:

    http_port 127.0.0.1:3128
    http_port 192.168.0.100:3128
    icp_port 0
    htcp_port 0
    hierarchy_stoplist cgi-bin ? php asp
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    cache_mem 256 MB
    maximum_object_size 128 MB
    cache_dir ufs /var/cache/squid 1024 16 256
    access_log /var/log/squid/access.log squid
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/32
    acl manager proto cache_object
    acl ssl_ports port 443
    acl ftp_ports port 21
    acl www_ports port 80 443
    acl CONNECT method CONNECT
    acl PURGE method PURGE
    http_access allow manager localhost
    http_access deny manager
    http_access allow PURGE localhost
    http_access deny PURGE
    http_access deny !www_ports !ftp_ports
    http_access deny CONNECT !ssl_ports
    acl sdd_proxy_users src 192.168.0.100/32
    http_access allow sdd_proxy_users
    http_access allow localhost
    http_access deny all
    reply_body_max_size 102400000 allow all
    cache_mgr root@proxy.sdd.com
    visible_hostname proxy.sdd.com
    cache_effective_user proxy
    cache_effective_group proxy
    logfile_rotate 0
    buffered_logs on
    url_rewrite_program /usr/local/rejik3/redirector /usr/local/rejik3/redirector.conf

    These are my shorewall policies


    loc net ACCEPT
    loc $FW ACCEPT
    loc all REJECT info
    $FW net ACCEPT
    $FW loc ACCEPT
    $FW all REJECT info
    net $FW DROP info
    net loc DROP info
    net all DROP info
    all all REJECT info

    and my shorewall rules


    ACCEPT net $FW tcp 25
    ACCEPT net $FW tcp 443
    ACCEPT net $FW udp 6277
    DNS/ACCEPT $FW net
    ACCEPT loc $FW tcp 8080
    ACCEPT $FW net tcp 80,443
    SSH/ACCEPT loc $FW
    Ping/ACCEPT loc $FW
    Ping/REJECT net $FW
    ACCEPT $FW loc icmp
    ACCEPT $FW net icmp

    If needed (as I said, I'm a bit rusty and haven't done this for some time), here is my /etc/hosts:

    127.0.0.1 localhost.localdomain localhost
    192.168.0.100 server.sdd.com server
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

    and my /etc/network/interfaces

    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet dhcp
    auto eth1
    iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    broadcast 192.168.1.255
    network 192.168.1.0

    finally my /etc/dhcp3/dhcpd.conf

    subnet 192.168.1.0 netmask 255.255.255.0 {
    option netbios-name-servers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    option domain-name "your.domain.here";
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
    range 192.168.1.100 192.168.1.130;
    }

    and my /etc/default/dhcp3-server
    INTERFACES=eth1


    OK, I think that is probably more info than you would actually need; I just posted every config I was asked for on IRC. I'm sorry for the long post!
    I've been trying to figure out the problem for the past week and don't know what else to do. If someone could please help me out by telling me what to change to route all LAN traffic through the squid proxy, and thereby use the URL redirection, I would be very grateful.

    Thank you

  2. #2
    Join Date
    Apr 2008
    Beans
    6

    Re: Shorewall + Squid on Hardy Server Gateway / Firewall

    Hi, I have updated my /etc/squid/squid.conf to the following

    # squid listens on port 3128 on all interfaces, in transparent
    # (intercept) mode, so the firewall's REDIRECT rule can hand it
    # LAN web traffic without any browser proxy setting
    http_port 3128 transparent

    # Disable ICP and HTCP queries to/from neighbor caches.
    # These features are needed only in a multi-level cache
    # environment with multiple siblings and parent caches
    icp_port 0
    htcp_port 0

    # Words defined in this tag when matched in the URLs,
    # directs squid not to query caches.
    # For example dynamic content - php or asp pages.
    hierarchy_stoplist cgi-bin ? php asp
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY

    # Specify the amount of RAM, to be used for caching the
    # so called: In-Transit objects, Hot Objects,
    # Negative-Cached objects.
    cache_mem 256 MB

    # If a file size is less than 512 MB,
    # squid will place it in cache
    maximum_object_size 512 MB

    # Define the path to cache directory where all objects which
    # are to be cached are stored:
    # 1024 - is the amount of disk space (MB)
    # to use under /var/cache/squid directory
    # 16 - is the number of first-level subdirectories
    # which will be created under the
    # /var/cache/squid directory
    # 256 - is the number of second-level
    # subdirectories which will be created under
    # each first-level directory
    cache_dir ufs /var/cache/squid 1024 16 256

    # Log client request activities to the
    # /var/log/squid/access.log file using the squid log format
    access_log /var/log/squid/access.log squid

    # Define access control lists
    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/32
    acl manager proto cache_object
    acl ssl_ports port 443
    acl ftp_ports port 21
    acl www_ports port 80 443
    acl CONNECT method CONNECT
    acl PURGE method PURGE

    # Recommended minimum configuration:
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Only allow purge requests from localhost
    http_access allow PURGE localhost
    http_access deny PURGE
    # Deny requests to unknown ports
    http_access deny !ftp_ports !www_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !ssl_ports

    # Rules for our clients
    acl sdd_proxy_users src 192.168.0.100/32
    # http_redirect allow sdd_proxy_users
    http_access allow sdd_proxy_users

    # Allow the localhost to have access by default
    http_access allow localhost

    # And deny all other access to this proxy
    # http_redirect allow all
    http_access deny all

    # Prevent users from downloading very large files
    # (limit to ~100MB)
    reply_body_max_size 102400000 allow all

    # Supply an e-mail where users can send their remarks
    # or problems regarding squid
    cache_mgr Gustav

    # Define the hostname that will be shown in
    # error messages etc.
    visible_hostname proxy.sdd.com

    # Specify the UID/GID that the squid will run on
    cache_effective_user proxy
    cache_effective_group proxy

    # Squid has a built in feature for the rotation of the logs.
    # But I prefer logrotate
    logfile_rotate 0

    # Speed up the writing of some log files
    buffered_logs on

    # Redirection
    url_rewrite_program /usr/local/rejik3/redirector /usr/local/rejik3/redirector.conf
    # redirect_program /usr/local/rejik3/redirector /usr/local/rejik3/redirector.conf

    and /etc/shorewall/rules now looks like this

    #############################################################################
    #ACTION   SOURCE  DEST   PROTO  DEST    SOURCE   ORIGINAL  RATE   USER/
    #                               PORT    PORT(S)  DEST      LIMIT  GROUP
    #
    # Accept SMTP, HTTPS and UDP 6277 from the net to the firewall
    #
    ACCEPT net $FW tcp 25
    ACCEPT net $FW tcp 443
    ACCEPT net $FW udp 6277
    #
    # Accept DNS connections from the firewall to the network
    #
    DNS/ACCEPT $FW net
    #
    # Redirect web traffic from the local network to Squid on port 3128,
    # except connections whose original destination is 127.0.0.1
    #
    REDIRECT loc 3128 tcp www - !127.0.0.1
    ACCEPT $FW net tcp www
    #
    # Allow Ping from the local network
    #
    Ping/ACCEPT loc $FW
    #
    # Accept SSH connections from the local network for administration
    #
    SSH/ACCEPT loc $FW
    #
    # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
    #
    Ping/REJECT net $FW
    ACCEPT $FW loc icmp
    ACCEPT $FW net icmp
    #
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

    But now it blocks all web pages, and that is not what I want. Now I think it could be a squid.conf setting I got wrong.
    Every other setting I posted before remains the same.
    Does anybody have an idea about what I'm doing wrong?

    Thank you abs512

  3. #3
    Join Date
    Nov 2007
    Beans
    4

    Re: Shorewall + Squid on Hardy Server Gateway / Firewall

    Try to access a webpage from your client and post your /var/log/messages file after the request.

  4. #4
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Beans
    1,393
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Shorewall + Squid on Hardy Server Gateway / Firewall

    Are the clients behind 192.168.0.100 as a NAT address? You are only allowing that one ip in your squid.conf. Also check /var/log/squid/access_log for detail.

    I've never used Shorewall, so I don't know if that is a factor or not.

  5. #5
    Join Date
    Oct 2007
    Location
    West London, UK
    Beans
    65
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Re: Shorewall + Squid on Hardy Server Gateway / Firewall

    I had a look through your Shorewall rules and they seem ok, but I know nothing of Squid.

    This is from the documentation examples for shorewall rules, see http://www.shorewall.net/Manpages.html

    Redirect all locally-originating www connection requests to port 3128 on the firewall (Squid running on the firewall system) except when the destination address is 192.168.2.2

    #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
    # PORT PORT(S) DEST
    REDIRECT loc 3128 tcp www - !192.168.2.2
    Last edited by ginjabunny; May 19th, 2008 at 10:07 PM.

  6. #6
    Join Date
    Apr 2008
    Beans
    6

    Re: Shorewall + Squid on Hardy Server Gateway / Firewall

    Thank you for all your replies,
    ginjabunny: I'm going to change the destination address to 192.168.2.2 when I'm at the office tomorrow. TY
    Monicker: The DHCP-server range is from 192.168.1.100 to 192.168.1.130, eth1 (internal network) is set to 192.168.1.1. I'll cycle through the addresses and check the log. TY
    I'll be back tomorrow and tell you how it goes.

    abs512

  7. #7
    Join Date
    Apr 2008
    Beans
    6

    Re: Shorewall + Squid on Hardy Server Gateway / Firewall

    I updated the settings as told to a different NAT in acl sdd_proxy_users src, but I found no other way than to write down all the addresses manually (192.168.1.130 192.168.1.129 192.168.1.128 192.16... ). Is there a more elegant way to do this, like giving the IP range (192.168.1.100 to 192.168.1.130)? But apart from that, everything now seems to work!
    Thank you very much,

    abs512

    PS: if someone could just tell me how to make an ACL that is not affected by the proxy, that would be great
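Added example (not part of the thread, and not Squid's own code): a small simulator of Squid's http_access evaluation, run over the ACL section posted above. It shows why a client in the DHCP range 192.168.1.100-192.168.1.130 fell through to "http_access deny all" with the original "acl sdd_proxy_users src 192.168.0.100/32", and that a single range ACL in Squid's documented "src addr1-addr2/netmask" form covers the whole lease range without listing every host. The rule semantics modelled are the ones Squid documents: ACLs on one http_access line are AND-ed, lines are tried top to bottom, the first line whose ACLs all match decides, and a request matching no line gets the opposite of the last line's action. The client addresses used are constructed test inputs; only the src, port, method and proto ACL types used in the thread are implemented.

```python
"""Simulate Squid http_access evaluation for the ACLs posted in this thread.

Added example, not code from the original post or from the Squid project.
Handles only the ACL types the thread uses: src, port, method, proto.
"""
import ipaddress
from dataclasses import dataclass

# The single-host line from the original squid.conf, and the range form
# (assumption: the LAN clients hold DHCP leases 192.168.1.100-192.168.1.130).
ORIGINAL_USERS = "acl sdd_proxy_users src 192.168.0.100/32"
RANGE_USERS = "acl sdd_proxy_users src 192.168.1.100-192.168.1.130/32"


def squid_conf(users_acl):
    """The posted ACL/http_access section with the sdd_proxy_users line swapped in."""
    return f"""
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl manager proto cache_object
acl ssl_ports port 443
acl ftp_ports port 21
acl www_ports port 80 443
acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow PURGE localhost
http_access deny PURGE
http_access deny !ftp_ports !www_ports
http_access deny CONNECT !ssl_ports
{users_acl}
http_access allow sdd_proxy_users
http_access allow localhost
http_access deny all
"""


@dataclass
class Request:
    src: str                 # client IP as Squid sees it (preserved by REDIRECT)
    port: int                # destination port of the requested URL
    method: str = "GET"
    proto: str = "http"      # URL scheme; "cache_object" for cachemgr requests


def parse_conf(text):
    """Collect 'acl' definitions and 'http_access' lines, in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def src_matches(values, client):
    """'src' values: a.b.c.d, a.b.c.d/mask, or a range start-end/mask."""
    ip = ipaddress.ip_address(client)
    for v in values:
        if "-" in v:
            lo, hi = v.split("-")
            hi = hi.split("/")[0]              # the /mask applies to each endpoint
            if int(ipaddress.ip_address(lo)) <= int(ip) <= int(ipaddress.ip_address(hi)):
                return True
        elif ip in ipaddress.ip_network(v, strict=False):
            return True
    return False


def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        return src_matches(values, req.src)
    if kind == "port":
        return req.port in {int(v) for v in values}
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    if kind == "proto":
        return req.proto in values
    raise ValueError(f"ACL type {kind!r} is not handled by this example")


def http_access(conf, req):
    """Return 'allow' or 'deny' using Squid's first-match semantics."""
    acls, rules = parse_conf(conf)
    last = "deny"
    for action, terms in rules:
        last = action
        # every term on the line must match; '!' inverts that single term
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action
    # nothing matched: Squid applies the opposite of the last line's action
    return "deny" if last == "allow" else "allow"


if __name__ == "__main__":
    lan_client = Request("192.168.1.105", 80)
    print("LAN client, original conf:", http_access(squid_conf(ORIGINAL_USERS), lan_client))
    print("LAN client, range conf:   ", http_access(squid_conf(RANGE_USERS), lan_client))
```

In transparent mode the REDIRECT rule is a DNAT on the firewall itself, so Squid still sees the real client address and the src ACL keeps working; that is also why the PS question cannot be answered inside squid.conf: a host that must bypass the proxy has to be excluded on the REDIRECT line before the packet ever reaches Squid (Shorewall 4.x documents SOURCE-column exclusion of the form loc:!192.168.1.50, which you should check against your installed version with "shorewall version" rather than take from this note).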
