Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Squid / IPTables configuration: Dynamic IP Address provided by ISP

234 views
Skip to first unread message

Swiftguy121

unread,
Nov 4, 2009, 9:38:45 AM11/4/09
to
Hello,

I have a network with a broadband connection with dynamic ip address
(external ip address provided by the ISP). How do I configure the
squid proxy as the ISP ip addresses is changing everytime we login.
Please click on the following link to view our network diagram
http://www.dotweb.in/share-both.jpg
I tried to configure the iptables (based on advice given on the web),
basically this was done to enable NAT and Masquerade.

Please note that Im able to ping from the client system(192.168.0.30)
to the proxy server(192.168.0.20).
Kindly help me out, Thanks in advance

Im getting the following error from client browser
----------------------------------------------------------
**************************************************
The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing
connections.
* Check the proxy settings to make sure that they are correct.
* Contact your network administrator to make sure the proxy server
is
working.
***************************************************


Following are the commands I ran before i started the squid daemon
-------------------------------------------------------------------------------------
1. Enable packet forwarding . Make it permanent by adding
"net.ipv4.ip_forward = 1" to /etc/sysctl.conf

echo "1" > /proc/sys/net/ipv4/ip_forward

2. Enable iptables to handle NAT. ( eth0 is the public connection )

/sbin/iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.20 -o
eth0 -j MASQUERADE

3. Save iptables settings

service iptables save

My current IPTables rules
===================
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere
anywhere
ACCEPT all -- anywhere
anywhere
ACCEPT tcp -- anywhere anywhere state NEW
tcp dpt:ssh
REJECT all -- anywhere anywhere reject-
with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-
with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# ^C
[root@localhost ~]#


This is my current squid.conf, kindly update me if any errors in the
file.
--------------------------------------------------------------------------------------
# The port on which squid will listen for requests
http_port 8080

visible_hostname localhost

# If 'cgi-bin' or '?' is in query, squid should not check with
neighbours'/parents' cache
# and should go to target web-server.
hierarchy_stoplist cgi-bin ?

# If url contains 'cgi-bin' or '?', then it must not be cached
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
# broken_vary_encoding allow apache

# Absolute path to squid access log.
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Access control list to control every IP address
acl all src 0.0.0.0/0.0.0.0

# Access control list for source machine in LAN
acl lan_src src 192.168.0.0/16

# Access control list for destination machine in LAN
acl lan_dst dst 192.168.0.0/16

# Access control list to manage squid cache
acl manager proto cache_object

# Access control list to define IP address allowed for source
localhost
acl localhost src 127.0.0.1/255.255.255.255

# Access control list to define IP addresses allowed for localhost as
destination
acl to_localhost dst 127.0.0.0/8

# Access control list to define Safe ports that should be allowed by
default
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Allow cache management only from localhost
http_access allow manager localhost

# Deny cache management from remote hosts
http_access deny manager

# Deny http access via all the ports which are not listed as safe
http_access deny !Safe_ports

# Deny all connections via all ports which are not listed as safe
http_access deny CONNECT !SSL_ports

# Allow http access from localhost
http_access allow localhost

# Allow http access from machines on LAN
http_access allow lan_src
http_access deny all
http_reply_access allow all
icp_access allow all

# Deny caching for everyone so that there is not caching at all
cache deny all
coredump_dir /var/spool/squid

# Never allow direct connection to machines on the internet
prefer_direct off
never_direct allow all

# Allow direct connetion if the destination machine is on LAN
always_direct allow lan_dst

# Delete this line if you don't have /etc/hosts file
hosts_file /etc/hosts

# Allow AIM connections
# Delete the following 9 lines if you don't want people to connect to
AIM
acl AIM_ports port 5190 9898 6667
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com .freenode.net
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com
login.glogin.messaging.aol.com toc.oscar.aol.com irc.freenode.net
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow AIM_methods AIM_ports AIM_domains

# Allow connections to Yahoo Messenger
# Delete the following 6 lines if you don't want people to connect to
Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains

# Allow connections to Google Talk
# Delete the following 6 lines if you don't want people to connect to
Google Talk
acl GTALK_ports port 5222 5050
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT
http_access allow GTALK_methods GTALK_ports GTALK_hosts
http_access allow GTALK_methods GTALK_ports GTALK_domains

# Allow connections to MSN
# Delete the following 6 lines if you don't want people to connect to
Google Talk
acl MSN_ports port 1863 443 1503
acl MSN_domains
dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT
http_access allow MSN_methods MSN_ports MSN_hosts

0 new messages