Setting up a "standard" Squid proxy on Ubuntu 10.04.1 LTS

Too lazy to tinker with the box that is going to become the server ....
Tried a patch for IPCop ... not running. Same with ClearOS, so in the end I went with Ubuntu because pfSense crashed fairly often ... no idea why.
To save time, we assume eth0 is the Internet link and eth1 is the link to the clients.
1. IP configuration:
Set the IP addresses in the interfaces file: sudo vim /etc/network/interfaces
auto eth0
iface eth0 inet static
#       post-up iptables-restore < /etc/iptables.up.rules
        # dns-* options are implemented by the resolvconf package, if installed
#       dns-nameservers

#post-up iptables-restore < /etc/iptables.up.rules

auto eth1
iface eth1 inet static
2. Install Squid and configure it: sudo apt-get install squid, then edit squid.conf with the following settings:
# Squid normally listens to port 3128
http_port 3128 transparent

acl our_networks src
acl localnet src
http_access allow our_networks
http_access allow localnet

#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl our_networks src
acl localnet src

# http_access deny all
http_access allow our_networks
http_access allow localnet

#  TAG: access_log
#       These files log client request activities. Has a line every HTTP or
#       ICP request. The format is:
#       access_log  [ [acl acl ...]]
#       access_log none [acl acl ...]]
#       Will log to the specified file using the specified format (which
#       must be defined in a logformat directive) those entries which match
#       ALL the acl's specified (which must be defined in acl clauses).
#       If no acl is specified, all requests will be logged to this file.
#       To disable logging of a request use the filepath "none", in which case
#       a logformat name should not be specified.
#       To log the request via syslog specify a filepath of "syslog":
#       access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
#       where facility could be any of:
#       authpriv, daemon, local0 .. local7 or user.
#       And priority could be any of:
#       err, warning, notice, info, debug.
access_log /var/log/squid/access.log
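Two things in the ACL block above deserve a check before the proxy goes live: the "acl ... src" lines carry no network argument as shown (Squid refuses to start on those), and the final "# http_access deny all" is commented out, so the chain is left open-ended and the last "allow" rule decides what happens to unmatched requests. The script below is an added example, not part of the original post, and lints a squid.conf for both conditions; the file names and the RFC 1918 / loopback ranges in the "fixed" sample are constructed for the demonstration and are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example: lint the Squid ACL section for the two gaps visible on the page.
# (1) "acl NAME src|dst" lines that carry no address argument.
# (2) whether the http_access chain ends in "deny all".

# Print the names of acl src/dst lines that have no address argument.
squid_acls_missing_arg() {
    # $1 = path to a squid.conf
    awk '$1 == "acl" && ($3 == "src" || $3 == "dst") && NF < 4 { print $2 }' "$1"
}

# Print the last effective (uncommented) http_access rule, e.g. "allow localnet".
squid_last_http_access() {
    awk '$1 == "http_access" { last = $2 " " $3 } END { print last }' "$1"
}

# Exit 0 when the http_access chain is closed by "deny all", 1 otherwise.
squid_chain_is_closed() {
    [ "$(squid_last_http_access "$1")" = "deny all" ]
}

# Constructed sample reproducing the ACL block as it appears on the page.
SAMPLE_CONF="${TMPDIR:-/tmp}/squid-acl-check.$$"
SAMPLE_FIXED="${TMPDIR:-/tmp}/squid-acl-fixed.$$"
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_FIXED"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
http_port 3128 transparent
acl all src all
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl our_networks src
acl localnet src
# http_access deny all
http_access allow our_networks
http_access allow localnet
EOF

# Constructed "fixed" variant: networks filled in (assumed example ranges) and the chain closed.
cat > "$SAMPLE_FIXED" <<'EOF'
http_port 3128 transparent
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl our_networks src 192.168.1.0/24
acl localnet src 192.168.1.0/24
http_access allow localhost
http_access allow our_networks
http_access allow localnet
http_access deny all
EOF

# Run the checks against both samples.
echo "acl lines missing an address: $(squid_acls_missing_arg "$SAMPLE_CONF" | tr '\n' ' ')"
squid_chain_is_closed "$SAMPLE_CONF" || echo "page config: http_access chain is not closed by 'deny all'"
squid_chain_is_closed "$SAMPLE_FIXED" && echo "fixed config: http_access chain is closed"
```

Run it against the real /etc/squid/squid.conf by passing that path to the two functions; any name printed by squid_acls_missing_arg needs a network before Squid will start, and an open chain should be closed with an explicit "http_access deny all" rather than left to the implicit default.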
3. Next, copy the following script into place: sudo vim /etc/fw.proxy
#!/bin/sh
# squid server IP
SQUID_SERVER="SQUID_SERVER_IP_PLACEHOLDER"   # placeholder: the address was lost from the original page; use this box's LAN IP
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# Source network allowed to reach SSH on this server
SSH_NET="SSH_SOURCE_NET_PLACEHOLDER"   # placeholder: the segment was lost from the original page
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
# ssh so the server can be managed remotely from this IP segment
iptables -A INPUT -p tcp -s "$SSH_NET" --dport 22 -j ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP (replies to connections this box initiated)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
4. Change the file's permissions: chmod +x /etc/fw.proxy
5. Add that path to rc.local: sudo vim /etc/rc.local
#!/bin/sh -e
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
# By default this script does nothing.

/etc/fw.proxy

exit 0

6. Continue by checking the result in the log: tail -f /var/log/squid/access.log
1294469829.027    220 TCP_MISS/200 1032 GET http://scr.kliksaya.com/js-ad.php? - DIRECT/ text/html
1294469829.115   3620 TCP_MISS/200 532 GET http://router.infolinks.com/gsd/1294469817940.0? - DIRECT/ text/javascript
1294469829.360    562 TCP_MISS/200 910 GET http://a.tribalfusion.com/j.ad? - DIRECT/ application/x-javascript
1294469829.536    154 TCP_MISS/200 1030 GET http://scr.kliksaya.com/js-ad.php? - DIRECT/ text/html
1294469829.642     83 TCP_MISS/200 1132 GET http://scr5.kliksaya.com/ifr-ba.php? - DIRECT/ text/html
1294469829.657    103 TCP_MISS/200 719 GET http://www.stafaband.info/embed-34924.html - DIRECT/ text/html
1294469829.715    172 TCP_MISS/200 5246 GET http://scr3.kliksaya.com/ifr-ad.php? - DIRECT/ text/html
1294469829.758    142 TCP_MISS/200 1402 GET http://stafaband.info/digital.php - DIRECT/ text/html
1294469829.804    221 TCP_MISS/200 3220 GET http://scr3.kliksaya.com/ifr-ad.php? - DIRECT/ text/html
1294469829.810    191 TCP_MISS/200 472 GET http://www.google-analytics.com/__utm.gif? - DIRECT/ image/gif
1294469830.056    356 TCP_MISS/200 281 GET http://www.facebook.com/extern/login_status.php? - DIRECT/ text/html
1294469830.533    700 TCP_MISS/200 4101 GET http://www.facebook.com/plugins/like.php? - DIRECT/ text/html
1294469830.666    804 TCP_MISS/200 4281 GET http://www.facebook.com/plugins/like.php? - DIRECT/ text/html
1294469830.706    948 TCP_MISS/200 6882 GET http://www.facebook.com/plugins/comments.php? - DIRECT/ text/html
1294469831.171    312 TCP_MISS/200 800 GET http://www.facebook.com/campaign/impression.php? - DIRECT/ image/gif
1294469831.502    315 TCP_MISS/200 800 GET http://www.facebook.com/campaign/impression.php? - DIRECT/ image/gif
1294469831.886    701 TCP_MISS/200 1421 GET http://api.recaptcha.net/challenge? - DIRECT/ text/javascript
1294469832.234    324 TCP_MISS/200 706 GET http://www.google.com/recaptcha/api/challenge? - DIRECT/ text/javascript
1294469832.427    172 TCP_MISS/200 3784 GET http://www.google.com/recaptcha/api/image? - DIRECT/ image/jpeg
1294469833.433   1533 TCP_MISS/200 707 GET http://www.facebook.com/ajax/captcha/recaptcha_log_actions.php? - DIRECT/69.63.
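Watching tail -f confirms traffic is flowing, but the native access.log format above (time, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type) is also easy to summarise with awk. The script below is an added example, not part of the original post: it reports bytes per destination host, request counts per Squid result code, clients that hit TCP_DENIED, and the cache hit ratio. The log lines inside it are constructed samples (client and peer addresses use documentation ranges, and the page's own lines have the client and peer fields stripped), not the page's output.

```shell
#!/bin/sh
# Added example: summarise Squid native access.log lines.
# Field layout: $1 time, $2 elapsed ms, $3 client, $4 result/status, $5 bytes,
#               $6 method, $7 URL, $8 ident, $9 hierarchy/peer, $10 content type.

# Constructed sample log (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG="${TMPDIR:-/tmp}/squid-access-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1294469829.027    220 192.0.2.10 TCP_MISS/200 1032 GET http://scr.kliksaya.com/js-ad.php? - DIRECT/203.0.113.5 text/html
1294469829.115   3620 192.0.2.10 TCP_MISS/200 532 GET http://router.infolinks.com/gsd/1.0? - DIRECT/203.0.113.6 text/javascript
1294469829.810    191 192.0.2.11 TCP_MISS/200 472 GET http://www.google-analytics.com/__utm.gif? - DIRECT/203.0.113.7 image/gif
1294469830.533    700 192.0.2.11 TCP_HIT/200 4101 GET http://www.facebook.com/plugins/like.php? - NONE/- text/html
1294469831.171      0 192.0.2.12 TCP_DENIED/403 1200 GET http://www.facebook.com/campaign/impression.php? - NONE/- text/html
1294469832.234    324 192.0.2.10 TCP_MISS/200 706 GET http://www.google.com/recaptcha/api/challenge? - DIRECT/203.0.113.8 text/javascript
EOF

# Bytes served per destination host, largest first ("host bytes" per line).
squid_bytes_per_host() {
    awk '{
        url = $7
        sub("^[a-z]+://", "", url)   # strip the scheme
        sub("[/:].*$", "", url)      # keep the host part only
        bytes[url] += $5
    }
    END { for (h in bytes) printf "%s %d\n", h, bytes[h] }' "$1" | sort -k2,2nr -k1,1
}

# Number of requests per Squid result code (TCP_MISS, TCP_HIT, TCP_DENIED, ...).
squid_result_counts() {
    awk '{ split($4, parts, "/"); n[parts[1]]++ }
         END { for (c in n) printf "%s %d\n", c, n[c] }' "$1" | sort
}

# Client addresses that produced at least one denied request.
squid_denied_clients() {
    awk '$4 ~ /^TCP_DENIED\// { print $3 }' "$1" | sort -u
}

# Cache hit ratio as an integer percentage over all requests in the file.
squid_hit_ratio() {
    awk '{ total++ } $4 ~ /_HIT\// { hits++ }
         END { if (total) printf "%d\n", 100 * hits / total; else print 0 }' "$1"
}

echo "== bytes per host";      squid_bytes_per_host "$SAMPLE_LOG"
echo "== result codes";        squid_result_counts "$SAMPLE_LOG"
echo "== clients denied";      squid_denied_clients "$SAMPLE_LOG"
echo "== hit ratio (%)";       squid_hit_ratio "$SAMPLE_LOG"
```

Point the functions at /var/log/squid/access.log instead of the sample to run them on the live proxy; a non-empty "clients denied" list is the first place to look when a LAN machine reports that pages no longer load after the transparent redirect is in place.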

7. Done.
