7.06.2011

Setting up a "Standard" Squid Proxy on Ubuntu 10.04.1 LTS

Too lazy to keep fiddling with the box that is going to become the server ....
Tried patching IPCop ... not running. ClearOS, same story, so in the end it is Ubuntu, because pfSense crashed rather often ... no idea why.
To save time, assume eth0 is the Internet link and eth1 is the link to the clients.
1. IP setup:
Configure the addresses in the interfaces file: sudo vim /etc/network/interfaces
auto eth0
iface eth0 inet static
        address 192.168.1.70
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
#       post-up iptables-restore < /etc/iptables.up.rules
        # dns-* options are implemented by the resolvconf package, if installed
#       dns-nameservers 202.134.0.155

#post-up iptables-restore < /etc/iptables.up.rules

auto eth1
iface eth1 inet static
        address 192.168.0.1
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        # only one interface may carry the default gateway; eth0 already has it,
        # a second "gateway" line here makes "ifup eth1" fail with "File exists"
#       gateway 192.168.1.7
2. Install squid and configure it: sudo apt-get install squid, then edit /etc/squid/squid.conf:
# Squid normally listens to port 3128; "transparent" lets it accept the
# connections that the firewall script below redirects to it
http_port 3128 transparent

#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# the client LAN behind eth1 (define each acl only once)
acl our_networks src 192.168.0.0/24
acl localnet src 127.0.0.1/255.255.255.255

http_access allow our_networks
http_access allow localnet
#Default: keep "deny all" as the last http_access line, otherwise hosts that
# match none of the rules above (e.g. on the eth0 side) can use the proxy
http_access deny all

#  TAG: access_log
#       These files log client request activities. Has a line every HTTP or
#       ICP request. The format is:
#       access_log <filepath> [<logformat name> [acl acl ...]]
#       access_log none [acl acl ...]
#
#       Will log to the specified file using the specified format (which
#       must be defined in a logformat directive) those entries which match
#       ALL the acl's specified (which must be defined in acl clauses).
#       If no acl is specified, all requests will be logged to this file.
#
#       To disable logging of a request use the filepath "none", in which case
#       a logformat name should not be specified.
#
#       To log the request via syslog specify a filepath of "syslog":
#
#       access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
#       where facility could be any of:
#       authpriv, daemon, local0 .. local7 or user.
#
#       And priority could be any of:
#       err, warning, notice, info, debug.
access_log /var/log/squid/access.log
3. Next, copy the following script into place: sudo vim /etc/fw.proxy
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.70"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# ssh, so the server can be managed remotely from this IP range only
iptables -A INPUT -p TCP -s 202.58.180.0/24 --dport 22 -j ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept replies to connections this box initiated (covers DNS, passive FTP, etc.)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
4. Make the file executable: sudo chmod +x /etc/fw.proxy
5. Add the script's path to rc.local: sudo vim /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/etc/fw.proxy

exit 0
6. Then verify the result by watching the access log: tail -f /var/log/squid/access.log
1294469829.027    220 192.168.0.49 TCP_MISS/200 1032 GET http://scr.kliksaya.com/js-ad.php? - DIRECT/203.211.149.124 text/html
1294469829.115   3620 192.168.0.49 TCP_MISS/200 532 GET http://router.infolinks.com/gsd/1294469817940.0? - DIRECT/74.200.228.171 text/javascript
1294469829.360    562 192.168.0.49 TCP_MISS/200 910 GET http://a.tribalfusion.com/j.ad? - DIRECT/204.11.109.22 application/x-javascript
1294469829.536    154 192.168.0.49 TCP_MISS/200 1030 GET http://scr.kliksaya.com/js-ad.php? - DIRECT/203.211.149.124 text/html
1294469829.642     83 192.168.0.49 TCP_MISS/200 1132 GET http://scr5.kliksaya.com/ifr-ba.php? - DIRECT/203.211.149.120 text/html
1294469829.657    103 192.168.0.49 TCP_MISS/200 719 GET http://www.stafaband.info/embed-34924.html - DIRECT/49.0.4.68 text/html
1294469829.715    172 192.168.0.49 TCP_MISS/200 5246 GET http://scr3.kliksaya.com/ifr-ad.php? - DIRECT/203.211.149.126 text/html
1294469829.758    142 192.168.0.49 TCP_MISS/200 1402 GET http://stafaband.info/digital.php - DIRECT/49.0.4.68 text/html
1294469829.804    221 192.168.0.49 TCP_MISS/200 3220 GET http://scr3.kliksaya.com/ifr-ad.php? - DIRECT/203.211.149.126 text/html
1294469829.810    191 192.168.0.49 TCP_MISS/200 472 GET http://www.google-analytics.com/__utm.gif? - DIRECT/209.85.175.100 image/gif
1294469830.056    356 192.168.0.49 TCP_MISS/200 281 GET http://www.facebook.com/extern/login_status.php? - DIRECT/69.63.181.15 text/html
1294469830.533    700 192.168.0.49 TCP_MISS/200 4101 GET http://www.facebook.com/plugins/like.php? - DIRECT/69.63.181.15 text/html
1294469830.666    804 192.168.0.49 TCP_MISS/200 4281 GET http://www.facebook.com/plugins/like.php? - DIRECT/69.63.181.15 text/html
1294469830.706    948 192.168.0.49 TCP_MISS/200 6882 GET http://www.facebook.com/plugins/comments.php? - DIRECT/69.63.181.15 text/html
1294469831.171    312 192.168.0.49 TCP_MISS/200 800 GET http://www.facebook.com/campaign/impression.php? - DIRECT/69.63.181.15 image/gif
1294469831.502    315 192.168.0.49 TCP_MISS/200 800 GET http://www.facebook.com/campaign/impression.php? - DIRECT/69.63.181.15 image/gif
1294469831.886    701 192.168.0.49 TCP_MISS/200 1421 GET http://api.recaptcha.net/challenge? - DIRECT/64.34.251.151 text/javascript
1294469832.234    324 192.168.0.49 TCP_MISS/200 706 GET http://www.google.com/recaptcha/api/challenge? - DIRECT/209.85.175.99 text/javascript
1294469832.427    172 192.168.0.49 TCP_MISS/200 3784 GET http://www.google.com/recaptcha/api/image? - DIRECT/209.85.175.99 image/jpeg
1294469833.433   1533 192.168.0.49 TCP_MISS/200 707 GET http://www.facebook.com/ajax/captcha/recaptcha_log_actions.php? - DIRECT/69.63.

7. Done.
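Because the ACL section in step 2 is the only thing standing between "proxy for the LAN" and "open proxy", a small checker is useful before restarting squid. The script below is an added example, not part of the post: it parses the acl/http_access lines of a squid.conf fragment (a constructed sample in the shape of the one above, with the our_networks acl pasted twice), reports undefined and duplicated acls, and insists that the last http_access rule is "deny all".

```python
from collections import Counter

# Constructed sample in the shape of the post's squid.conf fragment,
# including an acl line that appears twice.
SAMPLE_CONF = """\
# Squid normally listens to port 3128
http_port 3128 transparent
acl our_networks src 192.168.0.0/24
acl localnet src 127.0.0.1/255.255.255.255
http_access allow our_networks
http_access allow localnet
acl all src all
acl manager proto cache_object
acl our_networks src 192.168.0.0/24
http_access allow our_networks
http_access deny all
"""

def parse_conf(text):
    """Return (directive, args) tuples for acl and http_access lines, in file order."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(parts) >= 3 and parts[0] in ("acl", "http_access"):
            entries.append((parts[0], tuple(parts[1:])))
    return entries

def audit(text):
    """List problems in the ACL section; an empty list means all checks pass."""
    findings, defined, dupes, last_rule = [], set(), Counter(), None
    for directive, args in parse_conf(text):
        if directive == "acl":
            if args[0] in defined:
                dupes[args[0]] += 1
            defined.add(args[0])
        else:  # http_access <allow|deny> acl [acl ...]; "!" negates an acl
            action, names = args[0], args[1:]
            for name in names:
                if name.lstrip("!") not in defined:
                    findings.append(f"http_access {action} uses undefined acl {name!r}")
            last_rule = (action, names)
    for name, n in dupes.items():
        findings.append(f"acl {name!r} is defined {n + 1} times; squid merges the values")
    if last_rule != ("deny", ("all",)):
        findings.append("final http_access is not 'deny all': clients matching no rule get "
                        "the opposite of the last rule, which can leave the proxy open")
    return findings

if __name__ == "__main__":
    for problem in audit(SAMPLE_CONF) or ["no findings"]:
        print(problem)
```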
