aloknet21 asked:
how to setup squid in RHEL 5

I have installed RHEL 5 with 2 LAN cards configured: eth1 for the public IP,
eth0 for the LAN IP.

Now I want to set up a Squid proxy so that users on my LAN can access the internet with FTP, RDP and so on.
fosiul01 replied:

Have a look at this one,

a good tutorial:

http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

But can your internal client PCs browse by using this server?

You need to enable masquerade in iptables [which I guess you have already done].
aloknet21 (asker):

No, I have not done masquerade in iptables. Currently iptables is off. How do I enable this option?
Have a look at this one, just change the IPs as you need for eth1 and eth0:

http://fosiul.co.uk/KnowledgeCategories.php?CID=79

You can start iptables like this:

service iptables start   or   service iptables restart

It will show you something like this:

-bash-3.2# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter nat                [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
 

My public IP is 210.x.x.x
subnet is 255.255.255.252
gateway is 210.x.x.13
DNS is 203.x.x.x


Local IP is 10.50.3.93
subnet is 255.255.252.0
gateway should be ?
DNS is ? for the local LAN
At first, tell me

what IP eth0 is getting

and what IP eth1 is getting.


Better, paste the output of

ifconfig

here.
[root@squid ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:E8:50:0A:5F  
          inet addr:10.50.3.92  Bcast:10.50.3.255  Mask:255.255.252.0
          inet6 addr: fe80::200:e8ff:fe50:a5f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:272 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7430032 (7.0 MiB)  TX bytes:33953 (33.1 KiB)
          Interrupt:137 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:50:BA:CD:60:38  
          inet addr:210.7.74.14  Bcast:210.7.74.15  Mask:255.255.255.252
          inet6 addr: fe80::250:baff:fecd:6038/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50299 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3018 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9628812 (9.1 MiB)  TX bytes:517090 (504.9 KiB)
          Interrupt:153 Base address:0xa000

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10666 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10666 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13762143 (13.1 MiB)  TX bytes:13762143 (13.1 MiB)
OK, so eth1 is connected to the ISP

and eth0 is connected to the internal network.

Check if IPv4 forwarding is on or off:
cat /proc/sys/net/ipv4/ip_forward
If the result is 0 then you will have to turn it on with this command:

echo "1" > /proc/sys/net/ipv4/ip_forward

Now you have to enable IP masquerading by adding a rule in iptables:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
[Now all internet requests will go via eth1]


Now test from a client PC to see if the client PC can ping the outside world.
Here the client PC will get its IP from eth0, so the IP of the client PC would be 10.50.3.X.

ping www.google.com


Note: you should have split this question in 2, because 1) you need to share the internet between the gateway and the client PCs,

2) then the Squid setup.
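The forwarding and masquerade steps above, collected into one script. This is an added example, not code from the thread or from the linked tutorials. It takes the interface roles and LAN range from the asker's ifconfig output (eth0 = LAN 10.50.0.0/22, eth1 = ISP); the function names, the iptables-restore layout and the decision to drop forwarded traffic by default are this example's own. It writes one MASQUERADE rule limited to LAN sources (the ruleset the asker posts later in the thread has the line twice), allows forwarding only LAN to WAN plus reply traffic, and leaves DNS and ping replies to the RELATED,ESTABLISHED rule, so the gateway needs no open udp/53 rule for clients that resolve directly. The transparent REDIRECT rule is left out, since the thread settles on a proxy address typed into the browser.

```shell
#!/bin/sh
# Added example, not from the thread: build the gateway rules discussed above as an
# iptables-restore file for /etc/sysconfig/iptables. Interface roles and the LAN range
# come from the asker's ifconfig (eth0 = LAN 10.50.0.0/22, eth1 = ISP); the function
# names and the DROP-by-default policies are this example's own choices.

# forwarding_enabled [FILE]: true when IPv4 forwarding is on. Reads the same file the
# thread checks; a different path can be passed for testing without root.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# gateway_rules LAN_IF WAN_IF LAN_NET: print the ruleset. Compared with the ruleset
# posted later in the thread it (a) lists MASQUERADE once and only for LAN sources,
# (b) drops forwarded traffic by default and allows LAN->WAN plus replies, and
# (c) relies on the RELATED,ESTABLISHED rule for DNS and ping replies.
gateway_rules() {
    lan="$1"; wan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $lan -s $net -j ACCEPT
-A INPUT -j LOG --log-prefix INPUT-DROP:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -j LOG --log-prefix FWD-DROP:
COMMIT
EOF
}

# count_target RULESET TARGET: how often "-j TARGET" occurs, to catch duplicates like
# the two identical MASQUERADE lines in the asker's iptables-save output.
count_target() {
    printf '%s\n' "$1" | grep -c -- "-j $2"
}

# Usage on the gateway (as root), also persisting forwarding across reboots:
#   forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
#   sed -i 's/^net.ipv4.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
#   gateway_rules eth0 eth1 10.50.0.0/22 > /etc/sysconfig/iptables
#   service iptables restart
```

The INPUT rule for eth0 is what lets LAN clients reach Squid on the gateway; everything else arriving from the ISP side is logged and dropped. Clients that use an FTP program directly (rather than Squid fetching FTP for them) also need the ip_conntrack_ftp and ip_nat_ftp helper modules on the gateway; on RHEL 5 these are listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config, which is the mechanism behind the "Loading additional iptables modules" line in the service output shown earlier in the thread.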

Now I have configured Squid according to your steps but Squid is not working..

Access log below..

[root@squid ~]# tail -f /var/log/squid/access.log
1234177100.798    706 10.50.3.89 TCP_MISS/304 278 GET https://www.experts-exchange.com/images/email/buttonViewThisQuestion.gif - DIRECT/64.156.132.140 -
1234177100.808    657 10.50.3.89 TCP_MISS/304 279 GET https://www.experts-exchange.com/images/email/bodyBG_guylistening.gif - DIRECT/64.156.132.140 -
1234177103.368    310 10.50.3.89 TCP_MISS/304 278 GET https://www.experts-exchange.com/images/email/eeLogo2.gif - DIRECT/64.156.132.140 -
1234177104.098    585 10.50.3.89 TCP_MISS/304 278 GET https://www.experts-exchange.com/images/email/eeLogo2.gif - DIRECT/64.156.132.140 -
1234177104.108    329 10.50.3.89 TCP_MISS/304 278 GET https://www.experts-exchange.com/images/email/buttonViewThisQuestion.gif - DIRECT/64.156.132.140 -
1234177104.429    646 10.50.3.89 TCP_MISS/304 279 GET https://www.experts-exchange.com/images/email/bodyBG_guylistening.gif - DIRECT/64.156.132.140 -
OK, have you followed my previous post about iptables and the tutorial I sent?

http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

Note: for Squid you need to forward port 80 to 3128. Did you do all these?
Attached is the squid conf file.

Please suggest.
Yes, we did all that you told...

Now, should I enable the proxy on the client side as 10.50.3.92:3128?

At first, have you done everything?

And also your httpd.conf is not attached.
Now Squid is working on port 8080 that we have assigned.

Thanks for this help..

But ping is not working and we are not able to connect to external FTP from the client side from a web browser.
FTP is only accessible through LeechFTP, but directory listing is not permitted by Squid.

Please suggest.


Error is :  
So you are saying

now you can browse by using Squid?
Yes.

But FTP is not connecting through the browser. But able to connect through FTP client software, i.e. LeechFTP.

And also not able to ping any site from the client PC.

For this one, please open another question:
But FTP is not connecting through the browser. But able to connect through FTP client software, i.e. LeechFTP.


But for the ping problem you need to add this line in iptables.
Edit your iptables file, which should be in /etc/sysconfig/iptables, and add this:


-A RH-Firewall-1-INPUT -d 192.168.2.1 -p udp -m udp --dport 53 -j ACCEPT

or from the command line:
iptables -A INPUT -p udp --dport 53 -j ACCEPT

But before that, check the output of the iptables file [/etc/sysconfig/iptables] to see whether you got RH or just normal iptables rules.

See the output of iptables:



*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [1:56]
:OUTPUT ACCEPT [2027:581753]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Mon Feb  9 16:33:40 2009
# Generated by iptables-save v1.3.5 on Mon Feb  9 16:33:40 2009
*nat
:PREROUTING ACCEPT [4575:645139]
:POSTROUTING ACCEPT [1:32]
:OUTPUT ACCEPT [210:12720]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 210.7.74.14:3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Mon Feb  9 16:33:40 2009
# Generated by iptables-save v1.3.5 on Mon Feb  9 16:33:40 2009
*mangle
:PREROUTING ACCEPT [13652:3762350]
:INPUT ACCEPT [13526:3748329]
:FORWARD ACCEPT [82:3215]
:OUTPUT ACCEPT [2068:585083]
:POSTROUTING ACCEPT [2156:588490]
COMMIT
     
Where i have to put below line in my iptables file
A RH-Firewall-1-INPUT -d 192.168.2.1 -p udp -m udp --dport 53 -j ACCEPT
OK, run this one:

iptables -A INPUT -p udp --dport 53 -j ACCEPT

But one thing is weird.
You have this one:

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

but you are trying to access Squid on port 8080!!!

So currently you are not doing transparent proxying, is it not?
If in future you want to do transparent proxying,
change this line

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

to

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
Also for the FTP problem,

check if you have these 2 lines in squid.conf or not:

acl ftp proto FTP
http_access allow ftp
When we restart the Squid service we see these lines...

[root@squid ~]# service squid restart
Stopping squid: 2009/02/09 17:15:49| parseConfigFile: line 2948 unrecognized: 'httpd_accel_host virtual'
2009/02/09 17:15:49| parseConfigFile: line 2949 unrecognized: 'httpd_accel_port 80'
2009/02/09 17:15:49| parseConfigFile: line 2950 unrecognized: 'httpd_accel_with_proxy on'
2009/02/09 17:15:49| parseConfigFile: line 2951 unrecognized: 'httpd_accel_uses_host_header on'
...............                                            [  OK  ]
Starting squid: ..                                         [  OK  ]



Please suggest.
What's the output of

grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

and can you attach the squid.conf file here?
Output of this command is here:

[root@squid ~]# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
http_port 8080
 
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
authenticate_ip_ttl 1 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl ncsa_users proxy_auth REQUIRED
acl alok src 10.50.3.89 10.50.3.90 10.50.0.214 10.50.3.41
acl abhi max_user_ip -s 1
acl restrict dstdomain .yahoo.com .orkut.com .gmail.com .aol.com .rediffmail.com .msn.com .naukri.com .timesjobs.com .monsterindia.com .freshers.com .in.com .wayn.com .hi5.com .facebook.com .ibibo.com .myspace.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow alok
http_access deny abhi
http_access deny restrict
http_access allow ncsa_users
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname squid
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 210.7.74.14 10.50.0.0/22
http_access allow lan
                acl FTP proto FTP
                always_direct allow FTP
coredump_dir /var/spool/squid



Attached is the squid conf file..


But you said the proxy was working fine, so what happened suddenly?

Also, after configuring Squid, did you not restart Squid before?
Yes, the proxy is working fine..
but at the time of restarting the proxy those lines are also appearing..
Why?

Thanks for your great help.

working squid configuration file


OK,

you can uncomment those lines and try again.

What happened, I am guessing:

you are not using transparent proxy, you are typing the proxy address by hand in the browser, is it not?

But there is something wrong in your Squid configuration,

because you are using 8080 for the proxy address, but it's not defined anywhere in squid.conf...

which is weird.

Anyway, uncomment those lines and try again.

I will be back after one and a half hours.
Will see the
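A checker for the two problems visible in the asker's squid.conf output and restart messages above, added here as an example; it is not code from the thread and not a Squid tool. It assumes that the four httpd_accel_* directives are the Squid 2.5 interception syntax that the Squid 2.6 shipped with RHEL 5 no longer accepts (which is what the "parseConfigFile: ... unrecognized" lines report; 2.6 uses "http_port <port> transparent" instead), and that Squid evaluates http_access rules top-down and stops at the first match, so the "http_access allow lan" placed after "http_access deny all" is never reached. The sample config is constructed from the asker's grep output, trimmed to the relevant lines; listen_port reads the real listening port so it can be compared with the iptables REDIRECT target discussed earlier (3128 versus 8080).

```shell
#!/bin/sh
# Added example, not from the thread: checks for two squid.conf problems seen above.
# Assumptions: the httpd_accel_* directives are Squid 2.5 syntax that the Squid 2.6 in
# RHEL 5 rejects, and http_access is evaluated top-down, first match wins.

# Squid 2.5 interception directives, replaced in 2.6 by "http_port <port> transparent"
DEPRECATED_DIRECTIVES='httpd_accel_host httpd_accel_port httpd_accel_with_proxy httpd_accel_uses_host_header'

# unrecognized_directives FILE: print the name of each deprecated directive in use
unrecognized_directives() {
    for d in $DEPRECATED_DIRECTIVES; do
        grep -E "^[[:space:]]*$d([[:space:]]|\$)" "$1" | awk '{ print $1 }'
    done
}

# unreachable_http_access FILE: http_access lines placed after "http_access deny all",
# which Squid never evaluates because "deny all" already matched every request
unreachable_http_access() {
    awk '
        /^[ \t]*http_access[ \t]+deny[ \t]+all([ \t]|$)/ { sealed = 1; next }
        sealed && /^[ \t]*http_access[ \t]/ { print }
    ' "$1"
}

# listen_port FILE: port of the first http_port line, to compare with the iptables
# REDIRECT target (the thread redirects port 80 to 3128 while Squid listens on 8080)
listen_port() {
    awk '$1 == "http_port" { sub(/^.*:/, "", $2); print $2; exit }' "$1"
}

# write_sample_config FILE: constructed sample, the relevant lines of the asker's
# grep output in their original order
write_sample_config() {
    cat > "$1" <<'EOF'
http_port 8080
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 210.7.74.14 10.50.0.0/22
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny all
http_reply_access allow all
visible_hostname squid
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access allow lan
EOF
}

# check_config FILE: run the checks and print a short report; returns 1 if anything
# was found, so it can gate "service squid restart" in a deployment script
check_config() {
    bad=0
    for d in $(unrecognized_directives "$1"); do
        echo "unrecognized by Squid 2.6: $d (use 'http_port $(listen_port "$1") transparent' for interception)"
        bad=1
    done
    unreachable_http_access "$1" | while read -r line; do
        echo "never reached (after 'http_access deny all'): $line"
    done
    [ -z "$(unreachable_http_access "$1")" ] || bad=1
    return $bad
}

# Usage: check_config /etc/squid/squid.conf && service squid restart
```

The fix the report points at is to move "http_access allow lan" (and the "acl lan" line it needs) above "http_access deny all", and to replace the four httpd_accel_* lines with the transparent option on http_port only if interception via the iptables REDIRECT rule is actually wanted; with the proxy address typed into the browser, the lines can simply be removed.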
I have got the solution after consulting this expert.
Got the answer. Thanks for Help!