imz-ez
How to configure squid
I need to configure squid on Linux Enterprise 5. My important purpose is to monitor daily bandwidth, that is, how much bandwidth the office has used. Secondly, does squid create a list of logs showing which system has seen which websites? Third, share internet through squid. I am new to Linux and want to share internet through squid. Please help me. There are 2 ethernet cards in my Linux system. DHCP is configured on Windows Server 2008 Enterprise (192.168.2.1 to 192.168.2.200 is the IP range set in Server 2008). One cable from the DSL is directly connected to one ethernet interface of the Linux machine (DHCP is also configured in the DSL, i.e. 192.168.2.1 to 192.168.2.200). The IP address of that interface is 192.168.2.100. The other ethernet cable is directly connected to the switch and the other ethernet port of the Linux machine. Please guide me on how I can configure squid now. I don't want to give proxy on every machine. Please do the needful and tell me step by step how I can configure squid.
ASKER
The above-mentioned links didn't resolve my problem. Please read the question in detail.
imz-ez,
For your monitoring of bandwidth and usage of squid, search for and install calamaris with your package manager.
Sorry, I've now read the other part (step by step squid configuration) but it's not clear ...
please tell me :
1) the hot (internet) interface and ip/subnet on the linux box
2) the cold (LAN) interface and ip/subnet on the linux box
3) the range of ip that you would allow or lock
or
3) if the statement "I dont want to give proxy on every machine." isn't about allow/deny but means "I don't want to configure proxy on every machine", then you need the transparent proxy
1) The assumption is that there is a routing box (at least for internet purposes). This server has two network cards: one that connects to the www (hot) and the other one to the LAN. You can only control internet traffic if all the traffic in the LAN passes through this box. Otherwise, how would you force computers in the network to use your Squid?
2) As explained above, this NIC is connected to the switch that connects to all the computers in the LAN.
3) What is the local IP address range. For example your live IP may be something like 100.100.10.10. However the LAN machines have some kind of private IP address range like 192.168.0.XX, so that would be your range. If I have 10 computers and I want them to have IPs like 192.168.0.1 to 192.168.0.10
ASKER
The hot interface IP is 192.168.2.100 and the other interface IP address (LAN) is 192.168.2.101.
All ranges of IPs are allowed. Yes, I don't want to give proxy on every machine in Internet Explorer. How to configure transparent proxy?
imz-ez,
You need to separate the hot and cold networks ... you can't do what you request if both interfaces are on the same subnet. In this situation you also can't be sure that someone won't set the "other" gateway instead of your Linux box, bypassing every rule and the proxy.
Reconfigure the WAN side with a class outside the LAN class (e.g. 10.0.0.x/255.255.255.0 if you want another private class)
ASKER
OK, now my one LAN card IP is 192.168.1.2 and the other LAN card IP is 192.168.2.1. Now tell me, how can I do the task?
ok, it's not really clear what is the hot and the cold interface anyway
i assume the following situation
eth0 (wan) 192.168.2.1
eth1 (lan) 192.168.1.2
First note that with a transparent proxy you can handle normal http but not https nor squid authentication.
I assume that you have already installed the squid package and already configured a base rule for iptables
set the lan dhcp so the gateway is 192.168.1.2
now, edit the squid conf file
vi /etc/squid.conf
and add/change the following line (these are the minimum to add/change at the default config)
http_port 192.168.1.2:3128
log_fqdn on
# near the acl line
acl ipfree src 192.168.1.0/255.255.255.0
# before the http_access deny all
http_access allow ipfree
http_access allow localhost
#
tcp_outgoing_address 192.168.2.1
restart the squid service
after that, modify the iptables rules adding the following
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
save and restart iptables
for your "secondly" request: yes squid creates list of logs with detail and ip to name resolution (see log_fqdn on)
for your primary request (monitor daily bandwidth) install the package calamaris.
The default configuration may already be sufficient
bye
Sorry, in the hurry I missed an important parameter in the squid configuration ;-)
append "transparent" in the http_port option so the complete line is
http_port 192.168.1.2:3128 transparent
bye
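The answer above says Squid logs each request per client and suggests calamaris for reporting. As an added example (not part of the original thread and not calamaris itself), this sketch totals daily bytes per client and lists the hosts each client was served, reading Squid's native access.log format. The sample lines are constructed, and bucketing days in UTC is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1286536309.450    919 192.168.1.10 TCP_MISS/200 20480 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1286536315.120     12 192.168.1.10 TCP_HIT/200 1024 GET http://example.com/logo.png - NONE/- image/png
1286540000.000    300 192.168.1.23 TCP_MISS/200 51200 GET http://downloads.example.org/file.zip - DIRECT/198.51.100.7 application/zip
1286630000.000     45 192.168.1.23 TCP_DENIED/403 1500 GET http://blocked.example.net/ - NONE/- text/html
this line is truncated
"""

def parse_line(line):
    """Return (day, client, bytes, host, result) or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts, size = float(fields[0]), int(fields[4])
    except ValueError:
        return None
    # Assumption: days are bucketed in UTC; adjust tz for local reporting.
    day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
    url = fields[6]
    # CONNECT entries log "host:port" rather than a full URL.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return day, fields[2], size, host or url, fields[3].split("/")[0]

def summarize(log_text):
    usage = defaultdict(int)   # (day, client) -> bytes delivered to client
    sites = defaultdict(set)   # client -> hosts actually served
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            skipped += 1       # malformed or truncated entry
            continue
        day, client, size, host, result = rec
        usage[(day, client)] += size
        if result != "TCP_DENIED":   # denied requests were never fetched
            sites[client].add(host)
    return dict(usage), dict(sites), skipped

if __name__ == "__main__":
    usage, sites, skipped = summarize(SAMPLE_LOG)
    for (day, client), total in sorted(usage.items()):
        print(f"{day} {client} {total / 1024:.1f} KiB")
    print({c: sorted(h) for c, h in sites.items()}, "skipped:", skipped)
```

With log_fqdn on, the client field holds the resolved name when one exists, so the same machine can appear under both a name and an address.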
ASKER
Will microsoft outlook work?
ASKER
ms outlook is not working please guide me
Hi imz-ez,
Microsoft Outlook does not use http at all but has a proprietary protocol.
Outlook uses http only if you have configured the remote connection to an Exchange server with RPC through http ... is this your case?
Where is your Exchange server located in your network map?
ASKER
Our Exchange server is located in the U.K. and we are in another country. My MS Outlook is not working. We are using SMTP port 587 and POP3 port 995. What should I do now?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Good ans. It has resolved my issue
http://magazine.redhat.com/2007/04/11/squid-in-5-minutes/
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.html