• Status: Solved

How to configure squid

I need to configure squid on Linux Enterprise 5. My main purpose is to monitor daily bandwidth, i.e. how much bandwidth the office has used. Secondly, does squid create a list of logs showing which system has seen which websites? Third, I want to share the internet through squid. I am new to Linux and want to share the internet through squid. Please help me. There are 2 Ethernet cards in my Linux system. DHCP is configured on Windows Server 2008 Enterprise (192.168.2.1 to 192.168.2.200 is the IP range set in Server 2008). One cable from the DSL is directly connected to one Ethernet interface of the Linux machine (DHCP is also configured on the DSL, i.e. 192.168.2.1 to 192.168.2.200). The IP address of that interface is 192.168.2.100. The other Ethernet cable is directly connected to the switch and the other Ethernet port of the Linux machine. Please guide me on how I can configure squid now. I don't want to give proxy on every machine. Please do the needful and tell me step by step how I can configure squid.
imz-ez (Author) commented:
The above-mentioned links didn't resolve my problem. Please read the question in detail.
 
stetor commented:
imz-ez,

For monitoring bandwidth and squid usage, search for and install calamaris with your package manager.

stetor commented:
Sorry, I have now read the other part (step-by-step squid configuration), but it's not clear ...
Please tell me:
1) the hot (internet) interface and IP/subnet on the Linux box
2) the cold (LAN) interface and IP/subnet on the Linux box
3) the range of IPs that you would allow or block
or
3) if the statement "I don't want to give proxy on every machine." isn't about allow/deny but means "I don't want to configure a proxy on every machine", then you need the transparent proxy
 
farzanj commented:

1)  The assumption is that there is a routing box (at least for internet purposes).  This server has two network cards: one that connects to the www (hot) and the other one to the LAN.  You can only control internet traffic if all the traffic in the LAN passes through this box.  Otherwise, how would you force computers in the network to use your Squid?
2)  As explained above, this NIC is connected to the switch that connects to all the computers in the LAN.
3)  What is the local IP address range?  For example, your live IP may be something like 100.100.10.10.  However, the LAN machines have some kind of private IP address range like 192.168.0.XX, so that would be your range.  If I have 10 computers and I want them to have IPs like 192.168.0.1 to 192.168.0.10
 
 
imz-ez (Author) commented:
The hot interface IP is 192.168.2.100 and the other interface IP address (LAN) is 192.168.2.101.
All ranges of IPs are allowed. Yes, I don't want to give proxy on every machine in Internet Explorer. How do I configure a transparent proxy?
 
stetor commented:
imz-ez,

You need to separate the hot and cold networks ... you can't do what you request if both interfaces are on the same subnet. In this situation you also can't be sure that someone won't set the "other" gateway instead of your Linux box, bypassing every rule and the proxy.
Reconfigure the WAN side with a class outside the LAN class (e.g. 10.0.0.x/255.255.255.0 if you want another private class)
 
imz-ez (Author) commented:
OK, now one of my LAN cards has the IP 192.168.1.2 and the other LAN card has the IP 192.168.2.1. Now tell me, how can I do the task?
 
stetor commented:
OK, it's not really clear which is the hot and which is the cold interface; anyway,
I assume the following situation:
eth0 (wan) 192.168.2.1
eth1 (lan) 192.168.1.2


First, note that with transparent proxy you can handle the normal http but not the https nor the squid authentication.
I assume that you have already installed the squid package and already configured a base rule for iptables.

Set the LAN DHCP so the gateway is 192.168.1.2


Now, edit the squid conf file
vi /etc/squid/squid.conf
and add/change the following lines (these are the minimum to add/change in the default config)
http_port 192.168.1.2:3128
log_fqdn on
# near the acl line 
acl ipfree src 192.168.1.0/255.255.255.0
# before the  http_access deny all
http_access allow ipfree
http_access allow localhost
#
tcp_outgoing_address 192.168.2.1


Restart the squid service.

After that, modify the iptables rules, adding the following:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.2:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Save and restart iptables.

For your "secondly" request: yes, squid creates a list of logs with details and IP-to-name resolution (see log_fqdn on).

For your primary request (monitor daily bandwidth), install the calamaris package.
The default configuration may already be sufficient.

bye
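
The daily bandwidth and "which system has seen which websites" questions both come down to reading Squid's access.log, which is what calamaris builds its reports from. The following is an added example, not part of the original answers: it totals bytes per day and per client from the native log format (with log_fqdn on, the client field is a host name where one resolves). The sample lines, host names and the summarize function are constructed for illustration, and days are computed in UTC.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident peer/host type
SAMPLE_LOG = """\
1307354400.120    250 pc01.office.lan TCP_MISS/200 15320 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1307354460.500     12 pc01.office.lan TCP_HIT/200 4200 GET http://www.example.com/logo.png - NONE/- image/png
1307358000.000    900 192.168.1.57 TCP_MISS/200 1048576 GET http://downloads.example.org/tool.iso - DIRECT/198.51.100.7 application/octet-stream
1307440800.750    130 pc01.office.lan TCP_DENIED/403 1450 GET http://blocked.example.net/ - NONE/- text/html
this line is truncated garbage
"""


def summarize(lines):
    """Return {day: {client: {"bytes": int, "requests": int, "hosts": set}}}."""
    report = defaultdict(lambda: defaultdict(
        lambda: {"bytes": 0, "requests": 0, "hosts": set()}))
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        try:
            ts, size = float(fields[0]), int(fields[4])
        except ValueError:
            continue  # not a native-format entry
        day = datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()
        client, method, url = fields[2], fields[5], fields[6]
        # CONNECT entries log "host:port" instead of a full URL
        host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
        entry = report[day][client]
        entry["bytes"] += size  # bytes Squid delivered to the client, hits and error pages included
        entry["requests"] += 1
        if host:
            entry["hosts"].add(host)
    return report


if __name__ == "__main__":
    for day, clients in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        # Heaviest client first within each day
        for client, e in sorted(clients.items(), key=lambda kv: -kv[1]["bytes"]):
            print(f"{day} {client:18} {e['bytes']:>9} B {e['requests']:>3} req "
                  f"{', '.join(sorted(e['hosts']))}")
```

To run it against a real log, pass an open file object to summarize in place of the sample lines.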
 
stetor commented:
Sorry, in the hurry I missed an important parameter in the squid configuration ;-)
Append "transparent" to the http_port option so the complete line is

http_port 192.168.1.2:3128 transparent

bye
 
imz-ez (Author) commented:
Will Microsoft Outlook work?
 
imz-ez (Author) commented:
MS Outlook is not working, please guide me.
 
stetor commented:
Hi imz-ez,

Microsoft Outlook does not use http at all but has a proprietary protocol.
Outlook uses http only if you have configured the remote connection to an Exchange server with rpc through http ... is this your case?
Where is your Exchange server located in your network map?

 
imz-ez (Author) commented:
Our Exchange server is located in the U.K. and we are in another country. My MS Outlook is not working. We are using smtp port 587 and pop3 port 995. What should I do now?
 
stetor commented:
Hi imz-ez,

then you are in one of the following situations:
1) If you are using smtp 587 and pop3s 995 directly, then the problem is outside squid's control
and is in your firewall. You need to configure the appropriate rules for
these ports or the internal LAN forwarding/NATting (and I think this is another question ...).
2) If Outlook tries to connect with rpc through http, then you cannot succeed because of
what I already said in my reply n.35718228:
"first note that with transparent proxy you can handle the normal http but not the https nor the squid authentication."
You need to know that ports 995 and 587 use SSL (Secure Socket Layer) like https, and these cannot work with a "transparent proxy" but only with a "standard proxy" (the software needs to know that it is using a proxy).
 
imz-ez (Author) commented:
Good ans. It has resolved my issue
