Topic: Networking Help!

Master of Reality

Networking Help!
« Reply #15 on: 16 April 2002, 19:22 »
quote:
Originally posted by VoidMain:
Hey, I just figured out why RedHat installed "ipchains".  Because ipchains is compiled as a module.  Try using ipchains instead of iptables by first unloading the iptables kernel module and then inserting the ipchains module:

/sbin/rmmod iptable_filter
/sbin/modprobe ipchains

Then run your ipchains commands as you intended originally.

The module for ipchains comes already in the kernel. They work fine, but you can only use one: ipchains OR iptables.
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

Master of Reality

« Reply #16 on: 17 April 2002, 02:21 »
Where can I find an RPM for the Squid proxy? I searched Google and couldn't find one. I went to the Squid website, and they have only the ".tar.gz" file. I went to rpmfind.net and couldn't download it from their FTP server using wget or ftp. Some kind of problem (can't remember what exactly), but I tried yesterday and today and couldn't download it from rpmfind.net.

P.S. Webmin kicks ass.

voidmain

« Reply #17 on: 17 April 2002, 07:07 »
It's on your RedHat CD.
Someone please remove this account. Thanks...

Master of Reality

« Reply #18 on: 17 April 2002, 08:50 »
quote:
Originally posted by VoidMain:
It's on your RedHat CD.

How do I get RPMs off the CD?

voidmain

« Reply #19 on: 17 April 2002, 21:12 »
1) Stick disk 1 in the CD
2) mount /mnt/cdrom
3) rpm -Uvh /mnt/cdrom/RedHat/RPMS/squid*

Master of Reality

« Reply #20 on: 18 April 2002, 01:33 »
Should I make a new user, such as squid, and use that UID to run the proxy server?
-------------
I like using Webmin, but I might edit the squid.conf file manually to configure some more options.
When editing the file I do: # vi /etc/squid/squid.conf
How do I save/exit vim? I couldn't find out how in the man page for VIM.
-----------
What do I need to do on the client machines in order for them to use a proxy?

[ April 17, 2002: Message edited by: Master of Reality ]

voidmain

« Reply #21 on: 18 April 2002, 05:56 »
When you install the RPM it should automatically create a "squid" user and when squid starts it will run under this ID (as long as it is started using the bootup script in /etc/rc.d/init.d).

To use the proxy just go into any browser's proxy settings and put your squid machine's address or name in and set the port to "3128" if that is the port you have squid configured to run under.

Oh, there are a couple of ways to save and quit in vim but I usually use "<ESC>:wq".  You can also do "<ESC>ZZ". You only have to press <ESC> if you are in "insert" mode. If you are in "command" mode you just press ":wq" and <ENTER> *or* "ZZ".

[ April 17, 2002: Message edited by: VoidMain ]


Master of Reality

« Reply #22 on: 18 April 2002, 07:00 »
On the server computer, don't I have to make/modify ipchains so that it redirects requests on the gateway to port 3128 on the proxy? Or something like that?
Something like (this is an educated guess):
Code:

...If I did it this way wouldn't this be a transparent proxy?

[ April 17, 2002: Message edited by: Master of Reality ]


Master of Reality

« Reply #23 on: 18 April 2002, 07:10 »
OK... I could take off the default gateway and DNS from the clients and tell them to use proxy port 3128, OR I could leave the default gateway and DNS set on the clients and use ipchains (like above) on the server to redirect it through the proxy?

I'm starting to understand some things (I hope).

voidmain

« Reply #24 on: 18 April 2002, 21:28 »
You don't want to change the default gateway or DNS on the clients as you may want other protocols to be just MASQ'ed.  If you are like me, port 80 (http) is the one I am mainly concerned with.

You are correct, if you redirect 80 to the squid port you do not need to set the "proxy" configuration on the client. If you get it to work with IP chains let me know how you did it. I tried to get it working with IP chains when I first set it up a couple of years back but didn't have much luck. It would be easier that way, especially for my laptop which I use at work and at home. When I plug into my home network I have to check the "proxy" box when I want to go to my favorite anti M$ site. Maybe I'll check into doing this again.

There are other ways to do the transparent proxy as well. I ran across a utility on freshmeat that looked like it was just the ticket about a year ago. I was going to use that at work. I was planning on inserting a dual NIC Linux box in front of the main internet router running this redirector but I never did get around to it. It was just as easy to automatically set the Win clients' proxy configurations via a policy but that's a whole other topic that would require talking about Windows, and I don't really want to do that.

Master of Reality

« Reply #25 on: 19 April 2002, 00:44 »
I couldn't get the transparent proxy working yet, but I use ipchains to block doubleclick.net and microsoft.com. I believe you did this using the proxy to block them.

I found out that to do the proper forwarding using iptables all I would have to do is:
Code:
I am considering using iptables instead of chains, but I would have to recompile the kernel on a different computer due to lack of space for kernel source. Can I recompile the kernel on another (this) computer, then burn it onto a CD and install it on my server?

I found this howto on setting up a transparent proxy using squid and iptables: http://www.tldp.org/HOWTO/mini/TransparentProxy.html

[ April 18, 2002: Message edited by: Master of Reality ]

voidmain

« Reply #26 on: 19 April 2002, 05:06 »
Actually it's difficult to block *.microsoft.com, *.msn.com, *.doubleclick.net, *.hitbox.com, etc. at the firewall because you have to use IP address/ranges. Doubleclick is always on the move and they have servers on *many* networks so there are two ways I do blocking to entire domains. For microsoft I create my own .microsoft.com DNS zone on my DNS server but I don't add any records in the zone. As far as my computers can tell, there *is* no microsoft.com. For the rest (doubleclick, hitbox, etc) I use Squid. Why do I do it two different ways you ask? Well if you do it in Squid, it's only effective for "http" traffic. Doing it in your DNS server affects *all* TCP/IP ports. No phone home programs can work, unless they have IP addresses hard coded into the software, which they never do. They can't use a hard coded IP address because then they can never change their network around.

Of course if you do have a reliable list of IP ranges, it would be good to use ipchains as well. There is nothing stopping them from using alternate domain names to point to their servers.

Yes you can compile the kernel on a different box, but don't forget to copy the modules and you may have to create a new "initrd.img" if you have any required modules that need to be loaded prior to mounting the filesystem. I guess after compiling you could copy the entire kernel source tree to CD and just do a "make install;make modules_install; (etc)" from the CD. But I'm not sure if there is enough room on a CD to hold an entire compiled kernel source tree. After compile just "cd /usr/src/linux", then "du -sk ." to see how much space would be required (assuming your source tree is in "/usr/src/linux").

You would also have to take care to preserve the modification date/times on everything when copying to CD if you want to be able to "make install". If it detects that the object files are older than the source or Makefiles it would try and recompile. That certainly wouldn't be fun on a CD. Not to mention the read only problem.

[ April 18, 2002: Message edited by: VoidMain ]

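The two blocking layers described in the post above, as an added example that is not part of the thread: an empty BIND master zone per domain (so every name under it fails to resolve for every protocol) next to the Squid dstdomain ACL that only covers HTTP. Output directory, the placeholder name server ns.example.lan and the domain list are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit both blocking layers for a list of
# domains. (1) An empty BIND master zone per domain: only SOA and NS records,
# so every name under it is NXDOMAIN for *every* protocol. (2) A Squid
# dstdomain ACL, which covers HTTP only. Neither is a firewall rule, since
# ipchains/iptables match hosts and addresses, not whole domains.
# Assumptions: output dir $OUT, placeholder name server ns.example.lan.
OUT="${OUT:-${TMPDIR:-/tmp}/blackhole}"
NS="${NS:-ns.example.lan.}"

# Zone file with no address records: lookups fail closed, nothing to resolve.
blackhole_zone() {
    cat <<EOF
\$TTL 86400
@   IN  SOA $NS hostmaster.$NS (1 3600 900 604800 86400)
@   IN  NS  $NS
EOF
}

# named.conf stanza for one domain (include the generated file from named.conf).
named_stanza() {
    echo "zone \"$1\" { type master; file \"$OUT/db.$1\"; };"
}

# Squid ACL: a leading dot matches the domain and every subdomain.
squid_acl() {
    list=""
    for d in "$@"; do list="$list .$d"; done
    echo "acl blackhole dstdomain$list"
    echo "http_access deny blackhole"
}

# Write db.<domain> per domain, one named include file, and the Squid snippet.
write_blackhole() {
    mkdir -p "$OUT"
    : > "$OUT/named.blackhole.conf"
    for d in "$@"; do
        blackhole_zone > "$OUT/db.$d"
        named_stanza "$d" >> "$OUT/named.blackhole.conf"
    done
    squid_acl "$@" > "$OUT/squid.blackhole.conf"
    echo "$OUT"
}

write_blackhole microsoft.com doubleclick.net hitbox.com
```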

Master of Reality

« Reply #27 on: 19 April 2002, 07:26 »
I believe to set up a transparent proxy with chains it is something like:
Code:
I will try this.

To block Microsoft and other places, can't I block my network from asking information from the domain name (i.e. microsoft.com)?
I put down:
# ipchains -A output -d microsoft.com -j REJECT
That should prevent my network from trying to initiate a TCP connection with microsoft.com even if they change their IP address.

[ April 19, 2002: Message edited by: Master of Reality ]


Master of Reality

« Reply #28 on: 19 April 2002, 07:56 »
I did those chain commands. I configured the proxy just like the HOWTO told me to. Now when I tried to start squid, it says: "fatal: cannot determine fully qualified hostname. Please set visible_host."
So I set the visible hostname in the squid.conf file to "server" and it still gives me the same message. I can't figure out how to fix this. Got any ideas?
My computer hostname is set to server too.

[ April 18, 2002: Message edited by: Master of Reality ]


voidmain

« Reply #29 on: 19 April 2002, 08:31 »
I actually got it to work! I used your chain rules and uncommented the http_accel* stuff in chapter 4 of the howto (and set the host name) and it worked. But I still can't use it. I lost my authentication when using transparent proxying. I guess I could still use it but restrict where you are allowed to go when not authenticated. I can't do an "allow all" because that would defeat the purpose of what I need it for at home.  If you find anything that would allow authentication+transparency let me know.

I also added "-i eth1" (my inside interface) to each of the IP chains rules you gave me so that it would only redirect inside machines. I have a web site on my outside interface on port 80 and without adding the "-i" I would lose that web site.

Also, you can not use domains in ipchains rules. You *can* use hostnames, but not entire domains. I'll let you know if I can get the authentication part to work with transparent proxy.
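The transparent-proxy setup worked out across the posts above (the port-80 redirect restricted to the inside interface, and the httpd_accel_* squid.conf directives plus visible_hostname), as an added example that is not code from the thread or from the HOWTO it cites. The interface name eth1, LAN 192.168.1.0/24, port 3128 and the hostname are assumptions; nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): both halves of a transparent HTTP proxy
# on a two-NIC gateway, for the two firewall generations discussed above.
# Assumptions: inside NIC eth1, LAN 192.168.1.0/24, Squid on the gateway
# itself on port 3128. Rules are only applied when APPLY=1.
INSIDE_IF="${INSIDE_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

# 2.2-era kernel: ipchains REDIRECT is only valid on the input chain.
# "-i eth1" matters: without it, port-80 traffic arriving on the outside
# NIC (a web site hosted on the gateway) is swallowed by Squid as well.
ipchains_rule() {
    echo "ipchains -A input -i $INSIDE_IF -p tcp -s $LAN -d 0/0 80 -j REDIRECT $SQUID_PORT"
}

# 2.4-era kernel: the same redirect in the nat table's PREROUTING chain.
iptables_rule() {
    echo "iptables -t nat -A PREROUTING -i $INSIDE_IF -p tcp -s $LAN --dport 80 -j REDIRECT --to-port $SQUID_PORT"
}

# Squid 2.x "accelerator" directives that turn intercepted connections into
# ordinary proxy requests (later Squid versions use an http_port mode option
# instead). visible_hostname is needed when the box has no resolvable FQDN.
# Caveat from the thread: browsers don't know they are being proxied in this
# mode, so proxy authentication cannot be used with it.
squid_transparent_conf() {
    cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
visible_hostname ${VISIBLE_HOSTNAME:-gateway.example.lan}
EOF
}

# Use whichever tool the running kernel has; the two cannot be loaded together.
apply_rules() {
    if command -v iptables >/dev/null 2>&1; then
        sh -c "$(iptables_rule)"
    elif command -v ipchains >/dev/null 2>&1; then
        sh -c "$(ipchains_rule)"
    else
        echo "neither iptables nor ipchains found" >&2
        return 1
    fi
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
fi
```

Run with APPLY=1 as root on the gateway to install the rule; without it the script only prints nothing and defines the helpers, so the generated rule and squid.conf fragment can be reviewed first.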