Author Topic: Networking Help!  (Read 2629 times)

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Networking Help!
« Reply #45 on: 24 April 2002, 08:39 »
If you take a stock squid.conf file (from a fresh squid install) all you should have to do to get it working is right above the line:

http_access allow manager localhost

insert the line:

http_access allow all

so it looks like this:

Code: [Select]

and it should work (assuming you can browse from the browser on the server, lynx is sufficient to check that).  I set these things up all the time, and in fact just set another one up at work today on RedHat 7.2 and this worked just fine. Also, after you make a change to the config file you must restart Squid by typing:

/etc/rc.d/init.d/squid restart

If this does not work, tell me exactly the behavior you are getting on the client. Do you get an HTML error page from Squid? Does it just hang?  What browser are you using that you have the proxy configured? What exactly do you have for the proxy settings? Is 192.168.0.1 really the IP address of your inside interface? Some browsers require a URL for the proxy (http://192.168.0.1) and some require just the address (192.168.0.1) and the port 3128 should be set for "http" proxy port.

If you do not get an HTML error page with Squid somewhere on the page you either have the client configured wrong or your ipchains are configured wrong. To check if it's an ipchains issue you should be able to just remove all the chains by:

/sbin/ipchains -F
/sbin/ipchains -X

ipchains should not restrict inbound port 3128 on your inside interface and it should not restrict outbound port 80 on your outside interface.  Can you even ping your server's inside interface from your client?

[ April 23, 2002: Message edited by: VoidMain ]

Someone please remove this account. Thanks...

Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
« Reply #46 on: 24 April 2002, 21:16 »
i will try that tomorrow, i may even re-install squid so that i have a fresh install. I'm pretty sure my internet was going off and on for a while during the day (the TV was screwing around too) so i'm not sure if any of my problems were accurate, or if the internet was down when i tested it.
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

voidmain

« Reply #47 on: 24 April 2002, 21:30 »
I also notice I made a statement that isn't totally true. You don't have to actually restart Squid, just have it reload the config file which can be done by:

/etc/rc.d/init.d/squid reload

among other ways..

Master of Reality

« Reply #48 on: 25 April 2002, 00:46 »
this is quite odd, i started squid with a fresh install, i changed it to accept all using webmin, then i setup netscape on my computer to use a proxy, i turned on the proxy and tried netscape, it says: "connection refused".

Master of Reality

« Reply #49 on: 25 April 2002, 00:49 »
!!!!!!!!!!!!!!!!!!!!!!!!!!
i just got it to work!!!!!!!!!
yay!!!!!!!!!!
it actually works now.
I changed something, i'm not sure what it did.... OH! i changed what IP address squid was on, at first i set it to 192.168.0.0 and now i tried it with 192.168.0.1 and it works!

Master of Reality

« Reply #50 on: 25 April 2002, 00:53 »
now i can't get it to just allow my network (192.168.0.1-192.168.0.5/255.255.255.0) using webmin. It says: netmask masks part of IP address (or something like that)

voidmain

« Reply #51 on: 25 April 2002, 02:09 »
quote:
Originally posted by Master of Reality:
!!!!!!!!!!!!!!!!!!!!!!!!!!
i just got it to work!!!!!!!!!
yay!!!!!!!!!!
it actually works now.
I changed something, i'm not sure what it did.... OH! i changed what IP address squid was on, at first i set it to 192.168.0.0 and now i tried it with 192.168.0.1 and it works!



Uhhh that would definitely fix it. 192.168.0.0 is a network address, not an IP address. You had this configured in your client?

Master of Reality

« Reply #52 on: 25 April 2002, 02:11 »
quote:
Originally posted by VoidMain:


Uhhh that would definitely fix it. 192.168.0.0 is a network address, not an IP address. You had this configured in your client?


on my server.
i just downloaded adzap and am about to install it

voidmain

« Reply #53 on: 25 April 2002, 02:17 »
Code: [Select]
Then your rule would be:
Code: [Select]

Remember that the last rule (the one at the bottom of the list) should be "http_access deny all".  The rules are checked from top to bottom, just like with ipchains.  As soon as a rule is matched the rest of the rules are ignored. If no rules are matched it falls through to the "deny all" rule and the machine/user is not granted access to any web sites.

I actually use proxy authentication rather than source IP addresses most of the time for allowing/denying access to the entire net, or portions of it.  I have used the htpasswd type of auth and I also have some servers set up to authenticate against NT Domain controllers so users can use their windows logon ID/password to authenticate and they are restricted/allowed accordingly.

[ April 24, 2002: Message edited by: VoidMain ]


Master of Reality

« Reply #54 on: 25 April 2002, 02:31 »
quote:
Originally posted by VoidMain:
Code: [Select]
Then your rule would be:
Code: [Select]

Remember that the last rule (the one at the bottom of the list) should be "http_access deny all".  The rules are checked from top to bottom, just like with ipchains.  As soon as a rule is matched the rest of the rules are ignored. If no rules are matched it falls through to the "deny all" rule and the machine/user is not granted access to any web sites.

[ April 24, 2002: Message edited by: VoidMain ]


can't i put (i did put and it worked):
Code: [Select]

voidmain

« Reply #55 on: 25 April 2002, 02:37 »
That may work as well, you will find that Squid is very flexible in how you define rules. Now are you sure it works? You checked that it allowed one of those addresses, and did not allow an address outside of that range? It's good always to test if it is indeed working as you intended. Sometimes you might think you have it restricted to only specific addresses and then check later to find that your other addresses also have access because the rules you set up may not have actually worked as you intended. Once you do a few it gets easier to understand.
Someone please remove this account. Thanks...
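
Added example, not part of the thread and not VoidMain's configuration: a small Python model of the top-to-bottom, first-match http_access evaluation described in Replies #53 and #55, run against two constructed squid.conf fragments to check one address inside the allowed range and one outside it. The function names and sample addresses are assumptions made for illustration; `netmask_ok` shows a strict parser rejecting an address that has host bits set under its mask.

```python
import ipaddress

# Constructed squid.conf fragments in Squid 2.x syntax (not the thread's configs).
OPEN_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.0.0/255.255.255.0
http_access allow all
http_access allow lan
http_access deny all
"""
LAN_ONLY_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.0.0/255.255.255.0
http_access allow lan
http_access deny all
"""

def parse(conf):
    """Return (acls, rules) from 'acl NAME src NET/MASK' and 'http_access' lines."""
    acls, rules = {}, []
    for line in conf.splitlines():
        f = line.split("#")[0].split()
        if len(f) == 4 and f[0] == "acl" and f[2] == "src":
            # strict=True refuses host bits under the mask (192.168.0.1/255.255.255.0)
            acls[f[1]] = ipaddress.ip_network(f[3], strict=True)
        elif len(f) >= 3 and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules

def decide(conf, client_ip):
    """First matching http_access line wins; ACLs named on one line are ANDed."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(ip in acls[n] for n in names):
            return action
    return "deny"  # simplification in this model: no match is treated as deny

def netmask_ok(spec):
    """True if ADDRESS/MASK names a network (no host bits set under the mask)."""
    try:
        ipaddress.ip_network(spec, strict=True)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for ip in ("192.168.0.3", "10.9.8.7"):  # one inside the LAN range, one outside
        print(ip, decide(OPEN_CONF, ip), decide(LAN_ONLY_CONF, ip))
```

In the first fragment the `allow all` line matches before anything else is consulted, so the outside address is allowed; testing an address outside the range is what exposes that.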

voidmain

« Reply #56 on: 25 April 2002, 02:39 »
And like I mentioned two posts ago, I use authentication rather than IP addresses to restrict. The main reason is, an IP address can be changed on the client by anyone who's computer smart and if they change it to an allowed address, they've bypassed your security. They can't bypass authentication.

I do use IP addresses for "dst" though, along with domain names.  That is, dst is used to determine where people are allowed to go based on who they authenticated as.

[ April 24, 2002: Message edited by: VoidMain ]


Master of Reality

« Reply #57 on: 25 April 2002, 02:41 »
i need to do some customization of squid so i have a few questions:
should i use an authentication program with squid?
how do i set it up to block certain websites (eg. microsoft.com)?

the adzapper thing works well, how do i get it to auto update?

[ April 24, 2002: Message edited by: Master of Reality ]


voidmain

« Reply #58 on: 25 April 2002, 03:01 »
Authentication is totally up to your requirements. For me, authentication is a requirement because I don't want my children to have access to the *entire* internet. Authentication is the only way to nearly guarantee that. So when they authenticate with their ID they are allowed access to only selected sites.  You'll need a program to do your authentication, I believe by default Squid comes with "ncsa_auth" which should be defined in the squid.conf under the tag "authentication_program". Read the docs. Then right under that tag you would have a tag that looks like this:

Code: [Select]
As far as who is allowed to go where I have my Squid configuration somewhat customized from the norm.  I have all of my rules set up in the squid.conf in such a way that they never have to be changed. I keep a list of users in separate files and I keep a list of domains/addresses in a separate file that will get used by squid to determine who is allowed to go where.  I have written a web based utility to edit those files so they can easily be managed.  But for the normal and a good start for you might be:

Code: [Select]

If you want to keep your restricted users and sites in files rather than right in the squid.conf file you would set your rules to look something like this:

Code: [Select]

Now a sample of each of the dat files.  
unrestrictedusers.dat:

Code: [Select]

bannedsites.dat:

Code: [Select]

A huge advantage of breaking users and addresses out into files is your list of users or hosts could get quite long and it gets difficult very quickly to keep it straight in the squid.conf file.  The web based program I wrote can edit each of the files and when you add something to the file it will keep the file sorted and it will perform a "/etc/rc.d/init.d/squid reload" as squid needs to be signaled that its configuration has changed.

[ April 24, 2002: Message edited by: VoidMain ]


Master of Reality

« Reply #59 on: 25 April 2002, 03:46 »
i tried this but it didn't work:
Code: [Select]
shouldn't that block my machines from going to microsoft.com or msn.com?