Stop Microsoft

Operating Systems => Linux and UNIX => Topic started by: Master of Reality on 15 April 2002, 19:37

Title: Networking Help!
Post by: Master of Reality on 15 April 2002, 19:37
this Lynx is hard to get used to...
I just installed FreeBSD on my server and after my thwarted attempts at connecting to... anything (LAN or internet) and lack of documentation at my access, i decided to install Red Hat 7.2 instead (i even installed 32 MB RAM to get it to work this time). I can only get one of my ethernet cards to work, luckily it's the one to the internet (obviously), but i need the other ethernet card to work in order to do IP masquerading. How should i go about trying to get this second ethernet card to work?
Is there any good HOWTO on networking (i'll try linuxdoc.org too).
Oh yeah, in Windows both ethernet cards were using the same (or close to the same) drivers although they were different ethernet cards. I could install two of the same ethernet cards. I happen to have 4 ethernet cards that are the same as the one i am using right now for the internet. Would it be better to use two of the same brand/driver or two different cards?
[ April 15, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: Master of Reality on 15 April 2002, 21:23
I trudged through some of the HOWTOs at www.linuxdoc.org (http://www.linuxdoc.org) but none of them will help me right now.
Perhaps i will try out a different network card, since no one has replied with a suggestion yet, and i'm bored.
---
I just did a couple circles (installing different NICs) and now i seem to have it basically set up. Both interfaces show up in 'ifconfig' and under 'netstat -rn' it shows their settings, etc.
Now all i gotta do is set up a firewall, ipchains, and IP masquerading. Do i have to do any recompiling of the kernel to set up any of those or are they already in kernel 2.4.7?

[ April 15, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: Master of Reality on 16 April 2002, 01:13
How the hell do i set up a Proxy or IP masquerading. I went through all the HOWTOs and online guides at www.linuxdoc.org (http://www.linuxdoc.org) None of them told me what exactly i have to do to setup IP masquerading, they tell me what IP masquerading is, but i know what it is, I want to run IP masquerading. There is absolutely no HOWTO for setting up a Proxy server there.
So far, i can get my clients to ping the server ethernet adapter and the servers internet adapter, But they cant ping anything on the internet yet. Can anyone help with this?
I wanna set-up a proxy server, whats a good proxy, squid?

[ April 15, 2002: Message edited by: Master of Reality ]
-----------
I downloaded and installed squid. I still found little to no documentation on setting up a Proxy server, so it looks like i will go searching some more.
what command do i use to edit the config file (/usr/local/squid/etc/squid.conf)?
I did "vi /usr/local/squid/etc/squid.conf" but the file didn't have anything in it!


[ April 15, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: Master of Reality on 16 April 2002, 04:59
where's VoidMain when you need him, he runs a proxy.
Title: Networking Help!
Post by: voidmain on 16 April 2002, 06:07
"IP Masq" and "Proxy" are two completely different things but I will give you some basic information and configuration later this evening. Got to check my son's homework first...
Title: Networking Help!
Post by: voidmain on 16 April 2002, 08:04
Regarding your question about if it is better to use two network cards of the same model. Sometimes it's actually easier to use two different network cards. I have had problems running multiple 3com 3c905 cards but have never had a problem running cards of different types. You define which interface name (eth0,eth1,eth2 etc) is assigned to which card in the /etc/conf.modules.  Normally "kudzu" will set this up for you at boot time with no problems.  But when you have:

alias eth0 3c59x
alias eth1 3c59x

Instead of:

alias eth0 3c59x
alias eth1 eepro100

in your conf.modules you can see where different types of NICs can be less confusing (which card is eth0 when using the same driver?). And you usually have to pass other parameters "io_addr" etc to the driver when using two of the same type to distinguish them.  Having said this, there is nothing wrong with using the same card types, in fact many may argue that it is better that way. And if kudzu does its job you should not have to mess with this file.

On to IP Masq.  This is extremely easy to configure. First you need to make sure it's compiled into the kernel and most if not all distros ship that way by default. But rather than going into detail I just found a HOWTO for you:

http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/ (http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/)

If you have any questions after going through this DOC let me know and I'll help you out.

On to Proxy Servers.  Squid is a VERY powerful and configurable caching proxy server. Install the Squid RPM. You will find the configuration file in /etc/squid/squid.conf, however if you are fairly new to Linux and are new to Squid you might install the "Webmin" RPM (http://www.webmin.com) to help you configure it graphically. It might help you understand the concepts more quickly. And the Squid web site is:

http://www.squid-cache.org/ (http://www.squid-cache.org/)

I use both IP Masq and Squid and IP Chains for firewalling. I do not allow any port 80 traffic out of my house without authentication.  The proxy server does the authentication and I can restrict what users are allowed to go where on the internet. For instance, my wife and I are allowed to browse anywhere but my kids are restricted. I use ipchains in my firewall script to allow no outbound port 80 traffic, except from my proxy server.  This forces any machine on my internal network to go through my proxy server if they want to browse the net. Squid does the authentication and browsing rules. In addition Squid blocks specific sites for me so those specific sites will never be accessed by a machine at my house (.microsoft.com, .msn.com, .goosencherryclock.com, zombie.somefreehost.com, etc).

In addition to this basic authentication and blocking, Squid caches content so if multiple machines on my network go to the same site, the content only comes off the internet the first time on the first machine. The second machine pulls it from the proxy cache.

And one of the best additions I've made to my Squid proxy is a 3rd party redirector script called "squid_redirect". This script filters out all the banner ads, graphics, and popup advertisements. I update the script automatically once a week from cron.  You can find out more information about this redirector at:

http://www.zip.com.au/~cs/adzap/index.html (http://www.zip.com.au/~cs/adzap/index.html)

I have also written a custom web based utility to modify my squid blocked sites, manage squid users and groups, etc. When I say "custom", I mean it's tailored to me and it would take some work to make it generic enough for public consumption. I actually wrote it for work to manage several squid servers and around 2000 users.

Good luck and feel free to ask any questions, after reading the HOWTOs of course.
Title: Networking Help!
Post by: Master of Reality on 16 April 2002, 08:19
so, i need/should use a proxy and ip masquerading.
I think i just need to enter:
Code: [Select]
to get the masquerading.(eth0 is my internet adapter)

I do have two different ethernet cards now.

I can't use webmin due to lack of browser (i am running strictly from console with very little free space left), the only browser i have is lynx.

I setup my server as a gateway by doing this:
Code: [Select]
where eth0 is my internet adapter, eth1 is my local network adapter.

whats a good port to run a proxy on? the default is 3128, i heard somewhere to use 8080. Does it really matter what port?
Title: Networking Help!
Post by: voidmain on 16 April 2002, 08:45
Your MASQ stuff looks like it should work although it's not exactly the params I use. And you may need to add another line right under where you set your "ip_forward" to "1" if your internet card is configured via DHCP from your provider:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

As far as your "ifconfig" commands, I can't imagine that would work.  It looks like you are trying to use "ifconfig" to add routes and you should be using the "route" command.  Actually you normally don't configure the cards manually like you are doing although you certainly can do that.  Normally your interface settings would go in:

/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth1
/etc/sysconfig/network

and for you they might look like this:
ifcfg-eth0:
DEVICE=eth0
BOOTPROTO=dhcp
IPADDR=0.0.0.0
NETMASK=0.0.0.0
BROADCAST=0.255.255.255
NETWORK=0.0.0.0
USERCTL=no
ONBOOT=yes
ifcfg-eth1:
DEVICE=eth1
BOOTPROTO=none
IPADDR=192.168.0.1
NETMASK=255.255.255.0
BROADCAST=192.168.0.255
NETWORK=192.168.0.0
USERCTL=no
ONBOOT=yes
network:
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=yourhostname.yourdomain.org
GATEWAYDEV=
GATEWAY=

Then you should be able to bring each interface up or down by issuing these commands:

ifup eth0
ifup eth1

or

ifdown eth0
ifdown eth1

Then type "/sbin/ifconfig" to see if they are configured properly. With the configs I gave you above they should be automatically configured at boot time. The "ifup/ifdown" scripts will take care of setting up the proper routes. You can look at your routes by typing "netstat -nr" or "/sbin/route".

[ April 15, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: Master of Reality on 16 April 2002, 08:54
do i need to (or should i) use iptables instead of ipchains? something like this perhaps?
Code: [Select]
i could also replace $EXTIF with eth0 and $INTIF with eth1.
I wonder if it'll work?
[ April 15, 2002: Message edited by: Master of Reality ]

[ April 16, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: voidmain on 16 April 2002, 08:59
Whoops, I changed my message since you quoted it, might want to reread it (added /etc/sysconfig/network file and explanation).

As far as ipchains vs iptables I forgot that RedHat now ships iptables as the default firewalling command rather than ipchains. I'm still using ipchains but iptables configuration should be similar. I have not done MASQ with iptables so I can't give you for sure instructions. I just checked my Laptop and it appears ipchains is installed on my machine but support is not compiled in to the default kernel (why install it if it's not supported RedHat? I don't remember manually installing it..). I would suggest finding the equivalent command in iptables and use it rather than recompiling. Remember, my firewall box is still running RedHat 6.1. I'll see what I can come up with on iptables.

[ April 16, 2002: Message edited by: VoidMain ]
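The iptables equivalent of the ipchains masquerading that voidmain says he has not tried, as an added example that is not part of the thread and not voidmain's or Master of Reality's own script. It assumes eth0 faces the ISP, eth1 faces the LAN, the LAN is 192.168.0.0/24 (the values used elsewhere in the thread) and a 2.4 kernel with netfilter; it defaults to a dry run that prints the commands, and only applies them as root with DRY_RUN=0. Unlike a bare MASQUERADE rule, it sets the FORWARD policy to DROP and only lets reply traffic back in.

```shell
#!/bin/sh
# Added example (not from the thread): iptables masquerading for a two-NIC
# Red Hat 7.2 box.  EXTIF/INTIF/LAN are assumed values; DRY_RUN=1 prints
# the commands instead of running them (running them requires root).

EXTIF="${EXTIF:-eth0}"            # interface towards the ISP
INTIF="${INTIF:-eth1}"            # interface towards the LAN
LAN="${LAN:-192.168.0.0/24}"      # addresses that may be masqueraded
DRY_RUN="${DRY_RUN:-1}"

# Either print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

masq_rules() {
    # Nothing is forwarded unless a rule below says so.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    # LAN -> internet: rewrite the source address to the external one.
    run iptables -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j MASQUERADE
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    # internet -> LAN: only replies to connections the LAN opened.
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    # As voidmain notes above: needed when the external address comes from
    # DHCP or PPP and can change while connections are open.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_dynaddr'
}

# Sanity check on the generated rule set: a MASQUERADE rule must exist and
# the FORWARD chain must default to DROP.  Returns 0 when both hold.
check_rules() {
    out=$(masq_rules)
    echo "$out" | grep -q -- '-j MASQUERADE' &&
    echo "$out" | grep -q -- '-P FORWARD DROP'
}

enable_forwarding
masq_rules
```

Run it once with DRY_RUN=1 to read the commands, then as root with DRY_RUN=0; the FORWARD rules are deliberately restricted to the LAN range and to the two named interfaces so a stray packet arriving on the outside interface is never masqueraded.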

Title: Networking Help!
Post by: Master of Reality on 16 April 2002, 21:12
Whenever i try to put something in the iptables (ie. "iptables -P input accept") it says that that resource is in use or busy for some reason.
How should i go about making it "not busy"?

My kernel still supports ipchains, so i tried those ipchains i mentioned above.

(edit) its because i set up my kernel to use ipchains instead of iptables when i put in the first "ipchains" command. (/edit)

[ April 16, 2002: Message edited by: Master of Reality ]

[ April 18, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: Master of Reality on 16 April 2002, 21:23
The ipchains work good enough to provide internet access to my main computer, where i can actually see what i'm posting a lot easier. No more of this damn lynx.
Tomorrow i shall begin the venture to setup a proxy server, but for now i am happy with the ip masquerading finally working!
Title: Networking Help!
Post by: voidmain on 16 April 2002, 21:29
Hey, I just figured out why RedHat installed "ipchains".  Because ipchains is compiled as a module.  Try using ipchains instead of iptables by first unloading the iptables kernel module and then inserting the ipchains module:

/sbin/rmmod iptable_filter
/sbin/modprobe ipchains

Then run your ipchains commands as you intended originally.
Title: Networking Help!
Post by: voidmain on 16 April 2002, 21:34
Guess we posted at the same time.  Also regarding webmin.. You can use your browser on one of your desktops on your other machines to connect to your firewall running webmin to configure squid:

http://192.168.0.1:10000 (http://192.168.0.1:10000)

after installing webmin on your firewall box and if your inside firewall ip address is 192.168.0.1. Note for security. It's best to block port 10000 from the outside world and only allow access to it from your inside machines. If not at least configure it to use SSL.

Also, I would *not* put Squid on port 8080. If anything pick a random available port between 3128 and 8080 otherwise leave it on 3128.  8080 is a common port for proxy, thus it's the first one hackers scan for.  The more obscure you can be the better.  Although it would be very wise to block inbound connections to whatever port you put Squid on so then it wouldn't matter one way or the other.

[ April 16, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: voidmain on 16 April 2002, 14:25
There's nothing wrong with that...
Title: Networking Help!
Post by: Master of Reality on 16 April 2002, 19:22
quote:
Originally posted by VoidMain:
Hey, I just figured out why RedHat installed "ipchains".  Because ipchains is compiled as a module.  Try using ipchains instead of iptables by first unloading the iptables kernel module and then inserting the ipchains module:

/sbin/rmmod iptable_filter
/sbin/modprobe ipchains

Then run your ipchains commands as you intended originally.



the module for ipchains comes already in the kernel. They work fine, but you can only use one ipchains OR iptables.
Title: Networking Help!
Post by: Master of Reality on 17 April 2002, 02:21
where can i find an RPM for the Squid proxy. I searched google and couldnt find one. I went to the squid website, and they have only the ".tar.gz" file. I went to rpmfind.net and couldnt download it from their FTP server using wget or ftp. Some kind of problem (cant remember what exactly), but i tried yesterday and today and couldnt dl it from rpmfind.net


ps.
Webmin kicks ass.
Title: Networking Help!
Post by: voidmain on 17 April 2002, 07:07
It's on your RedHat CD.
Title: Networking Help!
Post by: Master of Reality on 17 April 2002, 08:50
quote:
Originally posted by VoidMain:
It's on your RedHat CD.

how do i get RPMs off the CD?
Title: Networking Help!
Post by: voidmain on 17 April 2002, 21:12
1) Stick disk 1 in the CD
2) mount /mnt/cdrom
3) rpm -Uvh /mnt/cdrom/RedHat/RPMS/squid*
Title: Networking Help!
Post by: Master of Reality on 18 April 2002, 01:33
should i make a new user, such as squid, and use that UID to run the proxy server?
-------------
I like using Webmin, but i might edit the squid.conf file manually to configure some more options.
when editing the file i do: # vi /etc/squid/squid.conf
how do i save/exit vim? I couldnt find out how in the man page for VIM.
-----------
what do i need to do on the client machines in order for them to use a proxy?

[ April 17, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: voidmain on 18 April 2002, 05:56
When you install the RPM it should automatically create a "squid" user and when squid starts it will run under this ID (as long as it is started using the bootup script in /etc/rc.d/init.d).

To use the proxy just go into any browser's proxy settings and put your squid machines address or name in and set the port to "3128" if that is the port you have squid configured to run under.

Oh, there are a couple of ways to save and quit in vim but I usually use "<ESC>:wq".  You can also do "<ESC>ZZ". You only have to press <ESC> if you are in "insert" mode. If you are in "command" mode you just press ":wq" and <ENTER> *or* "ZZ".

[ April 17, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: Master of Reality on 18 April 2002, 07:00
on the server computer, dont i have to make/modify ipchains so that it redirects requests on the gateway to port 3128 on the proxy? or something like that?
something like (this is an educated guess):
Code: [Select]

...if i did it this way wouldn't this be a transparent proxy?

[ April 17, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: Master of Reality on 18 April 2002, 07:10
ok... i could take off the default gateway and DNS from the clients, and tell them to use proxy port 3128 OR i could leave the default gateway and DNS set on the clients and use ipchains (like above) on the server to redirect it through the proxy?

I'm starting to understand some things (i hope).
Title: Networking Help!
Post by: voidmain on 18 April 2002, 21:28
You don't want to change the default gateway or DNS on the clients as you may want other protocols to be just MASQ'ed.  If you are like me, port 80 (http) is the one I am mainly concerned with.

You are correct, if you redirect 80 to the squid port you do not need to set the "proxy" configuration on the client. If you get it to work with IP chains let me know how you did it. I tried to get it working with IP chains when I first set it up a couple of years back but didn't have much luck. It would be easier that way, especially for my laptop which I use at work and at home. When I plug into my home network I have to check the "proxy" box when I want to go to my favorite anti M$ site.  Maybe I'll check into doing this again.

There are other ways to do the transparent proxy as well. I ran across a utility on freshmeat that looked like it was just the ticket about a year ago. I was going to use that at work. I was planning on inserting a dual NIC Linux box in front of the main internet router running this redirector but I never did get around to it. It was just as easy to automatically set the win clients proxy configurations via a policy but that's a whole other topic that would require talking about Windows, and I don't really want to do that.
Title: Networking Help!
Post by: Master of Reality on 19 April 2002, 00:44
i couldnt get the transparent proxy working yet, but i use the ipchains to block doubleclick.net and microsoft.com. I believe you did this using the proxy to block them.

I found out that to do the proper forwarding using iptables all i would have to do is:
Code: [Select]
i am considering using iptables instead of chains, but i would have to recompile the kernel on a different computer due to lack of space for kernel source. Can i recompile the kernel on another (this) computer then burn it onto a CD and install it on my server?


I found this howto on setting up a transparent proxy using squid and iptables: http://www.tldp.org/HOWTO/mini/TransparentProxy.html (http://www.tldp.org/HOWTO/mini/TransparentProxy.html)

[ April 18, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: voidmain on 19 April 2002, 05:06
Actually it's difficult to block *.microsoft.com, *.msn.com, *.doubleclick.net, *.hitbox.com, etc at the firewall because you have to use IP address/ranges. Doubleclick is always on the move and they have servers on *many* networks so there are two ways I do blocking to entire domains. For microsoft I create my own .microsoft.com DNS zone on my DNS server but I don't add any records in the zone.  As far as my computers can tell, there *is* no microsoft.com.  For the rest (doubleclick, hitbox, etc) I use Squid. Why do I do it two different ways you ask?  Well if you do it in Squid, it's only effective for "http" traffic.  Doing it in your DNS server it affects *all* TCP/IP ports. No phone home programs can work, unless they have IP addresses hard coded into the software, which they never do. They can't use a hard coded IP address because then they can never change their network around..

Of course if you do have a reliable list of IP ranges, it would be good to use ipchains as well. There is nothing stopping them from using alternate domain names to point to their servers..

Yes you can compile the kernel on a different box, but don't forget to copy the modules and you may have to create a new "initrd.img" if you have any required modules that need to be loaded prior to mounting the filesystem. I guess after compiling you could copy the entire kernel source tree to CD and just do a "make install;make modules_install; (etc)" from the CD.  But I'm not sure if there is enough room on a CD to hold an entire compiled kernel source tree. After compile just "cd /usr/src/linux", then "du -sk ." to see how much space would be required (assuming your source tree is in "/usr/src/linux").

You would also have to take care to preserve the modification date/times on everything when copying to CD if you want to be able to "make install".  If it detects that the object files are older than the source or Makefiles it would try and recompile. That certainly wouldn't be fun on a CD.  Not to mention the read only problem.

[ April 18, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: Master of Reality on 19 April 2002, 07:26
i believe to setup a transparent proxy with chains it is something like:
Code: [Select]
i will try this.

to block microsoft and other places cant i block my network from asking information from the domain name (ie. microsoft.com)
i put down:
# ipchains -A output -d microsoft.com -j REJECT
that should prevent my network from trying to initiate a tcp connection with microsoft.com even if they change their IP address.

[ April 19, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: Master of Reality on 19 April 2002, 07:56
i did those chain commands. I configured the proxy just like the howto told me to. Now when i tried to start squid, it says: fatal: cannot determine fully qualified hostname. Please set visible_host.
So i set the visible hostname in the squid.conf file to "server" and it still gives me the same message. I cant figure out how to fix this. got any ideas?
my computer hostname is set to server too.

[ April 18, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: voidmain on 19 April 2002, 08:31
I actually got it to work! I used your chain rules and uncommented the http_accel* stuff in chapter 4 of the howto (and set the host name) and it worked. But I still can't use it. I lost my authentication when using transparent proxying. I guess I could still use it but restrict where you are allowed to go when not authenticated. I can't do an "allow all" because that would defeat the purpose of what I need it for at home.  If you find anything that would allow authentication+transparency let me know.

I also added "-i eth1" (my inside interface) to each of the IP chains rules you gave me so that it would only redirect inside machines. I have a web site on my outside interface on port 80 and without adding the "-i" I would lose that web site.

Also, you can not use domains in ipchains rules. You *can* use hostnames, but not entire domains. I'll let you know if I can get the authentication part to work with transparent proxy.
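The interface-scoped redirect voidmain describes (only inside machines get sent to Squid, so the web site on the outside interface keeps working), written for iptables rather than ipchains, as an added example that is not part of the thread and not either poster's own rules. It assumes eth0 outside, eth1 inside and Squid on port 3128; like the masquerading example it prints its commands unless DRY_RUN=0. It also adds the egress rule voidmain uses in his firewall script (no port-80 traffic leaves except through the proxy) and keeps the proxy port closed to the outside.

```shell
#!/bin/sh
# Added example (not from the thread): transparent redirection of LAN web
# traffic into Squid with iptables, scoped to the inside interface.
# EXTIF/INTIF/SQUID_PORT are assumed values; DRY_RUN=1 prints instead of
# executing (executing requires root).

EXTIF="${EXTIF:-eth0}"            # towards the ISP (may host a public web site)
INTIF="${INTIF:-eth1}"            # towards the LAN
SQUID_PORT="${SQUID_PORT:-3128}"  # port Squid listens on
DRY_RUN="${DRY_RUN:-1}"

# Either print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

redirect_rules() {
    # Only packets arriving on the inside interface are redirected, so a
    # web server on the outside interface keeps receiving its port-80 hits
    # (the "-i" that voidmain added to his ipchains rules).
    run iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # LAN hosts may not bypass the proxy by being forwarded straight to
    # port 80.  Squid's own fetches are locally generated (OUTPUT chain),
    # so a FORWARD rule does not touch them.  Inserted at position 1 so it
    # takes precedence over any later "allow LAN out" rule.
    run iptables -I FORWARD 1 -i "$INTIF" -o "$EXTIF" -p tcp --dport 80 -j DROP
    # Keep the proxy port private: nothing from the outside may reach it.
    run iptables -I INPUT 1 -i "$EXTIF" -p tcp --dport "$SQUID_PORT" -j DROP
}

# Returns 0 when at least one PREROUTING redirect exists and every one of
# them is restricted to the inside interface.
redirect_is_scoped() {
    out=$(redirect_rules | grep PREROUTING)
    [ -n "$out" ] && ! echo "$out" | grep -v -q -- "-i $INTIF"
}

redirect_rules
```

The redirect only works if Squid is also configured for transparent operation (the httpd_accel options voidmain says he uncommented, following the TransparentProxy HOWTO linked above); without them Squid receives the redirected request but cannot tell which site was asked for.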
Title: Networking Help!
Post by: Master of Reality on 19 April 2002, 17:36
well... isnt this surprising, the master of reality telling VoidMain how to do something... and it working!

i still cant get squid started because it says : "fatal: cant determine fully qualified hostname. Please setup visible_hostname."
and i then set the "visible_hostname" in the squid.conf file, and i still get the same error when trying to start it.
At the console it says "root@server" meaning that the hostname is set to server.
do ya know where the problem may be?
Title: Networking Help!
Post by: voidmain on 20 April 2002, 05:27
"Ahh grasshopper, when you can take the pebble from my hand." (you are probably too young to know what that quote means).

Sounds like it's trying to look up the fully qualified host name for your local IP address and you don't have it set up. You might try giving your inside address a fully qualified host name in /etc/hosts like this:

127.0.0.1 localhost.localdomain localhost
192.168.0.1 proxy.masterofreality.home proxy

If that doesn't work, you should be able to set the visible_hostname in squid.conf to something like:

visible_hostname proxy.masterofreality.home

[ April 19, 2002: Message edited by: VoidMain ]
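A small check for the failure voidmain diagnoses here (Squid cannot turn the machine's address into a fully qualified name), as an added example that is not from the thread and not either poster's own script. It parses a hosts file the way that lookup does, reporting the first dotted name listed for an address; the sample hosts text is constructed and modelled on the /etc/hosts lines suggested above. Pipe the real file in with `fqdn_for_ip 192.168.0.1 < /etc/hosts` on the server.

```shell
#!/bin/sh
# Added example (not from the thread).  Squid refuses to start when the
# address it binds to has no fully qualified name; this helper checks a
# hosts file (read on stdin) for such a name so the cause can be confirmed
# before editing squid.conf.

# Print the first name containing a dot that is listed for IP; exit 1 if none.
fqdn_for_ip() {
    awk -v ip="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }       # comments and blank lines
        $1 == ip {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break              # trailing comment starts
                if ($i ~ /\./) { print $i; found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample hosts file: one address with a dotted name, one without.
SAMPLE_HOSTS='127.0.0.1   localhost.localdomain localhost
192.168.0.1 proxy.masterofreality.home proxy   # inside interface
10.0.0.5    server'

# Print whether IP ($1) has a usable fully qualified name in hosts text ($2).
report() {
    name=$(printf '%s\n' "$2" | fqdn_for_ip "$1") \
        && echo "$1 -> $name (Squid can use this)" \
        || echo "$1 has no fully qualified name; add one or set visible_hostname"
}

report 192.168.0.1 "$SAMPLE_HOSTS"
report 10.0.0.5 "$SAMPLE_HOSTS"
```

A hostname of plain "server" never satisfies the check, which is why setting the system hostname alone did not help; the name has to carry a domain part, either in /etc/hosts or via visible_hostname in squid.conf.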

Title: Networking Help!
Post by: psyjax on 20 April 2002, 05:57
quote:
Originally posted by VoidMain:
"Ahh grasshopper, when you can take the pebble from my hand." (you are probably too young to know what that quote means).


Surely you jest? The quote comes from an indelible icon in American culture, it is timeless, and rife with meaning and relevance   :D

Although I always wonder "what if Bruce Lee got the part?"

[ April 19, 2002: Message edited by: psyjax ]

Title: Networking Help!
Post by: Master of Reality on 20 April 2002, 07:31
you under-estimate me, i may be 15 years of age, but i know of that saying. I am one with the past, My favorite band is Black Sabbath, my favorite car is a late 60's to early 70's Hemi-Cuda. Both of which have stopped production. (although the members have made a few "solo" albums since the 80's)
I have seen the movie "the shining" several times. I am learning the language of old lore, it was made in 1920's, its called Quenta, the elvish language made by tolkien. For i may be of youth, but nonetheless i know all too well of the past.
Title: Networking Help!
Post by: Master of Reality on 20 April 2002, 07:48
i am using lynx from the server now.
I set the host in /etc/hosts and now squid is started. I did those ipchains mentioned earlier, i also have already configured squid properly in the squid.conf file. Now my computers can find the ip address of the website they want to find, but now they cant connect to the site. When my computers on the network try to ping a friend of mine's comp (on the internet) it works fine, but when i tried to ping "www.fuckmicrosoft.com" he couldnt get it.
got any ideas?

[ April 19, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: voidmain on 20 April 2002, 11:06
quote:
Originally posted by psyjax:


Surely you jest? The quote comes from an indelible icon in American culture, it is timeless, and rife with meaning and relevance    :D

Although I always wonder "what if Bruce Lee got the part?"



I haven't seen that movie in 20 years but I still pull that line out every once in a while.
Title: Networking Help!
Post by: voidmain on 20 April 2002, 11:20
quote:
Originally posted by Master of Reality:
you under-estimate me, i may be 15 years of age, but i know of that saying. I am one with the past, My favorite band is Black Sabbath, my favorite car is a late 60's to early 70's Hemi-Cuda. Both of which have stopped production. (although the members have made a few "solo" albums since the 80's)



According to the BS web site they've been fairly active off and on all the way up to this year:
http://www.black-sabbath.com/personnel/lineups.html (http://www.black-sabbath.com/personnel/lineups.html)
I think the first song I learned on my first electric guitar was Smoke on the Water.  Either that or Stairway to Heaven. And I've always been more into Chevy. I had a '68 Camaro, a '76 Camaro and currently a '96 Camaro that I bought new, 'bout time for a new one, but they're stopping production.   :(    Sounds like you probably even have the Elvis sideburns going.

 
quote:


I have seen the movie "the shining" several times. I am learning the language of old lore, it was made in 1920's, its called Quenta, the elvish language made by tolkien. For i may be of youth, but nonetheless i know all too well of the past.



Uh, that's before my time.

[ April 20, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: voidmain on 20 April 2002, 11:23
quote:
Originally posted by Master of Reality:
When my computers on the network try to ping a friend of mine's comp (on the internet) it works fine, but when i tried to ping "www.fuckmicrosoft.com" he couldnt get it.
got any ideas?



Yeah, fuckmicrosoft.com must be filtering port 9. I can't ping it from any machine, probably to keep away the DoS kiddies.  So it sounds like your setup is working properly.
Title: Networking Help!
Post by: Master of Reality on 20 April 2002, 16:41
quote:
Originally posted by VoidMain:

According to the BS web site they've been fairly active off and on all the way up to this year:
http://www.black-sabbath.com/personnel/lineups.html (http://www.black-sabbath.com/personnel/lineups.html)
I think the first song I learned on my first electric guitar was Smoke on the Water. Either that or Stairway to Heaven. And I've always been more into Chevy. I had a '68 Camaro, a '76 Camaro and currently a '96 Camaro that I bought new, 'bout time for a new one, but they're stopping production. Sounds like you probably even have the Elvis sideburns going
[ April 20, 2002: Message edited by: VoidMain ]


the first song i learned on electric guitar was smoke on the water by Deep Purple , or maybe it was Sweet Dreams by the Eurythmics, i learned both of them the same day.
My band is even gonna play electric funeral.
I know one thing that really would have been cool to go to would have been The Wall Live Show, by Pink Floyd. Its too bad i wasnt alive then.

My dad has had several Chevy Impalas, that was before me too.

And pong and space invaders are the best games on earth

[ April 20, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: Master of Reality on 20 April 2002, 17:05
My clients browser says "resolving host" and just sits there like that until it times out. I have no clue how to fix this. any ideas?

(epoxy works great on those damn win keys)50
Title: Networking Help!
Post by: voidmain on 20 April 2002, 21:19
quote:
Originally posted by Master of Reality:

the first song i learned on electric guitar was smoke on the water by Deep Purple , or maybe it was Sweet Dreams by the Eurythmics, i learned both of them the same day.
My band is even gonna play electric funeral.
I know one thing that really would have been cool to go to would have been The Wall Live Show, by Pink Floyd. Its too bad i wasnt alive then.

My dad has had several Chevy Impalas, that was before me too.

And pong and space invaders are the best games on earth



Man, talk about making someone feel old. Pink Floyd is a "new" group.   I had "The Wall" Laser Video Disk. The Laser Video Disk player just came out about the same time and I got the first one. I believe it was about 1983 or 1984. I never really got in to Pink Floyd though. I did learn a few of their songs on the guitar though for some of the bands I've been in over the years.  My favoritest bands of all time are late 70's, early 80's rock bands like early Van Halen, Rush, Boston, .38 Special, Skynyrd etc... But I also really like a lot of the '90s rock.

It's been at least a year since my last band sort of dissolved and I haven't played much since.. I find myself listening to more talk radio and less music which I believe is a sign of old age. I had a pretty good garage jam set up for practicing. My garage was sound proofed, I have a Mackie SR24 mixer (http://www.sweetwater.com/publications/sweetnotes/sn-summer95/Sum95_01.html), 1400i power amp, many effects, a Roland TD-7 electric drum kit, several electric guitars and basses and for practice we used a head phone amp which allowed everyone to get great sound through headphones and we didn't have to power up the Amps and piss off the neighbors...

[ April 20, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: voidmain on 20 April 2002, 21:30
quote:
Originally posted by Master of Reality:
My client's browser says "resolving host" and just sits there like that until it times out. I have no clue how to fix this. Any ideas?

(epoxy works great on those damn win keys)



Epoxy is great stuff. As for the "resolving host" thing, is this with your client's proxy configured to point to "http://192.168.0.1" port 3128? Did you add an access rule in your squid.conf to temporarily allow all to see if it works? I usually put an "http_access allow all" right above the line in squid.conf called "http_access allow manager" which basically opens it up wide open.

Then from one of your clients try to telnet to port 3128:

telnet 192.168.0.1 3128

Then type some garbage in followed by <ENTER> twice which should get some HTML error message and exit.

That would tell you if you are talking to squid or not from the client. But I suspect it's more an ipchains rule that is blocking the traffic. That's what it acts like if it just appears to hang. Also, is the DNS client working properly on your squid server? You need to be able to do things like "nslookup www.fuckmicrosoft.com" (http://www.fuckmicrosoft.com) and get an address back. Squid will do all your name resolution when you browse, not the client.
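The check VoidMain describes (connect to port 3128, send garbage and two line endings, see whether an HTML error page comes back, and confirm the server itself can resolve names) can be scripted. The block below is an added example written for this thread, not code from the thread or from Squid. The default host and port, the "looks like Squid" heuristic (a `Server: squid` header or an HTML body in the reply), and the canned responder used to exercise it offline are all assumptions made for illustration; point it at a real proxy by passing its address.

```python
"""Script the 'telnet to 3128 and type garbage' test against a Squid listener."""
import socket
import threading


def resolver_works(name: str) -> bool:
    """True if *this* machine's resolver can turn a name into an address.

    Squid performs the lookups itself, so this has to succeed on the box
    running Squid, not on the browsing client.
    """
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def classify_reply(data: bytes) -> str:
    """Classify the raw reply to a garbage request (heuristic, an assumption).

    'squid_error_page': HTTP reply with Squid's Server header or an HTML body
    'other_http'      : some other HTTP speaker answered
    'not_http'        : something answered, but not with HTTP
    'no_reply'        : connection accepted but nothing came back
    """
    if not data:
        return "no_reply"
    head, _, body = data.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/"):
        return "not_http"
    if b"server: squid" in head.lower() or b"<html" in body.lower():
        return "squid_error_page"
    return "other_http"


def probe_proxy(host: str = "192.168.0.1", port: int = 3128, timeout: float = 5.0) -> dict:
    """Connect, send 'garbage' plus two CRLFs, read until close or timeout, classify."""
    result = {"connected": False, "reply": b"", "verdict": "no_reply"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["connected"] = True
            sock.sendall(b"garbage\r\n\r\n")
            chunks = []
            try:
                while True:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass  # reply may be complete even if the peer did not close
            result["reply"] = b"".join(chunks)
    except OSError:
        # refused: nothing listening; timed out on connect: usually a filtering rule
        return result
    result["verdict"] = classify_reply(result["reply"])
    return result


# Constructed stand-in for a Squid 2.4 error reply, used only to exercise the probe offline.
CANNED_SQUID_REPLY = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Server: squid/2.4.STABLE6\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<HTML><HEAD><TITLE>ERROR: The requested URL could not be retrieved"
    b"</TITLE></HEAD></HTML>\r\n"
)


def start_canned_responder(payload: bytes) -> int:
    """Listen on 127.0.0.1 at an ephemeral port, answer one connection with payload."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # swallow the garbage request
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_canned_responder(CANNED_SQUID_REPLY)
    print("resolver ok:", resolver_works("localhost"))
    print("verdict:", probe_proxy("127.0.0.1", port)["verdict"])
```

A `connected` of `False` points at a listener or filtering problem (the ipchains suspicion in the post); `connected` with `no_reply` suggests the port is open but not Squid; `squid_error_page` means the client really is talking to Squid and the remaining problem is on Squid's side (access rules or name resolution).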
Title: Networking Help!
Post by: Master of Reality on 23 April 2002, 21:20
quote:
Originally posted by VoidMain:


Epoxy is great stuff. As for the "resolving host" thing, is this with your client's proxy configured to point to "http://192.168.0.1" port 3128? Did you add an access rule in your squid.conf to temporarily allow all to see if it works? I usually put an "http_access allow all" right above the line in squid.conf called "http_access allow manager" which basically opens it up wide open.

Then from one of your clients try to telnet to port 3128:

telnet 192.168.0.1 3128

Then type some garbage in followed by <ENTER> twice which should get some HTML error message and exit.

That would tell you if you are talking to squid or not from the client. But I suspect it's more an ipchains rule that is blocking the traffic. That's what it acts like if it just appears to hang. Also, is the DNS client working properly on your squid server? You need to be able to do things like "nslookup www.fuckmicrosoft.com" (http://www.fuckmicrosoft.com) and get an address back. Squid will do all your name resolution when you browse, not the client.


(I gave up on the idea of a transparent proxy for now)
How should I go about properly configuring the DNS settings on squid? I believe it is that which is stopping me.
I can't telnet to there either, and I don't think my server is going through squid to get to the internet (I am on it right now).

[ April 23, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: voidmain on 24 April 2002, 05:13
You don't have to configure DNS specifically for Squid, it just has to be configured properly on the server that Squid runs on, and just be a DNS client, doesn't have to be a DNS server.  So the only thing you need to do is adjust your /etc/resolv.conf file to contain your domain name and the DNS servers you use.  It should look something like this:

Code:

And is Squid actually running? When you do a "ps auxwww | grep squid" do you see it in the process list?
Title: Networking Help!
Post by: Master of Reality on 24 April 2002, 08:21
quote:
Originally posted by VoidMain:
You don't have to configure DNS specifically for Squid, it just has to be configured properly on the server that Squid runs on, and just be a DNS client, doesn't have to be a DNS server.  So the only thing you need to do is adjust your /etc/resolv.conf file to contain your domain name and the DNS servers you use.  It should look something like this:

Code:

And is Squid actually running? When you do a "ps auxwww | grep squid" do you see it in the process list?

My resolv.conf file is configured properly, I checked it earlier; squid is running (I did ps -A and squid was there).
I configured my browser to go through the proxy on 192.168.0.1 port 3128.
I went into the Linux internet connection wizard and set it to go through the proxy.
I took off the changes to the host_accel stuff I did to try out the transparent proxy, I set access to 192.168.0.2-192.168.0.4 (through webmin), then I changed it to allow all and tried it.
I still can't get it to work.
Title: Networking Help!
Post by: voidmain on 24 April 2002, 08:39
If you take a stock squid.conf file (from a fresh squid install) all you should have to do to get it working is right above the line:

http_access allow manager localhost

insert the line:

http_access allow all

so it looks like this:

Code:

and it should work (assuming you can browse from the browser on the server, lynx is sufficient to check that).  I set these things up all the time, and in fact just set another one up at work today on RedHat 7.2 and this worked just fine. Also, after you make a change to the config file you must restart Squid by typing:

/etc/rc.d/init.d/squid restart

If this does not work, tell me exactly the behavior you are getting on the client. Do you get an HTML error page from Squid? Does it just hang?  What browser are you using that you have the proxy configured? What exactly do you have for the proxy settings? Is 192.168.0.1 really the IP address of your inside interface? Some browsers require a URL for the proxy (http://192.168.0.1) and some require just the address (192.168.0.1) and the port 3128 should be set for "http" proxy port.

If you do not get an HTML error page with Squid somewhere on the page you either have the client configured wrong or your ipchains are configured wrong. To check if it's an ipchains issue you should be able to just remove all the chains by:

/sbin/ipchains -F
/sbin/ipchains -X

ipchains should not restrict inbound port 3128 on your inside interface and it should not restrict outbound port 80 on your outside interface.  Can you even ping your server's inside interface from your client?

[ April 23, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: Master of Reality on 24 April 2002, 21:16
I will try that tomorrow, I may even re-install squid so that I have a fresh install. I'm pretty sure my internet was going off and on for a while during the day (the TV was screwing around too) so I'm not sure if any of my problems were accurate, or if the internet was down when I tested it.
Title: Networking Help!
Post by: voidmain on 24 April 2002, 21:30
I also notice I made a statement that isn't totally true. You don't have to actually restart Squid, just have it reload the config file which can be done by:

/etc/rc.d/init.d/squid reload

among other ways..
Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 00:46
This is quite odd: I started squid with a fresh install, I changed it to accept all using webmin, then I set up Netscape on my computer to use a proxy. I turned on the proxy and tried Netscape, and it says: "connection refused".
Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 00:49
!!!!!!!!!!!!!!!!!!!!!!!!!!
I just got it to work!!!!!!!!!
yay!!!!!!!!!!
It actually works now.
I changed something, I'm not sure what it did.... OH! I changed what IP address squid was on; at first I set it to 192.168.0.0 and now I tried it with 192.168.0.1 and it works!
Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 00:53
Now I can't get it to just allow my network (192.168.0.1-192.168.0.5/255.255.255.0) using webmin. It says: netmask masks part of IP address (or something like that).
Title: Networking Help!
Post by: voidmain on 25 April 2002, 02:09
quote:
Originally posted by Master of Reality:
!!!!!!!!!!!!!!!!!!!!!!!!!!
I just got it to work!!!!!!!!!
yay!!!!!!!!!!
It actually works now.
I changed something, I'm not sure what it did.... OH! I changed what IP address squid was on; at first I set it to 192.168.0.0 and now I tried it with 192.168.0.1 and it works!



Uhhh, that would definitely fix it. 192.168.0.0 is a network address, not an IP address. You had this configured in your client?
Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 02:11
quote:
Originally posted by VoidMain:


Uhhh, that would definitely fix it. 192.168.0.0 is a network address, not an IP address. You had this configured in your client?


On my server.
I just downloaded adzap and am about to install it.
Title: Networking Help!
Post by: voidmain on 25 April 2002, 02:17
Code:
Then your rule would be:
Code:

Remember that the last rule (the one at the bottom of the list) should be "http_access deny all".  The rules are checked from top to bottom, just like with ipchains.  As soon as a rule is matched the rest of the rules are ignored. If no rules are matched it falls through to the "deny all" rule and the machine/user is not granted access to any web sites.

I actually use proxy authentication rather than source IP addresses most of the time for allowing/denying access to the entire net, or portions of it. I have used the htpasswd type of auth and I also have some servers set up to authenticate against NT Domain controllers so users can use their Windows logon ID/password to authenticate and they are restricted/allowed accordingly.

[ April 24, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 02:31
quote:
Originally posted by VoidMain:
Code:
Then your rule would be:
Code:

Remember that the last rule (the one at the bottom of the list) should be "http_access deny all".  The rules are checked from top to bottom, just like with ipchains.  As soon as a rule is matched the rest of the rules are ignored. If no rules are matched it falls through to the "deny all" rule and the machine/user is not granted access to any web sites.

[ April 24, 2002: Message edited by: VoidMain ]


Can't I put (I did put it and it worked):
Code:
Title: Networking Help!
Post by: voidmain on 25 April 2002, 02:37
That may work as well, you will find that Squid is very flexible in how you define rules. Now are you sure it works? You checked that it allowed one of those addresses, and did not allow an address outside of that range? It's good always to test if it is indeed working as you intended. Sometimes you might think you have it restricted to only specific addresses and then check later to find that your other addresses also have access because the rules you set up may not have actually worked as you intended. Once you do a few it gets easier to understand.
Title: Networking Help!
Post by: voidmain on 25 April 2002, 02:39
And like I mentioned two posts ago, I use authentication rather than IP addresses to restrict. The main reason is, an IP address can be changed on the client by anyone who's computer-smart, and if they change it to an allowed address, they've bypassed your security. They can't bypass authentication.

I do use IP addresses for "dst" though, along with domain names.  That is, dst is used to determine where people are allowed to go based on who they authenticated as.

[ April 24, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 02:41
I need to do some customization of squid so I have a few questions:
Should I use an authentication program with squid?
How do I set it up to block certain websites (e.g. microsoft.com)?

The adzapper thing works well; how do I get it to auto-update?

[ April 24, 2002: Message edited by: Master of Reality ]

Title: Networking Help!
Post by: voidmain on 25 April 2002, 03:01
Authentication is totally up to your requirements. For me, authentication is a requirement because I don't want my children to have access to the *entire* internet. Authentication is the only way to nearly guarantee that. So when they authenticate with their ID they are allowed access to only selected sites. You'll need a program to do your authentication; I believe by default Squid comes with "ncsa_auth" which should be defined in the squid.conf under the tag "authentication_program". Read the docs. Then right under that tag you would have a tag that looks like this:

Code:
As far as who is allowed to go where, I have my Squid configuration somewhat customized from the norm. I have all of my rules set up in the squid.conf in such a way that they never have to be changed. I keep a list of users in separate files and I keep a list of domains/addresses in a separate file that will get used by squid to determine who is allowed to go where. I have written a web based utility to edit those files so they can easily be managed. But the normal setup, and a good start for you, might be:

Code:

If you want to keep your restricted users and sites in files rather than right in the squid.conf file you would set your rules to look something like this:

Code:

Now a sample of each of the dat files.  
unrestrictedusers.dat:

Code:

bannedsites.dat:

Code:

A huge advantage of breaking users and addresses out into files is that your list of users or hosts could get quite long and it gets difficult very quickly to keep it straight in the squid.conf file. The web based program I wrote can edit each of the files, and when you add something to the file it will keep the file sorted and it will perform a "/etc/rc.d/init.d/squid reload", as squid needs to be signaled that its configuration has changed.

[ April 24, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 03:46
I tried this but it didn't work:
Code:
Shouldn't that block my machines from going to microsoft.com or msn.com?
Title: Networking Help!
Post by: voidmain on 25 April 2002, 05:07
did you remove the "http_access allow all" from anywhere above those lines? Remember from top to bottom an "allow all" would match anything and never get to your rule.
Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 06:07
quote:
Originally posted by VoidMain:
did you remove the "http_access allow all" from anywhere above those lines? Remember from top to bottom an "allow all" would match anything and never get to your rule.


I put http_access DENY all below these lines.
Title: Networking Help!
Post by: voidmain on 25 April 2002, 06:40
Now I just added the same rules and it worked fine for me. Did you tell squid to reload its configuration after making the changes? "/etc/rc.d/init.d/squid reload". If you did and it still doesn't work, can you stick a copy of your squid.conf on your web site so I can take a look at it? Also make sure you do your tests on the client machines and not on the server. You'll notice that "http_access allow localhost" is a default rule that, if above your other rules, would have allowed access to anywhere. If you want the rule to apply to the server as well just add the "!bansites" to the end of "http_access allow localhost". And your "acl" definitions should be above your "http_access" rules, which it looks like you have done.

[ April 24, 2002: Message edited by: VoidMain ]

Title: Networking Help!
Post by: Master of Reality on 25 April 2002, 06:44
Okay... it seems to work now, it's successfully blocking microsoft.com.
Title: Networking Help!
Post by: Master of Reality on 26 June 2002, 23:24
I was just browsing around fuckmicrosoft... and suddenly it says connection refused from fuckmicrosoft.com. It says this for every website I go to. I can still ping the outside world, so I turned off the proxy in Mozilla and it works again. This has happened before, but it started working again. The proxy always works fine with my Windows computer. Now I have my server just masquerading my Linux computer and not sending it through the proxy. I restarted squid and that didn't work either. Does anyone have any clue at all what the hell could be causing this?
Title: Networking Help!
Post by: Master of Reality on 27 June 2002, 23:36
I installed Debian, but it couldn't find either of my ethernet cards, then I tried to install FreeBSD instead, but after booting off the CD it said there was no CDROM. So I installed Red Hat 7.2 on my server again. But this time it can't find my second ethernet card. I have RH7.2 and RH7.3 on my server. RH7.3 recognizes both ethernet cards fine. RH7.2 used to recognize both my ethernet cards... but then I re-installed it. Got any ideas on how I could try to find my ethernet card?
Title: Networking Help!
Post by: Master of Reality on 27 June 2002, 23:49
Since I also have Red Hat 7.3 installed and it recognizes both cards, why don't I use it?
Squid gives me this error when I try to start it in either RH7.2 or RH7.3:

Squid cache (Version 2.4.STABLE6): terminated abnormally.
CPU usage: 0.050 seconds = 0.040 user + 0.010 sys
Maximum Resident Size: 0K
Page Faults with physical i/o: 286
Aborted.
Anyone know what that means or how to fix it??

I really had better turn my 'puter off now... there is a huge ass storm, and lightning just struck about 100 metres from my house.
Title: Networking Help!
Post by: voidmain on 28 June 2002, 01:17
Try:

# /etc/rc.d/init.d/squid stop
# rm -rf /var/spool/squid/*
# /etc/rc.d/init.d/squid start
Title: Networking Help!
Post by: Master of Reality on 28 June 2002, 01:41
I got the same error when I did that.
Title: Networking Help!
Post by: Master of Reality on 28 June 2002, 02:05
I forgot to set the visible_hostname. It seems to be working now.
Title: Networking Help!
Post by: Master of Reality on 28 June 2002, 02:29
success!!
It works now... I even got ssh to work internally. I'm gonna block it externally.. finally (I couldn't get it to work before).
Title: Networking Help!
Post by: Master of Reality on 28 June 2002, 03:38
try to go to http://chatroom.fuckmicrosoft.com (http://chatroom.fuckmicrosoft.com) and tell me what happens...
I am running it on another version of Linux now.
Title: Networking Help!
Post by: Master of Reality on 28 June 2002, 04:24
I just made a .dat file for my bansites. I did an nslookup for microsoft, msn, hotmail and put the IP addresses in the file. Then I put
Code:
I did that and restarted squid, but I can still go to microsoft.com. I then put the IP addresses in squid.conf:
Code:
but I can still go to the site... does that mean that I have to put the domain there:
Code:
-----
Oh yeah... where can I find that adzapper dealy? I forgot to back it up when I took off RH7.2.

[ June 27, 2002: Message edited by: Master of Reality / Bob ]