
News : LinuxSolved.com Linux Help Community Forum..


Author Topic: dhcpd, squid, iptables and outlook express  (Read 10708 times)

Offline kenchix1

« on: February 18, 2004, 10:39:25 AM »
Hi, I read your post regarding Configuring Squid Outlook to access Remote mail server, and somehow, I guess I have the same problem. I am new to Linux. Our setup is like this: we have 1 Linux server running samba as log on server, and also DHCP and DNS services. We have another server which runs squid with 2 NICs, 1 for the internal network and another that goes out to the internet. I was able to connect the client (win98) to the internet using HTTP and HTTPS but clients can't retrieve email using Eudora and Outlook. But from what I read, what I need for a problem like this is a transparent proxy. I just have a few questions regarding the NAT scripts.

Quote
#!/bin/sh

iptables=/sbin/iptables

iptables --flush -t nat

iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

Should I replace the ppp0 with eth0, since the eth0 is the one connected to the internet?

Quote
iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Should I replace eth0 with eth1, since it is the one connected to the internal network?

Quote
Now in your clients make sure you have set the gateway as the ip of your computer which is connected directly to internet and also that you have entered right nameserver (DNS) in the dns list of clients.
Now you should be able to share internet after executing this script.

We have more than 100 computers, and more than a quarter are accessing the internet. Do I really need to put the IP of the squid as a gateway on every computer?

Quote
NOTE :: When you run this script you should also use a good firewall.

Currently we don't have a firewall, can I still use this NAT?

thank you very much in advance.

Offline Ricky

« Reply #1 on: February 18, 2004, 05:38:08 PM »
Quote
should i replace the ppp0 to eth0 ? since the eth0 is the one connected to the internet.

Yes, you have to change ppp0 to eth0.

Quote
Quote
iptables --append FORWARD --in-interface eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
should i replace eth0 with eth1 since it is the one connected to the internal network ?

Yes, here again you guessed it right.

Quote
Quote
Now in your clients make sure you have set the gateway as the ip of your computer which is connected directly to internet and also that you have entered right nameserver (DNS) in the dns list of clients.
Now you should be able to share internet after executing this script.
we have more than 100 computers, more than a quarter are accessing the internet, should i really need to put the ip of the squid as a gateway to every computer ?

Here.. If you have a simple proxy using squid then you have to configure each client's browser to use the proxy.
But if you go for NAT and you have a dhcp server then simply assign gateway and DNS using your dhcp server. Same for Transparent Proxy.

Quote
currently we don't have a firewall, can i still use this NAT ?

When you use NAT you simply make your network wide open to the hackers as it then allows everything to pass through it. So I have suggested to use a firewall. For dialup networks it is not a big deal but for the static network ... you should have it.
I will soon provide a firewall script to fit the transparent proxy.

Offline kenchix1

« Reply #2 on: February 19, 2004, 02:50:39 AM »
Thank you sir for your reply.
I tried the NAT script and changed the squid.conf but it didn't work. Clients can surf (HTTP, HTTPS) the internet if I specify the name of the proxy in my browser but I still can't retrieve and send email. If I don't specify any proxy in my browser, I can't browse the net at all.

I hope you won't mind me posting several of my conf files for you to see.

This is my squid.conf
Quote
http_port 3128
cache_mem 16 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 8192 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_dir ufs /usr/local/squid/cache 2048 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log


# as is.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:      1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443 563   # https, snews
acl Safe_ports port 70      # gopher
acl Safe_ports port 210      # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280      # http-mgmt
acl Safe_ports port 488      # gss-http
acl Safe_ports port 591      # filemaker
acl Safe_ports port 777      # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports


acl our_network_ip src 192.168.100.0/24
http_access allow our_network_ip

http_access allow localhost
http_access deny all
visible_hostname SERVER1
unique_hostname SERVER1




httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_reply_access allow all

icp_access allow all
cache_effective_user squid
cache_effective_group squid

This is the NAT script that I copied and modified.
Quote

iptables=/sbin/iptables
iptables --flush -t nat
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT


iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo 1 > /proc/sys/net/ipv4/ip_forward

This is what service iptables status said after running the NAT script
Quote
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
REDIRECT   tcp  --  anywhere             anywhere           tcp dpt:http redir ports 3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

this is my dhcpd.conf file
Quote
default-lease-time 86400;
max-lease-time 86400;

option domain-name "domain1";
ddns-update-style interim;
ddns-updates on;
deny client-updates;
allow unknown-clients;

subnet 192.168.100.0 netmask 255.255.255.0 {
   range 192.168.100.10 192.168.100.250;
   option subnet-mask 255.255.255.0;
   option broadcast-address 192.168.100.255;
   option routers 192.168.100.1;

               #option routers 192.168.100.5
               #option routers aaa.bbb.ccc.ddd
   option domain-name-servers 192.168.100.1;
}


host pc1 {
  hardware ethernet 01:10:4B:15:95:E2;
  fixed-address 192.168.100.5;
 }

this is the ifcfg-eth0 of the proxy, the one that goes out to the internet.
Quote
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=aaa.bbb.ccc.ddd
NETMASK=255.255.255.252
GATEWAY=aaa.bbb.ccc.dcf

Thank you very much for your help sir.

Offline Ricky

« Reply #3 on: February 19, 2004, 06:16:42 AM »
First make sure that iptable NAT script is executed ie. it is running.

Well i think your problem is ..
Code: [Select]
option domain-name-servers 192.168.100.1;
r u running domain name server locally ?
Try to put the dns of your ISP here..
Also give a look to it.. http://www.linuxsolved.com/forums/viewtopic.php?t=16

Offline kenchix1

« Reply #4 on: February 19, 2004, 07:56:24 AM »
Quote
First make sure that iptable NAT script is executed ie. it is running.

I'm sure it was executed. I put it inside /etc/rc.d, modified rc.local and added the line /etc/rc.d/rc.nat and then I chmod 755 the rc.nat.

Quote
Well i think your problem is ..

Quote
Code:
option domain-name-servers 192.168.100.1;

r u running domain name server locally ?
Try to put the dns of your ISP here..

Yes, I am running a domain name server locally and let dhcpd update the zone file automatically. The 192.168.100.1 is the log on server (samba), DHCP and DNS server.

I'll try to put the nameserver of our ISP then I'll post what happened.

Thank you very much for your time sir.

Offline kenchix1

« Reply #5 on: February 19, 2004, 11:42:35 AM »
First, I added the DNS of our ISP in the dhcpd.conf

Quote
option domain-name-servers 192.168.100.1, aaa.bbb.ccc.eee, aaa.bbb.ccc.eef

Still, I can't browse and can't retrieve email.

Then I replaced (dhcpd.conf) the router from 192.168.100.1 to 192.168.100.5 (the computer with two network cards, one of which goes out to the internet).

Then after that, I can retrieve and send email and surf the internet without specifying any proxy server in the browser, and definitely I am very happy! :)

Thank you very much sir!!! :D :D  :D :D

Now, with this kind of setup, a few problems will arise. My problems are:
1) all users can connect to the internet whenever they want
2) I don't really know what'll be the effect on our network if I assign the 192.168.100.5 as the router
3) I don't know what'll be the effect on our network if I add the DNS server of the ISP.
4) can I use a hostname in acl ? like acl src kenchix1.domain1/24 so I'll just put the hostname of the user instead of the ip address ?
5) I'm all mixed up on how I can block unauthorized users of the internet in our network.

Thank you very much sir for your help. :D :D :D

Offline Ricky

« Reply #6 on: February 20, 2004, 06:04:25 PM »
Well first, is what is given a right copy paste from ur dhcpd configuration file ?
Code: [Select]
option domain-name-servers 192.168.100.1, aaa.bbb.ccc.eee, aaa.bbb.ccc.eef
b'cause it has no ";" in the end so dhcpd server should be giving error .. maybe that's y it doesn't work on ur first server but when u set it on second put the right pattern.

Ok.. secondly use squid .. and see other thread about squid here.. u can restrict users on time basis, usage basis. And also use a good iptables firewall on your computer which is connected to ISP.
Lastly if u are having cache name server on ur lan then u can specify it as primary nameserver and secondary as ur ISP's.. having nameserver locally will increase the performance of internet on LAN.
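
Added example, not part of the thread and not the firewall script Ricky mentions: a default-deny ruleset for the gateway discussed above, replacing the blanket FORWARD ACCEPT with rules that forward only mail and DNS while web traffic goes through Squid. The interface names, subnet and Squid port are taken from the posts; the forwarded ports (25, 110, 443), SSH from the LAN and the dry-run `IPT` switch are assumptions.

```shell
#!/bin/sh
# Added example (constructed), not from the thread.
# From the thread: eth0 = Internet side, eth1 = LAN 192.168.100.0/24, Squid on 3128.
# Assumptions: clients need SMTP/POP3/HTTPS out, admin SSH comes from the LAN.
# Dry run by default (rules are printed); as root, set IPT=/sbin/iptables to apply.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.100.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
FWD_TCP_PORTS=${FWD_TCP_PORTS:-25,110,443}   # 443 because only port 80 is redirected
IPT=${IPT:-echo iptables}

gateway_rules() {
    # Start clean; anything not explicitly allowed below is dropped.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections that were already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The gateway itself accepts only Squid and SSH, and only from the LAN.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp -m multiport --dports "22,$SQUID_PORT" -j ACCEPT

    # Transparent proxy: LAN web traffic is handed to Squid, where ACLs apply.
    $IPT -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

    # Forward only the listed TCP ports and DNS, LAN to Internet, never the reverse.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports "$FWD_TCP_PORTS" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT

    # Hide LAN addresses behind the external interface.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Enable routing only when the rules are really being applied.
    if [ "$IPT" != "echo iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

gateway_rules
```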