*********************
I'm writing this guide in the hope that it will be usefull to System admins and Cablenet operators who are trying to eliminate ISA Server and Windows based solutions and transfer their insfrastructure to Linux Squid Caching Proxy server.
This guide assumes that you had already used ISA Server or any other proxy server and have basic networking knowledge.
In this guide I'm using following envoinment :
=> Redhat Linux 9 with Squid and Iptables installed .
=> Linux machine have the IP address 192.168.0.1 and netmask 255.255.255.0
=> Linux machine is using Dial-up to connect to internet i.e Outgoing interface is ppp0 with dynamic IP.
=> All clients are using MS Windows 9x/NT/XP
Difference B/W ISA SERVER and SQUID
==============================
Most of the system admins nowadays use ISA SERVER to build up their network since it is easily available ( At least in Pakistan ) and easy to configure.
Like most of the MS Softwares it has a pretty GUI Interface which can be really helpfull for a novice System admin to setup , also it doesn't require complicated configuration to run. By installing Firewall Client on all the Client computers it saves you from the overhead of some configuration at the client side like manually entering Gateway and DNS settings. But it lacks some of the major features which most of the other competing products are providing like Real time monitoring and Antivirus Integration. To get these fuctionalities you have to use third party softwares most of which require you to spend money.
Now on the other hand Squid is a open source product which develops by the co-operation of thousands of programmings contributing and testing the code .
It is also the most widely used proxy caching server on ISP end ( In Pakistan ). It is also a robust software which can operate under fewer resources and heavy loads.
That is why it is popular among the IPS's.
There are some MAJOR diffrences between the two products. Some of them are follows :
=> MS ISA Server is Caching + Firewall software , however Squid is only a caching proxy software.
=> To achieve the Firewall fuctionality we will use IPTABLES which is a standard firewall solution under Linux and is flexible and powerfull , however not very user-friendly ( You really need to learn the syntax but u can also use QUICKTABLES to set it up , which you'll find it at http://qtables.radom.org/ )
This means that to achieve the full functionality you will use Squid with Iptables ( It seems difficult , but it is not
).SETTING LINUX SERVER
================
First of all we will assign the IP address to Linux machine which will be 192.168.0.1. An easy way to do this by typing "setup" ( Assuming that we are using Redhat or Fedora core ) , then select network configuration , then select manual settings and then enter the IP address . All the other fields will be automatically filled in by Linux , just accept it.
Now again at the setup menu select "Firewall configuration" and select "Enable firewall" and then checkmark the services "http" , "ftp" and "ssh". Apply the rules.
You can build stronger firewall rules but since this guide is not about security , thats why Im using pre-built rules just to make things simpler.
Now its time to set up the Masquerading or NAT . ( In ISA Server envoinment it is called SecureNAT and Linux calls it IP Masquerading )
The following command will enable the Masquerading for the current session. If the computer restarts this setting will lost and you have to again execute this command.
echo 1 > /proc/sys/net/ipv4/ip_forward
To enable it permenetly , open the file /etc/sysctl.conf and find the line " net.ipv4.ip_forward = 0 " and change the zero to one like this :
net.ipv4.ip_forward = 1
CONFIGURING SQUID
==============
To setup Squid you will need to edit the squid configuration file which resides in the /etc/squid directory. The absolute path is /etc/squid/squid.conf.
Im supposing that you are familiar with the syntax of linux files like the lines starting up with # are comments etc.
Open up your favorite text editor like vi or kedit , gedit etc. and start editing it . I'm only covering the minimum basic options that will let you start squid. For Squid's full functionality you will find Hundreds of tutorials on the web but a comprehensive guide is available at www.LinuxPakistan.net . Just find it.
Here are some options you will set according to your envoirnment but for testing Squid it is enough to just accept the defaults.
http_port 8080 # This is the port on which squid listens for client requests. This is also ISA Servers Default port.
cache_mem 16 MB # Squid will usethis memory to cache hot objects. If you have tons of memory than allocate more
cache_dir ufs /cache 200 16 256 # The directory and the size Squid will use to cache object. Set it accordingly.
acl localnet src 192.168.1.0/255.255.255.0 # This line reflects your network . Change it if you are using other private IP sets.
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 21 1025-65535 # These are the ports squid will proxy. Remember it has nothing to do with IM ports.
Leave rest of the options as is , but add this line after the following lines.
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
http_access allow all # THIS LINE
I think this is enough , you can now start the squid service , but wait first you have to create cache directories . Type the following line at Shell.
squid -z
This will create the directories. You will get the prompt back , but if it gives error about any line in the squid.conf files then you havn't set the file correctly.
Recheck the file and please read the tutorials from other websites on how to tune the file. You will be surprised by the features squid offers.
Now connect to the internet ( Assuming that you are using good old Dial-up ) and run the following command.
squid &
If it executes without any error than everything is OK. Now check that squid is working fine by opening your favorite web browser ( Remember that we are still doing everything on the machine running squid NOT on the client . We will set it up later ) , entering the proxy address in the browsers settings and open your favorite website. Hope that it will show up without problems.
Congragualtions ! You have setup your linux proxy server , but wait we haven't setup the clients.....
CLIENT CONFIGURATION
=====================
Now if the internet is working on the server , it is time to set up the clients. Remember that we don't have any " Firewall Client " type of software in Linux like in ISA Server envoirnment , we have to enter the settings manually.
You need to know the following settings in order to build a perfect LAN envoinment.
=> Gateway Address : This will typically be the IP address of your Linux box i.e 192.168.0.1 according to our guide.
=> Hostname : This will be the hostname of your Linux box which you have already assigned it during the installation of Linux. If you forget it then type "hostname" at shell on the Linux machine and it will show you your hostname. We will need this when entering DNS settings on the client computers.
=> DNS Address : This will be the DNS address of your ISP or if you are using BIND to setup your own DNS server then this will typically be the address of your Linux machine ie 192.168.0.1 , but I'm not covering this topic here that how to setup BIND . However setting up BIND will save you from lot of trouble that if you change your ISP , you have to change the DNS entries on all of the clients ! Since every ISP have its own DNS address.
To find the DNS address of your ISP , connect to the internet and after connecting open the file /etc/resolv.conf and there you will find the IP address of your ISP's DNS server.
NOTE : ALTHOUGH ENTERING THE DNS SETTINGS IS OPTIONAL , THAT IS IF YOU DON'T ENTER DNS SETTINGS , YOUR CLIENTS WILL STILL BE ABLE TO BROWSE THE INTERNET , HOWEVER THESE SETTINGS ARE MUST IF YOUR CLIENTS WANTS THE YAHOO VOICE-CHAT AND WEBCAM FACILITY.
Since your clients are using MS Windows , I'm defining them here.
"FOR Windows 9x Clients"
R-Click on the Network Neibourhood icon and select Properties . Then select your Lan card which will be showing there and select Properties .
Now enter the IP address of the machine which maybe 192.168.0.2 and enter the Subnet which maybe 255.255.255.0 .
Now click on the Gateway Tab and enter the IP address of your squid machine which is 192.168.0.1.
There is another tab which is named DNS . Click it , select "Enable DNS" , enter the hostname of your Linux machine and then enter the IP address of your ISP DNS server which you found earlier then click Add.
Apply the changes and restart the computer.
After restarting open Internet Explorer , select Tools, select Internet options then goto Connections tab and click Lan settings.
Check the box which says something like " Use proxy server " in the lower end and in the Address field enter the IP address of the Squid machine
which is 192.168.0.1 and on the Port field type 8080 , since this is the port squid will be listening for connections ( which we have defined in the
squid.conf ). Now apply the changes and try to open the website . Hope it will open perfectly.
"FOR Windows NT/XP/2K"
R-Click on My Network Places and select Properties . R-Click on the Local area network icon and select Properties . Select Internet Protocol
and again click properties. Enter the IP address which may be 192.168.0.2 and Subnet will be automatically filled in by Windows . Also fill the
Gateway and DNS settings. Apply the changes. Open Internet Explorer and apply the same procedure which is defined in the Win9x Case.
Try to browse all the websites which you will remember at that time . Now it seems that everything works fine , but wait we have skipped one
thing and that is the messengers. If you try to login using Yahoo or MSN Messenger , Yahoo will work on " Network with no proxies " option
and MSN will work without any changing , but if you try to do Yahoo Voice chat and Webcam sessions it wont work and gives you the error
about being behind a firewall.
Most of the Admins think that Squid is responsible for this , but remember what I said earlier ? I said that SQUID IS ONLY A CACHING PROXY
SERVER AND NOT A FIREWALL LIKE MS ISA SERVER IN WHICH FIREWALL FUNCTIONALITY IS INTEGRATED .
SETTING IPTABLES
=============
Now we will use Linux firewall "IPTABLES" to allow voice chat and webcam sessions .
Open up the shell on the Linux machine and type the following commands.
iptables -t nat -A POSTROUTING -p tcp --dport 5050 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp --dport 5050 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 5051 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 5000 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp --dport 5000 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 5100 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp --dport 5100 -o ppp0 -j MASQUERADE
Now on the client computer open up Yahoo messenger and in the connection settings select "No proxies" option . Now it should Sign In without giving any error about setting up proxy and voice chat will be working too. You can test it by going into any chat room.
You can also use the above commands to open any ports on your firewall if some software is not working.
END
====
I think that i had covered everything about squid in this guide , however the most weakest part of this guide is about editing the squid.conf . You will
find plenty of tutorials on the web and it is not very difficult to configure.
I will INSHALLAH include more detailed information about squid in near fulture , but for now it is enough.
The information used in this guide is collected from various sources including Linuxpakistan.net . It is not my sole effort and I thank everyone from whom I learned all this information.
Best Regards,
Rahil Sarwar Khan.
.
