
NET SERVER CONFIG QUESTIONS.


tvlad

I am part of a network that has eight computers. We are planning on buying an old PC to use as a server. The server will have the IP 192.168.0.1 and the rest of us 192.168.0.*

 

Since not all of us pay for cable net we want to be able to restrict access to the net, and because we have a limit for downloads that aren't from Romania (if we go over 300 mb bye bye net ) I want to configure the server to go through a metropolitan proxy, but I have no idea how to do that or how to allow access to the net only if the user gives a username and password.

 

I know how to share the net between the computers and how to make a decent firewall, because I have several examples, like IP-MASQ HOWTO etc....

 

WHAT I DON'T KNOW is how to make the server use a proxy for all the traffic, so that a user isn't required to set up his own application to use a proxy (because some of the guys in my network don't and this results in traffic). The only thing he has to do is to put the server's local IP as a gateway and DNS server, and from his point of view there isn't anything more to configure.

 

ALSO I want to enable net access based on a username and password.

 

PLEASE, let me know if u have any ideas.

Link to comment
Share on other sites

My idea.

Use Mandrake MNF .. setup with your external proxy (it asks you during setup if you want to use a proxy)

then configure Proxy Authentication on the MNF box, so access is username / password restricted.

I haven't setup Proxy on my MNF ... but I've read the docs, and it all looks pretty easy

Link to comment
Share on other sites

  • 3 weeks later...

Squid is a proxy if I'm not mistaken. I think you might be looking for something called squid guard. It's a controller for squid. That's what my old school used to control its internet usage...

 

 

At the time when I was just a user it used to really grate my carrot. Actually, I might download it and start using it myself. Users on this network can really tick me off at times, especially when they do things I asked them not to do.

 

Anyways, check it out.

Link to comment
Share on other sites

At the time when I was just a user it used to really grate my carrot. Actually, I might download it and start using it myself. Users on this network can really tick me off at times, especially when they do things I asked them not to do.

 

Anyways, check it out.

 

But that's what users are for!

To provide hours of entertainment for administrators :P

Link to comment
Share on other sites

I knew of squidguard, but it's only useful if u want to block access to sites and perhaps user authentication, but I don't want to do that, and concerning user authentication I found out how to do that with squid.

 

What i still don't know exactly is how to do the proxy part.

 

I'm thinking of doing it this way :

 

adding this to my firewall

 

iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT

iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

 

and this to squid

 

cache_peer parentcache.METROPOLITAN_PROXY_IP parent 3128 0 no-query default

acl all src 0.0.0.0/0.0.0.0

never_direct allow all

 

 

This will make all the requests to port 80 be transferred to 3128, where squid is, and then squid will send the traffic to a metropolitan proxy.

 

Did I get it right ????? :roll:

Link to comment
Share on other sites

Or should I do it like this :

 

iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT

iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -A PREROUTING -p tcp --dport 3128 -i eth0 -j DNAT --to PROXY:8080

 

They should send all the requests to 3128 (where squid is) and allow me to do user authentication and then send the requests to PROXY, right?

 

Would this allow me to do transparent proxying?

 

I've read the trans proxy howto, but it doesn't tell me one thing: after I make the requests go to squid, squid will send them directly, and I want squid to send them to a metropolitan proxy because I have a traffic limit.

Link to comment
Share on other sites

OK, I have no idea. I've never had to do anything like that. I thought squidguard might be able to help, but I guess not.

 

Someone else might maybe know.

 

But when you eventually find out how to do it please will you document it and I'll put it up on my site.

Link to comment
Share on other sites

I think this is what I should add to a normal firewall config :

 

iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT

iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -A PREROUTING -p tcp --dport 3128 -i eth0 -j DNAT --to PROXY:8080

I also have to enable transparent proxying in squid as written in http://en.tldp.org/HOWTO/mini/TransparentProxy-4.html

 

WHAT I HOPE THESE LINES DO IS:

 

Let's say one of the network PCs tries to make a connection to www.tomshardware.com. The connection will arrive at the server on port 80 and be redirected to squid (that's on the same server). Then when squid tries to send the connection directly to the net, the last line of my config will send it to an IP of my choice.

 

 

I'M STILL NOT SURE of one thing: when the request arrives at squid, should I use iptables afterwards to redirect all requests made through 3128 to whatever IP I want, or should I configure squid to send the request to another IP.

Link to comment
Share on other sites
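
An added example, not part of any post above and not written by the thread's participants: it prints two interception rules and a matching squid.conf fragment in which the parent proxy from the posts is set with cache_peer and never_direct. It assumes a current Squid release (the `intercept` option; the HOWTO linked above documents older directives), a hypothetical interception port 3129, and keeps METROPOLITAN_PROXY_IP as the thread's placeholder.

```sh
#!/bin/sh
# Added example, not from the thread. Dry run by default: the iptables commands
# are printed, not executed. Run as root with APPLY=1 to install them.
LAN_IF="${LAN_IF:-eth0}"                 # LAN-facing interface, as in the posts
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SERVER_IP="${SERVER_IP:-192.168.0.1}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}" # assumption: separate interception port
PARENT_HOST="${PARENT_HOST:-METROPOLITAN_PROXY_IP}"  # placeholder from the thread
PARENT_PORT="${PARENT_PORT:-3128}"

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

nat_rules() {
    # Port-80 traffic addressed to the server itself is not intercepted.
    # RETURN is used because REJECT is not a valid target in the nat table.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$SERVER_IP" --dport 80 -j RETURN
    # All other web traffic from the LAN is handed to the local Squid.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$INTERCEPT_PORT"
}

squid_conf() {
    # Squid's own outgoing requests are locally generated and never pass
    # PREROUTING, so the upstream hop is set here, not with a DNAT rule.
    # Squid cannot request proxy authentication on intercepted connections;
    # clients that must log in have to use the explicit port 3128.
    cat <<EOF
http_port 3128
http_port $INTERCEPT_PORT intercept
cache_peer $PARENT_HOST parent $PARENT_PORT 0 no-query default
acl lan src $LAN_NET
http_access allow lan
http_access deny all
never_direct allow all
EOF
}

nat_rules
squid_conf
```
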
