tvlad Posted December 27, 2002

I am part of a network that has eight computers. We are planning to buy an old PC to use as a server. The server will have the IP 192.168.0.1 and the rest of us 192.168.0.* Since not all of us pay for cable net, we want to be able to restrict access to the net, and because we have a limit for downloads that aren't from Romania (if we go over 300 mb, bye bye net), I want to configure the server to go through a metropolitan proxy, but I have no idea how to do that or how to allow access to the net only if the user gives a username and password.

I know how to share the net between the computers and how to make a decent firewall, because I have several examples, like the IP-MASQ HOWTO etc. WHAT I DON'T KNOW is how to make the server use a proxy for all the traffic, so that a user isn't required to set up his own application to use a proxy (because some of the guys in my network don't, and this results in traffic); the only thing he has to do is put the server's local IP as a gateway and DNS server, and from his point of view there isn't anything more to configure.

ALSO I want to enable net access based on a username and password. PLEASE, let me know if you have any ideas.

paul Posted December 28, 2002

My idea: use Mandrake MNF. Set it up with your external proxy (it asks you during setup if you want to use a proxy), then configure Proxy Authentication on the MNF box, so access is username / password restricted. I haven't set up Proxy on my MNF, but I've read the docs, and it all looks pretty easy.

tvlad Posted December 28, 2002

I thought of doing that, but it will take some time until I download MNF, and I still want to know how to do it on a normal Linux distro.

tvlad Posted January 12, 2003

Please, other ideas?

tvlad Posted January 14, 2003

I posted the same subject on another forum and someone told me to redirect the traffic to squid. After I redirect the traffic to squid, shouldn't I configure squid to redirect the traffic to a proxy of my choosing?

AA Posted January 14, 2003

Squid is a proxy, if I'm not mistaken. I think you might be looking for something called squid guard. It's a controller for squid. That's what my old school used to control its internet usage...

http://www.squidguard.org/

At the time when I was just a user it used to really grate my carrot. Actually, I might download it and start using it myself. Users on this network can really tick me off at times, especially when they do things I asked them not to do. Anyways, check it out.

johnnyv Posted January 14, 2003

> At the time when I was just a user it used to really grate my carrot. Actually, I might download it and start using it myself. Users on this network can really tick me off at times, especially when they do things I asked them not to do. Anyways, check it out.

But that's what users are for! To provide hours of entertainment for administrators :P

AA Posted January 14, 2003

How true, how true! I can just hear them now: "Can you please fix my computer. I can't download mp3's"

tvlad Posted January 15, 2003

Don't get me the wrong way, guys (AA, johnnyv), but look at my original post and what you told me.

AA Posted January 16, 2003

Yeah, sorry tvlad. Did you check out squidguard?

tvlad Posted January 16, 2003

I knew of squidguard, but it's only useful if you want to block access to sites and perhaps for user authentication, but I don't want to do that, and concerning user authentication I found out how to do that with squid. What I still don't know exactly is how to do the proxy part. I'm thinking of doing it this way: adding this to my firewall

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

and this to squid

    cache_peer parentcache.METROPOLITAN_PROXY_IP parent 3128 0 no-query default
    acl all src 0.0.0.0/0.0.0.0
    never_direct allow all

This will make all the requests to port 80 be transferred to 3128, where squid is, and then squid will send the traffic to a metropolitan proxy. Did I get it right? :roll:

tvlad Posted January 16, 2003

Or should I do it like this:

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -p tcp --dport 3128 -i eth0 -j DNAT --to PROXY:8080

They should send all the requests to 3128 (where squid is), allow me to do user authentication, and then send the requests to PROXY, right? Would this allow me to do transparent proxying? I've read the trans proxy howto, but it doesn't tell me one thing: after I make the requests go to squid, squid will send them directly, and I want squid to send them to a metropolitan proxy because I have a traffic limit.

AA Posted January 16, 2003

OK, I have no idea. I've never had to do anything like that. I thought squidguard might be able to help, but I guess not. Someone else might know. But when you eventually find out how to do it, please will you document it and I'll put it up on my site.

tvlad Posted January 16, 2003

I think this is what I should add to a normal firewall config:

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d localhost --dport 80 -j REJECT
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -p tcp --dport 3128 -i eth0 -j DNAT --to PROXY:8080

I also have to enable transparent proxying in squid as written in http://en.tldp.org/HOWTO/mini/TransparentProxy-4.html

WHAT I HOPE THESE LINES DO IS: let's say one of the network PCs tries to make a connection to www.tomshardware.com. The connection will arrive at the server on port 80 and be redirected to squid (that's on the same server). Then when squid tries to send the connection directly to the net, the last line of my config will send it to an IP of my choice.

I'M STILL NOT SURE of one thing: when the request arrives at squid, should I use iptables afterwards to redirect all requests made through 3128 to whatever IP I want, or should I configure squid to send the request to another IP?

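Added example, not part of any post in this thread: a dry-run script that prints one interception rule and a squid.conf fragment chaining Squid to a parent proxy, which is the setup the last post asks about. The variable names, the `show` argument, the parent port and the use of current Squid (3.1+) syntax are assumptions; METROPOLITAN_PROXY_IP is the thread's own placeholder.

```shell
#!/bin/sh
# Added example: prints the gateway config for review; it applies nothing.
# Assumed values: eth0 is the LAN side (as in the thread); PARENT_HOST is a
# placeholder for the metropolitan proxy, PARENT_PORT its listening port.
LAN_IF=eth0
LAN_NET=192.168.0.0/24
GW_IP=192.168.0.1
SQUID_PORT=3128
PARENT_HOST=METROPOLITAN_PROXY_IP
PARENT_PORT=8080

# One NAT rule is enough. PREROUTING only sees packets arriving from the LAN;
# Squid's own outbound requests leave through OUTPUT, so they are never
# redirected again and no DNAT towards the parent is needed here.
# (REJECT is not accepted in the nat table; filtering goes in the filter table.)
nat_rules() {
  printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
    "$LAN_IF" "$LAN_NET" "$GW_IP" "$SQUID_PORT"
}

# squid.conf fragment, Squid 3.1+ syntax ("intercept"). Squid 2.5 of the
# thread's era used the httpd_accel_* directives from the linked HOWTO.
# The choice of upstream is made here: cache_peer names the parent and
# never_direct forbids fetching from origin servers directly.
# proxy_auth cannot be used on intercepted traffic: the browser does not
# know a proxy is in the path, so it will not answer a 407 challenge.
squid_conf() {
  cat <<EOF
http_port ${SQUID_PORT} intercept
acl lan src ${LAN_NET}
http_access allow lan
http_access deny all
cache_peer ${PARENT_HOST} parent ${PARENT_PORT} 0 no-query default
never_direct allow all
EOF
}

# Run as "script show" to print both parts.
case "${1:-}" in
  show) nat_rules; echo; squid_conf ;;
esac
```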