
Instalando squid

[root@localhost ~]# urpmi squid


ftp://ftp.rediris.es/pub/linux/distributions/mandrakelinux/official/updates/2006.0/main_updates/squid-2.5.STABLE10-10.4.20060mdk.i586.rpm
ftp://ftp.rediris.es/pub/linux/distributions/mandrakelinux/official/2006.0/i586/media/main/perl-Authen-Smb-0.91-6mdk.i586.rpm
Fri Apr 13 17:16:37 2007 /var/cache/urpmi/rpms/squid-2.5.STABLE10-10.4.20060mdk.i586.rpm
/var/cache/urpmi/rpms/perl-Authen-Smb-0.91-6mdk.i586.rpm
Preparando...
#############################################
1/2: perl-Authen-Smb
#############################################
2/2: squid
#############################################
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/squid start
Iniciando squid: /etc/init.d/squid: line 53: 3108 Abortado
(core dumped) $SQUID $SQUID_OPTS
>>/var/log/squid/squid.out 2>&1
[FALL ]
[root@localhost ~]# tail -f /var/log/messages
Apr 14 09:58:58 localhost kernel: 8: @c13c2700 length 8000004a status 0c01004a
Apr 14 09:58:58 localhost kernel: 9: @c13c27a0 length 80000036 status 00010036
Apr 14 09:58:58 localhost kernel: 10: @c13c2840 length 800002f6 status 0c0102f6
Apr 14 09:58:58 localhost kernel: 11: @c13c28e0 length 8000014e status 0c01014e
Apr 14 09:58:58 localhost kernel: 12: @c13c2980 length 80000036 status 00010036
Apr 14 09:58:58 localhost kernel: 13: @c13c2a20 length 80000386 status 8c010386
Apr 14 09:58:58 localhost kernel: 14: @c13c2ac0 length 80000054 status 0c010054
Apr 14 09:58:58 localhost kernel: 15: @c13c2b60 length 8000008a status 0c01008a
Apr 14 09:59:34 localhost squid: Could not determine fully qualified hostname. Please set 'visible_hostname'

Agregar en el archivo /etc/squid/squid.conf:


# TAG: visible_hostname
#	If you want to present a special hostname in error messages, etc,
#	define this. Otherwise, the return value of gethostname()
#	will be used. If you have multiple caches in a cluster and
#	get errors about IP-forwarding you must set them to have individual
#	names with this setting.
#
#Default:
# none
visible_hostname pcmandriva

Iniciar el servidor proxy


[root@localhost ~]# /etc/init.d/squid start
Iniciando squid: .
[ OK ]
[root@localhost ~]#

Parte del archivo de configuración /etc/squid/squid.conf


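#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# LAN that is allowed to browse through this proxy
acl redlocal src 192.168.1.0/24
# Site and keyword blocklists, one regex per line in each file.
# url_regex entries are unanchored regexes: "cisco" also matches
# "sanfrancisco", and "gmail.com" matches that string anywhere in the URL.
acl webprohibidas url_regex "/etc/squid/webprohibidas"
acl contenido url_regex "/etc/squid/contenido"
# Downloads blocked by file extension (case-insensitive)
acl descargas urlpath_regex -i \.mp3$ \.zip$ \.exe$
# MSN Messenger: by request MIME type, by gateway path and by web-messenger hosts
# (in a regex an unescaped "." matches any character, so these are slightly broad)
acl msn req_mime_type -i ^application/x-msn-messenger$
acl msn1 urlpath_regex gateway.dll
acl msn2 url_regex e-messenger.net webmessenger.msn.com
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports. Without this line the Safe_ports ACL
# above is defined but never enforced.
http_access deny !Safe_ports
# Deny CONNECT tunnels to anything other than the SSL ports; otherwise any
# LAN client can tunnel arbitrary TCP through the proxy.
http_access deny CONNECT !SSL_ports
# Protect services bound to 127.0.0.1 on the proxy host itself
http_access deny to_localhost

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
# Rules are evaluated in order and the first match wins, so the
# blocklist denies must come before the LAN allow.
http_access deny descargas
http_access deny webprohibidas
http_access deny contenido
http_access deny msn
http_access deny msn1
http_access deny msn2
http_access allow redlocal

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all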

Archivos de configuración adicionales:


[root@localhost ~]# cat /etc/squid/webprohibidas
youtube.com
gmail.com
hotmail.com
[root@localhost ~]#
[root@localhost ~]# cat /etc/squid/contenido
sexo
pornografia
cisco
[root@localhost ~]#

Configurando los clientes


Navegador konqueror:

AMSN:

Funcionamiento del servidor proxy


[root@localhost ~]# tail -f /var/log/squid/access.log
1176538770.568 195 192.168.1.4 TCP_DENIED/403 1324 GET http://gmail.com/ - NONE/- text/html
1176538773.646 4 192.168.1.4 TCP_DENIED/403 1346 GET http://gmail.com/favicon.ico - NONE/- text/html
1176538799.979 12 192.168.1.4 TCP_DENIED/403 1336 GET http://www.youtube.com/ - NONE/- text/html
1176538800.937 91 192.168.1.4 TCP_DENIED/403 1358 GET http://www.youtube.com/favicon.ico - NONE/- text/html
1176538818.162 11 192.168.1.4 TCP_DENIED/403 1336 GET http://www.hotmail.com/ - NONE/- text/html
1176538819.070 82 192.168.1.4 TCP_DENIED/403 1358 GET http://www.hotmail.com/favicon.ico - NONE/- text/html

[root@localhost ~]# tail -f /var/log/squid/access.log


1176540897.266 11 192.168.1.4 TCP_DENIED/403 1409 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? - NONE/- text/html
1176540905.490 9 192.168.1.4 TCP_DENIED/403 1409 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? - NONE/- text/html
1176540916.494 8 192.168.1.4 TCP_DENIED/403 1409 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? - NONE/- text/html
1176540925.476 9 192.168.1.4 TCP_DENIED/403 1409 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? - NONE/- text/html
1176540935.491 1 192.168.1.4 TCP_DENIED/403 1409 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? - NONE/- text/html
1176540945.750 10 192.168.1.4 TCP_DENIED/403 1409 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? - NONE/- text/html
1176540954.219 9 192.168.1.4 TCP_DENIED/403 1409 POST
http://gateway.messenger.hotmail.com/gateway/gateway.dll? - NONE/- text/html

[root@localhost ~]# tail -f /var/log/squid/access.log


1176545204.119 12738 192.168.1.4 TCP_MISS/301 600 GET http://www.linuxchixperu.org/archivo/red DIRECT/208.113.148.218 text/html
1176545204.737 333 192.168.1.4 TCP_MISS/200 664 GET http://www.linuxchixperu.org/archivo/red/ DIRECT/208.113.148.218 text/html
1176545206.078 254 192.168.1.4 TCP_MISS/404 584 GET http://www.linuxchixperu.org/favicon.ico DIRECT/208.113.148.218 text/html
1176545211.712 4 192.168.1.4 TCP_DENIED/403 1412 GET
http://www.linuxchixperu.org/archivo/red/NetSupport%20School%208.5%20By%20ROB.zip - NONE/- text/html

Modificar el archivo /etc/squid/squid.conf para que los mensajes de error se muestren en español:
# TAG: error_directory
#	If you wish to create your own versions of the default
#	(English) error files, either to customize them to suit your
#	language or company copy the template English files to another
#	directory where the error files are read from.
#	/usr/lib/squid/errors contains sets of error files
#	in different languages. The default error directory
#	is /etc/squid/errors, which is a link to one of these
#	error sets.
#
#	If you wish to create your own versions of the error files,
#	either to customize them to suit your language or company,
#	copy the template English files to another
#	directory and point this tag at them.
#
#error_directory /usr/lib/squid/errors/English
#
#Default:
error_directory /usr/lib/squid/errors/Spanish

Reiniciar el servidor proxy


[root@localhost ~]# /etc/init.d/squid restart
Deteniendo squid: .
[ OK ]
Iniciando squid: .
[ OK ]
[root@localhost ~]#

Configurar Proxy Transparente

Modificar en el archivo /etc/squid/squid.conf el parámetro http_port:


http_port 3128 transparent

Para versiones antiguas del squid tener las siguientes líneas descomentadas:
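# Transparent-proxy settings for old Squid releases, which use the
# httpd_accel_* directives (later releases replaced them with
# "http_port ... transparent").
# Bind only to the LAN-facing address so the proxy is not reachable
# on the external interface.
http_port 10.0.0.1:3128
# Must match the client network that the PREROUTING rule redirects to 3128
acl redlocal src 10.0.0.0/8
httpd_accel_host virtual
httpd_accel_port 80
# Directive name was misspelled (httpd_accel_wiht_proxy) in the original
httpd_accel_with_proxy on
httpd_accel_uses_host_header on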

Configurando el redireccionamiento del puerto 80 al puerto 3128

Instalar iptables
[root@localhost squid]# urpmi iptables
ftp://ftp.rediris.es/pub/linux/distributions/mandrakelinux/official/2006.0/i586/media/main/iptables-1.3.3-3mdk.i586.rpm
instalando iptables-1.3.3-3mdk.i586.rpm desde
/var/cache/urpmi/rpms
Preparando...
#############################################
1/1: iptables
#############################################
[root@localhost squid]#

Ejecutar los siguientes comandos. Nótese que solo se redirige a squid el tráfico TCP con destino al puerto 80: cualquier otro puerto (por ejemplo HTTPS/443) sale directamente por MASQUERADE sin pasar por los filtros del proxy. Además, ni las reglas de iptables ni el valor de ip_forward persisten tras un reinicio; conviene guardarlos (iptables-save y /etc/sysctl.conf):


[root@localhost squid]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost squid]# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j REDIRECT --to-port 3128
[root@localhost squid]# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE
[root@localhost squid]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
REDIRECT tcp -- anywhere
anywhere
tcp dpt:http redir ports 3128
Chain POSTROUTING (policy ACCEPT)
target prot opt source
destination
MASQUERADE all -- 10.0.0.0/8
anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source
destination
[root@localhost squid]#
[root@localhost squid]# /etc/init.d/squid restart
Deteniendo squid: .
[ OK ]
Iniciando squid: .
[ OK ]
[root@localhost squid]#

NOTA: También se podría usar el siguiente comando en reemplazo de: iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE
[root@localhost squid]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.3
[root@localhost squid]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
REDIRECT tcp -- anywhere
anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source
destination
SNAT
all -- anywhere
anywhere

tcp dpt:http redir ports 3128

to:192.168.1.3

Chain OUTPUT (policy ACCEPT)


target prot opt source
destination
[root@localhost squid]#

Configurando las estaciones de trabajo


Definir como gateway predeterminado la dirección IP del proxy transparente.

Probando el proxy transparente

[root@localhost squid]# tail -f /var/log/squid/access.log


1176554676.279 1515 10.0.0.2 TCP_MISS/503 1352 GET http://66.132.203.183/dm.gif? - NONE/- text/html
1176554677.183 1867 10.0.0.2 TCP_MISS/200 332 GET http://66.132.221.51/adserver/adlog.php? DIRECT/66.132.221.51 image/gif
1176554677.964 1766 10.0.0.2 TCP_MISS/200 2115 GET http://www.rpp.com.pe/images/portada/deportes/128283_m.jpg
- DIRECT/68.142.121.184 image/jpeg
1176554678.676 2035 10.0.0.2 TCP_MISS/200 676 GET http://www.rpp.com.pe/javascript/certifica-js14.js DIRECT/68.142.121.184 application/x-javascript
1176554679.161 4487 10.0.0.2 TCP_MISS/200 37204 GET http://www.rpp.com.pe/imagenes/logo_felicidad.gif DIRECT/68.142.121.184 image/gif
1176554679.630 5357 10.0.0.2 TCP_MISS/200 35332 GET http://www.rpp.com.pe/imagenes/logo_oxigeno.gif DIRECT/68.142.121.184 image/gif
1176554680.192 5004 10.0.0.2 TCP_MISS/200 48298 GET http://66.132.221.51/adserver/media//boton300_secre.gif DIRECT/66.132.221.51 image/gif
1176554680.511 1126 10.0.0.2 TCP_MISS/200 10069 GET http://www.rpp.com.pe/javascript/certifica.js DIRECT/68.142.121.184 application/x-javascript
1176554682.117 390 10.0.0.2 TCP_MISS/200 436 GET http://hits.e.cl/cert/hit.dll? - DIRECT/200.41.115.150 image/gif
1176554773.780 3 10.0.0.2 TCP_DENIED/403 1331 GET http://www.cisco.com/ - NONE/- text/html
[root@localhost squid]#
