Dzień dobry.
chciałbym na ubuntu 10.04 udostępniać internet oraz filtrować treść udostępnianym komputerom. W tym celu zainstalowałem squida i dansguardiana.
sieć wygląda tak:
intrnet (dhcp) --> eth1 --> squid + dansg. --> eth0 --> lan
po wpisaniu w konsoli:
sudo /etc/init.d/squid start
dostaję:
Squid is already running! Process ID 870
i dla dansguardiana:
I seem to be running already!
czyli niby ok. Internet na SERWERZE jest reszta brak....
podam może moje confy.
squid.conf
Kod:
ilosc ramu
cache_mem 1000 MB
# Maksymalny rozmiar pliku
maximum_object_size 65536 KB
maximum_object_size_in_memory 20 KB
ipcache_size 10240
ipcache_low 90
ipcache_high 95
cache_access_log /var/log/squid/access.log
http_port 8080 transparent
error_directory /usr/share/squid/errors/pl
visible_hostname kris
log_fqdn on
log_mime_hdrs on
#ident_lookup_access allow all localhost SSL_ports Safe_ports CONNECT
#6GB dysku dla squida
cache_dir ufs /var/spool/squid 6144 12 256
#na jakim poziomie zapełnienia ma pracowaæ cache dyskowe
cache_swap_low 90
cache_swap_high 95
###########################################################
acl all src 193.167.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 70 80 210 443 563 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow all
icp_access allow all
miss_access allow all
ident_lookup_access allow all localhost SSL_ports Safe_ports CONNECT
cache_mgr administrator(at)kris.pl
######################################################
vary_ignore_expire on
relaxed_header_parser on
request_header_max_size 50 KB
refresh_pattern -i \.(gif|jpg|jpeg|png|html|bmp) 4320 90% 43200 reload-into-ims
refresh_pattern -i \.(zip|gz|bz2|exe|rar|mp3|mpg|avi|wmv|vqf|ogg) 43200 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200 reload-into-ims
refresh_pattern avast.com/.*\.(vpu|vpaa) 43200 100% 43200 reload-into-ims
refresh_pattern . 0 90% 43200 reload-into-ims
collapsed_forwarding off
refresh_stale_hit 100 seconds
half_closed_clients on
ident_timeout 1 seconds
/etc/dansguardian/dansguadian.conf
Kod:
# DansGuardian config file for version 2.10.1.1
# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf
#UNCONFIGURED - Please remove this line after configuration
reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'polish'
loglevel = 2
logexceptionhits = 2
logfileformat = 1
# Network Settings
filterip =
# the port that DansGuardian listens to.
filterport = 3128
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on
proxyport = 8080
accessdeniedaddress = '/etc/dansguardian/stop.html'
nonstandarddelimiter = off
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
# Authentication files location
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = off
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 256
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
recheckreplacedurls = off
forwardedfor = on
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
# Process options
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
softrestart = off
/etc/init.d/firewall
Kod:
#!/bin/bash
# wlaczenie w kernelu forwardowania
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# czyszczenie starych regul
iptables -F
iptables -X
iptables -t nat -X
iptables -t nat -F
iptables -t mangle -F
iptables -t mangle -X
# ustawienie domyslnej polityki
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#puszczamy pętle lokalna
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#przekierowanie ruchu na DG
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3128
#przekierowanie ruchu na 8080 squida
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# utrzymanie polaczen nawiazanych
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# udostepniaie internetu w sieci lokalnej
iptables -t nat -A POSTROUTING -s 193.167.0.0/24 -j MASQUERADE
iptables -A FORWARD -s 193.167.0.0/24 -j ACCEPT
plik /etc/dhcp3/dhcpd.conf
Kod:
#
# Sample configuration file for ISC dhcpd for Debian
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
# range 10.254.239.10 10.254.239.20;
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
# range dynamic-bootp 10.254.239.40 10.254.239.60;
# option broadcast-address 10.254.239.31;
# option routers rtr-239-32-1.example.org;
#}
# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
# hardware ethernet 08:00:07:26:c0:a5;
# fixed-address fantasia.fugue.com;
#}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}
#shared-network 224-29 {
# subnet 10.17.224.0 netmask 255.255.255.0 {
# option routers rtr-224.example.org;
# }
# subnet 10.0.29.0 netmask 255.255.255.0 {
# option routers rtr-29.example.org;
# }
# pool {
# allow members of "foo";
# range 10.17.224.10 10.17.224.250;
# }
# pool {
# deny members of "foo";
# range 10.0.29.10 10.0.29.230;
# }
#}
subnet 193.167.0.0 netmask 255.255.255.0 {
range 193.167.0.10 193.167.0.200;
option domain-name-servers 194.204.152.34 , 194.204.159.1;
option domain-name "tm.net.my";
option routers 193.167.0.1;
option broadcast-address 193.167.0.255;
default-lease-time 86400;
max-lease-time 86400;
}
to wszystko co przychodzi mi do głowy. pomocy!
Szukaj
Użytkownicy
Kalendarz
Pomoc
Blog UbuCentrum.net
