Bagaimana mambuat Transparent proxy ?

i) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network (around 150 windows XP systems))
iv) OS: Red Hat Enterprise Linux 4.0 (Following instruction should work with Debian and all other Linux distros)

Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
Server Configuration

* Step #1 : Squid configuration so that it will act as a transparent proxy
* Step #2 : Iptables configuration
o a) Configure system as router
o b) Forward all http requests to 3128 (DNAT)
* Step #3: Run scripts and start squid service

First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf

Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

* httpd_accel_host virtual: Squid as an httpd accelerator
* httpd_accel_port 80: 80 is port you want to act as a proxy
* httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
* httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
* acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
* http_access allow localhost: Squid access to LAN and localhost ACL only
* http_access allow lan: — same as above –

Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v “^#” /etc/squid/squid.conf | sed -e ‘/^$/d’

OR, try out sed (thanks to kotnik for small sed trick)
# cat /etc/squid/squid.conf | sed ‘/ *#/d; /^ *$/d’

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
Iptables configuration

Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j DNAT –to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-port 3128

Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128 (Download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER=“192.168.1.1″
# Interface connected to Internet
INTERNET=“eth0″
# Interface connected to LAN
LAN_IN=“eth1″
# Squid port
SQUID_PORT=“3128″
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state –state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables –table nat –append POSTROUTING –out-interface $INTERNET -j MASQUERADE
iptables –append FORWARD –in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp –dport 80 -j DNAT –to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp –dport 80 -j REDIRECT –to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on
Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.
How do I test my squid proxy is working correctly?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.
Problems and solutions
(a) Windows XP FTP Client

All Desktop client FTP session request ended with an error:
Illegal PORT command.

I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp

Please note that modprobe command is already added to a shell script (above).
(b) Port 443 redirection

I had block out all connection request from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) request denied. You cannot redirect port 443, from debian mailing list, “Long answer: SSL is specifically designed to prevent “man in the middle” attacks, and setting up squid in such a way would be the same as such a “man in the middle” attack. You might be able to successfully achive this, but not without breaking the encryption and certification that is the point behind SSL“.

Therefore, I had quickly reopen port 443 (router firewall) for all my LAN computers and problem was solved.

Instalasi Squid, Banner Filter, Porn Filter, Limit Bandwith, Transparan Proxy

1. Instalasi Banner Filter
Penempatan direktori Banner Filter harus didalam direktori www kita. misal saya di /usr/local/apache/htdocs .download souce Banner Filter di http://phroggy.com/files/unix/bannerfilter-1.21.tar.gz

[root@PROXY sman1]# wget http://phroggy.com/files/unix/bannerfilter-1.21.tar.gz

Ekstrak source bannerfilter-1.21.tar.gz :
[root@PROXY sman1]# tar -xzvf bannerfilter-1.21.tar.gz

Kemudian pindahkan hasil exstrak bannerfilter-1.21.tar.gz ke dalam /usr/local/apache/htdocs
[root@PROXY sman1]# mv bannerfilter-1.21 /usr/local/apache/htdocs/bannerfilter
[root@PROXY sman1]# cd /usr/local/apache/htdocs/bannerfilter

Edit file bannerfilter.conf
[root@PROXY bannerfilter]# mv bannerfilter.conf /etc
[root@PROXY bannerfilter]# vi /etc/bannerfilter.conf

Contoh isi bannerfilter.conf saya :
# Path to the directory containing the data files:
$DATA=’/usr/local/apache/htdocs/bannerfilter’;

# URL of the directory containing the HTML and graphics files
# (this must be accessible by the machine running Squid; it does
# not need to be accessible to the client machines):
$WWW=’http://www.rsds.or.id/bannerfilter/www’;

# Path to the banner log file if you want one, or leave empty (if
# specified, Squid must have write access to this file):
$LOG=”;

# $LOG=’/tmp/bannerlog.txt’;
# If you prefer not to see “Blocked”, use null.gif instead of
# banner.gif:
$BANNERGIF=’banner.gif’;

Penambahan script bannerfilter nantinya akan diletakan didalam squid.conf
redirect_program /usr/local/apache/htdocs/bannerfilter/redirector.pl

2. Instalasi Squid
Sebelum installasi squid, pastikan daemon squid yang asli dari redhat harus anda stop atau musnahkan !!
caranya :
[root@PROXY sman1]# /etc/rc.d/init.d/squid stop
[root@PROXY sman1]# for a in `rpm -qa | grep squid`; do rpm -e –nodeps $a; done

Sekarang kita mendownload source squid. Saya menggunakan squid-2.6.STABLE6 Download source squid di http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE6.tar.gz

[root@PROXY sman1]# wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE6.tar.gz

Ekstrak source squid-2.6.STABLE6.tar.gz :
[root@PROXY sman1]# tar -xzvf squid-2.6.STABLE6.tar.gz
[root@PROXY sman1]# cd squid-2.6.STABLE6

Buat user untuk menjalankan squid, nama usernya adalah squid
Guna meningkatkan keamanan server kita, maka user squid tidak bisa digunakan untuk login
[root@PROXY squid-2.6.STABLE6]# useradd -d /usr/local/squid/ -r -s /dev/null squid > /dev/null 2>&1

Kompilasi dan install Squid :
[root@PROXY squid-2.6.STABLE6]# ./configure –prefix=/usr/local/squid –exec-prefix=/usr/local/squid \
> –enable-delay-pools –enable-cache-diggests –enable-poll \
> –disable-ident-lookups –enable-async-io=16 \
> –enable-auth-modules –enable-removal-policies –enable-snmp

[root@PROXY squid-2.6.STABLE6]# make all
Biasanya proses make all ini berlangsung lama, alangkah baiknya kita ambil sebatang rokok lalu di bakar betapa indahnya dunia ini !!

[root@PROXY squid-2.6.STABLE6]# make install

Sekarang kita masuk dalam tahap meng-edit konfigurasi ke dalam file squid.conf
[root@PROXY squid-2.6.STABLE6]# cd /usr/local/squid/etc

Anda bisa membaca terlebih dahulu http://www.squid-cache.org/Doc/FAQ/FAQ.html (Ambil sebatang rokok lagi agar ketegangan anda mereda !!)
Dalam meng-edit konfigurasi squid, anda bisa membaca readme yang sudah ada di dalam file squid.conf atau anda juga bisa melihat atau mengambil, file yang sudah saya edit http://www.rsds.or.id/linux/squid.conf.sman1

[root@PROXY etc]# wget http://www.rsds.or.id/linux/squid.conf.sman1
[root@PROXY etc]# vi squid.conf.sman1

kemudian carilah kata-kata dalam file squid.conf.sman1 seperti keterangan dibawah ini yang berhurup bold italic :
ftp_user name@domain-anda.com
dns_nameservers IP-Address-DNS-ISP-Anda
acl user src 192.168.0.0/255.255.255.0
(ip192.168.0.0 adalah ranges ip address client kita mulai 192.168.0.0 sampai 192.168.0.255)

Didalam file squid.conf.sman1, sudah saya tambahkan script untuk menjalankan Banner Filter dan Porn Filter :
redirect_program /usr/local/apache/htdocs/bannerfilter/redirector.pl
acl porn url_regex “/usr/local/squid/etc/porn.txt”
http_access deny porn

“Jika anda tidak menginginkan Banner Filter atau Porn Filter berjalan, maka pada awal script Banner Filter atau Porn Filter dalam file squid.conf.sman1 harus di beri tanda ” # ” :
#redirect_program /usr/local/apache/htdocs/bannerfilter/redirector.pl
#acl porn url_regex “/usr/local/squid/etc/porn.txt”
#http_access deny porn

3. Limit Bandwith
Dalam file squid.conf.sman1, juga sudah saya tambahkan script untuk menggunakan delay pool :

#———————— DELAY POLL KONFIGURASI SMAN1 —————————
#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org
#We don’t want to limit downloads on our local network
acl magic_words1 url_regex -i 192.168.
#We want to limit downloads of these type of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav
#We don’t block .html, .gif, .jpg and similar files, because they
#generally don’t consume much bandwith
#We have two different delay_pools
delay_pools 2
#First delay pool
#W don’t want to delay our local traffic
#There are three pool classes; here we will deal only with the second
delay_class 1 2
#-1/-1 mean that there are no limits
delay_parameters 1 -1/-1 -1/-1
#magic_words1: 192.168
delay_access 1 allow magic_words1
#Second delay pool
#we want to delay downloading files mentioned in magic_words2
delay_class 2 2
#The numbers here are values in bytes;
#we must remember that Squid doesn’t consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s
delay_parameters 2 5000/150000 5000/120000
delay_access 2 allow magic_words2
#——————————————————————————–

“Jika anda tidak menginginkan Limit Bandwith berjalan, maka pada awal script delay poll dalam file squid.conf.sman1 harus diberi tanda ” # “
#———————— DELAY POLL KONFIGURASI SMAN1 —————————
#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org
#We don’t want to limit downloads on our local network
#acl magic_words1 url_regex -i 192.168.
#We want to limit downloads of these type of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav
#We don’t block .html, .gif, .jpg and similar files, because they
#generally don’t consume much bandwith
#We have two different delay_pools
#delay_pools 2
#First delay pool
#W don’t want to delay our local traffic
#There are three pool classes; here we will deal only with the second
#delay_class 1 2
#-1/-1 mean that there are no limits
#delay_parameters 1 -1/-1 -1/-1
#magic_words1: 192.168
#delay_access 1 allow magic_words1
#Second delay pool
#we want to delay downloading files mentioned in magic_words2
#delay_class 2 2
#The numbers here are values in bytes;
#we must remember that Squid doesn’t consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s
#delay_parameters 2 5000/150000 5000/120000
#delay_access 2 allow magic_words2
#——————————————————————————–

Merubah nama file squid..conf yang asli dari komputer anda ke nama file lain. (sebagai back-up)
Dan merubah squid.conf.sman1 menjadi squid.conf
[root@PROXY etc]# mv squid.conf squid.conf.punyaku
[root@PROXY etc]# mv squid.conf.sman1 squid.conf

4. Instalasi Porn Filter
Buatlah terlebih dahulu file dengan nama porn.txt
[root@PROXY etc]# touch porn.txt

Isikan file porn.txt dengan site-site yang hendak anda tutup, misal www.17tahun.com
[root@PROXY etc]# vi porn.txt
isikan dengan kata 17tahun

Menjalankan squid
Memberi hak direktori squid dan bannerfilter agar proses berjalan lancar :
[root@PROXY etc]# chown -R squid.squid /usr/local/squid
[root@PROXY etc]# chown -R squid.squid /usr/local/apache/htdocs/bannerfilter

Aktifkan cache squid anda terlebih dahulu:
[root@PROXY etc]# /usr/local/squid/sbin/squid -z

Jika muncul permission denied pada saat pembuatan cache, cek dulu owner dan permission untuk directory cache :
[root@PROXY etc]# chmod 777 /usr/local/squid/var/logs/

Sampai tahap ini jika ada pesan error mohon email ke sman1@rsds.or.id

Jalankan daemon squid anda :
[root@PROXY etc]# /usr/local/squid/sbin/squid

Cek squid anda apakah jalan atau tidak :
[root@PROXY etc]# netstat -pln | grep squid
tcp 0 0 0.0.0.0 :8080 0.0.0.0:* LISTEN 777/(squid)
udp 0 0 0.0.0.0 :32771 0.0.0.0:* 777/(squid)
udp 0 0 0.0.0.0 :3130 0.0.0.0:* 777/(squid)

Jika keluar seperti hal diatas, maka squid anda telah berjalan !! rokokan dulu ah…: )

Test Squid Dari Komputer Client
Lakukan penge-test ping antar network anda, misal server anda mempunyai ip 192.168.0.1 dan ip windows client anda 192.168.1.2 :
[root@PROXY etc]# ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) from 192.168.0.1 : 56(84) bytes of data.
Warning: time of day goes back, taking countermeasures.
64 bytes from 192.168.0.2: icmp_seq=0 ttl=255 time=233 usec
64 bytes from 192.168.0.2: icmp_seq=1 ttl=255 time=161 usec

Jika anda mempunyai client dengan operating system windows 98 atau windows me atau windows XP, pada software internet explorer coba isikan proxy dengan ip server anda dan port 8080 (misal ip server saya 192.168.0.1 maka pengisian proxy adalah 192.168.0.1 : 8080)

Coba anda buka situs-situs berikut ini dalam masing-masing new windows internet explorer :
http://www.yahoo.com , http://www.17tahun.com , http://zdads.e-media.com

1. Bila situs http://www.yahoo.com terbuka maka artinya pengerjaan squid anda sampai tahap ini berjalan lancar.

2. Bila situs http://www.17tahun.com tidak terbuka dan hanya bertulisakan ACCESS DENIED maka Porn Firter anda berjalan lancar. Anda bisa menambahkan situs-situs yang ingin anda tutup, dengan meng-edit kembali file porn.txt
[root@PROXY sman1]# vi /usr/local/squid/etc/porn.txt

3. Bila situs http://zdads.e-media.com tidak berbuka dan hanya bergambar BLOCKED AREA maka Banner Filter anda berjalan lancar.

5. Transparan Proxy
Agar lebih mudah kita akan menggunakan iptables
[root@PROXY sman1]# /sbin/iptables -F -t nat
[root@PROXY sman1]# /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.0.0/255.255.255.0 \
> –dport 80 -j DNAT –to 192.168.0.1:8080

keterangan iptables diatas :
1. eth1 adalah interface lancard untuk ip gateway client.
2. 192.168.0.0/255.255.255.0 adalah ip client kita mulai dari 192.168.0.0 sampai 192.168.0.255.
3. –dport 80 -j DNAT –to 192.168.0.1:8080 adalah bila ada request port 80 (biasanya browsing), akan di paksa masuk ke squid dengan ip 192.168.0.1 port 8080.

Jika anda mempunyai client dengan operating system windows 98 atau windows me atau windows XP, pada software internet explorer, pastikan tidak terisi proxy. Dan pastikan pengisian ip client dan ip gateway client anda adalah benar adanya !!!
(Misal ip client saya mempunyai ip 192.168.0.2 dan ip gateway 192.168.0.1)

Coba anda buka situs-situs berikut ini dalam masing-masing new windows internet explorer :
http://www.yahoo.com , http://www.17tahun.com , http://zdads.e-media.com

1. Bila situs http://www.yahoo.com terbuka maka artinya pengerjaan squid anda sampai tahap ini berjalan lancar.

2. Bila situs http://www.17tahun.com tidak terbuka dan hanya bertulisakan ACCESS DENIED maka Porn Firter anda berjalan lancar. Anda bisa menambahkan situs-situs yang ingin anda tutup, dengan meng-edit kembali file porn.txt
[root@PROXY sman1]# vi /usr/local/squid/etc/porn.txt

3. Bila situs http://zdads.e-media.com tidak berbuka dan hanya bergambar BLOCKED AREA maka Banner Filter anda berjalan lancar.

Autorun Squid dan Transparan Proxy
Bila server squid kita restart dan kita tidak ingin mengulangi command2x seperti hal-hal pada artikel di atas, maka masukan script pada /etc/rc.local :
[root@PROXY sman1]# vi /etc/rc.local

isikan dengan :
#Menjalankan Transparan Proxy
/sbin/iptables -F -t nat
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.0.0/255.255.255.0 –dport 80 -j DNAT –to 192.168.0.1:8080

#Menghidupkan Squid
/bin/rm /usr/local/squid/var/logs/squid.pid
/usr/local/squid/sbin/squid

6. Lain-Lain
Bila kita inggin melihat siapa saja yang sedang mengunakan squid kita dan situs-situs apa saja yang mereka buka, anda bisa menggunakan:
[root@PROXY sman1]# tail -f /usr/local/squid/var/logs/access.log

Bila anda merubah isi file squid.conf dan ingin mencoba apakah squid.conf yang kita rubah bisa sesuai yang kita inginkan :
[root@PROXY sman1]# /usr/local/squid/sbin/squid -k reconfigure

7. ChangeLog
24 Maret 2003
Penambahan permission pada direktory cache (dani@bisnisweb.com)

24 Maret 2003
Penulisan tutorial ini dimulai (sman1@rsds.or.id)

8. Referensi
1. http://www.squid-cache.org/
2. http://www.tldp.org/HOWTO/mini/TransparentProxy.html
3. http://jateng.linux.or.id/index.html
4. http://netfilter.samba.org/
5. http://phroggy.com/bannerfilter/

dikutip dari http//www.funkeyz.inc.md

MySQL yeuh

Instalasi dan konfigurasi mysql-5.0.45
1. login sebagai root dan buat group mysql untuk menjalankan aplikasi:
[root@webserver /]# ./usr/sbin/groupadd mysql
2. Buat user mysql untuk menjalankan aplikasi
[root@webserver /]# ./usr/sbin/useradd -g mysql mysql
3. Extract file mysql-5.0.45-linux
[root@webserver local]# gunzip /home/gunawan/mysql-5.0.45-linux-i686-glibc23.tar.gz | tar xvf -
4. Buat link file
[root@webserver local]# ln -s /home/gunawan/mysql-5.0.45-linux-i686-glibc23 mysql
[root@webserver local]# cd mysql
5. Rubah kepemilikan user
[root@webserver mysql]# chown -R mysql .
6. Rubah kepemilikan group
[root@webserver mysql]# chgrp -R mysql .
7. Jalankan script untuk mengaktifkan mysql
[root@webserver mysql]# scripts/mysql_install_db –user=mysql
Neither host ‘webserver’ nor ‘localhost’ could be looked up with ./bin/resolveip
Please configure the ‘hostname’ command to return a correct hostname.
If you want to solve this at a later stage, restart this script with the –force option
[root@webserver mysql]# scripts/mysql_install_db –force –user=mysql
Installing MySQL system tables…
OK
Filling help tables…
OK

Setelah semuanya di install, kita harus melakukan testing

[root@webserver mysql]# ./support-files/mysql.server status
MySQL running (7585) [ OK ]

8. Agar mysql dijalankan pada saat server/mesin berjalan lakukan konfigurasi pada file /etc/rc.local
[root@webserver mysql]# vi /etc/rc.local

—sesuaikan path-nya dengan direktori instalasi anda
./home/gunawan/mysql-5.0.45-linux-i686-glibc23/bin/mysqld_safe –user=mysql &

Instalasi MySQL