Squid Newbie Problem

**Tomcool** · 16.02.02, 10:14

Hi Freunde der Sonne,
ich habe jetzt auf meinen funktionierenten SuSE7.2 Router/Gateway (ISDN) Squid installiert und mit Webmin 0.92 eingestellt und gestartet (was heißt eingestelt, eigentlich nur gestartet) und nun kommt diese fehlermeldung wenn ich vom Windoof im IE ihn einstelle und eine Adresse anwähle:

ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

While trying to retrieve the URL: http://www.web.de/

The following error was encountered:

Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is webmaster.

--------------------------------------------------------------------------------
Generated Sat, 16 Feb 2002 10:12:49 GMT by router.local (Squid/2.3.STABLE4-hno.CVS)

Was muss ich einstellen? Wegen denn Access Denied bestimmt irgendwas?? oder?? AHHHH

Mfg.

Tom

**SAdemar** · 16.02.02, 10:32

Du must erst die Acl's ( Benutzer ) festlegen !
Bsp.:
acl Lan src 192.168.0.0/255.255.255.0

Dann den ACL den Zugriff erlauben :
Bsp.:
http_access allow Lan

öffne doch die squid.conf in einen Editor (geht auch über webmin).
hoffe ich konnte dir helfen!

**Tomcool** · 16.02.02, 11:31

jo, sie funktioniert (fast). Nächstes Problem, sobald ich jetzt noch mein IPTABLES skript aktiviere geht sie nicht mehr, aber ohne firewall geht squid.
was muss ich änderen im skript: mein skript:

#!/bin/bash
#
# Firewallscript
#
# erstmal ein paar Variablen setzen
#
echo
echo Firewall wird gestartet
echo Bitte warten...
echo
IPTABLES=/sbin/iptables
NET_LOC="192.168.0.0/24"
BCAST_LOC="192.168.0.255"
IF_LOC=eth0
IF_EXT=ippp0
#
# Module laden
#
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_MIRROR
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#
#
# keine Antwort auf Broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# keine Antwort auf unsinnige Fehlermeldungen
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# einige Timeouts setzen
echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate
echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate
# keine sourcegerouteten Pakete akzeptieren
echo "0" > /proc/sys/net/ipv4/conf/$IF_EXT/accept_source_route
# keine ICMP-Redirects akzeptieren
echo "0" > /proc/sys/net/ipv4/conf/$IF_EXT/accept_redirects
# Reverse-Path_Filtering aktivieren
echo "1" > /proc/sys/net/ipv4/conf/$IF_EXT/rp_filter
# loggen falscher Pakete aktivieren
echo "1" > /proc/sys/net/ipv4/conf/$IF_EXT/log_martians
# bootp-Relay deaktivieren
echo "0" > /proc/sys/net/ipv4/conf/$IF_EXT/bootp_relay
#
# IP-Forwarding aktivieren
echo "1" > /proc/sys/net/ipv4/ip_forward
# wenn dynamische Adresszuweisung durch den ISP, aktivieren
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Regeln
#
# evtl. vorhanden Regeln löschen
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# Standardregeln auf DROP setzen
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Zugriff auf Loopback-Device zulassen
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# alle Pakete, die von aussen kommen und vorgeben von innen zu sein abweisen
$IPTABLES -A INPUT -i $IF_EXT -s $NET_LOC -j REJECT
# Merkwürdige Pakete vernichten
$IPTABLES -t nat -A PREROUTING -i $IF_EXT -s 192.168.202.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $IF_EXT -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $IF_EXT -s 172.16.0.0/12 -j DROP
# Pakete wie ungültige Header, illegale Kombination von TCP-Flags, illegale
# TCP/IP-Optionen, Ping of Death u.a. löschen
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
#
#
# Einige Ports die von innen nach aussen wollen werden gesperrt und geloggt
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 20034 -m limit -j LOG --log-prefix "Netbus von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 20034 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 79 -m limit -j LOG --log-prefix "Finger von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 79 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 30 -m limit -j LOG --log-prefix "Tracerout von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 30 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 6670 -m limit -j LOG --log-prefix "Deepthroat von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 6670 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 1234 -m limit -j LOG --log-prefix "Sub 7 von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 1234 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 6711:6713 -m limit -j LOG --log-prefix "Sub 7 von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 6711:6713 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 12345:12346 -m limit -j LOG --log-prefix "Netbus von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 31337 -m limit -j LOG --log-prefix "Back Orifice von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 31337 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 6000 -m limit -j LOG --log-prefix "X-Windows von innen "
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 6000 -j DROP
#$IPTABLES -A FORWARD -i eth0 -p tcp --dport 21 -m limit -j LOG --log-prefix "FTP von innen "
#$IPTABLES -A FORWARD -i eth0 -p tcp --dport 80 -j DROP
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 33434:33523 -m limit -j LOG --log-prefix "X-Windows von innen"
$IPTABLES -A FORWARD -i eth0 -p tcp --dport 33434:33523 -j DROP
#
# Server alles verbieten
$IPTABLES -A FORWARD -i eth0 -s 192.168.2x.x -m limit -j LOG --log-prefix "online versuch"
$IPTABLES -A FORWARD -i eth0 -s 192.168.2x.x -j DROP
#
# unbeschränkten Verkehr von innen nach aussen zulassen
$IPTABLES -A INPUT -i $IF_LOC -s $NET_LOC -j ACCEPT
$IPTABLES -A FORWARD -i $IF_LOC -s $NET_LOC -j ACCEPT
$IPTABLES -A FORWARD -o $IF_EXT -i $IF_LOC -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Verkehr von innen nach innen zulassen
$IPTABLES -A OUTPUT -o $IF_LOC -d $NET_LOC -j ACCEPT
# Verkehr von aussen nach innen blocken
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Schutz gegen Ping-Flood
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# keine Pings ins interne Netz forwarden
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $IF_LOC -j REJECT
# kein Ping auf Broadcast zulassen
$IPTABLES -A INPUT -p icmp -d $BCAST_LOC -j DROP
# andere ICMP zulassen
$IPTABLES -A INPUT -p icmp -j ACCEPT
# eingehende Antworten zulassen
$IPTABLES -A FORWARD -i $IF_EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMB nach aussen sperren
$IPTABLES -A FORWARD -o $IF_EXT -p tcp --dport 137:139 -j LOG --log-prefix "SMB scan ueber tcp "
$IPTABLES -A FORWARD -o $IF_EXT -p tcp --dport 137:139 -j REJECT
$IPTABLES -A FORWARD -o $IF_EXT -p udp --dport 137:139 -j LOG --log-prefix "SMB scan ueber udp "
$IPTABLES -A FORWARD -o $IF_EXT -p udp --dport 137:139 -j REJECT
#
# einige Ports werden komplett abgedichtet aber geloggt
$IPTABLES -A INPUT -p tcp --dport 22 -m limit -j LOG --log-prefix "SSH versuch "
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP
$IPTABLES -A INPUT -p tcp --dport 79 -m limit -j LOG --log-prefix "Finger versuch "
$IPTABLES -A INPUT -p tcp --dport 79 -j DROP
$IPTABLES -A INPUT -p tcp --dport 23 -m limit -j LOG --log-prefix "Telnet versuch "
$IPTABLES -A INPUT -p tcp --dport 23 -j DROP
$IPTABLES -A INPUT -p tcp --dport 30 -m limit -j LOG --log-prefix "Tracerout versuch "
$IPTABLES -A INPUT -p tcp --dport 30 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG --log-prefix "Deepthroat scan "
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 1243 -m limit -j LOG --log-prefix "Trojaner sub7 scan "
$IPTABLES -A INPUT -p tcp --dport 1243 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711:6713 -m limit -j LOG --log-prefix "Subseven scan "
$IPTABLES -A INPUT -p tcp --dport 6711:6713 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -m limit -j LOG --log-prefix "Netbus scan "
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG --log-prefix "Netbus scan "
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG --log-prefix "Back Orifice Scan "
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -m limit -j LOG --log-prefix "X-Windows Port "
$IPTABLES -A INPUT -p tcp --dport 6000 -j DROP
# Traceroutes benötigen zugemachten Port, deswegen kein Antworten von diesen
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP
#
# und zu guter letzt Masquerading aktivieren
$IPTABLES -t nat -A POSTROUTING -o $IF_EXT -j MASQUERADE
echo Färtsch.....
echo

Danke

Tom

**SAdemar** · 16.02.02, 11:49

Dein Lan hat die IP 192.168.0.0/24 richtig oder?
____________________________________________
$IPTABLES -A FORWARD -i eth0 -s 192.168.2x.x -m limit -j--log-prefix"online versuch" "online versuch"
$IPTABLES -A FORWARD -i eth0 -s 192.168.2x.x -j DROP
---warum trägst du hier nicht für -s 192.168.0.0/24 ein?

wenn ich das richtig verstehe willst du damit erreichen das dein dein Server keine Verbindungen selber nach außen aufbaut oder?

**Tomcool** · 16.02.02, 12:00

ne, darum gehts ja garnicht. ist nur dazu da das die IP xx nicht nach draußen soll. Hauptproblem ist das Squid nicht mit diesem Skript geht.WARUM?

**SAdemar** · 16.02.02, 12:21

gehen dann andere Seiten???
Kann es sein das es an deine Squid.conf liegt?
Kannst die ja mal posten. Lass aber das was hinterm # weg.
oder besser sende sie mal per Email. siehe Profil.

**Tomcool** · 16.02.02, 12:30

hier auch mal meine squid.conf.

http_port 80
http_port 8080
http_port 3128

# TAG: icp_port
# The port number where Squid sends and receives ICP queries to
# and from neighbor caches. Default is 3130. To disable use
# "0". May be overridden with -u on the command line.
#
#icp_port 3130

# TAG: htcp_port
# The port number where Squid sends and receives HTCP queries to
# and from neighbor caches. Default is 4827. To disable use
# "0".
#
# To enable this option, you must use --enable-htcp with the
# configure script.
#htcp_port 4827

# TAG: mcast_groups
# This tag specifies a list of multicast groups which your server
# should join to receive multicasted ICP queries.
#
# NOTE! Be very careful what you put here! Be sure you
# understand the difference between an ICP _query_ and an ICP
# _reply_. This option is to be set only if you want to RECEIVE
# multicast queries. Do NOT set this option to SEND multicast
# ICP (use cache_peer for that). ICP replies are always sent via
# unicast, so this option does not affect whether or not you will
# receive replies from multicast group members.
#
# You must be very careful to NOT use a multicast address which
# is already in use by another group of caches.
#
# If you are unsure about multicast, please read the Multicast
# chapter in the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/).
#
# Usage: mcast_groups 239.128.16.128 224.0.1.20
#
# By default, Squid doesn't listen on any multicast groups.
#
#mcast_groups 239.128.16.128

# TAG: tcp_outgoing_address
# TAG: udp_incoming_address
# TAG: udp_outgoing_address
# Usage: tcp_incoming_address 10.20.30.40
# udp_outgoing_address fully.qualified.domain.name
#
# tcp_outgoing_address is used for connections made to remote
# servers and other caches.
# udp_incoming_address is used for the ICP socket receiving packets
# from other caches.
# udp_outgoing_address is used for ICP packets sent out to other
# caches.
#
# The default behavior is to not bind to any specific address.
#
# NOTE, udp_incoming_address and udp_outgoing_address can not
# have the same value (unless it is 0.0.0.0) since they both use
# port 3130.
#
# NOTE, tcp_incoming_address has been removed. You can now
# specify IP addresses on the 'http_port' line.
#
#tcp_outgoing_address 0.0.0.0
#udp_incoming_address 0.0.0.0
#udp_outgoing_address 0.0.0.0

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

# TAG: cache_peer
# To specify other caches in a hierarchy, use the format:
#
# hostname type http_port icp_port
#
# For example,
#
# # proxy icp
# # hostname type port port options
# # -------------------- -------- ----- ----- -----------
# cache_peer parent.foo.net parent 3128 3130 [proxy-only]
# cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
# cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
#
# type: either 'parent', 'sibling', or 'multicast'.
#
# proxy_port: The port number where the cache listens for proxy
# requests.
#
# icp_port: Used for querying neighbor caches about
# objects. To have a non-ICP neighbor
# specify '7' for the ICP port and make sure the
# neighbor machine has the UDP echo port
# enabled in its /etc/inetd.conf file.
#
# options: proxy-only
# weight=n
# ttl=n
# no-query
# default
# round-robin
# multicast-responder
# closest-only
# no-digest
# no-netdb-exchange
# no-delay
# login=user

assword
# connect-timeout=nn
# digest-url=url
#
# use 'proxy-only' to specify that objects fetched
# from this cache should not be saved locally.
#
# use 'weight=n' to specify a weighted parent.
# The weight must be an integer. The default weight
# is 1, larger weights are favored more.
#
# use 'ttl=n' to specify a IP multicast TTL to use
# when sending an ICP queries to this address.
# Only useful when sending to a multicast group.
# Because we don't accept ICP replies from random
# hosts, you must configure other group members as
# peers with the 'multicast-responder' option below.
#
# use 'no-query' to NOT send ICP queries to this
# neighbor.
#
# use 'default' if this is a parent cache which can
# be used as a "last-resort." You should probably
# only use 'default' in situations where you cannot
# use ICP with your parent cache(s).
#
# use 'round-robin' to define a set of parents which
# should be used in a round-robin fashion in the
# absence of any ICP queries.
#
# 'multicast-responder' indicates that the named peer
# is a member of a multicast group. ICP queries will
# not be sent directly to the peer, but ICP replies
# will be accepted from it.
#
# 'closest-only' indicates that, for ICP_OP_MISS
# replies, we'll only forward CLOSEST_PARENT_MISSes
# and never FIRST_PARENT_MISSes.
#
# use 'no-digest' to NOT request cache digests from
# this neighbor.
#
# 'no-netdb-exchange' disables requesting ICMP
# RTT database (NetDB) from the neighbor.
#
# use 'no-delay' to prevent access to this neighbor
# from influencing the delay pools.
#
# use 'login=user

assword' if this is a personal/workgroup
# proxy and your parent requires proxy authentication.
#
# use 'connect-timeout=nn' to specify a peer
# specific connect timeout (also see the
# peer_connect_timeout directive)
#
# use 'digest-url=url' to tell Squid to fetch the cache
# digest (if digests are enabled) for this host from
# the specified URL rather than the Squid default
# location.
#
# NOTE: non-ICP neighbors must be specified as 'parent'.
#
#cache_peer hostname type 3128 3130

# TAG: cache_peer_domain
# Use to limit the domains for which a neighbor cache will be
# queried. Usage:
#
# cache_peer_domain cache-host domain [domain ...]
# cache_peer_domain cache-host !domain
#
# For example, specifying
#
# cache_peer_domain parent.foo.net .edu
#
# has the effect such that UDP query packets are sent to
# 'bigserver' only when the requested object exists on a
# server in the .edu domain. Prefixing the domainname
# with '!' means that the cache will be queried for objects
# NOT in that domain.
#
# NOTE: * Any number of domains may be given for a cache-host,
# either on the same or separate lines.
# * When multiple domains are given for a particular
# cache-host, the first matched domain is applied.
# * Cache hosts with no domain restrictions are queried
# for all requests.
# * There are no defaults.
# * There is also a 'cache_peer_access' tag in the ACL
# section.

# TAG: neighbor_type_domain
# usage: neighbor_type_domain parent|sibling domain domain ...
#
# Modifying the neighbor type for specific domains is now
# possible. You can treat some domains differently than the the
# default neighbor type specified on the 'cache_peer' line.
# Normally it should only be necessary to list domains which
# should be treated differently because the default neighbor type
# applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
# cache_peer parent cache.foo.org 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de

# TAG: icp_query_timeout (msec)
# Normally Squid will automatically determine an optimal ICP
# query timeout value based on the round-trip-time of recent ICP
# queries. If you want to override the value determined by
# Squid, set this 'icp_query_timeout' to a non-zero value. This
# value is specified in MILLISECONDS, so, to use a 2-second
# timeout (the old default), you would write:
#
# icp_query_timeout 2000
#
#icp_query_timeout 0

# TAG: maximum_icp_query_timeout (msec)
# Normally the ICP query timeout is determined dynamically. But
# sometimes it can lead to very large values (say 5 seconds).
# Use this option to put an upper limit on the dynamic timeout
# value. Do NOT use this option to always use a fixed (instead
# of a dynamic) timeout value.
#
# If 'icp_query_timeout' is set to zero, then this value is
# ignored.
#maximum_icp_query_timeout 2000

# TAG: mcast_icp_query_timeout (msec)
# For Multicast peers, Squid regularly sends out ICP "probes" to
# count how many other peers are listening on the given multicast
# address. This value specifies how long Squid should wait to
# count all the replies. The default is 2000 msec, or 2
# seconds.
#
#mcast_icp_query_timeout 2000

# TAG: dead_peer_timeout (seconds)
# This controls how long Squid waits to declare a peer cache
# as "dead." If there are no ICP replies received in this
# amount of time, Squid will declare the peer dead and not
# expect to receive any further ICP replies. However, it
# continues to send ICP queries, and will mark the peer as
# alive upon receipt of the first subsequent ICP reply.
#
# This timeout also affects when Squid expects to receive ICP
# replies from peers. If more than 'dead_peer' seconds have
# passed since the last ICP reply was received, Squid will not
# expect to receive an ICP reply on the next query. Thus, if
# your time between requests is greater than this timeout, you
# will see a lot of requests sent DIRECT to origin servers
# instead of to your parents.
#
#dead_peer_timeout 10 seconds

# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
#
# The default is to directly fetch URLs containing 'cgi-bin' or '?'.
#
#hierarchy_stoplist cgi-bin ?

# TAG: no_cache
# A list of ACL elements which, if matched, cause the reply to
# immediately removed from the cache. In other words, use this
# to force certain objects to never be cached.
#
# You must use the word 'DENY' to indicate the ACL names which should
# NOT be cached.
#
# There is no default. We recommend you uncomment the following
# two lines.
#
#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY

# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------------------------------------------------

# TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS
# SIZE. IT PLACES A LIMIT ON ONE ASPECT OF SQUID'S MEMORY
# USAGE. SQUID USES MEMORY FOR OTHER THINGS AS WELL.
# YOUR PROCESS WILL PROBABLY BECOME TWICE OR THREE TIMES
# BIGGER THAN THE VALUE YOU PUT HERE
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# * In-Transit objects
# * Hot Objects
# * Negative-Cached objects
#
# Data for these objects are stored in 4 KB blocks. This
# parameter specifies the ideal upper limit on the total size of
# 4 KB blocks allocated. In-Transit objects take the highest
# priority.
#
# In-transit objects have priority over the others. When
# additional space is needed for incoming data, negative-cached
# and hot objects will be released. In other words, the
# negative-cached and hot objects will fill up any unused space
# not needed for in-transit objects.
#
# If circumstances require, this limit will be exceeded.
# Specifically, if your incoming request rate requires more than
# 'cache_mem' of memory to hold in-transit objects, Squid will
# exceed this limit to satisfy the new requests. When the load
# decreases, blocks will be freed until the high-water mark is
# reached. Thereafter, blocks will be used to store hot
# objects.
#
# The default is 8 Megabytes.
#
cache_mem 50 MB

# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
#
# The low- and high-water marks for cache object replacement.
# Replacement begins when the swap (disk) usage is above the
# low-water mark and attempts to maintain utilization near the
# low-water mark. As swap utilization gets close to high-water
# mark object eviction becomes more aggressive. If utilization is
# close to the low-water mark less replacement is done each time.
#
# Defaults are 90% and 95%. If you have a large cache, 5% could be
# hundreds of MB. If this is the case you may wish to set these
# numbers closer together.
#
cache_swap_low 90
cache_swap_high 95

# TAG: maximum_object_size (bytes)
# Objects larger than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 4MB. If
# you wish to get a high BYTES hit ratio, you should probably
# increase this (one 32 MB object hit counts for 3200 10KB
# hits). If you wish to increase speed more than your want to
# save bandwidth you should leave this low.
#
# NOTE: if using the LFUDA replacement policy you should increase
# this value to maximize the byte hit rate improvement of LFUDA!
# See replacement_policy below for a discussion of this policy.
#
maximum_object_size 14096 KB

# TAG: minimum_object_size (bytes)
# Objects smaller than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 0 KB, which
# means there is no minimum.
#minimum_object_size 0 KB

# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
#
ipcache_size 1024
ipcache_low 90
ipcache_high 95

# TAG: fqdncache_size (number of entries)
# Maximum number of FQDN cache entries.
#fqdncache_size 1024

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Mbytes Level-1 Level2
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
# Type specifies the kind of storage system to use. Most
# everyone will want to use "ufs" as the type. If you are using
# Async I/O (--enable async-io) on Linux or Solaris, then you may
# want to try "asyncufs" as the type. Async IO support may be
# buggy, however, so beware.
#
# 'Directory' is a top-level directory where cache swap
# files will be stored. If you want to use an entire disk
# for caching, then this can be the mount-point directory.
# The directory must exist and be writable by the Squid
# process. Squid will NOT create this directory for you.
#
# If no 'cache_dir' lines are specified, the following
# default will be used: /var/squid/cache.
#
# 'Mbytes' is the amount of disk space (MB) to use under this
# directory. The default is 100 MB. Change this to suit your
# configuration.
#
# 'Level-1' is the number of first-level subdirectories which
# will be created under the 'Directory'. The default is 16.
#
# 'Level-2' is the number of second-level subdirectories which
# will be created under each first-level directory. The default
# is 256.
#
cache_dir ufs /var/squid/cache 100 16 256

# TAG: cache_access_log
# Logs the client request activity. Contains an entry for
# every HTTP and ICP queries received.
#
cache_access_log /var/squid/logs/access.log

# TAG: cache_log
# Cache logging file. This is where general information about
# your cache's behavior goes. You can increase the amount of data
# logged to this file with the "debug_options" tag below.
#
cache_log /var/squid/logs/cache.log

# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
# saved and for how long. To disable, enter "none". There are
# not really utilities to analyze this data, so you can safely
# disable it.
#
cache_store_log /var/squid/logs/store.log

# TAG: cache_swap_log
# Location for the cache "swap.log." This log file holds the
# metadata of objects saved on disk. It is used to rebuild the
# cache during startup. Normally this file resides in the first
# 'cache_dir' directory, but you may specify an alternate
# pathname here. Note you must give a full filename, not just
# a directory. Since this is the index for the whole object
# list you CANNOT periodically rotate it!
#
# If you have more than one 'cache_dir', these swap logs will
# have names such as:
#
# cache_swap_log.00
# cache_swap_log.01
# cache_swap_log.02
#
# The numbered extension (which is added automatically)
# corresponds to the order of the 'cache_dir' lines in this
# configuration file. If you change the order of the 'cache_dir'
# lines in this file, then these log files will NOT correspond to
# the correct 'cache_dir' entry (unless you manually rename
# them). We recommend that you do NOT use this option. It is
# better to keep these log files in each 'cache_dir' directory.
#
#cache_swap_log

# TAG: emulate_httpd_log on|off
# The Cache can emulate the log file format which many 'httpd'
# programs use. To disable/enable this emulation, set
# emulate_httpd_log to 'off' or 'on'. The default
# is to use the native log format since it includes useful
# information that Squid-specific log analyzers use.
#
#emulate_httpd_log off

# TAG: mime_table
# Pathname to Squid's MIME table. You shouldn't need to change
# this, but the default file contains examples and formatting
# information if you do.
#
#mime_table /usr/share/squid/mime.conf

# TAG: log_mime_hdrs on|off
# The Cache can record both the request and the response MIME
# headers for each HTTP transaction. The headers are encoded
# safely and will appear as two bracketed fields at the end of
# the access log (for either the native or httpd-emulated log
# formats). To enable this logging set log_mime_hdrs to 'on'.
#
#log_mime_hdrs off

# TAG: useragent_log
# If configured with the "--enable-useragent_log" configure
# option, Squid will write the User-Agent field from HTTP
# requests to the filename specified here. By default
# useragent_log is disabled.
#
#useragent_log none

# TAG: pid_filename
# A filename to write the process-id to. To disable, enter "none".
#
#pid_filename /var/run/squid.pid

# TAG: debug_options
# Logging options are set as section,level where each source file
# is assigned a unique section. Lower levels result in less
# output, Full debugging (level 9) can result in a very large
# log file, so be careful. The magic word "ALL" sets debugging
# levels for all sections. We recommend normally running with
# "ALL,1".
#
debug_options ALL,1

# TAG: log_fqdn on|off
# Turn this on if you wish to log fully qualified domain names
# in the access.log. To do this Squid does a DNS lookup of all
# IP's connecting to it. This can (in some situations) increase
# latency, which makes your cache seem slower for interactive
# browsing.
#
#log_fqdn off

# TAG: client_netmask
# A netmask for client addresses in logfiles and cachemgr output.
# Change this to protect the privacy of your cache clients.
# A netmask of 255.255.255.0 will log all IP's in that range with
# the last digit set to '0'.
#
#client_netmask 255.255.255.255

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------

# TAG: ftp_user
# If you want the anonymous login password to be more informative
# (and enable the use of picky ftp servers), set this to something
# reasonable for your domain, like wwwuser@somewhere.net
#
# The reason why this is domainless by default is that the
# request can be made on the behalf of a user in any domain,
# depending on how the cache is used.
# Some ftp server also validate that the email address is valid
# (for example perl.com).
#
#ftp_user Squid@

# TAG: ftp_list_width
# Sets the width of ftp listings. This should be set to fit in
# the width of a standard browser. Setting this too small
# can cut off long filenames when browsing ftp sites.
#
#ftp_list_width 32

# TAG: ftp_passive
# If your firewall does not allow Squid to use passive
# connections, then turn off this option.
##ftp_passive on

# TAG: cache_dns_program
# Specify the location of the executable for dnslookup process.
#
#cache_dns_program /usr/sbin/dnsserver

# TAG: dns_children
# The number of processes spawn to service DNS name lookups.
# For heavily loaded caches on large servers, you should
# probably increase this value to at least 10. The maximum
# is 32. The default is 5.
#
# You must have at least one dnsserver process.
#
#dns_children 5

# TAG: dns_retransmit_interval
# Initial retransmit interval for DNS queries. The interval is
# doubled each time all configured DNS servers have been tried.
#

# TAG: dns_timeout
# DNS Query timeout. If no response is received to a DNS query
# within this time then all DNS servers for the queried domain
# is assumed to be unavailable.

# TAG: dns_defnames on|off
# Normally the 'dnsserver' disables the RES_DEFNAMES resolver
# option (see res_init(3)). This prevents caches in a hierarchy
# from interpreting single-component hostnames locally. To allow
# dnsserver to handle single-component names, enable this
# option.
#
#dns_defnames off

# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#dns_nameservers none

# TAG: unlinkd_program
# Specify the location of the executable for file deletion process.
# This isn't needed if you are using async-io since it's handled by
# a thread.
#
#unlinkd_program /usr/sbin/unlinkd

# TAG: pinger_program
# Specify the location of the executable for the pinger process.
# This is only useful if you configured Squid (during compilation)
# with the '--enable-icmp' option.
#
#pinger_program /usr/sbin/pinger

# TAG: redirect_program
# Specify the location of the executable for the URL redirector.
# Since they can perform almost any function there isn't one included.
# See the Release-Notes for information on how to write one.
# By default, a redirector is not used.
#
#redirect_program none

# TAG: redirect_children
# The number of redirector processes to spawn. If you start
# too few Squid will have to wait for them to process a backlog of
# URLs, slowing it down. If you start too many they will use RAM
# and other system resources.
#
#redirect_children 5

# TAG: redirect_rewrites_host_header
# By default Squid rewrites any Host: header in redirected
# requests. If you are running a accelerator then this may
# not be a wanted effect of a redirector.
#redirect_rewrites_host_header on

# TAG: redirector_access
# If defined, this access list specifies which requests are
# sent to the redirector processes. By default all requests
# are sent.

# TAG: authenticate_program
# Specify the command for the external authenticator. Such a
# program reads a line containing "username password" and replies
# "OK" or "ERR" in an endless loop. If you use an authenticator,
# make sure you have 1 acl of type proxy_auth. By default, the
# authenticator_program is not used.
#
# If you want to use the traditional proxy authentication,
# jump over to the ../auth_modules/NCSA directory and
# type:
# % make
# % make install
#
# Then, set this line to something like
#
# authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd
#
#authenticate_program none

# TAG: authenticate_children
# The number of authenticator processes to spawn (default 5). If you
# start too few Squid will have to wait for them to process a backlog
# of usercode/password verifications, slowing it down. When password
# verifications are done via a (slow) network you are likely to need
# lots of authenticator processes.
#
#authenticate_children 5

# TAG: authenticate_ttl
# The time a checked username/password combination remains cached
# (default 3600). If a wrong password is given for a cached user,
# the user gets removed from the username/password cache forcing
# a revalidation.
#
#authenticate_ttl 3600

# TAG: authenticate_ip_ttl
# With this option you control how long a proxy authentication
# will be bound to a specific IP address. If a request using
# the same user name is received during this time then access
# will be denied and both users are required to reauthenticate
# them selves. The idea behind this is to make it annoying
# for people to share their password to their friends, but
# yet allow a dialup user to reconnect on a different dialup
# port.
#
# The default is 0 to disable the check. Recommended value
# if you have dialup users are no more than 60 (seconds). If
# all your users are stationary then higher values may be
# used.
#
#authenticate_ip_ttl 0

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------

# TAG: wais_relay_host
# TAG: wais_relay_port
# Relay WAIS request to host (1st arg) at port (2 arg).
#
#wais_relay_host localhost
#wais_relay_port 8000

# TAG: request_header_max_size (KB)
# This specifies the maximum size for HTTP headers in a request.
# Request headers are usually relatively small (about 512 bytes).
# Placing a limit on the request header size will catch certain
# bugs (for example with persistent connections) and possibly
# buffer-overflow or denial-of-service attacks.
#request_header_max_size 10 KB

# TAG: request_body_max_size (KB)
# This specifies the maximum size for an HTTP request body.
# In other words, the maximum size of a PUT/POST request.
# A user who attempts to send a request with a body larger
# than this limit receives an "Invalid Request" error message.
# If you set this parameter to a zero, there will be no limit
# imposed.
#request_body_max_size 1 MB

# TAG: reply_body_max_size (KB)
# This option specifies the maximum size of a reply body. It
# can be used to prevent users from downloading very large files,
# such as MP3's and movies. The reply size is checked twice.
# First when we get the reply headers, we check the
# content-length value. If the content length value exists and
# is larger than this parameter, the request is denied and the
# user receives an error message that says "the request or reply
# is too large." If there is no content-length, and the reply
# size exceeds this limit, the client's connection is just closed
# and they will receive a partial reply.
#
# NOTE: downstream caches probably can not detect a partial reply
# if there is no content-length header, so they will cache
# partial responses and give them out as hits. You should NOT
# use this option if you have downstream caches.
#
# If you set this parameter to zero (the default), there will be
# no limit imposed.
#reply_body_max_size 0

# TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# 'Min' is the time (in minutes) an object without an explicit
# expiry time should be considered fresh. The recommended
# value is 0, any higher values may cause dynamic applications
# to be erroneously cached unless the application designer
# has taken the appropriate actions.
#
# 'Percent' is a percentage of the objects age (time since last
# modification age) an object without explicit expiry time
# will be considered fresh.
#
# 'Max' is an upper limit on how long objects without an explicit
# expiry time will be considered fresh.
#
# options: override-expire
# override-lastmod
# reload-into-ims
# ignore-reload
#
# override-expire enforces min age even if the server
# sent a Expires: header. Doing this VIOLATES the HTTP
# standard. Enabling this feature could make you liable
# for problems which it causes.
#
# override-lastmod enforces min age even on objects
# that was modified recently.
#
# reload-into-ims changes client no-cache or ``reload''
# to If-Modified-Since requests. Doing this VIOLATES the
# HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
# ignore-reload ignores a client no-cache or ``reload''
# header. Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which
# it causes.
#
# Please see the file doc/Release-Notes-1.1.txt for a full
# description of Squid's refresh algorithm. Basically a
# cached object is: (the order is changed from 1.1.X)
#
# FRESH if expires < now, else STALE
# STALE if age > max
# FRESH if lm-factor < percent, else STALE
# FRESH if age < min
# else STALE
#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match, then the default will be used.
#
#Default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# TAG: replacement_policy
# The cache replacement policy parameter determines which
# objects are evicted (replaced) when disk space is needed.
# Squid used to have only a single replacement policy, LRU.
# But when built with -DHEAP_REPLACEMENT you can choose
# between two new, enhanced policies:
#
# GDSF: Greedy-Dual Size Frequency
# LFUDA: Least Frequently Used with Dynamic Aging
#
# Both of these policies are frequency based rather than recency
# based, and perform better than LRU.
#
# The GDSF policy optimizes object hit rate by keeping smaller
# popular objects in cache so it has a better chance of getting a
# hit. It achieves a lower byte hit rate than LFUDA though since
# it evicts larger (possibly popular) objects.
#
# The LFUDA policy keeps popular objects in cache regardless of
# their size and thus optimizes byte hit rate at the expense of
# hit rate since one large, popular object will prevent many
# smaller, slightly less popular objects from being cached.
#
# Both policies utilize a dynamic aging mechanism that prevents
# cache pollution that can otherwise occur with frequency-based
# replacement policies.
#
# NOTE: if using the LFUDA replacement policy you should increase
# the value of maximum_object_size above its default of 4096 KB to
# to maximize the potential byte hit rate improvement of LFUDA.
#
# For more information about these cache replacement policies see
# http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html and
# http://fog.hpl.external.hp.com/techr...L-98-173.html.
#
#replacement_policy LFUDA

# TAG: reference_age
# As a part of normal operation, Squid performs Least Recently
# Used removal of cached objects. The LRU age for removal is
# computed dynamically, based on the amount of disk space in
# use. The dynamic value can be seen in the Cache Manager 'info'
# output.
#
# The 'reference_age' parameter defines the maximum LRU age. For
# example, setting reference_age to '1 week' will cause objects
# to be removed if they have not been accessed for a week or
# more. The default value is one year.
#
# Specify a number here, followed by units of time. For example:
# 1 week
# 3.5 days
# 4 months
# 2.2 hours
#
# NOTE: this parameter is not used when using the enhanced
# replacement policies, GDSH or LFUDA.
#
#reference_age 1 year

# TAG: quick_abort_min (KB)
# TAG: quick_abort_max (KB)
# TAG: quick_abort_pct (percent)
# The cache can be configured to continue downloading aborted
# requests. This may be undesirable on slow (e.g. SLIP) links
# and/or very busy caches. Impatient users may tie up file
# descriptors and bandwidth by repeatedly requesting and
# immediately aborting downloads.
#
# When the user aborts a request, Squid will check the
# quick_abort values to the amount of data transfered until
# then.
#
# If the transfer has less than 'quick_abort_min' KB remaining,
# it will finish the retrieval. Setting 'quick_abort_min' to -1
# will disable the quick_abort feature.
#
# If the transfer has more than 'quick_abort_max' KB remaining,
# it will abort the retrieval.
#
# If more than 'quick_abort_pct' of the transfer has completed,
# it will finish the retrieval.
#
#quick_abort_min 16 KB
#quick_abort_max 16 KB
#quick_abort_pct 95

# TAG: negative_ttl time-units
# Time-to-Live (TTL) for failed requests. Certain types of
# failures (such as "connection refused" and "404 Not Found") are
# negatively-cached for a configurable amount of time. The
# default is 5 minutes. Note that this is different from
# negative caching of DNS lookups.
#
#negative_ttl 5 minutes

# TAG: positive_dns_ttl time-units
# Time-to-Live (TTL) for positive caching of successful DNS lookups.
# Default is 6 hours (360 minutes). If you want to minimize the
# use of Squid's ipcache, set this to 1, not 0.
#
#positive_dns_ttl 6 hours

# TAG: negative_dns_ttl time-units
# Time-to-Live (TTL) for negative caching of failed DNS lookups.
#
#negative_dns_ttl 5 minutes

# TAG: range_offset_limit (bytes)
# Sets a upper limit on how far into the the file a Range request
# may be to cause Squid to prefetch the whole file. If beyond this
# limit then Squid forwards the Range request as it is and the result
# is NOT cached.
#
# This is to stop a far ahead range request (lets say start at 17MB)
# from making Squid fetch the whole object up to that point before
# sending anything to the client.
#
# A value of -1 causes Squid to always fetch the object from the
# beginning so that it may cache the result. (2.0 style)
#
# A value of 0 causes Squid to never fetch more than the client
# client requested. (default)
#
#range_offset_limit 0 KB

# TIMEOUTS
# -----------------------------------------------------------------------------

# TAG: connect_timeout time-units
# Some systems (notably Linux) can not be relied upon to properly
# time out connect(2) requests. Therefore the Squid process
# enforces its own timeout on server connections. This parameter
# specifies how long to wait for the connect to complete. The
# default is two minutes (120 seconds).
#
#connect_timeout 120 seconds

# TAG: peer_connect_timeout time-units
# This parameter specifies how long to wait for a pending TCP
# connection to a peer cache. The default is 30 seconds. You
# may also set different timeout values for individual neighbors
# with the 'connect-timeout' option on a 'cache_peer' line.
#peer_connect_timeout 30 seconds

# TAG: siteselect_timeout time-units
# For URN to multiple URL's URL selection
#
#siteselect_timeout 4 seconds

# TAG: read_timeout time-units
# The read_timeout is applied on server-side connections. After
# each successful read(), the timeout will be extended by this
# amount. If no data is read again after this amount of time,
# the request is aborted and logged with ERR_READ_TIMEOUT. The
# default is 15 minutes.
#
#read_timeout 15 minutes

# TAG: request_timeout
# How long to wait for the first HTTP request after connection
# establishment.
#
# For persistent connections idle timeout, see pconn_timeout.
#
#request_timeout 5 minutes

# TAG: client_lifetime time-units
# The maximum amount of time that a client (browser) is allowed to
# remain connected to the cache process. This protects the Cache
# from having a lot of sockets (and hence file descriptors) tied up
# in a CLOSE_WAIT state from remote clients that go away without
# properly shutting down (either because of a network failure or
# because of a poor client implementation). The default is one
# day, 1440 minutes.
#
# NOTE: The default value is intended to be much larger than any
# client would ever need to be connected to your cache. You
# should probably change client_lifetime only as a last resort.
# If you seem to have many client connections tying up
# filedescriptors, we recommend first tuning the read_timeout,
# request_timeout, pconn_timeout and quick_abort values.
#
#client_lifetime 1 day

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#Defaults:
acl Lan src 192.168.202.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access allow Lan
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
#http_access deny all

# TAG: icp_access
# Reply to all ICP queries we receive
#
icp_access allow all

miss_access allow all

**SAdemar** · 16.02.02, 12:55

in deinen Iptables script legst du die Ip's mit 192.168.0.0/24 fest.
deswegen must du in dein squid.conf auch die Benutzer (ACL')
so festlegen!
denn wenn du da als -- acl Lan src 192.168.202.0/255.255.255.0
festlegst-- können nur alle Clienten die aus dem Subnetz 192.168.202.0/24
deinen Proxi nutzen!
Willst du aber das deine Clienten aus dem Subnetz 192.168.0.0/24 den Proxy nutzen sollen dann gebe sie per ACL frei.
---- achte auch darauf das alle deine Clients sich im gleichen Subnetz befinden!

**SAdemar** · 16.02.02, 13:06

etwa so:

internet - ---Router(192.168.0.1) -----LAN (192.168.0.0/24)

zu squid
ich sehe du willst es als Trazparentes Proxy machen:
http_port 80 ist da so nicht richtig!

ändere wie folgt:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_wiht_proxy on
httpd_accel_uses_host_header on

**Tomcool** · 16.02.02, 14:47

nein, also: mein LAN hatt die IP 192.168.202.X
die Netzwerkkarte des Routers hatt 192.168.202.3 und die fritzcard die 192.168.0.99 (aber dies wird ja eh von t-online vergeben). aber daranliegt ja jetzt nicht das problem (glaubsch). sondern vielmehr darin das wenn ich mich bei t-online einwähle und squid starte dann funtzt alles, sprich er speichert alles mit (halt proxy). ABER wenn ich nun mein firewallskript einschalte dann komm ich nicht mehr raus. Ich weiß nicht warum, kann es sein das squid irgendwelche ports braucht. aber eigentlich sind ja ale von innen nach außen offen.???
Tom

**SAdemar** · 16.02.02, 20:48

wenn dein Lan die Ip`s hat (192.168.202.0/24) da ändere dein Eintrag in dem Iptaples!
Jetzt : NET_LOC="192.168.0.0/24"
ändere auf: NET_LOC="192.168.202.0/24"
Vorschlag: Ändere mal deine Proxyeinstellung im Browser (192.168.202.3 Port 8080) und teste ob er läuft!
Wenn nein, da geh auf Webmin - Server -squid - Lerre Cache und Baue neu auf - und poste die Ausgabe!
wenn es jetzt immer noch nicht geht warte bis Montag und ich schreibe dir ein Laufendes IPTABLES script!!!

**nesh** · 16.02.02, 21:29

Hallo,
Ersmal eines vorweg zu deiner squid.conf

Du hast 3 mal hintereinenader http_port angegeben, aber nur der letzte ist gültig da er die anderen überschreibt !
Also "hört" dein squid am port 3128

Da Squid ja ein lokaler Prozess ist der nach "drausen" will, geht er über die OUTPUT chain. Diese ist bei dir aber (fast) zu und darum kann Squid nicht mehr "raus".

Damit squid funktioniert, musst du also die noch ein paar regeln in deine OUTPUT chain stellen.

Da man in der OUTPUT chain mit user ids arbeiten kann würde ich vorschlagen der user id vom squid (ist bei mir 31 siehe /etc/passwd)
alles zu erlauben:

iptables -A OUTPUT -m owner --uid-owner 31 -j ACCEPT

falls du squid aber nicht alles erlauben möchtest, dann kannst du auch nur die einzelnen Ports in der OUTPUT chain "aufmachen".
http 80
https 143
und nicht vergessen auch DNS zu erlauben
Port 53 UDP
Falls squid auch ftp machen soll dann auch
Port 20:21
Jetzt must du noch der INPUT chain sagen bestehende Pakete zu erlauben damit squid auch eine Antwort von den WEB und DNS servern erhält.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT oder genauer:
$IPTABLES -A INPUT -i $IF_EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

Ich galube das löst dein problem.... jedenfalls glaube ich verstanden zu haben was du meinst.....
Noch etwas zu deiner INPUT chain.

deine Versuche die Angriffe der Standarttrojaner in der INPUT chain zu loggen und die entsrechenden Ports zu sperren werden garnicht beachtet.
Schau mal folgendes:

IPTABLES -A INPUT -i $IF_LOC -s $NET_LOC -j ACCEPT
IPTABLES -A INPUT -i $IF_LOC -s $NET_LOC -p tcp --dport 22 -j DROP

Wenn du glaubst das SSH jetzt nicht funktioniert hast du da weit gefehlt.
das Paket kommt erst garnicht bei der DROP Regel an da du ja schon vorher alles aus dem localen Netz erlaubst. Und somit das Paket gleich weitergeleitet wird.

Die LOG und DROP versuche der standart Trojaner und Dienste am ende deines Scripts werden also keine ergebnisse liefern weil ganz am anfang schon
IPTABLES -A INPUT -i $IF_LOC -s $NET_LOC -j ACCEPT
steht

**Tomcool** · 16.02.02, 22:19

vielen dank für die mühen. werde ich morgen gleich testen.
MfG.
Tom

**SAdemar** · 17.02.02, 12:28

Denke ja Anhand des letzten Tips wurde dir auf die Sprünge geholfen! Wenn nein Frage weiter!

MFG SAdemar

**Tomcool** · 22.02.02, 21:24

OK, ich habe nun mein Skript geändert. aber nun kommt diese fehlermeldung:

router:/ # ./firewall_on

Firewall wird gestartet
Bitte warten...

iptables v1.2.1a: Couldn't load match `--state':/usr/lib/iptables/libipt_--state
.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
Färtsch.....

muss ich da was nachinstallieren. wenn ja was und woher.
Danke.
Tom