[K12OSN] K12LTSP, Squid & SquidGuard

Mike Rambo mrambo at lsd.k12.mi.us
Wed Mar 10 08:11:00 UTC 2004


On Tue, 2004-03-09 at 17:16, John Pace wrote:
> I have a small test network setup with the DG/Squid box, a switch, and a
> client. Still have not got it working yet. I think part of my problem is
> that I do not truly understand the way the two NICs in the DG/Squid box
> relate to the DG and Squid services that are running.
> 
> Is this general statement correct? "The client computers send their traffic
> to DG, and if approved it is then relayed to Squid, and if approved Squid
> sends the request through the gateway, which in my case is an IPCop
> firewall."
> 

Seems reasonable.

> Client questions:
> 
> 1. Configuring TCP/IP on the client (Gateway): To send requests through DG,
> which NIC IP on the DG/Squid box do I use as the default gateway on the
> client? I think I should use the IP of the  NIC on the "green" side, not the
> IP of the NIC that has direct internet access. Correct?
> 

Yes. The traffic needs to pass _through_ the box running squid. That
involves having ip forwarding enabled and some iptables configurations.
You can check forwarding by 'cat /proc/sys/net/ipv4/ip_forward'. It
should be '1'. The iptables stuff is dependent on network setup.

> 2. Configuring TCP/IP on the client (DNS): My firewall handles DNS, do I use
> its IP for name resolution?
> 

Yes - and your squid box should also use that dns server.

> DG/Squid NIC questions:
> 
> 1. Do the NICs use different gateways?
> 

The box has a gateway - not the netcards. The default gateway for the
box should be on the same subnet as the second (outbound) nic though.

Here is the routing table on our box. We use SquidGuard rather than DG
but the principle is the same.

[mrambo at squid2 mrambo]$ /sbin/route -n
Kernel IP routing table
Destination   Gateway         Genmask         Flags Metric Ref Use Iface
192.168.189.8 0.0.0.0         255.255.255.248 U     0      0    0  eth0
192.168.189.0 0.0.0.0         255.255.255.248 U     0      0    0  eth1
192.168.0.0   192.168.189.14  255.255.0.0     UG    1      0    0  eth0
10.0.0.0      192.168.189.14  255.0.0.0       UG    1      0    0  eth0
127.0.0.0     0.0.0.0         255.0.0.0       U     0      0    0  lo
0.0.0.0       192.168.189.1   0.0.0.0         UG    0      0    0  eth1

The default gateway on the box is the last line. 'G' on the flags means
it's a gateway - the zeros for destination mean everything. We do have
two other gateways but they are for traffic from specific internal
networks that may make it to the cache and need a way back. Don't let
the ip addresses on the two network cards (top two lines) fool you. The
subnet mask puts them on different subnets.

> If so, does the red NIC (the one facing the internet) use my firewall as the
> gateway IP? That is the IP our clients are currently using as their gateway.
> 

See above.

> Does the green (network side) use the IP of the red NIC as its gateway? Is
> one NIC funneling traffic to another the way my firewall does?
> 

See above.

> 2. Do the NICs use different DNS IPs? Do they use my firewall IP since it
> handles DNS?
> 

See above. The _box_ should use the same dns as the rest of your
network. Netcards don't need dns.

> DG specific questions and info: (I am using Webmin to configure DG)
> 
> I can find 4 settings that relate to IP/Ports in the "View / edit Config"
> option. Filter IP and Filter Port which I have set to 192.168.1.60:8080. IP
> ".60" is the IP of the NIC facing the internet, or should this be
> 192.168.1.61:8080? IP ".61" is the NIC facing the network/clients. The other
> two settings are Proxy Ip and Proxy Port which I have left to the default of
> 127.0.0.1:3128
> 
> Squid specific questions and info: (I am using Webmin to configure Squid)
> 
> Under the "Ports and Networking" I found "Proxy Addresses and Ports" which
> is set to 127.0.0.1:3128
> 

I don't use webmin for these configs but 3128 looks more like a
squidGuard port rather than DG. Isn't DG 8080 by default?

> Whew... lot of questions.

's ok.

> 
> Also, should I be able to "ping" the DG/Squid box? I can't. The cable is
> good and if I physically bypass the DG box I can access the internet.
> 

Definitely (unless you are blocking icmp at a managed switch/router). If
you can't it explains why the setup doesn't work. I think you need to
start with the basic network setup. Until you can ping the squid box and
the device at the next hop thereafter it's not going to work. Are you
using an out-of-the-box squid/network config from k12ltsp? What subnets
are your clients, the squid box, and the IPCOP gateway using? Are you
trying to transparent proxy? Sorry if some of this has been addressed
and I missed it.

I'd suggest ignoring both squid and DG for now. Just concentrate on
getting the squid box itself to be accessible (ping) and then
successfully route traffic to your gateway. Then add back squid with the
transparent proxy (if that is what you want). Last add in DG.


-- 
Mike Rambo
mrambo at lsd.k12.mi.us

Computers are a lot like air conditioners.
They don't work well with windows open...
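The checks Mike describes above (ip_forward must read '1', the default route is the 0.0.0.0 line with the G flag, and the box and its next hop must answer ping before squid or DG are worth touching) can be scripted. The following is an added example and not code from the original thread or from K12LTSP; the function names are hypothetical, and the routing table embedded in SAMPLE_ROUTES is a constructed sample in the same `route -n` layout as the one posted, used so the parsing functions can be exercised without a live box.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers that parse a
# `/sbin/route -n` style table and the ip_forward sysctl value, plus a
# live check that runs them on the current host.

# Constructed sample in the format printed by /sbin/route -n
SAMPLE_ROUTES='Kernel IP routing table
Destination   Gateway         Genmask         Flags Metric Ref Use Iface
192.168.189.8 0.0.0.0         255.255.255.248 U     0      0    0  eth0
192.168.189.0 0.0.0.0         255.255.255.248 U     0      0    0  eth1
192.168.0.0   192.168.189.14  255.255.0.0     UG    1      0    0  eth0
10.0.0.0      192.168.189.14  255.0.0.0       UG    1      0    0  eth0
127.0.0.0     0.0.0.0         255.0.0.0       U     0      0    0  lo
0.0.0.0       192.168.189.1   0.0.0.0         UG    0      0    0  eth1'

# Print "<gateway> <iface>" for the default route: destination 0.0.0.0
# and a G in the Flags column (column 4); interface is column 8.
default_route() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2, $8; exit }'
}

# Count the gateway (G flag) routes other than the default route, i.e.
# the "way back" routes for other internal networks.
extra_gateways() {
    printf '%s\n' "$1" | awk 'NR > 2 && $4 ~ /G/ && $1 != "0.0.0.0" { n++ } END { print n + 0 }'
}

# Succeed only if the ip_forward sysctl content is exactly "1".
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Live check for the squid box itself: forwarding flag, default route,
# and reachability of the next hop.
check_box() {
    if forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)"; then
        echo "ip_forward: enabled"
    else
        echo "ip_forward: DISABLED (enable with: sysctl -w net.ipv4.ip_forward=1)"
    fi

    routes=$(/sbin/route -n 2>/dev/null) || { echo "route -n not available"; return 1; }
    gw_iface=$(default_route "$routes")
    if [ -z "$gw_iface" ]; then
        echo "no default gateway set"
        return 1
    fi
    gw=${gw_iface% *}
    iface=${gw_iface#* }
    echo "default gateway: $gw via $iface ($(extra_gateways "$routes") other gateway routes)"

    # The next hop must answer before squid or DG are worth configuring.
    if ping -c 1 -W 1 "$gw" >/dev/null 2>&1; then
        echo "next hop $gw answers ping"
    else
        echo "next hop $gw does NOT answer ping - fix basic routing first"
        return 1
    fi
}

# Run the live check only when executed directly, not when sourced.
case "$0" in
    *check_box*|*.sh) check_box ;;
esac
```

Run it on the squid box as root (the ping needs a route out of the second NIC, and /proc/sys/net/ipv4/ip_forward is readable by anyone). Against the constructed sample, `default_route` returns `192.168.189.1 eth1` and `extra_gateways` returns 2, which matches the explanation of the posted table: one default route plus two return routes for internal networks.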