RE: [suse-linux-uk-schools] Setting up a web proxy server
-----Original Message-----
From: Phillip Deackes [SMTP:gsmh@gmx.co.uk]
Sent: Sunday, September 24, 2000 10:58 AM
To: suse-linux-uk-schools@suse.com
Subject: [suse-linux-uk-schools] Setting up a web proxy server

(disclaimer: Most of this is off the top of my head and is not a complete description)
I have seen some messages on the list about setting up a web proxy server. I am ICT Coordinator in a Leicestershire High School and we are about to take delivery of a new RM PC which I would like to set up as a proxy server. I understand I would use squid. I have never set up anything like this before - I can install and configure Linux on an internet connected workstation standing on my head, but I still view networking as something of a black art!
Everything's a black art until you've done it twice - once to learn, once for it to work. Please don't be put off by the length of this response - I tend to waffle.

The first problem you will come across is that Linux will only auto-detect the 1st NIC that it sees. You will have to tell it about the other one. In fact you will have to tell it about both because if you tell it about one it will not try to detect the other. You will need to tell it the IRQ and address for both cards. Unfortunately, the easiest way to do this is to boot DOS. Most NICs come with a DOS diag disk. Simply boot DOS, run the diag program and write down the settings.

To pass these details to the Linux kernel you need to add a line to /etc/lilo.conf and then re-run /sbin/lilo to apply the updates. An example line is:

append="ether=12,0x300,eth0 ether=11,0x6600,eth1"

I always use the same type of card as well, although as the example above shows (one is an ISA card, one is PCI) this is not essential. As you need to update/run Lilo this is best done after the Linux install. However, this will mean that Lilo has already configured one of the NICs, so check which one it is, and make sure that you make this eth0 in Lilo.

Once you have done the above steps and re-booted, you should then be able to use LinuxConf/Control Panel etc. to configure both NICs. If you can't then you will have to do it manually. You will need to go to /etc/sysconfig/network-scripts and clone all the eth0 files for eth1, making appropriate changes. Next, you will need to set up a default route pointing to the ISDN router. It does not need a route to your network as it's already on it. You should now have a Linux box that can itself access your internal network and the internet. However, the two networks cannot talk to each other.
We currently run an RM 2.3 Connect network - 1 Windows NT server and around 40 Windows 95 workstations, most are Pentium 100 with 16 MB RAM (and don't we know it!!). As I understand it, I need two network cards on the new machine, one connected directly to our ISDN router, the other to our current network. I configure the new machine to talk to the router and all other machines on the network to talk to the new machine, hence all requests pass through the proxy server rather than directly to our ISP. I assume non-web traffic would pass through transparently.
Your basic idea is correct. Here is *MY* suggested way to proceed - there are many others. I don't know the RM Connect setup and you haven't supplied much in the way of config details so I'll have to make some assumptions. There are three possible setups that I can see you having:

1) each PC has a public IP address and talks directly to the ISDN Router
2) each PC has a private IP address and all traffic goes through the NT Server which performs Network Address Translation (NAT/Masquerading).
3) each PC has a private IP address and talks directly to the ISDN Router which does the NAT.

If you have setup 1 then you will have big security problems as each and every PC will be accessible (read attackable) from the internet. Setups 2 and 3 will hide your PCs and present only one PC to the internet. My method will give you a network similar to setup 2 except that you will be using a Linux box instead of the NT box.

To enable traffic to pass between the public (internet) and private (internal) networks you will need to turn on IP forwarding. Even if each PC has a public IP address I would still turn on IP Masquerading for the reason given above. The exact way to do this has changed between kernel 1 (ipfwadm) and kernel 2 (ipchains) releases so you will need to look up in the howto's how to do this, although I think it can now be done in Linuxconf. Once you've turned on IP forwarding for all services, you then need to turn it off again for www services (port 80, 8080, 8081) otherwise people will try to bypass your squid.

Actually installing squid should be the easiest part. Either get the package for your distribution (.deb, .rpm etc.) or get the sources and compile it. Remember to add it to your start-up services so that if you reboot the PC it restarts squid. To do this, use Linuxconf or look at the /etc/rc.d tree structure. All you should need to do now is go to each PC and reconfigure the network gateway and turn on the proxy settings in Internet Explorer.
That's it - all should be done.
Excuse me if this is a little simplistic - I will have the use of a technician from another school for a few hours, although he knows very little about Linux. He is more knowledgeable about networking generally though.
You have not mentioned the other services that you want to use. Have you looked at setting up a caching DNS service? What do you use for email? There are excellent howto's for setting these up on your Linux server. I would also strongly suggest that you install Port Sentry, which is a daemon which looks out for incoming connections that look like possible attacks, and blocks that site's access. Reading the Security Howto is another must do.
I would appreciate it if anyone could let me know of any useful web sites on this topic - I am sure some members of the list set up a help page for this sort of thing.
The squid web site is http://www.squid-cache.org. The Howto's should be on the distribution CD and in /usr/doc if you chose to install the documentation.
Many thanks indeed for any help list members are able to offer.
-- Phillip Deackes Gartree High School, Oadby Leicester
-----------------------------------------
Gary Stainburn.
Work: http://www.ringways.co.uk mailto:gary.stainburn@ringways.co.uk
REVCOM: http://www.revcom.org.uk mailto:gary.stainburn@revcom.org.uk
-----------------------------------------
Murphy's Laws: (327) Build a system that even a fool can use, and only a fool will use it.
-----------------------------------------
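The forwarding policy Gary describes (masquerade the private LAN out through the ISDN side, but refuse to forward web ports so the classroom PCs cannot sidestep squid), written out as an ipchains rule generator. This is an added example, not part of the original thread; the interface names eth0/eth1, the private range 192.168.1.0/24 and the function name are assumptions. It prints the rules instead of applying them so the policy can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): kernel 2.2 era ipchains
# rules for the two-NIC squid gateway. All interface names and addresses
# below are assumptions for illustration.
WAN_IF=eth0              # NIC facing the ISDN router (assumed)
LAN_NET=192.168.1.0/24   # private range of the classroom PCs (constructed)
WEB_PORTS="80 8080 8081" # ports the post says must not be forwarded

# Emit the rule set rather than executing it. On the gateway it can be
# applied with:  proxy_firewall_rules | sh
proxy_firewall_rules() {
    # 1. Turn on IP forwarding so the two networks can talk at all.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # 2. Start from a clean forward chain that drops anything not listed.
    echo "ipchains -F forward"
    echo "ipchains -P forward DENY"

    # 3. Refuse to forward direct web traffic from the LAN. ipchains takes
    #    the first matching rule, so these must precede the masquerade rule.
    #    REJECT (not DENY) sends a refusal back, so a misconfigured PC fails
    #    immediately instead of hanging until its browser times out.
    for port in $WEB_PORTS; do
        echo "ipchains -A forward -p tcp -s $LAN_NET -d 0.0.0.0/0 $port -i $WAN_IF -j REJECT"
    done

    # 4. Masquerade everything else (mail, DNS, ftp...) from the LAN out
    #    via the ISDN-facing NIC, so the LAN keeps private addresses.
    echo "ipchains -A forward -s $LAN_NET -i $WAN_IF -j MASQ"
}

proxy_firewall_rules
```

Squid itself is not affected by these rules: it runs on the gateway and makes its own outbound connections, which never traverse the forward chain.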