from http://amyhost.com/data/1.jpg
and ...
#logformat squid %>a [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
http_port 2210 transparent
icp_port 3130
snmp_port 3401
cache_mgr admin
emulate_httpd_log off
#cache_peer ip.sumber.squid parent 3128 3130 proxy-only
#cache_peer ip.yang.numpang sibling 3128 3130 proxy-only
#cache_peer 192.168.1.253 sibling 2210 3130 proxy-only
#cache_peer it.gpi-g.com parent 2210 0 no-query default
#cache_peer 202.169.51.119 parent 2210 0 no-query no-digest
no-netdb-exchange default
#cache_peer 125.160.0.0/255.255.0.0 sibling 2210 3130 proxy-only
#cache_peer 202.182.0.0/255.255.0.0 sibling 2210 3130 proxy-only
#cache_peer 203.128.72.226/255.255.255.255 sibling 2210 3130 proxy-only
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 50 KB
maximum_object_size 50 MB
#minimum_object_size 1 KB
dead_peer_timeout 10 seconds
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
visible_hostname gpi-g.com
cache_mem 5 MB
memory_pools off
log_icp_queries on
buffered_logs on
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
#never_direct allow all
cache_swap_low 70%
cache_swap_high 90%
#cache_dir aufs /var/spool/squid 40000 16 256
cache_dir aufs /var/spool/squid 4000 16 256
cache_dir aufs /var/spool/squid1 4000 16 256
cache_dir aufs /var/spool/squid2 4000 16 256
cache_dir aufs /var/spool/squid3 4000 16 256
#cache_dir diskd /var/spool/squid 4800 8 64 max-size=-1 Q1=64 Q2=72
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
forwarded_for on
half_closed_clients off
cache_effective_user proxy
cache_effective_group proxy
cache_mgr mirza.k_at_gpi-g.com
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl website dstdomain "/etc/website"
acl domain dstdomain .gpi-g.com
acl gator dstdomain .gator.com
acl gohip dstdomain .gohip.com
acl kazaa dstdomain .kazaa.com
acl real dstdomain .real.com
acl pornsite url_regex 220.73.222.254
acl LAN src 192.168.222.0/255.255.255.0
acl LAN3 src 192.168.0.0/255.255.0.0
acl LAN2 src 172.16.0.0/255.255.0.0
acl NOC src 125.160.0.0/255.255.0.0
#acl GPI src 202.169.51.0/255.255.255.0
acl snmpcommunity snmp_community nama_snmpcommunity
acl all src 0.0.0.0/0.0.0.0
#acl IIX dst_as 7597
#always_direct allow IIX
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 21 80 81 53 143 2443 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
#acl INSIDE dstdomain .it.gpi-g.com
#always_direct allow INSIDE
#never_direct allow all
#acl INSIDE_IP dst 172.16.0.2
#always_direct allow INSIDE_IP
#never_direct allow all
#header_access User-Agent deny all
#header_replace User-Agent Mozilla/5.0 (X11; U; Linux 2.6.8 DEC Alpha)
#follow_x_forwarded_for allow localhost
#log_uses_indirect_client on
#acl_uses_indirect_client on
#delay_pool_uses_indirect_client on
acl acceleratedHost dst 202.169.51.0/255.255.255.0
acl acceleratedPort port 2210
#httpd_accel_single_host off
http_access allow manager localhost LAN LAN3
http_access deny !Safe_ports
http_access deny pornsite
http_access deny CONNECT !SSL_ports
snmp_access allow snmpcommunity
http_access deny website
http_access deny gator
http_access deny gohip
http_access deny real
http_access deny kazaa
http_access allow domain
http_access allow LAN
http_access allow LAN3
http_access allow LAN2
http_access allow NOC
#http_access allow GPI
http_access allow localhost
http_access allow acceleratedHost
http_access deny all
snmp_access deny all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cachemgr_passwd nasigoreng manager
negative_ttl 1 minutes
####
#acl local-host src 192.168.222.2
#acl my_other_proxy src 192.168.222.2
#follow_x_forwarded_for allow local-host
#follow_x_forwarded_for allow my_other_proxy
#acl_uses_indirect_client on
#delay_pool_uses_indirect_client on
#log_uses_indirect_client on
===
with rc.local :
echo "1" > /proc/sys/net/ipv4/ip_forward
/etc/init.d/networking restart
#-----------------------------------------------------
# eth0 = WAN1 = 202.169.51.119
# eth1 = DMZ = 192.168.222.1 ( Konek ke MAILSERVER & WEBSERVER -
sementara simulai hanya mailserver )
# eth2 = LAN = 192.168.222.2 ( Konek ke PROXY SERVER - sementara di
simulai PROXY SERVER = CLIENT )
#------------------------------------------------------
# Tukang sapu
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -F -t nat
# masqurade
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0
-j MASQUERADE
/sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT
# Jembatan gantung DMZ <=> LAN
iptables -A FORWARD -i eth2 -o eth1 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state
ESTABLISHED,RELATED -j ACCEPT
# Jembatan gantung DMZ <=> Mail Server & Webserver
iptables -A FORWARD -i eth1 -o eth0 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
# Jembatan gantung WAN1 <=> LAN
iptables -A FORWARD -i eth2 -o eth0 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
## Forward port 25 ke mail server
#### SEMENTARA #iptables -t nat -A PREROUTING -p tcp -i eth0 -d
202.169.51.119 --dport 25 -j DNAT --to-destination 172.16.0.2
## Forward port 80 ke mail server
#### SEMENTARA #iptables -t nat -A PREROUTING -p tcp -i eth0 -d
202.169.51.119 --dport 80 -j DNAT --to-destination 172.16.0.2
## Forward port 80 ke HRD
#iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.120
--dport 80 -j DNAT --to-destination 172.16.0.4
#### TEST
iptables -t nat -A PREROUTING -i eth0 -d 202.169.51.119 -j DNAT
--to-destination 172.16.0.2
#iptables -t nat -A PREROUTING -i eth0 -d 202.169.51.120 -j DNAT
--to-destination 172.16.0.4
########
## Forward port 110 ke mail server
#### SEMENTARA #iptables -t nat -A PREROUTING -p tcp -i eth0 -d
202.169.51.119 --dport 110 -j DNAT --to-destination 172.16.0.2
## Forward port 2810 ke mail server
#### SEMENTARA #iptables -t nat -A PREROUTING -p tcp -i eth0 -d
202.169.51.119 --dport 2810 -j DNAT --to-destination 172.16.0.2
#### SEMENTARA #iptables -t nat -A PREROUTING -p tcp -i eth0 -d
202.169.51.119 --dport 4810 -j DNAT --to-destination 172.16.0.3
## REDIRECT
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
--to-port 8080
#transparant proxy - WARNING INI SEMENTARA - LIHAT eth2
/sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp -s
192.168.222.0/255.255.255.0 --dport 80 -j DNAT --to 192.168.222.2:2210
=======================================
problem :
i cant browse domain that hosted at webserver ( 172.16.0.3 - at the
picture that is wrong ip - the correct one is 172.16.0.3 )
how to solved this
access denied
-- -=-=-=-=Received on Fri Sep 26 2008 - 03:28:24 MDT
This archive was generated by hypermail 2.2.0 : Fri Sep 26 2008 - 12:00:03 MDT