
How to enable squid proxy to accept webtraffic from two networks

Status
Not open for further replies.

sdabreo

IS-IT--Management
Oct 3, 2002
50
IN
Dear All

I have two network segments: one is 192.168.1.0 and the other is 192.168.100.0.
My Airtel broadband connection comes under the 192.168.1.0 network, and the net connection is
shared to users by a Squid proxy. I have Red Hat 9, where I have configured a transparent Squid proxy.
My proxy server IP is 192.168.1.6; both networks are connected to my Cisco firewall.

I enabled the access list to ping my proxy server from the 192.168.100.0 network, but my client
PCs are not able to access the internet from the 192.168.100.0 network.

Web traffic is also enabled in the firewall to pass through from 192.168.100.0, but I am still not able to
browse.

Is it required that my proxy server be connected to 192.168.100.0 to receive web traffic?
My squid.conf is enclosed below for your reference.


#acl all src 0.0.0.0/0.0.0.0
acl lan1_blr src 192.168.1.0/255.255.255.0
acl lan2_blr src 192.168.100.0/255.255.255.0
acl msn_hosts src "/etc/squid/msn_hosts"
acl allowed_machines src "/etc/squid/allowed_machines"
acl support_staff src "/etc/squid/support_staff"
acl callcenter src "/etc/squid/callcenter"

acl rejected_urls url_regex "/etc/squid/rejected_urls"
acl allowed_urls dstdomain "/etc/squid/allowed_urls"
acl msn dstdomain "/etc/squid/msn"

http_access allow msn_hosts msn
http_access deny rejected_urls
http_access deny !allowed_machines
http_access deny !lan1_blr !lan2_blr
#http_access allow msn_hosts msn
http_access allow callcenter allowed_urls allowed_machines
http_access allow support_staff !callcenter
http_access allow all

Can anyone help me to solve this?
 
Is there anything from your 192.168.100. subnet re-routing to the subnet where the internet gateway is?

I think you have to create a couple of route entries on a machine on the above subnet that will re-route traffic from the 192.168.100.0 subnet to the gateway to get on the internet.

That machine obviously needs to be connected to 192.168.1.0 as well, or at least have some kind of access to the latter subnet.

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 

You mean my proxy server should be connected to the 192.168.100.0 network?

My Cisco firewall has an access list to allow packets only from 192.168.1.6 (my proxy server) to the outside. Can my web traffic from 192.168.100.0 hit 192.168.1.6? Will my proxy server be able to understand the packets from the 192.168.100.0 network if I don't have a connection to 192.168.100.0 from my proxy server?

 
I am saying that if your squid box is the gateway/proxy for the 192.168.1.0 network and its address is 192.168.1.6, that is not enough to make it available for 192.168.100.0 network.

If the two networks are physically on the same switch then add a virtual interface on the squid box. Enable IP forwarding and it will do the trick.


QatQat

 

Quite interesting. Can you please let me know how to create a virtual interface and how to forward from 192.168.1.0 to 192.168.100.0?
 

My Linux server is acting only as a proxy; my firewall is acting as the gateway.

 
To create a virtual interface, assuming that you want this interface to have the 192.168.100.254 IP address:
Code:
ifconfig eth0:0 192.168.100.254 netmask 255.255.255.0

This will create and enable the interface; it will not make it permanent though. To make it permanent copy the script from another card

Code:
cat /etc/sysconfig/network-scripts/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0:0

Edit the new file to reflect the address 192.168.100.254.

To enable ip_forwarding:

Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

To make this permanent, edit the file
/etc/sysctl.conf and set ip_forward = 1

Cheers

QatQat

 

Is there any possibility to find out whether my web traffic from 192.168.100.0 is hitting my proxy server or not? Is there any log file available to check the same?

Is pinging from 192.168.100.0 to my proxy server 192.168.1.6 sufficient to pass through the web traffic?
 
While you visit pages from client machines, you can execute

Code:
tail -f /var/log/squid/access.log

To interrupt the above command, hit CTRL+Z.
The file above is obviously the squid web access log file.

The option "-f" (follow) makes you check the log continuously.


Squid log files can be overwhelming; just look at the third column to check the traffic origin.

If you just want to find out whether the .100.0 net is accessing the web through squid:

Code:
cat /var/log/squid/access.log | grep "192.168.100"


Nothing will stop your network users disabling the proxy and going to the web directly; once again you will need iptables to force users to use squid.
Disabling port 80 outgoing traffic and allowing web traffic only through the proxy server's port 3128 is a normal procedure on networks. Alternatively you can create a transparent proxy. Both methods are only achievable through iptables.



QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
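
Added example, not part of the original posts: a check of which clients in a subnet reached Squid, matching only the client column of access.log. It assumes Squid's native log format; the sample lines are constructed and the function names `sample_log`, `subnet_summary` and `subnet_hits` are hypothetical.

```shell
#!/bin/sh
# Added example: which clients in a given /24 actually reached Squid?
# Assumes Squid's native access.log format, where field 3 is the client
# address and field 4 is result/status (e.g. TCP_MISS/200).

# Constructed sample log lines (not taken from the thread).
sample_log() {
cat <<'EOF'
1064995200.101    120 192.168.1.23 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1064995201.202     15 192.168.100.17 TCP_DENIED/403 1044 GET http://example.org/ - NONE/- text/html
1064995202.303     98 192.168.100.42 TCP_MISS/200 2048 GET http://example.net/ - DIRECT/192.0.2.20 text/html
1064995203.404     60 192.168.1.50 TCP_MISS/200 700 GET http://192.168.100.5/intranet/ - DIRECT/192.168.100.5 text/html
EOF
}

# Print "client result count" for every client whose address starts with the
# given three octets. Reads the log on stdin; matches field 3 only.
subnet_summary() {
    awk -v prefix="$1." '
        index($3, prefix) == 1 {      # literal prefix test, dots are not wildcards
            split($4, r, "/")         # TCP_DENIED/403 -> TCP_DENIED
            seen[$3 " " r[1]]++
        }
        END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Total number of requests logged from that subnet.
subnet_hits() {
    subnet_summary "$1" | awk '{ n += $3 } END { print n + 0 }'
}

# The last sample line is a 192.168.1.0 client fetching a 192.168.100.0 URL:
# a whole-line grep counts it, the field-3 match does not.
echo "grep count:    $(sample_log | grep -c '192.168.100')"
echo "field-3 count: $(sample_log | subnet_hits 192.168.100)"
sample_log | subnet_summary 192.168.100
```

On a live proxy, feed the real log with `subnet_summary 192.168.100 < /var/log/squid/access.log`. No output at all means requests from that subnet never reached Squid (routing or firewall), while `TCP_DENIED` entries mean they arrived and were rejected by the `http_access` rules.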
 
QatQat said:
to interrupt the above command hit CTRL+Z

I think you meant Ctrl-C? Ctrl-Z will suspend it, but leave the process paused in the background.

Annihilannic.
 
Yup, you are right; apologies for my mistake.

QatQat

 
My problem is sorted out. The problem was in my firewall: port 8080 (the proxy port) was not enabled in the firewall IOS. I opened the port and it's working fine.

Thanks a lot guys.
 