from http://amyhost.com/data/1.jpg and ...
# squid.conf as posted: a transparent proxy on port 2210 that also works as an
# httpd accelerator for 202.169.51.0/24, followed (after "=== with rc.local :")
# by the gateway's rc.local firewall script. Directives are listed in the order
# given; for http_access that order is the evaluation order (first match wins).
#logformat squid %>a [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
# No host: prefix, so port 2210 listens on every address of this host, WAN side
# included, unless it is filtered elsewhere (the rc.local below has no INPUT rules).
http_port 2210 transparent
icp_port 3130
# SNMP agent enabled; access is gated only by the community string (see snmp_access).
snmp_port 3401
# Duplicated further down (cache_mgr mirza.k@...); presumably the later value wins.
cache_mgr admin
emulate_httpd_log off
#cache_peer ip.sumber.squid parent 3128 3130 proxy-only
#cache_peer ip.yang.numpang sibling 3128 3130 proxy-only
#cache_peer 192.168.1.253 sibling 2210 3130 proxy-only
#cache_peer it.gpi-g.com parent 2210 0 no-query default
#cache_peer 202.169.51.119 parent 2210 0 no-query no-digest no-netdb-exchange default
#cache_peer 125.160.0.0/255.255.0.0 sibling 2210 3130 proxy-only
#cache_peer 202.182.0.0/255.255.0.0 sibling 2210 3130 proxy-only
#cache_peer 203.128.72.226/255.255.255.255 sibling 2210 3130 proxy-only
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 50 KB
maximum_object_size 50 MB
#minimum_object_size 1 KB
dead_peer_timeout 10 seconds
# Never cache dynamic content: cgi-bin paths or any URL path containing '?'.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
visible_hostname gpi-g.com
cache_mem 5 MB
memory_pools off
log_icp_queries on
buffered_logs on
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
#never_direct allow all
cache_swap_low 70%
cache_swap_high 90%
#cache_dir aufs /var/spool/squid 40000 16 256
# Four 4000 MB aufs cache directories.
cache_dir aufs /var/spool/squid 4000 16 256
cache_dir aufs /var/spool/squid1 4000 16 256
cache_dir aufs /var/spool/squid2 4000 16 256
cache_dir aufs /var/spool/squid3 4000 16 256
#cache_dir diskd /var/spool/squid 4800 8 64 max-size=-1 Q1=64 Q2=72
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
# Puts the client's address into X-Forwarded-For on forwarded requests, so internal
# LAN addresses are disclosed to origin servers; set to off if that is unwanted.
forwarded_for on
half_closed_clients off
cache_effective_user proxy
cache_effective_group proxy
cache_mgr mirza.k@xxxxxxxxx
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Destination blocklist read from a file (one domain per line).
acl website dstdomain "/etc/website"
# The organisation's own (accelerated) domain.
acl domain dstdomain .gpi-g.com
acl gator dstdomain .gator.com
acl gohip dstdomain .gohip.com
acl kazaa dstdomain .kazaa.com
acl real dstdomain .real.com
# url_regex: the unescaped dots are wildcards, so this matches more than the literal
# address (harmless here, but escape them or use a dst acl to match only the IP).
acl pornsite url_regex 220.73.222.254
# Client source networks.
acl LAN src 192.168.222.0/255.255.255.0
acl LAN3 src 192.168.0.0/255.255.0.0
acl LAN2 src 172.16.0.0/255.255.0.0
acl NOC src 125.160.0.0/255.255.0.0
#acl GPI src 202.169.51.0/255.255.255.0
# The community string is the only SNMP credential, and it is published in this post.
acl snmpcommunity snmp_community nama_snmpcommunity
acl all src 0.0.0.0/0.0.0.0
#acl IIX dst_as 7597
#always_direct allow IIX
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
# Wider than squid's stock Safe_ports list: 81, 53 (DNS), 143 (IMAP) and 2443 are
# additions, so plain HTTP requests to those ports are relayed by the proxy.
acl Safe_ports port 21 80 81 53 143 2443 443 563 70 210 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
#acl INSIDE dstdomain .it.gpi-g.com
#always_direct allow INSIDE
#never_direct allow all
#acl INSIDE_IP dst 172.16.0.2
#always_direct allow INSIDE_IP
#never_direct allow all
#header_access User-Agent deny all
#header_replace User-Agent Mozilla/5.0 (X11; U; Linux 2.6.8 DEC Alpha)
#follow_x_forwarded_for allow localhost
#log_uses_indirect_client on
#acl_uses_indirect_client on
#delay_pool_uses_indirect_client on
# Every destination in the public /24 is treated as an accelerated origin.
acl acceleratedHost dst 202.169.51.0/255.255.255.0
acl acceleratedPort port 2210
#httpd_accel_single_host off
# NOTE(review): the ACLs on one http_access line are ANDed. localhost (127.0.0.1),
# LAN and LAN3 cannot all match the same source, so this line never matches;
# cache-manager requests then fall through to the per-network "allow" lines below,
# i.e. any LAN client reaches the manager, guarded only by cachemgr_passwd. The
# usual form is "http_access allow manager localhost" then "http_access deny manager".
http_access allow manager localhost LAN LAN3
http_access deny !Safe_ports
http_access deny pornsite
http_access deny CONNECT !SSL_ports
# No source restriction: anyone presenting the community string gets SNMP access.
snmp_access allow snmpcommunity
http_access deny website
http_access deny gator
http_access deny gohip
http_access deny real
http_access deny kazaa
# Evaluated before any source check: requests for .gpi-g.com are accepted from any
# client address - presumably intended for the accelerator, confirm.
http_access allow domain
http_access allow LAN
http_access allow LAN3
http_access allow LAN2
http_access allow NOC
#http_access allow GPI
http_access allow localhost
# Likewise accepts requests for any host in 202.169.51.0/24 from any source.
http_access allow acceleratedHost
http_access deny all
snmp_access deny all
# Accelerator mode: origin taken from the Host header, port 80, proxying still on.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
# Cache-manager password in clear text; it has been published with this post and
# should be changed.
cachemgr_passwd nasigoreng manager
negative_ttl 1 minutes
####
#acl local-host src 192.168.222.2
#acl my_other_proxy src 192.168.222.2
#follow_x_forwarded_for allow local-host
#follow_x_forwarded_for allow my_other_proxy
#acl_uses_indirect_client on
#delay_pool_uses_indirect_client on
#log_uses_indirect_client on
=== with rc.local :
# rc.local: turn on IPv4 forwarding, then rebuild the filter and nat tables.
# No default policies (-P) are set anywhere in this script; unless they are set
# elsewhere, FORWARD accepts everything and the ACCEPT rules below change nothing.
echo "1" > /proc/sys/net/ipv4/ip_forward
/etc/init.d/networking restart
#-----------------------------------------------------
# eth0 = WAN1 = 202.169.51.119
# eth1 = DMZ = 192.168.222.1 (connects to the MAIL SERVER & WEB SERVER - for now only the mail server is in the simulation)
# eth2 = LAN = 192.168.222.2 (connects to the PROXY SERVER - for now the simulation uses PROXY SERVER = CLIENT)
# NOTE(review): eth1 and eth2 are both given 192.168.222.x addresses, and the DNAT
# targets below are 172.16.0.x, which belongs to no interface listed here - confirm
# the addressing; it may be related to the reported problem.
#------------------------------------------------------
# Cleanup: flush all rules and delete user-defined chains in filter and nat.
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
# Repeats the nat flush above.
/sbin/iptables -F -t nat
# Masquerade everything leaving through the WAN interface.
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# Accepts every forwarded packet arriving on the WAN interface regardless of state or
# destination. This makes the stateful "-i eth0" rules below redundant and exposes
# each DNAT target to unsolicited traffic; remove it, or limit it to the forwarded ports.
/sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT
# Link DMZ <=> LAN (new connections only from the LAN side)
iptables -A FORWARD -i eth2 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Link DMZ <=> Mail Server & Webserver (the rules pair eth1 with eth0, i.e. DMZ <=> WAN;
# new connections are accepted from the WAN side, presumably for the DNAT'd services)
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Link WAN1 <=> LAN (new connections accepted from the WAN side into the LAN)
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Forward port 25 to the mail server
#### TEMPORARY
#iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119 --dport 25 -j DNAT --to-destination 172.16.0.2
## Forward port 80 to the mail server
#### TEMPORARY
# NOTE(review): the per-port DNATs here are disabled; the only active DNAT further
# down ("#### TEST") sends every protocol and port of 202.169.51.119 to 172.16.0.2.
# PREROUTING -i eth0 also only matches packets entering on eth0: connections to the
# public address made from this host or from the LAN side are not translated, which
# may be why the hosted domain is unreachable from inside - confirm.
#iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119 --dport 80 -j DNAT --to-destination
172.16.0.2 ## Forward port 80 ke HRD #iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.120 --dport 80 -j DNAT --to-destination 172.16.0.4 #### TEST iptables -t nat -A PREROUTING -i eth0 -d 202.169.51.119 -j DNAT --to-destination 172.16.0.2 #iptables -t nat -A PREROUTING -i eth0 -d 202.169.51.120 -j DNAT --to-destination 172.16.0.4 ######## ## Forward port 110 ke mail server #### SEMENTARA #iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119 --dport 110 -j DNAT --to-destination 172.16.0.2 ## Forward port 2810 ke mail server #### SEMENTARA #iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119 --dport 2810 -j DNAT --to-destination 172.16.0.2 #### SEMENTARA #iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.169.51.119 --dport 4810 -j DNAT --to-destination 172.16.0.3 ## REDIRECT # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 #transparant proxy - WARNING INI SEMENTARA - LIHAT eth2 /sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp -s 192.168.222.0/255.255.255.0 --dport 80 -j DNAT --to 192.168.222.2:2210 ======================================= Problem: I can't browse the domain that is hosted on the web server (172.16.0.3 - the IP shown in the picture is wrong; the correct one is 172.16.0.3). How do I fix this "access denied"? -- -=-=-=-=