http://www.lamolabs.org/blog/282/how-to-setup-a-dns-server-on-centos-5/

find public_html/ -type f -exec sed -i ‘/H3qqea3ur6p/d’ {} \;

iptables -t nat -A PREROUTING -p tcp -i eth1 –dport 5222 -j DNAT –to 192.168.1.20:5222

iptables –table nat -A POSTROUTING -o eth0 -j MASQUERADE

Y’day I got a chance to play with Squid and iptables. My job was simple : Setup Squid proxy as a transparent server.

Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network (around 150 windows XP systems))
iv) OS: Red Hat Enterprise Linux 4.0 (Following instruction should work with Debian and all other Linux distros)

Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.

Server Configuration

• Step #1 : Squid configuration so that it will act as a transparent proxy
• Step #2 : Iptables configuration
  • a) Configure system as router
  • b) Forward all http requests to 3128 (DNAT)
• Step #3: Run scripts and start squid service

First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf

Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

• httpd_accel_host virtual: Squid as an httpd accelerator
• httpd_accel_port 80: 80 is port you want to act as a proxy
• httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
• httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
• acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
• http_access allow localhost: Squid access to LAN and localhost ACL only
• http_access allow lan: — same as above —

Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

OR, try out sed (thanks to kotnik for small sed trick)
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables configuration

Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128 (Download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.

How do I test my squid proxy is working correctly?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log

Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.

Problems and solutions

(a) Windows XP FTP Client

All Desktop client FTP session request ended with an error:
Illegal PORT command.

I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp

Please note that modprobe command is already added to a shell script (above).

(b) Port 443 redirection

I had block out all connection request from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) request denied. You cannot redirect port 443, from debian mailing list, “Long answer: SSL is specifically designed to prevent “man in the middle” attacks, and setting up squid in such a way would be the same as such a “man in the middle” attack. You might be able to successfully achive this, but not without breaking the encryption and certification that is the point behind SSL“.

Therefore, I had quickly reopen port 443 (router firewall) for all my LAN computers and problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.

Further reading:

• How do I use Iptables connection tracking feature?
• How do I build a Simple Linux Firewall for DSL/Dial-up connection?
• Update: Forum topic discussion: Setting up a transparent proxy with Squid peering to ISP squid server
• Squid, a user’s guide
• Squid FAQ
• Transparent Proxy with Linux and Squid mini-HOWTO

Updated for accuracy.

<!– –>

HOWTO – http(Apache) + Subversion on FC7

This is a howto on getting subversion (multiple repositories) + http on FC7.

We will be logged in as root for quite a few tasks – make sure that you have read relevant documentation/tutorials before trying this HOWTO.

Keep an eye on 2 important things:

• id of logged in user
• pwd – present working directory

Both of these will be apparent in the prompt – I have used the standard prompt on
any Linux system – [user@machine ‘pwd’]

1. Install svn and mod_dav_svn via yum

2. Log in as root and create your directory structure for holding the repo:
[root@rknowsys2 var]# mkdir -p /var/subversion/repos

3. The repository has to be owned by apache to enable apache to read and write to this directory:
[root@rknowsys2 var]# chown -R apache:apache /var/subversion

4. Create your repo –
[root@rknowsys2 var]# svnadmin create /var/subversion/repos/

5. Import you source files into the repo – My source files are in directory “/root/kc/for-svn/iRunway” ——
[root@rknowsys2 var]# svn import /root/kc/for-svn/iRunway file:///var/subversion/repos/iRunway -m “initial import”
You will see stuff like this……..
Adding /root/kc/for-svn/iRunway/trunk/public/application-help.html
Adding /root/kc/for-svn/iRunway/trunk/public/favicon.ico
………………
…………..
……………………………..
Committed revision 1.

6. Now ensure that /var/subversion is owned by apache – Since I ran the ‘svn create’ and ‘svn import’ as root, I am not sure who owns the repo – The below command is to remove these doubts:
[root@rknowsys2 for-svn]# chown -R apache:apache /var/subversion

7. Now lets configure apache to work with subversion
refer this link: http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html
Edit the conf file and add the content at the end of the file:
[root@rknowsys2 junk]# vi /etc/httpd/conf/httpd.conf
# kc start configuring apache for subversion 07-aug-07
# Instructions from:
# http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html
# The above page is also saved to /root/admin-functions/subversion-stuff
# already loaded – kc LoadModule dav_svn_module modules/mod_dav_svn.so

DAV svn
SVNPath /var/subversion/repos/
#ServerName svn-rknowsys.no-ip.info
#ServerName 192.168.0.13 server name given in orig location above!!!!

# how to authenticate a user
AuthType Basic
AuthName “Subversion repository”
AuthUserFile /etc/svn-auth-file

# only authenticated users may access the repository
Require valid-user

CustomLog logs/svn_logfile “%t %u %{SVN-ACTION}e” env=SVN-ACTION
# kc end subversion stuff 07-aug-07

8. Now create subversion users:
[root@rknowsys2 junk] htpasswd -cm /etc/svn-auth-file kcr
New password: *****
Re-type new password: *****
Adding password for user kcr

9. Restart the httpd server
[root@rknowsys2 for-svn]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

10. Start using the repo
[root@rknowsys2 junk]# svn list http://192.168.0.13/repos/iRunway
Authentication realm: Subversion repository
Password for ‘root’:
Authentication realm: Subversion repository
Username: kcr
Password for ‘kcr’:
branches/
tags/
trunk/
[root@rknowsys2 junk]#

11. And now start creating subversion users using the htpasswd command shown above. – You are ready to roll it out to users.

12. Making multiple subversion repositories:
Let us do this in directory:/var/subversion/repos1
[root@rknowsys2 ~]# sudo -u apache mkdir -p /var/subversion/repos1
[root@rknowsys2 ~]# svnadmin create /var/subversion/repos1/ideaexchage
[root@rknowsys2 ~]# svnadmin create /var/subversion/repos1/tourism
[root@rknowsys2 ~]# svn import /root/kc/for-svn/ideaXchange/ file:///var/subversion/repos1/ideaexchage/ -m “Initial import”
Adding ……..
………………………………………………….
Committed revision 1.
[root@rknowsys2 ~]# svn import /root/kc/for-svn/tourism/ file:///var/subversion/repos1/tourism/ -m “Initial import”
Committed revision 1.

13. Now need to modify apache conf file:
Put this in the apache dir:
# kc start configuring apache for multiple repos in subversion 22-aug-07
# Instructions from:
# http://svn.haxx.se/users/archive-2004-09/1190.shtml
# http://cheminfo.informatics.indiana.edu/~rguha/misc/svnapache.html
# The above page is also saved to /root/admin-functions/subversion-stuff
# already loaded – kc LoadModule dav_svn_module modules/mod_dav_svn.so

DAV svn
SVNParentPath /var/subversion/repos1/

# how to authenticate a user
AuthType Basic
AuthName “Subversion repository”
AuthUserFile /etc/svn-auth-file

# only authenticated users may access the repository
Require valid-user

# kc end subversion stuff 22-aug-07

14. Restart the apache server
[root@rknowsys2 ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

15. Verify that the new repos are accessible
[root@rknowsys2 ~]# svn list http://192.168.0.12/repos1/tourism
Authentication realm: Subversion repository
Password for ‘root’:
Authentication realm: Subversion repository
Username: kcr
Password for ‘kcr’:
branches/
tags/
trunk/
[root@rknowsys2 ~]#

WORKING FINE………..
The problem was I typed ‘repo1’ instead of ‘repos1’

[Dialer Defaults]
Modem = /dev/ttyUSB0
Baud = 57600
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2
Phone = #777
Username =internet
Password =internet
Ask Password = 0
Stupid Mode = 1
Idle Seconds = 500
ISDN = 0
Auto DNS = 1