30 March 2012
Always the right time to do the right thing
It is always the right time if you want to do the right thing; it is never too late. Back then I studied it but did not like it. The teacher who taught me said this: a person's life is very strange, unlike running a business and unlike anything else, in that it can start over every day. You can start again today, or right now, either way.
http://203.155.220.217/pdd/magazine/07_50/07_04.htm
2 March 2012
Install SARG on squid3 at Ubuntu 11.10
Sarg is a very good tool for analysing users' internet usage data. After evaluating it, I take the data it produces and use it to shape bandwidth, but today we will just look at the reports.
apt-get install sarg
Once installed, let's configure it:
cp /etc/sarg/sarg.conf /etc/sarg/sarg.conf.original
nano /etc/sarg/sarg.conf
Uncomment these lines:
access_log /var/log/squid3/access.log    # location of the squid log
graphs yes
output_dir /var/www/squid-reports        # change the output location as you like
Next, create a command that makes Sarg generate reports automatically, and have Cron run this new Sarg command at the scheduled time:
nano /usr/sbin/sarg-daily-report
#!/bin/sh
TODAY=$(date +%d/%m/%Y)
YESTERDAY=$(date --date "1 day ago" +%d/%m/%Y)
# Log path and binary are the squid3 ones, matching the access_log set in sarg.conf above
sarg /var/log/squid3/access.log -o /var/www/squid-reports/daily -z -d $YESTERDAY-$TODAY
/usr/sbin/squid3 -k rotate
exit 0
nano /usr/sbin/sarg-weekly-report
#!/bin/sh
TODAY=$(date +%d/%m/%Y)
WEEK_AGO=$(date --date "1 week ago" +%d/%m/%Y)
# Same as the daily script, but over the last seven days into the weekly directory
sarg /var/log/squid3/access.log -o /var/www/squid-reports/weekly -z -d $WEEK_AGO-$TODAY
/usr/sbin/squid3 -k rotate
exit 0
chmod 755 /usr/sbin/sarg-daily-report
chmod 755 /usr/sbin/sarg-weekly-report
chmod 755 /usr/sbin/sarg-monthly-report
Then schedule report generation via Cron:
crontab -e
00 00 * * * /usr/sbin/sarg-daily-report
00 01 * * 1 /usr/sbin/sarg-weekly-report
03 02 1 * * /usr/sbin/sarg-monthly-report
To test it, run these commands:
/usr/sbin/sarg-daily-report
/usr/sbin/sarg-weekly-report
/usr/sbin/sarg-monthly-report
/etc/init.d/cron restart
Finally, how to view the reports:
http://ip_address_server/squid-reports
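The post shows a daily and a weekly script but the crontab also calls a monthly one, and the three would differ only in the date offset and output directory. The script below is an added example, not from the original post: one report script that takes the period as its argument and computes the dd/mm/yyyy-dd/mm/yyyy window sarg's -d option expects. It assumes GNU date as shipped with Ubuntu, the squid3 log path configured in sarg.conf above, and one sub-directory per period under /var/www/squid-reports; DRY_RUN=1 prints the sarg command instead of running it.

```shell
#!/bin/sh
# Added example (not part of the original post): replaces sarg-daily-report,
# sarg-weekly-report and sarg-monthly-report with one script.
# Assumptions: GNU date, the squid3 access log from sarg.conf, reports under
# /var/www/squid-reports/<period>.  Usage: sarg-report daily|weekly|monthly [yyyy-mm-dd]

ACCESS_LOG="/var/log/squid3/access.log"
REPORT_ROOT="/var/www/squid-reports"

# Relative offset (GNU date syntax) that marks the start of each reporting window.
period_offset() {
    case "$1" in
        daily)   echo "1 day ago" ;;
        weekly)  echo "1 week ago" ;;
        monthly) echo "1 month ago" ;;
        *)       echo "unknown period: $1" >&2; return 1 ;;
    esac
}

# Print the window in the dd/mm/yyyy-dd/mm/yyyy form that sarg -d expects.
# $1 = period, $2 = end date as yyyy-mm-dd (defaults to today).
sarg_date_range() {
    offset=$(period_offset "$1") || return 1
    end=${2:-$(date +%Y-%m-%d)}
    start=$(date --date="$end $offset" +%d/%m/%Y) || return 1
    stop=$(date --date="$end" +%d/%m/%Y) || return 1
    echo "$start-$stop"
}

# Assemble the sarg invocation for a period, with the same flags as the page's
# scripts (-z compressed output, -d date window).
sarg_command() {
    range=$(sarg_date_range "$1" "$2") || return 1
    echo "sarg $ACCESS_LOG -o $REPORT_ROOT/$1 -z -d $range"
}

run_report() {
    cmd=$(sarg_command "$1" "$2") || return 2
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
        return 0
    fi
    mkdir -p "$REPORT_ROOT/$1"
    $cmd   # word-splitting is intended: every argument is a plain path or date
}

# Only act when invoked with a period, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    run_report "$@" || { echo "usage: $0 daily|weekly|monthly [yyyy-mm-dd]" >&2; exit 2; }
fi
```

Log rotation is deliberately left out of this script: the page's scripts end with squid -k rotate, which moves access.log aside after every run, so a weekly or monthly window over access.log alone only sees data since the last rotation. Either rotate only from the monthly job, or pass the rotated files (access.log.0 and so on) to sarg as well.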
1 March 2012
How to setup Transparent Proxy with Squid3 and dhcp3-server on Ubuntu Oneiric Ocelot
Squid is a very well known and vastly used cache proxy server for the common web protocols such as HTTP, HTTPS, FTP and more. It caches frequently accessed web pages and thus reduces bandwidth and response time. Squid is available for almost all the platforms including Windows. It is open source and available under GNU/GPL.
Advantages of setting up Squid as Transparent Proxy include the fact that you don't need to configure all the machines on your LAN to connect to Squid manually. All the traffic would be redirected to the Squid Listening Port automatically and your Ubuntu Box would act like a Router.
Follow these steps to set up a Transparent Proxy Server with Squid3 on Ubuntu 11.10 (Oneiric Ocelot)
1. Install Ubuntu Oneiric Ocelot Server or Desktop on your computer.
2. Change your network interfaces from DHCP to Static
nano /etc/network/interfaces
Delete all the text and paste this text in your interfaces file:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.0.12
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.3

auto eth1
iface eth1 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    network 192.168.2.0
    broadcast 192.168.2.255
Where 192.168.0.12 is the IP address of your WAN interface and 192.168.2.1 is the IP address of your LAN interface.
nano /etc/resolv.conf
Paste this text in the file that opens up:
nameserver 127.0.0.1
When one sees "127.0.0.1" in the list of DNS servers it suggests that one is running a local, caching-only name server (bind9 is set up for this in step 17).
3. Install squid3:
sudo apt-get install squid3
4. Make a backup of your squid.conf for future reference. Squid.conf has nearly all the options listed and it is recommended to go through that file to know more about squid options.
cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
5. Configure squid3:
nano /etc/squid3/squid.conf
Remove all the text and paste this text in your squid.conf file:
http_port 3128 transparent
acl LAN src 192.168.2.0/24
acl localnet src 127.0.0.1/255.255.255.255
# Limited file download < 250 MB
reply_body_max_size 250 MB
http_access allow LAN
http_access allow localnet
# No cache anything
no_cache deny all
Where 192.168.2.0/24 is the range of your LAN interface. Note that this configuration ends with no_cache deny all, so squid3 will not cache anything; if you want caching, add a cache_dir line, where the first number denotes the size of the cache in MB (20000 for 20 GB). Squid denies any request that matches none of the http_access lines when the last line is an allow, but an explicit http_access deny all at the end makes that intent visible.
Save and close this file.
6. Restart squid3:
/etc/init.d/squid3 restart
7. Edit /etc/sysctl.conf:
nano /etc/sysctl.conf
In this file, uncomment the lines that enable packet forwarding for IPv4 and IPv6:
net.ipv4.ip_forward=1
Save and close this file.
8. Define IPTABLE rules for port forwarding.
nano /etc/fw.proxy
Paste this text in the file that opens up:
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.2.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
iptables -I INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 82 --syn -j ACCEPT
# Algo string
iptables -I FORWARD -m string --algo bm --string "BitTorrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -I FORWARD -m string --algo bm --string "peer_id=" -j DROP
iptables -I FORWARD -m string --algo bm --string ".torrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -I FORWARD -m string --algo bm --string "torrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "announce" -j DROP
iptables -I FORWARD -m string --algo bm --string "tracker." -j DROP
iptables -I FORWARD -m string --algo bm --string "info_hash" -j DROP
iptables -I FORWARD -m string --algo bm --string "/default.ida?" -j DROP   #codered virus
iptables -I FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP     #nimda virus
iptables -I FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP    #nimda virus
# bittorrent key
iptables -I FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP
# DHT keyword
iptables -I FORWARD -m string --string "info_hash" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "get_peers" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce_peers" --algo kmp --to 65535 -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "info_hash" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "announce" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "torrent" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "sumotracker" --algo bm -j DROP
iptables -I INPUT -p tcp -m tcp --dport 22222 --dst $SQUID_SERVER -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 22222 --dst 192.168.0.12 -j ACCEPT
iptables -A INPUT -j LOG --log-level info --log-prefix "INPUT "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "OUTPUT "
iptables -A FORWARD -j LOG --log-level info --log-prefix "FORWARD "
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Save and close this file.
Make it executable:
chmod +x /etc/fw.proxy
9. Edit /etc/rc.local:
nano /etc/rc.local
Paste this text at the end of the file that opens up but before "exit 0":
/etc/fw.proxy
Save and close this file.
10. Reboot your server.
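The /etc/fw.proxy script above sets INPUT to DROP but never sets a policy for FORWARD, so that chain keeps the kernel default of ACCEPT and relies on the NAT setup alone to keep unsolicited traffic off the LAN. The script below is an added example, not the page's /etc/fw.proxy: the same transparent-proxy NAT rules written as a function that emits iptables commands, so the rule set can be reviewed (IPT="echo iptables", the default) before it is applied (IPT=iptables, as root). It keeps the page's interface names, Squid port and SSH port, uses REDIRECT instead of DNAT to the box's own address since Squid runs on the same host, and sets FORWARD to DROP with explicit accepts for LAN-to-WAN traffic and its replies; that policy is an assumption about the intended design, not something the page states. The string-match rules are left out; note that a FORWARD rule matching the bare string "torrent" also drops any web page containing that word.

```shell
#!/bin/sh
# Added example (not the page's /etc/fw.proxy): transparent-proxy NAT rules
# emitted through $IPT so they can be reviewed before being applied.
# Assumptions: eth0 = WAN, eth1 = LAN, Squid on this host on port 3128 (from the
# page), SSH on 22222 (from the page), FORWARD policy DROP (added hardening).
INTERNET="eth0"
LAN_IN="eth1"
SQUID_PORT="3128"
SSH_PORT="22222"
IPT="${IPT:-echo iptables}"   # "echo iptables" = dry run; IPT=iptables applies

proxy_rules() {
    # Start from a clean slate, as the page's script does.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    # Default policies: nothing in and nothing through unless a rule allows it.
    # (The page's script leaves FORWARD at the kernel default, ACCEPT.)
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and the LAN side of the box are trusted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IN" -j ACCEPT
    # Replies to connections the box itself opened (apt, the bind9 forwarders, Squid).
    $IPT -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Remote administration on the page's SSH port from the WAN side.
    $IPT -A INPUT -i "$INTERNET" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Transparent proxy: LAN port-80 traffic is redirected to Squid on this host.
    $IPT -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # Everything else from the LAN is NATed out; only replies are forwarded back in.
    $IPT -A FORWARD -i "$LAN_IN" -o "$INTERNET" -j ACCEPT
    $IPT -A FORWARD -i "$INTERNET" -o "$LAN_IN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
    # Log what the DROP policies are about to discard (same prefixes as the page).
    $IPT -A INPUT -j LOG --log-level info --log-prefix "INPUT "
    $IPT -A FORWARD -j LOG --log-level info --log-prefix "FORWARD "
}

# Number of emitted rules matching a pattern; handy when reviewing the dry run.
count_rules() {
    proxy_rules | grep -c -- "$1"
}

# "sh fw-review.sh review" prints the rules; "sh fw-review.sh apply" installs them.
case "${1:-}" in
    review) proxy_rules ;;
    apply)  IPT=iptables; proxy_rules ;;
esac
```

Packet forwarding itself is still enabled through /etc/sysctl.conf as in step 7; the function does not touch /proc. A quick review after a change is `sh fw-review.sh review | grep FORWARD`, which should show the DROP policy followed by exactly the two accepts and the log rule.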
If you don't want to go to each machine on your network and configure it for a static IP, you can use dhcp3-server to assign dynamic IPs to all the computers on your LAN and make them forward all their internet traffic to your squid box.
11. Install dhcp3-server:
apt-get install dhcp3-server
12. Edit /etc/default/dhcp3-server:
nano /etc/default/isc-dhcp-server
Type eth1 in between the quotes in this line:
INTERFACES=""
Save and close this file.
13. Make a backup of your original /etc/dhcp/dhcpd.conf:
cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original
14. Edit /etc/dhcp/dhcpd.conf:
nano /etc/dhcp/dhcpd.conf
Delete all the text and paste this text in the file that opens up:
ddns-update-style none;
log-facility local7;

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.100 192.168.2.200;
    option domain-name-servers 192.168.2.1;
    option routers 192.168.2.1;
    option broadcast-address 192.168.2.255;
    default-lease-time 600;
    max-lease-time 7200;
}
In this example the clients are pointed at 192.168.2.1, the proxy box itself, whose caching name server (bind9, step 17) forwards to True's (an ISP in Thailand) DNS servers. You can use your own DNS server instead if you've configured one on your network.
Save and close this file.
Make sure all the cables on your network are plugged in and the devices are powered on.
15. Start dhcp3-server:
service isc-dhcp-server start    # on Ubuntu 11.10 dhcp3-server is a transitional package; the service is named isc-dhcp-server
16. Reboot your server.
17. Install Bind9 if it is not already installed:
apt-get install bind9 dnsutils
dnsutils provides the dig command.
Edit the configuration file for caching:
nano /etc/bind/named.conf.options
Delete all the text and paste this text in the file that opens up:
options {
    directory "/var/cache/bind";
    forwarders {
        203.144.207.29;
        203.144.207.49;
    };
    auth-nxdomain no;
    allow-query { any; };
};
Note that allow-query { any; } answers queries from any address that can reach the server; the firewall above drops unsolicited WAN traffic, but restricting allow-query to the LAN range and localhost is the safer setting.