Red Hat 6.2 Installation Howto - Basic Proxy and Transparent

This is a guide document, although very detailed in some sections. It assumes you have an idea about installing RH and working with Linux. Some will find it very tedious; others will be grateful.

1) Installation

Pre install

Decide if you are going to do a basic proxy behind the firewall (one NIC needed),

or proxy as firewall / transparent proxy (two NICs needed).

a) Disk partitions

Swap area: set this equal to or greater than the size of the RAM. Minimum 128 MB.

Create a /boot partition of 30 MB.

/ (root) to fill the rest of the drive (or minimum 4 GB), or partition for /home and /var.

b) Video setup

Choose the Compaq 171FS - works for most monitor types.

Be VERY SURE to create a boot disk just in case something goes wrong. I recommend installing EVERYTHING. It never fails: you always need the one thing you forgot to put on.

2) Post install

Linuxconf

a) Network

(for internal interface)

Set hostname proxy.domain.org

IP address - (192.168.0.1)

Subnet - 255.255.255.0

Device name - eth0

Kernel module - 3c509 (or whatever has been detected)

Second NIC (if transparent)

Ask your ISP or use DHCP

IP address (216.174.182.1)

Subnet 255.255.255.0

Device name - eth1

Kernel Module 3c509 (or whatever has been detected)

b) DNS

Domain nlsd113.org

Dns 142.165.5.2, 142.165.21.5 supplied by ISP or DHCP

c) Routes

If DHCP just enable forwarding.

Gateway 192.168.0.254 if internal or supplied by ISP

Enable routing (forwarding)

d) Hosts

cd /etc

vi hosts

Add this line: 192.168.0.1 proxy.domain.org proxy

:wq

3) Upgrades

It is very wise to download all the patches for 6.2 from a web site and burn them to a CD.

There are a lot of patches, almost 300 megabytes worth. Some of these patches are required before you can install DG, so you had better get them.

Also get the latest Dansguardian, blacklists and your favorite bannedphrase list. I highly recommend Webmin as well, as you will be providing a restart button through the Webmin interface a little later. Also, this install guide is based on Webmin on RH 6.2.

Adding patches (insert the patches CD-ROM)

mount /dev/cdrom

cd /mnt/cdrom

Using rpm -U with a wildcard (as in rpm -U a*.rpm), install the following groups of packages in the order listed.

Example: rpm -U d*.rpm

d, Rp, a, b, y, x, w, v, t, o, e, f, p, l, m, n, k, g, j, s, uc, um, us, rh, rm, imap-2000-,imap-devel- 2000, imap-2000c, imap-devel-2000c, in, ip, ir, ipspell-3.1, up

ls | less

rpm -U DansGua*.rpm

rpm -U SysVinit*

rpm -U X*.rpm

cp blacklists*.gz /etc/dansguardian

cp ban*.zip /etc/dansguardian

cd /etc/dansguardian

tar -zxpf blacklist*.gz

mv bannedphraselist bannedphraselist.old

unzip bannedphraselist2.zip

cd /etc

vi lilo.conf

Change the line with vmlinuz...... to be just vmlinuz

:wq

Type lilo <enter>

Restart the system with shutdown -r now

4) DG

startx - if it runs O.K. at a good resolution then move on, else exit and run Xconfigurator

If gnome crashes then use ps -ax to find the pid (number) for gnome session and kill it.

5) Setup with Webmin

a) System

Bootup and Shutdown

Set the following applications to boot on startup

dansguardian

httpd

dhcpd

named

squid

b) Servers

Apache
Configure
Networking: set port to 81, save and apply (or start)
DHCP
Add a new subnet
Network address 192.168.0.0 netmask 255.255.255.0
Address range 192.168.0.50 192.168.0.200
Save
Edit client options

Default routers 192.168.0.254

Dns servers 192.168.0.1, 142.165.5.2

Save

Control-Alt-F3 and log in

cd /etc

vi dhcpd.conf

Find the line with domain name servers set to 192.168.0.1,142.165.5.2

:wq

Squid
Misc (Set these options only if you will be using transparent proxy)

Http accel host "virtual" (make sure to DESELECT default)

http accel port 80

http accel with proxy on

http accel uses host header yes

Access Control

Select <client address> and click <Create New ACL>

Acl name localnetwork

192.168.0.1 192.168.0.254 255.255.255.0

save

Add proxy restriction

Select allow

And select the name localnetwork and save

Move the restriction to the top of the list

Return to squid menu

Initialize the cache as squid (if this has not been done)

Start squid or apply changes

Hardware -> network configuration
Network interface

6) Runlevel Setup

startx if not already started

Use system -> control panel

Make sure that DG starts at number 99 and squid at 87 on runlevels 3 and 5

Squid must load first

7) Configure DG

Control-Alt-F3 and log in if not already done

cd /etc/dansguardian

dansguardian.conf

vi dansguardian.conf

Change YOUR-SERVER to 192.168.0.1:81

Change reporting level and log level to taste. (Log level is best when it only records violations.)

Preferred log settings: only log violations, and reporting only level 1.

:wq

cp dansguardian.conf dansguardian.good

(this is upgrade protection. Upgrades WILL erase this file)

bannedurllist

vi bannedurllist

Remove leading # (comment) characters from entries, except the line containing proxy (it may not be in your blacklist and DG will fail to start)

:wq

Restart DG

/etc/rc.d/init.d/dansguardian restart

8) Webmin Setup

1) Open Webmin

Notes: These setups are made to allow teachers to log in and restart the internet if it should shutdown for some reason.

http://192.168.0.1:10000 if not already done.

Log in with root xxxxxx

Go to webmin -> webmin configuration

Go to webmin modules

Set module to clone to custom commands

Set the name to Dansguardian restart

Clone the module

Webmin index -> Others -> Dansguardian Restart

Create a new custom command

Description -> Internet Restart

Command -> /etc/rc.d/init.d/dansguardian restart

Run as user -> root

Save

Webmin index -> Webmin -> Webmin Users

Create a new webmin user

Username -> user

Password -> password

Modules -> select dansguardian restart

save

9) Test your proxy

Set your client for both ports 8080 and 3128

8080 should be filtered and 3128 unfiltered.

10) Transparent proxy

Many thanks to bkahuna2k@usa.net whoever you may be ;-) for this fine info.

vi /etc/rc.d/init.d/rc.firewall
if using ipchains add...
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8080

/sbin/ipchains -A input
if using ipfwadm add...
/sbin/ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 80 -r 8080

For Masquerading Add

/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_vdolive

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
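
The REDIRECT rule above has no interface or source match, so it applies to port 80 traffic arriving on any NIC, including eth1 on the ISP side. The script below is an added example, not part of the original howto: it lints a rule file for REDIRECT and MASQ rules that are not limited to the internal side. The -i eth0 / -s 192.168.0.0/24 scoping and both sample rule sets are assumptions built from the addresses used in this guide.

```sh
#!/bin/sh
# Added example, not part of the original howto.
# Lints an ipchains rule file for rules that also apply to the outside NIC.

# audit_firewall FILE: print one finding per line, nothing if the file is clean.
audit_firewall() {
    awk '
    /^[ \t]*#/ { next }
    /ipchains/ && /-j[ \t]+REDIRECT/ {
        # A redirect with neither -i nor -s matches traffic on every interface.
        if ($0 !~ /[ \t]-i[ \t]+[a-z]/ && $0 !~ /[ \t]-s[ \t]+[0-9]/)
            print "line " NR ": REDIRECT not limited by -i or -s"
    }
    /ipchains/ && /-j[ \t]+MASQ/ {
        masq = 1
        if ($0 !~ /[ \t]-s[ \t]/ || $0 ~ /[ \t]-s[ \t]+0\.0\.0\.0\/0/)
            print "line " NR ": MASQ rule accepts any source"
    }
    /ipchains/ && /-P[ \t]+forward[ \t]+DENY/ { deny = 1 }
    END { if (masq && !deny) print "forward policy is not DENY" }
    ' "$1"
}

# Constructed sample: the rules as written in the howto (eth0 = LAN side).
write_sample_original() {
    cat > "$1" <<'EOF'
/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8080
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
EOF
}

# Constructed sample: same redirect, limited to the LAN NIC and subnet (assumed).
write_sample_scoped() {
    cat > "$1" <<'EOF'
/sbin/ipchains -A input -i eth0 -s 192.168.0.0/24 -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8080
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
EOF
}

tmp=$(mktemp -d)
write_sample_original "$tmp/orig"
write_sample_scoped "$tmp/scoped"
echo "as written:"; audit_firewall "$tmp/orig"
echo "scoped:";     audit_firewall "$tmp/scoped"
rm -rf "$tmp"
```

To check a real box, call audit_firewall on a copy of /etc/rc.d/init.d/rc.firewall.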