Chilli is completely dead, so I only want to run a Proxy Server, but even that does not work. Where did I go wrong?



koh
26-04-2010, 18:39
I tried putting chilli spot onto a large network with more than 300 machines and it would not run at all: it could not hand out IPs, completely dead. Changing the IP class would affect other programs, which are very old DOS versions, so I have to set up just a Proxy Server, used only to cache data.

So I installed CentOS following these steps, using the squid and iptables I previously used with chilli spot:
- Install CentOS 5.4 with the following services enabled:
- DHCP 3.05
- IPTABLE 1.3.5
- SQUID 2.7
---------------------------------------------------------------------------------------
And I set the IPs as follows:
eth0, which connects to the router, I set to
ip/sub : 192.168.1.2 / 255.255.255.0
gateway : 192.168.1.1

eth1, which connects to the internal LAN, I set to
ip/sub : 192.168.2.1 / 255.255.255.0
gateway : left blank, no value entered
-------------------------------------------------------------------------------
Then I started dhcpd with the following config:

ddns-update-style ad-hoc;
subnet 192.168.2.0 netmask 255.255.255.0 {
# --- default gateway
option routers 192.168.2.1; ###### IP of the second LAN card
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.2.1;
option time-offset 25200; # UTC+7 (Thailand)
option ntp-servers 203.185.67.114;
range dynamic-bootp 192.168.2.51 192.168.2.254;
default-lease-time 31536000;
max-lease-time 31536000; }
-------------------------------------------------------------------------------------------------
When I connected, the client could reach the server and received
IP : 192.168.2.254
SUB : 255.255.255.0
GATEWAY : 192.168.2.1
DNS : 192.168.2.1
Pinging 192.168.2.1 also worked.
-------------------------------------------------------------------------------------------------
Then I configured SQUID 2.7 as follows:

##SQUID 2.7 Debian ### SQUID 2.7 Clarkconnect Compile By jack of www.systemnetworkcare.com
#REF && Big Thanks
#http://www.squid-cache.org,http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube/Discussion,http://wiki.squid-cache.org/CategoryConfigExample
#http://human.network.web.id/2008/06/30/caching-youtube/
#http://h4ndr1.wordpress.com/2008/09/14/squid-26/
#http://h4ndr1.wordpress.com/2008/09/21/install-squid-27-debian-etch/
#http://www.lesismore.co.za/2008/02/squid-3-transparent-proxy.html
#http://fedora.co.in/content/youtube-caching-using-squid
#http://kulbirsaini.fedorapeople.org/stuff/youtube_cache/
#Nuke]v[ https://www.linuxthai.org
###### Tunnel By jack of www.systemnetworkcare.com ######

##PORT
http_port 8080 transparent
icp_port 3130
icp_query_timeout 0
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds

#============================================================$
#hierarchy_stoplist cgi-bin ?
#acl QUERY urlpath_regex cgi-bin \?
#cache deny QUERY
hierarchy_stoplist cgi-bin ? .acgi .asp .cgi .css .chtml .dll .htm .html .ini .jhtml .js .jsp .perl .phtml .pl .php .php3 .php4 .shtml .xhtml .xml .xtp updatelist$ FantaTennis FantaUpdater FantaLauncher AduRenderDll AduEngineDll Court_Ad Main_Ad Loading.jpg notice_popup korea.dat thailand.dat channel.dat CrazyKartClient.dat update_list.txt UCG.exe UCGA.exe UCG.DAT version.cfg
#============================================================$

#============================================================$
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#============================================================$
cache_dir aufs /var/spool/squid 20000 16 256
#cache_dir aufs /cache1/ 40000 16 256
#cache_dir aufs /cache2/ 40000 16 256
#cache_dir aufs /cache3/ 40000 16 256

error_directory /usr/share/squid/errors/English
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /etc/squid/mime.conf
pid_filename /var/run/squid.pid
log_fqdn off
log_mime_hdrs off
log_ip_on_direct off
logfile_rotate 7
debug_options ALL,1
buffered_logs off
emulate_httpd_log off

#============================================================$
# FTP section
#============================================================$
ftp_user anonymous@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on

#============================================================$
# DNS resolution section
#============================================================$
dns_nameservers 203.146.237.237 203.144.207.49 202.69.137.137 202.129.27.135
#============================================================$

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
negative_ttl 3 minutes
positive_dns_ttl 53 seconds
negative_dns_ttl 29 seconds
forward_timeout 4 minutes
connect_timeout 2 minutes
peer_connect_timeout 1 minutes
pconn_timeout 120 seconds
shutdown_lifetime 10 seconds
read_timeout 15 minutes
request_timeout 5 minutes
persistent_request_timeout 1 minute
client_lifetime 60 minutes
half_closed_clients off

##ACL LIST NETWORK

# ACL BLOCK_http_access deny download all Access Virus
# ----------------------------------------------------
#Thanks sf_alpha@hotmail.com for acl bittorrent_announce
acl bittorrent_announce url_regex -i http://.+announce.+info_hash=
http_access deny bittorrent_announce
acl sex url_regex -i ro89.com 3feel.com sex.com nusde.com video.xnxx.com
http_access deny sex
acl bit url_regex -i bit.com torrent.com
http_access deny bit
acl download urlpath_regex -i \.torrent # \.exe$ \.mpg$ \.mpeg$
http_access deny download

acl virus_nimda urlpath_regex -i .*/system32/cmd\.exe.*
acl virus_nimda2 urlpath_regex -i .*/winnt/system32/cmd.exe.*
acl virus_nimda2 urlpath_regex -i .*/MSADC/root.exe..c.dir$
acl virus_nimda2 urlpath_regex -i .*/scripts/root.exe..c.dir$

http_access deny virus_nimda
http_access deny virus_nimda2

#===================================================================$
#DEFAULT ACL
#===================================================================$
acl all src 0.0.0.0/0.0.0.0
#acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl systemnetworkcare src 10.0.0.0/8 # RFC1918 possible internal network
acl systemnetworkcare src 172.16.0.0/12 # RFC1918 possible internal network
acl systemnetworkcare src 192.168.0.0/16 # RFC1918 possible internal network
acl systemnetworkcare src 192.168.2.0/24 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow systemnetworkcare
http_access deny all
icp_access allow systemnetworkcare
icp_access deny all

#=============================================================$
##YOUTUBE + PhotoBucket CACHE
#=============================================================$
url_rewrite_children 20
acl youtube_query url_regex -i \.youtube\.com\/get_video
acl metacafe_query dstdomain v.mccont.com
acl dailymotion_query url_regex -i proxy\-[0-9][0-9]\.dailymotion\.com\/
acl google_query dstdomain vp.video.google.com
acl redtube_query dstdomain dl.redtube.com
acl xtube_query url_regex -i p[0-9a-z][0-9a-z]?[0-9a-z]?\.xtube\.com\/videos
acl vimeo_query url_regex bitcast\.vimeo\.com\/vimeo\/videos\/
acl wrzuta_query url_regex -i va\.wrzuta\.pl\/wa[0-9][0-9][0-9][0-9]?
url_rewrite_access allow youtube_query
url_rewrite_access allow metacafe_query
url_rewrite_access allow dailymotion_query
url_rewrite_access allow google_query
url_rewrite_access allow redtube_query
url_rewrite_access allow xtube_query
url_rewrite_access allow vimeo_query
url_rewrite_access allow wrzuta_query
redirector_bypass on

acl store_rewrite_list url_regex ^http://(.*?)/get_video\?
acl store_rewrite_list url_regex ^http://(.*?)/videodownload\?
acl store_rewrite_list url_regex ^http://i(.*?).photobucket.com/albums/(.*?)/(.*?)/(.*?)\?
acl store_rewrite_list url_regex ^http://vid(.*?).photobucket.com/albums/(.*?)/(.*?)\?

cache allow store_rewrite_list
cache allow all

storeurl_access allow store_rewrite_list
storeurl_access deny all
storeurl_rewrite_program /etc/squid/store_url_rewrite

acl QUERY urlpath_regex cgi-bin \? .acgi .asp .cgi .css .chtml .dll .htm .html .ini .jhtml .js .jsp .perl .phtml .pl .php .php3 .php4 .shtml .xhtml .xml .xtp updatelist$ FantaTennis FantaUpdater FantaLauncher AduRenderDll AduEngineDll Court_Ad Main_Ad Loading.jpg notice_popup korea.dat thailand.dat channel.dat CrazyKartClient.dat update_list.txt UCG.exe UCGA.exe UCG.DAT version.cfg
cache deny QUERY
#============================================================$
# Parameter Administratif $
#============================================================$
cache_mgr sncvision@hotmail.com
cache_effective_user squid
cache_effective_group squid
visible_hostname www.systemnetworkcare.com
unique_hostname jack_bennu@hotmail.com

#============================================================$
# ACCELERATOR
#============================================================$

memory_pools off
forwarded_for off
log_icp_queries off
icp_hit_stale on
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db on
netdb_low 9900
netdb_high 10000
netdb_ping_period 30 seconds
query_icmp off
pipeline_prefetch on
#reload_into_ims on
vary_ignore_expire on
max_open_disk_fds 100
nonhierarchical_direct on
prefer_direct off

#============================================================$
# OPTIONS WHICH AFFECT THE CACHE SIZE
#============================================================$
cache_mem 256 MB
maximum_object_size 250 MB
maximum_object_size_in_memory 32 KB
cache_swap_low 98%
cache_swap_high 99%
store_dir_select_algorithm round-robin
ipcache_size 2048
ipcache_low 98
ipcache_high 99
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

#============================================================$
# SNMP
#============================================================$
acl snmpcommunity snmp_community public
snmp_port 3401
snmp_access allow snmpcommunity localhost
snmp_access deny all

#============================================================$
#ZPH
#============================================================$
#tcp_outgoing_tos 0x30 localnet
zph_mode tos
zph_local 0x30
zph_parent 0
zph_option 136

#============================================================$
# Refresh Rate
#============================================================$
#Youtube
refresh_pattern ^http://(.*?)/get_video\? 10080 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://(.*?)/videodownload\? 10080 90% 999999 override-expire ignore-no-cache ignore-private

#Photo Bucket
refresh_pattern ^http://i(.*?).photobucket.com/albums/(.*?)/(.*?)/(.*?)\? 43200 90% 999999 override-expire ignore-no-cache ignore-private
refresh_pattern ^http://vid(.*?).photobucket.com/albums/(.*?)/(.*?)\? 43200 90% 999999 override-expire ignore-no-cache ignore-private

refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
refresh_pattern ^http://sjl-v[0-9]+\.sjl\.youtube\.com 10080 90% 999999 ignore-no-cache override-expire ignore-private

refresh_pattern \.php\? 0 20% 1440
#=============================================================$
#image
#=============================================================$
refresh_pattern -i \.(swf|png|jpg|jpeg|bmp|tiff|png|gif) 43200 75% 129600 override-expire override-lastmod ignore-reload reload-into-ims

#=============================================================$
#dokumen
#=============================================================$
refresh_pattern -i \.(doc|xls|ppt|ods|odt|odp|pdf) 43200 75% 129600 override-expire override-lastmod ignore-reload reload-into-ims
#=============================================================$
#multimedia
#=============================================================$
refresh_pattern -i \.(mov|mpg|mpeg|flv|avi|mp3|3gp|sis|wma|3gp|mp4) 43200 75% 129600 override-expire override-lastmod ignore-reload reload-into-ims
#=============================================================$
#compression
#=============================================================$
refresh_pattern -i \.(zip|rar|ace|bz|bz2|tar|gz|exe|rpm|deb|bin|cab) 43200 75% 129600 override-expire override-lastmod ignore-reload reload-into-ims
#=============================================================$
#web default eks
#=============================================================$
refresh_pattern -i (.*html$|.*htm|.*shtml|.*aspx|.*asp|.*php) 180 35% 4320 override-expire override-lastmod ignore-reload reload-into-ims
#=============================================================$
#situs internet validasi 24 jam - lama penyimpanan 7 hari
#=============================================================$
refresh_pattern ^http://*.google.*/.* 180 100% 4320 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern ^gopher://.*\.*$ 0 20% 1440
refresh_pattern ^http://.*\.*$ 0 20% 1440
refresh_pattern ^ftp://.*\.*$ 0 20% 1440
refresh_pattern ^ftp: 0 20% 1440
refresh_pattern ^gopher: 0 0% 1440
refresh_pattern . 0 20% 1440
-----------------------------------------------------------
Then I configured IPTABLES as follows:
IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

#Private network
PRIVATE=192.168.2.0/24

#Squid port
SQUID=8080

#Flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

#Set default behaviour
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 3306 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 5432 --syn -j ACCEPT

#Allow transparent proxy (wiboon 1/2)
$IPTABLES -A INPUT -p tcp -m tcp --dport $SQUID --syn -j ACCEPT

#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

#Allow transparent proxy (wiboon 2/2)
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -m tcp --dport $SQUID --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -m tcp -d 192.168.0.0/24 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -m tcp -d 192.168.1.0/24 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -m tcp -d 192.168.2.0/24 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -m tcp -d 172.16.0.0/12 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -m tcp -d 10.0.0.0/8 --dport 80 -j RETURN
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SQUID

#Allow 443
$IPTABLES -A FORWARD -s $PRIVATE -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -s $PRIVATE -p udp --dport 443 -j ACCEPT

# Algo string
$IPTABLES -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
$IPTABLES -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
$IPTABLES -A FORWARD -m string --algo bm --string "peer_id=" -j DROP
$IPTABLES -A FORWARD -m string --algo bm --string ".torrent" -j DROP
$IPTABLES -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
$IPTABLES -A FORWARD -m string --algo bm --string "torrent" -j DROP
$IPTABLES -A FORWARD -m string --algo bm --string "announce" -j DROP
$IPTABLES -A FORWARD -m string --algo bm --string "info_hash" -j DROP
$IPTABLES -A FORWARD -m string --algo bm --string "/default.ida?" -j DROP #codered virus
$IPTABLES -A FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP #nimda virus
$IPTABLES -A FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP #nimda virus

# bittorrent key
$IPTABLES -A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
$IPTABLES -A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
$IPTABLES -A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
$IPTABLES -A FORWARD -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
$IPTABLES -A FORWARD -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP

# DHT keyword
$IPTABLES -A FORWARD -m string --string "info_hash" --algo kmp --to 65535 -j DROP
$IPTABLES -A FORWARD -m string --string "get_peers" --algo kmp --to 65535 -j DROP
$IPTABLES -A FORWARD -m string --string "announce" --algo kmp --to 65535 -j DROP
$IPTABLES -A FORWARD -m string --string "announce_peers" --algo kmp --to 65535 -j DROP

#Block 81:442
#$IPTABLES -A FORWARD -s $PRIVATE -p tcp --dport 81:442 -j DROP
#$IPTABLES -A FORWARD -s $PRIVATE -p udp --dport 81:442 -j DROP

#Block 444:65535
#$IPTABLES -A FORWARD -s $PRIVATE -p tcp --dport 444:65535 -j DROP
#$IPTABLES -A FORWARD -s $PRIVATE -p udp --dport 444:65535 -j DROP

#Drop everything to and from $INTIF (forward)
#This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP



#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#Restart firewall
service iptables save
service iptables restart
--------------------------------------------------------------------------------------------------
As soon as I start iptables, I cannot ping the server 192.168.2.1 at all, and I cannot get on the internet either. What did I do wrong?
1. Cannot access the internet
2. Cannot ping the server
3. Is it possible to not use iptables at all and use only squid, since I only intend to run a cache server?
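A corrected firewall script for this setup, added here as an example (not the poster's script or any project's code). It shows the two things in the posted script that cut the LAN off: iptables evaluates rules first-match, so the "-A INPUT -i $INTIF -j DROP" placed above the ICMP and port 8080 ACCEPTs discards pings and the redirected HTTP, and the "-A FORWARD -i/-o $INTIF -j DROP" pair inherited from the ChilliSpot template drops every routed flow. It assumes the post's addressing (eth0 to the router, eth1 = 192.168.2.1, squid on 8080), that a resolver actually listens on 192.168.2.1 since dhcpd hands that address out as DNS, and leaves the torrent string-match rules out.

```shell
#!/bin/sh
# Added example, not the poster's script: firewall for a transparent squid cache
# on eth1 with the rule order fixed. IPTABLES=echo turns it into a dry run.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="eth0"; INTIF="eth1"        # eth0 -> router 192.168.1.1, eth1 -> LAN 192.168.2.1
PRIVATE="192.168.2.0/24"
SQUID=8080                        # squid's "http_port 8080 transparent"

enable_forwarding() { sysctl -w net.ipv4.ip_forward=1; }   # needed for non-HTTP traffic

apply_rules() {
  $IPTABLES -F; $IPTABLES -F -t nat; $IPTABLES -F -t mangle
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP       # explicit allows below, not ACCEPT plus blanket eth1 DROP
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # iptables is first-match. The posted script had "-A INPUT -i eth1 -j DROP" ABOVE
  # its ACCEPTs for ICMP and port 8080, so the LAN could neither ping 192.168.2.1
  # nor reach the redirected proxy. List the LAN services here and drop nothing blanket.
  $IPTABLES -A INPUT -i $INTIF -p udp --dport 67 -j ACCEPT                 # dhcpd
  $IPTABLES -A INPUT -i $INTIF -p udp --dport 53 -j ACCEPT                 # DNS: dhcpd hands
  $IPTABLES -A INPUT -i $INTIF -p tcp --dport 53 -j ACCEPT                 # out 192.168.2.1
  $IPTABLES -A INPUT -i $INTIF -p icmp --icmp-type echo-request -j ACCEPT
  $IPTABLES -A INPUT -i $INTIF -p tcp --dport $SQUID --syn -j ACCEPT       # redirected HTTP
  $IPTABLES -A INPUT -p tcp --dport 22 --syn -j ACCEPT                     # ssh, both sides
  # The posted "-A FORWARD -i/-o $INTIF -j DROP" came from the ChilliSpot template; with
  # the LAN directly on eth1 it blocked every non-HTTP flow. Allow LAN -> router only.
  $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $PRIVATE -j ACCEPT
  # Transparent proxy: leave private destinations alone, redirect the rest to squid.
  for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8; do
    $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -d $net --dport 80 -j RETURN
  done
  $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID
  $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $PRIVATE -j MASQUERADE
}

# Dry-run self-check: the port-$SQUID ACCEPT for $INTIF must be present on INPUT and
# no blanket "-i $INTIF -j DROP" may be there (the ordering mistake being fixed).
check_input_order() {
  rules=$( IPTABLES=echo; apply_rules )
  echo "$rules" | grep -q -- "-A INPUT -i $INTIF -p tcp --dport $SQUID --syn -j ACCEPT" || return 1
  ! echo "$rules" | grep -q -- "-A INPUT -i $INTIF -j DROP"
}

# "sh firewall.sh apply" (as root) applies the rules; anything else only prints them.
if [ "${1:-}" = "apply" ]; then enable_forwarding && apply_rules
else ( IPTABLES=echo; apply_rules ); fi
```

On question 3: squid on its own serves only clients whose browsers are pointed at 192.168.2.1:8080 explicitly; the nat REDIRECT rule is what makes it transparent, and the box still needs ip_forward plus MASQUERADE for everything that is not HTTP.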

easyzonecorpdotnet
27-04-2010, 13:45
When running chilli you have to look at the log in syslog to see what error it reports, so you can find the cause.