Membuat routing dengan Iptables sebagai catatan pribadiku, sapa tau lupa
pas berada di lokasi, masalah bener apa enggak nya silakan di cross cek
lagie. yang penting ini sudah jalan di beberapa server yang telah aku
buat.
Asumsi linux centos sudah terinstall.
1.Edit file 'sysctl.conf' dengan cara #vim /etc/sysctl.conf
2.Aktifkan perintah untuk memforward IP dengan cara edit file sysctl.conf dan cari baris berikut
# Controls IP packet forwarding
net.ipv4.ip_forward = 1 (semula 0 menjadi 1)
3.Kemudian jalankan perintah #iptables -t nat -A POSTROUTING -d 0/0 -s 192.168.1.0/24 -j MASQUERADE
jaringan dengan alamat ip 192.168.1.0/24 (1-254) diforwardkan ke network 0/0 (semua tujuan).
Silakan beri alamat ip komputer client sesuai dengan alamat network source-nya.
Catatan: rule di atas tidak membatasi interface keluar (tidak ada -o), jadi MASQUERADE berlaku untuk semua interface; biasanya dibatasi ke interface uplink dengan -o.
PROXY TRANSPARENT
1. Pertama yang dilakukan cek apakah squid telah terpasang atau belom
# rpm -qa |grep squid
squid-2.6.STABLE6-4.el5
2. Kalau sudah terinstall tinggal ke langkah selanjutnya, apabila belom terpasang maka bisa download paket rpm-nya kemudian di install.
3. Lakukan edit file squid.conf
# vim /etc/squid/squid.conf
# squid.conf for Squid 2.6 (see the rpm -qa output above) acting as a transparent
# proxy on the LAN address 192.168.1.254. The "transparent" keyword only tells
# squid to accept intercepted requests; the interception itself is the iptables
# REDIRECT of TCP/80 in step 4 of this guide, so HTTPS (443) is never proxied —
# it leaves the box through the MASQUERADE rule instead.
http_port 192.168.1.254:3128 transparent
ssl_unclean_shutdown off
# ICP is used for cache-peer queries. No cache_peer line appears in this file,
# so UDP 3130 is a listener with nothing to serve; icp_port 0 would close it.
icp_port 3130
icp_query_timeout 2000
maximum_icp_query_timeout 2000
dead_peer_timeout 10 seconds
# Do not cache dynamic content (cgi-bin paths and URLs with a query string).
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_vary on
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Sizing: cache_mem is the in-RAM object cache; objects larger than 32 KB are
# served from disk only. Three aufs stores of 1500 MB each (size, L1 dirs,
# L2 dirs) live under /cache1, /cache2 and /cache3.
cache_mem 64 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 500 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 32 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LRU
# NOTE: steps 5 and 7 of the guide create and chown "/cache", but the
# directories used here are /cache1, /cache2 and /cache3 — each must exist
# and be owned by the cache_effective_user (squid) before "squid -Z".
cache_dir aufs /cache1 1500 16 256
cache_dir aufs /cache2 1500 16 256
cache_dir aufs /cache3 1500 16 256
# Logging: every client request goes to access.log; the store log is disabled.
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
mime_table /etc/squid/mime.conf
log_mime_hdrs off
pid_filename /var/run/squid.pid
debug_options ALL,1
log_fqdn off
# Client addresses are masked with this netmask in access.log and cachemgr
# output (some privacy for users). Note that "forwarded_for on" further down
# still sends the full client IP to origin servers.
client_netmask 255.255.255.0
# Anonymous FTP credentials and behaviour for ftp:// URLs.
ftp_user Squid@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
check_hostnames on
allow_underscore on
# Resolvers: a local resolver first, then an external one.
# NOTE(review): 222.222.22.22 looks like a placeholder — verify before use.
dns_nameservers 127.0.0.1 222.222.22.22
hosts_file /etc/hosts
# Aggressive freshness rules: reload-into-ims turns client reloads into
# If-Modified-Since requests, override-lastmod enforces the minimum age even
# when Last-Modified is present, and the catch-all pattern keeps objects for up
# to 120960 minutes (84 days). Serving stale content is possible with these.
refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
# With both thresholds at 0 KB a transfer is dropped as soon as the client
# aborts; nothing is fetched just to finish caching it.
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 98
negative_ttl 1 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 1 minute
collapsed_forwarding off
refresh_stale_hit 3600 seconds
# Connection lifetimes and timeouts.
client_lifetime 1 day
half_closed_clients on
pconn_timeout 120 seconds
ident_timeout 10 seconds
shutdown_lifetime 10 seconds
# ACL definitions. Squid 2.6 still accepts the old dotted-netmask syntax.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# "admin" is identified by source IP alone. The DHCP range in the last section
# (192.168.1.1 - 192.168.1.253) includes 192.168.1.253, so any DHCP client may
# receive this address and inherit the unlimited delay pool 1 below; reserve
# the address (fixed-address by MAC) or keep it out of the dynamic range.
acl admin src 192.168.1.253/255.255.255.255
acl LOCALNET src 192.168.1.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Blocklist. These are unanchored regexes with unescaped dots, so each entry
# matches any URL containing that text anywhere (host or path); escaping the
# dots, or using dstdomain for host-based blocking, gives exact matches.
acl SITUSELIK url_regex survey-poll.com jopenqc.com 51.la voicefive.com adshuffle.com
# http_access is evaluated first-match: blocklist, then cachemgr only from
# localhost, then the standard port / CONNECT / loopback hardening, then the
# admin host and the LAN, then deny everything else.
http_access deny SITUSELIK
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow admin
http_access allow LOCALNET
# Duplicate of the miss_access line further down; harmless but redundant.
miss_access allow localhost
http_access deny all
http_reply_access allow all
# miss_access decides who may trigger a fetch from the origin on a cache miss:
# only the LAN and localhost.
miss_access allow LOCALNET
miss_access allow localhost
miss_access deny all
# cache_mgr and visible_hostname are placeholders (domain.com); set real values.
# visible_hostname is shown in Via headers and error pages.
cache_mgr cache@domain.com
# Drop root after start-up: the cache process runs as squid:squid.
cache_effective_user squid
cache_effective_group squid
# "off" advertises the exact Squid version in error pages and headers;
# "on" reduces version fingerprinting.
httpd_suppress_version_string off
visible_hostname domain.com
logfile_rotate 7
memory_pools off
# Via and X-Forwarded-For headers are added to outgoing requests, disclosing
# the proxy and the client's internal 192.168.1.x address to origin servers.
via on
forwarded_for on
# cachemgr passwords are stored in plaintext here and "domain" is a weak
# placeholder: keep squid.conf unreadable by other users and choose a real
# secret. "disable all" is intended to switch off every other cachemgr action;
# confirm the two entries above still take precedence in this Squid version.
cachemgr_passwd domain shutdown
cachemgr_passwd domain info stats/objects
cachemgr_passwd disable all
icon_directory /usr/share/squid/icons/
error_directory /usr/share/squid/errors/English
coredump_dir /var/spool/squid
high_response_time_warning 2000
ie_refresh on
pipeline_prefetch on
vary_ignore_expire on
# buffered_logs expects on/off; "none" is presumably treated as off — confirm.
buffered_logs none
acl FILEBESAR url_regex -i att get.php .\swf \.cab \.flv \.msi \.pdf \.rtf \.wav \.tif \.acx \.raw \.iso \.rm \.ram \.qt \.ocx \.mpe \.avi \.zip \.rar \.rpm \.vqf \.mov \.exe \.gz \.tar.gz \.gz2 \.tar.gz2 \.tgz \.m1v \.mpeg \.mpg \.m2v \.vob \.mpa \.mp2 \.mp3 \.aac \.dat \.bin \.asf \.wma \.asx \.wmv \.ram \.ra \.rm \.rnx \.viv \.vivo \.scr \.chm
# Bandwidth shaping. Pools are checked in order: pool 1 gives "admin" an
# unlimited bucket (-1/-1); pool 2 limits LAN clients fetching FILEBESAR
# (the url_regex acl defined just above) to 5000 bytes/s. Both ACLs on the
# "delay_access 2 allow" line must match (AND) for the limit to apply.
# NOTE(review): FILEBESAR's patterns are case-insensitive unanchored regexes,
# so "att" and "get.php" match any URL containing that text, and ".\swf"
# looks like a typo for "\.swf".
delay_pools 2
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow admin
delay_access 1 deny all
# A class 1 pool takes a single restore/max pair; the extra "10000/10000"
# looks like a leftover from a class 2 pool — confirm how this version treats it.
delay_class 2 1
delay_parameters 2 5000/5000 10000/10000
delay_access 2 allow LOCALNET FILEBESAR
delay_access 2 deny all
4. Untuk redirect ke transparent proxy port 3128 menggunakan perintah
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 (eth1 = interface yang mengarah ke client)
5. Buat directory cache (/cache1, /cache2, /cache3) sesuai dengan setingan cache_dir di squid.conf
6. squid -D
7. #chown -R squid:squid /cache
8. squid -Z
9. service squid start
SERVER DHCP
1. Lakukan pengecekan paket dhcp apakah sudah/belum terinstall
# rpm -qa dhcp
dhcp-3.0.5-7.el5
2. Lakukan proses editing pada dhcpd.conf
# vim /etc/dhcpd.conf
3. isi dhcpd.conf
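# ISC dhcpd configuration for the 192.168.1.0/24 LAN behind the gateway
# configured in the earlier sections: dynamic lease range, gateway/DNS/NIS
# options and two fixed-address hosts.
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
# --- default gateway (the NAT/squid box from the earlier sections)
option routers 192.168.1.254;
option subnet-mask 255.255.255.0;
option nis-domain "uny.ac.id";
option domain-name "labkom.uny";
# NOTE(review): both resolvers are outside 192.168.1.0/24; clients reach them
# only through the gateway's forwarding/MASQUERADE rule — confirm.
option domain-name-servers 192.168.167.254, 172.17.255.254;
# -18000 s = UTC-5 (Eastern Standard Time, inherited from the stock sample);
# adjust if clients rely on this option.
option time-offset -18000;
# Eastern Standard Time#
option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
# NOTE(review): the dynamic range covers the whole subnet below the gateway,
# including the fixed-address entries 192.168.1.1 and 192.168.1.2 declared
# below and the 192.168.1.253 "admin" address the squid config trusts. dhcpd
# does not automatically keep fixed addresses out of a dynamic range, so the
# same address can end up leased twice; start the range above the reserved
# addresses (e.g. 192.168.1.10) and end it below .253.
range dynamic-bootp 192.168.1.1 192.168.1.253;
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
#host ns { next-server marvin.redhat.com; hardware ethernet 12:34:56:78:AB:CD;
#fixed-address 207.175.42.254;
# pembagian alamat ip tertentu (static assignment by MAC address)
# xx:xx:xx:xx:xx:xx is a placeholder, not valid hex, and the two hosts must not
# share one MAC — replace each with the client's real hardware address.
host kom1 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.2;
}
host Kom2 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.1;
}
}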
4. # service dhcpd start
5. Finish