Bandwidth Limiting (Part 3)

By telconetwork

OK, when we have configured everything, we must make sure that everything under the /opt/squid and /cache directories belongs to the user 'squid':

# mkdir /var/log/squid/

# chown squid:squid /var/log/squid/

# chmod 770 /var/log/squid/

# chown -R squid:squid /opt/squid/

# chown -R squid:squid /cache/

Now everything is ready to run Squid. When we do it for the first time, we have to create its cache directories:

# /opt/squid/bin/squid -z

We run Squid and check with IPTraf that everything is working; make sure you have set the appropriate proxy in your web browsers (192.168.1.1, port 8080 in our example):

# /opt/squid/bin/squid

If everything is working, we add the /opt/squid/bin/squid line to the end of our initialization scripts, usually /etc/rc.d/rc.local.

You can also copy cachemgr.cgi to the cgi-bin directory of your web server to make use of the Cache Manager.

OK, we have installed Squid and configured it to use delay pools. I bet nobody wants to be restricted, especially our clever LAN users. They will likely try to get around our limitations just to download their favorite mp3s a little faster (and thus cause you a headache).

I assume that you use IP masquerading on your LAN so that your users can use IRC, ICQ, email, etc. That's fine, but we must make sure that our LAN users go through our delay-pooled Squid to access web pages and use ftp. We can solve most of these problems with ipchains or iptables.

Linux 2.2.x kernels (ipchains)

We must make sure that nobody tries to cheat by using a proxy server other than ours. Public proxies usually run on ports 3128 and 8080:

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 3128 -p TCP -j REJECT

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 8080 -p TCP -j REJECT

We must also make sure that nobody tries to cheat by connecting to the internet directly (through IP masquerading) to download web pages:

/sbin/ipchains -A input -s 192.168.1.1/24 -d ! 192.168.1.1 80 -p TCP -j REDIRECT 8080

If everything is working, we add these lines to the end of our initialization scripts, usually /etc/rc.d/rc.local.

Linux 2.4.x kernels (iptables)

We must make sure that nobody tries to cheat by using a proxy server other than ours. Public proxies usually run on ports 3128 and 8080:

/sbin/iptables -A FORWARD -s 192.168.1.1/24 ! -d 192.168.1.1 -p tcp --dport 3128 -j DROP

/sbin/iptables -A FORWARD -s 192.168.1.1/24 ! -d 192.168.1.1 -p tcp --dport 8080 -j DROP

We must also make sure that nobody tries to cheat by connecting to the internet directly (through IP masquerading) to download web pages:

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

If everything is working, we add these lines to the end of our initialization scripts, usually /etc/rc.d/rc.local.
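As an added example (not part of the original article), here is the iptables variant above as a small script. It assumes eth0 is the LAN interface, 192.168.1.0/24 is the LAN and Squid listens on 192.168.1.1:8080; the rules are generated as text first so they can be reviewed, and applied idempotently with iptables -C (available since iptables 1.4.11), so the script can be called from rc.local more than once.

```shell
#!/bin/sh
# Forced-proxy rules for the LAN behind a Squid delay-pool gateway.
# Assumed values (not from the article): adjust to your network.
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"
PROXY_IP="192.168.1.1"
PROXY_PORT="8080"
OTHER_PROXY_PORTS="3128 8080"   # well-known proxy ports users might try directly

# Print the rules instead of executing them, so they can be reviewed
# (and tested) before touching the running firewall.
forced_proxy_rules() {
    for port in $OTHER_PROXY_PORTS; do
        # Drop forwarded connections to foreign proxies; '! -d' keeps our own
        # proxy reachable. Source and interface are restricted to the LAN.
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET ! -d $PROXY_IP -p tcp --dport $port -j DROP"
    done
    # Transparently send plain HTTP from the LAN through Squid. Only port 80
    # is redirected; everything else still follows the FORWARD rules above.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
}

# Apply each generated rule, skipping ones that already exist
# (iptables -C returns 0 when an identical rule is present).
apply_rules() {
    forced_proxy_rules | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        $check 2>/dev/null || $rule
    done
}

# Number of rules the generator produces (handy for a sanity check).
rule_count() {
    forced_proxy_rules | wc -l | tr -d ' '
}

# Run as "sh forced-proxy.sh apply" (as root) to load the rules;
# without the argument the script only defines the functions.
[ "${1:-}" = "apply" ] && apply_rules
```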

Dealing with Other Bandwidth-Consuming Protocols Using CBQ

We must remember that our LAN users can spoil our efforts if they use Napster, Kazaa or RealAudio. We must also remember that we didn't block ftp traffic. We will deal with this in a different way: not by limiting downloads directly, but indirectly. If our internet device is ppp0 and our LAN device is eth0, we will limit outgoing traffic on interface eth0 and thus limit the incoming traffic on ppp0.

To do this, we will get familiar with CBQ and the cbq.init script. Download cbq.init-v0.6.2 and put it in /etc/rc.d/. You will also need iproute2 installed. Now look in your /etc/sysconfig/cbq/ directory. There you should have an example file that works with cbq.init. If it isn't there, you probably don't have CBQ support compiled into your kernel or available as modules. In any case, just create that directory, put in the example files provided below, and see if it works for you.
