Deploying Suse Linux Enterprise Server
| Purchase "Deploying Suse Linux Enterprise Server" at Lulu.com |
Configuring the Firewall
- Firewall Yast Module
- Masquerading and Port Forwarding
- Utilizing a Proxy Server
- Internet Filtering and Reporting
Utilizing the Squid Proxy Server
Now that the firewall is completely configured for your environment, we can cover how to implement a "Proxy Server" to complement it. A Proxy Server can improve Internet speed by "caching" data for faster retrieval, and it lets you apply Access Control Lists to Internet traffic, block access to certain sites, and use its statistics to create advanced usage reports. For more advanced networks you can even configure multiple Proxy Servers together to "load-balance" your Internet connection.
The proxy server that Suse Linux Enterprise Server utilizes is called "Squid" and is available on the installation media. As of this writing, Novell has not implemented a "Yast Module" to configure Squid, but one is being developed (and is already implemented in OpenSuse 10.3). Fortunately, Squid is not difficult to configure manually, so it is relatively easy to get it up and running on Suse Linux Enterprise Server.
Once you get Squid installed (ex. "yast -i squid") it is relatively easy to adjust it to fit into your network. The main configuration file is located at "/etc/squid/squid.conf" and the defaults should suffice as a good starting point. However, you will need to grant your workstations the ability to utilize the Squid proxy server. To do this, you must add an "Access Control List" that includes your local network. For instance, adjust the configuration file (around line number 1873) to include something similar to:
acl our_network src 192.168.1.0/24
http_access allow our_network
Then, simply start (or restart) Squid with "/etc/init.d/squid restart" or "rcsquid restart" to allow your clients to access the Internet through Squid. Also ensure that Squid will start when the computer boots up with: "chkconfig squid on".
Note: The ACL implemented above is a very simple control list. Squid gives you the opportunity to implement very complex and advanced Access Control Lists (including user authentication) if your environment calls for it. See the Squid documentation for more information on how to implement advanced ACLs.
By default, Squid will utilize port 3128 on your server. To be able to use Squid, you must manually configure all of your Internet Clients (Internet Explorer, Firefox, etc.) to utilize your proxy server through port 3128. Alternatively, you could also configure your firewall to automatically use the Squid Proxy Server for all HTTP traffic. This is called implementing a "Transparent Proxy".
Enabling a Transparent Proxy
To enable a "Transparent Proxy" you must first configure Squid to be used as a transparent proxy. To do this, open the Squid configuration file at "/etc/squid/squid.conf" and ensure that the following options are enabled (restart Squid after making the change).
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Then you need to change your firewall settings to redirect any HTTP traffic coming from your network to the proxy server. To do this, you must open the "/etc/sysconfig Editor" Yast Module (located under the System section). Then browse to "Network - Firewall - SuSEfirewall2" and find the "FW_REDIRECT" option. This must be set to something similar to the following (also restart the firewall once this is configured).
192.168.1.0/24,0/0,tcp,80,3128
Squid should now be configured as a "Transparent Proxy" and all HTTP traffic coming from your network should automatically be redirected through your Squid Proxy Server.
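The ACL and the FW_REDIRECT setting above have to agree: the network redirected to port 3128 must be permitted by an "http_access allow" ACL, and that ACL should cover only private address space, otherwise the proxy serves outside clients. The following Python check is an added example, not part of the book or of Squid; the function names and the sample input are constructed, and it handles only plain address/mask "src" entries.

```python
import ipaddress

# RFC 1918 private ranges plus loopback: the sources a LAN-only proxy should serve.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def allowed_sources(conf_text):
    """Return {acl_name: [networks]} for src ACLs used in 'http_access allow'."""
    src_acls, allowed = {}, set()
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            for item in tok[3:]:
                try:
                    net = ipaddress.ip_network(item, strict=False)
                except ValueError:
                    continue  # address ranges and file references are skipped
                src_acls.setdefault(tok[1], []).append(net)
        elif tok[:2] == ["http_access", "allow"]:
            allowed.update(t for t in tok[2:] if not t.startswith("!"))
    return {name: nets for name, nets in src_acls.items() if name in allowed}

def audit(conf_text, fw_redirect):
    """Return findings for a squid.conf text and a FW_REDIRECT value."""
    findings = []
    sources = allowed_sources(conf_text)
    for name, nets in sorted(sources.items()):
        for net in nets:
            if net.version != 4 or not any(net.subnet_of(r) for r in INTERNAL):
                findings.append(f"acl {name}: {net} is not a private IPv4 range")
    # The first field of each FW_REDIRECT entry is the redirected client network.
    for entry in fw_redirect.split():
        client = ipaddress.ip_network(entry.split(",")[0], strict=False)
        covered = any(n.version == client.version and client.subnet_of(n)
                      for nets in sources.values() for n in nets)
        if not covered:
            findings.append(f"FW_REDIRECT {client} has no matching allow ACL")
    return findings

# Constructed sample input: the ACL has two digits transposed (192.186 for 192.168).
SAMPLE_CONF = """\
acl localhost src 127.0.0.1/255.255.255.255
acl our_network src 192.186.1.0/24
http_access allow localhost
http_access allow our_network
"""
SAMPLE_REDIRECT = "192.168.1.0/24,0/0,tcp,80,3128"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, SAMPLE_REDIRECT)))
```

The check does not evaluate the order of allow and deny rules, so it reports which sources an allow rule names, not the final access decision.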

