Chhuk (Borey Sorla), Sangkat Tek Thia Khan Sek Sok P.O.
Box 511 Phnom Penh, Cambodia
Tel: +855 23.99.55.00
[email protected]
Based on the network infrastructure, the administrator assigns IP addresses manually to the client computers and to the proxy server. The LAN clients must reach the Internet through the proxy service, and the proxy must ensure that clients cannot access Facebook, YouTube or movie websites during working time. The only exception is the manager, whose host at 10.10.xx.1/24 can access the Internet directly without enabling the proxy in the web browser.
Note: all clients must pass through the firewall policy.
Working time:
1. Server
A. Proxy/Firewall Server can access the Internet
B. LAN Server can ping the Proxy/Firewall Server
C. LAN Server can remote into the Proxy/Firewall Server
D. LAN Server can access the Internet without using the Proxy Server
E. Local DNS Server can request DNS from the ISP
2. Client
A. LAN staff request DNS from the Local DNS Server
B. IP address 10.10.xx.1 can access the Internet without using the proxy
C. LAN staff IPs from 10.10.xx.2 to 10.10.xx.253/24 have to use the proxy to access the Internet, with the following restrictions:
a. Block websites (social networks and video/movie websites)
b. Block download extensions (.mp3, .mp4, .exe)
c. All staff can access any website outside working time
d. Make sure clients cannot access the undesirable websites listed in the squidGuard and Shallalist files
e. For the Shallalist, deny only the folders named sex, gamble, movies, hacking and dating
f. Allow LAN staff to access any website outside working time by allowing it in the squidGuard service
Firewall and Proxy: HDD 50-100 GB, RAM 1-2 GB, OS Linux
Client: RAM 512 MB, HDD 50-100 GB, OS Windows 7
You must first create the IP addresses for your firewall and proxy. Run the command yast lan, assign the IP addresses and enable routing.
In this step you must also assign the gateway and enable routing, so that all IP interfaces are recognized and can communicate with the other networks.
Submit: Google Classroom
The IP configuration just completed covers three interfaces and three networks.
After enabling routing and assigning the IP addresses, add the ISP's DNS servers to the resolver configuration, for example with vi /etc/resolv.conf.
1. Server
A. Proxy/Firewall Server can access the Internet
Before you configure the firewall, make sure the interfaces and Ethernet settings match the LAN-server and LAN-staff networks. You must also allow the LAN server to request DNS from the ISP, so that it can resolve hostnames and reach the Internet easily. Start by creating a file with the .sh extension using touch or vim.
Example: touch firewall.sh or vim firewall.sh
The result: the firewall can access the Internet.
B. LAN Server can ping the Proxy/Firewall Server
When you allow the LAN server to ping the firewall, make sure the server has an IP address, a default gateway and DNS. For my server I have already installed DNS and AD.
This is the rule that allows the LAN server to ping the firewall.
The result: the server can ping the firewall, but the firewall cannot ping the server.
The result of pinging the LAN server from the firewall: it fails, because the rule only allows the server to ping the firewall.
C. LAN Server can remote into the Proxy/Firewall Server
When you allow the LAN server to remote into the firewall, create a rule restricted to a specific user and IP address, because the firewall must be secured. I decided to use SSH to remote into the firewall.
The result of the SSH remote session:
After connecting over SSH, I copied the folder named BL (the blacklist) to the firewall.
D. LAN Server can access the Internet without using the Proxy Server
For the server to access the Internet without the proxy server we need to create a NAT rule that lets the server use the Internet, and allow the LAN server to reach the Internet only indirectly, through the firewall. In addition, keep the ISP's DNS server in mind, because it is needed to resolve hostnames. Let's go through the steps below. First enable IP forwarding with the command: echo 1 > /proc/sys/net/ipv4/ip_forward.
The result: the server accesses the Internet without the proxy.
E. Local DNS Server requests DNS from the ISP
In this step you must allow the local DNS server to forward requests to the ISP's DNS, because the LAN server needs it to reach the Internet. If you do not allow DNS from the ISP,
your server cannot resolve the hostname of the website you want to reach. Below is the rule you must create.
This is the result: the LAN server requests DNS from the ISP's DNS.
2. Client
A. LAN staff request DNS from the Local DNS Server
For LAN staff to access the Internet, you must allow them to resolve names through the local DNS server (which in turn forwards to the ISP), so that they can reach websites by hostname.
This is the result after allowing LAN staff to request DNS, forwarded on to the ISP's DNS.
B. IP address 10.10.xx.1 can access the Internet without using the proxy server
Now I need to allow the LAN-staff address 10.10.34.1 to access the Internet without using the proxy server. One more thing: the LAN staff must already be able to request DNS from the ISP so that they can use the Internet.
The result: the LAN-staff host can access the Internet without the proxy.
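The report's firewall.sh is shown only as screenshots, so the script below is an added example (not the report's own file) that implements steps 1A to 1E and 2A to 2C of the task with iptables. Interface names (eth0 to the ISP, eth1 to the LAN server, eth2 to the LAN staff), the LAN-server address 10.10.33.2, the staff network 10.10.34.0/24 with the manager at 10.10.34.1, and the ISP resolver 203.0.113.53 are all assumptions. Run it without arguments to print the ruleset for review; run it with --apply as root to load it.

```shell
#!/bin/sh
# firewall.sh - iptables ruleset for the proxy/firewall host.
# Added example; every address and interface name below is an assumption.

WAN=eth0                    # interface to the ISP (assumed name)
LAN_SRV=eth1                # interface to the LAN-server segment (assumed)
LAN_STAFF=eth2              # interface to the LAN-staff segment (assumed)
LANSERVER=10.10.33.2        # local DNS/AD server (assumed address)
STAFF_NET=10.10.34.0/24     # "10.10.xx.0/24" with xx=34, as in the report
MANAGER=10.10.34.1          # manager host that bypasses the proxy
ISP_DNS=203.0.113.53        # ISP resolver (documentation-range placeholder)
PROXY_PORT=3128             # squid's default listening port
SSH_PORT=22

# Emit one iptables invocation as a line of text. Keeping the rules as data
# lets you read or diff the complete set before anything is loaded.
ipt() { printf 'iptables %s\n' "$*"; }

build_firewall() {
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'   # route between interfaces
    ipt -F; ipt -t nat -F; ipt -X
    # Deny by default in all three directions; every permitted flow is listed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # 1A: the firewall itself may reach the Internet (updates, ISP DNS).
    ipt -A OUTPUT -o "$WAN" -j ACCEPT
    # 1B: only the LAN server may ping the firewall. The firewall cannot ping
    #     the server, because no new outbound traffic on $LAN_SRV is allowed;
    #     this is the asymmetry the report observes.
    ipt -A INPUT -i "$LAN_SRV" -s "$LANSERVER" -p icmp --icmp-type echo-request -j ACCEPT
    # 1C: SSH to the firewall only from the LAN server, never from staff.
    ipt -A INPUT -i "$LAN_SRV" -s "$LANSERVER" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # 1E: the local DNS server forwards its queries to the ISP resolver.
    for proto in udp tcp; do
        ipt -A FORWARD -i "$LAN_SRV" -o "$WAN" -s "$LANSERVER" -d "$ISP_DNS" -p "$proto" --dport 53 -j ACCEPT
    done
    # 1D: the LAN server browses the Internet directly (HTTP/HTTPS only).
    ipt -A FORWARD -i "$LAN_SRV" -o "$WAN" -s "$LANSERVER" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # 2A: staff resolve names through the local DNS server only.
    for proto in udp tcp; do
        ipt -A FORWARD -i "$LAN_STAFF" -o "$LAN_SRV" -s "$STAFF_NET" -d "$LANSERVER" -p "$proto" --dport 53 -j ACCEPT
    done
    # 2B: the manager's host bypasses the proxy and is routed directly.
    ipt -A FORWARD -i "$LAN_STAFF" -o "$WAN" -s "$MANAGER" -j ACCEPT
    # 2C: every other staff host may only talk to squid on the firewall;
    #     direct forwarding from the staff segment is logged, then dropped.
    ipt -A INPUT -i "$LAN_STAFF" -s "$STAFF_NET" -p tcp --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN_STAFF" -o "$WAN" -s "$STAFF_NET" -j LOG --log-prefix staff-bypass:
    ipt -A FORWARD -i "$LAN_STAFF" -o "$WAN" -s "$STAFF_NET" -j DROP
    # Source NAT for everything that is allowed out through $WAN.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

case "${1:-}" in
    --apply) build_firewall | sh -e ;;   # load the rules (requires root)
    *)       build_firewall ;;           # default: print them for review
esac
```

The per-user restriction on SSH that the report asks for is not an iptables matter: set AllowUsers in /etc/ssh/sshd_config on the firewall so that only the intended account can log in from the LAN server's address. Rules are loaded with a deny-all policy first, so anything not listed (staff hosts going straight to port 80, for example) is dropped and the LOG line shows up in the kernel log when someone tries to bypass the proxy.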
C. LAN staff IPs from 10.10.xx.2 to 10.10.xx.253/24 have to use the proxy to access the Internet, with blocking
To let LAN staff access the Internet through the proxy you need to know which service to install so that the proxy can run. Follow these steps: run yast -i squid (or start yast and install it interactively), then cd /etc/squid, ls to view the files, and vi squid.conf to edit the configuration. After configuring, don't forget to restart the service.
Install squid and squidGuard.
In this step you must enter the IP address of the proxy/firewall (the same machine provides both) in the browser's proxy settings, so that the client reaches the Internet through it, as shown below.
This is the result: LAN staff access the Internet through the proxy.
a. Block websites (social networks and video/movie websites)
Now I will block social network and video/movie websites such as youtube.com, 123movies.to, facebook.com and so on. Create the ACL syntax that blocks these social network sites and tie it to the access rules that allow or deny traffic.
Let's test by having a staff client access a website for which we have defined permissions.
b. Block download extensions (.mp3, .mp4, .exe)
After blocking websites, we now test blocking downloads of the file extensions listed above.
The result of the extension-blocking test: this screenshot shows a .mp3 file being blocked by the proxy.
c. All staff can access any website outside working time
This step means that all staff can use the Internet for entertainment after they have finished working. Make sure the days and hours during which all staff are allowed access are configured in the time rule on the proxy server.
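The squid.conf edits for steps a, b and c appear in the report only as screenshots. The script below is an added example, not the report's configuration: it writes the two ACL list files and prints the access rules to append to /etc/squid/squid.conf. The staff network 10.10.34.0/24, the three example hostnames and the working hours (Monday to Friday, 08:00 to 17:00) are assumptions.

```shell
#!/bin/sh
# Generate the squid ACL files and matching squid.conf rules for the staff
# proxy: block social/video sites and .mp3/.mp4/.exe downloads during working
# hours, allow everything outside working hours. Added example; the working
# hours, hostnames and staff network are assumptions.

STAFF_NET=10.10.34.0/24
WORK_DAYS=MTWHF            # squid day letters: M T W H(Thu) F A(Sat) S(Sun)
WORK_HOURS=08:00-17:00

# Write the ACL list files, one pattern per line. squid re-reads them on
# "squid -k reconfigure", so the lists can grow without editing squid.conf.
write_acl_files() {
    dir=$1
    mkdir -p "$dir"
    # A leading dot in a dstdomain entry matches the domain and every subdomain.
    printf '%s\n' .facebook.com .youtube.com .123movies.to > "$dir/blocked_sites.txt"
    # Anchored regexes so "example.exe.org" is not caught; -i below ignores case.
    printf '%s\n' '\.mp3$' '\.mp4$' '\.exe$' > "$dir/blocked_ext.txt"
}

# Print the rules to insert in /etc/squid/squid.conf above the default
# "http_access deny all". Order matters: squid applies the first matching line.
squid_rules() {
    dir=$1
    cat <<EOF
acl lanstaff src $STAFF_NET
acl working_time time $WORK_DAYS $WORK_HOURS
acl blocked_sites dstdomain "$dir/blocked_sites.txt"
acl blocked_ext url_regex -i "$dir/blocked_ext.txt"
# a + b: during working time no social/video sites and no mp3/mp4/exe downloads
http_access deny lanstaff working_time blocked_sites
http_access deny lanstaff working_time blocked_ext
# c: outside working time every site is allowed for staff; everyone else is denied
http_access allow lanstaff
http_access deny all
EOF
}

case "${1:-}" in
    --install)
        write_acl_files /etc/squid
        squid_rules /etc/squid >> /etc/squid/squid.conf
        squid -k parse && squid -k reconfigure ;;   # check syntax, then reload
    *) squid_rules /etc/squid ;;                    # default: print the rules
esac
```

squid listens on port 3128 by default, which is the port the firewall must open to the staff segment. One limit worth knowing before testing: the extension ACL only sees full URLs for plain HTTP. For an HTTPS site the browser sends a CONNECT request with just host and port, so squid can block the whole site through blocked_sites but cannot tell that the path ends in .exe.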
d. Make sure clients cannot access the undesirable websites listed in the squidGuard and Shallalist files
Before you allow users to access any website, make sure that no user can reach the undesirable websites.
The configuration file is installed together with squid and squidGuard. Run vi /etc/squidguard.conf and create the rules below.
I redirect requests for blacklisted websites to gmail.com.
You need to know the directory that contains the domain blacklist we want to block.
Then run vi domains to view the blacklisted hostnames.
Once configured, run the following commands:
Run the commands below to build the database and hand ownership of the files to the squid user, so that it can manage the directory:
1. Command: squidGuard -d -b -C all
2. Command: chown squid * (delegate ownership)
3. Command: chown squid /usr/sbin/squidGuard
4. Command: chown -R squid /var/lib/squidGuard/db/
Step 3 is not needed for filtering to work and is better skipped: the squidGuard binary should stay owned by root, because a binary owned by the service account can be replaced by anything running as that account.
Let's test with a blacklisted website and see whether it is redirected to gmail.com or not.
Redirected to Gmail
e. For the Shallalist, deny only the folders named sex, gamble, movies, hacking and dating
To deny these folders you must copy the main folder that contains the subfolders to the directory /var/lib/squidGuard/db. Our main folder is named BL and contains those subfolders.
After copying the subfolders we need to create the rules in /etc/squidguard.conf.
The result: redirected to gmail.com
f. Allow LAN staff to access any website outside working time by allowing it in the squidGuard service
Create a new rule that allows staff to access any website during their free time.
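The /etc/squidguard.conf rules for steps d, e and f are shown in the report as screenshots only. The script below is an added example, not the report's file: it generates a squidGuard configuration that denies the five Shallalist categories during working time and passes everything outside it, verifies that every list the configuration refers to actually exists, compiles the databases and hooks squidGuard into squid. The BL folder under /var/lib/squidGuard/db and the gmail.com redirect follow the report; the staff network 10.10.34.0/24, the working hours and the log directory are assumptions.

```shell
#!/bin/sh
# Build /etc/squidguard.conf for the Shallalist categories the task denies,
# compile the databases and register squidGuard as squid's URL rewriter.
# Added example; the working hours and staff network are assumptions.

DBHOME=/var/lib/squidGuard/db
CATEGORIES="sex gamble movies hacking dating"
STAFF_NET=10.10.34.0/24
REDIRECT_URL=http://gmail.com      # where the report sends blocked requests

# Print the squidGuard configuration. Within working time staff may reach
# anything except the listed categories; outside working time everything passes.
squidguard_conf() {
    echo "dbhome $DBHOME"
    echo "logdir /var/log/squidGuard"
    echo "time working_time { weekly mtwhf 08:00-17:00 }"
    echo "src lanstaff { ip $STAFF_NET }"
    for category in $CATEGORIES; do
        echo "dest $category { domainlist BL/$category/domains urllist BL/$category/urls }"
    done
    deny=""
    for category in $CATEGORIES; do deny="$deny !$category"; done
    cat <<EOF
acl {
    lanstaff within working_time {
        pass$deny all
        redirect $REDIRECT_URL
    } else {
        pass all
    }
    default {
        pass none
        redirect $REDIRECT_URL
    }
}
EOF
}

# Every list the configuration names must exist. If one is missing squidGuard
# starts in emergency mode and passes every request through unfiltered, which
# looks like a working proxy until someone opens a blocked site.
check_lists() {
    for category in $CATEGORIES; do
        for f in domains urls; do
            [ -f "$DBHOME/BL/$category/$f" ] || {
                echo "missing list: $DBHOME/BL/$category/$f" >&2
                return 1
            }
        done
    done
}

install_squidguard() {
    check_lists || exit 1
    squidguard_conf > /etc/squidguard.conf
    squidGuard -C all                 # compile domains/urls into .db files
    chown -R squid "$DBHOME"          # squid's worker user must read the db
    grep -q '^url_rewrite_program' /etc/squid/squid.conf || \
        echo 'url_rewrite_program /usr/sbin/squidGuard -c /etc/squidguard.conf' >> /etc/squid/squid.conf
    squid -k reconfigure
}

case "${1:-}" in
    --install) install_squidguard ;;
    *)         squidguard_conf ;;     # default: print the configuration
esac
```

Redirecting to gmail.com, as the report does, works for a demonstration, but in practice a local block page is clearer for users and keeps block events visible in squidGuard's own log. Only the database directory is handed to the squid user; the squidGuard binary stays root-owned.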