Installing Squid on Red Hat Linux 8.0

I will be building a Squid Web proxy/cache server with Red Hat 8.0 on a Compaq ProLiant 6500. The server has dual Pentium Pro 200 processors, 1.1 GB of RAM, five 9.1 GB SCSI disks, and two 100BaseTX-FD network interfaces.

Within Compaq's array configuration utility, I mirrored the operating system disk, leaving three Squid cache disks. After searching the Squid mailing lists, it appears that RAID striping is not recommended on the Squid cache disks, as Squid itself caches across multiple disks. Also, if one of the disks used for the Squid cache fails, the cache server will continue to operate if the disks are not in a striped configuration.

I will use the Reiser file system (ReiserFS) for the Squid cache disks, and use ext3 for the operating system disk. This link shows a performance comparison of ReiserFS vs. ext3 vs. ext2. For file systems containing thousands of small files, such as file systems used as a Web cache server, ReiserFS should noticeably outperform ext3. Make sure to mount the ReiserFS file systems with the noatime and notail flags for maximum performance.

I chose a Customized Red Hat Linux installation, and selected no packages except those in the bare-bones Red Hat 8.0 installation. I like to use apt for RPM to retrieve any packages needed after the installation.

I would recommend not enabling the internal or external network interfaces until your system is updated and properly configured with an iptables-based firewall.

After the operating system installation is complete, install apt:
rpm -Uvh ftp://ftp.freshrpms.net/pub/freshrpms/psyche/apt/apt-0.5.4cnc8-fr1.i386.rpm

Once apt is installed, you may download the latest apt package information and upgrade your system with any updated packages:
/usr/bin/apt-get update; /usr/bin/apt-get upgrade -y

You may wish to add a root crontab entry to update your system daily:
# Update system daily
0 4 * * * /usr/bin/apt-get update; /usr/bin/apt-get upgrade -y

Change your sshd settings to only allow sshd to bind to your internal IP address, and disable remote root logins:
vi /etc/ssh/sshd_config

Change:
#ListenAddress 0.0.0.0

To:
ListenAddress internal_IP_address

Change:
#PermitRootLogin yes

To:
PermitRootLogin no

Activate the sshd changes:
/sbin/service sshd reload
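A quick way to confirm the two sshd_config changes above took effect in the file (added example, not part of the original article; 192.168.1.10 is a made-up LAN address and the sample configs are constructed inline):

```sh
#!/bin/sh
# Added example: audit an sshd_config for the two changes made above.
# Commented-out lines only show sshd's defaults, so just uncommented directives
# count. sshd honours the first PermitRootLogin it reads; ListenAddress may
# appear more than once, so every active one must be the LAN address.

# listen_addrs FILE -> every active ListenAddress value, one per line
listen_addrs() {
    awk 'tolower($1) == "listenaddress" { print $2 }' "$1"
}

# first_value FILE KEYWORD -> first active value of KEYWORD, or nothing
first_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) && !seen { print $2; seen = 1 }' "$1"
}

# audit_sshd FILE LAN_IP -> PASS/FAIL per check; returns 0 only if all pass
audit_sshd() {
    file="$1"; lan_ip="$2"; rc=0
    addrs=$(listen_addrs "$file")
    if [ -z "$addrs" ]; then
        echo "FAIL no ListenAddress set, sshd binds 0.0.0.0 on every interface"; rc=1
    fi
    for a in $addrs; do
        if [ "$a" = "$lan_ip" ]; then echo "PASS ListenAddress $a"
        else echo "FAIL ListenAddress $a is not the LAN address $lan_ip"; rc=1; fi
    done
    root_login=$(first_value "$file" PermitRootLogin)
    if [ "$root_login" = "no" ]; then echo "PASS PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${root_login:-unset, default yes}'"; rc=1; fi
    return $rc
}

# Constructed sample configs: one edited as described above, one stock
WORK=$(mktemp -d)
HARDENED="$WORK/sshd_config.hardened"
cat > "$HARDENED" <<'EOF'
#ListenAddress 0.0.0.0
ListenAddress 192.168.1.10
#PermitRootLogin yes
PermitRootLogin no
EOF
STOCK="$WORK/sshd_config.stock"
cat > "$STOCK" <<'EOF'
#ListenAddress 0.0.0.0
#PermitRootLogin yes
EOF

audit_sshd "$HARDENED" 192.168.1.10
```

Run it against /etc/ssh/sshd_config with your own internal address; a non-zero exit means at least one check failed.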

Disable unnecessary services immediately and when the system is restarted:
chkconfig netfs off && service netfs stop
chkconfig portmap off && service portmap stop
chkconfig apmd off && service apmd stop
chkconfig atd off && service atd stop
chkconfig gpm off && service gpm stop
chkconfig autofs off && service autofs stop
chkconfig isdn off && service isdn stop
chkconfig kudzu off && service kudzu stop
chkconfig sendmail off && service sendmail stop
chkconfig nfslock off && service nfslock stop
chkconfig rhnsd off && service rhnsd stop
chkconfig pcmcia off && service pcmcia stop
chkconfig anacron off && service anacron stop
You may have other services that should be disabled. Run chkconfig --list | grep on to see a list of services that will start at various system runlevels.
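A small parser for the chkconfig --list output that flags services still enabled at a runlevel but not on your allowlist (added example, not from the original article; the listing below is constructed, and the KEEP list is an assumption about what this proxy box should run):

```sh
#!/bin/sh
# Added example: report SysV services still enabled at a runlevel that are
# not on an allowlist, by parsing `chkconfig --list` output.

# enabled_at FILE RUNLEVEL -> SysV services marked "<RUNLEVEL>:on" in FILE.
# Matching the runlevel field instead of a bare `grep on` avoids false hits on
# names like "anacron" and skips the xinetd section at the end of the listing.
enabled_at() {
    awk -v rl="$2" 'BEGIN { want = rl ":on" }
         NF == 8 { for (i = 2; i <= NF; i++) if ($i == want) print $1 }' "$1"
}

# unexpected_at FILE RUNLEVEL "svc1 svc2 ..." -> enabled services not in the allowlist
unexpected_at() {
    for svc in $(enabled_at "$1" "$2"); do
        case " $3 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Constructed sample of `chkconfig --list` output from a box not yet trimmed
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
anacron         0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: off
EOF

# Services this proxy box is meant to run; anything else at runlevel 3 is suspect
KEEP="network syslog crond iptables sshd squid named"
unexpected_at "$SAMPLE" 3 "$KEEP"
```

On a live system replace the sample file with `chkconfig --list > /tmp/services.txt` and feed that path in; each name printed is a candidate for `chkconfig NAME off && service NAME stop`.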

Create an iptables firewall script. In this scenario, the LAN interface is eth1, and the Internet interface is eth0.

mkdir /root/scripts
vi /root/scripts/firewall.sh

Add:
#!/bin/sh

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done

# Don't send Redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Drop spoofed packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Log packets with impossible addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

# Flush INPUT, OUTPUT, and FORWARD chains
/sbin/iptables -F

# Unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Set the default INPUT, OUTPUT, and FORWARD policy to DROP
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# Use connection state to bypass rule checking
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
/sbin/iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT

# Explicitly drop all other incoming traffic on any interface (same effect as the DROP policy above)
/sbin/iptables -A INPUT -j DROP

# Have these rules take effect when iptables is started
/sbin/service iptables save

Make the firewall script executable:
chmod 750 /root/scripts/firewall.sh

Start the firewall:
/root/scripts/firewall.sh

Install squid:
/usr/bin/apt-get install squid -y

Configure squid. Visit the following URLs for configuring Squid, and make sure to use aufs for asynchronous I/O when configuring the Squid cache_dir directives.

http://linux.oreillynet.com/lpt/a/1051
http://squid-docs.sourceforge.net/latest/html/

Start squid at system boot:
chkconfig squid on

Install a caching nameserver:
apt-get install caching-nameserver -y

Start named at system boot:
chkconfig named on

Update your DNS resolver configuration:
vi /etc/resolv.conf

Add:
nameserver 127.0.0.1

Start your caching nameserver:
service named start

Start squid:
service squid start

Last modified: 03/11/2003