Debian Proxy Server Mikrotik sejajar Klien

Installasi UNBOUND DNS server dan LUSCA di Debian Squeeze
host proxy.hade.war.net
ip 192.168.2.25
gw 192.168.2.30

topologi :
Proxy and Cleint connect to SWITCH and using same subnet.

echo deb http://kambing.ui.ac.id/debian/ squeeze main | tee -a /etc/apt/sources.list
echo deb http://download.webmin.com/download/repository sarge contrib | tee -a /etc/apt/sources.list
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get -y update && apt-get -y upgrade && apt-get -y install unbound dnsutils webmin

cd /etc/unbound
wget  ftp://FTP.INTERNIC.NET/domain/named.cache
unbound-control-setup
chown unbound:root unbound_*
chmod 440 unbound_*

nano /etc/unbound/unbound.conf

server:
        verbosity: 1
        statistics-interval: 120
        num-threads: 1
        interface: 0.0.0.0

        outgoing-range: 512
        num-queries-per-thread: 1024

        msg-cache-size: 16m
        rrset-cache-size: 32m

        msg-cache-slabs: 4
        rrset-cache-slabs: 4

        cache-max-ttl: 86400
        infra-host-ttl: 60
        infra-lame-ttl: 120

        infra-cache-numhosts: 10000
        infra-cache-lame-size: 10k

        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes

        access-control: 192.168.0.0/16 allow
        #access-control: 172.16.0.0/12 allow
        #access-control: 10.0.0.0/8 allow
        access-control: 127.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse

        chroot: "/etc/unbound"
        username: "unbound"
        directory: "/etc/unbound"
        #logfile: "/etc/unbound/unbound.log"
        #use-syslog: yes
        logfile: ""
        use-syslog: no
        pidfile: "/etc/unbound/unbound.pid"
        root-hints: "/etc/unbound/named.cache"

        identity: "ns.hade.war.net"
        version: "1.4"
        hide-identity: yes
        hide-version: yes
        harden-glue: yes
        do-not-query-address: 127.0.0.1/8
        do-not-query-localhost: yes
        module-config: "iterator"

        #zone localhost
        local-zone: "localhost." static
        local-data: "localhost. 10800 IN NS localhost."
        local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
        local-data: "localhost. 10800 IN A 127.0.0.1"

        local-zone: "127.in-addr.arpa." static
        local-data: "127.in-addr.arpa. 10800 IN NS localhost."
        local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
        local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

        #zone hade.war.net
        local-zone: "hade.war.net." static
        local-data: "hade.war.net. 86400 IN NS ns.hade.war.net."
        local-data: "hade.war.net. 86400 IN SOA hade.war.net. hostmaster.hade.war.net.  3 3600 1200 604800 86400"
        local-data: "hade.war.net. 86400 IN A 192.168.2.25"
        local-data: "www.hade.war.net. 86400 IN A 192.168.2.25"
        local-data: "ns.hade.war.net. 86400 IN A 192.168.2.25"
        local-data: "ftp.hade.war.net. 86400 IN A 192.168.2.25"
        local-zone: "2.168.192.in-addr.arpa." static
        local-data: "2.168.192.in-addr.arpa. 10800 IN NS hade.war.net."
        local-data: "2.168.192.in-addr.arpa. 10800 IN SOA hade.war.net. hostmaster.hade.war.net. 4 3600 1200 604800 864000"
        local-data: "25.2.168.192.in-addr.arpa. 10800 IN PTR hade.war.net."

    # Use or own ISP , opendns, nawala or google
    forward-zone:
        name: "."
        forward-addr: 203.130.208.18
        forward-addr: 203.130.193.74
        forward-addr: 208.67.222.222
        forward-addr: 208.67.220.220
        forward-addr: 180.131.144.144
        forward-addr: 180.131.145.145
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4

remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-port: 953
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"

Save file

cat > /etc/resolv.conf << "EOF"
# Begin /etc/resolv.conf
domain proxy.hade.war.net
nameserver 127.0.0.1
nameserver 192.168.2.30
# End /etc/resolv.conf
EOF

unbound-checkconf /etc/unbound/unbound.conf

reboot

Tuning Up

Optimalkan file system cache & ubah opsi untuk partisi cache

Disabled fsck (file system check)
nano /etc/fstab

Angka standart Drive Cache adalah 0 2 ——>> ganti dengan 0 0 (INGAT HANYA DRIVE CACHE)

Opsi Directory /cache :
Apabila menggunakan reiserfs gunakan opsi noatime,notail    0   0
Apabila menggunakan ext4 gunakan opsi noatime,barrier=0     0   0
Apabila menggunakan btrfs gunakan opsi noatime,compress,noacl   0   0

Adjusting tcp sockets and limits

decrease TCP TIME_WAIT setting, the default value (60 in Debian 6) is too high and will result in too many sockets in TIME_WAIT stait. To decrease waiting time, execute following command:

echo 4 > /proc/sys/net/ipv4/tcp_fin_timeout

To verify setting is in effect, use:
cat /proc/sys/net/ipv4/tcp_fin_timeout # Output should show "4"


echo 256000 > /proc/sys/fs/file-max # Adjust system-wide number of open files
ulimit -n 63535                     # Sets number of open files for this process and it's children

Verify your settings with:
cat /proc/sys/fs/file-max # Shows number of files and sockets for this system, must be at least 128000
ulimit -a                 # Show user limits, check "core file size" and "open files"

echo "*        soft        nofile          65536" >> /etc/security/limits.conf
echo "*        hard        nofile          65536" >> /etc/security/limits.conf
echo "root     soft        nofile          65536" >> /etc/security/limits.conf
echo "root     hard        nofile          65536" >> /etc/security/limits.conf
echo "proxy    soft        nofile          65536" >> /etc/security/limits.conf
echo "proxy    hard        nofile          65536" >> /etc/security/limits.conf
echo "session required        pam_limits.so" >> /etc/pam.d/common-session

modprobe ip_conntrack

kemudian tambahkan ip_contrack di /etc/modules
nano /etc/modules

tambahkan kalimat berikut baris paling bawah :

ip_conntrack

Edit the /etc/profile file and ensure that the file does not contain any commands that set ulimit values.
Add the following commands to the end of the /etc/profile file

ulimit -Hn 65536
ulimit -Sn 32768
ulimit -s 2097152

Modifying conntrack capacity
CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32)
where x is the number of bits in a pointer (for example, 32 or 64 bits).

For total number of connection just edit /etc/sysctl.conf

nano /etc/sysctl.conf

fs.file-max=65536
vm.drop_caches = 3
vm.swappiness = 3
net.netfilter.nf_conntrack_acct= 1
net.ipv4.netfilter.ip_conntrack_max = 245000
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.ip_local_port_range = 16384 65535
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 3
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

setelah di save,

sysctl -p

catatan : utk ram 512Mb kurangi saja parameter *mem di kolom ke dua dan tiga menjadi setengahnya, kolom ke satu biarkan saja

Reboot CPU nya…

apt-get install -y squid squidclient squid-cgi gcc build-essential sharutils ccze libzip-dev automake1.9 && wget http://proxy-ku.googlecode.com/files/LUSCA_FMI.tar.gz && tar xzvf LUSCA_FMI.tar.gz && cd LUSCA_FMI/ && make distclean

./configure --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid --localstatedir=/var/spool/squid --datadir=/usr/share/squid --enable-http-gzip --enable-async-io=24 --with-aufs-threads=24 --with-pthreads --enable-storeio=aufs,coss,null --enable-linux-netfilter --enable-arp-acl --enable-epoll --enable-pf-transparent --enable-removal-policies=lru,heap --with-aio --with-dl --enable-snmp --enable-delay-pools --enable-htcp --enable-cache-digests --disable-unlinkd --enable-large-cache-files --with-large-files --enable-err-languages=English --enable-default-err-language=English --with-maxfd=65536 && make && make install

cd /etc/squid/
wget http://proxy-ku.googlecode.com/files/storeurl.pl

cd /etc/init.d/
wget http://proxy-ku.googlecode.com/files/squid

cd /etc/squid/
wget http://proxy-ku.googlecode.com/files/squid.conf
rm squid.conf && mv squid.conf.1 squid.conf
chmod +x /etc/init.d/squid && /etc/init.d/squid stop

edit squid.conf sesuai kondisi
cache
mime_table /etc/squid/mime.conf
etc

chown proxy:proxy /cache* && chmod 777 /cache* && chown proxy:proxy /etc/squid/storeurl.pl && chmod 777 /etc/squid/storeurl.pl && chmod +x /etc/init.d/squid
squid -z

Bila tak ada error teruskan dengan
squid -f /etc/squid/squid.conf -z && /etc/init.d/squid start

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables-save -c > /etc/iptables.up.rules