Do, or do not. There is no ‘try’

Updating all the software on your system can be a pain, but with Linux it doesn’t have to be that way. We’ll show you how to combine the apt package management system with a task scheduler to automatically update your system.

If you’ve been using Linux for even a short time you’ll surely have experienced the wonders of having a package management system at your disposal. For Debian and Ubuntu users the package manager you get is the excellent apt-get system. apt-get makes installing a new program (e.g. xclock, a graphical clock) as simple as:

% apt-get install xclock

That’s nice, but the real reason apt is so useful is that updating your entire system all at once is just as easy:

% apt-get update
…
% apt-get upgrade
…

This will refresh the apt system with the newest information about packages and then download and install any packages that have newer versions. Do it regularly and you can be sure that you’ve got the latest and most secure software on your machine, without needing to hunt down the newest edition of each program individually.

You can make things even easier, however, by combining the apt system with the Linux scheduling daemon cron. cron let’s you schedule any command to run periodically at given intervals. Take the following command:

% (apt-get update && apt-get -y upgrade) > /dev/null

Which both updates the apt cache and upgrades the system. The -y flag tells apt-get to answer yes to every question, which prevents the process from hanging waiting for user input, say in the middle of the night so the bandwidth from the downloads won’t bother anyone. It’s also a good idea to redirect the output of the command to /dev/null, so that your terminal is not flooded with the results of automatic maintenance.

It’s a bad idea to just install everything regardless of errors, sometimes incompatible software can creep into the repository, and that can bring down your whole system. A better idea if you want to be more careful with what your machine is doing is to add the -d flag, which tells apt to merely download the packages, but not install them. You can then run apt-get dist-upgrade later to install the packages without waiting for them to download, and letting you keep a watchful eye over what’s being installed without having to wait for everything to download.

If you want to use this approach then you can add the following lines to your crontab using crontab -e, which will download new packages every Sunday morning at 12am:

# Automatic package upgrades
0 0 * * 0 root (apt-get update && apt-get -y -d upgrade) > /dev/null

There is still an easier way — using the cron-apt package, which as the name might suggest, combines the cron and apt utilities, but provides a bit more flexibility and a simpler interface — as well as supporting e-mail alerts on errors or new information. cron-apt automatically adds the -d flag, so you’ll have to run apt-get dist-upgrade to install the changes. You can install cron-apt like any other common utility by using apt:

% apt-get install cron-apt

The configuration for cron-apt reside in /etc/cron-apt/config — except how often the script runs, that’s depended on cron so you can find it in /etc/cron.d/cron-apt. One popular configuration change is to add the line:

MAILON=”always”

This will make sure an e-mail is always sent when the update runs, rather than only when an error occurs.

That’s it. Setting up your machine to automatically update itself is as simple as a couple of lines in the console. If you need to have closer control over what is happening during the automatic update process then you’ll want to write your own script, the Ubuntu help pages have a good run down of how to write a script around aptitude to achieve the same results.

Source from: http://www.linux.com/articles/113867
By David Coulson on November 25, 2004 (8:00:00 AM)

With ever-present threats from online attackers and script kiddies, administrators need a firewall on the border of any network. A Linux box can make a particularly effective and capable firewall at a fraction of the cost of a Cisco or Check Point system.

The most obvious use for a firewall is to block unwanted traffic from entering or leaving a network. Firewalls can also make specific connections from outside hosts to internal systems, such as a mail or Web server, either behind the firewall or on a trusted or “de-militarized zone” (DMZ) segment.

Almost every version of the 2.x series of the Linux kernel has a different firewall implementation, with 2.0 using ipfwadm, 2.2 using ipchains, and 2.4 implementing netfilter. 2.6 continues to use netfilter, as it is essentially a plug-in framework within the network subsystem for whichever firewall implementation we choose to use. 2.4 and 2.6 support both ipfwadm and ipchains through backports of the systems to netfilter. They also support iptables, which was specifically written for use with netfilter. iptables is now the standard firewall on Linux systems. With a wide range of plug-in modules and third-party additions, it fits almost every need.

Getting the kernel ready for iptables

Nearly all distributions come with support for iptables. For those who like their own fresh kernel, compiled from scratch, simply select all of the options under “IPv4: netfilter” to provide support for everything iptables has on offer. Once you have a kernel with netfilter and iptables support, verify that iptables is available with the following command:

# iptables -L| grep Chain
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

If iptables is compiled as modules, as it is in many distributions, the kernel will automatically load the necessary modules for you when it first executes iptables and as you add rules that require a specific module.

iptables structures the filtering processes into a number of tables, which are built by the kernel at boot time. Each table has a distinct function within the network stack and allows an administrator to construct a variety of rules to perform operations against packets heading to, from, or through a firewall. A standard installation will have three distinct tables: filter, which is used to perform filtering on IP packets; nat, used to modify IP or port information to permit, for example, Internet access by a non-routable block; and mangle, which allows you to modify packets’ Type of Service (ToS) values, or to mark packets for lookup in another rule. 2.6 kernels also have a “raw” table, used to perform packet filtering outside of the connection tracking processes.

Filtering packets

The filter table is split up into three separate chains, a list of rules, filtering packets at specific parts of the routing system on the firewall. The INPUT chain is used to match packets hitting the firewall host, OUTPUT to match packets originating on the firewall, and FORWARD contains rules to match packets routed from one interface to another across the firewall.

iptables offers support for connection tracking, which was lacking in both ipchains and ipfwadm. With connection tracking, the kernel keeps a database of existing connections to allow return packets for connections to pass through the firewall. Previous Linux firewall implementations had to check for specific packet types that were common with new connections, or even open ports up for connections. iptables instead allows the state of a connection to be used in a rule, permitting new or existing connections to be handled differently by the kernel. The connection tracking processes within iptables also track multiple connections that are associated with each other, such as FTP data traffic, or ICMP packets returned from a failed connection.

Generally it’s a good idea to populate a firewall ruleset with rules to allow all loopback traffic on the firewall, and allow existing connections permitted by other rules to pass traffic across the firewall. Firewall rules are constructed using a variety of checks, to match our rule against a specific type of packet, a packet to a host or port, or even a packet to or from a specific interface. Rules are inserted into the specific chain as desired by the location in the routeing process when we want to check packets. Should a packet match a rule, the kernel will process the packet based upon the target of the chain, such as dropping the packet, or allowing it to pass through the firewall unfiltered.

The iptables command manages the kernel iptables system, through which you can add, insert, and delete rules on the firewall. As we’ve not selected a specific table, our rules will manipulate the filter table, and the appropriate chain as defined in the command. Firewall rules are very simple, and have a selection of attributes which must be matched for the packet to activate the specific target. The structure of a typical firewall rule entry would be as follows, although IP arguments can be ommitted if they are no necessary for the rule to be matched. You can find detailed information on the specific format of each argument, and the variety of targets available, within the netfilter documentation.

We build our initial configuration with the following commands:

Drop all packets on the firewall in each of the three chains:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Allow traffic in and out over the loopback address for local services on the firewall:
iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT

Drop packets with unknown connection states, such as TCP acknowledgement packets not related to an existing connection:
iptables -A FORWARD -m state –state INVALID -j DROP

Allow packets which are from an existing connection, or packets which are associated with another active connection:
iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT

At this point the firewall is somewhat limited, as it does not allow connections in or out, nor does it allow any traffic to be forwarded between interfaces. If we have eth0 as our outside interface, facing the Internet, eth1 our DMZ with our untrusted hosts on, and eth2 as our trusted network, we can continue the configuration to permit traffic between and to the specific network interfaces:

iptables -A INPUT -i eth2 -p tcp –dport 22 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

The first rule allows anyone coming from our internal network to connect to our firewall via SSH, which runs on TCP port 22. The iptables -p switch selects the IP protocol used, which could be tcp, udp, icmp, and so forth depending upon the specific requirements of the connection. We also allow the internal network attached to eth2 to connect to our DMZ network on eth1, as well as hosts on the Internet, without restriction.

Network address translation

It is rare nowadays for a network to use only routable IP blocks. The majority of production environments include address blocks commonly known as 1918 addresses, as they are defined in RFC1918. These specific addresses, 10.x.x.x, 172.16.x.x, and 192.168.x.x, are not routed on the Internet, so must be converted to a permitted address before you attempt to make a connection from the internal network to the Internet. This process of rewriting the addresses on a packet is known as network address translation. NAT can also be used to allow hosts on the Internet to access network services that run on devices with non-routable addresses. This means you can run multiple network services on the same public IP address, with each existing on distinct hosts on the DMZ or internal networks.

You add a NAT rule using iptables in almost exactly the same way you add a filter rule, although the target is somewhat different because you must inform the kernel you want to rewrite the packet.

iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j SNAT -to 207.166.198.1

This rule will rewrite any packet leaving eth0 that currently has a source address of 10.1.0.0/16, which would be a block within our internal network, so it leaves eth0 with a source address of 207.166.198.1. This type of rule is known as a Source NAT rule, as it modifies the source address of the packet, which is always placed into the POSTROUTING chain within the nat table. The kernel checks the POSTROUTING chain following the routing decision by the kernel to learn which interface the packet will head out of. You can also establish a Destination NAT rule, where you rewrite a packet coming in from the outside and translate it onto an internal address. These rules are placed in the PREROUTING chain, which is checked as soon as the packet enters the firewall, allowing the kernel to perform the routing based upon the translated destination, rather than the outside address.

For instance, if you wanted to permit Web traffic from the outside to reach the internal IP address 10.2.1.2 of your Web server on the DMZ, you would specify:

iptables -t nat -A PREROUTING -i eth0 -d 207.166.198.20 -p tcp –dport 80 -j SNAT –to 10.2.1.2

This rule rewrites packets heading to TCP port 80 on 207.166.198.20, an outside IP address, to the internal IP of 10.2.1.2. As we’ve not specified a TCP port for the inside address, the destination port will not be modified, so you can run the Web service on port 80 as you normally would.

Mangle

The mangle chain is rarely used, although it is particularly powerful as the basis for routing table manipulation or traffic prioritization on the network. The most common use for mangle is to mark a packet with an integer value, which can be looked up in another rule. Alternativly, using iproute2, we allow the packet to be handled by a distinct routing table. For example, if you use the POSTROUTING chain in the nat table, you can’t match rules against the interface the packet came in on. However, if you mark the packet using the mangle table when it first enters the firewall, you can create a POSTROUTING rule that checks for the mark and rewrites the packet on the way out as appropriate:

iptables -t mangle -A PREROUTING -i eth2 -j MARK –set-mark 0×2 iptables -t nat -I POSTROUTING -o eth2 -m mark -mark 0×2 -j SNAT –to 192.168.1.4

Going further

I’ve only touched the surface of what you can accomplish using iptables and netfilter. The projects have a substantial user base, with very active mailing lists and an IRC channel on irc.freenode.net, #netfilter, where users can discuss configuration issues.

by Gina Trapani

http://lifehacker.com/software/top/geek-to-live%E2%80%94mastering-wget-161202.php

Your browser does a good job of fetching web documents and displaying them, but there are times when you need an extra strength download manager to get those tougher HTTP jobs done.

A versatile, old school Unix program called Wget is a highly hackable, handy little tool that can take care of all your downloading needs. Whether you want to mirror an entire web site, automatically download music or movies from a set of favorite weblogs, or transfer huge files painlessly on a slow or intermittent network connection, Wget’s for you.

Wget, the “non-interactive network retriever,” is called at the command line. The format of a Wget command is:
wget [option]… [URL]…

The URL is the address of the file(s) you want Wget to download. The magic in this little tool is the long menu of options available that make some really neat downloading tasks possible. Here are some examples of what you can do with Wget and a few dashes and letters in the [option] part of the command.
Mirror an entire web site

Say you want to backup your blog or create a local copy of an entire directory of a web site for archiving or reading later. The command:
wget -m http://ginatrapani.googlepages.com

Will save the two pages that exist on the ginatrapani.googlepages.com site in a folder named just that on your computer. The -m in the command stands for “mirror this site.”

Say you want to retrieve all the pages in a site PLUS the pages that site links to. You’d go with:
wget -H -r –level=1 -k -p http://ginatrapani.googlepages.com

This command says, “Download all the pages (-r, recursive) on http://ginatrapani.googlepages.com plus one level (—level=1) into any other sites it links to (-H, span hosts), and convert the links in the downloaded version to point to the other sites’ downloaded version (-k). Oh yeah, and get all the components like images that make up each page (-p).”

Warning: Beware, those with small hard drives! This type of command will download a LOT of data from sites that link out a lot (like blogs)! Don’t try to backup the Internet, because you’ll run out of disk space!
Resume large file downloads on a flaky connection

Say you’re piggybacking the neighbor’s wifi and every time someone microwaves popcorn you lose the connection, and your video download (naughty you!) keeps crapping out halfway through. Direct Wget to resume partial downloads for big files on intermittent connections.

To set Wget to resume an interrupted download of this 16MB “Mavericks Surf Highlights 2006: Wipeouts” short from Google Video, use:
wget -c –output-document=mavericks.avi “http://vp.video.google.com/videodownload?version=0&secureurl=qgAAAJCWpcRd5eI2k3sm3LWJZMjLyLFiTxk_KqUrRYbrzLTEw8hwMV30m3MRz6rYMTxGqWIfWMQjNJsP0fNXUMc34jzoPcy6z-qHde5UVD29Po6_9b_-d3J5AQpVROUPRqzkJriangEl2IMkKBJd08Q7TTJIAC_r6XID-fNYPLKHm1KRvx0smOslivNLGmyZsCsZmVNVN0jaw5-dloWtzPlI86zIubh1XvJsTg2u_YaHcaAB&sigh=-BbV2h_bIFVuVg4D-h6MUTxuErM&begin=0&len=139433&docid=6059494448346363884″

(Apologies for the humungous, non-wrapping URL.)

The -c (“continue”) option sets Wget to resume a partial download if the transfer is interrupted. You’ll also notice the URL is in quotes, necessary for any address with &’s in it. Also, since that URL is so long, you can specify the name of the output file explicitly – in this case, mavericks.avi.
Schedule hourly downloads of a file

The nice thing about any command line script is that it’s very easy to automate. For instance, if there was a constantly-changing file that you wanted to download every hour, say, you could use cron or Windows Task Scheduler and Wget to do just that, or if there was a very large file you wanted your computer to fetch in the middle of the night while you slept instead of right this moment when you need all your bandwidth to get other work done. You could easily schedule the Wget command to run at a later time.

As proof of concept, yesterday I scheduled an hourly download of Lifehacker’s daily traffic chart to run automatically. The command looked like this:
wget –output-document=traffic_$(date +\%Y\%m\%d\%H).gif “http://sm3.sitemeter.com/rpc/v6/server.asp?a=GetChart&n=9&p1=sm3lifehacker&p2=&p3=3&p4=0&p5=64\%2E249\%2E116\%2E138&p6=HTML&p7=1&p8=\%2E\%3Fa\%3Dstatistics&p9=&rnd=7209″

Notice the use of %Y and %m datetime parameters which result in unique filenames, so each hour the command wouldn’t overwrite the file with the same name generated the hour before. Note also that the %’s have to be escaped with a backslash.

Just for fun I threw together a little animated gif of the hourly chart image, that displays the movement of Lifehacker’s traffic yesterday from 2PM to midnight:
animated-traffic-chart.gif
Automatically download music

This last technique, suggested by Jeff Veen, is by far my favorite use of Wget. These days there are tons of directories, aggregators, filters and weblogs that point off to interesting types of media. Using Wget, you can create a text file list of your favorite sites that say, link to MP3 files, and schedule it to automatically download any newly-added MP3’s from those sites each day or week.

First, create a text file called mp3_sites.txt, and list URLs of your favorite sources of music online one per line (like http://del.icio.us/tag/system:filetype:mp3 or stereogum.com). Be sure to check out my previous feature on how to find free music on the web for more ideas.

Then use the following Wget command to go out and fetch those MP3’s:
wget -r -l1 -H -t1 -nd -N -np -A.mp3 -erobots=off -i mp3_sites.txt

That Wget recipe recursively downloads only MP3 files linked from the sites listed in mp3_sites.txt that are newer than any you’ve already downloaded. There are a few other specifications in there – like to not create a new directory for every music file, to ignore robots.txt and to not crawl up to the parent directory of a link. Jeff breaks it all down in his original post.

The great thing about this technique is that once this command is scheduled, you get an ever-rotating jukebox of new music Wget fetches for you while you sleep. With a good set of trusted sources, you’ll never have to go looking for new music again – Wget will do all the work for you.

My neighbours are stealing my wireless internet access. I could encrypt it or alternately I could have fun.

Split the network

I’m starting here by splitting the network into two parts, the trusted half and the untrusted half. The trusted half has one netblock, the untrusted a different netblock. We use the DHCP server to identify mac addresses to give out the relevant addresses.

/etc/dhcpd.conf

ddns-updates off;
ddns-update-style interim;
authoritative;

shared-network local {

subnet *.*.*.* netmask 255.255.255.0 {
range *.*.*.* *.*.*.*;
option routers *.*.*.*;
option subnet-mask 255.255.255.0;
option domain-name “XXXXX”;
option domain-name-servers *.*.*.*;
deny unknown-clients;

host trusted1 {
hardware ethernet *:*:*:*:*:*;
fixed-address *.*.*.*;
}
}

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.2 192.168.0.10;
option routers 192.168.0.1;
option subnet-mask 255.255.255.0;
option domain-name-servers 192.168.0.1;
allow unknown-clients;

}
}

IPtables is Fun!

Suddenly everything is kittens! It’s kitten net.

/sbin/iptables -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -j DNAT –to-destination 64.111.96.38

For the uninitiated, this redirects all traffic to kittenwar.

For more fun, we set iptables to forward everything to a transparent squid proxy running on port 80 on the machine.

/sbin/iptables -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.0.1

That machine runs squid with a trivial redirector that downloads images, uses mogrify to turn them upside down and serves them out of it’s local webserver.
The redirection script

#!/usr/bin/perl
$|=1;
$count = 0;
$pid = $$;
while (<>) {
chomp $_;
if ($_ =~ /(.*\.jpg)/i) {
$url = $1;
system(“/usr/bin/wget”, “-q”, “-O”,”/space/WebPages/images/$pid-$count.jpg”, “$url”);
system(“/usr/bin/mogrify”, “-flip”,”/space/WebPages/images/$pid-$count.jpg”);
print “http://127.0.0.1/images/$pid-$count.jpg\n”;
}
elsif ($_ =~ /(.*\.gif)/i) {
$url = $1;
system(“/usr/bin/wget”, “-q”, “-O”,”/space/WebPages/images/$pid-$count.gif”, “$url”);
system(“/usr/bin/mogrify”, “-flip”,”/space/WebPages/images/$pid-$count.gif”);
print “http://127.0.0.1/images/$pid-$count.gif\n”;

}
else {
print “$_\n”;;
}
$count++;
}

Then the internet looks like this!

And if you replace flip with -blur 4 you get the blurry-net

Source from: http://www.ex-parrot.com/~pete/upside-down-ternet.html

Introduction

Squid has a feature called delay pools, which allows us to control download bandwidth. Unfortunately, in most distributions, Squid is shipped without that feature.

So if you have Squid already installed, I must disappoint you — you need to uninstall it and do it once again with delay pools enabled in the way I explain below.

1. To get maximum performance from our Squid proxy, it’s best to create a separate partition for its cache, called /cache/. Its size should be about 300 megabytes, depending on our needs.

If you don’t know how to make a separate partition, you can create the /cache/ directory on a main partition, but Squid performance can suffer a bit.

2. We add a safe ’squid’ user:

# useradd -d /cache/ -r -s /dev/null squid >/dev/null 2>&1

No one can log in as squid, including root.

3.We download latest Squid sources from http://www.squid-cache.org http://www.squid-cache.org/Versions/v2/2.4/squid-2.4.STABLE1-src.tar.gz

4.We unpack everything to /var/tmp:

# tar xzpf squid-2.4.STABLE1-src.tar.gz

5.We compile and install Squid (everything is in one line):

# ./configure –prefix=/opt/squid –exec-prefix=/opt/squid – enable-delay-pools –enable-cache-digests –enable-poll – disable-ident-lookups –enable-truncate –enable-removal- policies
# make all
# make install

[Edit section] Configuring Squid to use the delay pools feature

1. Configure our squid.conf file (located under /opt/squid/etc/squid.conf):

#squid.conf
#Every option in this file is very well documented in the original squid.conf file
#and on http://www.visolve.com/squidman/Configuration%20Guide.html

#
#The ports our Squid will listen on.
http_port 8080
icp_port 3130
#cgi-bins will not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#Memory the Squid will use. Well, Squid will use far more than that.
cache_mem 16 MB
#250 means that Squid will use 250 megabytes of disk space.
cache_dir ufs /cache 250 16 256

#Places where Squid’s logs will go to.
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
#How many times to rotate the logs before deleting them.
#See the FAQ for more info.
logfile_rotate 10

redirect_rewrites_host_header off
cache_replacement_policy GDSF
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 3000 KB
store_avg_object_size 50 KB

#Set these if you want your proxy to work in a transparent way.
#Transparent proxy means you generally don’t have to configure all
#your client’s browsers, but hase some drawbacks too.
#Leaving these uncommented won’t do any harm.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#all our LAN users will be seen by external web servers
#as if they all used Mozilla on Linux.
anonymize_headers deny User-Agent
fake_user_agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6+) Gecko/20011122

#To make our connection even faster, we put two lines similar
#to the ones below. They will point a parent proxy server our own Squid
#will use. Don’t forget to change the server to the one that will
#be fastest for you!
#Measure pings, traceroutes and so on.
#Make sure that http and icp ports are correct.

#Uncomment lines beginning with “cache_peer” if necessary.
#This is the proxy you are going to use for all connections…
#cache_peer w3cache.icm.edu.pl parent 8080 3130 no-digest default

#…except for the connections to addresses and IPs beginning with “!”.
#It’s a good idea not to use a higher
#cache_peer_domain w3cache.icm.edu.pl !.pl !7thguard.net !192.168.1.1

#This is useful when we want to use the Cache Manager.
#Copy cachemgr.cgi to cgi-bin of your www server.
#You can reach it then via a web browser typing
#the address http://your-web-server/cgi-bin/cachemgr.cgi
cache_mgr your@email
cachemgr_passwd secret_password all

#This is a name of a user our Squid will work as.
cache_effective_user squid
cache_effective_group squid

log_icp_queries off
buffered_logs on

[Edit section] Delay Pools

#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org

#We don’t want to limit downloads on our local network.
acl magic_words1 url_regex -i 192.168

#We want to limit downloads of these type of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt
.ram .rm .iso .raw .wav .mov
#We don’t block .html, .gif, .jpg and similar files, because they
#generally don’t consume much bandwidth

#We want to limit bandwidth during the day, and allow
#full bandwidth during the night
#Caution! with the acl below your downloads are likely to break
#at 23:59. Read the FAQ in this bandwidth if you want to avoid it.
acl day time 09:00-23:59

#We have two different delay_pools
#View Squid documentation to get familiar
#with delay_pools and delay_class.
delay_pools 2

#First delay pool
#We don’t want to delay our local traffic.
#There are three pool classes; here we will deal only with the second.
#First delay class (1) of second type (2).
delay_class 1 2

#-1/-1 mean that there are no limits.
delay_parameters 1 -1/-1 -1/-1

#magic_words1: 192.168 we have set before
delay_access 1 allow magic_words1

#Second delay pool.
#we want to delay downloading files mentioned in magic_words2.
#Second delay class (2) of second type (2).
delay_class 2 2

#The numbers here are values in bytes;
#we must remember that Squid doesn’t consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s

delay_parameters 2 5000/150000 5000/120000
#We have set day to 09:00-23:59 before.
delay_access 2 allow day
delay_access 2 deny !day
delay_access 2 allow magic_words2

#EOF

Hear in delay_parameters 2 5000/150000 5000/120000 we can change the numbers according to our requirement. For example if we want to restrict our lan users to give download speed of 20 KB/Sec with a bucket size 12 MB and to whole network a download speed of 25 KB/Sec with a bucket size 25 MB, change this line to delay_parameters 2 25000/250000 20000/120000

OK, when we have configured everything, we must make sure everything under /opt/squid and /cache directories belongs to user ’squid’.

# mkdir /var/log/squid/
# chown squid:squid /var/log/squid/
# chmod 770 /var/log/squid/
# chown -R squid:squid /opt/squid/
# chown -R squid:squid /cache/

Now everything is ready to run Squid. When we do it for the first time, we have to create its cache directories:

# /opt/squid/bin/squid -z

We run Squid and check if everything is working. A good tool to do that is IPTraf; you can find it on http://freshmeat.net. Make sure you have set the appropriate proxy in your web browsers (192.168.1.1, port 8080 in our example):

# /opt/squid/bin/squid

If everything is working, we add /opt/squid/bin/squid line to the end of our initializing scripts. Usually, it can be /etc/rc.d/rc.local.

Other helpful options in Squid may be:

# /opt/squid/bin/squid -k reconfigure
(it reconfigures Squid if we made any changes in its squid.conf file)
# /opt/squid/bin/squid -help self-explanatory

You can also copy cachemgr.cgi to the cgi-bin directory of your WWW server, to make use of a useful Cache Manager.
Related Content
Quote From: http://wiki.ittoolbox.com/index.php/Install_Squid_with_delay_pools