# 0. Do this installation only on a non-essential machine, as the host may be
#    targeted for serious denial-of-service or cracking attempts. For maximum
#    security, run it inside a virtual machine. Also, *you will need a
#    static IP address*. The goal of the process is for us to be able to give
#    the revolutionaries usable proxy servers *at known addresses*.
#
# 1. Install squid on your system. You will need to be root for this.
#    Under Ubuntu, do "apt-get install squid"
#    Under RedHat, Fedora, and Centos do "yum install squid"
#    Under Gentoo, do "emerge squid"
#    Under OpenBSD, do "pkg_add PKG_PATH=ftp://ftp.openbsd.org/pub/{version}/packages/i386/squid"
#    Under FreeBSD, do this:
#        wget http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE6.tar.gz;
#        tar zxvf squid-2.7.STABLE6.tar.gz
#        cd squid-2.7.STABLE6
#        ./configure '--sysconfdir=/etc/squid' '--enable-storeio=diskd,ufs,aufs' '--enable-delay-pools' '--enable-pf-transparent' '--enable-ipf-transparent' '--disable-ident-lookups' '--enable-removal-policies'
#        make
#        make install
#    Under NetBSD, do "cd /usr/ports/www/squid; make install clean"
#
#    Under Mac OS X using SquidMan:
#    i.    SquidMan is at .
#    ii.   Locate the download links for various dmg files at the bottom of
#          the page.
#    iii.  Click the link for version 2.5b. When prompted, pick "load with
#          DiskImageMounter.app". (Or, alternately, you could save the file
#          somewhere and double-click to launch it.)
#    iv.   When the disk image shows up in Finder, double-click on the big
#          blue "SquidMan" icon. (Or, better yet, drag that icon into your
#          Applications folder and then launch it from there.)
#    v.    Click "Open" when asked if you really want to launch this
#          program you've just downloaded from the Internet.
#    vi.   Click "OK" in response to the "Squid Missing. The Squid subsystem
#          needs to be installed..." dialog.
#    vii.  The settings dialog will pop up. Go to the Template tab.
#    viii. Delete everything in the text box and replace it with the
#          contents of this configuration file.
#    ix.   Uncomment the cache_dir line.
#    x.    Click Save.
#    xi.   Click Start Squid.
#
# 2. Red Hat and CentOS only:
#    * Edit the iptables via system-config-securitylevel. As root, run
#      /usr/bin/system-config-securitylevel
#    * Set SELinux to either Permissive (slightly better) or Disabled.
#      Note, this is a crude solution. Someone with more SELinux
#      knowledge might be able to write a pass-through rule.
#    * Now go into Customize. In Other Ports, set it like this:
#      portnum:protocol (eg. 42342:tcp, 42343:tcp, 42344:tcp).
#      Do this for all of your nonstandard ports. Hit OK->OK
#
# 3. Replace your squid configuration with this file. It is likely
#    to be in /etc/squid/squid.conf, but could be in /etc/squid.conf
#    as well.
#
# 4. Fix the 'visible_hostname' line in /etc/squid.conf: it should declare
#    your machine's hostname (i.e. the part following "userid@" in your
#    terminal prompt).
#
# 5. Choose a nonstandard port number to listen on, or better yet
#    about a dozen of them. Fix the http_port line in /etc/squid.conf.
#    Add more lines as needed.
#
# 6. Mac OS/X users only: uncomment the cache_dir line. We don't know
#    why it's required even though caching is turned off, but squid
#    apparently won't start without it.
#
# 7. Type 'sudo adduser squid' and specify a password.
#
# 8. Restart squid by typing '/etc/init.d/squid restart'.
#
# 9. Stop the service by typing '/etc/init.d/squid stop'.
#
# 10. Test it in debug mode by typing "squid -z" (which creates the cache files).
#
# 11. Type 'squid -NCd10' to test squid in debug mode and leave it running.
#
# 12. Open Firefox and type the URL localhost:3128. It will fail to retrieve a
#     page, but at the bottom it should confirm that the error is generated
#     by squid. (To be extra-sure, re-do this test using one of the
#     non-standard ports you declared in step 4.)
#
# 13. Back at the Terminal, type CTRL-C to cancel the debug mode.
#
# 14. Start squid for real with '/etc/init.d/squid start'. It will start
#     automatically from now on.
#
# 15. If your squid host is sitting behind a hardware router with firewalling
#     capability, you must set up port forwarding of all your nonstandard
#     ports to the squid host machine. The procedure for this varies
#     depending on your router, but is most likely to involve pointing your
#     browser at 192.168.1.1 and navigating to a "Port Forwarding" page.
#
# 16. The easiest way to test that your proxy server is working is to
#     use the proxy tester at austinheap.com:
#
#     If it says "Fatal error: couldn't connect to host", then your
#     squid instance probably isn't running; check for a possible fatal
#     error in the configuration parse, and if you don't see that, make
#     sure that you have correctly configured your router or firewall
#     to pass through packets. If it says "Your proxy is not accepting
#     connections from the validation servers.", you're at least
#     reaching squid, but your allow/denies aren't right or your
#     configuration file doesn't live where you think it does.
#
# 17. Register your proxy server with proxyheap at
#
#     You'll have to do this once for each listener port you declared.
#     You will receive an email notification from the proxyheap
#     verification servers if all is well. Otherwise, the email will tell
#     you that your server could not be verified and that the entry has
#     been dropped from the proxyheap database. Once you are successfully
#     registered, the Iranian revolutionaries can begin using your proxy
#     with no further action required on your part.
#
# 18. Death threats have already been made against cooperating
#     hackers. If you receive such a threat, report it to your local
#     police immediately. Do not assume that your cooperation is unknown
#     to the Iranian regime or their agents, and do not assume you will
#     have warning if they act on their threats. If you are not already
#     armed and prepared to defend yourself, fix both of these bugs.
#
# For troubleshooting help, go to .
#
# Directions brought to you by ESR and the deliberately anonymous members
# of NedaNet at #irantech. Recipe derived from one published by r3boot
# at

# You will need to modify this line
visible_hostname thyrsus.com

# You should enable a bunch of different nonstandard ports.
# This list re-purposes ports associated with a number of on-line games.
# You'll have to remove the trailing comments to use these, as the squid
# configuration parser chokes on them. There is a much longer list here:
#
#
# You should not necessarily stick with these, as the Iranian government
# might block them; it's better to think up random port numbers of your own.
http_port 28910 # Heretic II
http_port 26900 # Hexen II
http_port 15000 # Baldur's Gate
http_port 7012  # Anarchy Online
http_port 7013  # Anarchy Online
http_port 7501  # Anarchy Online
http_port 7502  # Anarchy Online
http_port 7503  # Anarchy Online
http_port 7504  # Anarchy Online
http_port 9000  # Asheron's Call
http_port 9001  # Asheron's Call
http_port 9002  # Asheron's Call
http_port 9003  # Asheron's Call
http_port 9004  # Asheron's Call
http_port 9005  # Asheron's Call
http_port 9006  # Asheron's Call
http_port 9007  # Asheron's Call
http_port 9008  # Asheron's Call
http_port 9009  # Asheron's Call
http_port 9010  # Asheron's Call
http_port 9011  # Asheron's Call
http_port 9012  # Asheron's Call
http_port 9013  # Asheron's Call

# MacOS users must uncomment this line
#cache_dir ufs %CACHEDIR% %CACHESIZE% 16 256

######################################################################
# You probably will not need to change anything below this line.
######################################################################

# Make squid more anonymous
forwarded_for off
client_db off

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl all src 0.0.0.0/0.0.0.0
acl localnet dst 127.0.0.0/8
acl localnet dst 10.0.0.0/8
acl localnet dst 172.16.0.0/12
acl localnet dst 192.168.0.0/16

# http://www.ripe.net/cgi-bin/search/gdquery.cgi?max-results=100&page-results=10&index=ripedb&boolean=and&record-type=paragraph&header=whois&footer=whois&start-page=%2Fdb%2Fwhois-free.html&terms=ministry+iran&file-match=net[6n]&file-match=org&show-context=yes&degree-of-error=0&submit=Search&page=0
acl iran-gov src 194.225.164.0/23
acl iran-gov src 213.176.19.0/26
acl iran-gov src 213.176.74.0/23
acl iran-gov src 217.172.104.0/22
acl iran-gov src 217.172.108.0/22
acl iran-gov src 217.172.112.0/22
acl iran-gov src 217.172.120.0/22
acl iran-gov src 217.172.124.0/22
acl iran-gov src 217.172.96.0/22
acl iran-gov src 217.24.144.0/22
acl iran-gov src 217.24.148.0/22
acl iran-gov src 217.24.152.0/22
acl iran-gov src 217.24.156.0/22
acl iran-gov src 78.38.77.160/28
acl iran-gov src 80.191.21.0/24
acl iran-gov src 84.47.212.0/22
acl iran-gov src 84.47.216.0/22
acl iran-gov src 84.47.220.0/22
acl iran-gov src 84.47.248.0/21

# http://www.countryipblocks.net/country-blocks/select-formats/
acl iran-net src 62.193.0.0/19
acl iran-net src 62.220.96.0/19
acl iran-net src 77.36.128.0/17
acl iran-net src 77.77.64.0/18
acl iran-net src 77.104.64.0/18
acl iran-net src 77.237.64.0/19
acl iran-net src 77.237.160.0/19
acl iran-net src 77.245.224.0/20
acl iran-net src 78.38.0.0/15
acl iran-net src 78.109.192.0/20
acl iran-net src 78.110.112.0/20
acl iran-net src 78.111.0.0/20
acl iran-net src 78.154.32.0/19
acl iran-net src 78.157.32.0/19
acl iran-net src 62.60.128.0/17
acl iran-net src 78.158.160.0/19
acl iran-net src 79.127.0.0/17
acl iran-net src 79.132.192.0/19
acl iran-net src 79.170.144.0/21
acl iran-net src 79.175.128.0/18
acl iran-net src 80.66.176.0/20
acl iran-net src 80.69.240.0/20
acl iran-net src 80.71.112.0/20
acl iran-net src 80.75.0.0/20
acl iran-net src 80.191.0.0/16
acl iran-net src 80.242.0.0/20
acl iran-net src 80.253.128.0/20
acl iran-net src 80.253.144.0/20
acl iran-net src 81.12.0.0/17
acl iran-net src 81.28.32.0/20
acl iran-net src 81.28.48.0/20
acl iran-net src 81.31.160.0/20
acl iran-net src 81.31.176.0/20
acl iran-net src 81.90.144.0/20
acl iran-net src 81.91.128.0/20
acl iran-net src 81.91.144.0/20
acl iran-net src 82.99.192.0/18
acl iran-net src 82.115.0.0/19
acl iran-net src 83.147.192.0/18
acl iran-net src 84.47.192.0/18
acl iran-net src 84.241.0.0/18
acl iran-net src 85.9.64.0/18
acl iran-net src 85.15.0.0/18
acl iran-net src 85.133.128.0/17
acl iran-net src 85.185.0.0/16
acl iran-net src 85.198.0.0/18
acl iran-net src 86.109.32.0/19
acl iran-net src 87.107.0.0/16
acl iran-net src 87.247.160.0/19
acl iran-net src 87.248.128.0/19
acl iran-net src 89.144.128.0/18
acl iran-net src 89.165.0.0/17
acl iran-net src 89.221.80.0/20
acl iran-net src 89.235.64.0/18
acl iran-net src 91.98.0.0/15
acl iran-net src 91.184.64.0/19
acl iran-net src 91.186.192.0/19
acl iran-net src 91.206.122.0/23
acl iran-net src 91.208.165.0/24
acl iran-net src 91.209.242.0/24
acl iran-net src 91.212.16.0/24
acl iran-net src 91.212.19.0/24
acl iran-net src 91.212.252.0/24
acl iran-net src 92.42.48.0/21
acl iran-net src 92.50.0.0/18
acl iran-net src 92.61.176.0/20
acl iran-net src 92.62.176.0/20
acl iran-net src 92.242.192.0/19
acl iran-net src 93.110.0.0/16
acl iran-net src 93.190.24.0/21
acl iran-net src 94.74.128.0/18
acl iran-net src 94.101.128.0/20
acl iran-net src 94.101.176.0/20
acl iran-net src 94.101.240.0/20
acl iran-net src 94.139.160.0/19
acl iran-net src 94.182.0.0/15
acl iran-net src 94.184.0.0/17
acl iran-net src 94.232.168.0/21
acl iran-net src 94.241.128.0/18
acl iran-net src 95.38.0.0/16
acl iran-net src 95.80.128.0/18
acl iran-net src 95.81.64.0/18
acl iran-net src 95.82.0.0/18
acl iran-net src 95.82.64.0/18
acl iran-net src 95.130.56.0/21
acl iran-net src 95.130.240.0/21
acl iran-net src 188.34.0.0/16
acl iran-net src 188.93.64.0/21
acl iran-net src 188.121.96.0/19
acl iran-net src 188.121.128.0/19
acl iran-net src 188.136.128.0/17
acl iran-net src 188.158.0.0/15
acl iran-net src 193.189.122.0/23
acl iran-net src 194.225.0.0/16
acl iran-net src 195.146.32.0/19
acl iran-net src 212.16.64.0/19
acl iran-net src 212.33.192.0/19
acl iran-net src 212.50.224.0/19
acl iran-net src 212.80.0.0/19
acl iran-net src 212.95.128.0/19
acl iran-net src 212.120.192.0/19
acl iran-net src 213.176.0.0/19
acl iran-net src 213.176.32.0/19
acl iran-net src 213.176.64.0/18
acl iran-net src 213.195.0.0/18
acl iran-net src 213.207.192.0/18
acl iran-net src 213.217.32.0/19
acl iran-net src 213.233.160.0/19
acl iran-net src 217.11.16.0/20
acl iran-net src 217.24.144.0/20
acl iran-net src 217.25.48.0/20
acl iran-net src 217.64.144.0/20
acl iran-net src 217.66.192.0/20
acl iran-net src 217.66.208.0/20
acl iran-net src 217.146.208.0/20
acl iran-net src 217.172.96.0/19
acl iran-net src 217.174.16.0/20
acl iran-net src 217.218.0.0/15

# The proxyheap validation servers
acl proxyheap src 208.116.53.210
acl proxyheap src 208.116.53.211

acl CONNECT method CONNECT

# Deny the Iranian government
http_access deny iran-gov

# Allow manager from localhost
http_access allow manager localhost
http_access deny manager

# Don't allow access to private networks
http_access deny localnet

# Allow Iran
http_access allow iran-net

# Allow the proxyheap validation servers
http_access allow proxyheap

# Deny the rest
http_access deny all

icp_access deny all
cache deny all

hierarchy_stoplist cgi-bin ?

access_log /dev/null
cache_log /dev/null
cache_store_log /dev/null

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320

icp_port 3130

# First line is for Mac OS X; second is for generic Unix/Linux/BSD.
# It's probably best we just use the platform default here.
#coredump_dir is /Applications/Squid/var/cache
#coredump_dir /var/spool/squid3

# $Id: squid.conf,v 1.19 2009/06/23 11:23:12 esr Exp $
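# Added example, not part of this recipe or of squid itself: a small Python
# model of squid's first-match http_access evaluation over the src-based ACLs
# above, abridged to a few prefixes (the manager and localnet lines match on
# proto/dst rather than src and are left out). It shows why "deny iran-gov"
# has to come before "allow iran-net": several iran-gov prefixes are
# sub-ranges of iran-net prefixes, so the reverse order would admit them.

```python
import ipaddress

# Source-address ACLs, abridged from the squid.conf above.
ACLS = {
    "localhost": ["127.0.0.1/32"],
    "all": ["0.0.0.0/0"],
    # Each of these iran-gov prefixes lies inside an iran-net prefix below.
    "iran-gov": ["194.225.164.0/23", "213.176.19.0/26", "80.191.21.0/24"],
    "iran-net": ["194.225.0.0/16", "213.176.0.0/19", "80.191.0.0/16"],
    "proxyheap": ["208.116.53.210/32", "208.116.53.211/32"],
}

# http_access lines in file order. squid acts on the first line whose ACLs
# all match the request and ignores every line after it.
HTTP_ACCESS = [
    ("deny", ["iran-gov"]),
    ("allow", ["iran-net"]),
    ("allow", ["proxyheap"]),
    ("deny", ["all"]),
]

# The same lines with the deny moved after the allow: a plausible editing
# slip that silently opens the proxy to the ranges meant to be blocked.
MISORDERED = [HTTP_ACCESS[1], HTTP_ACCESS[0]] + HTTP_ACCESS[2:]


def acl_matches(name, src):
    """True if the client address falls inside any prefix of the named ACL."""
    return any(src in ipaddress.ip_network(p) for p in ACLS[name])


def decide(src_ip, rules=HTTP_ACCESS):
    """Return 'allow' or 'deny' for a client address under a rule list."""
    src = ipaddress.ip_address(src_ip)
    for action, names in rules:
        if all(acl_matches(n, src) for n in names):
            return action
    # No line matched: squid then applies the opposite of the last line's
    # action, which is why a final "deny all" is important.
    return "allow" if rules[-1][0] == "deny" else "deny"


def audit(rules):
    """List one probe address per iran-gov prefix that the rules let through."""
    probes = [str(ipaddress.ip_network(p)[1]) for p in ACLS["iran-gov"]]
    return [ip for ip in probes if decide(ip, rules) == "allow"]
```

# Note that 127.0.0.1 is denied by this rule set as well, which is the
# behaviour step 12 describes: the localhost test is expected to fail with a
# squid-generated error page rather than fetch anything.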