Link asli: http://pastebin.com/cc1FYxg1
Untuk memory 1 G dan HD 120 G saya rasa Debian 32 BIT lebih realistis karena ringan dan instalasinya cepat (cuma 10 menit) karena tidak perlu akses internet (saat instalasi jangan pasang kabel LAN, dan pada saat "configure package manager" pilih Go Back, lalu pada "Continue without a network mirror" pilih Yes).
link downloadnya:
http://kambing.ui.ac.id/iso/debian/6.0.5/i386/iso-cd/debian-6.0.5-i386-netinst.iso atau
http://napoleon.acc.umu.se/debian-cd/6.0.5/i386/iso-cd/debian-6.0.5-i386-netinst.iso
untuk yang 64
http://kambing.ui.ac.id/iso/debian/6.0.5/amd64/iso-cd/debian-6.0.5-amd64-netinst.iso
Instalasi, topologi dan setting Mikrotik
topologinya Squid sejajar client ( ip proxy satu subnet dgn client)
MODEM------MT-----Swicth----client
|
Debian
Local = 192.168.2.30
Client = 192.168.2.1-192.168.2.20
PROXY = 192.168.2.22
# MikroTik side (/ip firewall nat).  Port-80 TCP arriving on the Local
# interface is redirected to Squid at 192.168.2.22:3128; the proxy's own
# traffic (src-address=!192.168.2.22) is excluded so its upstream fetches are
# not looped back into itself.  NOTE(review): there is no dst-address
# exclusion, so HTTP to hosts on the LAN itself is redirected too -- confirm
# that is intended.
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY SEJAJAR" disabled=no dst-port=80 in-interface=Local protocol=tcp src-address=!192.168.2.22 to-addresses=\
192.168.2.22 to-ports=3128
# Client traffic leaving the Local interface (i.e. towards the proxy on the
# same subnet) gets its source rewritten to the router address 192.168.2.30;
# presumably this is what forces the proxy's replies back through the router
# instead of straight to the client.  Side effect: Squid sees 192.168.2.30 as
# the source of every redirected request, so per-client visibility in the
# Squid access log is lost.
add action=src-nat chain=srcnat disabled=no out-interface=Local protocol=tcp src-address-list=Local-Address to-addresses=192.168.2.30 to-ports=0-65535
# Clients are .1-.21; the proxy (.22) is deliberately kept out of the list
/ip firewall address-list add address=192.168.2.1-192.168.2.21 list=Local-Address
# Router DNS: allow-remote-requests=yes makes the router answer queries from
# clients using the upstream list below (the same resolvers used later in
# Unbound and Squid).  Make sure the WAN-side input filter blocks port 53,
# otherwise the router answers DNS for the Internet as well.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \
max-udp-packet-size=512 servers="203.130.208.18,203.130.193.74,203.130.196.5, \
222.124.204.34,203.130.196.6,208.67.222.222,208.67.220.220,180.131.144.144, \
180.131.145.145"
# Static name for the proxy host
/ip dns static
add address=192.168.2.22 disabled=no name=proxy.crowded.war.net ttl=1d
ip 192.168.2.22
netmask 255.255.255.0
gateway 192.168.2.30
name server addresses = 192.168.2.30
host = proxy
domain = crowded.war.net
partisi
/root 18 G ext4
/cache-1 50 G ext4
/cache-2 50 G ext4
SWAP 2 G
pilihan paket: SSH Server dan Standard System Utilities
Mulai instalasi via remote sebagai root, karena di Debian akun root sudah langsung aktif saat instalasi.
Tambah repo Webmin, lalu instal unbound dan build-essential supaya extract tar.bz2 tidak error.
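# Add the Debian squeeze mirror and the Webmin repository, then install
# Unbound, Webmin and build-essential.  Run as root.
#
# Each repository line is appended only if it is not already present, so the
# steps can be re-run without stacking duplicate entries in sources.list.
append_line_once() {
  # $1 = exact line, $2 = file; appends $1 unless an identical line exists
  grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}
append_line_once 'deb http://kambing.ui.ac.id/debian/ squeeze main non-free contrib' /etc/apt/sources.list
append_line_once 'deb-src http://kambing.ui.ac.id/debian/ squeeze main non-free contrib' /etc/apt/sources.list
append_line_once 'deb http://download.webmin.com/download/repository sarge contrib' /etc/apt/sources.list
# The Webmin signing key arrives over plain HTTP, i.e. unauthenticated, and
# apt-key add makes it trusted for every package from that repository.  Check
# its fingerprint (gpg --with-fingerprint jcameron-key.asc) against the one
# published by the Webmin project before the apt-key step; the && chain at
# least stops a failed download from being imported.
cd /root \
  && wget -O jcameron-key.asc http://www.webmin.com/jcameron-key.asc \
  && apt-key add jcameron-key.asc
apt-get -y update && apt-get -y install unbound build-essential webmin unbound-host
# Root hints for Unbound (referenced as root-hints in unbound.conf); the FTP
# download is unauthenticated as well.
cd /etc/unbound \
  && wget -O named.cache ftp://FTP.INTERNIC.NET/domain/named.cache
# Generate the unbound-control key pair; readable by the unbound user only
unbound-control-setup
chown unbound:root unbound_*
chmod 440 unbound_*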
nano /etc/unbound/unbound.conf
hapus isinya, ganti dengan:
server:
# Caching resolver for the LAN.  This block replaces the stock
# /etc/unbound/unbound.conf in full.
verbosity: 1
statistics-interval: 120
num-threads: 1
# Listens on every address; the access-control entries below are the only
# thing keeping this from being an open resolver, so keep "0.0.0.0/0 refuse".
interface: 0.0.0.0
outgoing-range: 512
num-queries-per-thread: 1024
msg-cache-size: 16m
rrset-cache-size: 32m
msg-cache-slabs: 4
rrset-cache-slabs: 4
cache-max-ttl: 86400
infra-host-ttl: 60
infra-lame-ttl: 120
infra-cache-numhosts: 10000
infra-cache-lame-size: 10k
# IPv4 over UDP and TCP only (IPv6 is also disabled in sysctl.conf)
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
# Who may query: 192.168/16 (covers the 192.168.2.0/24 LAN) and loopback.
# The commented lines widen this to the other RFC 1918 ranges or -- with
# "0.0.0.0/0 allow" -- to anyone, which would turn the host into an open
# resolver.
#access-control: 0.0.0.0/0 allow
access-control: 192.168.0.0/16 allow
#access-control: 172.16.0.0/12 allow
#access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
access-control: 0.0.0.0/0 refuse
# Drop privileges to the unbound user inside a chroot; every absolute path
# below lies within the chroot directory.
chroot: "/etc/unbound"
username: "unbound"
directory: "/etc/unbound"
# Logging is switched off entirely (no file, no syslog).  Enable one of the two
# commented lines if resolver activity must be available for troubleshooting
# or incident review.
#logfile: "/etc/unbound/unbound.log"
#use-syslog: yes
logfile: ""
use-syslog: no
pidfile: "/etc/unbound/unbound.pid"
# Root hints downloaded earlier from InterNIC.  NOTE(review): with the
# forward-zone for "." below, queries go to the forwarders and the hints are
# presumably not consulted -- confirm.
root-hints: "/etc/unbound/named.cache"
# id.server / version.server answers are suppressed by the hide-* options, so
# the identity and version strings are not disclosed to clients
identity: "proxy.crowded.war.net"
version: "1.4"
hide-identity: yes
hide-version: yes
# Ignore out-of-bailiwick glue; never send queries to localhost
harden-glue: yes
do-not-query-address: 127.0.0.1/8
do-not-query-localhost: yes
# Only the iterator module is loaded -- no validator -- so answers are NOT
# DNSSEC-validated.
module-config: "iterator"
# Local zone: localhost, forward and reverse
#zone localhost
local-zone: "localhost." static
local-data: "localhost. 10800 IN NS localhost."
local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
local-data: "localhost. 10800 IN A 127.0.0.1"
local-zone: "127.in-addr.arpa." static
local-data: "127.in-addr.arpa. 10800 IN NS localhost."
local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."
# Local zone: the LAN domain, with every name pointing at the proxy
# (192.168.2.22), plus the matching reverse zone for 192.168.2.0/24
#zone crowded.war.net
local-zone: "crowded.war.net." static
local-data: "crowded.war.net. 86400 IN NS ns.crowded.war.net."
local-data: "crowded.war.net. 86400 IN SOA crowded.war.net. hostmaster.crowded.war.net. 3 3600 1200 604800 86400"
local-data: "crowded.war.net. 86400 IN A 192.168.2.22"
local-data: "www.crowded.war.net. 86400 IN A 192.168.2.22"
local-data: "ns.crowded.war.net. 86400 IN A 192.168.2.22"
local-zone: "2.168.192.in-addr.arpa." static
local-data: "2.168.192.in-addr.arpa. 10800 IN NS crowded.war.net."
local-data: "2.168.192.in-addr.arpa. 10800 IN SOA crowded.war.net. hostmaster.crowded.war.net. 4 3600 1200 604800 864000"
local-data: "22.2.168.192.in-addr.arpa. 10800 IN PTR crowded.war.net."
# Everything not answered locally is forwarded to these upstream resolvers
# (the same list configured on the MikroTik)
forward-zone:
name: "."
forward-addr: 203.130.208.18
forward-addr: 203.130.193.74
forward-addr: 203.130.196.5
forward-addr: 222.124.204.34
forward-addr: 203.130.196.6
forward-addr: 208.67.222.222
forward-addr: 208.67.220.220
forward-addr: 180.131.144.144
forward-addr: 180.131.145.145
# unbound-control, loopback only, using the key pair generated by
# unbound-control-setup
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
save
ubah resolv.conf
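# Point the host at the local Unbound first, with the MikroTik (192.168.2.30)
# as fallback.  "domain" is the search suffix, so it must be the domain chosen
# at install time (crowded.war.net), not the host's own FQDN: with
# "proxy.crowded.war.net" here a lookup of "www" would try
# www.proxy.crowded.war.net instead of www.crowded.war.net.
cat > /etc/resolv.conf << "EOF"
# Begin /etc/resolv.conf
domain crowded.war.net
nameserver 127.0.0.1
nameserver 192.168.2.30
# End /etc/resolv.conf
EOF
# Validate the new unbound.conf and only reboot when it parses cleanly;
# otherwise the box would come back with a resolver that does not start.
unbound-checkconf /etc/unbound/unbound.conf && reboot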
Tuning Up
# Set the default journal mode of the cache partitions to writeback (pairs
# with the data=writeback mount option in fstab).  /dev/sda5 and /dev/sda6
# are assumed to be the two cache partitions on this box -- TODO confirm with
# blkid before running, as the device names are hard-coded.
for cache_dev in /dev/sda5 /dev/sda6; do
  tune2fs -o journal_data_writeback "$cache_dev"
done
Optimalkan file system cache & ubah opsi untuk partisi cache
Disabled fsck (file system check)
Angka standar Drive Cache adalah `0 2` → ganti dengan `0 0` (INGAT: HANYA DRIVE CACHE).
Opsi Directory /cache ubah
# Installer's original entry for the cache partition.  (The option is spelled
# "default" here; the canonical fstab keyword is "defaults".)
# /cache-1 was on /dev/sda6 during installation
UUID=b11e172f-5b54-474c-92b1-0ae780f85f29 /cache-1 ext4 default 0 0
# Replacement entry: noatime, no buffer heads, write barriers off and
# writeback journaling; the trailing "0 0" disables dump and fsck.
# barrier=0 and data=writeback trade crash consistency for throughput: after a
# power loss the cache may hold corrupted objects, which is tolerable only
# because Squid can rebuild its cache -- never use these options on /.
# Presumably repeated for /cache-2 with that partition's own UUID.
# /cache-1 was on /dev/sda6 during installation
UUID=b11e172f-5b54-474c-92b1-0ae780f85f29 /cache-1 ext4 noatime,errors=remount-ro,nobh,barrier=0,data=writeback 0 0
nano /etc/sysctl.conf
# /etc/sysctl.conf -- kernel and network tuning for the proxy host.
# Loaded with `sysctl -p` and at every boot; any ad-hoc value written to
# /proc/sys later is replaced by the values here on the next load.

# Reboot 30 s after a panic or oops rather than hanging; magic SysRq disabled;
# core files named by PID.
kernel.panic = 30
kernel.panic_on_oops = 30
kernel.sysrq = 0
kernel.core_uses_pid = 1
# SysV message queue sizes and the system-wide open file limit (the same
# 65536 is also written to /proc/sys/fs/file-max and limits.conf later on)
kernel.msgmnb = 65536
kernel.msgmax = 65536
fs.file-max = 65536
# Memory: keep Squid out of swap, reclaim dentries/inodes less aggressively.
# NOTE(review): mmap_min_addr=4096 is below the 65536 Debian ships by default;
# the higher floor exists to make kernel NULL-pointer dereference bugs harder
# to exploit, so confirm this reduction is really needed or drop the line.
vm.swappiness = 0
vm.vfs_cache_pressure=50
vm.mmap_min_addr = 4096
vm.overcommit_ratio = 0
vm.overcommit_memory = 0
kernel.shmmax = 268435456
kernel.shmall = 268435456
vm.min_free_kbytes = 65536
# IPv6 off everywhere (Unbound is configured with do-ip6: no as well)
net.ipv6.conf.all.disable_ipv6 = 1
# SYN flood mitigation
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
# This box only proxies; routing is the MikroTik's job
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
# Host hardening: no source routing, reverse-path check, ignore ICMP
# redirects.  Martian logging is off here; set log_martians = 1 if spoofed
# or misrouted packets should show up in syslog for review.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# Connection lifetime: FIN-WAIT-2 timeout 15 s (a later
# `echo 4 > /proc/sys/net/ipv4/tcp_fin_timeout` in this guide is overridden
# by this value on the next load), keepalive probes every 15 s after 5 min idle
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
# TCP options: SACK/DSACK/FACK and timestamps on
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_timestamps = 1
# Answer unicast ping; ignore broadcast ping (smurf) and bogus ICMP errors
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ephemeral port range, RFC 1337 TIME-WAIT protection, CUBIC, window scaling
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_window_scaling = 1
# Socket buffer sizing (min default max) for the many concurrent client and
# upstream connections Squid holds
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 87380
net.core.rmem_max = 16777216
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 65536
net.core.wmem_max = 16777216
# Listen backlog and NIC receive queue
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 4096
net.core.dev_weight = 64
net.core.optmem_max = 65536
# TIME-WAIT handling.  NOTE(review): tcp_tw_recycle is known to drop
# connections from clients behind NAT (per-source-IP timestamp check) and was
# removed from Linux in 4.12; tcp_tw_reuse alone is the safe option.  The
# clients here are on the local subnet, so it may not bite, but confirm before
# keeping it.
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# IP fragment reassembly memory
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.unix.max_dgram_qlen = 50
# ARP cache sizing for a few thousand neighbours
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# ECN on; reordering tolerance and retransmit limits
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
setelah di save,
# Apply the new sysctl.conf now; the same values are loaded again at every boot
sysctl -p
Kurangi setting TCP TIME_WAIT (default value is 60 in Debian 6)
# Runtime-only change: /etc/sysctl.conf sets tcp_fin_timeout = 15, which
# replaces this 4 on the next `sysctl -p` or reboot -- keep the two in
# agreement or the value silently changes after a restart.
echo 4 > /proc/sys/net/ipv4/tcp_fin_timeout
ulimit -n 65535 # Sets the number of open files for this process and its children
Edit /etc/profile with nano and ensure that the file does not contain any commands that set ulimit values.
Add the following commands to the end of the /etc/profile file
# Appended to /etc/profile: hard limit first, then the soft limit (the soft
# value may not exceed the hard one), so every login shell gets up to 65535
# open files.
ulimit -Hn 65536
ulimit -Sn 65535
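# System-wide open-file limit for the running kernel (its persistent twin is
# fs.file-max in /etc/sysctl.conf) and per-user limits via pam_limits.
echo 65536 > /proc/sys/fs/file-max
# Append each line only once so re-running these steps does not stack
# duplicate entries in limits.conf or common-session.
append_line_once() {
  # $1 = exact line, $2 = file; appends $1 unless an identical line exists
  grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}
for principal in '*' root proxy; do
  append_line_once "$principal soft nofile 65536" /etc/security/limits.conf
  append_line_once "$principal hard nofile 65536" /etc/security/limits.conf
done
# pam_limits is what makes limits.conf apply to new sessions.  On Debian
# common-session is normally managed by pam-auth-update and may already list
# pam_limits.so with different spacing; the exact-match check above only
# catches an identical line, so grep for pam_limits before relying on this.
append_line_once "session required pam_limits.so" /etc/pam.d/common-session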
# Load connection tracking now (needed by the "-m state" rules in the iptables
# section); it is also listed in /etc/modules below so it loads at boot.
# NOTE(review): on current kernels this name is an alias resolved to the
# nf_conntrack modules -- confirm with lsmod after the modprobe.
modprobe ip_conntrack
kemudian tambahkan ip_conntrack di /etc/modules
nano /etc/modules
tambahkan kalimat berikut baris paling bawah :
ip_conntrack
save
Install squid
32 BIT
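# 32-bit build.  Work in a fresh scratch directory so that `dpkg -i ./*.deb`
# installs only the packages that came out of this archive, not any other
# .deb lying around in /home; the && chain stops at the first failed step.
# Review note: the tarball is fetched over plain HTTP without a signature or
# checksum, so whatever it contains is installed as root on faith.  Compare
# `sha256sum deb-htproxy_14942_i386.tar.bz2` with a checksum obtained from a
# trusted source (<EXPECTED_SHA256 -- placeholder>) before the dpkg step.
pkgdir=$(mktemp -d) \
  && cd "$pkgdir" \
  && wget http://squid-proxy-pkg.googlecode.com/files/deb-htproxy_14942_i386.tar.bz2 \
  && tar xvf deb-htproxy_14942_i386.tar.bz2 \
  && dpkg -i ./*.deb
# The package presumably starts Squid on install; keep it stopped until
# squid.conf and the cache directories are prepared below
/etc/init.d/squid stop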
64 BIT
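# 64-bit build.  Same procedure as the 32-bit one: scratch directory so that
# `dpkg -i ./*.deb` only installs this archive's packages, && chain so a failed
# download or extraction never reaches dpkg (the original also ran dpkg -i a
# second time, which is redundant).
# Review note: the tarball is fetched over plain HTTP without a signature or
# checksum, so whatever it contains is installed as root on faith.  Compare
# `sha256sum deb-htproxy_14942_x86-64.tar.bz2` with a checksum obtained from a
# trusted source (<EXPECTED_SHA256 -- placeholder>) before the dpkg step.
pkgdir=$(mktemp -d) \
  && cd "$pkgdir" \
  && wget http://squid-proxy-pkg.googlecode.com/files/deb-htproxy_14942_x86-64.tar.bz2 \
  && tar xvf deb-htproxy_14942_x86-64.tar.bz2 \
  && dpkg -i ./*.deb
# The package presumably starts Squid on install; keep it stopped until
# squid.conf and the cache directories are prepared below
/etc/init.d/squid stop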
pake winscp edit
/etc/squid/squid.conf
edit squid.conf sesuai kondisi
# Two AUFS cache stores of 35000 MB each on the two 50 GB cache partitions
# (presumably leaving headroom for Squid's own overhead), with 35 first-level
# and 256 second-level directories.
cache_dir aufs /cache-1 35000 35 256
cache_dir aufs /cache-2 35000 35 256
# Upstream resolvers queried directly by Squid: ISP resolvers plus the two
# OpenDNS addresses (208.67.222.222 / 208.67.220.220).  Despite the original
# "Google DNS" label, none of these is a Google public DNS address.
# NOTE(review): dns_nameservers overrides /etc/resolv.conf, so the local
# Unbound cache on 127.0.0.1 set up earlier is bypassed by Squid.  If that
# cache was meant to serve Squid, use `dns_nameservers 127.0.0.1` instead --
# confirm which was intended.
dns_nameservers 203.130.208.18
dns_nameservers 203.130.193.74
dns_nameservers 203.130.196.5
dns_nameservers 222.124.204.34
dns_nameservers 203.130.196.6
dns_nameservers 208.67.222.222
dns_nameservers 208.67.220.220
dns_nameservers 180.131.144.144
dns_nameservers 180.131.145.145
pilihan lain sebenarnya tidak signifikan; kalau mau optimalisasi, belakangan saja
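# Hand the cache directories to the account Squid runs as.  Owner rwx is all
# Squid needs; the original 777 made the cache world-writable, letting any
# local account read or tamper with cached objects, so 750 is used instead.
for cache_dir in /cache-1 /cache-2; do
  chown proxy:proxy "$cache_dir" && chmod 750 "$cache_dir"
done
# Build the swap directory structure once (the original ran -z twice) and
# start Squid only if that step succeeded.
squid -f /etc/squid/squid.conf -z && /etc/init.d/squid start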
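# Host firewall for the proxy box.  The original flushed everything, left the
# INPUT policy at ACCEPT and then added ACCEPT rules -- which never take effect
# because nothing is ever dropped.  This version keeps the same flush and the
# same LAN source range, but makes INPUT default-deny and explicitly allows
# what this host serves: SSH and Webmin for administration, DNS (Unbound) and
# the Squid port the MikroTik dst-nat redirects to (3128), plus port 80 as in
# the original rule.  OUTPUT stays open; FORWARD is denied (ip_forward is 0).
# Run it from the console or from the LAN, since non-LAN SSH is dropped.
lan=192.168.0.0/16
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback: unbound-control on 127.0.0.1:953 and the 127.0.0.1 nameserver
iptables -A INPUT -i lo -j ACCEPT
# replies to connections this host opened (apt, upstream DNS, Squid fetches)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP from the LAN for troubleshooting
iptables -A INPUT -s "$lan" -p icmp -j ACCEPT
# administration: SSH and Webmin (default port 10000)
iptables -A INPUT -s "$lan" -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s "$lan" -m state --state NEW -p tcp --dport 10000 -j ACCEPT
# DNS served by Unbound
iptables -A INPUT -s "$lan" -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s "$lan" -m state --state NEW -p udp --dport 53 -j ACCEPT
# Squid: 3128 is what the MikroTik to-ports points at; 80 kept from the original
iptables -A INPUT -s "$lan" -m state --state NEW -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s "$lan" -p tcp --dport 80 -j ACCEPT
# Persist the rules.  Debian does not reload this file by itself; restore it at
# boot, e.g. from /etc/network/if-pre-up.d with
# `iptables-restore < /etc/iptables.up.rules`, or the box comes up unfiltered.
iptables-save -c > /etc/iptables.up.rules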