  1. Untuk memory 1 G dan HD 120 G saya rasa debian 32 BIT lebih realistik karena ringan dan installasinya cepat (cuma 10 menit) karena tidak perlu akses internet (Saat installasi jangan pasang kabel LAN dan pada saat configure package manager pilih GO Back dan Continue without a network mirrors pilih yes ).
  2.  
link downloadnya (link-nya HTTP biasa: setelah download, cocokkan checksum ISO dengan file SHA256SUMS dan SHA256SUMS.sign yang ada di direktori yang sama pada mirror Debian resmi sebelum ISO dipakai):
  4. http://kambing.ui.ac.id/iso/debian/6.0.5/i386/iso-cd/debian-6.0.5-i386-netinst.iso atau
  5. http://napoleon.acc.umu.se/debian-cd/6.0.5/i386/iso-cd/debian-6.0.5-i386-netinst.iso
  6.  
  7. untuk yang 64
  8. http://kambing.ui.ac.id/iso/debian/6.0.5/amd64/iso-cd/debian-6.0.5-amd64-netinst.iso
  9.  
  10. Installasi , topologi dan setting Mikrotik
  11.  
  12. topologinya Squid sejajar client ( ip proxy satu subnet dgn client)
  13.  
  14. MODEM------MT-----Swicth----client
  15. |
  16. Debian
  17.  
  18.  
  19. Local = 192.168.2.30
  20. Client = 192.168.2.1-192.168.2.20
  21. PROXY = 192.168.2.22
  22.  
  23. add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY SEJAJAR" disabled=no dst-port=80 in-interface=Local protocol=tcp src-address=!192.168.2.22 to-addresses=\
  24. 192.168.2.22 to-ports=3128
  25. add action=src-nat chain=srcnat disabled=no out-interface=Local protocol=tcp src-address-list=Local-Address to-addresses=192.168.2.30 to-ports=0-65535
  26.  
  27. /ip firewall address-list add address=192.168.2.1-192.168.2.21 list=Local-Address
  28.  
  29. /ip dns
  30. set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \
  31. max-udp-packet-size=512 servers="203.130.208.18,203.130.193.74,203.130.196.5, \
  32. 222.124.204.34,203.130.196.6,208.67.222.222,208.67.220.220,180.131.144.144, \
  33. 180.131.145.145"
  34. /ip dns static
  35. add address=192.168.2.22 disabled=no name=proxy.crowded.war.net ttl=1d
  36.  
  37.  
  38. ip 192.168.2.22
  39. netmask 255.255.255.0
  40. gateway 192.168.2.30
  41. name server addresses = 192.168.2.30
  42. host = proxy
  43. domain = crowded.war.net
  44.  
  45. partisi
  46. / root 18 G ext4
  47. /cache-1 50 G ext4
  48. /cache-2 50 G ext4
  49. SWAP 2 G
  50.  
  51. pilihan packet : SSH-Server dan Standart System Utilities
  52.  
mulai installasi via remote (SSH) sebagai root, karena di Debian akun root sudah aktif dan bisa login SSH langsung setelah installasi. Setelah setup selesai, sebaiknya buat user admin biasa (pakai su/sudo), gunakan kunci SSH, dan matikan login root lewat SSH (PermitRootLogin no di /etc/ssh/sshd_config) supaya password root tidak bisa ditebak dari jaringan.
  54.  
  55. tambah repo webmin dan installasi unbound dan build-essential supaya extract tar.bz2 tidak error
  56.  
  57. [CODE]
  58. echo deb http://kambing.ui.ac.id/debian/ squeeze main non-free contrib | tee -a /etc/apt/sources.list
  59. echo deb-src http://kambing.ui.ac.id/debian/ squeeze main non-free contrib | tee -a /etc/apt/sources.list
  60. echo deb http://download.webmin.com/download/repository sarge contrib | tee -a /etc/apt/sources.list
  61. cd /root
  62. wget http://www.webmin.com/jcameron-key.asc
  63. apt-key add jcameron-key.asc
  64. apt-get -y update; apt-get -y install unbound build-essential webmin unbound-host
  65. [/CODE]
  66.  
  67. [CODE]
  68. cd /etc/unbound
  69. wget ftp://FTP.INTERNIC.NET/domain/named.cache
  70. unbound-control-setup
  71. chown unbound:root unbound_*
  72. chmod 440 unbound_*
  73. [/CODE]
  74.  
  75. nano /etc/unbound/unbound.conf
  76. delete isinya ganti dengan
  77.  
  78. server:
  79. verbosity: 1
  80. statistics-interval: 120
  81. num-threads: 1
  82. interface: 0.0.0.0
  83.  
  84. outgoing-range: 512
  85. num-queries-per-thread: 1024
  86.  
  87. msg-cache-size: 16m
  88. rrset-cache-size: 32m
  89.  
  90. msg-cache-slabs: 4
  91. rrset-cache-slabs: 4
  92.  
  93. cache-max-ttl: 86400
  94. infra-host-ttl: 60
  95. infra-lame-ttl: 120
  96.  
  97. infra-cache-numhosts: 10000
  98. infra-cache-lame-size: 10k
  99.  
  100. do-ip4: yes
  101. do-ip6: no
  102. do-udp: yes
  103. do-tcp: yes
  104. do-daemonize: yes
  105.  
  106. #access-control: 0.0.0.0/0 allow
  107. access-control: 192.168.0.0/16 allow
  108. #access-control: 172.16.0.0/12 allow
  109. #access-control: 10.0.0.0/8 allow
  110. access-control: 127.0.0.0/8 allow
  111. access-control: 0.0.0.0/0 refuse
  112.  
  113. chroot: "/etc/unbound"
  114. username: "unbound"
  115. directory: "/etc/unbound"
  116. #logfile: "/etc/unbound/unbound.log"
  117. #use-syslog: yes
  118. logfile: ""
  119. use-syslog: no
  120. pidfile: "/etc/unbound/unbound.pid"
  121. root-hints: "/etc/unbound/named.cache"
  122.  
  123. identity: "proxy.crowded.war.net"
  124. version: "1.4"
  125. hide-identity: yes
  126. hide-version: yes
  127. harden-glue: yes
  128. do-not-query-address: 127.0.0.1/8
  129. do-not-query-localhost: yes
  130. module-config: "iterator"
  131.  
  132. #zone localhost
  133. local-zone: "localhost." static
  134. local-data: "localhost. 10800 IN NS localhost."
  135. local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
  136. local-data: "localhost. 10800 IN A 127.0.0.1"
  137.  
  138. local-zone: "127.in-addr.arpa." static
  139. local-data: "127.in-addr.arpa. 10800 IN NS localhost."
  140. local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
  141. local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."
  142.  
  143. #zone crowded.war.net
  144. local-zone: "crowded.war.net." static
  145. local-data: "crowded.war.net. 86400 IN NS ns.crowded.war.net."
  146. local-data: "crowded.war.net. 86400 IN SOA crowded.war.net. hostmaster.crowded.war.net. 3 3600 1200 604800 86400"
  147. local-data: "crowded.war.net. 86400 IN A 192.168.2.22"
  148. local-data: "www.crowded.war.net. 86400 IN A 192.168.2.22"
  149. local-data: "ns.crowded.war.net. 86400 IN A 192.168.2.22"
  150.  
  151. local-zone: "2.168.192.in-addr.arpa." static
  152. local-data: "2.168.192.in-addr.arpa. 10800 IN NS crowded.war.net."
  153. local-data: "2.168.192.in-addr.arpa. 10800 IN SOA crowded.war.net. hostmaster.crowded.war.net. 4 3600 1200 604800 864000"
  154. local-data: "22.2.168.192.in-addr.arpa. 10800 IN PTR crowded.war.net."
  155.  
  156. forward-zone:
  157. name: "."
  158. forward-addr: 203.130.208.18
  159. forward-addr: 203.130.193.74
  160. forward-addr: 203.130.196.5
  161. forward-addr: 222.124.204.34
  162. forward-addr: 203.130.196.6
  163. forward-addr: 208.67.222.222
  164. forward-addr: 208.67.220.220
  165. forward-addr: 180.131.144.144
  166. forward-addr: 180.131.145.145
  167.  
  168. remote-control:
  169. control-enable: yes
  170. control-interface: 127.0.0.1
  171. control-port: 953
  172. server-key-file: "/etc/unbound/unbound_server.key"
  173. server-cert-file: "/etc/unbound/unbound_server.pem"
  174. control-key-file: "/etc/unbound/unbound_control.key"
  175. control-cert-file: "/etc/unbound/unbound_control.pem"
  176.  
  177. save
  178.  
  179. rubah resolv.conf
  180.  
  181. [CODE]
  182. cat > /etc/resolv.conf << "EOF"
  183. # Begin /etc/resolv.conf
  184. domain proxy.crowded.war.net
  185. nameserver 127.0.0.1
  186. nameserver 192.168.2.30
  187. # End /etc/resolv.conf
  188. EOF
  189. [/CODE]
  190.  
  191. unbound-checkconf /etc/unbound/unbound.conf
  192.  
  193. reboot
  194.  
  195. Tuning Up
  196.  
  197. tune2fs -o journal_data_writeback /dev/sda5
  198. tune2fs -o journal_data_writeback /dev/sda6
  199.  
  200. Optimalkan file system cache & ubah opsi untuk partisi cache
  201. Disabled fsck (file system check)
  202.  
  203. Angka standart Drive Cache adalah 0 2 ——>> ganti dengan 0 0 (INGAT HANYA DRIVE CACHE)
  204.  
  205. Opsi Directory /cache ubah
  206. # /cache-1 was on /dev/sda6 during installation
  207. UUID=b11e172f-5b54-474c-92b1-0ae780f85f29 /cache-1 ext4 default 0 0
  208.  
  209. # /cache-1 was on /dev/sda6 during installation
  210. UUID=b11e172f-5b54-474c-92b1-0ae780f85f29 /cache-1 ext4 noatime,errors=remount-ro,nobh,barrier=0,data=writeback 0 0
  211.  
  212. nano /etc/sysctl.conf
  213.  
  214. kernel.panic = 30
  215. kernel.panic_on_oops = 30
  216. kernel.sysrq = 0
  217. kernel.core_uses_pid = 1
  218. kernel.msgmnb = 65536
  219. kernel.msgmax = 65536
  220. fs.file-max = 65536
  221. vm.swappiness = 0
  222. vm.vfs_cache_pressure=50
  223. vm.mmap_min_addr = 4096
  224. vm.overcommit_ratio = 0
  225. vm.overcommit_memory = 0
  226. kernel.shmmax = 268435456
  227. kernel.shmall = 268435456
  228. vm.min_free_kbytes = 65536
  229. net.ipv6.conf.all.disable_ipv6 = 1
  230. net.ipv4.tcp_syncookies = 1
  231. net.ipv4.tcp_syn_retries = 5
  232. net.ipv4.tcp_synack_retries = 2
  233. net.ipv4.tcp_max_syn_backlog = 4096
  234. net.ipv4.ip_forward = 0
  235. net.ipv4.conf.all.forwarding = 0
  236. net.ipv4.conf.default.forwarding = 0
  237. net.ipv4.conf.all.accept_source_route = 0
  238. net.ipv4.conf.default.accept_source_route = 0
  239. net.ipv4.conf.all.rp_filter = 1
  240. net.ipv4.conf.default.rp_filter = 1
  241. net.ipv4.conf.all.accept_redirects = 0
  242. net.ipv4.conf.default.accept_redirects = 0
  243. net.ipv4.conf.all.log_martians = 0
  244. net.ipv4.conf.default.log_martians = 0
  245. net.ipv4.tcp_fin_timeout = 15
  246. net.ipv4.tcp_keepalive_time = 300
  247. net.ipv4.tcp_keepalive_probes = 5
  248. net.ipv4.tcp_keepalive_intvl = 15
  249. net.ipv4.conf.all.bootp_relay = 0
  250. net.ipv4.conf.all.proxy_arp = 0
  251. net.ipv4.tcp_dsack = 1
  252. net.ipv4.tcp_sack = 1
  253. net.ipv4.tcp_fack = 1
  254. net.ipv4.tcp_timestamps = 1
  255. net.ipv4.icmp_echo_ignore_all = 0
  256. net.ipv4.icmp_echo_ignore_broadcasts = 1
  257. net.ipv4.icmp_ignore_bogus_error_responses = 1
  258. net.ipv4.ip_local_port_range = 1024 65535
  259. net.ipv4.tcp_rfc1337 = 1
  260. net.ipv4.tcp_congestion_control = cubic
  261. net.ipv4.tcp_window_scaling = 1
  262. net.ipv4.tcp_mem = 65536 131072 262144
  263. net.ipv4.udp_mem = 65536 131072 262144
  264. net.ipv4.tcp_rmem = 8192 87380 16777216
  265. net.ipv4.udp_rmem_min = 16384
  266. net.core.rmem_default = 87380
  267. net.core.rmem_max = 16777216
  268. net.ipv4.tcp_wmem = 8192 65536 16777216
  269. net.ipv4.udp_wmem_min = 16384
  270. net.core.wmem_default = 65536
  271. net.core.wmem_max = 16777216
  272. net.core.somaxconn = 32768
  273. net.core.netdev_max_backlog = 4096
  274. net.core.dev_weight = 64
  275. net.core.optmem_max = 65536
  276. net.ipv4.tcp_max_tw_buckets = 1440000
  277. net.ipv4.tcp_tw_recycle = 1
  278. net.ipv4.tcp_tw_reuse = 1
  279. net.ipv4.tcp_max_orphans = 16384
  280. net.ipv4.tcp_orphan_retries = 0
  281. net.ipv4.ipfrag_high_thresh = 512000
  282. net.ipv4.ipfrag_low_thresh = 446464
  283. net.ipv4.tcp_no_metrics_save = 1
  284. net.ipv4.tcp_moderate_rcvbuf = 1
  285. net.unix.max_dgram_qlen = 50
  286. net.ipv4.neigh.default.gc_thresh3 = 2048
  287. net.ipv4.neigh.default.gc_thresh2 = 1024
  288. net.ipv4.neigh.default.gc_thresh1 = 32
  289. net.ipv4.neigh.default.gc_interval = 30
  290. net.ipv4.neigh.default.proxy_qlen = 96
  291. net.ipv4.neigh.default.unres_qlen = 6
  292. net.ipv4.tcp_ecn = 1
  293. net.ipv4.tcp_reordering = 3
  294. net.ipv4.tcp_retries2 = 15
  295. net.ipv4.tcp_retries1 = 3
  296.  
  297. setelah di save,
  298. sysctl -p
  299.  
  300.  
Perpendek timeout FIN-WAIT-2 (net.ipv4.tcp_fin_timeout, default 60 di Debian 6). Catatan: ini tidak mengubah lama TIME_WAIT (tetap 60 detik di kernel), dan nilai 4 di bawah bertabrakan dengan net.ipv4.tcp_fin_timeout = 15 yang sudah ditulis di sysctl.conf di atas — nilai sysctl.conf yang berlaku lagi setelah sysctl -p/reboot, jadi samakan salah satunya.
  302.  
  303. echo 4 > /proc/sys/net/ipv4/tcp_fin_timeout
  304.  
  305. ulimit -n 65535 # Sets number of open files for this process and it's children
  306.  
Open /etc/profile and make sure it does not already contain commands that set ulimit values (later lines would silently override earlier ones), then add the following to the end of the file. Note that /etc/profile is read only by interactive login shells: this raises the limit for an administrator's session, not for squid started by /etc/init.d at boot.
  309.  
  310. ulimit -Hn 65536
  311. ulimit -Sn 65535
  312.  
  313. echo 65536 > /proc/sys/fs/file-max
  314. echo "* soft nofile 65536" >> /etc/security/limits.conf
  315. echo "* hard nofile 65536" >> /etc/security/limits.conf
  316. echo "root soft nofile 65536" >> /etc/security/limits.conf
  317. echo "root hard nofile 65536" >> /etc/security/limits.conf
  318. echo "proxy soft nofile 65536" >> /etc/security/limits.conf
  319. echo "proxy hard nofile 65536" >> /etc/security/limits.conf
  320. echo "session required pam_limits.so" >> /etc/pam.d/common-session
  321. modprobe ip_conntrack
  322.  
kemudian tambahkan ip_conntrack di /etc/modules (perhatikan ejaannya: ip_conntrack, sama seperti perintah modprobe di atas) supaya modulnya dimuat otomatis saat boot
  324.  
  325. nano /etc/modules
  326. tambahkan kalimat berikut baris paling bawah :
  327.  
  328. ip_conntrack
  329. save
  330.  
  331. Install squid
  332. 32 BIT
  333. [CODE]
  334. cd /home
  335. wget http://squid-proxy-pkg.googlecode.com/files/deb-htproxy_14942_i386.tar.bz2
  336. tar xvf deb-htproxy_14942_i386.tar.bz2
  337. dpkg -i *.deb
  338. /etc/init.d/squid stop
  339. [/CODE]
  340.  
  341. 64 BIT
  342. [CODE]
  343. cd /home
  344. wget http://squid-proxy-pkg.googlecode.com/files/deb-htproxy_14942_x86-64.tar.bz2
  345. tar xvf deb-htproxy_14942_x86-64.tar.bz2 && dpkg -i *.deb
  346. dpkg -i *.deb
  347. /etc/init.d/squid stop
  348. [/CODE]
  349.  
  350. pake winscp edit
  351. /etc/squid/squid.conf
  352.  
  353. edit squid.conf sesuai kondisi
  354.  
  355. cache_dir aufs /cache-1 35000 35 256
  356. cache_dir aufs /cache-2 35000 35 256
  357.  
  358. #CONTOH DNS GOOGLE
  359. dns_nameservers 203.130.208.18
  360. dns_nameservers 203.130.193.74
  361. dns_nameservers 203.130.196.5
  362. dns_nameservers 222.124.204.34
  363. dns_nameservers 203.130.196.6
  364. dns_nameservers 208.67.222.222
  365. dns_nameservers 208.67.220.220
  366. dns_nameservers 180.131.144.144
  367. dns_nameservers 180.131.145.145
  368.  
  369. pilihan lain sebenernya tidak signifikan kalo mau optimalisasi belakangan aja
  370.  
  371. chown proxy:proxy /cache-1 && chmod 777 /cache-1
  372. chown proxy:proxy /cache-2 && chmod 777 /cache-2
  373. squid -z
  374. squid -f /etc/squid/squid.conf -z && /etc/init.d/squid start
  375.  
  376. iptables -F
  377. iptables -X
  378. iptables -t nat -F
  379. iptables -t nat -X
  380. iptables -t mangle -F
  381. iptables -t mangle -X
  382. iptables -P INPUT ACCEPT
  383. iptables -P OUTPUT ACCEPT
  384. iptables -A INPUT -s 192.168.0.0/16 -m state --state NEW -p tcp --dport 53 -j ACCEPT
  385. iptables -A INPUT -s 192.168.0.0/16 -m state --state NEW -p udp --dport 53 -j ACCEPT
  386. iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT
  387. iptables-save -c > /etc/iptables.up.rules