Linux Box as a Squid Server

Operating System: CentOS 6.3

Squid is a proxy server for caching and filtering web content. Squid caches the web pages it fetches over the ISP link and serves them again when the same pages are requested later. Because repeated content is delivered from the local network instead of the Internet, bandwidth usage drops and response times improve.

INSTALLATION AND CONFIGURATION OF SQUID PROXY

Installation:

Update your yum repositories:

[root@telweb]# yum update

Install squid:
[root@telweb]# yum install squid -y

With the default configuration, Squid already performs web content caching. Its configuration file is /etc/squid/squid.conf.

Start squid service:
[root@telweb]# service squid start

Enable squid startup on boot:
[root@telweb]# chkconfig --level 235 squid on

Set the web browser on your local machine to access the Internet via the proxy. The default proxy port is 3128.
Firefox: Options/Preferences - Advanced - Network - Settings - choose "Manual proxy configuration" - enter your proxy server IP (192.168.2.1) and port 3128.
Try to access web pages. This should work. If it doesn't, disable iptables and selinux on the proxy server (note that this also removes the firewall protecting the proxy itself; allowing TCP port 3128 from the LAN in iptables is the narrower fix).

[root@telweb]# service iptables stop

Make sure iptables does not start again at boot:
[root@telweb]# chkconfig iptables off

Disable selinux:
Open the file /etc/selinux/config, find the line
SELINUX=enforcing
and change it to
SELINUX=disabled

Save the file and reboot the system.

SQUID SERVER WEB FILTERING

Squid can restrict web access to particular websites, matching either the destination domain or keywords in the requested URL. This is done with access control lists (ACLs).

Restricting access to particular web sites by domain
Create a file in /etc/squid/ for the blocked web sites:

[root@telweb]# touch /etc/squid/blockedwebsites.squid

Open the file and add the web sites to be blocked:
[root@telweb]# vi /etc/squid/blockedwebsites.squid

Add the following to block Facebook and Yahoo:
-------------------------------------------------------------------------------------------------------------------------
#blockedsites
www.facebook.com
www.yahoo.com
-------------------------------------------------------------------------------------------------------------------------
Save the file.

Open the file /etc/squid/squid.conf and add an ACL for the sites to be blocked.

Find the section:
-------------------------------------------------------------------------------------------------------------------------
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
-----------------------------------------------------------------------
and add the ACL just below it, giving:
-------------------------------------------------------------------------------------------------------------------------

acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# ACL blocksites
acl blocksites dstdomain "/etc/squid/blockedwebsites.squid"
-------------------------------------------------------------------------------------------------------------------------

To deny access for the new ACL, add the line
http_access deny blocksites
right after the cachemgr rule, so that the section reads:
-------------------------------------------------------------------------------------------------------------------------
# Only allow cachemgr access from localhost
http_access allow manager localhost

# Deny access to blocksites ACL
http_access deny blocksites
-------------------------------------------------------------------------------------------------------------------------
Save the file.

Restart the squid service:
[root@telweb]# service squid restart

Launch your browser and try to access Facebook or Yahoo.
The page should now be blocked.



Blocking sites by keyword

Create a file blockbykeywords.squid in /etc/squid/:
[root@telweb]# touch /etc/squid/blockbykeywords.squid

Add the keywords to the file just created:
[root@telweb]# vi /etc/squid/blockbykeywords.squid
Add:
--------------------------------------------------------------------------------------------------------------------------
#block using a key word
Porn
Sex
XXX
--------------------------------------------------------------------------------------------------------------------------

Add an ACL in /etc/squid/squid.conf just below the previous one:

--------------------------------------------------------------------------------------------------------------------------
acl CONNECT method CONNECT
# ACL blocksites
acl blocksites dstdomain "/etc/squid/blockedwebsites.squid"

# ACL blockkeywords
acl blockkeywords url_regex -i "/etc/squid/blockbykeywords.squid"
--------------------------------------------------------------------------------------------------------------------------

To deny requests matching the blockkeywords ACL, add the last two lines shown below after the blocksites rule:

--------------------------------------------------------------------------------------------------------------------------
# Only allow cachemgr access from localhost
http_access allow manager localhost

# Deny access to blocksites ACL
http_access deny blocksites

# Deny access to blockkeywords ACL
http_access deny blockkeywords
--------------------------------------------------------------------------------------------------------------------------
Restricting access from specific IP addresses

Create a file /etc/squid/blockip.squid and add the IP addresses to block, one per line.

[root@telweb]# cat /etc/squid/blockip.squid
------------------------------------------------------------------------------------------------------------
#blocked ips
192.168.2.100
192.168.2.105
192.168.2.90
------------------------------------------------------------------------------------------------------------
Open /etc/squid/squid.conf and create a new ACL "blockip" of type "src" in the ACL section:
---------------------------------------------------------------------------------------------------------------
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# ACL blocksites
acl blocksites dstdomain "/etc/squid/blockedwebsites.squid"
# ACL blockkeywords
acl blockkeywords url_regex -i "/etc/squid/blockbykeywords.squid"
# ACL blockip
acl blockip src "/etc/squid/blockip.squid"
-------------------------------------------------------------------------------------------------------------
and add the line "http_access deny blockip" to the http_access section to deny access for the "blockip" ACL:
------------------------------------------------------------------------------------------------------------
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
# Deny access to blockip ACL
http_access deny blockip
# Deny access to blocksites ACL
http_access deny blocksites
# Deny access to blockkeywords ACL
http_access deny blockkeywords
------------------------------------------------------------------------------------------------------------

Allowing full access for specific IP addresses

You can give specific IP addresses full access, bypassing the site and keyword blocks. Create a file "/etc/squid/allowip.squid" with the IP addresses one per line, and create an ACL "allowip" of type "src" in the ACL section:

------------------------------------------------------------------------------------------------------------
# ACL allowip
acl allowip src "/etc/squid/allowip.squid"
------------------------------------------------------------------------------------------------------------
and add "!allowip" to the deny rules in the http_access section as below, so that those rules no longer apply to the listed clients:
------------------------------------------------------------------------------------------------------------
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
# Deny access to blockip ACL
http_access deny blockip

# Deny access to blocksites ACL
http_access deny blocksites !allowip

# Deny access to blockkeywords ACL
http_access deny blockkeywords !allowip
------------------------------------------------------------------------------------------------------------
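To see how Squid evaluates the ACLs and http_access lines from the blocksites, blockkeywords, blockip and allowip sections above, here is a small model of that logic in Python (an added example, not code from this post or from Squid). The list contents are copied from the post, except allowip.squid, whose contents the post does not show, so one sample client address is assumed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed copies of the post's list files; allowip.squid is not shown in
# the post, so one sample client address is assumed for it here.
BLOCKED_SITES = ["www.facebook.com", "www.yahoo.com"]
BLOCKED_KEYWORDS = ["Porn", "Sex", "XXX"]
BLOCKED_IPS = ["192.168.2.100", "192.168.2.105", "192.168.2.90"]
ALLOWED_IPS = ["192.168.2.10"]
def match_dstdomain(patterns, host):
    # dstdomain: a bare name matches that exact host only; ".example.com"
    # matches example.com and every subdomain of it.
    host = host.lower()
    for p in (x.lower() for x in patterns):
        if host == p or (p[:1] == "." and (host == p[1:] or host.endswith(p))):
            return True
    return False
def match_url_regex(patterns, url):
    # url_regex -i: case-insensitive search anywhere in the URL ("Sex" also hits www.essex.ac.uk).
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)
def match_src(addresses, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in addresses)
ACLS = {  # acl name -> test over (client ip, requested url)
    "blocksites": lambda ip, url: match_dstdomain(BLOCKED_SITES, urlsplit(url).hostname or ""),
    "blockkeywords": lambda ip, url: match_url_regex(BLOCKED_KEYWORDS, url),
    "blockip": lambda ip, url: match_src(BLOCKED_IPS, ip),
    "allowip": lambda ip, url: match_src(ALLOWED_IPS, ip),
}

# The post's http_access lines in order; "allow all" stands in for the stock
# config's "allow localnet" (the manager and Safe_ports rules are left out).
HTTP_ACCESS = [("deny", ["blockip"]),
               ("deny", ["blocksites", "!allowip"]),
               ("deny", ["blockkeywords", "!allowip"]),
               ("allow", ["all"])]

def http_access(client_ip, url):
    # First matching line wins; every ACL on the line must match (AND); "!" negates.
    for action, acls in HTTP_ACCESS:
        for name in acls:
            acl = name.lstrip("!")
            hit = acl == "all" or ACLS[acl](client_ip, url)
            if hit == name.startswith("!"):  # this ACL failed; line does not match
                break
        else:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

Note that the bare "www.facebook.com" entry does not cover m.facebook.com, while the case-insensitive keyword "Sex" also denies unrelated hosts such as www.essex.ac.uk.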

Configuring Squid as a Transparent Proxy:

You can also configure Squid as a transparent (intercepting) proxy.
Find the following line in /etc/squid/squid.conf:
------------------------------------------------------------------------------------------------------------
# Squid normally listens to port 3128
http_port 3128
------------------------------------------------------------------------------------------------------------
and replace it with:

------------------------------------------------------------------------------------------------------------
# Squid normally listens to port 3128
http_port 3128 intercept
------------------------------------------------------------------------------------------------------------
Create a file "/root/squidfw.sh" and add the following firewall script (modify the interface names to match your system):
-------------------------------------------------------------------------------------------------------------------
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.2.1"
# Interface connected to the Internet (must differ from the LAN interface,
# otherwise the "unlimited access to LAN" rules below open the box to the Internet)
INTERNET="eth0"
# Interface connected to the LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow replies to connections this host initiated (DNS, passive FTP, ...) on the Internet interface
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if the proxy is the same system as the gateway
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP and log everything else
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
------------------------------------------------------------------------------------------------------------------
Run the script:
[root@telweb]# sh /root/squidfw.sh

and add the line below to "/etc/rc.local" so the script runs at startup:
[root@telweb]# vi  /etc/rc.local
------------------------------------------------------------------------------------------------------------
sh /root/squidfw.sh
------------------------------------------------------------------------------------------------------------
Change the default gateway on the user machines to the Squid server's IP.
Users can now access the Internet without any proxy setting in the browser.

Done!!

Reported:
Site blocking was highly effective with the browser set to use the proxy manually. Effectiveness dropped once the proxy was switched to transparent mode: the proxy could not filter out or block HTTPS, as it did with the manual proxy setup. This follows from the firewall script above, which only redirects TCP port 80 to Squid; HTTPS traffic on port 443 is simply forwarded and masqueraded, so it never reaches the proxy.


