Whatever it may be, you should go with what works for you and your organization. In the grand scheme of things, you have to be convinced about the value you are getting for the money you are paying...


Linux proxy setup

October 6, 2009

This is the classic installation of Squid, compiled manually from source. Nowadays there are Linux distros that ship with a built-in firewall and proxy setup.

Run at your own RISK! lols.

The procedure below was tested successfully on CentOS.  The same thing was also implemented on my BSD box and works as well.

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on Unix and Windows and is licensed under the GNU GPL.

Squid provides the best possible web access. Squid optimises the data flow between client and server to improve performance and caches frequently-used content to save bandwidth. Squid can also route content requests to servers in a wide variety of ways to build cache server hierarchies which optimise network throughput.

QUICK TIP:

1. The easiest way to install and configure Squid Proxy is to install it via the distro package (e.g. RPM, .deb, .tgz), then install Webmin for easy configuration of ACLs and proxy restrictions.

2. Use SARG or Squid Report Generator for log analysis.

3. The most logical way to configure ACLs is to have a list of Allowed Sites and then deny all, so there is no need to maintain a Restricted Sites list, which is difficult to manage. This means only the sites listed in Allowed Sites can be accessed by a group; everything else is denied.

4. Squid has some limitations; if you want web content filtering, I recommend DansGuardian.

5. Access to Internet sites can be controlled by IP address or subnet; just make sure you know some basic subnetting :)

6. Familiarity with TCP ports is also a helpful skill in Squid configuration.

7. If you want something more flexible and more advanced, you can use LDAP to authenticate Squid proxy users.

SOFTWARE REQUIREMENTS

Any Linux or BSD distribution (CentOS, Redhat, Fedora Core, Debian, Gentoo / FreeBSD,OpenBSD)
Squid 2.5 Stable or higher

INSTALLATION  AND COMPILATION
a.    Download the source archive file (tarball) available at http://www.squid-cache.org or from ftp://www.squid-cache.org/pub
VERSION: squid-2.5.STABLE10.tar.gz
b.    Untar the file and change the working directory to squid-*
[root@proxy]# tar zxvf squid-2.5.STABLE10.tar.gz
[root@proxy]# cd squid-2.5.STABLE10

c.    To configure, compile and install Squid, run the following commands:

[root@proxy]# ./configure --enable-underscores --prefix=/home/squid --enable-linux-netfilter --enable-snmp

desc:

--enable-underscores              allow underscores in hostnames (URLs)
--enable-linux-netfilter          enable transparent proxy support for Linux 2.4
--enable-snmp                     enable SNMP monitoring

[root@proxy]# make
[root@proxy]# make install

By default this installs into "/usr/local/squid"; to install into a different directory, add --prefix, e.g. --prefix=/home/squid as above.

CONFIGURATION

Basic configuration is to be done in configuration file: /home/squid/etc/squid.conf

One of the important things in the squid.conf file is the cache_dir tag, which needs to be defined carefully. The directories specified there must be created at the same path and with exactly the space stated in the conf file, with 777 permissions on each cache directory defined.

In the config file, edit the following lines (these are the current config of the squid proxy):

HTTP_PORT

This parameter defines the address and port on which Squid listens for clients' HTTP requests. It is a required parameter with no default; without it, Squid will never start.

http_port  8080
(Check http_port; 3128 is the default.)

CACHE_MEM

Specifies the ideal amount of memory to be used for:

•    Hot Objects
•    Negative-Cached objects
•    In-Transit objects

cache_mem 16 MB

MAXIMUM_OBJECT_SIZE

Objects larger than this size will NOT be saved on disk. The value is specified in kilobytes, and the default is 4 MB. If you wish to get a high BYTES hit ratio, you should probably increase this (one 32 MB object hit counts for 3200 10 KB hits). Leave this value low if speed matters more to you than saving bandwidth.

Note: If using the LFUDA replacement policy you should increase this value to maximize the byte hit rate improvement of  LFUDA! See replacement_policy below for a discussion of this policy.

maximum_object_size 8192 KB

CACHE_DIR

All objects which are to be cached are stored in the disk space defined by this tag. This defines the path to cache directory, cache directory name, type and size of the cache area.

cache_dir ufs /cache 15000 16 256
(Set cache_dir to an area that has a large amount of hard disk space in order to devote to caching.)

CACHE_ACCESS_LOG

All the activities of the clients get logged in this file. Using it, the access made by the clients can be analysed.

Logging can be customized with ACLs, so that only requests matching those clauses are logged in the specified logformat. If no ACL is specified, all requests are logged to this file.

To disable logging of a request specify “none”.

cache_access_log /home/squid/var/logs/access.log
(Logs the client request activity)
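The access.log is the raw material for the per-client reports that SARG (tip 2 above) produces. As an added example, not code from this tutorial or from SARG, here is a small parser for Squid's native access.log format run over a few constructed log lines (the client addresses and URLs are made up for the example); it totals requests, denied requests and bytes per client, reports the cache hit ratio, and lists clients that keep hitting ACL denials, which is the first thing to look at when checking whether the http_access rules are doing what you intended:

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client result/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1254810000.101    120 192.168.17.5 TCP_MISS/200 5120 GET http://www.google.com/ - DIRECT/203.0.113.10 text/html
1254810001.202     10 192.168.17.5 TCP_HIT/200 2048 GET http://www.google.com/logo.png - NONE/- image/png
1254810002.303      3 192.168.17.9 TCP_DENIED/403 1450 GET http://www.example.net/ - NONE/- text/html
1254810003.404      2 192.168.17.9 TCP_DENIED/403 1450 CONNECT www.example.net:25 - NONE/- -
1254810004.505     80 198.51.100.7 TCP_DENIED/403 1450 GET http://www.yahoo.com/ - NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; returns None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    return {"time": float(f[0]), "client": f[2], "result": result, "status": int(status),
            "bytes": int(f[4]), "method": f[5], "url": f[6]}


def summarize(text):
    """Per-client request, denied-request and byte totals (what a SARG-style report is built from)."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0, "bytes": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["result"] == "TCP_DENIED":
            s["denied"] += 1
    return dict(stats)


def hit_ratio(text):
    """Fraction of requests served from the cache (any *_HIT result code)."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    hits = sum(1 for r in recs if r["result"].endswith("HIT"))
    return hits / len(recs) if recs else 0.0


def denied_clients(stats, threshold):
    """Clients with at least `threshold` denied requests, most denials first."""
    flagged = [(c, s["denied"]) for c, s in stats.items() if s["denied"] >= threshold]
    return [c for c, _ in sorted(flagged, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(client, s)
    print("hit ratio:", hit_ratio(SAMPLE_LOG))
    print("repeatedly denied:", denied_clients(stats, 2))
```

To run it against a real log, replace SAMPLE_LOG with the contents of /home/squid/var/logs/access.log; a client that appears in denied_clients() but is not in your lan ACL range (198.51.100.7 in the sample) is a sign that something outside the LAN is reaching the proxy port and should be blocked at the firewall rather than only by Squid.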

CACHE_LOG

This defines the path and the file where general information about your cache’s behavior goes. This file contains startup configuration information, as well as assorted error information during Squid’s operation. This file is a good place to look when a website is found to have problems running through the web cache. Entries here may point towards a potential solution.

cache_log /home/squid/var/logs/cache.log
(Cache logging file. This is where general information about your cache’s behavior goes.)

CACHE_STORE_LOG

This tag defines the location of the transaction log of all objects stored in the object store, including the time when each object gets deleted. This file really doesn’t have much use on a production cache and is primarily recommended for debugging. It can therefore be turned off by entering none in the entry field.

cache_store_log /home/squid/var/logs/store.log
(Logs the activities of the storage manager)

ACCESS CONTROL LISTS

You can limit users’ ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; the ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches them.
Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line. In the chapter’s examples, I’ve suggested that you place your statements at the top of the http_access list for the sake of manageability, but you can put them anywhere in the section above that last line.

Squid has a minimum required set of ACL statements in the ACCESS_CONTROL section of the squid.conf file. It is best to put new customized entries right after this list to make the file easier to read.

Here are the ACLs created in squid.conf:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl lan src 192.168.17.0/255.255.255.0
acl lanpub src 202.x.x.250/255.255.255.255
acl isp src 210.x.x/255.255.255.0
acl AllowedSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl RestrictedSites dstdomain "/usr/local/etc/restricted-sites.squid"
acl lansnmp snmp_community freelinux
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

HTTP_ACCESS

This is used for filtering based on the ACL matches. If none of the “access” lines cause a match, the default is the opposite of the last line in the list. If the last line was deny, then the default is allow. Conversely, if the last line is allow, the default will be deny. For these reasons, it is a good idea to have a “deny all” or “allow all” entry at the end of your access lists to avoid potential confusion.

# ACL definition that belongs with the ACLs above; it is not referenced by any http_access line
acl our_networks src 192.168.17.0/255.255.255.0
# Safety rules first: requests are matched top to bottom and the first matching
# line wins, so anything placed after "deny all" would never be reached.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Site policy: LAN clients may reach only the allowed sites; the ISP range is unrestricted.
http_access allow lan AllowedSites
http_access allow isp
# Everything else is denied; this must stay the last line.
http_access deny all
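Because every http_access line is an AND of its ACLs and the first matching line wins, a misplaced "deny all" silently turns every line below it into dead configuration. The following is an added example, written for this page and not code from the tutorial or from Squid, of a small Python simulator of that evaluation over the ACLs listed above: src networks in Squid 2.5's ip/mask form, port lists and ranges, method, proto and dstdomain (an inline list stands in for the allowed-sites file). It flags lines that can never be reached, and contrasts an ordering with "deny all" in third position (PAGE_RULES, the order in which this post's list was first written) against the safety-checks-first ordering (FIXED_RULES): with the first, a LAN request to an allowed site on port 25 is allowed; with the second, it is denied by "deny !Safe_ports". The 203.0.113.x and 198.51.100.x addresses are constructed placeholders for the masked 202.x.x.250 and 210.x.x values.

```python
import ipaddress

# Constructed stand-in for the contents of /usr/local/etc/allowed-sites.squid
DOMAIN_FILES = {"/usr/local/etc/allowed-sites.squid": [
    "www.freelinuxtutorials.com", "www.yahoo.com", "www.google.com", "www.wikipedia.com"]}

# ACLs from the post; 203.0.113.x replaces the masked 202.x.x.250 / 210.x.x values
ACL_CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl lan src 192.168.17.0/255.255.255.0
acl lanpub src 203.0.113.250/255.255.255.255
acl isp src 203.0.113.0/255.255.255.0
acl AllowedSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
"""

# "deny all" in third position: every line after it is dead
PAGE_RULES = [
    "http_access allow lan AllowedSites",
    "http_access allow isp",
    "http_access deny all",
    "http_access allow manager localhost",
    "http_access deny manager",
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access deny all",
]
# Safety checks first, site policy next, a single "deny all" last
FIXED_RULES = PAGE_RULES[3:7] + PAGE_RULES[0:2] + ["http_access deny all"]


def parse_net(spec):
    """Accept Squid 2.5 'ip/dotted-mask', 'ip/prefixlen' or a bare 'ip' (= /32)."""
    if "/" not in spec:
        return ipaddress.ip_network(spec)
    addr, mask = spec.split("/", 1)
    if "." in mask:
        return ipaddress.ip_network((addr, mask), strict=False)
    return ipaddress.ip_network(spec, strict=False)


def parse_acls(text):
    """Map ACL name -> (type, values); repeated names such as Safe_ports accumulate."""
    acls = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("acl "):
            _, name, kind, *values = line.split()
            acls.setdefault(name, (kind, []))[1].extend(values)
    return acls


def acl_matches(acl, req):
    """Evaluate one ACL against a request dict (src, host, port, method, proto)."""
    kind, values = acl
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in parse_net(v) for v in values)
    if kind == "port":
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind in ("method", "proto"):
        return req[kind] in values
    if kind == "dstdomain":
        domains = []
        for v in values:  # a quoted value is a file name; an inline list stands in for it
            domains += DOMAIN_FILES[v.strip('"')] if v.startswith('"') else [v]
        # a leading dot in Squid means "this domain and all its subdomains"
        return any(req["host"] == d.lstrip(".") or (d.startswith(".") and req["host"].endswith(d))
                   for d in domains)
    raise ValueError("ACL type not modelled: " + kind)


def http_access(rules, acls, req):
    """First matching line decides; every ACL on the line must match ('!' negates).
    If no line matches, the result is the opposite of the last line's action."""
    action = None
    for i, rule in enumerate(rules):
        action, *names = rule.split()[1:]
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action, i
    return ("deny" if action == "allow" else "allow"), None


def unreachable_rules(rules):
    """Indices of lines shadowed by an earlier line whose only ACL is 'all'."""
    for i, rule in enumerate(rules):
        if rule.split()[2:] == ["all"]:
            return list(range(i + 1, len(rules)))
    return []


ACLS = parse_acls(ACL_CONFIG)
# Constructed requests: a LAN client fetching an allowed site on port 80 and on port 25,
# and a client from outside both the lan and isp ranges
LAN_WEB = {"src": "192.168.17.5", "host": "www.google.com", "port": 80, "method": "GET", "proto": "http"}
LAN_SMTP = dict(LAN_WEB, port=25)
OUTSIDER = dict(LAN_WEB, src="198.51.100.7")

if __name__ == "__main__":
    print("shadowed lines with deny all in third position:", unreachable_rules(PAGE_RULES))
    for label, req in (("lan/80", LAN_WEB), ("lan/25", LAN_SMTP), ("outsider", OUTSIDER)):
        print(label, "page order:", http_access(PAGE_RULES, ACLS, req),
              "fixed order:", http_access(FIXED_RULES, ACLS, req))
```

The same check can be pointed at a real squid.conf by reading its acl lines into parse_acls() and its http_access lines into a list; unreachable_rules() catching a non-empty list before the last line is the quickest way to spot the ordering mistake the text above warns about.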

HTTP_REPLY_ACCESS

This is used for filtering based on the ACL matches, but applied to the replies to client requests. If none of the access lines cause a match, then the opposite of the last line will apply. Thus it is good practice to end the rules with an “allow all” or “deny all” entry.

http_reply_access allow all

ICP_ACCESS

This tag controls ICP access for the defined access lists.

icp_access allow all

CACHE_MGR

This is the e-mail address which will be added to any error pages that are displayed to clients. Defaults to webmaster.

cache_mgr admin@freelinuxtutorials.com

CACHE_EFFECTIVE_USER

Squid is designed to start as root but very soon after drops to the user/group specified here. This allows you to restrict, for security reasons, the permissions that Squid will have when operating. By default, Squid operates as the nobody user and the nogroup group.

Note: If these tags are not configured properly, then Squid will have problems while starting.

cache_effective_user nobody

SNMP

To enable SNMP monitoring:

acl lansnmp snmp_community nocteam   # nocteam is a sample community string
snmp_port 3128
snmp_access allow lansnmp all

A good practice is to enable cache_access_log and cache_log for debugging purposes. Even though they take up ample space, they can always be rotated on a daily basis using the logrotate feature.
(You can set up a cron job scheduled every midnight to rotate the logs, e.g.
0 0 * * * /home/squid/sbin/squid -k rotate)
You can configure MRTG and Nagios for monitoring Squid’s performance.

ALLOWING / RESTRICTING ACCESS TO SPECIFIC WEB SITES

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.
# File: /usr/local/etc/allowed-sites.squid
www.freelinuxtutorials.com
www.yahoo.com
www.google.com
www.wikipedia.com

STARTING SQUID
After you’ve finished editing the configuration file, you can start Squid for the first time. First, you must create the swap directories. Do this by running Squid with the -z option:

#/home/squid/sbin/squid -z

Once that completes, you can start Squid and try it out. Probably the best thing to do is run it from your terminal and watch the debugging output. Use this command:

#/home/squid/sbin/squid -NCd1

If everything is working fine, then your console displays: “Ready to serve requests”.

If you want to run Squid in the background, as a daemon process:

#/home/squid/sbin/squid
You must be a privileged user to start/stop Squid.

Or you can run the Squid Script:
#service squid start      to start the squid service
#service squid stop      to stop the squid service
#service squid status    to check the status of the squid service

CHECKING SQUID
Check the cache.log file in your logs directory to find out whether Squid works correctly. This file contains the informational and error messages that Squid generates at runtime.

#tail -f /home/squid/var/logs/cache.log

TROUBLESHOOTING SQUID

Squid logs both informational and error messages to files in the /var/log/squid/ directory. It is best to review these files first whenever you have difficulties. The squid.out file can be especially useful as it contains Squid’s system errors.
Another source of errors could be unintended statements in the squid.conf file that cause no error messages; mistakes in the configured hours of access, or permitted networks that were forgotten and never added, are just two possibilities.

CONFIGURATION IN THE WEB BROWSER

If you don’t have a firewall that supports redirection, then you need to configure your firewall to accept HTTP Internet access only from the Squid server, and configure your PC browser’s proxy server settings manually to use the Squid server. The method you use depends on your browser.
For example, to make these changes using Internet Explorer:
1.    Click on the “Tools” item on the menu bar of the browser.
2.    Click on “Options”.
3.    Click the tab “Network”.
4.    Click on “Settings”.
5.    Click on “Manual proxy configuration”.
6.    Configure the HTTP Proxy address with the Proxy Server IP address and the port 8080 used by your Squid Proxy server.
7.    Also input all internal sites that will bypass the Proxy server for a direct connection.
8.    Click “OK”.

Reference: http://www.freelinuxtutorials.com/tutorials/squid-proxy-server-tutorial/


Posted by linux at 6:50 am

Linux as a Router and Firewall

I found this old firewall script, which is very useful in setting up masquerading. Thanks to Darwin.


Step by Step Procedure

Step 1. Add 2 LAN cards to the Linux box. You need to have two(2) NICs, one for your private network and one for the public IP address

Step 2. Check if your networks cards are properly detected and installed. You can use the command “dmesg” to verify if it was recognized during the boot-up process

Sample output:
#dmesg |grep eth

e100: eth0: e100_probe: addr 0xfa061000, irq 177, MAC addr 00:10:DC:5E:A8:BF
e100: eth1: e100_probe: addr 0xfa060000, irq 185, MAC addr 00:10:DC:5E:A8:C0
e100: eth0: e100_watchdog: link up, 100Mbps, half-duplex
e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex

Step 3. Configure eth0 for Internet with a Public IP address

On RPM-based distros, a menu-based tool called “setup” makes configuration tasks such as networking easy.
Sample Output 1: (RPM-based like RHEL,CentOS)

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82557/8/9/0/1 Ethernet Pro 100
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:10:dc:5e:a8:bx
ONBOOT=yes
DHCP_HOSTNAME=freelinuxtutorials
IPADDR=116.x.x.x
NETMASK=255.255.255.240
GATEWAY=116.x.x.x
TYPE=Ethernet

Sample Output 2: (Debian-based)
# cat /etc/network/interfaces
auto eth0
iface eth0 inet static
address 116.x.x.x
netmask 255.255.255.240
mtu 1500
gateway 116.x.x.x

Step 4. Configure eth1 for LAN with a Private IP (Internal private network)
# cat ifcfg-eth1

BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05    # Optional
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.0.0        # Specify based on your requirement
BROADCAST=""
IPADDR=192.168.1.1        # Gateway of the LAN
NETWORK=192.168.0.0        # Optional
USERCTL=no
ONBOOT=yes

Sample Output 1: (RPM-based like RHEL,CentOS)

# cat /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=none
HWADDR=00:10:dc:5e:a8:cx
ONBOOT=yes
DHCP_HOSTNAME=freelinuxtutorials
TYPE=Ethernet
IPADDR=192.168.17.1
NETMASK=255.255.255.0

Sample Output 2: (Debian-based)
# cat /etc/network/interfaces
auto eth1
iface eth1 inet static
address 192.168.17.1
netmask 255.255.255.0
mtu 1500

Step 5. Host Configuration    (Optional)
# cat /etc/hosts
127.0.0.1       freelinuxtutorials localhost.localdomain   localhost

Step 6. Gateway Configuration (can be no gateway set)
# cat /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=freelinuxtutorials

Step 7. DNS Configuration
# cat /etc/resolv.conf

nameserver 203.x.x.x      # ISP Primary DNS Server
nameserver 203.x.x.x      # ISP Secondary DNS Server

Step 8. NAT configuration with IP Tables
First of all, flush and delete the existing firewall rules. Flush the rules by typing in a terminal:

iptables -F
iptables -t nat -F
iptables -t mangle -F
Now delete these chains:

iptables -X
iptables -t nat -X
iptables -t mangle -X
# Set up IP FORWARDing and Masquerading

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
# Enable packet forwarding in the kernel (save this setting in the /etc/sysctl.conf file to make it permanent)

echo 1 > /proc/sys/net/ipv4/ip_forward
#Apply the configuration

service iptables save
service iptables restart
# Check if iptables is set to start during boot up

chkconfig --list iptables

Step 9. Testing
Ping the Gateway of the network from client system: ping 192.168.17.1
Try it on your client systems: ping www.yahoo.com

Configure the PCs on the network
PC clients should set their gateway to the private IP of the Linux machine.
- DNS can be set to the ISP DNS, or, if you have an internal DNS with your customized zones, that is recommended, especially when you have Active Directory in place on your network.

----------------------------------------------------------------------

This is my sample NAT/firewall script:

#!/bin/sh
#
# Sample NAT/firewall script: eth0 = public (Internet) interface, eth1 = private LAN
#

# set a few variables
echo ""
echo "    setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"

# adjust my /proc
echo "    applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# load some modules (2.4-kernel module names; needed for active FTP through NAT)
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo "    applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 116.x.x.x is the public IP (could be one of the IP addresses given by your ISP)
$iptables -t nat -A POSTROUTING -s 192.168.17.0/24 -o eth0 -j SNAT --to-source 116.x.x.x

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp
echo "    applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

# apply icmp type match blocking (inserted at the top of INPUT so they win over the accepts above)
echo "    applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

# open ports to the firewall
echo "    applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#$iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
# open and forward ports to the internal machine(s)
#echo "    applying port forwarding rules"
#echo ""
#$iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
#$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 116.x.x.x --dport 80 -j DNAT --to-destination 192.168.17.200:80

# logging
#echo "    applying logging rules"
#echo ""
#$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
#$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
echo "    applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

echo "### dar firewall is loaded ###"
echo ""


Reference: http://www.freelinuxtutorials.com/tutorials/linux-as-a-router-and-firewall


Posted by linux at 6:35 am