Often when configuring new Firewall router for a network its necessary to keep log on HTTP (Web) traffic passing by the router. The best way to do this in Linux is by using Proxy server. There are plenty of different Proxy (Caching) servers for GNU / Linux. However the most popular one is Squid (WWW Proxy Cache). Besides this its often a requirement in local office networks that Proxy server is transparent (invisible for users) but checking each and every request originating from the network. This scenario is so common in middle sized and small sized organizations that its a must that every Linux admin is ready to easily configure it. In most of my experience so far I used Debian Linux, so in this post I will explain how to configure Transparent Squid Proxy with configured ACL block rules for employee's time wasting services like facebook / youtube / vimeo etc.
Here is diagram I found on a skullbox.net showing graphically below Squid setup:
1. Install Squid Proxy Server
Squid is available as Debian package since a long time, so on Deb Linux installing Squid is a piece of cake.
debian-server:~# apt-get install --yes squid
2. Create /var/cache/proxy directory and set proper permissions necessary for custom config
debian-server:~# mkdir /var/cache/proxy
debian-server:~# chown -R proxy:proxy /var/cache/proxy
3. Configure Squid Caching Server
By default debian package extract script does include default squid.conf which should be substituted with my custom squid.conf. A Minor user changes has to be done in config, download my squid.conf from here and overwrite default squid.conf in /etc/squid/squid.conf. Quickest way to do it is through:
debian-server:~# cd /etc/squid
debian-server:/etc/squid# mv /etc/squid/squid.conf /etc/squid/squid.conf.orig
debian-server:/etc/squid# wget -q https://www.pc-freak.net/files/squid.conf
debian-server:/etc/squid# chown -R root:root squid.conf
Now open squid.conf and edit lines:
Change 192.168.0.1 which is IP assigned to eth1 (internal NAT-ted interface) with whatever IP of local (internal network) is. Some admins prefer to use 10.10.10.1 local net addressing.
Below in configuration, there are some IPs from 192.168.0.1-255 network configured through Squid ACLs to have access to all websites on the Internet. To tune such IPs you will have to edit lines after (1395) after comment
# allow access to filtered sites to specific ips
4. Disabling sites that pass through the proxy server
Create file /etc/disabled-sites i.e.:
debian-server:~# touch /etc/disabled-sites
and place inside all siles that would like to be inaccessible for local office network either through text editor (vim / pico etc.) or by issuing:
debian-server:~# echo 'facebook.com' >> /etc/disabled-sites
debian-server:~# echo ''youtube.com' >> /etc/disabled-sites
debian-server:~# echo 'ask.com' >> /etc/disabled-sites
5. Restart Squid to load configs
debian-server:~# /etc/init.d/squid restart
[ ok ] Restarting Squid HTTP proxy: squid.
6. Making Squid Proxy to serve as Transparent proxy through iptables firewall Rules
Copy paste below shell script to lets say /etc/init.d/squid-transparent-fw.sh
# forward to squid.
$IPT -t nat -I $PRER -p tcp -s 192.168.0.0/24 -d ! 192.168.0.1 –dport www -j $RED –to 3128
$IPT -t nat -I $PRER -p tcp -s 192.168.0.0/24 -d ! 192.168.0.1 –dport 3128 -j $RED –to 3128
# Reject connections to squid from the untrusted world.
# rules for order.
$IPT -A $IN -p tcp -s 188.8.131.52 -d $ALL_NWORKS –dport 65221 -j $AC
$IPT -A $IN -p tcp -s $ALL_NWORKS –dport 65221 -j $REJ
$IPT -A $IN -i $OUT_B_IFACE -p tcp -s $ALL_NWORKS –dport 3128 -j $REJ
Easiest way to set up squid-transparent-fw.sh firewall rules is with:
debian-server:~# cd /etc/init.d/ Then place line /etc/init.d/squid-transparent-fw.sh into /etc/rc.local before exit 0
debian-server:/etc/init.d# wget -q https://www.pc-freak.net/files/squid-transparent-fw.sh
debian-server:/etc/init.d# chmod +x squid-transparent-fw.sh
debian-server:/etc/init.d/# bash squid-transparent-fw.sh
That's all now Squid Transparent Proxy will be up and running and the number of sites listed in disabled-sites will be filtered for Office employees returning a status of Access Denied.
Access Denied msg
Gets logged in /var/log/squid/access.log example of Denied access for Employee with IP 192.168.0.155 is below:
192.168.0.155 - - [16/Oct/2013:16:50:48 +0300] "GET http://youtube.com/ HTTP/1.1" 403 1528 TCP_DENIED:NONE
Various other useful information on what is cached is also available via /var/log/squid/cache.log and /var/log/squid/store.log
Another useful thing of using Transparent Squid Proxy is that you can always keep track on exact websites opened by Employees in Office so you can easily catch people trying to surf p0rn websites or some obscenity.
Hope this post helps some admin out there 🙂 Enjoy