Thursday, October 14, 2010

Step by step configuration of squid Proxy server

My Setup:
i) System: IBM x3200 dual Xeon CPU system with 2 GB RAM
ii) Eth0: IP: 192.168.100.1
iii) Eth1: IP: 192.168.0.1 (192.168.0.0/24 network, around 200 Windows XP systems)
iv) OS: Red Hat Enterprise Linux 5.3
Eth0 is connected to the Internet and eth1 to the local network, i.e. the system acts as a router.
RPM Package required:
#rpm -qa | grep squid
squid-2.6.STABLE21-3.el5
Editing Squid Configuration file:
# vi /etc/squid/squid.conf
http_port 3128
acl ourlan src 192.168.0.0/24
http_access allow localhost
http_access allow ourlan
http_access deny all
# /etc/init.d/squid restart (stop|start|status)
Client Machine Configuration;
1. Open Internet Explorer
2. Go to Tools -> Internet Options
3. Select the Connections tab and click LAN Settings
4. Check the Proxy Server box and enter the IP address of the proxy server and the port where requests are being handled (here 192.168.0.1 and port 3128)
ACL rules;
A few important types of ACL elements are listed below
1. src : Source i.e. client’s IP addresses
2. dst : Destination i.e. server’s IP addresses
3. srcdomain : Source i.e. client’s domain name
4. dstdomain : Destination i.e. server’s domain name
5. time : Time of day and day of week
6. url_regex : URL regular expression pattern matching
7. urlpath_regex: URL-path regular expression pattern matching, leaves out the protocol and hostname
8. proxy_auth : User authentication through external processes
9. maxconn : Maximum number of connections limit from a single client IP address
Allowing selected machines to have access to the Internet;
acl marketing src 192.168.0.10 192.168.0.20 192.168.0.30
http_access allow marketing
http_access deny !marketing
This allows only the machines whose IPs are 192.168.0.10, 192.168.0.20 and 192.168.0.30 to have access to the Internet; all other IP addresses (not listed) are denied the service.
Restrict the access during particular duration only;
acl LAN src 192.168.0.0/255.255.255.0
acl officetime time MTWHF 10:00-16:00
http_access allow LAN officetime
http_access deny LAN
This allows all the clients in the 192.168.0.0/24 network to access the net from Monday to Friday, from 10:00 am to 4:00 pm.
Multiple time access to different clients;
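acl hosts1 src 192.168.0.10
acl hosts2 src 192.168.0.20
acl hosts3 src 192.168.0.30
acl morning time 10:00-13:00
acl lunch time 13:30-14:30
acl evening time 15:00-18:00
http_access allow hosts1 morning
http_access allow hosts1 evening
http_access allow hosts2 lunch
http_access allow hosts3 evening
http_access deny all
A single rule such as "http_access allow hosts1 morning evening" would never match, because the ACLs on one http_access line are ANDed and the time cannot fall in both ranges at once; that is why hosts1 has two separate rules.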
Blocking sites;
acl marketing src 192.168.0.0/255.255.255.0
acl banned_sites url_regex abc.com *()(*.com
http_access deny banned_sites
http_access allow marketing
or
acl marketing src 192.168.0.0/255.255.255.0
acl banned_sites url_regex "/etc/squid/policy/banned.txt"
http_access deny banned_sites
http_access allow marketing
Creating Your Own Error Messages;
acl marketing src 192.168.0.0/255.255.255.0
acl banned_sites url_regex abc.com *()(*.com
http_access deny banned_sites
deny_info ERR_BANNED_SITE banned_sites
http_access allow marketing
In the above example, a special message will be displayed whenever users try to access sites matching the banned words above. The file named in the option, i.e. ERR_BANNED_SITE, must exist in the error directory (/etc/squid/errors). This error message file should be in HTML format.
Log Files;
By default, squid stores its log files in /var/log/squid
cache_access_log – For access.log
cache_log – For cache.log
cache_store_log – For store.log (Store manager)
pid_filename – Squid process ID file name
Setup a transparent proxy with Squid Server Configuration:
Managing Internet Blocking Squid Guard;
squidGuard is a URL redirector used to apply blacklists with the squid proxy software
Download the software;
#wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
#tar xvzf squidGuard-1.4.tar.gz (Unpack the source)
# cd squidGuard-1.4 (Compile the source)
#./configure
#make
#make install
Download the blacklists;
#wget http://squidguard.mesd.k12.or.us/blacklists.tgz
Copy your blacklists into the desired blacklist directory (default: /usr/local/squidGuard/db) and unpack them
#cp /root/blacklist.tar.gz /usr/local/squidGuard/db
#cd /usr/local/squidGuard/db
#gzip -d blacklist.tar.gz
#tar xfv blacklist.tar
#mv blacklist/*
Squid Guard Configuration:
Before changing the squidGuard configuration, add the three lines below to the /etc/squid/squid.conf file
#vi /etc/squid/squid.conf
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 8
redirector_bypass on
#cp /usr/local/squidGuard/squidGuard.conf /usr/local/squidGuard/squidGuard.conf.bak
#vi /usr/local/squidGuard/squidGuard.conf
#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/logs
dest porn {
domainlist porn/domains
urllist porn/urls
}
acl {
default {
pass !porn all
redirect http://localhost/block.html
}}
This is the simplest file.
You can also do multiple rules;
#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/logs
src admin {
# ip 192.168.0.4-192.168.0.10 192.168.0.82
}
src swadesh {
ip 192.168.0.100
}
src marketing {
ip 192.168.0.5-192.168.0.25
}
src devoloper {
ip 192.168.0.35-192.168.0.70
}
src special {
ip 192.168.0.75-192.168.0.150
}
dest mail {
domainlist mail/urls
}
dest porn {
domainlist porn/domains
urllist porn/urls
}
dest adv {
domainlist adv/domains
urllist adv/urls
}
dest gamble {
domainlist gamble/domains
urllist gamble/urls
}
dest hacking {
domainlist hacking/domains
urllist hacking/urls
}
dest hobby {
domainlist hobby/cooking/domains
urllist hobby/cooking/urls
domainlist hobby/games/domains
urllist hobby/games/urls
domainlist hobby/gardening/domains
urllist hobby/gardening/urls
domainlist hobby/pets/domains
urllist hobby/pets/urls
}
dest hospitals {
domainlist hospitals/domains
urllist hospitals/urls
}
dest imagehosting {
domainlist imagehosting/domains
urllist imagehosting/urls
}
dest isp {
domainlist isp/domains
urllist isp/urls
}
dest jobsearch {
domainlist jobsearch/domains
urllist jobsearch/urls
}
dest military {
domainlist military/domains
urllist military/urls
}
dest models {
domainlist models/domains
urllist models/urls
}
dest movies {
domainlist movies/domains
urllist movies/urls
}
dest music {
domainlist music/domains
urllist music/urls
}
dest news {
domainlist news/domains
urllist news/urls
}
dest podcasts {
domainlist podcasts/domains
urllist podcasts/urls
}
dest politics {
domainlist politics/domains
urllist politics/urls
}
dest recreation {
domainlist recreation/humor/domains
urllist recreation/humor/urls
domainlist recreation/martialarts/domains
urllist recreation/martialarts/urls
domainlist recreation/sports/domains
urllist recreation/sports/urls
domainlist recreation/travel/domains
urllist recreation/travel/urls
domainlist recreation/wellness/domains
urllist recreation/wellness/urls
}
dest redirector {
domainlist redirector/domains
urllist redirector/urls
}
dest religion {
domainlist religion/domains
urllist religion/urls
}
dest remotecontrol {
domainlist remotecontrol/domains
urllist remotecontrol/urls
}
dest ringtones {
domainlist ringtones/domains
urllist ringtones/urls
}
dest science {
domainlist science/astronomy/domains
urllist science/astronomy/urls
domainlist science/chemistry/domains
urllist science/chemistry/urls
}
dest searchengines {
domainlist searchengines/domains
urllist searchengines/urls
}
dest sex {
domainlist sex/domains
urllist sex/urls
}
dest shopping {
domainlist shopping/domains
urllist shopping/urls
}
dest socialnet {
domainlist socialnet/domains
urllist socialnet/urls
}
dest spyware {
domainlist spyware/domains
urllist spyware/urls
}
dest tracker {
domainlist tracker/domains
urllist tracker/urls
}
dest updatesites {
domainlist updatesites/domains
urllist updatesites/urls
}
dest violence {
domainlist violence/domains
urllist violence/urls
}
dest warez {
domainlist warez/domains
urllist warez/urls
}
dest weapons {
domainlist weapons/domains
urllist weapons/urls
}
dest webmail {
domainlist webmail/domains
urllist webmail/urls
}
dest webphone {
domainlist webphone/domains
urllist webphone/urls
}
dest webradio {
domainlist webradio/domains
urllist webradio/urls
}
dest webtv {
domainlist webtv/domains
urllist webtv/urls
}
dest drugs {
domainlist drugs/domains
urllist drugs/urls
}
acl {
admin {
pass any
}
swadesh {
pass any
}
marketing {
pass !in-addr !adv !porn !aggressive !automobile !chat !dating !downloads !drugs !dynamic !finance !fortunetelling !forum !gamble !hacking !hobby !hospitals !imagehosting !isp !jobsearch !military !models !movies !music !news !podcasts !politics !recreation !redirector !religion !remotecontrol !ringtones !science !sex !shopping !socialnet !spyware !tracker !updatesites !violence !warez !weapons !webphone !webradio !webtv !searchengines all
redirect http://localhost
} else {
pass any
}
devoloper {
pass !in-addr !adv !porn !aggressive !automobile !chat !dating !downloads !drugs !dynamic !finance !fortunetelling !forum !gamble !hacking !hobby !hospitals !imagehosting !isp !jobsearch !military !models !movies !music !news !podcasts !politics !recreation !redirector !religion !remotecontrol !ringtones !science !sex !shopping !socialnet !spyware !tracker !updatesites !violence !warez !weapons !webphone !webradio !webtv !searchengines all
redirect http://localhost
} else {
pass any
}
special {
pass any
} else {
pass any
}
default {
pass !adv !porn !automobile !chat !downloads !drugs !dynamic !finance !fortunetelling !forum !gamble !hacking !hobby !hospitals !imagehosting !isp !jobsearch !military !models !movies !music !news !podcasts !politics !recreation !redirector !religion !remotecontrol !ringtones !science !sex !shopping !socialnet !spyware !tracker !violence !warez !weapons !webphone !webradio !webtv all
redirect http://localhost
}
}
Initializing the blacklists:
#squidGuard -C all
#chown -R squid:squid /usr/local/squidGuard/db/*
#squid -k reconfigure
For more information follow:
http://www.squidguard.org/Doc/configure.html
Monitoring squid by squint:
Squint is the report generator software
Requirement of squint;
. Squid proxy server
. Perl (/usr/bin/perl)
. Apache (to view documents), or a local web browser
. Bash (/bin/bash – for running from cron. /bin/sh doesn’t work on some systems)
Software to Download;
# wget http://downloads.safesquid.net/free/general/precompiled/squint.tar.gz
Installation Procedure;
#tar -xvzf squint.tar.gz
#cd squint
# cp squint.pl squint.cron.sh /usr/local/bin
# squint.cron.sh init
# squint.cron.sh all
#squint.cron.sh regen
#make && make install
#make init (if required; it is used for the cron job entry)
Now it’s ready to use
http://192.168.0.1/squint
Restricting Download with Squid;
Many times you may want to prevent users from downloading huge files through the proxy server. To restrict that, edit the following settings in squid.conf.
#vim /etc/squid/squid.conf
acl admin src 192.168.0.5-192.168.0.10
reply_body_max_size 2097152 allow admin
reply_body_max_size 0 allow all
By default, there is no restriction on the maximum file that can be downloaded.
Here admin acl is allowed only a maximum of 2 MB download.
2097152 bytes = 2097152/1024 Kbytes => 2048 KB => 2 MB
Share your Bandwidth;
This section tries to help you use your ISP bandwidth wisely! You might be the system administrator of a company who has always wanted to limit fellow workers from downloading media files, limit access to streaming videos such as those on YouTube, and share adequate bandwidth with your SMTP and HTTP servers. Thanks to Mr. Sreejith who cleared this concept.
We are going to use the delay_pools TAG in squid.
Before going straight into the configuration, I would like to write some theory.
What exactly are delay pools?
They are simply pools which make a delayed response.
They are essentially bandwidth buckets!
Some of you might have quizzically raised your eyebrows when you read buckets, I know! I too was very much confused about this bucket concept! But I think I can clarify the whole concept for you!
Imagine a bandwidth bucket as a normal plastic bucket used for storing water! Instead of water, these buckets store bandwidth! Initially it will be full! Initially means when no one is using your bandwidth. When a user requests a page, he will get the response only if there is enough bandwidth available in the bucket he is using. The bucket actually stores traffic! Bandwidth is expressed in terms of how much data is available in one second, like 1Mb/s (1Mbps)
Traffic is expressed in terms of total data, like 1MB.
The size of the bucket determines how much bandwidth is available to a client(s). If a bucket starts out full, a client can take as much traffic as it needs until the bucket becomes empty. The client then receives its bucket allotment at the ‘fill rate’. (I will tell about the fill rate later, just keep that word in mind).
There are three types of delay pools.
Class 1 => Single aggregate bucket (Totally shared among the members of the bucket)
Class 2 => To understand it better, assume it is applied to Class C networks.
There’s one bucket for each network and 256 individual buckets, one for each IP of every network. The size of an individual bucket cannot exceed the network bucket!
Class 3 => one aggregate bucket, 256 network buckets, 65536 individual buckets. (Class B networks)
Now into configuration,
Firstly we need to define how many delay pools we are going to declare.
delay_pools 2
This means that we have two delay pools.
delay_class 1 3
This means that the first pool is a class 3 pool (Class B networks)
delay_class 2 1
This means that the second pool is a class 1 pool (Single aggregate bucket)
For each pool we should have a delay_class line.
Now we need to define each pool's parameters, like the capacity of each pool and fill rate.
delay_parameters 1 7000/15000 3000/4000 1000/2000
These are the delay pool parameters for pool 1.
Pool 1 was a class 3 pool. A class 3 pool has 3 buckets: one aggregate bucket, one for 256 networks and one for 65536 individual IPs!
delay_parameters 2 2000/8000
The second pool is of type class 1. Class 1 has only one aggregate bucket!
Now what's this 2000/8000?
Each bucket is recognized by its rate/size
Here 8000 is the maximum capacity of the bucket!
And it refills at the rate of 2000 bytes/second
This means that if the bucket is empty, it takes 4 seconds for the bucket to get full if no clients are accessing it!
If you find a declaration like this,
delay_parameters 2 -1/-1
This means there's no limitation to the bucket!
Now let's take an example.
Our ISP connection is 12Mbps and we want our machines to have a maximum of 4 Mbps at peak time.
The rest we dedicate for SMTP or other production servers. We are going to define only one delay pool of
class 1
What is actually 12Mbps?
1Mbps = 1 Megabits per second => 1/8 Megabytes per second (8 bits = 1 byte)
1/8 Megabytes per second => 1/8 * 1024 Kilobytes per second => 128Kilobytes per second => 128KBps
so 1 Mbps => 128 KBps
so 12 Mbps => 128 * 12 = 1536 KBps => 1.5 MBps
To sum up
so 12 Mbps = 12/8 MBps => 1.5 MBps
So with this ISP connection we can download a 6 MB file in 4 seconds!
So here the maximum bandwidth available to machines must be 4 Mbps only! (4Mbps ~ 0.5 MBps ~ 512
KBps)
delay_pools 1
delay_class 1 1
delay_parameters 1 524288/1048576
524288 => 524288/1024 KB => 512 KB => 512/1024 MB => 0.5 MB => 0.5*8 => 4Mb
1048576 => 1048576/1024 KB => 1024 KB => 1 MB
Initially the bucket will be full (1 MB traffic). Now a client makes a request to download a 5 MB file.
It will get the maximum speed (12 Mbps) until it downloads 1 MB, but after that it gets only 0.5 MBps.
For 1 MB, it takes 1 second as the full bucket is available at first. As the bucket drains, it fills at the rate of 0.5 MBps only.
So 0.5 MBps will only be available after 1 MB has been downloaded!
So the file will get downloaded in 9 seconds. (This is all in theory )
There is another TAG associated with delay_pools.
delay_initial_bucket_level => this parameter expects a value in percentage (%)
This parameter specifies how much bandwidth is put in each bucket when squid service starts.
By default, the value will be 50%, which means that in the previous example, the client will download at full speed till the download reaches 0.5 MB
eg:
acl throttled src 192.168.0.5-192.168.0.10
delay_pools 1
delay_class 1 1
delay_parameters 1 524288/1048576
delay_access 1 allow throttled
Hope this was useful for you!.
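The bucket arithmetic above can be checked with a small simulation. This is an added example, not part of the original post: it assumes a class 1 pool that is refilled once per second and an even split among active clients, and the names simulate, MB and LINK are illustrative.

```python
def simulate(files, restore, size, link_rate, initial_pct=100, limit=86400):
    """Finish time in seconds of each download sharing one class 1 delay pool.

    files        download sizes in bytes, all starting at t=0
    restore/size the two numbers of delay_parameters (bytes/s, bytes); -1/-1 = unlimited
    link_rate    upstream capacity in bytes/s
    initial_pct  delay_initial_bucket_level, in percent
    """
    unlimited = restore < 0 or size < 0
    bucket = 0 if unlimited else size * initial_pct // 100
    remaining = list(files)
    finished = [None] * len(files)
    t = 0
    while any(r > 0 for r in remaining):
        if t >= limit:
            raise RuntimeError("downloads did not finish within the limit")
        t += 1
        # A client can never receive more than the bucket holds or the link carries.
        budget = link_rate if unlimited else min(bucket, link_rate)
        active = [i for i, r in enumerate(remaining) if r > 0]
        spent = 0
        for n, i in enumerate(active):
            # Assumption: bytes available this second are split evenly among active clients.
            share = (budget - spent) // (len(active) - n)
            take = min(share, remaining[i])
            remaining[i] -= take
            spent += take
            if remaining[i] == 0:
                finished[i] = t
        if not unlimited:
            # Refill once per second, never above the bucket size.
            bucket = min(size, bucket - spent + restore)
    return finished


MB = 1024 * 1024
LINK = 12 * MB // 8  # the 12 Mbps line from the text, in bytes per second

if __name__ == "__main__":
    print(simulate([5 * MB], 524288, 1048576, LINK))                  # bucket starts full
    print(simulate([5 * MB], 524288, 1048576, LINK, initial_pct=50))  # default initial level
    print(simulate([5 * MB, 5 * MB], 524288, 1048576, LINK))          # two clients share it
    print(simulate([5 * MB], -1, -1, LINK))                           # unlimited pool
```

With the bucket starting full, the 5 MB download finishes in the 9 seconds worked out above; at the default 50% initial level it takes one second longer.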
Transparent proxy setup steps:
1. Squid configuration so that it will act as a transparent proxy
2. iptables configuration
   a) Configure system as router
   b) Forward all http requests to 3128 (DNAT)
3. Run scripts and start squid service
Editing Squid Configuration file:
[root@squid ~]# vi /etc/squid/squid.conf
acl ourlan src 192.168.0.0/24
visible_hostname squid.enfinet.bbsr
http_access allow localhost
http_access allow all
http_port 3128 transparent
Check your squid configuration file
[root@squid ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
The output is as follows:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl ourlan src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
visible_hostname squid.enfinet.bbsr
http_access allow localhost
http_access allow all
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log
log_fqdn on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr webmaster
coredump_dir /var/spool/squid
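Squid evaluates http_access rules top to bottom, the first matching rule wins, and all ACLs named on one line must match. The sketch below is an added example, not part of the original post: it models only src ACLs and compares the transparent-proxy rules above (http_access allow all) with the LAN-only rules from the first section; the names parse, decide, TRANSPARENT and RESTRICTED are illustrative and the two rule sets are constructed from the ACLs on this page.

```python
import ipaddress

# Constructed rule sets: ACL names and networks are taken from this page.
TRANSPARENT = """
acl all src 0.0.0.0/0.0.0.0
acl ourlan src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access allow all
"""
RESTRICTED = """
acl all src 0.0.0.0/0.0.0.0
acl ourlan src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access allow ourlan
http_access deny all
"""


def parse(conf):
    """Collect 'src' ACLs and the ordered http_access rules (other ACL types are ignored)."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules


def decide(conf, client_ip):
    """Return 'allow' or 'deny' for client_ip, following first-match evaluation."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)

    def matches(name):
        # A leading '!' negates the ACL; an undefined ACL name raises KeyError.
        negated = name.startswith("!")
        hit = any(ip in net for net in acls[name.lstrip("!")])
        return hit != negated

    for action, names in rules:
        # All ACLs named on one http_access line must match (logical AND).
        if all(matches(n) for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule; no rules means deny.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for ip in ("192.168.0.50", "203.0.113.7"):  # LAN client, documentation-range outsider
        print(ip, decide(TRANSPARENT, ip), decide(RESTRICTED, ip))
```

With allow all, an address outside 192.168.0.0/24 is served. Because the iptables rules that follow also redirect port 80 traffic arriving on eth0 to Squid, limiting http_access to ourlan is what keeps the proxy closed to the Internet side.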
Iptables configuration:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Here is a script that first configures the Linux system as a router and forwards all http requests to port 3128
[root@squid]# cat /root/iptables.sh
#!/bin/sh
# Written By Swadesh sampad Mohanty
# squid server IP
SQUID_SERVER="192.168.0.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# New INBOUND Connection: FTP (with TLS)
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 20 -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
# New INBOUND Connection: Secure Shell
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 22 -j ACCEPT
# New Rules for Web min
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 10000 -j ACCEPT
# New INBOUND Connection: SMTP and SMTPS (over TLS/SSL)
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 25 -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 465 -j ACCEPT
# New INBOUND Connection: HTTP (Plain and SSL)
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 443 -j ACCEPT
# New INBOUND Connection: LDAPS Server (over SSL)
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 636 -j ACCEPT
# New INBOUND Connection: IMAPS Email Clients (over SSL)
iptables -A INPUT -i $INTERNET -m state --state NEW -m tcp -p tcp --syn --dport 993 -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
# Note: this rule also matches port 80 traffic arriving on $INTERNET, so Squid's
# http_access rules decide which sources are served
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
[root@squid]#sh /root/iptables.sh
[root@squid]#vi /etc/rc.d/rc.local
sh /root/iptables.sh (to start it automatically after system reboot)
[root@squid]#service iptables save
[root@squid]#chkconfig iptables on
[root@squid]#service iptables restart
[root@squid]#chkconfig squid on
[root@squid]#service squid restart
Client computer configuration:
Point all desktop clients to your eth1 IP address (192.168.0.1) as Router/Gateway. You do not have to set up individual browsers to work with proxies.
Test whether the squid proxy is working correctly:
See the access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log
