Install and Configure Squid in Ubuntu

Squid in Ubuntu Overview

A proxy server is a very useful tool for a network. It is commonly used in computer networks to protect the network from attack, to filter nefarious web content and pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private, local area networks, to filter, protect and cache content requested by users on that network, this is called “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side “in-front-of” destination webservers in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files, this is called “reverse proxy.”

Types of Proxy Servers

Proxy Server The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
Transparent Proxy Server The router sends all traffic on defined ports, to the transparent proxy server, this way clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
Reverse Proxy Server (Caching) The reverse proxy server or cache server is placed in-front-of or prior-to the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.

diagram of proxy server scenarios

Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid on an Ubuntu distribution of Linux.

Steps to install and configure Squid

Open a terminal, and type in the following commands to install Squid

sudo apt-get update
sudo apt-get install squid squid-common

Ways to start and stop Squid

sudo service squid start (stop|restart|status)
sudo /usr/sbin/squid (launch program directly)
sudo pkill -9 squid

Navigate to the Squid folder to find the squid.conf configuration file

cd /etc/squid
ls (you should see the squid.conf file)

Create a backup of the squid.conf file

sudo cp squid.conf squid.conf.bak

For testing purposes open Firefox and set it to send web requests to the Squid Proxy Server (You will need to know your ip address)

ifconfig (write down your inet address e.g. 192.168.1.100)
 

Open Firefox

Edit > Preferences, Advanced > Network Tab > Connection-Settings:

Manual Proxy Configuration:

HTTP Proxy: your IP address or loopback address 127.0.0.1,    Port: 3128
   Click Ok and Close

Now if you try and go to a website like google you should see an ERROR – Access Denied message from Squid (see bottom line). This means that Squid is working by actively denying the traffic.

Now we need to configure Squid to allow web traffic through the proxy server. Open squid.conf in your favorite text editor like gedit, nano, or vi

sudo nano squid.conf

or

sudo gedit squid.conf & (If gedit does not open from the terminal you can open it as root user)
sudo su
gedit squid.conf &

To switch out of root user

su your-username (if you are root user the prompt is a "#" switch back to your user account privilege)

If you chose to open with squid.conf with gedit, then turn on line numbering (Edit > Preferences > View >Display Line Numbers)

Change the name of your Squid Proxy Server, around line 3399, change.

#    TAG: visible_hostname

to

 visible_hostname YourNameProxyServer  

You can configure access rules for your Squid proxy server (lines 331 to 831 are for Access Control). Notice that on lines 606 to 630 the local networks and usable ports (services) are defined. Active configuration lines, are the lines that are not commented out, i.e. they do not start with  a # sign.

To re-enable web access uncomment line 676

#http_access allow localnet

to

http_access allow localnet

To verify the Web is now working, save your changes to the squid.conf file and restart your Squid server.

sudo service squid restart

Now resfresh your Firefox web browser and your homepage should be visible.

Now we can practice writing a custom ACL (access list) in the squid.conf file to block specific domains and websites. We can write our custom ACL at the end of the acl lines around line 631. From an empty line write the following lines to test domain blocking.

acl blocked_websites dstdomain .msn.com .yahoo.com
http_access deny blocked_websites

Now restart your Squid server, and test to see if Squid denies access to your blocked domains/websites in Firefox.

Video Tutorials

In this series of videos, I go through the same process outlined above, to install and configure a Squid proxy server in Ubuntu .

In part 1, I install Squid in Ubuntu, start and stop it, backup the configuration
file, and configure Firefox to use Squid as a proxy server

In part 2, I discuss editing the configuration file

In part 3, I write a custom ACL in the squid.conf file

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard Overview

Most routers for the home don’t do a very good job at filtering objectionable web content. One possible solution is to turn a Raspberry Pi into a proxy web filter that can protect users on your home network. In this lab, I turn a Raspberry Pi running the Raspbian Linux operating system into a robust web proxy that filters objectionable web sites. In order to turn the Raspberry Pi into a web proxy I install and configure Squid and SquidGuard, and then I download and configure a blacklist file which is available for personal use through a creative commons license. This lab focuses on turning the Raspberry Pi into a standalone proxy server that can be reached by changing the network clients web browser proxy settings, or by configuring the router to direct web traffic to the proxy server. In a follow up lab, you could configure the Raspberry Pi as a transparent inline proxy server.

Step-by-step instructions

First, I recommend updating your repositories and then installing the program locate and updating the index/database of file locations. This will help you if you need search for the file paths to the Squid and SquidGuard configuration files. After installing Squid and SquidGuard you will want to run the sudo updatedb command again in order to make the newly installed files indexed and searchable with locate.

$ sudo apt-get update
$ sudo apt-get install locate
$ sudo updatedb

1. Install Squid, start it, and set it to start on boot

$ sudo apt-get install squid3
$ sudo update-rc.d squid3 enable

Use netstat to check to see if Squid is listening on port 3128, also using ps notice that one of the process ids that Squid uses is proxy:proxy for the user and group

$ sudo netstat -antp |grep squid
$ sudo ps -aux |grep squid

2. Edit the Squid configuration file and then reload Squid. Notice, that I run updatedb and then use locate to find the location of the squid.conf file

$ sudo updatedb
S sudo locate squid.conf
$ sudo nano -c /etc/squid3/squid.conf

on lines 1038 to 1040 uncomment the lines that start with #acl localnet src …  (In nano use the Ctrl+w keys to search for, and jump to, specific lines in the configuration file)

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

on line 1209 uncomment the line #http_access allow localnet

http_access allow localnet

on line 1613 make sure http_port 3128 is uncommented:

http_port 3128

save and quit.

$ sudo service squid3 reload

or

$ sudo service squid3 restart

3. Now that Squid is running you can test it from another computer on the network by going to another computer and changing the settings in Firefox or Chrome to point to the Squid web proxy on the Raspberry Pi. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration

and set it to: <the ip address of the computer/RPi running squid>:3128

*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on your distribution the Linux firewalld or iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. On the Raspbian operating system by default there should be no firewall activated, but just in case, you can turn off the iptables firewall using the following command:

$ sudo service iptables stop

4. You can monitor the access log to see it working

$ sudo tail -f /var/log/squid3/access.log

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above)

5. With Squid working you can now install SquidGuard

$ sudo apt-get install squidGuard

6. Now that SquidGuard is installed, you will want to download a blacklist of websites and domains that you can block with SquidGuard. You can find more information at http://squidguard.org on SquidGuard and where to find blacklists. A great resource is located at http://dsi.ut-capitole.fr/blacklists/ which has an extensive blacklists.tar.gz file under a “creative commons” license. The website http://www.shallalist.de has a similar downloadable blacklist with similar license terms. You will find links to other commercial blacklist sites as well. For this lab, I recommend downloading the shallalist.tar.gz file from http://www.shallalist.de. You can download it from the command line using wget or from the gui using a webbrowser. Download the blacklist file to your Downloads or home folder but before you install a full blacklist let’s create a testdomain file with test domains for SquidGuard to practice blocking

$ cd /var/lib/squidguard/db
$ sudo nano testdomains

type in three lines of text to add some test-domains to block:

yahoo.com
msn.com
whatever-you-want-to-block.com

save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

$ cd /etc/squidguard
$ sudo cp squidGuard.conf squidGuard.conf.bak
$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, add the following text elements in red. Be careful in your edits, incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#   domainlist        BL/porn/domains
#   urllist        BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
domainlist testdomains
}

acl {
admin {
pass any
}

foo-clients within workhours {
#           pass good !in-addr !adult any
} else {
pass any
}

bar-clients {
pass local none
}

default {
pass !test any
redirect http://127.0.0.1/blocked.html
}
}

Save and exit

8. Now install the Apache2 webserver and create a blocked.html page using nano

$ sudo apt-get install apache2
$ cd /var/www/html
$ sudo nano blocked.html

<html>
<head>
<title>Blocked!</title>
</head>
<body>
<h1>You have been blocked by Raspberry Pi administrator!</h1>
</body>
</html>

Save and exit

9. Now you need to compile the SquidGuard blacklists.

$ sudo squidGuard -C all

10. Now give Squid3 ownership or access to some of the squidguard files and directories:

$ sudo chown -R proxy:proxy /var/lib/squidguard/db
$ sudo chown -R proxy:proxy /var/log/squidguard
$ sudo chown -R proxy:proxy /usr/bin/squidGuard

11. Edit the squid.conf file and then reload Squid

$ sudo nano -c /etc/squid3/squid.conf

Add the following line to the squid.conf file around line 4168:

url_rewrite_program /usr/bin/squidGuard

$ sudo service squid3 reload

12. Now open the Firefox browser from another computer and test to see if the domains listed in the testdomains file in step 6 are successfully blocked. Domains not listed in the testdomains file should be allowed. In other words, from another computer with the web browser configured with the proxy settings of the Raspberry Pi’s ip address and port number 3128, try browsing to msn.com or one of the domains listed in the testdomains file that you created in step 6

13. If you were successful at blocking the testdomains then it’s time to extract and decompress the shallalist.tar.gz file that you downloaded in Step 6. When you extract shallalist.tar.gz is will extract into a folder titled BL. You will then copy BL to the squidguard db folder

$ cd ~/Downloads
$ tar -xzf shallalist.tar.gz
$ ls
$ sudo cp BL -R /var/lib/squidguard/db
$ cd /var/lib/squidguard/db

Now recursively change permissions on the BL blacklists folder so you can list through the various blacklist categories that you may wish to activate. You will need to know the name paths of the categories, folders and files that you will want to compile to work with SquidGuard

$ sudo chmod -R 755 /var/lib/squidguard/db/BL
$ sudo chown -R proxy:proxy /var/lib/squidguard/db/BL
$ ls
/var/lib/squidguard/db/BL

14. Now you can edit the squidGuard.conf file to configure it to begin blocking undesirable content

$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, change the following lines in red. Be careful in your edits, incorrect syntax will cause squidGuard to fail. You will need to add a dest gamble block as well as changing the paths to the content you intend to block. Notice under dest gamble that I change the paths under domainlist and urllist to match the content and paths in the BL folder

<… previous lines in the squidGuard configuration file are omitted>
#dest adult {
#   domainlist        BL/porn/domains
#   urllist        BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
domainlist testdomains
}

dest gamble {
domainlist     BL/gamble/domains
urllist             BL/gamble/urls
}

acl {
admin {
pass any
}

foo-clients within workhours {
#          pass good !in-addr !adult any
} else {
pass any
}

bar-clients {
pass local none
}

default {
pass !gamble !test any
redirect http://127.0.0.1/blocked.html
}
}

Save and exit

15. Now you need to recompile the SquidGuard blacklists which will create new squidGuard blacklist database files. Then change ownership of the files in the db folder to proxy

$ sudo squidGuard -C all
$ sudo chown -R proxy:proxy /var/lib/squidguard/db

16. Reload Squid and then use Firefox from another computer to test to see if Squid and SquidGuard are blocking websites with known adult content. You may want to execute this test privately or with the majority of the web browser dragged off screen … just in case it doesn’t work!

$ sudo service squid3 reload
$ sudo service squid3 status

How to Install Squid & SquidGuard in CentOS

How to Install Squid and SquidGuard in CentOS Overview

A proxy server is a very useful tool for a computer network. Proxy servers are commonly used in computer networks to protect the network from attack, to filter undesirable web content and web pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private, local area networks, to filter, protect and cache content requested by users on that network, this is called “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side “in-front-of” destination webservers in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files, this is called “reverse proxy.”

Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid and SquidGuard on a CentOS distribution of Linux.

 

Types of Proxy Servers

Proxy Server The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
Transparent Proxy Server The router sends all traffic on defined ports, to the transparent proxy server, this way clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
Reverse Proxy Server (Cache) The reverse proxy server or cache server is placed in-front-of or prior-to the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.

 

Step-by-step instructions

1. Install Squid, start it, and set it to start on boot.

$ su –
# yum install squid
# service squid start
# chkconfig squid on

Check to see if it is listening on port 3128.

# netstat -antp |grep squid
# ps -aux |grep squid

2. Edit the Squid configuration file to change Squid from IPv6 to IPv4. Reload Squid.

# vim /etc/squid/squid.conf

on line 62 change http_port :::3128 to  http_port 0.0.0.0:3128
save and quit.

# service squid reload
or
# service squid restart

3. Now that squid is running you can test it out directly from your CentOS Linux machine by setting Firefox to use the Squid web proxy. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration.

set it to: 127.0.0.1:3128

Now request a web page from Firefox. The request will be forwarded to Squid, running on the local system at the loopback address and port 127.0.0.1:3128. You can also test Squid from a different computer on the network, by adjusting the computer’s web browser settings to use a proxy. In Internet Explorer go to Tools > Internet options > Connections (tab) > LAN settings > Proxy server and set the address to the IP address of the proxy server and the port number to 3128. In Firefox, go to File > Options > advanced > network tab > connection settings > manual proxy configuration, and set the address and port number to the proxy server’s IP address and port number 3128.

*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on the release and type of CentOS Linux distribution, the iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. In the meantime, for testing purposes just turn off the iptables firewall.

# service iptables stop

4. You can monitor the access log to see it working.

# tail -f /var/log/squid/access.log 

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above).

5. With Squid working you can now go about installing SquidGuard.

If you do not already have the EPEL repositories, you will need to install additional repositories in CentOS, in order to access to necessary software packages that are not available in the default repositories. Install the Extra Packages for Enterprise Linux (EPEL), the epel-release for the current version of Enterprise Linux (EL6). You can find it at the following website: http://fedoraproject.org/wiki/EPEL. A direct link to the RPM is in the command below. Eventually the link will be outdated and need to be replaced. For 64 bit systems you can change /i386/ to /x86_64/ in the command below.
# yum install http://ftp.osuosl.org/pub/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Now install SquidGuard.

# yum install squidGuard

{loadposition adposition6}6. Now that SquidGuard is installed, open Firefox and go to the SquidGuard website: http://squidguard.org . The SquidGuard website has links to configuration documentation and websites to download blacklists. You need to download a blacklists file. You can go to http://dsi.ut-capitole.fr/blacklists/  and get the link for the blacklists.tar.gz file, then you can use wget to download blacklists.tar.gz, by copying and pasting the link, or you can download it through the Firefox web browser. Squidguard has its own blacklists.tar.gz file, and you will eventually want to replace it with the newer blacklists.tar.gz file that you downloaded. Before you do that, you can create a test blacklists file for SquidGuard to block. To do that you need to create a blacklists directory in the /var/squidGuard/ directory. Now, in the new blacklists directory use vim create and edit a text file named testdomains.

# cd /var/squidGuard
# mkdir blacklists
# cd blacklists
# vim testdomains

type in three lines of text to add some test-domains to block:
yahoo.com
msn.com
whatever-you-want-to-block.com

save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

# cp /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.BAK
# vim /etc/squid/squidGuard.conf

In the config file, add the following text elements in red. Be careful in your edits, incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#   domainlist blacklists/porn/domains
  urllist blacklists/porn/urls
#   expressionlist blacklists/porn/expressions
#   redirect        http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u

#}

dest test {
domainlist testdomains
redirect
http://www.google.com
}
acl {
admin {
pass any
}

foo-clients within workhours {
     #   pass good !in-addr !adult any
} else {
pass any
}

bar-clients {
pass local none
}

default {
  pass !test any
            rewrite dmz
redirect http://www.google.com
     }
}

8. Now compile the SquidGuard blacklists and chown the blacklists to be accessible by Squid.

# squidGuard -b -d -C all
# chown -R squid /var/squidGuard/blacklists 

9. Edit the squid.conf file and then reload Squid.

# vim /etc/squid/squid.conf

add the following line to the squid.conf file around line 28:

url_rewrite_program /usr/bin/squidGuard

# service squid reload
or
# service squid restart

10. Now open the Firefox browser and test to see if your testdomains are successfully blocked, while every other domain is allowed.

11. If you were successful at blocking the test domains then you can extract and decompress the blacklists.tar.gz file that you downloaded in Step 6. Copy some of the extracted blacklist folders to your /var/squidGuard/blacklists/ directory. Now you will need to edit your squidGuard.conf file to account for the new blacklists areas beyond testdomains, recompile the squidGuard database (if there are errors creating the database file/s then you will need to troubleshoot by editing the squidGuard.conf file), chown the blacklists directory recursively, restart Squid and you should be filtering tons of undesirable domains, urls, keywords, etc.

Route, NAT, and Transparent Proxy, with CentOS Linux – Part 2

CentOS Routing and Proxy Cont.

In the previous article, I covered installing CentOS server and converting it to a router, address translator, and transparent proxy. I also covered installing a DHCP server to serve IP addresses to the interior local network. The entire process was recorded in a series of video tutorials (see previous article) and posted to YouTube.

Now that we have configured the iptables forwarding rules, manually configured our interfaces with IP addresses, as well as the default gateway and our DNS nameservers we need to save our configurations. We also need to cover installing BIND and having our CentOS server function as a DNS server as well.


Saving your iptables configuration

You can use terminal line commands to make changes to iptables which will instantly effect the linux firewall. This is similar to the difference between a Cisco router’s startup-config file and its running-config in RAM. Changes to the running-config take effect immediately but are not permanent unless saved to the startup-config. This is a similar scenario with iptables. If you have made changes to iptables using iptables terminal commands, it will directly effect the Linux firewall, but the changes will not be permanent unless they are saved to the iptables configuration file.

There are different approaches to making changes to iptables: the approach we have been using so far is to make the changes to the iptables directly, using terminal commands; another approach is to save a test iptables configuration file and then load it, to test it out. Since we have been using the first approach we need to save our configuration to a file and then replace the default iptables configuration file. Before you replace the default file it is a good idea to create a backup. This command will take the current running iptables configuration which we have manipulated and altered, and save it to a .conf text file. You can save it to the root home folder.
iptables-save > iptables.conf

Now cat your saved iptables.conf file to look it over.
cat iptables.conf

The first command listed below makes a backup of the original default iptables configuration file, and the second command replaces the iptables configuration file with the current configuration, that was just saved as iptables.conf. Now, if the computer needs to be restarted the new configuration will be maintained.
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
mv iptables.conf /etc/sysconfig/iptables

{loadposition adposition6}You may decide that it is smarter and safer to make changes to the Linux iptables firewall indirectly, by editing a test iptables.conf file before testing it out on the actively running iptables firewall. In this way, you make all your changes to the iptables.conf file and then load it to memory, instead of using iptables terminal commands to experiment with your running configuration and possibly compromise your security or disrupt your network users. With the following commands you save the current iptables to an iptables.conf text file, then edit it with a text editor, then restore it to a running state in active memory. The iptables-restore command is a beneficial command because it loads the edited config file to the running iptables without disrupting the service and potentially dropping the running network host connections.
iptables-save > iptables.conf
nano iptables.conf (edit the iptables.conf configuration file)
iptables-restore < iptables.conf  (load the edited iptables.conf file to the running iptables) 
mv iptables.conf /etc/sysconfig/iptables
(replace the iptables configuration file with the edited version)

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 7
Saving manual network interface configurations

A regular desktop installation of CentOS Server comes with the Network Manager program. Network Manager is a graphical management tool used to manage and configure network interfaces in an easy way. It was personally recommended to me to not use the Network Manager, but instead manually configure my network interfaces, meaning Ethernet ports with IP addressing, subnet masks, default gateway address, and DNS servers. Like with iptables, you can manually configure your network interfaces using terminal line commands, but if you restart the server your configurations will not be saved. In order to configure your network interfaces in a manner that will persist, you need to configure the network interface configuration files or scripts.
ls /etc/sysconfig/network-scripts/

You should see configuration files named ifcfg-eth0, ifcfg-lo, or some other variant of ifcfg-<name> where <name> refers to the network interface name. To inspect the interface configuration you can output the text of the config file using cat
cat ls /etc/sysconfig/network-scripts/ifcfg-eth0

You will see some output like the following:
DEVICE=”eth0″
NM_CONTROLLED=”yes”
ONBOOT=”no”
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no

This information tells us that Network Manager is managing the interface, the interface is not activated by default when the system boots up, and that the system is using DHCP to acquire an IP address. In order to manually configure the network interface you will need to change these settings and add some additional settings as well. Before you change the settings of the interfaces it is a good idea to create backup configuration files.
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
cp /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth1.bak

Now you can configure your interfaces by altering the configuration files in a text editor like Vim or Nano
nano /etc/sysconfig/network-scripts/ifcfg-eth0

{loadposition adposition7}Now alter and add the necessary settings and IP addressing for your outside interface. In my eth0 example below, I am on the 192.168.2.0/24 network using a static IP address of 192.168.2.98, a twenty four bit subnet mask, and a gateway located at 192.168.2.1. Changes are displayed in red:
DEVICE=”eth0″
NM_CONTROLLED=“no”
ONBOOT=“yes”
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.2.98  <whatever IP address your outside interface needs to be set at>
NETMASK=255.255.255.0
GATEWAY=192.168.2.1

IPV4_FAILURE_FATAL=yes
IPV6INIT=no
<addtional entries not listed>

Save the interface configuration file and exit.

On the inside network interface (in my case eth1), I used the following settings:
DEVICE=”eth1″
HWADDR=”00:0C:29:12:AE:75″
NM_CONTROLLED=“no”
ONBOOT=“yes”
IPADDR=192.168.111.1  //the IP address for your inside interface. I chose “.1” since I am the gateway for the inside network
NETMASK=255.255.255.0

Save the interface configuration file and exit. Now you can issue the following commands to verify your interface configurations and your default route
ifconfig
route

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 8


Manual Configuration of Network Interfaces for Trunking and VLANs

At the time of writing this article, the network manager in CentOS does not allow you to configure a network interface with subinterfaces, VLANs, and trunking. In order to configure a single network interface to function as multiple subinterfaces which allow VLANS over a trunked link you need to manually configure your network interface configuration file.

In the following scenario suppose you have one network interface eth0 and you want your router to function as a transparent proxy and a router separating an interior network from an exterior network. In the image below you can see how this would logically be arranged in the logical topology, you have the 192.168.111.0/24 network on the interior LAN side, and the 192.168.11.0/24 network on the exterior facing WAN side, of course 192.168.11.0/24 is also in a private network address range, but it is on the side of the CentOS server that is closest to the internet. However, in reality you happen to be physically limited by having only one network interface (eth0) and will therefore need to convert the one interface into multiple subinterfaces with VLANs for a trunked link (Physical Topology).

 

Looking at the physical topology in the diagram above, the CentOS server has transformed a single network interface eth0 into eth0.11 and eth0.111 for VLAN11 and VLAN111 respectively. From there the server is connected to the switch which has been configured as a trunk to allow VLAN11 and VLAN111.

Here are the commands and configuration settings needed to configure the CentOS server to fit with the scenario depicted in the diagram above. The first step is to back up your default or current network interface configuration file. THen copy the configuration file and rename it for both of the subinterface VLANs:
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.bak
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.11
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.111

Now you will need to edit all three of your configuration files ifcfg-eth0, ifcfg-eth0.11 and ifcfg-eth0.111 in turn with a text editor like vi, vim, or nano. In configuring ifcfg-eth0 you will only need to make sure that the interface is activated on startup, and that the interface is not managed by the network manager:
vim /etc/sysconfig/network-scripts/ifcfg-eth0

  DEVICE=”eth0″
NM_CONTROLLED=“no”
ONBOOT=“yes”
TYPE=Ethernet

For the inside interface, the LAN side of the router (in the diagram VLAN111 eth0.111), you will mainly need to change the interface name, the ipaddress, netmask, add a VLAN setting. The default gateway and DNS settings will be configured on the outside facing interface.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.111

DEVICE=”eth0.111″
HWADDR=”00:0C:29:12:AE:75″
NM_CONTROLLED=“no”
ONBOOT=“yes”
IPADDR=192.168.111.1  //the IP address for your inside interface. I chose “.1” since I am the gateway for the inside network
NETMASK=255.255.255.0
VLAN=”yes”

For the outside facing interface, the WAN side of the router (in the diagram VLAN11 eth0.11), you will mainly need to change the interface name, the ipaddress, netmask, add a VLAN setting and add the default gateway and DNS settings.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.11

 DEVICE=”eth0.11″
NM_CONTROLLED=”no”
ONBOOT=”yes”
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.11.100  <whatever IP address your outside interface needs to be set at>
NETMASK=255.255.255.0
GATEWAY=192.168.11.1
DNS=127.0.0.1  <if your CentOS server will not be running DNS services, use your normal DNS server address instead>

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 9



Video Tutorials

 In part 7, I demonstrate how to save your iptables configuration and make it permanent

In part 8, I manually configure and save the Ethernet network interfaces, IP addresses and gateway address

In part 9, I manually configure a single network interface to be multiple subinterfaces in order to support VLANs and trunking 

Route, NAT, and Transparent Proxy, with CentOS Linux

Overview

It is useful to protect your network, by filtering web requests and other types of traffic, a proxy server is designed to do this. You can create a Linux proxy server using Squid and SquidGuard, and configure network settings on your user’s browsers to access the proxy server which will then apply rules that will filter the requests. However, that can be bypassed by the host computer.

A stronger alternative is to create a transparent proxy server and configure your router to forward all web related requests to the proxy server, that way your network hosts are forced to go through the transparent proxy. A potential problem with that scenario is that you need to have a fairly decent router, which can forward interior traffic on a specified port, to the proxy server on the local area network. A third alternative is to make your transparent proxy server also handle routing, NAT, DHCP, and DNS. It would seem like that would be a huge undertaking, but it can actually be done fairly quickly, using a computer and a distribution of Linux.

transparentproxy-routing-nat

Lab Outline

To create a Linux proxy server that also functions as a router and more, it is recommended to use a server distribution of Linux like CentOS Linux, which is the freely distributed server equivalent to RedHat Enterprise Linux. Along with Debian ,CentOS is one the most popular server distributions of Linux available. For this lab, we download and burn CentOS 6.2, i386 (32bit) or x86_64 (64bit), ISO DVDs Parts 1 and 2. Pick a CentOS 6.2 mirror with Direct DVD downloads and download the DVD iso files, to burn as installation DVDs.

Once you have the CentOS installation DVD iso files downloaded and burned to DVD you need to install the operating system to a computer. You can choose to install to an actual computer or to a virtual computer (virtual machine). In order to do this lab from home, and if you do not have a lot of extra computers lying around, I recommend doing the whole project virtually through the use of virtual machines. For a virtualization platform, I recommend downloading either VMware Player or Virtualbox.

If you decide to follow along with the video tutorials and set up a CentOS server virtual machine and convert it into a router, remember that the IP addressing scheme will need to be modified to work with your personal network. Just because my wireless network uses a 192.168.2.0 /24 local addressing scheme does not mean that yours does also, in fact your network most likely uses a different scheme like 192.168.1.0 /24.

Network diagram of a CentOS proxy server and router using virtual machines

transparentproxy-routing-nat_in-a-virtual-environment

In the lab at the college we installed CentOS to actual physical
computers. Normally, I recommend using computers with two network
interface cards (NICs) installed, but the computers we had available to
us had only one network interface card (NIC). This posed a challenge
since the traffic would need to flow through the computers, from one
network to another, implying the need for two network interface cards.
We fixed this problem by configuring VLANs, and assigning IP addresses
to subinterfaces on the computer’s single NIC. We then connected to a
switchport configured for trunking with the same VLANs as we created on the
computer.

Network diagram of a CentOS proxy server-router implementation using a lab computer with only one network interface card (NIC) and a switch configured with VLANs and trunks

proxy-routing-nat_in-physical-env-w-single-nic

Lab Steps Overview (virtualized machines or physical machines)

a. Understand the benefits of a transparent proxy and a Linux server that can also route, NAT, etc. Plan and diagram your lab. See video tutorial part 1 below.

b. Download CentOS installation ISO files, i386 or x86_64, DVDs. See Lab Outline above and video tutorial part 2 below.

c. To do this lab on a physical computers you will need one computer for the CentOS server, preferably with two NICs, but one is okay too, and another computer for a test LAN host.

To do this lab virtually using a virtual platform like VMware or Virtualbox, first create a new virtual machine for the the Linux operating system. You will probably need to choose RedHat Enterprise 32 bit or 64 bit and walk through all the settings. At the end, configure your virtual CD/DVD to boot to the CentOS installation ISO file that you downloaded. Make sure to add or enable to virtual network interfaces (NICs). Set the first NIC to Bridged Networking mode and the second NIC to NAT mode (then once it is saved change it to again to LAN segment mode), in Virtualbox save the second NIC to Interior Network mode. See video tutorial part 2 below.

d. Configure network addressing on your server’s two network interfaces as well as your test host’s network addressing. See video tutorial part 3 below.

e. Configure routing and NATing using iptables on your server. See video tutorial part 4 below.

f. Install and configure Squid as a transparent proxy server. Configure iptables to port-forward web traffic to the server on port 3128 (Squid). See video tutorial part 5 below.

g. Secure your server by configuring iptables to accept and reject specific types of traffic. Install and configure DHCP server on your CentOS server in order to hand out IP addresses on your local network. See video tutorial part 6 below.

Lab Command Steps

Here is a list of the commands used in this lab project:

1. If you are working in my lab or have a computer with only one network card (NIC) jump to step 2. If you are using a virtual or physical computer with two NICs (e.g. eth0 and eth1) you will  need to configure each NIC with the command below, then jump to step 6. You can dynamically receive an IP address through DHCP coming from your router/gateway on eth0, click on the network manager in the upper right of the task bar and click “auto ethernet” or just click on “eth0” to activate DHCP. Then you will need to manually configure the second NIC using an ifconfig command from the terminal (e.g. ifconfig eth1 192.168.111.1) you will need to have root access to do this. After you have activated DHCP on eth0 and manually configured eth1 use the ifconfig command to check your interface ip addresses to see that you have an address for eth0 and eth1. You are now ready to jump to step 6.
su –
ifconfig eth1 192.168.111.1
ifconfig

2. If you are working in my lab or you have a computer with only one network interface card (NIC), you will need to configure trunking and two VLANs (e.g. 110, 111) on the CentOS Linux server (for students with a physical computer with only one NIC)
vconfig add eth0 110 (in my college lab we use VLAN110 for the 192.168.11.x network)
vconfig add eth0 111 

vconfig rem eth0 111 (removes a VLAN trunk)

3. To configure sub-interfaces in
order to assign an IP address to each VLAN, in our classroom lab we use
VLAN110 for the 192.168.11.0 network.
ifconfig eth0.110 192.168.11.xxx
ifconfig eth0.111 192.168.111.xxx 

4. To configure a default gateway/route
route add default gw 192.168.11.1

5. To configure DNS servers
echo “nameserver 4.2.2.2” > /etc/resolv.conf
echo “nameserver 8.8.8.8” >> /etc/resolv.conf

6. To add kernel support for IP forwarding (routing) we set a flag with the following command
sysctl -w net.ipv4.ip_forward=1

7. To set up NATing we can configure the iptables NAT table for masquerading.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  (assuming eth0 is the outside interface)
or
iptables -t nat -A POSTROUTING -o eth0.110 -j MASQUERADE  (assuming the eth0.110 sub-interface is the outside interface)

8. To install the Squid proxy server
yum install squid
cd /etc/squid/squid.conf

9. Edit the the squid.conf file and change the following line to enable transparent proxy mode:
http_port 3128
to
http_port 3128 intercept

10. Issuing one of the following commands will restart the Squid service or reload the configuration file
service squid restart
service squid reload

11. Add an entry to iptables NAT table to port-forward inbound traffic on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth1 is the inside interface with the IP address 192.168.11.1)

iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j DNAT –to (cont.) 192.168.111.1:3128

12. To get routing and forwarding to work correctly you will also need to remove some statements from the iptables tables that reject traffic. The following lines will remove reject statements from the filter INPUT iptable chain and the FORWARD iptable chain.
iptables -t filter -D INPUT -j REJECT –reject-with icmp-host-prohibited
iptables -t filter -D FORWARD -j REJECT –reject-with icmp-host-prohibited

From first glance, it seems that there is a rule in the iptables INPUT chain (third line) that accepts any protocol from any source to any destination. The following statement would delete the third line of the filter table INPUT chain, the “accept any anywhere anywhere” line: <iptables -t filter -D INPUT 3> but do not use it, because as it turns out, that particular line has information that does not appear in the output of an <iptables -L> command. Try using the following command and then compare it to the results of the <iptables -L> command:
iptables-save

You can see that the third line (-A INPUT -i lo -j ACCEPT) is actually accepting all input on the loopback (lo) interface, and since it is only the loopback interface (i.e. 127.0.0.1) it is not a problem in the iptables, indiscriminately accepting all input on the outside interface. So to clarify, in the following three line commands (see below), the first command show the current iptables rules, the second command removes line 3 (-A INPUT -i lo -j ACCEPT) which is the line that ACCEPTs packets on the loopback interface, filter table, INPUT chain. Finally, the third line below replaces it. To learn how to do this I referred the man pages for iptables <man iptables>.
iptables-save
iptables -t filter -D INPUT 3
iptables -t filter -I INPUT 3 -i lo -j ACCEPT

13. Now you can look at your iptables, default filter table, and nat table, using the following commands
iptables -L -t filter
iptables -L -t nat

14. Now you can add (append) to the iptable filter table with the following commands, to accept input on port 3128 for Squid, and reject all other types of traffic
iptables -t filter -A INPUT -p tcp –dport 3128 -j ACCEPT
iptables -t filter -A INPUT -j REJECT –reject-with icmp-host-prohibited
iptables -L -t filter

iptables 

15. The following commands and instructions are used to install and configure a DHCP server in CentOS. You will need elevate to root access, run updates, then install:
su –
yum install updates
yum install dhcp

16. You should see that the DHCP server fails on starting up, this is because we have not configured it yet. To configure the DHCP server we need to edit the dhcpd.conf file located in /etc/dhcp.
cd /etc/dhcp
ls

17. You should see a file called dhcpd.conf . You will want to edit the file in a text editor like Vim or Nano.
vim /etc/dhcp/dhcpd.conf
or
nano /etc/dhcp/dhcpd.conf

Here is a screenshot of my dhcpd.conf file after I edited it in Vim. The cat command is used to output the file to the terminal for viewing. The lines that begin with # are comments and not active configurations. You could duplicate what you see in my configuration file below, replacing every line that has 192.168.11.x ip addressing with your own network number, like 192.168.1.x, etc.:
cat /etc/dhcp/dhcpd.conf

dhcp-centos

IPtables Overview

The iptables consists of four separate tables: filter, nat, mangle, and raw. Each table has a set of rules or chains.

filter – the filter table is the default table not specified by the -t argument. The filter table has three chains: INPUT for traffic destined for a local socket, FORWARD for packets being routed through the server, and OUTPUT for packets generated locally on the machine

nat – the nat table is consulted when new connections are generated. The nat table has three chains: PREROUTING, OUTPUT, and POSTROUTING

mangle – the mangle table is used for specialized packet alteration. The mangle table has the following chains: PREROUTING, POSTROUTING, INPUT, FORWARD, and OUTPUT.

raw – the raw table is used for configuring exemptions from connection tracking.

Video Tutorials

In part 1, I outline creating a Linux proxy server and router and I diagram the network

In part 2, I create the VMware virtual machine with two NICs and install CentOS

In part 3, I configure network addressing on the CentOS server and a Fedora client

In part 4, I review network addressing, how to do the lab if the server has only one network interface.
I also set up routing and NATing on the CentOS server

In part 5, I install Squid on the CentOS server and configure it to be a transparent proxy.
I configure the iptables NAT table, to portforward all local web traffic to the CentOS server on port 3128. 

In part 6, I continue to configure iptables and I install and configure DHCP server on the CentOS server. 

Install & Configure SquidGuard in Ubuntu

Install and Configure SquidGuard Overview

It is very useful to be able to block users on your network from accessing millions of websites with nefarious content. A great way to accomplish this is with a proxy server like Squid. Squid is a free and powerful proxy server that is capable of blocking users from accessing web content. A great way of enhancing Squid’s ability to block unwanted websites, domains and IP addresses is to install SquidGuard. SquidGuard is an add-on program for the Squid proxy server (see my previous article on Squid), that’s main purpose is to block unwanted web traffic. SquidGuard works with databases of blacklists to block, filter, and redirect requested URLs and domains. You manually download and add blacklist files to SquidGuard and compile them into the SquidGuard database, then Squid can redirect web requests, checking them against SquidGuard’s database of blacklisted websites, domains and IP addresses. It seems like this process would slow down a network, but SquidGuard is an extremely fast web content filter with the ability to check web requests against millions of blacklisted sites in a matter of seconds. There is great information about SquidGuard’s capabilities on the SquidGuard website, including links to download the program, well written installation and configuration instructions, and links to websites that maintain blacklists.

Steps to manually install SquidGuard in Ubuntu

You can download and install SquidGuard using a package manager program like apt-get or yum, or even a graphical software installer tool like the software center program. Instead, I chose to outline the steps involved in manually downloading and installing SquidGuard.

1. Download the current stable version of SquidGuard at http://www.squidguard.org and save it to your downloads folder.

2. Download the Berkeley DB from Oracle at http://oracle.com. Download version 4.8.30.NC.tar.gz with no encryption and save it to your Downloads folder

3. Open a terminal and navigate to the directory where you downloaded SquidGuard and the BerkeleyDB. You should see the tar.gz files
cd ~/Downloads
ls

4. Decompress the tar.gz files (substitute the file names for the versions you downloaded)
tar -xvzf squidGuard-1.5-beta.tar.gz
tar -xvzf db-4.8.30.NC.tar.gz
ls

You should see two folders one for squidGuard and one for BerkeleyDB (e.g. squidGuard-1.5, and db-4.8.30)

5. Install the Berkeley DB first, since SquidGuard requires it for installation. By default, the Berkeley DB will install itself to a directory in /usr/local/ in a folder named BerkeleyDB.4.8 you will need this information when preparing SquidGuard for installation.
cd db-4.8.30
cd build_unix
../dist/configure
make
sudo make install

6. Install SquidGuard by navigating to the extracted SquidGuard folder and then during the configure process you will pass the configure script the location of the Berkeley DB directory and correctly change the squiduser to ‘proxy’ for Ubuntu. The squiduser and group is typically “squid” in other Linux distributions like Fedora.
cd ~/Downloads/squidGuard-1.5
./configure –with-db=/usr/local/BerkeleyDB.4.8 –with-squiduser=proxy
make
sudo make install

You should get a message that the initial SquidGuard configuration is complete. Congratulation, SquidGuard is successfully installed! Make a note of the directory locations of the SquidGurad db, log, and conf files:
/usr/local/squidGuard/db
/usr/local/squidGuard/log
/usr/local/squidGuard/squidGuard.conf

Blacklists

7. Now that SquidGuard is installed you will want to download some blacklists. The SquidGuard website provides a few options. Click on Blacklists link and download a few blacklists. I recommend going here http://cri.univ-tlse1.fr/blacklists/index_en.php and downloading the blacklists.tar.gz file from the top of the Descriptions section

Now you can move the blacklists to the SquidGuard db directory and extract them so they are ready to use.

cd ~/Downloads
sudo cp blacklists.tar.gz /usr/local/squidGuard/db/blacklists.tar.gz
cd /usr/local/squidGuard/db
sudo tar -xvf blacklists.tar.gz

Configuring SquidGuard

8. Now you are ready to configure SquidGuard you will want to open the configuration file with a text editor.
cd /usr/local/squidGuard/
ls

You should see a squidGuard.conf file. Copy the conf file to a backup and open it with a text editor
sudo cp squidGuard.conf squidGuard.conf.bak
sudo su
gedit squidGuard.conf &

If your squidGuard.conf file is janked i.e. blank, then you can copy the configuration directly from the SquidGuard website: http://www.squidguard.org/Doc/configure.html

Looking at your squidGuard.conf file in the text editor make sure that the lines beginning with dbhome and logdir point to the correct directory. For my install the dbhome and logdir lines read:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

So I changed the dbhome line to:
dbhome /usr/local/squidGuard/db/blacklists

Try to running squidGuard in an output to stderr mode:
squidGuard -d

I had errors showing on line 23 so I commented out lines 22 to 25 with # signs:
#rew dmz{
#          s@://admin/…
#          s@://foo.bar….
#}

Now try running squidGuard:
squidGuard -d

If squidGuard ran with no errors it is time to compile your Blacklists from text to DB with a -C all command
squidGuard -d -C all

{loadposition adposition7}I had additional errors caused by the Destination Classes area in the squidGuard.conf file. The dest adult block of code had the following lines that needed to have the “dest/” edited out, because they are not the correct directory paths following from the “/usr/local/squidGuard/db/blacklists” directory:

dest adult{
domainlist          dest/adult/domains
urllist                   dest/adult/urls
expressionlist    dest/adult/expressions
redirect               http://admin.foo.bar.de…
}

to

dest adult{
domainlist          adult/domains
urllist                   adult/urls
expressionlist    adult/expressions
redirect               http://google.com
}

I also edited the ACL block of code at the end of the config file. I commented out areas that I was not going to use, and focused on the default acl block of code, which I changed to pass only the not(!) adult sites (pass     !adult all):

acl {
#    admin {
#        pass     any
#    }
#
#    foo-clients within workhours {
#        pass     good !in-addr !adult any
#    } else {
#        pass any
#    }
#
#    bar-clients {
#        pass    local none
#    }
#
default {
pass     !adult all
#rewrite dmz
redirect http://google.com
}
}

9. After editing your config file try to compile your Blacklists from text to DB with a “-C all” command
squidGuard -d -C all

If there are no errors make sure the blacklists have correct ownership and group for Squid. You can check ownership of files and folders using the ls-l command. For Ubuntu the correct owner and group for Squid is “proxy”, in other distributions it is “squid”.
chown -R proxy:proxy /usr/local/squidGuard/db/blacklists

10. To finish the installation, add the following line to the squid.conf file in /etc/squid/squid.conf. I added the following line around line 1083 although you could add it anywhere, notice that it is directing the squidGuard program to the configuration file. If your squidGuard installation and configuration file is located in a different directory then adjust the paths in the line accordingly:

url_rewrite_program  /usr/local/bin/squidGuard  -c  /usr/local/squidGuard/squidGuard.conf

11. Now restart Squid or reload the Squid configuration file which is much faster.
service squid reload
or
pkill -9 squid
service squid start

12. In order to test if squidGuard configuration is working correctly and that Squid is passing web requests and checking them against the SquidGuard database. The SquidGuard website recommends running a dry-run test using the following command. You can substitute one of the blacklisted URLs from your blacklists instead of the “http://www.example.com” URL in the example. Also, If you do not have a “test.cfg” file, just remove the part of the line from, “-c … to … test.cfg” (see example below):

echo “http://www.example.com 10.0.0.1/ – – GET” | squidGuard -c /tmp/test.cfg -d
to
echo “http://www.blacklisted.com – – – GET” | squidGuard -d

After running the command above, if you see the following 3 messages in the output then squidGuard is functioning correctly:
– the redirected URL website address from the squidGuard.conf file
– “squidGuard ready for requests”,
– “squidguard stopped”

Now you can try using your web browser to see if it will block blacklisted domains and websites!

Note: If you are in a situation where you do not want to risk requesting blacklisted sites in your browser and having them not be filtered, then you can add one of your own entries in a blacklist, recompile the squidGuard blacklist database, and test to see if your manually entered website is blocked by squidGuard.

Install & Configure Squid in Ubuntu

Squid in Ubuntu Overview

A proxy server is a very useful tool for a network. It is commonly used in computer networks to protect the network from attack, to filter nefarious web content and pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private, local area networks, to filter, protect and cache content requested by users on that network, this is called “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side “in-front-of” destination webservers in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files, this is called “reverse proxy.”

Types of Proxy Servers

Proxy Server The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
Transparent Proxy Server The router sends all traffic on defined ports, to the transparent proxy server, this way clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
Reverse Proxy Server (Cache) The reverse proxy server or cache server is placed in-front-of or prior-to the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.

Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid on an Ubuntu distribution of Linux.

Steps to install and configure Squid

Open a terminal, and type in the following commands to install Squid
 sudo apt-get update
sudo apt-get install squid squid-common

Ways to start and stop Squid
 sudo service squid start (stop|restart|status)
sudo /usr/sbin/squid (launch program directly)
sudo pkill -9 squid

Navigate to the Squid folder to find the squid.conf configuration file
 cd /etc/squid
ls (you should see the squid.conf file)

Create a backup of the squid.conf file
 sudo cp squid.conf squid.conf.bak

For testing purposes open Firefox and set it to send web requests to the Squid Proxy Server (You will need to know your ip address)
 ifconfig (write down your inet address e.g. 192.168.1.100)
Open Firefox
Edit > Preferences, Advanced > Network Tab > Connection-Settings:
Manual Proxy Configuration:
HTTP Proxy: your IP address or loopback address 127.0.0.1,    Port: 3128
     Click Ok and Close
Now if you try and go to a website like google you should see an ERROR – Access Denied message from Squid (see bottom line). This means that Squid is working by actively denying the traffic.

Now we need to configure Squid to allow web traffic through the proxy server. Open squid.conf in your favorite text editor like gedit, nano, or vi
 sudo nano squid.conf
or
 sudo gedit squid.conf & (If gedit does not open from the terminal you can open it as root user)
sudo su
gedit squid.conf &

To switch out of root user
 su your-username (if you are root user the prompt is a “#” switch back to your user account privilege)

If you chose to open with squid.conf with gedit, then turn on line numbering (Edit > Preferences > View >Display Line Numbers)

Change the name of your Squid Proxy Server, around line 3399, change:
 #    TAG: visible_hostname
to
 visible_hostname YourNameProxyServer  

You can configure access rules for your Squid proxy server (lines 331 to 831 are for Access Control). Notice that on lines 606 to 630 the local networks and usable ports (services) are defined. Active configuration lines, are the lines that are not commented out, i.e. they do not start with  a # sign.

To re-enable web access uncomment line 676
 #http_access allow localnet
to
 http_access allow localnet

To verify the Web is now working, save your changes to the squid.conf file and restart your Squid server.
 service squid restart (or “sudo service squid restart” if you are no longer root)

Now resfresh your Firefox web browser and your homepage should be visible.

Now we can practice writing a custom ACL (access list) in the squid.conf file to block specific domains and websites. We can write our custom ACL at the end of the acl lines around line 631. From an empty line write the following lines to test domain blocking:
 acl blocked_websites dstdomain .msn.com .yahoo.com
http_access deny blocked_websites

Now restart your Squid server, and test to see if Squid denies access to your blocked domains/websites in Firefox.

Video Tutorials

In this series of videos, I go through the same process outlined above, to install and configure a Squid proxy server in Ubuntu .

In part 1, I install Squid in Ubuntu, start and stop it, backup the configuration file,
and configure Firefox to use Squid as a proxy server

In part 2, I discuss editing the configuration file

In part 3, I write a custom ACL in the squid.conf file