A proxy server is a very useful tool for a network. It is commonly used in computer networks to protect the network from attack, to filter nefarious web content and pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private local area networks to filter, protect and cache content requested by users on that network; this is called a “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side, in front of the destination web servers, in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files; this is called a “reverse proxy.”
Types of Proxy Servers
Proxy Server
The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
Transparent Proxy Server
The router sends all traffic on defined ports to the transparent proxy server, so clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
Reverse Proxy Server (Caching)
The reverse proxy server or cache server is placed in front of the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.
Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid on an Ubuntu distribution of Linux.
Steps to install and configure Squid
Open a terminal, and type in the following commands to install Squid
HTTP Proxy: your IP address or the loopback address 127.0.0.1; Port: 3128. Click OK and Close.
Now if you try to go to a website like Google you should see an ERROR – Access Denied message from Squid (see bottom line). This means that Squid is working and actively denying the traffic.
Now we need to configure Squid to allow web traffic through the proxy server. Open squid.conf in your favorite text editor like gedit, nano, or vi
sudo nano squid.conf
or
sudo gedit squid.conf &
(If gedit does not open from the terminal you can open it as the root user.)
sudo su
gedit squid.conf &
To switch out of root user
su your-username (if you are the root user the prompt is a "#"; switch back to your own user account privileges)
If you chose to open squid.conf with gedit, turn on line numbering (Edit > Preferences > View > Display Line Numbers).
To change the name of your Squid proxy server, around line 3399 change
# TAG: visible_hostname
to
visible_hostname YourNameProxyServer
You can configure access rules for your Squid proxy server (lines 331 to 831 are for Access Control). Notice that on lines 606 to 630 the local networks and usable ports (services) are defined. Active configuration lines are the lines that are not commented out, i.e. they do not start with a # sign.
To re-enable web access, uncomment line 676
#http_access allow localnet
to
http_access allow localnet
To verify the Web is now working, save your changes to the squid.conf file and restart your Squid server.
sudo service squid restart
Now refresh your Firefox web browser and your homepage should be visible.
Now we can practice writing a custom ACL (access list) in the squid.conf file to block specific domains and websites. We can write our custom ACL at the end of the acl lines around line 631. From an empty line write the following lines to test domain blocking.
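As an added example (not part of the original tutorial), the following shell script shows what such a custom ACL looks like in a constructed squid.conf and checks the one thing that most often goes wrong with it: Squid evaluates http_access lines top to bottom and stops at the first match, so a deny for your custom ACL placed after http_access allow localnet never takes effect for LAN clients. It also applies the "active lines" rule from above by discarding commented-out lines before checking. The configuration text, the ACL name blocked_sites and the .example.com/.example.net domains are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that a custom
# "http_access deny" for a blocked-domain ACL is placed where Squid will
# actually reach it. Squid evaluates http_access lines in order and stops at
# the first match, so "allow localnet" above the deny lets LAN clients through.

squid_active_lines() {
    # Print the active configuration lines of $1: the lines that are not
    # commented out, with leading whitespace and blank lines removed.
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

check_deny_before_allow() {
    # $1 = squid.conf, $2 = name of the custom ACL.
    # Prints OK when "http_access deny <acl>" precedes the first
    # "http_access allow localnet", MISORDERED when it follows it, and
    # MISSING when there is no such deny line at all.
    squid_active_lines "$1" | grep '^http_access' | awk -v acl="$2" '
        $2 == "deny"  && $3 == acl        && deny  == 0 { deny  = NR }
        $2 == "allow" && $3 == "localnet" && allow == 0 { allow = NR }
        END {
            if (deny == 0)                        print "MISSING"
            else if (allow == 0 || deny < allow)  print "OK"
            else                                  print "MISORDERED"
        }'
}

write_sample_squid_conf() {
    # $1 = output path, $2 = "good" or "bad". Both files are constructed for
    # this demonstration; the ACL name and the .example.* domains are made up.
    if [ "$2" = "good" ]; then
        cat > "$1" <<'EOF'
# TAG: visible_hostname
visible_hostname LabProxyServer
acl localnet src 192.168.0.0/16
# custom ACL: a leading dot matches the domain and all of its subdomains
acl blocked_sites dstdomain .example.com .example.net
http_port 3128
http_access deny blocked_sites
http_access allow localnet
http_access deny all
EOF
    else
        cat > "$1" <<'EOF'
acl localnet src 192.168.0.0/16
acl blocked_sites dstdomain .example.com .example.net
http_access allow localnet
# too late: LAN clients already matched the allow line above
http_access deny blocked_sites
http_access deny all
EOF
    fi
}

tmp=$(mktemp -d)
write_sample_squid_conf "$tmp/good.conf" good
write_sample_squid_conf "$tmp/bad.conf" bad
echo "good.conf: $(check_deny_before_allow "$tmp/good.conf" blocked_sites)"
echo "bad.conf:  $(check_deny_before_allow "$tmp/bad.conf" blocked_sites)"
rm -rf "$tmp"
```

To check a real configuration, run check_deny_before_allow /etc/squid/squid.conf blocked_sites (or the squid3 path on Raspbian) with the name of your own ACL; after any edit, save the file and restart Squid as described above before testing from the browser.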
Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard
Overview
Most routers for the home don’t do a very good job at filtering objectionable web content. One possible solution is to turn a Raspberry Pi into a proxy web filter that can protect users on your home network. In this lab, I turn a Raspberry Pi running the Raspbian Linux operating system into a robust web proxy that filters objectionable web sites. In order to turn the Raspberry Pi into a web proxy I install and configure Squid and SquidGuard, and then I download and configure a blacklist file which is available for personal use under a Creative Commons license. This lab focuses on turning the Raspberry Pi into a standalone proxy server that can be reached by changing the network clients’ web browser proxy settings, or by configuring the router to direct web traffic to the proxy server. In a follow-up lab, you could configure the Raspberry Pi as a transparent inline proxy server.
Step-by-step instructions
1. First, I recommend updating your repositories and then installing the locate program and updating its index/database of file locations. This will help you if you need to search for the file paths to the Squid and SquidGuard configuration files. After installing Squid and SquidGuard you will want to run the sudo updatedb command again in order to make the newly installed files indexed and searchable with locate.
Use netstat to check whether Squid is listening on port 3128; also, using ps, notice that the Squid process runs as user and group proxy:proxy.
2. Edit the Squid configuration file and then reload Squid. Notice that I run updatedb and then use locate to find the location of the squid.conf file.
On lines 1038 to 1040 uncomment the lines that start with #acl localnet src … (In nano use the Ctrl+W keys to search for, and jump to, specific lines in the configuration file.)
On line 1209 uncomment the line #http_access allow localnet
http_access allow localnet
On line 1613 make sure http_port 3128 is uncommented:
http_port 3128
save and quit.
$ sudo service squid3 reload
or
$ sudo service squid3 restart
3. Now that Squid is running you can test it from another computer on the network by changing the settings in Firefox or Chrome to point to the Squid web proxy on the Raspberry Pi. Open Firefox and go to File > Options > Advanced > Network tab > Connection Settings > Manual proxy configuration
and set it to: <the ip address of the computer/RPi running squid>:3128
*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on your distribution the Linux firewalld or iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. On the Raspbian operating system by default there should be no firewall activated, but just in case, you can turn off the iptables firewall using the following command:
$ sudo service iptables stop
4. You can monitor the access log to see it working
$ sudo tail -f /var/log/squid3/access.log
Now browse the web in Firefox, or the web browser of your choice, to see if you are able to receive web pages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look at the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above).
5. With Squid working you can now install SquidGuard
$ sudo apt-get install squidGuard
6. Now that SquidGuard is installed, you will want to download a blacklist of websites and domains that you can block with SquidGuard. You can find more information on SquidGuard, and on where to find blacklists, at http://squidguard.org. A great resource is located at http://dsi.ut-capitole.fr/blacklists/, which has an extensive blacklists.tar.gz file under a Creative Commons license. The website http://www.shallalist.de has a similar downloadable blacklist with similar license terms. You will find links to other commercial blacklist sites as well. For this lab, I recommend downloading the shallalist.tar.gz file from http://www.shallalist.de. You can download it from the command line using wget or from the GUI using a web browser. Download the blacklist file to your Downloads or home folder, but before you install a full blacklist let’s create a testdomains file with test domains for SquidGuard to practice blocking.
$ cd /var/lib/squidguard/db
$ sudo nano testdomains
Type in three lines of text to add some test domains to block:
yahoo.com
msn.com
whatever-you-want-to-block.com
save and exit.
7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.
In the config file, add the following text elements in red. Be careful in your edits, incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.
11. Edit the squid.conf file and then reload Squid
$ sudo nano -c /etc/squid3/squid.conf
Add the following line to the squid.conf file around line 4168:
url_rewrite_program /usr/bin/squidGuard
$ sudo service squid3 reload
12. Now open the Firefox browser from another computer and test to see if the domains listed in the testdomains file in step 6 are successfully blocked. Domains not listed in the testdomains file should be allowed. In other words, from another computer with the web browser configured with the proxy settings of the Raspberry Pi’s IP address and port number 3128, try browsing to msn.com or one of the other domains listed in the testdomains file that you created in step 6.
13. If you were successful at blocking the testdomains then it’s time to extract and decompress the shallalist.tar.gz file that you downloaded in Step 6. When you extract shallalist.tar.gz it will extract into a folder titled BL. You will then copy BL to the squidguard db folder.
$ cd ~/Downloads
$ tar -xzf shallalist.tar.gz
$ ls
$ sudo cp -R BL /var/lib/squidguard/db
$ cd /var/lib/squidguard/db
Now recursively change permissions on the BL blacklists folder so you can list the various blacklist categories that you may wish to activate. You will need to know the paths of the categories, folders and files that you want to compile to work with SquidGuard.
14. Now you can edit the squidGuard.conf file to configure it to begin blocking undesirable content
$ sudo nano -c /etc/squidguard/squidGuard.conf
In the config file, change the following lines in red. Be careful in your edits; incorrect syntax will cause squidGuard to fail. You will need to add a dest gamble block as well as change the paths to the content you intend to block. Notice under dest gamble that I change the paths under domainlist and urllist to match the content and paths in the BL folder.
<… previous lines in the squidGuard configuration file are omitted>
#dest adult {
#    domainlist BL/porn/domains
#    urllist BL/porn/urls
#    expressionlist BL/adult/expressions
#    redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}
dest test {
    domainlist testdomains
}
dest gamble {
    domainlist BL/gamble/domains
    urllist BL/gamble/urls
}
acl {
    admin {
        pass any
    }
    foo-clients within workhours {
        # pass good !in-addr !adult any
    } else {
        pass any
    }
    bar-clients {
        pass local none
    }
    default {
        pass !gamble !test any
        redirect http://127.0.0.1/blocked.html
    }
}
Save and exit
15. Now you need to recompile the SquidGuard blacklists which will create new squidGuard blacklist database files. Then change ownership of the files in the db folder to proxy
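Because a wrong list path or an unbalanced brace in squidGuard.conf makes squidGuard fail (and the database compile step with it), a quick check before recompiling saves troubleshooting time. The script below is an added example, not part of this lab or of SquidGuard itself: it builds a constructed dbhome holding the testdomains file and a tiny BL/gamble category, writes a good and a deliberately broken squidGuard.conf, and reports every domainlist/urllist/expressionlist on an active line whose file does not exist under dbhome, plus any unclosed block. The list contents are constructed; the same check applies to the CentOS layout described later, where the lists live under /var/squidGuard.

```shell
#!/bin/sh
# Added example, not part of the lab or of SquidGuard: check a squidGuard.conf
# for the two mistakes that make squidGuard fail, a list file that does not
# exist under dbhome and an unbalanced set of braces, before recompiling the
# database. Everything below is constructed in a temporary directory.

make_sample_db() {
    # $1 = directory to use as dbhome. Recreates the testdomains file from this
    # lab and a tiny BL/gamble category (constructed contents).
    mkdir -p "$1/BL/gamble"
    printf 'yahoo.com\nmsn.com\nwhatever-you-want-to-block.com\n' > "$1/testdomains"
    printf 'casino.example\n' > "$1/BL/gamble/domains"
    printf 'www.example.net/bets/\n' > "$1/BL/gamble/urls"
}

write_sample_squidguard_conf() {
    # $1 = output path, $2 = dbhome, $3 = "good" or "bad". The bad variant
    # activates dest adult although BL/porn was never copied into dbhome, and
    # loses the closing brace of the acl block.
    {
        echo "dbhome $2"
        echo "logdir /var/log/squidguard"
        cat <<'EOF'
#dest adult {
#    domainlist BL/porn/domains
#}
dest test {
    domainlist testdomains
}
dest gamble {
    domainlist BL/gamble/domains
    urllist BL/gamble/urls      # inline comments are stripped before checking
}
EOF
        if [ "$3" = "bad" ]; then cat <<'EOF'
dest adult {
    domainlist BL/porn/domains
    urllist BL/porn/urls
}
EOF
        fi
        cat <<'EOF'
acl {
    default {
        pass !gamble !test any
        redirect http://127.0.0.1/blocked.html
    }
EOF
        [ "$3" = "bad" ] || echo "}"
    } > "$1"
}

check_squidguard_conf() {
    # $1 = squidGuard.conf. Prints OK, or a space-separated list of
    # MISSING:<path> entries followed by BRACES when { and } do not balance.
    conf="$1"
    dbhome=$(awk '$1 == "dbhome" { db = $2 } END { print db }' "$conf")
    findings=$(awk -v db="$dbhome" '
        { line = $0; sub(/#.*$/, "", line); $0 = line }   # drop comments
        $1 == "domainlist" || $1 == "urllist" || $1 == "expressionlist" {
            p = ($2 ~ /^\//) ? $2 : db "/" $2             # relative to dbhome
            print "LIST", p
        }
        { for (i = 1; i <= length(line); i++) {
              c = substr(line, i, 1)
              if (c == "{") open++; else if (c == "}") open--
          } }
        END { if (open != 0) print "BRACES" }' "$conf")
    out=""
    while read -r kind path; do
        [ -n "$kind" ] || continue
        if [ "$kind" = "LIST" ]; then
            [ -f "$path" ] || out="$out MISSING:$path"
        else
            out="$out $kind"
        fi
    done <<EOF
$findings
EOF
    if [ -z "$out" ]; then echo OK; else echo "${out# }"; fi
}

tmp=$(mktemp -d)
make_sample_db "$tmp/db"
write_sample_squidguard_conf "$tmp/good.conf" "$tmp/db" good
write_sample_squidguard_conf "$tmp/bad.conf" "$tmp/db" bad
echo "good: $(check_squidguard_conf "$tmp/good.conf")"
echo "bad:  $(check_squidguard_conf "$tmp/bad.conf")"
rm -rf "$tmp"
```

On the Raspberry Pi, run check_squidguard_conf /etc/squidguard/squidGuard.conf after each edit; a MISSING entry usually means the category name or the BL path does not match what was copied into the db folder, and BRACES means a dest or acl block was left open.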
16. Reload Squid and then use Firefox from another computer to test to see if Squid and SquidGuard are blocking websites with known adult content. You may want to execute this test privately or with the majority of the web browser dragged off screen … just in case it doesn’t work!
$ sudo service squid3 reload
$ sudo service squid3 status
How to Install Squid and SquidGuard in CentOS
Overview
A proxy server is a very useful tool for a computer network. Proxy servers are commonly used in computer networks to protect the network from attack, to filter undesirable web content and web pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private local area networks to filter, protect and cache content requested by users on that network; this is called a “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side, in front of the destination web servers, in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files; this is called a “reverse proxy.”
Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid and SquidGuard on a CentOS distribution of Linux.
Types of Proxy Servers
Proxy Server
The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
Transparent Proxy Server
The router sends all traffic on defined ports to the transparent proxy server, so clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
Reverse Proxy Server (Cache)
The reverse proxy server or cache server is placed in front of the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.
Step-by-step instructions
1. Install Squid, start it, and set it to start on boot.
$ su -
# yum install squid
# service squid start
# chkconfig squid on
Check to see if it is listening on port 3128.
# netstat -antp |grep squid
# ps -aux |grep squid
2. Edit the Squid configuration file to change Squid from IPv6 to IPv4. Reload Squid.
# vim /etc/squid/squid.conf
On line 62 change http_port :::3128 to http_port 0.0.0.0:3128, then save and quit.
# service squid reload
or
# service squid restart
3. Now that Squid is running you can test it out directly from your CentOS Linux machine by setting Firefox to use the Squid web proxy. Open Firefox and go to File > Options > Advanced > Network tab > Connection Settings > Manual proxy configuration.
set it to: 127.0.0.1:3128
Now request a web page from Firefox. The request will be forwarded to Squid, running on the local system at the loopback address and port 127.0.0.1:3128. You can also test Squid from a different computer on the network, by adjusting the computer’s web browser settings to use a proxy. In Internet Explorer go to Tools > Internet options > Connections (tab) > LAN settings > Proxy server and set the address to the IP address of the proxy server and the port number to 3128. In Firefox, go to File > Options > advanced > network tab > connection settings > manual proxy configuration, and set the address and port number to the proxy server’s IP address and port number 3128.
*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on the release and type of CentOS Linux distribution, the iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. In the meantime, for testing purposes just turn off the iptables firewall.
# service iptables stop
4. You can monitor the access log to see it working.
# tail -f /var/log/squid/access.log
Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above).
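Reading the access log by eye works for a handful of requests; for a day of traffic you want a summary. The script below is an added example (not from the original tutorials) that runs over a few constructed access.log lines in Squid's native format and reports, per client, how many requests were denied versus served, and which destinations the denials were for. A client that racks up TCP_DENIED entries is either misconfigured or testing the policy, and either way is worth a look. The log lines, client addresses (from the lab's 192.168.111.0/24 range) and destination hosts are constructed; on a live system pipe the real log in (/var/log/squid/access.log on CentOS, /var/log/squid3/access.log on the Raspberry Pi). Note that requests SquidGuard rewrites to the block page are logged as fetches of that page rather than as TCP_DENIED, so a SquidGuard-specific check would look for the redirect URL instead.

```shell
#!/bin/sh
# Added example, not from the original tutorials: summarise Squid access.log
# lines (native log format) instead of watching them scroll past in tail -f.
# Fields: time elapsed client result/status bytes method URL user hier/peer type

# Constructed sample lines; 203.0.113.10 is a TEST-NET address.
SAMPLE_ACCESS_LOG='1396300000.123    245 192.168.111.20 TCP_MISS/200 5432 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1396300001.456      0 192.168.111.20 TCP_DENIED/403 3812 GET http://www.example.net/ - HIER_NONE/- text/html
1396300002.789     12 192.168.111.31 TCP_HIT/200 1204 GET http://www.example.com/logo.png - HIER_NONE/- image/png
1396300003.012      0 192.168.111.31 TCP_DENIED/403 3812 CONNECT www.example.net:443 - HIER_NONE/- text/html
1396300004.345      0 192.168.111.31 TCP_DENIED/403 3812 GET http://www.example.net/x - HIER_NONE/- text/html'

denied_count() {
    # Reads log lines on stdin; prints the number of TCP_DENIED requests.
    awk '{ split($4, r, "/"); if (r[1] == "TCP_DENIED") n++ } END { print n + 0 }'
}

denied_by_client() {
    # Reads log lines on stdin; prints "client denied served" per client,
    # most denials first. Many denials from one client means a misconfigured
    # browser or someone probing the policy; either way it deserves a look.
    awk '{ split($4, r, "/"); if (r[1] == "TCP_DENIED") d[$3]++; else s[$3]++; seen[$3] = 1 }
         END { for (c in seen) printf "%s %d %d\n", c, d[c] + 0, s[c] + 0 }' |
        sort -k2,2nr -k1,1
}

denied_destinations() {
    # Reads log lines on stdin; prints "count host" for every host that was
    # denied, most frequent first. Handles "GET http://host/path" as well as
    # "CONNECT host:443" by stripping the scheme and everything after the host.
    awk '{ split($4, r, "/"); if (r[1] != "TCP_DENIED") next
           u = $7; sub(/^[a-z]+:\/\//, "", u); sub(/[\/:].*$/, "", u); print u }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

echo "denied requests: $(printf '%s\n' "$SAMPLE_ACCESS_LOG" | denied_count)"
echo "per client (client denied served):"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | denied_by_client
echo "denied destinations (count host):"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | denied_destinations
```

On the server, sudo tail -n 1000 /var/log/squid/access.log | denied_by_client gives the same report for the last thousand requests; combined with the tail -f shown above you get both the live view and the summary.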
5. With Squid working you can now go about installing SquidGuard.
If you do not already have the EPEL repositories, you will need to install additional repositories in CentOS in order to access the necessary software packages that are not available in the default repositories. Install the Extra Packages for Enterprise Linux (EPEL), the epel-release for the current version of Enterprise Linux (EL6). You can find it at the following website: http://fedoraproject.org/wiki/EPEL. A direct link to the RPM is in the command below. Eventually the link will be outdated and need to be replaced. For 64-bit systems you can change /i386/ to /x86_64/ in the command below.
# yum install http://ftp.osuosl.org/pub/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
Now install SquidGuard.
# yum install squidGuard
6. Now that SquidGuard is installed, open Firefox and go to the SquidGuard website: http://squidguard.org. The SquidGuard website has links to configuration documentation and to websites where blacklists can be downloaded. You need to download a blacklists file. You can go to http://dsi.ut-capitole.fr/blacklists/ and get the link for the blacklists.tar.gz file, then use wget to download blacklists.tar.gz by copying and pasting the link, or you can download it through the Firefox web browser. SquidGuard has its own blacklists.tar.gz file, and you will eventually want to replace it with the newer blacklists.tar.gz file that you downloaded. Before you do that, you can create a test blacklists file for SquidGuard to block. To do that you need to create a blacklists directory in the /var/squidGuard/ directory. Now, in the new blacklists directory, use vim to create and edit a text file named testdomains.
# cd /var/squidGuard
# mkdir blacklists
# cd blacklists
# vim testdomains
Type in three lines of text to add some test domains to block:
yahoo.com
msn.com
whatever-you-want-to-block.com
save and exit.
7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.
# cp /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.BAK
# vim /etc/squid/squidGuard.conf
In the config file, add the following text elements in red. Be careful in your edits, incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.
9. Edit the squid.conf file and then reload Squid.
# vim /etc/squid/squid.conf
add the following line to the squid.conf file around line 28:
url_rewrite_program /usr/bin/squidGuard
# service squid reload or
# service squid restart
10. Now open the Firefox browser and test to see if your testdomains are successfully blocked, while every other domain is allowed.
11. If you were successful at blocking the test domains then you can extract and decompress the blacklists.tar.gz file that you downloaded in Step 6. Copy some of the extracted blacklist folders to your /var/squidGuard/blacklists/ directory. Now you will need to edit your squidGuard.conf file to account for the new blacklists areas beyond testdomains, recompile the squidGuard database (if there are errors creating the database file/s then you will need to troubleshoot by editing the squidGuard.conf file), chown the blacklists directory recursively, restart Squid and you should be filtering tons of undesirable domains, urls, keywords, etc.
In the previous article, I covered installing CentOS server and converting it to a router, address translator, and transparent proxy. I also covered installing a DHCP server to serve IP addresses to the interior local network. The entire process was recorded in a series of video tutorials (see previous article) and posted to YouTube.
Now that we have configured the iptables forwarding rules, manually configured our interfaces with IP addresses, as well as the default gateway and our DNS nameservers we need to save our configurations. We also need to cover installing BIND and having our CentOS server function as a DNS server as well.
Saving your iptables configuration
You can use terminal commands to make changes to iptables which will instantly affect the Linux firewall. This is similar to the difference between a Cisco router’s startup-config file and its running-config in RAM. Changes to the running-config take effect immediately but are not permanent unless saved to the startup-config. This is a similar scenario with iptables. If you have made changes to iptables using iptables terminal commands, they will directly affect the Linux firewall, but the changes will not be permanent unless they are saved to the iptables configuration file.
There are different approaches to making changes to iptables: the approach we have been using so far is to make the changes to iptables directly, using terminal commands; another approach is to save a test iptables configuration file and then load it, to test it out. Since we have been using the first approach we need to save our configuration to a file and then replace the default iptables configuration file. Before you replace the default file it is a good idea to create a backup. This command will take the current running iptables configuration, which we have manipulated and altered, and save it to a .conf text file. You can save it to the root home folder.
iptables-save > iptables.conf
Now cat your saved iptables.conf file to look it over.
cat iptables.conf
The first command listed below makes a backup of the original default iptables configuration file, and the second command replaces the iptables configuration file with the current configuration that was just saved as iptables.conf. Now, if the computer needs to be restarted, the new configuration will be maintained.
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
mv iptables.conf /etc/sysconfig/iptables
You may decide that it is smarter and safer to make changes to the Linux iptables firewall indirectly, by editing a test iptables.conf file before testing it out on the actively running iptables firewall. In this way, you make all your changes to the iptables.conf file and then load it into memory, instead of using iptables terminal commands to experiment with your running configuration and possibly compromise your security or disrupt your network users. With the following commands you save the current iptables to an iptables.conf text file, then edit it with a text editor, then restore it to a running state in active memory. The iptables-restore command is beneficial because it loads the edited config file into the running iptables without disrupting the service and potentially dropping the running network host connections.
iptables-save > iptables.conf
nano iptables.conf (edit the iptables.conf configuration file)
iptables-restore < iptables.conf (load the edited iptables.conf file into the running iptables)
mv iptables.conf /etc/sysconfig/iptables (replace the iptables configuration file with the edited version)
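Rather than stopping iptables so that other computers can reach the proxy, as the testing notes earlier suggest, the lasting fix is an INPUT rule that accepts TCP port 3128 from the LAN, placed in front of the catch-all REJECT that CentOS ships by default. Appending such a rule with -A puts it behind the REJECT, where it never matches. The script below is an added example, not part of the original article: it parses constructed iptables-save output (the stock CentOS 6 filter table plus a 3128 rule, once in the right position and once appended), reports whether the port is really reachable, and prints the rule number to hand to iptables -I INPUT so that a new rule lands in front of the catch-all. The LAN range 192.168.111.0/24 comes from this lab; the dumps themselves are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: inspect an iptables-save
# dump for the rule that lets LAN clients reach Squid on TCP 3128, and find
# where a missing rule has to be inserted. Both dumps below are constructed;
# the first is the stock CentOS 6 filter table plus the proxy rule in the
# right place, the second has the same rule appended after the catch-all
# REJECT, where it is never reached.

SAMPLE_RULES_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.111.0/24 -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

SAMPLE_RULES_APPENDED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.111.0/24 -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

input_port_status() {
    # Reads iptables-save output on stdin; $1 = TCP port.
    # ALLOWED:  an INPUT rule accepting --dport $1 comes before any catch-all REJECT/DROP
    # SHADOWED: the accept exists but sits behind the catch-all (typical after "iptables -A")
    # NO_RULE:  no INPUT rule accepts that port at all
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" {
            n++
            if (acc == 0 && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) acc = n
            # a catch-all has neither a port nor a source restriction
            if (rej == 0 && $0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport/ && $0 !~ /-s /) rej = n
        }
        END {
            if (acc == 0) print "NO_RULE"
            else if (rej != 0 && rej < acc) print "SHADOWED"
            else print "ALLOWED"
        }'
}

catchall_index() {
    # Reads iptables-save output on stdin; prints the INPUT rule number of the
    # first catch-all REJECT/DROP (0 if there is none). "iptables -I INPUT <n>"
    # with this number inserts a new rule directly in front of it.
    awk '$1 == "-A" && $2 == "INPUT" {
             n++
             if (rej == 0 && $0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport/ && $0 !~ /-s /) rej = n
         }
         END { print rej + 0 }'
}

echo "correct dump:  $(printf '%s\n' "$SAMPLE_RULES_OK" | input_port_status 3128)"
echo "appended dump: $(printf '%s\n' "$SAMPLE_RULES_APPENDED" | input_port_status 3128)"
echo "insert new INPUT rules at position: $(printf '%s\n' "$SAMPLE_RULES_APPENDED" | catchall_index)"
```

On the live server the same functions read the running rules: iptables-save | input_port_status 3128. If that reports NO_RULE or SHADOWED and catchall_index is non-zero, insert the accept at that position, for example iptables -I INPUT "$(iptables-save | catchall_index)" -s 192.168.111.0/24 -p tcp --dport 3128 -m state --state NEW -j ACCEPT, check again, and then save the running configuration to /etc/sysconfig/iptables as described above so it survives a reboot.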
A regular desktop installation of CentOS Server comes with the Network Manager program. Network Manager is a graphical management tool used to manage and configure network interfaces in an easy way. It was personally recommended to me to not use the Network Manager, but instead manually configure my network interfaces, meaning Ethernet ports with IP addressing, subnet masks, default gateway address, and DNS servers. Like with iptables, you can manually configure your network interfaces using terminal line commands, but if you restart the server your configurations will not be saved. In order to configure your network interfaces in a manner that will persist, you need to configure the network interface configuration files or scripts.
ls /etc/sysconfig/network-scripts/
You should see configuration files named ifcfg-eth0, ifcfg-lo, or some other variant of ifcfg-<name>, where <name> refers to the network interface name. To inspect the interface configuration you can output the text of the config file using cat.
cat /etc/sysconfig/network-scripts/ifcfg-eth0
You will see some output like the following:
DEVICE="eth0"
NM_CONTROLLED="yes"
ONBOOT="no"
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
This information tells us that Network Manager is managing the interface, that the interface is not activated by default when the system boots up, and that the system is using DHCP to acquire an IP address. In order to manually configure the network interface you will need to change these settings and add some additional settings as well. Before you change the settings of the interfaces it is a good idea to create backup configuration files.
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
cp /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth1.bak
Now you can configure your interfaces by altering the configuration files in a text editor like Vim or Nano.
nano /etc/sysconfig/network-scripts/ifcfg-eth0
Now alter and add the necessary settings and IP addressing for your outside interface. In my eth0 example below, I am on the 192.168.2.0/24 network using a static IP address of 192.168.2.98, a twenty-four bit subnet mask, and a gateway located at 192.168.2.1. Changes are displayed in red:
DEVICE="eth0"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.2.98 <whatever IP address your outside interface needs to be set at>
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
<additional entries not listed>
Save the interface configuration file and exit.
On the inside network interface (in my case eth1), I used the following settings:
DEVICE="eth1"
HWADDR="00:0C:29:12:AE:75"
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR=192.168.111.1 //the IP address for your inside interface. I chose ".1" since I am the gateway for the inside network
NETMASK=255.255.255.0
Save the interface configuration file and exit. Now you can issue the following commands to verify your interface configurations and your default route.
ifconfig
route
Manual Configuration of Network Interfaces for Trunking and VLANs
At the time of writing this article, the network manager in CentOS does not allow you to configure a network interface with subinterfaces, VLANs, and trunking. In order to configure a single network interface to function as multiple subinterfaces which allow VLANS over a trunked link you need to manually configure your network interface configuration file.
In the following scenario suppose you have one network interface, eth0, and you want your router to function as a transparent proxy and a router separating an interior network from an exterior network. In the image below you can see how this would be arranged in the logical topology: you have the 192.168.111.0/24 network on the interior LAN side, and the 192.168.11.0/24 network on the exterior facing WAN side. Of course 192.168.11.0/24 is also in a private network address range, but it is on the side of the CentOS server that is closest to the internet. However, in reality you happen to be physically limited by having only one network interface (eth0) and will therefore need to convert the one interface into multiple subinterfaces with VLANs for a trunked link (Physical Topology).
Looking at the physical topology in the diagram above, the CentOS server has transformed a single network interface eth0 into eth0.11 and eth0.111 for VLAN11 and VLAN111 respectively. From there the server is connected to the switch which has been configured as a trunk to allow VLAN11 and VLAN111.
Here are the commands and configuration settings needed to configure the CentOS server to fit with the scenario depicted in the diagram above. The first step is to back up your default or current network interface configuration file. Then copy the configuration file and rename it for both of the subinterface VLANs:
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.11
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.111
Now you will need to edit all three of your configuration files, ifcfg-eth0, ifcfg-eth0.11 and ifcfg-eth0.111, in turn with a text editor like vi, vim, or nano. In configuring ifcfg-eth0 you will only need to make sure that the interface is activated on startup, and that the interface is not managed by the network manager:
vim /etc/sysconfig/network-scripts/ifcfg-eth0
For the inside interface, the LAN side of the router (in the diagram VLAN111, eth0.111), you will mainly need to change the interface name, the IP address and netmask, and add a VLAN setting. The default gateway and DNS settings will be configured on the outside facing interface.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.111
DEVICE="eth0.111"
HWADDR="00:0C:29:12:AE:75"
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR=192.168.111.1 //the IP address for your inside interface. I chose ".1" since I am the gateway for the inside network
NETMASK=255.255.255.0
VLAN="yes"
For the outside facing interface, the WAN side of the router (in the diagram VLAN11, eth0.11), you will mainly need to change the interface name, the IP address and netmask, add a VLAN setting, and add the default gateway and DNS settings.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.11
DEVICE="eth0.11"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.11.100 <whatever IP address your outside interface needs to be set at>
NETMASK=255.255.255.0
GATEWAY=192.168.11.1
VLAN="yes"
DNS1=127.0.0.1 <if your CentOS server will not be running DNS services, use your normal DNS server address instead>
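Hand-edited ifcfg files fail quietly: the network service only reads files named ifcfg-<name>, so a copy saved as eth0.11 is never picked up; Network Manager keeps managing an interface whose file still says NM_CONTROLLED="yes"; a subinterface whose file lacks VLAN="yes" is not created; and a bare DNS= line is ignored because the scripts read DNS1= and DNS2=. The script below is an added example (not from the original article) that checks an ifcfg file for exactly these points, run against two constructed files: a correct ifcfg-eth0.11 modelled on the settings above, and an eth0.111 file carrying every one of the mistakes just listed. Treating an unset BOOTPROTO as a static configuration that needs IPADDR and NETMASK is this script's own assumption.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check an ifcfg file
# before restarting the network service. Values are read the way the network
# scripts see them: KEY=value, optional double quotes, # comments.

ifcfg_get() {
    # $1 = ifcfg file, $2 = key. Prints the last value set for the key
    # (empty if the key is absent), without quotes or trailing comments.
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key {
            v = $2
            sub(/[[:space:]]+#.*$/, "", v)   # trailing comment
            sub(/^[[:space:]]*\"?/, "", v)   # leading space and quote
            sub(/\"?[[:space:]]*$/, "", v)   # trailing quote and space
            val = v
        }
        END { print val }' "$1"
}

check_ifcfg() {
    # $1 = ifcfg file. Prints OK, or the names of the failed checks:
    # FILENAME      file is not named ifcfg-<DEVICE>; the scripts only read ifcfg-* files
    # NM_CONTROLLED must be "no" for a hand-managed interface
    # ONBOOT        must be "yes" or the interface stays down after a reboot
    # IPADDR/NETMASK required for a static address
    # VLAN          a dotted DEVICE such as eth0.11 needs VLAN="yes"
    # DNS           the scripts read DNS1=/DNS2=; a bare DNS= is ignored
    f="$1"; bad=""
    dev=$(ifcfg_get "$f" DEVICE)
    [ "$(basename "$f")" = "ifcfg-$dev" ]         || bad="$bad FILENAME"
    [ "$(ifcfg_get "$f" NM_CONTROLLED)" = "no" ]  || bad="$bad NM_CONTROLLED"
    [ "$(ifcfg_get "$f" ONBOOT)" = "yes" ]        || bad="$bad ONBOOT"
    case "$(ifcfg_get "$f" BOOTPROTO)" in
        none|static|"")   # an unset BOOTPROTO is treated as static here (assumption)
            [ -n "$(ifcfg_get "$f" IPADDR)" ]  || bad="$bad IPADDR"
            [ -n "$(ifcfg_get "$f" NETMASK)" ] || bad="$bad NETMASK" ;;
    esac
    case "$dev" in
        *.*) [ "$(ifcfg_get "$f" VLAN)" = "yes" ] || bad="$bad VLAN" ;;
    esac
    [ -z "$(ifcfg_get "$f" DNS)" ]                || bad="$bad DNS"
    if [ -z "$bad" ]; then echo OK; else echo "${bad# }"; fi
}

write_sample_ifcfg() {
    # $1 = directory, $2 = "good" or "bad". Constructed files modelled on the
    # eth0.11 / eth0.111 settings in this article; prints the path written.
    if [ "$2" = "good" ]; then
        cat > "$1/ifcfg-eth0.11" <<'EOF'
DEVICE="eth0.11"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.11.100
NETMASK=255.255.255.0
GATEWAY=192.168.11.1
VLAN="yes"
DNS1=127.0.0.1
EOF
        echo "$1/ifcfg-eth0.11"
    else
        # saved without the ifcfg- prefix, still NM-managed, no VLAN flag, DNS= instead of DNS1=
        cat > "$1/eth0.111" <<'EOF'
DEVICE="eth0.111"
NM_CONTROLLED="yes"
ONBOOT="yes"
IPADDR=192.168.111.1
NETMASK=255.255.255.0
DNS=127.0.0.1
EOF
        echo "$1/eth0.111"
    fi
}

tmp=$(mktemp -d)
echo "good: $(check_ifcfg "$(write_sample_ifcfg "$tmp" good)")"
echo "bad:  $(check_ifcfg "$(write_sample_ifcfg "$tmp" bad)")"
rm -rf "$tmp"
```

Run check_ifcfg on each file in /etc/sysconfig/network-scripts/ that you edited (ifcfg-eth0, ifcfg-eth0.11, ifcfg-eth0.111) before service network restart; it reports only the checks that failed, so an all-clear is a single OK.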
It is useful to protect your network by filtering web requests and other types of traffic, and a proxy server is designed to do this. You can create a Linux proxy server using Squid and SquidGuard, and configure network settings on your users’ browsers to access the proxy server, which will then apply rules that filter the requests. However, that can be bypassed by the host computer.
A stronger alternative is to create a transparent proxy server and configure your router to forward all web-related requests to the proxy server; that way your network hosts are forced to go through the transparent proxy. A potential problem with that scenario is that you need to have a fairly decent router, which can forward interior traffic on a specified port to the proxy server on the local area network. A third alternative is to make your transparent proxy server also handle routing, NAT, DHCP, and DNS. It would seem like that would be a huge undertaking, but it can actually be done fairly quickly, using a computer and a distribution of Linux.
Lab Outline
To create a Linux proxy server that also functions as a router and more, it is recommended to use a server distribution of Linux like CentOS Linux, which is the freely distributed server equivalent of Red Hat Enterprise Linux. Along with Debian, CentOS is one of the most popular server distributions of Linux available. For this lab, we download and burn CentOS 6.2, i386 (32-bit) or x86_64 (64-bit), ISO DVDs Parts 1 and 2. Pick a CentOS 6.2 mirror with direct DVD downloads and download the DVD ISO files to burn as installation DVDs.
Once you have the CentOS installation DVD iso files downloaded and burned to DVD you need to install the operating system to a computer. You can choose to install to an actual computer or to a virtual computer (virtual machine). In order to do this lab from home, and if you do not have a lot of extra computers lying around, I recommend doing the whole project virtually through the use of virtual machines. For a virtualization platform, I recommend downloading either VMware Player or Virtualbox.
If you decide to follow along with the video tutorials and set up a CentOS server virtual machine and convert it into a router, remember that the IP addressing scheme will need to be modified to work with your personal network. Just because my wireless network uses a 192.168.2.0/24 local addressing scheme does not mean that yours does also; in fact your network most likely uses a different scheme like 192.168.1.0/24.
Network diagram of a CentOS proxy server and router using virtual machines
In the lab at the college we installed CentOS to actual physical computers. Normally, I recommend using computers with two network interface cards (NICs) installed, but the computers we had available to us had only one network interface card (NIC). This posed a challenge since the traffic would need to flow through the computers, from one network to another, implying the need for two network interface cards. We fixed this problem by configuring VLANs, and assigning IP addresses to subinterfaces on the computer’s single NIC. We then connected to a switchport configured for trunking with the same VLANs as we created on the computer.
Network diagram of a CentOS proxy server-router implementation using a lab computer with only one network interface card (NIC) and a switch configured with VLANs and trunks
Lab Steps Overview (virtualized machines or physical machines)
a. Understand the benefits of a transparent proxy and a Linux server that can also route, NAT, etc. Plan and diagram your lab. See video tutorial part 1 below.
b. Download CentOS installation ISO files, i386 or x86_64, DVDs. See Lab Outline above and video tutorial part 2 below.
c. To do this lab on physical computers you will need one computer for the CentOS server, preferably with two NICs (one is okay too), and another computer as a test LAN host.
To do this lab virtually using a virtualization platform like VMware or VirtualBox, first create a new virtual machine for the Linux operating system. You will probably need to choose Red Hat Enterprise 32-bit or 64-bit and walk through all the settings. At the end, configure your virtual CD/DVD to boot from the CentOS installation ISO file that you downloaded. Make sure to add or enable two virtual network interfaces (NICs). In VMware, set the first NIC to Bridged Networking mode and the second NIC to NAT mode (then, once it is saved, change it again to LAN Segment mode); in VirtualBox, set the second NIC to Internal Network mode. See video tutorial part 2 below.
d. Configure network addressing on your server’s two network interfaces as well as your test host’s network addressing. See video tutorial part 3 below.
e. Configure routing and NATing using iptables on your server. See video tutorial part 4 below.
f. Install and configure Squid as a transparent proxy server. Configure iptables to port-forward web traffic to the server on port 3128 (Squid). See video tutorial part 5 below.
g. Secure your server by configuring iptables to accept and reject specific types of traffic. Install and configure a DHCP server on your CentOS server in order to hand out IP addresses on your local network. See video tutorial part 6 below.
Lab Command Steps
Here is a list of the commands used in this lab project:
1. If you are working in my lab or have a computer with only one network card (NIC), jump to step 2. If you are using a virtual or physical computer with two NICs (e.g. eth0 and eth1) you will need to configure each NIC with the commands below, then jump to step 6. You can receive an IP address dynamically through DHCP from your router/gateway on eth0: click on the network manager in the upper right of the task bar and click “auto ethernet”, or just click on “eth0” to activate DHCP. Then you will need to configure the second NIC manually using an ifconfig command from the terminal (e.g. ifconfig eth1 192.168.111.1); you will need root access to do this. After you have activated DHCP on eth0 and manually configured eth1, use the ifconfig command to check that eth0 and eth1 each have an IP address. You are now ready to jump to step 6.
su -
ifconfig eth1 192.168.111.1
ifconfig
2. If you are working in my lab or you have a computer with only one network interface card (NIC), you will need to configure trunking and two VLANs (e.g. 110 and 111) on the CentOS Linux server (for students with a physical computer with only one NIC):
vconfig add eth0 110 (in my college lab we use VLAN 110 for the 192.168.11.x network)
vconfig add eth0 111
vconfig rem eth0.111 (removes a VLAN sub-interface; vconfig rem takes the VLAN device name, e.g. eth0.111)
3. To configure sub-interfaces in order to assign an IP address to each VLAN (in our classroom lab we use VLAN 110 for the 192.168.11.0 network):
ifconfig eth0.110 192.168.11.xxx
ifconfig eth0.111 192.168.111.xxx
4. To configure a default gateway/route:
route add default gw 192.168.11.1
5. To configure DNS servers (the first command overwrites /etc/resolv.conf, the second appends to it):
echo "nameserver 4.2.2.2" > /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
6. To add kernel support for IP forwarding (routing), set the following flag:
sysctl -w net.ipv4.ip_forward=1
7. To set up NATing, configure the iptables nat table for masquerading on the outside interface:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (assuming eth0 is the outside interface)
or
iptables -t nat -A POSTROUTING -o eth0.110 -j MASQUERADE (assuming the eth0.110 sub-interface is the outside interface)
8. To install the Squid proxy server and move to its configuration directory (squid.conf is a file, so cd to /etc/squid, not to the file itself):
yum install squid
cd /etc/squid
9. Edit the squid.conf file and change the following line to enable transparent proxy mode:
http_port 3128
to
http_port 3128 intercept
10. Either of the following commands restarts the Squid service or reloads its configuration file:
service squid restart
service squid reload
11. Add an entry to iptables NAT table to port-forward inbound traffic on the inside interface (LAN side) to the Squid server on port 3128 (assuming eth1 is the inside interface with the IP address 192.168.11.1)
12. To get routing and forwarding to work correctly you will also need to remove some statements from the iptables tables that reject traffic. The following commands remove the reject statements from the INPUT chain and the FORWARD chain of the filter table:
iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
At first glance, it seems that there is a rule in the iptables INPUT chain (third line) that accepts any protocol from any source to any destination. The statement iptables -t filter -D INPUT 3 would delete the third line of the filter table INPUT chain, the “accept any anywhere anywhere” line, but do not use it, because, as it turns out, that particular line carries information that does not appear in the output of iptables -L. Run the following command and compare its output with the results of iptables -L:
iptables-save
You can see that the third line (-A INPUT -i lo -j ACCEPT) is actually accepting all input on the loopback (lo) interface only, i.e. 127.0.0.1, so it is not a rule that indiscriminately accepts all input on the outside interface, and it is not a problem. To clarify, in the following three commands, the first shows the current iptables rules, the second removes line 3 (-A INPUT -i lo -j ACCEPT), the line that ACCEPTs packets on the loopback interface in the filter table’s INPUT chain, and the third puts it back. To learn how to do this I referred to the man pages for iptables (man iptables).
iptables-save
iptables -t filter -D INPUT 3
iptables -t filter -I INPUT 3 -i lo -j ACCEPT
13. Now you can look at your iptables filter table (the default) and nat table using the following commands:
iptables -L -t filter
iptables -L -t nat
14. Now you can append to the iptables filter table with the following commands, to accept input on port 3128 for Squid and reject all other types of traffic (the ACCEPT must be appended before the REJECT, since rules are matched in order):
iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -t filter -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -L -t filter
15. The following commands and instructions install and configure a DHCP server in CentOS. You will need to elevate to root, run updates, then install:
su -
yum update
yum install dhcp
16. You should see that the DHCP server fails to start; this is because it has not been configured yet. To configure the DHCP server, edit the dhcpd.conf file located in /etc/dhcp:
cd /etc/dhcp
ls
17. You should see a file called dhcpd.conf. Edit the file in a text editor like Vim or Nano:
vim /etc/dhcp/dhcpd.conf
or
nano /etc/dhcp/dhcpd.conf
Here is a screenshot of my dhcpd.conf file after I edited it in Vim. The cat command is used to output the file to the terminal for viewing. The lines that begin with # are comments and not active configurations. You could duplicate what you see in my configuration file below, replacing every line that has 192.168.11.x ip addressing with your own network number, like 192.168.1.x, etc.:
cat /etc/dhcp/dhcpd.conf
IPtables Overview
iptables consists of four separate tables: filter, nat, mangle, and raw. Each table contains chains, and each chain holds an ordered list of rules.
filter – the filter table is the default table, used when no -t argument is given. The filter table has three chains: INPUT for traffic destined for a local socket, FORWARD for packets being routed through the server, and OUTPUT for packets generated locally on the machine.
nat – the nat table is consulted when new connections are generated. The nat table has three chains: PREROUTING, OUTPUT, and POSTROUTING.
mangle – the mangle table is used for specialized packet alteration. The mangle table has the following chains: PREROUTING, POSTROUTING, INPUT, FORWARD, and OUTPUT.
raw – the raw table is used for configuring exemptions from connection tracking.
Video Tutorials
In part 1, I outline creating a Linux proxy server and router and I diagram the network
In part 2, I create the VMware virtual machine with two NICs and install CentOS
In part 3, I configure network addressing on the CentOS server and a Fedora client
In part 4, I review network addressing and how to do the lab if the server has only one network interface. I also set up routing and NATing on the CentOS server.
In part 5, I install Squid on the CentOS server and configure it to be a transparent proxy. I configure the iptables NAT table to port-forward all local web traffic to the CentOS server on port 3128.
In part 6, I continue to configure iptables and I install and configure DHCP server on the CentOS server.
It is very useful to be able to block users on your network from accessing millions of websites with nefarious content. A great way to accomplish this is with a proxy server like Squid. Squid is a free and powerful proxy server that is capable of blocking users from accessing web content. A great way of enhancing Squid’s ability to block unwanted websites, domains and IP addresses is to install SquidGuard. SquidGuard is an add-on program for the Squid proxy server (see my previous article on Squid) whose main purpose is to block unwanted web traffic. SquidGuard works with databases of blacklists to block, filter, and redirect requested URLs and domains. You manually download blacklist files, add them to SquidGuard and compile them into the SquidGuard database; Squid then hands each web request to SquidGuard, which checks it against its database of blacklisted websites, domains and IP addresses and redirects it if it matches. It seems like this process would slow down a network, but SquidGuard is an extremely fast web content filter, able to check web requests against millions of blacklisted sites in a matter of seconds. There is great information about SquidGuard’s capabilities on the SquidGuard website, including links to download the program, well-written installation and configuration instructions, and links to websites that maintain blacklists.
Steps to manually install SquidGuard in Ubuntu
You can download and install SquidGuard using a package manager program like apt-get or yum, or even a graphical software installer tool like the software center program. Instead, I chose to outline the steps involved in manually downloading and installing SquidGuard.
1. Download the current stable version of SquidGuard at http://www.squidguard.org and save it to your downloads folder.
2. Download the Berkeley DB from Oracle at http://oracle.com. Download version 4.8.30.NC.tar.gz with no encryption and save it to your Downloads folder
3. Open a terminal and navigate to the directory where you downloaded SquidGuard and the Berkeley DB. You should see the tar.gz files:
cd ~/Downloads
ls
4. Decompress the tar.gz files (substitute the file names of the versions you downloaded):
tar -xvzf squidGuard-1.5-beta.tar.gz
tar -xvzf db-4.8.30.NC.tar.gz
ls
You should see two folders, one for squidGuard and one for Berkeley DB (e.g. squidGuard-1.5 and db-4.8.30).
5. Install the Berkeley DB first, since SquidGuard requires it. By default, the Berkeley DB installs itself under /usr/local/ in a folder named BerkeleyDB.4.8; you will need this path when preparing SquidGuard for installation.
cd db-4.8.30
cd build_unix
../dist/configure
make
sudo make install
6. Install SquidGuard by navigating to the extracted SquidGuard folder. During the configure step, pass the configure script the location of the Berkeley DB directory and set the squiduser to ‘proxy’ for Ubuntu. The squid user and group are typically “squid” in other Linux distributions like Fedora.
cd ~/Downloads/squidGuard-1.5
./configure --with-db=/usr/local/BerkeleyDB.4.8 --with-squiduser=proxy
make
sudo make install
You should get a message that the initial SquidGuard configuration is complete. Congratulations, SquidGuard is successfully installed! Make a note of the directory locations of the SquidGuard db, log, and conf files:
/usr/local/squidGuard/db
/usr/local/squidGuard/log
/usr/local/squidGuard/squidGuard.conf
Blacklists
7. Now that SquidGuard is installed you will want to download some blacklists. The SquidGuard website provides a few options. Click on Blacklists link and download a few blacklists. I recommend going here http://cri.univ-tlse1.fr/blacklists/index_en.php and downloading the blacklists.tar.gz file from the top of the Descriptions section
Now you can move the blacklists to the SquidGuard db directory and extract them so they are ready to use.
cd ~/Downloads
sudo cp blacklists.tar.gz /usr/local/squidGuard/db/blacklists.tar.gz
cd /usr/local/squidGuard/db
sudo tar -xvf blacklists.tar.gz
Configuring SquidGuard
8. Now you are ready to configure SquidGuard. Open the configuration file with a text editor:
cd /usr/local/squidGuard/
ls
You should see a squidGuard.conf file. Copy the conf file to a backup and open it with a text editor:
sudo cp squidGuard.conf squidGuard.conf.bak
sudo su
gedit squidGuard.conf &
If your squidGuard.conf file is broken, i.e. blank, then you can copy the configuration directly from the SquidGuard website: http://www.squidguard.org/Doc/configure.html
Looking at your squidGuard.conf file in the text editor, make sure that the lines beginning with dbhome and logdir point to the correct directories. For my install the dbhome and logdir lines read:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log
So I changed the dbhome line to:
dbhome /usr/local/squidGuard/db/blacklists
Try running squidGuard in debug mode, which sends its output to stderr:
squidGuard -d
I had errors showing on line 23 so I commented out lines 22 to 25 with # signs: #rew dmz{
# s@://admin/…
# s@://foo.bar….
#}
Now try running squidGuard again:
squidGuard -d
If squidGuard ran with no errors, it is time to compile your blacklists from text to DB with a -C all command:
squidGuard -d -C all
I had additional errors caused by the Destination Classes area in the squidGuard.conf file. The dest adult block of code had the following lines that needed to have the “dest/” edited out, because they are not the correct directory paths following from the “/usr/local/squidGuard/db/blacklists” directory:
I also edited the ACL block of code at the end of the config file. I commented out areas that I was not going to use, and focused on the default acl block of code, which I changed to pass only the not(!) adult sites (pass !adult all):
acl {
# admin {
# pass any
# }
#
# foo-clients within workhours {
# pass good !in-addr !adult any
# } else {
# pass any
# }
#
# bar-clients {
# pass local none
# }
#
default {
pass !adult all
#rewrite dmz
redirect http://google.com
}
}
9. After editing your config file, try to compile your blacklists from text to DB with a “-C all” command:
squidGuard -d -C all
If there are no errors, make sure the blacklists have the correct owner and group for Squid. You can check ownership of files and folders using the ls -l command. For Ubuntu the correct owner and group for Squid is “proxy”; in other distributions it is “squid”:
chown -R proxy:proxy /usr/local/squidGuard/db/blacklists
10. To finish the installation, add the following line to /etc/squid/squid.conf. I added the following line around line 1083, although you could add it anywhere; notice that it directs the squidGuard program to its configuration file. If your squidGuard installation and configuration file are located in a different directory then adjust the paths in the line accordingly:
11. Now restart Squid, or reload the Squid configuration file, which is much faster:
service squid reload
or
pkill -9 squid
service squid start
12. To test that the squidGuard configuration is working correctly and that Squid is passing web requests to it for checking against the SquidGuard database, the SquidGuard website recommends running a dry-run test using the following command. You can substitute one of the blacklisted URLs from your blacklists for the “http://www.example.com” URL in the example. Also, if you do not have a “test.cfg” file, just remove the part of the line from “-c” to “test.cfg” (see example below):
After running the command above, if you see the following 3 messages in the output then squidGuard is functioning correctly:
– the redirected URL website address from the squidGuard.conf file
– “squidGuard ready for requests”,
– “squidguard stopped”
Now you can try using your web browser to see if it will block blacklisted domains and websites!
Note: If you are in a situation where you do not want to risk requesting blacklisted sites in your browser and having them not be filtered, then you can add one of your own entries in a blacklist, recompile the squidGuard blacklist database, and test to see if your manually entered website is blocked by squidGuard.
Steps to install and configure Squid
Open a terminal, and type in the following commands to install Squid:
sudo apt-get update
sudo apt-get install squid squid-common
Ways to start and stop Squid:
sudo service squid start (or stop|restart|status)
sudo /usr/sbin/squid (launch the program directly)
sudo pkill -9 squid
Navigate to the Squid folder to find the squid.conf configuration file:
cd /etc/squid
ls (you should see the squid.conf file)
Create a backup of the squid.conf file:
sudo cp squid.conf squid.conf.bak
For testing purposes, open Firefox and set it to send web requests to the Squid proxy server (you will need to know your IP address):
ifconfig (write down your inet address, e.g. 192.168.1.100)
Open Firefox
Edit > Preferences > Advanced > Network tab > Connection Settings:
Manual Proxy Configuration:
HTTP Proxy: your IP address or the loopback address 127.0.0.1, Port: 3128
Click OK and Close
Now if you try to go to a website like Google you should see an ERROR – Access Denied message from Squid (see bottom line). This means that Squid is working, by actively denying the traffic.
Now we need to configure Squid to allow web traffic through the proxy server. Open squid.conf in your favorite text editor, like gedit, nano, or vi:
sudo nano squid.conf
or
sudo gedit squid.conf &
(If gedit does not open from the terminal you can open it as the root user:)
sudo su
gedit squid.conf &
To switch out of the root user (if you are root the prompt is a “#”), switch back to your own user account:
su your-username
If you chose to open squid.conf with gedit, turn on line numbering (Edit > Preferences > View > Display Line Numbers).
Change the name of your Squid proxy server. Around line 3399, change:
# TAG: visible_hostname
to
visible_hostname YourNameProxyServer
You can configure access rules for your Squid proxy server (lines 331 to 831 are for Access Control). Notice that on lines 606 to 630 the local networks and usable ports (services) are defined. Active configuration lines are the lines that are not commented out, i.e. they do not start with a # sign.
To re-enable web access, uncomment line 676, changing:
#http_access allow localnet
to
http_access allow localnet
To verify the web is now working, save your changes to the squid.conf file and restart your Squid server:
service squid restart (or “sudo service squid restart” if you are no longer root)
Now refresh your Firefox web browser and your homepage should be visible.
Now we can practice writing a custom ACL (access list) in the squid.conf file to block specific domains and websites. Write the custom ACL at the end of the acl lines, around line 631. From an empty line, write the following lines to test domain blocking (the leading dot makes the entry match the domain and all of its subdomains):
acl blocked_websites dstdomain .msn.com .yahoo.com
http_access deny blocked_websites
Now restart your Squid server, and test to see if Squid denies access to your blocked domains/websites in Firefox.
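Both Squid’s dstdomain ACL with a leading dot (.msn.com) and the SquidGuard blacklist domains files from the earlier section match the listed domain and every host beneath it, but not look-alike names. The script below, an added example rather than code from this article, emulates that matching on request lines in the same format the SquidGuard dry-run test uses (URL client-ip/fqdn ident method); the blacklist entries, client address and redirect target are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original article): emulates how a domain
# blacklist is matched, the way both a Squid "acl ... dstdomain .msn.com"
# line and a SquidGuard "domains" file work: an entry matches the host
# itself and every host beneath it, never a look-alike such as notmsn.com.
# The blacklist below is constructed for the demo; real lists come from the
# blacklists.tar.gz bundle, one domain per line.
BLACKLIST=$(mktemp)
trap 'rm -f "$BLACKLIST"' EXIT
REDIRECT_URL="http://google.com"   # the "redirect" target used in the lab's acl
cat > "$BLACKLIST" <<'EOF'
msn.com
yahoo.com
example.org
EOF

# Extract the host part of a URL: strip the scheme, then user@, then :port/path.
url_host() {
    printf '%s\n' "$1" | sed -e 's,^[a-zA-Z][a-zA-Z0-9+.-]*://,,' \
        -e 's,^[^/]*@,,' -e 's,[:/].*$,,' | tr '[:upper:]' '[:lower:]'
}

# Return 0 if the host or any parent domain is listed in the blacklist.
host_blocked() {
    h=$1
    while [ -n "$h" ]; do
        if grep -qxF -- "$h" "$BLACKLIST"; then
            return 0
        fi
        case $h in
            *.*) h=${h#*.} ;;   # drop the leftmost label and try the parent
            *)   return 1 ;;
        esac
    done
    return 1
}

# Handle one redirector request line as Squid sends it to a helper:
#   URL client-ip/fqdn ident method
# Print the redirect URL for a blocked host, or an empty line to pass it.
check_request() {
    url=$(printf '%s\n' "$1" | cut -d' ' -f1)
    if host_blocked "$(url_host "$url")"; then
        printf '%s\n' "$REDIRECT_URL"
    else
        printf '\n'
    fi
}

# Constructed sample requests in the same format as the SquidGuard dry-run test.
for req in "http://www.msn.com/ 192.168.111.20/- - GET" \
           "http://mail.yahoo.com:8080/inbox 192.168.111.20/- - GET" \
           "http://notmsn.com/ 192.168.111.20/- - GET" \
           "http://www.example.com/ 192.168.111.20/- - GET"; do
    printf '%-50s -> "%s"\n' "$req" "$(check_request "$req")"
done
```

In squid.conf the http_access rules are evaluated top down, so the deny line for blocked_websites must sit above http_access allow localnet (line 676) to have any effect on LAN clients.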
Video Tutorials
In this series of videos, I go through the same process outlined above to install and configure a Squid proxy server in Ubuntu.
In part 1, I install Squid in Ubuntu, start and stop it, back up the configuration file, and configure Firefox to use Squid as a proxy server.
In part 2, I discuss editing the configuration file
In part 3, I write a custom ACL in the squid.conf file