This week I set up a Squid proxy for our office network. What it does:
1. Caches the websites people visit, so it uses less bandwidth and improves performance
2. Allows managers to review web usage (every request ends up in access.log)
3. Allows restriction of certain web pages, content, etc.
Follow also the HowTo Setup SquidGuard

Requirements:
Two Ethernet interfaces, one in each subnet. My setup looks like this:
<LAN> --- <eth1|PROXY|eth0> --- <FIREWALL/ROUTER> --- <INTERNET>
eth1: 172.31.0.2 (LAN side)  eth0: 10.10.10.156 (router side)
The proxy server needs iptables, so we get a true transparent proxy: port-80 traffic from the LAN is intercepted and handed to Squid, everything else is routed through unchanged.
This means all we have to do on the clients is set their default gateway to 172.31.0.2; no proxy settings in the browsers are needed. Keep in mind that only plain HTTP on port 80 is proxied; HTTPS (443) passes straight through the NAT, because Squid 3.0 cannot intercept TLS.

1. Download and compile Squid 3.0 (STABLE 11)

Download:
# wget http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE11.tar.gz
# tar xzf squid-3.0.STABLE11.tar.gz && cd squid-3.0.STABLE11
Compile (the options below are plain double-dash GNU configure switches):
# ./configure --prefix=/usr/local/squid --enable-ssl --with-openssl --enable-linux-netfilter --enable-storeio=aufs,ufs --with-large-files --enable-delay-pools --enable-epoll
# make all
# make install
Notes:
--with-openssl = requires the OpenSSL development library to be installed (only STABLE 11). On Debian that is the libssl-dev package; the file linked below is libcurl's OpenSSL-flavoured dev package, which pulls OpenSSL in as a dependency but is not the OpenSSL headers themselves:
wget http://http.us.debian.org/debian/pool/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_i386.deb
--enable-delay-pools = enables delay pools, which limit bandwidth per client or per network
--enable-epoll = uses epoll instead of select/poll, which scales much better with many open connections
--enable-linux-netfilter = required for transparency to work: Squid asks netfilter for the original destination of each redirected connection
Troubleshooting:
To compile you will need a C and C++ compiler:
# apt-get install gcc g++ make
I believe these are also required:
# apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl

2. The squid.conf file

#CLEAN CONFIG FILE, by FELIPE 12/2008
visible_hostname hostname.domain.com

#user to run SQUID as (never root)
cache_effective_user proxy

acl manager proto cache_object
acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16   # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 21            # ftp
acl Safe_ports port 443           # https
acl Safe_ports port 70            # gopher
acl Safe_ports port 210           # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280           # http-mgmt
acl Safe_ports port 488           # gss-http
acl Safe_ports port 591           # filemaker
acl Safe_ports port 777           # multiling http

#HOSTS FILE should be edited with the correct hosts
hosts_file /etc/hosts

#Transparent mode: Squid has to rebuild the URL from the Host header of each intercepted
#request, so the listening port must be flagged 'transparent' (renamed 'intercept' in 3.1+).
#This address:port is where the iptables DNAT rule in section 3 sends the LAN's port-80 traffic.
http_port 10.10.10.156:9090 transparent

#------ACL------
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
#Order matters: the first http_access line whose ACLs all match decides, and if no line
#matches the result is the opposite of the last line. Keep 'deny all' last.
#to_localhost is defined but never used here; the stock squid.conf recommends adding
#'http_access deny to_localhost' so proxy users cannot reach services bound to the proxy's loopback.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_reply_access allow all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all

hierarchy_stoplist cgi-bin ?

#CACHE DIRECTORY: 30000 MB (about 30 GB) on a separately mounted disk, ufs store.
#aufs (compiled in above) does disk I/O in threads and holds up better under load.
cache_dir ufs /cache 30000 16 256

access_log /usr/local/squid/var/logs/access.log squid
cache_log /usr/local/squid/var/logs/cache.log
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130

coredump_dir /usr/local/squid/var/cache
check_hostnames off
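The http_access block above is the whole access-control story, and its order is what makes it safe. As an added example (not part of the original howto), the Python below simulates Squid's first-match evaluation using exactly the ACLs and http_access lines of this squid.conf, and also shows what happens when the trailing deny all is missing. The request samples are constructed; the ACL names and port lists are copied from the config.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    """One client request as Squid sees it (constructed sample, not real traffic)."""
    src: str             # client IP address
    method: str          # GET, POST, CONNECT, ...
    port: int            # destination port of the requested URL
    proto: str = "http"  # "cache_object" marks a cache-manager request


# ACL definitions taken from the squid.conf above
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]
SSL_PORTS = [(443, 443)]
LOCALNET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCALHOST = [ipaddress.ip_network("127.0.0.1/32")]


def in_ports(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


ACLS = {
    "manager":    lambda r: r.proto == "cache_object",
    "localhost":  lambda r: in_nets(r.src, LOCALHOST),
    "localnet":   lambda r: in_nets(r.src, LOCALNET),
    "Safe_ports": lambda r: in_ports(r.port, SAFE_PORTS),
    "SSL_ports":  lambda r: in_ports(r.port, SSL_PORTS),
    "CONNECT":    lambda r: r.method == "CONNECT",
}

# http_access lines in file order; a leading "!" negates an ACL, "all" always matches
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("deny",  ["all"]),
]


def acl_matches(name, req):
    if name == "all":
        return True
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(req, rules=HTTP_ACCESS):
    """Squid's rule: the first line whose ACLs *all* match decides. If no line
    matches, the result is the opposite of the last line's action, which is
    why a trailing 'http_access deny all' is essential."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    samples = [
        Request("192.168.1.20", "GET", 80),                 # LAN user browsing: allow
        Request("192.168.1.20", "CONNECT", 8080),           # CONNECT to a non-SSL port: deny
        Request("192.168.1.20", "GET", 25),                 # SMTP via the proxy: deny (!Safe_ports)
        Request("8.8.8.8", "GET", 80),                      # outside address: deny all
        Request("192.168.1.20", "GET", 3128, "cache_object"),  # manager from the LAN: deny
    ]
    for r in samples:
        print(f"{r.src:14} {r.method:8} port {r.port:<5} -> {http_access(r)}")
    # Drop the last two lines and the list ends with a deny: an unmatched
    # outsider is then implicitly allowed, i.e. an open proxy.
    print("without 'allow localnet' / 'deny all':",
          http_access(Request("8.8.8.8", "GET", 80), HTTP_ACCESS[:4]))
```

The last print is the classic mistake: truncate the list so it ends on a deny line and anyone whose request matches nothing gets through. Squid evaluates the real config the same way, so keep deny all as the final line whenever you edit the block.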

3. The iptables rules script

#!/bin/sh
#SCRIPT FOR THE SQUID PROXY
#BY FELIPE FERREIRA 12/2008
#SHOULD CONSIDER OTHER THINGS LIKE SMTP, POP3, VNC, RDP, DAMEWARE: THOSE PASS STRAIGHT THROUGH THE NAT (NO PROXYING)
#ONLY WEB TRAFFIC ON PORT 80 IS INTERCEPTED; 443 CANNOT BE INTERCEPTED BY SQUID 3.0 AND IS ROUTED THROUGH UNCHANGED
# squid server IP
SQUID_SERVER="10.10.10.156"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="9090"
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load iptables modules for NAT and connection tracking
# (2.6.x-era module names; on current kernels they are nf_conntrack and nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For the Windows XP FTP client (active-mode FTP through NAT)
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy: drop unsolicited packets to the box and drop unsolicited
# packets routed through it. Leaving FORWARD at its ACCEPT default (as the first version of
# this script did) lets any host on the eth0 side open connections straight into the LAN.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to connections the proxy itself opened (DNS answers, web fetches, passive FTP data)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# LOG and ALLOW SSH to the server on the Internet-side interface (10.10.10.156) only
iptables -A INPUT -i $INTERNET -p tcp --dport 22 -j LOG --log-prefix "SSH LOGIN: "
iptables -A INPUT -i $INTERNET -p tcp --dport 22 -j ACCEPT
# set this system as a router for the rest of the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# replies coming back from the Internet to connections the LAN opened
iptables --append FORWARD --in-interface $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# same for port-80 traffic arriving on the Internet-side interface. Note that with INPUT
# defaulting to DROP these redirected packets are dropped anyway, unless tcp/$SQUID_PORT
# on $INTERNET is also accepted in INPUT, so this line has no effect without such a rule.
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Port 443 is deliberately NOT redirected: Squid 3.0 cannot intercept TLS (SslBump only
# arrived in 3.1), and sending it to a plain transparent port would break every HTTPS connection.
#iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# Redirect traffic back
#iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 443 -j REDIRECT --to-port $SQUID_PORT
# DROP everything else and log it
iptables -A INPUT -j LOG --log-prefix "Drop Packets: "
iptables -A INPUT -j DROP
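It is easy to lose track of which chain a packet ends up in once nat and filter rules interact. As an added example (not part of the original post), the Python below walks a few constructed packets through the chains the script above programs, using a simplified netfilter model: nat PREROUTING, then the routing decision (local delivery goes to INPUT, anything else to FORWARD), then MASQUERADE in POSTROUTING for packets leaving on eth0. It shows that LAN port-80 traffic lands on Squid, that 443 bypasses Squid via plain NAT, that the eth0-side REDIRECT line is dead under INPUT DROP, and what the FORWARD default policy decides for an unsolicited inbound connection. The LAN prefix 172.31.0.0/24 and the sample addresses are assumptions; the post only gives the two interface addresses.

```python
import ipaddress
from dataclasses import dataclass, replace

# Values from the script above
SQUID_SERVER, SQUID_PORT = "10.10.10.156", 9090
INTERNET, LAN_IN = "eth0", "eth1"
LOCAL_ADDRS = {"10.10.10.156", "172.31.0.2", "127.0.0.1"}   # addresses owned by the proxy box
LAN_NET = ipaddress.ip_network("172.31.0.0/24")             # assumed LAN prefix


@dataclass
class Packet:
    """Constructed sample packet; 'state' is the conntrack state the filter table sees."""
    in_if: str
    proto: str
    src: str
    dst: str
    dport: int
    state: str = "NEW"   # NEW / ESTABLISHED / RELATED


def nat_prerouting(p):
    """nat PREROUTING. Only a connection's first packet is matched here; conntrack
    replays the mapping (and its reverse for replies) for the rest of the flow."""
    if p.proto == "tcp" and p.dport == 80 and p.in_if == LAN_IN:
        return replace(p, dst=SQUID_SERVER, dport=SQUID_PORT)   # DNAT --to $SQUID_SERVER:$SQUID_PORT
    if p.proto == "tcp" and p.dport == 80 and p.in_if == INTERNET:
        return replace(p, dst=SQUID_SERVER, dport=SQUID_PORT)   # REDIRECT: eth0's own address
    return p


def filter_input(p):
    """filter INPUT, rules in script order, policy DROP."""
    if p.in_if == "lo":
        return "ACCEPT"
    if p.in_if == INTERNET and p.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if p.in_if == INTERNET and p.proto == "tcp" and p.dport == 22:
        return "ACCEPT"
    if p.in_if == LAN_IN:
        return "ACCEPT"
    return "DROP"   # logged with "Drop Packets: ", then dropped


def filter_forward(p, policy="ACCEPT", accept_return=False):
    """filter FORWARD. With the defaults this models a script that sets no FORWARD
    policy (so ACCEPT) and only allows LAN-originated packets; policy="DROP" with
    accept_return=True models the hardened variant shown above."""
    if p.in_if == LAN_IN:
        return "ACCEPT"
    if accept_return and p.in_if == INTERNET and p.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return policy


def out_interface(dst):
    return LAN_IN if ipaddress.ip_address(dst) in LAN_NET else INTERNET


def trace(p, **forward_opts):
    """Returns (chain, verdict, final dst, final dport, final src)."""
    p = nat_prerouting(p)
    if p.dst in LOCAL_ADDRS:                      # routing decision: local delivery
        return ("INPUT", filter_input(p), p.dst, p.dport, p.src)
    verdict = filter_forward(p, **forward_opts)
    src = p.src
    if verdict == "ACCEPT" and out_interface(p.dst) == INTERNET:
        src = SQUID_SERVER                        # nat POSTROUTING: MASQUERADE on eth0
    return ("FORWARD", verdict, p.dst, p.dport, src)


if __name__ == "__main__":
    lan_web = Packet("eth1", "tcp", "172.31.0.50", "93.184.216.34", 80)
    lan_tls = Packet("eth1", "tcp", "172.31.0.50", "93.184.216.34", 443)
    eth0_web = Packet("eth0", "tcp", "10.10.10.7", "10.10.10.156", 80)
    inbound_rdp = Packet("eth0", "tcp", "10.10.10.7", "172.31.0.50", 3389)
    print("LAN  :80  ->", trace(lan_web))        # INPUT ACCEPT, delivered to Squid on 9090
    print("LAN  :443 ->", trace(lan_tls))        # FORWARD ACCEPT, masqueraded, Squid never sees it
    print("eth0 :80  ->", trace(eth0_web))       # INPUT DROP: the REDIRECT rule is dead
    print("RDP in, FORWARD policy ACCEPT ->", trace(inbound_rdp))
    print("RDP in, FORWARD policy DROP   ->", trace(inbound_rdp, policy="DROP", accept_return=True))
```

The model deliberately ignores things the real stack does (the mangle table, reverse-path filtering, ICMP), so use it to reason about rule order, not as a substitute for testing on the box itself.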
