Solved

Squid As a Default Gateway

Posted on 2004-09-01
8,173 Views
Last Modified: 2013-11-22
I have recently set up Squid 2.5 Stable 6 on a FreeBSD box running 4.9.

Everything is working, however I have all my client machines using an automatic configuration script, so that everyone has to pass through the Squid box to get to the Internet.

Since it is possible to connect using alternate browsers, is there a way to make the squid box the default gateway, rather than my firewall? This way nobody will be able to bypass the proxy.

Currently my firewall is responsible for NAT and PAT... The firewall is a Cisco Pix 506.

Thanks in advance

Question by cchinoy

25 Comments
 
Expert Comment by ramazanyich (LVL 19):
 

Author Comment by cchinoy:
This is the procedure necessary if there is a Cisco router. I don't have a Cisco router; I have a Cisco Pix 506 firewall. The firewall cannot route any packets.

Currently the firewall is set up to forward everything to the router of my ISP. The router is not under my control...

So essentially I need to understand how incoming requests to squid on port 80 can be forwarded to squid port 3128?

Thanks,


Expert Comment by ramazanyich (LVL 19):
Just add another http_port directive:
http_port 80

See details at
http://squid.visolve.com/squid/squid24s1/network.htm#http_port

Author Comment by cchinoy:
This will involve running squid as root, since low-numbered ports can only be opened as root.

I have configured squid to run on a separate group and user for security reasons.

Expert Comment by ramazanyich (LVL 19):
In that case use
cache_effective_user username
cache_effective_group groupname

and start squid as root. It will start listening on port 80 and change the user that squid runs as. See details at
http://squid.visolve.com/squid/squid24s1/admin_parameter.htm#cache_effective_user

Author Comment by cchinoy:
According to my squid documentation, it is not advisable to run squid as root because of potential security concerns. I am looking for a workaround to get transparent proxy working without running it as root.

Expert Comment by ramazanyich (LVL 19):
It will not run as root. It will change PID to your squid user.
Start it and see the owner of squid processes using ps.

Author Comment by cchinoy:
Ok... Here is my configuration:

cache_effective_user squid
cache_effective_group squid

Squid being the group and userid I created to run squid...

What did you want me to change this to?

cache_effective_user root
cache_effective_group wheel    ?

Please clarify and I will give it a try....

Expert Comment by ramazanyich (LVL 19):
It should run with your cache_effective_user and cache_effective_group.
Just add
http_port 80
and try to start squid as user root.
It should now listen on ports 80 and 3128, and the squid processes will run as the squid user.

Expert Comment by jdw_2004 (LVL 2):
You may want to take a look at ipnat portion of the IPFilter code.  

YourPrompt> man 8 ipnat
YourPrompt> man 5 ipnat

You'll have to build a kernel using a config with this line:

options IPFILTER

Then, you'd route your client PCs to the squid box, enable routing on the squid box (gateway_enable="YES" in /etc/rc.conf).

Reboot and set up an ipnat.conf file with an entry similar to the following:

rdr xx0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128

Then "ipnat -f ipnat.conf"

Oh, you also need to build squid with the option "--enable-ipf-transparent" for this to work.  Otherwise it may not be able to figure out what site your clients wanted.

This should give you the transparent redirection you're looking for.





Expert Comment by jdw_2004 (LVL 2):
Oh, and you should not need to run squid on port 80 or give it special permissions for the above to work for you.  ipnat handles all of that as a kernel module.

Author Comment by cchinoy:
Finally,

This is exactly what I am looking for. It is very clear and concise.

I am a newbie to FreeBSD, but I am doing well so far (I think). I understand your email but I have a few follow-up questions. Please forgive my ignorance.

1. I have never rebuilt the kernel before. I take it that all I need to do is add the line - options IPFILTER - to the kernel config and recompile? Would you happen to have a document or a site that would detail exactly what needs to be done?

2. I take it that in the command

rdr xx0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128

xx refers to my NIC. How can I find out what the name of my NIC is on my system?

3. I believe I did NOT create squid with --enable-ipf-transparent. so do I have to

./configure --enable-ipf-transparent
make
make all

All over again?

4. Is there anything that I would have to create, i.e. an *.sh file, so that certain daemons fire up automatically when the server is rebooted? I have created one for squid so that it launches automatically when the server is rebooted. I was wondering if this needs to be done for ipnat?
 
Expert Comment by jdw_2004 (LVL 2):
1)

The definitive resource for kernel building is the FreeBSD handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

2) ifconfig will tell you what your network interface(s) is (are).  If you have two, you want the rdr on the *inbound* interface (the one that faces the clients).

3) Yes, that's exactly correct.  Don't forget make install.

4) ipnat is a kernel module and so will load itself once compiled in.

Good luck!

Author Comment by cchinoy:
Ok,

I was able to compile and install the new kernel with the

options IPFILTER

option. However, I do not see any file called ipnat.conf in the /etc directory. Do I have to create this myself? Am I missing anything?

Thanks,

Accepted Solution by jdw_2004 (LVL 2, earned 500 total points):
You will indeed have to create the /etc/ipnat.rules file yourself.  (Ours is called ipnat.conf but I see that FreeBSD has standardized on ipnat.rules.)  

You will also need to add the following in /etc/rc.conf:

ipnat_enable="YES"

This will cause it to load the rule(s) on startup.  Sorry for the confusion.

Author Comment by cchinoy:
I guess if you were to call it something other than ipnat.rules, you would have to add a separate line to /etc/rc.conf like

ipnat_rules="/etc/ipnat.conf"

Either way, I added

ipnat_enable="YES" (I am curious. Does this mean that my FreeBSD box is doing NAT? My Cisco box currently does NAT and PAT for my network)

and I created /etc/ipnat.rules with the following

rdr xxx 0/0 port 80 -> 127.0.0.1 port 3128 tcp

and life was good. Transparent proxy is working!!!! Thanks for all your help and pointing me in the right direction. I will add that on top of this you must make sure that the following exists within your squid.conf file for transparent proxy to work. (For anybody else who happens upon this post and is trying to set this up as well):

        http_port 8080
        httpd_accel_host virtual
        httpd_accel_port 80
        httpd_accel_with_proxy on
        httpd_accel_uses_host_header on

Expert Comment by jdw_2004 (LVL 2):
Your FreeBSD box is using its NAT functionality to do the transparent redirection (those things happen at the same spot in the network stack and so are handled by the same code).  Setting up an actual NAT would use the "map" ipnat rule type instead of "rdr".

It is a sort of NAT if you think about it.  Usually with NAT you have a client , the NAT, and a server.  The NAT pretends to be the client while talking to the server.  In this case, the NAT pretends to be the server while talking to the client.  So it's really the same thing, just from a different perspective.

I don't think you need those squid.conf lines you quoted.  Those are for reverse proxy (accel) configuration, which is something entirely different, and you are not running on port 8080.

In any case, I'm glad it's working for you.






Author Comment by cchinoy:
I got this information right off the Squid website (see below)... I actually commented out (#) those items to see if it made a difference and it did. The minute I disabled those tags, transparent proxy no longer worked. Either way, I appreciate all your help in getting this to work.

However, I have one problem now that I didn't have before. I created an acl to block all ports except 80 and 21. This worked prior to the setup of transparent proxy but now it no longer works.

acl !Safe_ports port 1-20
acl !Safe_ports port 22-79
acl !Safe_ports port 81-65535

http_access deny !Safe_ports

I have tried them in different areas in the squid.conf file but with no luck. Is there something I am missing?


The http_port 8080 in this example assumes you will redirect incoming port 80 packets to port 8080 on your cache machine. If you are running Squid on port 3128 (for example) you can leave it there via http_port 3128, and redirect to that port via your IP filtering or forwarding commands.

In the httpd_accel_host option, virtual is the magic word!

The httpd_accel_with_proxy on is required to enable interception proxy mode; essentially in interception proxy mode Squid thinks it is acting both as an accelerator (hence accepting packets for other IPs on port 80) and a caching proxy (hence serving files out of cache.)

You must use httpd_accel_uses_host_header on to get the cache to work properly in interception mode. This enables the cache to index its stored objects under the true hostname, as is done in a normal proxy, rather than under the IP address. This is especially important if you want to use a parent cache hierarchy, or to share cache data between interception proxy users and non-interception proxy users, which you can do with Squid in this configuration.

Expert Comment by jdw_2004 (LVL 2):
acl !Safe_ports port 1-20

is invalid syntax.

acl Safe_ports port 1-20
[etc]

is correct

Then,

http_access deny !Safe_ports

means "deny if Safe_ports is not matched."


Author Comment by cchinoy:
Well here is the problem...

If I have my squid box as the default gateway then my rules to block these ports, i.e. 443, no longer work. However, if I put the proxy setting in the web browser, the ports are now blocked.

Since ports other than 80 are not capable of transparent proxy, I guess the ideal situation would be to set up the squid box as your default gateway, but at the same time configure the browser to use the squid box as well. Is this the case? Or am I totally off?

Expert Comment by jdw_2004 (LVL 2):
If you use the correct syntax for your ACL definition, it will probably work better.

Author Comment by cchinoy:
Tried it that way and various other ways. It will only work if the proxy settings are explicitly set in Internet Explorer.

Author Comment by cchinoy:
I did a little research and what I want to do is not possible since Squid is an HTTP proxy server, and can't be used to proxy other protocols.

However, implementing the transparent proxy combined with an Automatic Configuration script will allow you to make sure that nobody will be able to bypass your proxy (see below for a sample configuration script). The language is java and you must save this with a *.pac extension. Modify according to your environment.

function FindProxyForURL(url, host) {
    if (url.substring(0, 5) == "http:") {
        return "PROXY xxx.xxx.xx.xx:3128; DIRECT";
    } else if (url.substring(0, 6) == "https:") {
        return "PROXY xxx.xxx.xx.xx:3128; DIRECT";
    } else {
        return "DIRECT";
    }
}
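A tightened version of that PAC, added here as an example and not part of the original post; the proxy address 192.0.2.10:3128 and the .corp.example intranet suffix are assumed placeholders. It drops the "; DIRECT" fallback for http and https, so a browser fails closed instead of going around Squid when the proxy is unreachable, and keeps intranet hosts direct.

```javascript
// Added example, not from the original post: a PAC that keeps the proxy
// mandatory for web traffic. 192.0.2.10:3128 and ".corp.example" are
// assumed placeholders; substitute your own Squid address and LAN suffix.
var SQUID = "PROXY 192.0.2.10:3128";
var LAN_SUFFIX = ".corp.example"; // assumed internal DNS suffix

// True for hosts that should never go through Squid: loopback, bare
// (unqualified) intranet names, and anything under the internal DNS suffix.
function isLocalHost(host) {
  var h = host.toLowerCase();
  if (h === "localhost" || h === "127.0.0.1") return true;
  if (h.indexOf(".") === -1) return true;           // plain intranet name
  return h.length > LAN_SUFFIX.length &&
         h.substring(h.length - LAN_SUFFIX.length) === LAN_SUFFIX;
}

// Browsers call this once per request; the return string is a proxy list.
// Unlike "PROXY host:3128; DIRECT", there is no DIRECT fallback for http and
// https: if Squid is down the request fails instead of bypassing the proxy.
function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();
  if (isLocalHost(host)) {
    return "DIRECT";
  }
  if (scheme === "http" || scheme === "https") {
    return SQUID;
  }
  // Other schemes (ftp: etc.) are left direct, as in the script above.
  return "DIRECT";
}
```

Port 80 is still caught by the ipnat rdr rule for browsers that ignore the PAC; the PAC is what carries https through Squid, since, as noted later in the thread, https cannot be transparently redirected.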
 

Expert Comment by dklt:
Wouldn't it be easier to use ipchains and Squid together? No need to recompile anything for testing...

I remember my uni used to forward all port 80 access to a transparent cache/proxy and intentionally ban all outgoing traffic to non-80 ports. Problem... some web servers run on port 81, and access to those servers will then time out.

cchinoy,
 "I did a little research and what I want to do is not possible since ..."

What exactly do you want to do? I thought you only wanted to force all outgoing port-80 access to first fetch from the local proxy. You can do that quite easily without configuring any browser...


-Dan

Expert Comment by jdw_2004 (LVL 2):
1) This question is closed.

2) ipchains does not exist on FreeBSD.

3) He is looking to redirect other ports, not just 80.

4) https cannot be transparently redirected as it implements the CONNECT method which requires proxy awareness.