deeky asked:
Can Squid and Iptables coexist on the same machine and benefit me?

I have a firewall I created from Linux Fedora 2.  It has 4 Network Cards.

ETH0 is my PRIVATE LAN
ETH1 is my Internet Connection Between Router and Firewall
ETH2 is my Mail/Webserver
ETH3 is my Public Wireless Segment

In addition to keeping mischievous people on the wireless and Mail/web server segments from getting to the PRIVATE LAN, well I should say SLOW THAT PERSON DOWN, I would really like to be able to filter which computers on the private LAN have access to the internet and even be able to log activity down to the URL.

So I installed SQUID alongside my IPTABLES firewall (same box) and got SQUID functioning.  Right now I'm at the point that if I shut down iptables, SQUID does its job.  It is caching sites when I point my computer to them and producing very nice little reports with SARG.  When I bring up IPTABLES, SQUID is broken.

I think I can get past this issue by adding a few more ACCEPTS with IPTABLES, but I don't know if I want to.  Am I getting too complicated by running SQUID and IPTABLES together?  Can IPTABLES log activity similarly to SQUID?

I'll leave it at that for now, any advice?

Thanks,

Deeky
blkline:

I think that you may be making things too complicated -- and perhaps confusing the purpose of the two tools.   Squid is useful if you want to cache web pages for improved response,  or to provide some filtering for websites surfed from inside your network.

IPTABLES is a damned fine firewall and should be able to do all of the security handling that you wish.

Sure, you can do some interesting things combining the two, but whether the added complexity is worth it depends entirely on what you are attempting to accomplish.

As for logging, yes -- IPTABLES can do logging, although not as much as you can do with Squid.

The--Captain:
If you can post your iptables config file or the output of iptables-save (if you have that script on your system) it might help clarify the problem (feel free to munge your sensitive data, but please be consistent if you do)

Cheers,
-Jon
paranoidcookie: [asker-certified solution, members-only]

deeky (asker):
I have the SQUID working with my IPTABLES, I knew I could figure that one out eventually (right after I post my question).  My concern was more about running both services on the same machine, if that was going to be a problem, or something that is a NO-NO.

What types of issues will I have switching all users over to the proxy server?  For example, we connect to WebEx Sessions for support with our Software Company.  Also, we have FTP programs that send automated orders through the internet to our supplier.  If I understand correctly, these will not use the proxy, but will just find the default gateway and do their business as usual.  I'm really only concerned with caching and monitoring http traffic on our network.

When a user checks email with POP3 and SMTP using Outlook, that will not go through the proxy, or will it?

My understanding would be to tell IPTABLES to block port 80 transmissions on the default gateway to the PRIVATE LAN.  This would prevent anybody from sneaking into their workstation and removing the proxy and using port 80 as usual.  I would then configure each workstation to connect to my default gateway for the PRIVATE LAN and port 3128 (the port I have designated).  Squid will be listening and will do the deed.

Deeky
[solution, members-only]

[solution, members-only]

deeky (asker):
Interesting comment LeahcimL about forcing and redirecting traffic to the squid proxy.  I notice it contains the NAT command.  I'm already doing NAT on my border router between the internet and the firewall.  Creating another NAT downstream sounds like it might cause me more problems with certain programs or net-services (like I mentioned WebEx)?

Deeky
deeky (asker):
Back to the subject LeahcimL brought up.  I realized during this testing phase that I will have to enter each user account on each machine and add the proxy server to Internet Options.  Each time I add another computer I will have to go into this and change it.

I noticed that when I logged on as a different user, it was not keeping the proxy server set "globally" for the workstation.  I presume there is probably a registry change for this, but this was an unexpected issue that has already presented itself; this could be time-consuming and complex for certain workstations.  I don't know everybody's password and several people log in on several machines depending on availability.  Anyhow, enough of my problems.

My question was essentially answered.  I wanted to run my idea past the experts to see if what I was trying to do was within normalcy.  I'm sure I will have more questions in the next few days.

Thanks,

Deeky
deeky (asker):
I was experimenting with the concept of using the redirect from the PRIVATE LAN to the Squid Port as instructed above.

I'm running into an error on all web browsers on the LAN generated by the Squid machine saying that the URL was not valid.

Hmmm???

Deeky
Michael:

do you have any other entries in iptables?

If you direct traffic straight to the proxy you are running in transparent mode and you need the following settings in squid.conf

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

take a look at http://en.tldp.org/HOWTO/TransparentProxy-4.html

If you transparently proxy you do not put the proxy details into the client computers, hope that helps
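An added example, not from this thread and not from the Squid or netfilter projects, that turns both designs discussed above into iptables rules: deeky's explicit-proxy plan (browsers pointed at the firewall on port 3128, direct port-80 traffic from the PRIVATE LAN logged and rejected so that removing the proxy setting on a workstation gains nothing) and the transparent REDIRECT from the last answer. The interface eth0 and port 3128 are the thread's values; the LAN subnet 192.168.1.0/24 and the log prefix are constructed placeholders. With DRY_RUN=1 (the default) the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: iptables rules for the two Squid deployments discussed in the thread.
# eth0 (PRIVATE LAN) and port 3128 come from the thread; the LAN subnet and the
# log prefix below are constructed placeholders, not values from the page.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed placeholder; set to the real LAN
SQUID_PORT="${SQUID_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the rules, 0 = apply them with iptables

# Run iptables, or print the command when DRY_RUN=1, so the ruleset can be reviewed first.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Design 1 (deeky's plan): browsers are configured to use firewall:3128 as their proxy.
# Accept the proxy connections on the box itself, then log and reject any port-80
# traffic the LAN tries to route straight through, which is exactly what a user who
# removed the proxy setting would generate. The LOG rule gives the iptables-side
# audit trail asked about in the question (source, destination, time; not the URL).
explicit_proxy_rules() {
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j LOG --log-prefix "PROXY-BYPASS: "
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REJECT --reject-with tcp-reset
}

# Design 2 (transparent mode from the last answer): no client configuration; port-80
# packets arriving on the LAN interface are redirected to Squid before routing.
# PREROUTING only sees packets entering on eth0, so Squid's own outbound fetches
# (which leave through OUTPUT) are not looped back into the proxy.
transparent_proxy_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Count the rules a generator emits in dry-run mode (one command per line).
count_rules() {
    "$1" | grep -c '^iptables '
}

case "${1:-}" in
    explicit)    explicit_proxy_rules ;;
    transparent) transparent_proxy_rules ;;
    *)           ;;   # no argument: only define the functions (safe to source)
esac
```

Two things to keep in mind when applying this to a ruleset like the one in the thread: the rules are appended with -A, so they must end up ahead of any broad ACCEPT already in FORWARD or they will never match; and neither design touches port 443, POP3, SMTP or FTP, so HTTPS and the mail and order traffic deeky mentions keep going straight out through the default gateway exactly as before, only plain HTTP is proxied. For the transparent design Squid itself also has to be in transparent mode: the httpd_accel_* lines above are the Squid 2.5-era form, and later Squid releases replaced them with the transparent (later intercept) option on the http_port line.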