Solved

Can Squid and Iptables coexist on the same machine and benefit me?

Posted on 2004-11-18
1,448 Views
Last Modified: 2011-09-20
I have a firewall I created from Linux Fedora 2.  It has 4 Network Cards.

ETH0 is my PRIVATE LAN
ETH1 is my Internet Connection Between Router and Firewall
ETH2 is my Mail/Webserver
ETH3 is my Public Wireless Segment

In addition to keeping mischievous people on the wireless and Mail/web server segments from getting to the PRIVATE LAN, well I should say SLOW THAT PERSON DOWN, I would really like to be able to filter which computers on the private LAN have access to the internet and even be able to log activity down to the URL.

So I installed SQUID alongside my IPTABLES firewall (same box) and got SQUID functioning.  Right now I'm at the point that if I shut down iptables, SQUID does its job.  It is caching sites when I point my computer to them and producing very nice little reports with SARG.  When I bring up IPTABLES, SQUID is broken.

I think I can get past this issue by adding a few more ACCEPTS with IPTABLES, but I don't know if I want to.  Am I getting too complicated by running SQUID and IPTABLES together?  Can IPTABLES log activity similarly to SQUID?

I'll leave it at that for now, any advice?

Thanks,

Deeky
Question by:deeky
11 Comments
 
LVL 6

Expert Comment

by:blkline
ID: 12622123
I think that you may be making things too complicated -- and perhaps confusing the purpose of the two tools.   Squid is useful if you want to cache web pages for improved response,  or to provide some filtering for websites surfed from inside your network.

IPTABLES is a damned fine firewall and should be able to do all of the security handling that you wish.

Sure, you can do some interesting things combining the two, but it depends entirely on what you are attempting to accomplish whether the added complexity is worth it.

As for logging, yes -- IPTABLES can do logging, although not as much as you can do with Squid.  
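The URL-level visibility the question asks about comes from Squid's access.log rather than from iptables. The following is an added example, not code from anyone in the thread: it summarises constructed sample lines in Squid's native log format per client and site, assuming the default field layout (time, elapsed, client, action/code, bytes, method, URL, ident, hierarchy, type).

```shell
#!/bin/sh
# Added example (not from the thread): per-client, per-site report from Squid's
# native access.log. The lines below are constructed sample data in the default
# native format: time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG='1100800000.123    210 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1100800001.456     12 192.168.1.10 TCP_HIT/200 5120 GET http://www.example.com/logo.png - NONE/- image/png
1100800002.789    340 192.168.1.22 TCP_MISS/200 8901 GET http://news.example.org/today - DIRECT/203.0.113.5 text/html
1100800003.111    180 192.168.1.22 TCP_DENIED/403 1200 GET http://blocked.example.net/ - NONE/- text/html
1100800004.222     95 192.168.1.10 TCP_MISS/200 2048 GET http://news.example.org/sports - DIRECT/203.0.113.5 text/html'

# Print "client host hits bytes" for each client/site pair, busiest pair first.
site_report() {
  printf '%s\n' "$SAMPLE_LOG" | awk '
    {
      url = $7
      sub(/^[a-z]+:\/\//, "", url)      # strip the scheme
      sub(/\/.*$/, "", url)             # keep only the host part of the URL
      key = $3 " " url
      hits[key]++
      bytes[key] += $5
    }
    END {
      for (k in hits) print k, hits[k], bytes[k]
    }' | sort -k3,3nr -k1,1
}

# Count requests Squid refused (TCP_DENIED): ACL blocks worth a second look.
denied_count() {
  printf '%s\n' "$SAMPLE_LOG" | awk '$4 ~ /^TCP_DENIED/ { n++ } END { print n+0 }'
}

site_report
echo "denied requests: $(denied_count)"
```

Point SAMPLE_LOG at a real access.log (cat "$LOGFILE" instead of printf) to run it on production data; SARG produces the same kind of breakdown with more detail.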
LVL 16

Expert Comment

by:The--Captain
ID: 12623411
If you can post your iptables config file or the output of iptables-save (if you have that script on your system) it might help clarify the problem (feel free to munge your sensitive data, but please be consistent if you do)

Cheers,
-Jon
LVL 5

Accepted Solution

by:
paranoidcookie earned 800 total points
ID: 12627512
Using iptables combined with squid is the best way to safely control access and manage users. Both squid and Iptables can be made to output SNMP information which can be used with tools such as mrtg.

Can I make a suggestion: rather than reinvent the wheel with your iptables script, why not tweak an existing system like monmotha to your needs?

http://monmotha.mplug.org/firewall/index.php
Author Comment

by:deeky
ID: 12628846
I have the SQUID working with my IPTABLES, I knew I could figure that one out eventually (right after I post my question).  My concern was more about running both services on the same machine, if that was going to be a problem, or something that is a NO-NO.

What types of issues will I have switching all users over to the proxy server?  For example, we connect to WebEx Sessions for support with our Software Company.  Also, we have FTP programs that send automated orders through the internet to our supplier.  If I understand correctly, these will not use the proxy, but will just find the default gateway and do their business as usual.  I'm really only concerned with caching and monitoring http traffic on our network.

When a user checks email with POP3 and SMTP using Outlook, that will not go through the proxy, or will it?

My understanding would be to tell IPTABLES to block port 80 transmissions on the default gateway to the PRIVATE LAN.  This would prevent anybody from sneaking into their workstation and removing the proxy and using port 80 as usual.  I would then configure each workstation to connect to my default gateway for the PRIVATE LAN and port 3128 (the port I have designated).  Squid will be listening and will do the deed.

Deeky
LVL 1

Assisted Solution

by:john_bindas
john_bindas earned 400 total points
ID: 12630155
Squid, to the best of my knowledge, can only proxy web traffic. If you want to proxy other services, you'll have to use other proxy servers. You could use, for lack of a better term, "traffic specific" proxies like Squid. A SOCKS proxy can handle different types of traffic, but IIRC, it will just do ACL-type verification. Depending upon your network and security needs, the proxying of some services may be overkill. You may be able to just lock down specific traffic to specific ip addresses. If your email server is on-site, for example, then you could block all smtp traffic except that which is destined for your email server.

There is another way to get people and devices to use your Squid proxy. You can set up a "reverse" NAT for the Squid proxy. I've used this with OpenBSD's ipf and ipnat. I can't see any reason that it wouldn't work with iptables. You configure Squid to listen to a port on the loopback, e.g., localhost:3128. Then you create a NAT rule that redirects your LAN's web traffic to the loopback port that Squid is listening to.

john
LVL 1

Assisted Solution

by:LeahcimL
LeahcimL earned 400 total points
ID: 12630921
You can even use iptables to force everyone on the private net to use the proxy or not access the web at all. iptables and squid are all you need.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

this should redirect any http request from the private net to squid, you can add single computers by using the -s (source) option.

Michael
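A dry-run firewall script for the four-interface layout in the question, combining LeahcimL's REDIRECT rule with the port-80 lockdown deeky describes and the iptables LOG target blkline mentions. This is an added example, not code from anyone in the thread; the interface roles follow the question, while port 3128, the IPT=echo preview switch and the exact chain layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). With IPT unset the rules are only printed;
# run as root with IPT=iptables to load them. Interface roles are from the question.
IPT="${IPT:-echo}"
LAN_IF=eth0    # private LAN
WAN_IF=eth1    # router / Internet side
DMZ_IF=eth2    # mail/web server segment
WIFI_IF=eth3   # public wireless segment
SQUID_PORT=3128   # assumed: the port Squid listens on (question says 3128)

gen_rules() {
  # Transparent proxy: every HTTP request leaving the private LAN is sent to
  # Squid on this box instead of straight to the Internet (LeahcimL's rule).
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
  # LAN clients may talk to Squid; Squid itself may fetch pages via the WAN side.
  $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
  $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT
  # Belt and braces for deeky's plan: any port-80 traffic that somehow tries to
  # route around the proxy is logged (visible in the kernel log) and dropped.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j LOG --log-prefix "DIRECT-HTTP: "
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j DROP
  # Wireless and DMZ segments must not open new connections into the private LAN.
  for seg in "$WIFI_IF" "$DMZ_IF"; do
    $IPT -A FORWARD -i "$seg" -o "$LAN_IF" -m state --state NEW -j LOG --log-prefix "TO-LAN-BLOCKED: "
    $IPT -A FORWARD -i "$seg" -o "$LAN_IF" -m state --state NEW -j DROP
  done
  # Replies to connections the private LAN opened are still allowed back in.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of rule lines the generator emits (handy for a quick sanity check).
count_rules() { gen_rules | wc -l | tr -d ' '; }

gen_rules
```

The NAT REDIRECT happens in PREROUTING, so redirected HTTP never reaches the FORWARD chain; the LOG/DROP pair there only catches traffic that escaped the redirect, which is exactly what you want to see in the logs.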
Author Comment

by:deeky
ID: 12631140
Interesting comment LeahcimL about forcing and redirecting traffic to the squid proxy.  I notice it contains the NAT command.  I'm already doing NAT on my border router between the internet and the firewall.  Creating another NAT downstream sounds like it might cause me more problems with certain programs or net-services (like I mentioned WebEx)?  

Deeky
Author Comment

by:deeky
ID: 12631501
Back to the subject LeahcimL brought up.  I realized during this testing phase that I will have to enter each user account on each machine and add the proxy server to Internet Options.  Each time I add another computer I will have to go into this and change it.

I noticed that when I logged on as a different user, it was not keeping the proxy server set "globally" for the workstation.  I presume there is probably a registry change for this, but this was an unexpected issue that has already presented itself; this could be time-consuming and complex for certain workstations.  I don't know everybody's password and several people log in on several machines depending on availability.  Anyhow, enough of my problems.

My question was essentially answered.  I wanted to run my idea past the experts to see if what I was trying to do was within normalcy.  I'm sure I will have more questions in the next few days.

Thanks,

Deeky
Author Comment

by:deeky
ID: 12631908
I was experimenting with the concept of using the redirect from the PRIVATE LAN to the Squid Port as instructed above.

I'm running into an error on all web browsers on the LAN generated by the Squid machine saying that the URL was not valid.

Hmmm???

Deeky
LVL 1

Expert Comment

by:LeahcimL
ID: 12642980
do you have any other entries in iptables?

Michael
LVL 5

Expert Comment

by:paranoidcookie
ID: 12643329
If you direct traffic straight to the proxy you are running in transparent mode and you need the following settings in squid.conf

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

take a look at http://en.tldp.org/HOWTO/TransparentProxy-4.html

If you transparently proxy you do not put the proxy details into the client computers, hope that helps