Can Squid and Iptables coexist on the same machine and benefit me?

I have a firewall I created from Linux Fedora 2.  It has 4 Network Cards.

ETH0 is my PRIVATE LAN
ETH1 is my Internet Connection Between Router and Firewall
ETH2 is my Mail/Webserver
ETH3 is my Public Wireless Segment

In addition to keeping mischievous people on the wireless and Mail/web server segments from getting to the PRIVATE LAN, well I should say SLOW THAT PERSON DOWN, I would really like to be able to filter which computers on the private LAN have access to the internet and even be able to log activity down to the URL.

So I installed SQUID alongside my IPTABLES firewall (same box) and got SQUID functioning.  Right now I'm at the point that if I shut down iptables, SQUID does its job.  It is caching sites when I point my computer to them and producing very nice little reports with SARG.  When I bring up IPTABLES, SQUID is broken.

I think I can get past this issue by adding a few more ACCEPTs with IPTABLES, but I don't know if I want to.  Am I getting too complicated by running SQUID and IPTABLES together?  Can IPTABLES log activity similarly to SQUID?

I'll leave it at that for now, any advice?

Thanks,

Deeky

blklineCommented:
I think that you may be making things too complicated -- and perhaps confusing the purpose of the two tools.   Squid is useful if you want to cache web pages for improved response,  or to provide some filtering for websites surfed from inside your network.

IPTABLES is a damned fine firewall and should be able to do all of the security handling that you wish.

Sure, you can do some interesting things combining the two, but it depends entirely on what you are attempting to accomplish whether the added complexity is worth it.

As for logging, yes -- IPTABLES can do logging, although not as much as you can do with Squid.
0
The--CaptainCommented:
If you can post your iptables config file or the output of iptables-save (if you have that script on your system) it might help clarify the problem (feel free to munge your sensitive data, but please be consistent if you do)

Cheers,
-Jon
0
paranoidcookieCommented:
Using iptables combined with squid is the best way to safely control access and manage users. Both squid and Iptables can be made to output SNMP information which can be used with tools such as mrtg.

Can I make a suggestion: rather than reinvent the wheel with your iptables script, why not tweak an existing system like monmotha to your needs?

http://monmotha.mplug.org/firewall/index.php
0

deekyAuthor Commented:
I have the SQUID working with my IPTABLES, I knew I could figure that one out eventually (right after I post my question).  My concern was more about running both services on the same machine, if that was going to be a problem, or something that is a NO-NO.

What types of issues will I have switching all users over to the proxy server?  For example, we connect to WebEx Sessions for support with our Software Company.  Also, we have FTP programs that send automated orders through the internet to our supplier.  If I understand correctly, these will not use the proxy, but will just find the default gateway and do their business as usual.  I'm really only concerned with caching and monitoring http traffic on our network.

When a user checks email with POP3 and SMTP using Outlook, that will not go through the proxy, or will it?

My understanding would be to tell IPTABLES to block port 80 transmissions on the default gateway to the PRIVATE LAN.  This would prevent anybody from sneaking into their workstation and removing the proxy and using port 80 as usual.  I would then configure each workstation to connect to my default gateway for the PRIVATE LAN and port 3128 (the port I have designated).  Squid will be listening and will do the deed.

Deeky



0
john_bindasCommented:
Squid, to the best of my knowledge, can only proxy web traffic. If you want to proxy other services, you'll have to use other proxy servers. You could use, for lack of a better term, "traffic specific" proxies like Squid. A SOCKS proxy can handle different types of traffic, but IIRC, it will just do ACL-type verification. Depending upon your network and security needs, the proxying of some services may be overkill. You may be able to just lock down specific traffic to specific ip addresses. If your email server is on-site, for example, then you could block all smtp traffic except that which is destined for your email server.

There is another way to get people and devices to use your Squid proxy. You can set up a "reverse" NAT for the Squid proxy. I've used this with OpenBSD's ipf and ipnat. I can't see any reason that it wouldn't work with iptables. You configure Squid to listen to a port on the loopback, e.g., localhost:3128. Then you create a NAT rule that redirects your LAN's web traffic to the loopback port that Squid is listening to.

john
0
LeahcimLCommented:
You can even use iptables to force everyone on the private net to use the proxy or not access the web at all. iptables and squid are all you need.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This should redirect any http request from the private net to squid; you can add single computers by using the -s (source) option.

Michael
0
deekyAuthor Commented:
Interesting comment LeahcimL about forcing and redirecting traffic to the squid proxy.  I notice it contains the NAT command.  I'm already doing NAT on my border router between the internet and the firewall.  Creating another NAT downstream sounds like it might cause me more problems with certain programs or net-services (like I mentioned WebEx)?  

Deeky
0
deekyAuthor Commented:
Back to the subject LeahcimL brought up.  I realized during this testing phase that I will have to enter each user account on each machine and add the proxy server to Internet Options.  Each time I add another computer I will have to go into this and change it.

I noticed that when I logged on as a different user, it was not keeping the proxy server set "globally" for the workstation.  I presume there is probably a registry change for this, but this was an unexpected issue that has already presented itself; this could be time-consuming and complex for certain workstations.  I don't know everybody's password and several people log in on several machines depending on availability.  Anyhow, enough of my problems.

My question was essentially answered.  I wanted to run my idea past the experts to see if what I was trying to do was within normalcy.  I'm sure I will have more questions in the next few days.

Thanks,

Deeky
0
deekyAuthor Commented:
I was experimenting with the concept of using the redirect from the PRIVATE LAN to the Squid Port as instructed above.

I'm running into an error on all web browsers on the LAN generated by the Squid machine saying that the URL was not valid.

Hmmm???

Deeky
0
LeahcimLCommented:
do you have any other entries in iptables?

Michael
0
paranoidcookieCommented:
If you direct traffic straight to the proxy you are running in transparent mode and you need the following settings in squid.conf

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

take a look at http://en.tldp.org/HOWTO/TransparentProxy-4.html

If you transparently proxy you do not put the proxy details into the client computers, hope that helps
0
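As an added example (not posted by anyone in this thread), here is one way to put LeahcimL's REDIRECT rule and the segment separation from the question together on the four-NIC box: explicit and transparent access to Squid, a logged drop for LAN web traffic that would be forwarded around the proxy, and a block on the wireless and Mail/Webserver segments opening connections into the PRIVATE LAN. The interface roles are from the question; the 192.168.1.0/24 LAN range is a constructed placeholder, and the squid.conf settings quoted by paranoidcookie are still needed on the Squid side.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules letting Squid and
# iptables coexist on the four-NIC Fedora box from the question.
# Interface roles come from the question; the LAN range is a constructed
# placeholder and must be replaced with the real PRIVATE LAN subnet.
LAN_IF=eth0            # PRIVATE LAN
WAN_IF=eth1            # router / Internet side
DMZ_IF=eth2            # Mail/Webserver
WIFI_IF=eth3           # Public Wireless
LAN_NET=192.168.1.0/24 # constructed placeholder
SQUID_PORT=3128        # port Squid listens on (http_port in squid.conf)

# Emit the rule set as text so it can be reviewed first; `gen_rules | sh`
# applies it.  Order matters: the port-80 DROP must precede the general
# LAN->WAN ACCEPT, or the bypass block never matches.
gen_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Explicit proxy: LAN clients configured for gateway:3128 reach Squid
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# Transparent proxy: divert LAN port-80 traffic into Squid before routing
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Web traffic that would still be forwarded around the proxy is logged, then dropped
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j LOG --log-prefix "proxy-bypass: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j DROP
# Wireless and Mail/Webserver segments may not open connections into the PRIVATE LAN
iptables -A FORWARD -i $WIFI_IF -o $LAN_IF -m state --state NEW -j LOG --log-prefix "wifi-to-lan: "
iptables -A FORWARD -i $WIFI_IF -o $LAN_IF -m state --state NEW -j DROP
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state NEW -j DROP
# Everything else from the LAN (POP3, SMTP, FTP, WebEx, DNS) is routed, not proxied
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
EOF
}

# Sanity check: the bypass DROP must come before the blanket ACCEPT.
rules_ordered() {
    drop=$(gen_rules | grep -n -- '--dport 80 -j DROP' | cut -d: -f1)
    accept=$(gen_rules | grep -n -- "-s $LAN_NET -j ACCEPT" | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

rules_ordered && gen_rules
```

The INPUT policy is DROP, so add ACCEPT rules for any administrative access to the firewall itself (for example SSH from the LAN) before applying this on a box you manage remotely.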