setup network web filter for SMB using ubuntu

mun_84
Hi Experts,
I am setting up a content filter for an SMB network. The company doesn't want to spend on expensive devices, so I did some googling and found that Linux + Squid + DansGuardian can do the job. I've attached a picture of what my network would look like.

I installed Ubuntu and squid and dansguardian on the server and it seems to filter ok (only on the server).

I would like all web traffic to be captured by the filter and forwarded to the router. I've only got 1 network card. Is that enough? Do I need two network cards? I would like to make the filter transparent so minimal changes need to be made.

What IP address should be on each CARD? eth0 and eth1?

I've googled many websites but none gives detailed examples on the network side of things.

Please help. Thanks.

Author

Commented:
Update on what is happening now.
I believe my content filtering is working on the domain; however, I need to put the proxy server IP:3128 in the browser. How can I make the Ubuntu server catch all port 80 traffic instead of manually putting the proxy address on each PC?

I believe it has something to do with iptables, masquerading, NATing?? Please advise, my deadline is pretty soon.

Commented:
What is the router device? A Linux machine or a cheap Linksys-like device?

For transparent proxying to work you need to make sure that all web traffic goes to the Linux machine. You can do this in two ways:
1. The router is capable of redirecting and NATing LAN traffic to your Linux server.
2. You change your physical (or at least logical) network to be like:

LAN
   |
Proxy
   |
Router
   |
Internet

You can do the latter with physical separation of the network and installing two network interfaces in the Linux machine, or logically with the current hardware layout by creating two logical network segments.

Anyhow, your LAN and your Proxy should be on one network segment, and the Proxy and your router should be on another. Actually, if your switch supports VLANs you could use that also to separate the network segments.

So which way do you prefer?

Author

Commented:
I don't mind installing another NIC. But what IPs would I have to configure on each NIC?

Author

Commented:
Answering your question in detail: the router is just an ordinary router. So the Linux (Ubuntu) server will have to catch all HTTP requests. I only need HTTP filtering too.

Commented:
OK. To do minimal changes, leave the current LAN IPs as they are (10.0.0.0/24). Set on the Proxy the current IP of the router (10.0.0.254).

Create a new (sort of DMZ) subnet - 192.168.0.0/24 that connects the Proxy and the router - the Proxy is 192.168.0.10, the router is 192.168.0.1. You can create an IP alias - you do not need to add another card.

On the Proxy configure:
- IP forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward)
- the firewall to allow forwarded traffic (iptables -I FORWARD -j ACCEPT)
- set default route via 192.168.0.1.

Configure a new route on the router: net 10.0.0.0/24 via 192.168.0.2.

With these steps you should have a working setup that behaves like your current setup, but all the traffic goes through the Proxy (the machine, not the program). You then only need to configure the transparent proxy by following some manual (http://tldp.org/HOWTO/TransparentProxy.html).

If you do not add another card (or create two VLANs on the switch), the client computers could theoretically set IP 192.168.0.3 and access the router directly, bypassing the proxy.

Author

Commented:
I'm still confused. Is it possible to get a diagram of what you are trying to explain?

So from what I understand, I have to convert my Linux machine to a router. One NIC, eth0, will manage the LAN, and one NIC, eth1, will act as a link from Ubuntu to the REAL router.

How do I add an IP alias?

Sorry, I'm pretty new to this stuff.

Commented:
Yes, you should convert your Linux machine to a router. The logical diagram (in any case) is:

LAN
   |
   |   10.0.0.0/24
   |
Proxy
   |
   |    192.168.0.0/24
   |
Router
   |
   |    xx.yy.ww.zz/24
   |
Internet

The physical diagram can be the same (if you plug in a second network card, you assign two IPs on the Proxy machine to two different network cards):

LAN switch (10.0.0.0/24)
   |
   |  
   |   eth0 (10.0.0.254)
Proxy
   |   eth1 (192.168.0.2)
   |  
   |   LAN (192.168.0.1)
Router
   |  WAN (xx.yy.ww.zz/24)
   |
   |
Internet



Or a different physical layout (with one network card: assign two IPs to the same network card, a network alias):

LAN computers ---------------+
(10.0.0.0/24)                |
                             |   LAN
eth0   (10.0.0.254)          |   switch
Proxy server ----------------+
eth0:0 (192.168.0.2)         |
                             |
LAN if (192.168.0.1)         |
Router ----------------------+


About network aliases:
http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworking.html#NETWORKALIASING

Author

Commented:
This setup is too complex for me.
What I would compromise on is to change the gateway of all machines to my server. At least I don't have to put the proxy setting in all browsers! So let's say I configure PC1 with the gateway IP 10.0.0.254 (UBUNTU BOX); how can I set my iptables to intercept port 80 traffic and filter it, and let all other ports pass through?

Can you give me a full solution? Thanks.

Commented:
> This setup is too complex for me. What I would compromise on is to change the gateway of all machines to my server.

This is the exact thing I proposed, except that in my solution you don't need to change the GW on all the PCs, because on the proxy machine you set the IP to the same IP your current router has...

The link I posted tells you all about this (http://tldp.org/HOWTO/TransparentProxy.html). You should read the whole (short) manual so as not to miss some configuration for squid as well. As far as iptables is concerned you have to put:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t filter -I FORWARD -j ACCEPT
And don't forget to enable IP forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward).

Author

Commented:
The proxy works transparently, but dansguardian is not filtering the traffic! The reason for this entire setup is for dansguardian to work transparently, not just the proxy.

example:

PC1 surfs the web with default gateway 10.0.0.254 -> the Ubuntu gateway intercepts the HTTP request and filters it on port 8080 -> if the page is blocked, dansguardian sends a block page reply; if not, it shows the webpage.

I know dansguardian will not work without squid so somehow squid will have to integrate into my setup.

** SQUID works transparently for now, but no filtering! When I put in the proxy 10.0.0.254:8080 it gets filtered.

Commented:
Sorry, I missed the dansguardian part of your question. Here is a quick reference for this to work:

http://dansguardian.org/downloads/DGandTransparent.txt

You have to change the iptables rules I posted a bit: redirect traffic to dansguardian instead of squid:
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080

And disallow direct access to squid (squid should only be reachable from dansguardian on localhost):
iptables -A INPUT -m tcp -p tcp ! -s 127.0.0.1 --dport 3128 -j DROP
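The routing steps from the earlier post (alias, forwarding, default route) and the DansGuardian redirect rules above, collected into one script as an added example; this is not code from the thread or from the DansGuardian project. It assumes the later diagram's addresses (eth0 = 10.0.0.254 on the LAN, alias eth0:0 = 192.168.0.2, router at 192.168.0.1, DansGuardian on 8080, squid on 3128) and that the router has the static route for 10.0.0.0/24 via 192.168.0.2; without `--apply` it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): print, or apply with --apply, the
# routing and transparent-DansGuardian rules. All addresses and ports below
# are the hypothetical values used in the thread's diagrams.

# filter_rules LAN_IF LAN_NET ROUTER DG_PORT SQUID_PORT
# Emits one command per line so the result can be reviewed before running.
filter_rules() {
    lan_if="$1"; lan_net="$2"; router="$3"; dg="$4"; squid="$5"
    cat <<EOF
# second IP on the same card (alias) toward the router's new subnet
ip addr add 192.168.0.2/24 dev $lan_if label $lan_if:0
# the box now routes for the LAN; the router must route $lan_net back via 192.168.0.2
sysctl -w net.ipv4.ip_forward=1
ip route replace default via $router
# intercept LAN port-80 traffic and hand it to DansGuardian, not squid
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-port $dg
# LAN may talk to DansGuardian, but never directly to squid (only DansGuardian on
# 127.0.0.1 may); rules are inserted at the top so they precede any broad ACCEPT
iptables -I INPUT 1 -i $lan_if -s $lan_net -p tcp --dport $dg -j ACCEPT
iptables -I INPUT 1 -i $lan_if -p tcp --dport $squid -j DROP
# let the LAN's non-HTTP traffic through, plus replies to it
iptables -A FORWARD -i $lan_if -s $lan_net -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# count_rules LAN_IF ... : number of real commands (comment lines excluded)
count_rules() {
    filter_rules "$@" | grep -vc '^#'
}

if [ "${1:-}" = "--apply" ]; then
    # run as root; sh -e stops at the first failing command
    filter_rules eth0 10.0.0.0/24 192.168.0.1 8080 3128 | sh -e
else
    filter_rules eth0 10.0.0.0/24 192.168.0.1 8080 3128
fi
```

Because REDIRECT only applies to packets arriving on eth0 from 10.0.0.0/24, a PC that re-addresses itself into 192.168.0.0/24 still bypasses the filter, which is the gap the VLAN or second-card layout closes.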

Author

Commented:
Great, finally got it to work as required.
