Solved

Setup Squid as a second gateway for internet traffic

Posted on 2013-06-09
7
876 Views
Last Modified: 2013-06-18
I have a need to separate one VLAN 150 internet traffic from the rest of our network.
It will still need normal traffic for login to the domain and receive updates, etc.
We will apply ACL on the CORE to only let it talk to the Domain Controller's network.

I will setup Squid running on a CentOS box.
The Squid server will have 2NIC, one NIC will be on the WAN side and one NIC will be on VLAN 150 to intercept HTTP, HTTPS,FTP traffic.

I need help setting up Squid to
    1. Intercept HTTP, HTTPS, FTP traffic for VLAN 150
    2. Restrict access to only 2-3 external domains.
I need help in CentOS
    1. To route HTTP, HTTPS, FTP traffic IN/OUT of the server.
    2. Tips on securing the Server from attack.

I think I got it all.
Thank you Experts !!!
Gilbert
HTTP-Separation.jpg
0
Comment
Question by:chfong98
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39233490
If you use a router/switch via WCCP, the squid setup should be in transparent mode.
https should not be redirected since it will be seen as a man in the middle attack warning to the user.

Not sure from whom you want to protect the centos box.

Adding squidGuard to your squid setup you can then define rules to restrict what sites users can access.
0
 

Author Comment

by:chfong98
ID: 39233592
I was able to get this to work as a test (somewhat).
-------------------------------------------------
in /etc/squid/squid.conf
-------------------------------------------------
acl vlan150 src 192.168.150.0/24
acl goodsites dstdomain .google.com .amazon.com .nba.com
(they are only allowed a few sites)
#
#http_access allow localnet
#http_access allow localhost
#
http_access allow vlan150 goodsites
I CAN INCLUDE THE WHOLE FILE IF YOU NEED TO SEE IT.
-------------------------------------------------
On the client I set the proxy on the browser
We will push a policy to the users on that VLAN to have proxy stick
from the client browser I can hit amazon and can login (skip the HTTPS part)
-------------------------------------------------
I will still need the Routing and NAT for IN/OUT traffic of the SquidBox.
I what to lock down CentOS from the outside.

Thanks
Gilbert
0
 
LVL 78

Expert Comment

by:arnold
ID: 39233712
I'm not sure on what you mean by lockdown.  You can get bastille which is a good tool to lockdown linux/unix based servers.

http://bastille-linux.sourceforge.net/
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:chfong98
ID: 39233729
I am just looking for confirmation/fix on my Squid config and some Routing and NAT help.
WILL MY DESIGN WORK??  I AM DIGGING WHILE WAITING.
I am not a Linux expert I can follow along on the Routing, Nating and Squid config.
I can turn off ports that are not needed on the CentOS.

WCCP and recompile the kernel with GRE tunnel support is something that I am not too comfortable with and I don't have too much time to research Bastille time. I will definitely
look into it ones I have more time.


So much fun and so little time.
Much appreciated
Gilbert
0
 
LVL 78

Expert Comment

by:arnold
ID: 39233845
There is no need to recompile the kernel, the GRE should already be present.
modprobe -l | grep -i gre
which version of IOS do you have?

Your Centos/Squid box will function as a proxy and not as a router.  This is what puzzled me.
If you want all VLAN 150 traffic to stream through the centos/squid box that it is an entirely different matter.
0
 

Author Comment

by:chfong98
ID: 39251420
Sorry,

lets just work on setting up Squid as a forwarding proxy.
we will not have this host on the main network at all.
can you help me with the iptable part?

Thanks
Gilbert
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 39251449
There is missing information,

Are you using tagged vlans?

Your proxy must be setup in transparent mode.
Your iptables rules on the LAN side
First allow port 80 traffic from the squid proxy to pass.
Second divert any port 80 request to the squid proxy.
Look at
http://askubuntu.com/questions/4010/iptables-issue-with-squid-as-transparent-proxy
http://stackoverflow.com/questions/10595575/iptables-configuration-for-transparent-proxy
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question