Transparent Proxy Week 4 Report

This week's task was to install and run Squid transparently. Unfortunately I found out that the DNS server is not working; I don't know why, but I do know it was working when I installed it. I guess I messed something up while experimenting with Squid.

So the first step was to reconfigure the DNS server. In the default configuration file /etc/named.conf I changed or uncommented the following lines.


# inside the options { ... } block
listen-on port 53 { 127.0.0.1; 192.168.56.2; }; # don't forget the ";" after each IP address, the server won't start without it
listen-on-v6 { none; };

# top-level logging statement: send errors to syslog
logging {
    channel syslog_errors {
        syslog user;
        severity error;
    };
    category default { syslog_errors; };
};

Then add the DNS server to the services started at boot:


sudo chkconfig named on

Give the named user ownership of its working directory:


sudo chown -R named:named /var/lib/named/

Then I configured forward and reverse lookup using YaST:


The reverse zone: 56.168.192.in-addr.arpa
  NS record: server2.sstlab.site
  Records: key 2; type PTR; value sstlab.site

The forward zone: sstlab.site
  NS record: server2.sstlab.site
  MX record: server2.sstlab.site; priority 5
  Records: server2  A  192.168.56.2
           client1  A  192.168.56.3
           client2  A  192.168.56.5

You should verify that DNS is working with these commands:


dig server2.sstlab.site
nslookup client1.sstlab.site

If it is working correctly you will see the IP address in the ANSWER SECTION; try it from all machines, in my case client1, client2 and server2. Useful link

The second step was to install and configure Squid. Installation is easy:


sudo zypper install squid

My configuration in /etc/squid/squid.conf:


acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl sstlan src 192.168.56.0/24 # our network

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
access_log /var/log/squid/access.log
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost

http_access allow sstlan # allow access from our network (already covered by "allow localnet" above, since 192.168.56.0/24 is inside 192.168.0.0/16)

http_access deny all

http_port 3128 transparent # intercept (transparent) mode; Squid 3.1 and later spell this option "intercept"

cache_dir aufs /var/cache/squid 5000 16 256
coredump_dir /var/cache/squid
minimum_object_size 2 KB
maximum_object_size 61440 KB
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320

visible_hostname sstlab.proxy # hostname

cache_peer 10.1.1.10 parent 3128 0 no-query default # shows that there is a parent cache
never_direct allow all # more on this [here](http://wiki.squid-cache.org/Features/CacheHierarchy)

cache_log /var/log/squid/cache.log
cache_mem 8 MB
cache_mgr aismagambetov@nu.edu.kz
cache_replacement_policy lru
cache_store_log /var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
emulate_httpd_log off
error_directory /usr/share/squid/errors/af
ftp_passive on
memory_replacement_policy lru

The last step was to configure the firewall so that TCP port 80 traffic from our network is redirected to the proxy on port 3128. In /etc/sysconfig/SuSEfirewall2:


FW_REDIRECT="192.168.56.0/24,0/0,tcp,80,3128"

Now the machines can surf the internet without any proxy settings on the client side; the firewall sends their port 80 traffic to Squid.

The last thing I did was implement a whitelist and a blacklist. This is the squid.conf file with the blacklist and whitelist:


acl sstlan src 192.168.56.0/24 # our network
acl white url_regex "/etc/squid/whitelist" # whitelist location (unanchored regexes matched against the whole URL, so anchor them or use dstdomain for whole-domain matching)
acl black url_regex "/etc/squid/blacklist" # blacklist location
acl admin src "/etc/squid/admin" # IP addresses that are not restricted to the whitelist
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 # referenced below; Squid refuses to start if an http_access line uses an undefined ACL
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost # must come before the allow lines; placed after "deny all" it would never be reached
http_access allow localhost
http_access allow sstlan white # sstlan may only reach whitelisted sites
http_access deny admin black # admin IPs are not allowed to reach blacklisted sites
http_access allow admin
http_access deny all
http_port 3128 transparent
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320
visible_hostname server2.sstlab.site
cache_peer 10.1.1.10 parent 3128 0 no-query default
never_direct allow all
access_log /var/log/squid/access.log
cache_dir aufs /var/cache/squid 5000 16 256
coredump_dir /var/cache/squid
cache_log /var/log/squid/cache.log
cache_mem 8 MB
cache_mgr aismagambetov@nu.edu.kz
cache_replacement_policy lru
cache_store_log /var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
emulate_httpd_log off
error_directory /usr/share/squid/errors/en-us
ftp_passive on
memory_replacement_policy lru
minimum_object_size 2 KB
maximum_object_size 61440 KB
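As an added example (not part of the original report), this Python script simulates Squid's first-match http_access evaluation for the whitelist/blacklist rules above, with constructed whitelist, blacklist and admin entries standing in for the list files the page names only by path. It also contrasts url_regex with a dstdomain ACL, because an unanchored url_regex entry such as nu\.edu\.kz matches that string anywhere in the URL, not only in the host.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed contents for the list files the page names only by path.
ACLS = {
    "localhost": ("src", ["127.0.0.1/32"]),
    "sstlan":    ("src", ["192.168.56.0/24"]),
    "admin":     ("src", ["192.168.56.2"]),          # /etc/squid/admin
    "all":       ("src", ["0.0.0.0/0"]),
    "white":     ("url_regex", [r"nu\.edu\.kz", r"opensuse\.org"]),  # /etc/squid/whitelist
    "black":     ("url_regex", [r"facebook\.com"]),                   # /etc/squid/blacklist
    "white_dom": ("dstdomain", [".nu.edu.kz", ".opensuse.org"]),      # same list as dstdomain
}

def acl_matches(name, client_ip, url):
    # Evaluate one ACL the way Squid does for src, url_regex and dstdomain.
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "url_regex":
        # unanchored search over the whole URL, exactly what Squid's url_regex does
        return any(re.search(v, url) for v in values)
    # dstdomain: ".example.com" matches the domain and its subdomains, "example.com" only itself
    host = urlsplit(url).hostname or ""
    return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
               for v in values)
def decide(rules, client_ip, url):
    # First-match evaluation of an http_access list; every ACL on a line must match.
    for action, acls in rules:
        if all(acl_matches(a, client_ip, url) for a in acls):
            return action
    # no line matched: Squid applies the opposite of the last line's action
    return "allow" if rules[-1][0] == "deny" else "deny"

# http_access lines from the whitelist/blacklist squid.conf above, in order
PAGE_RULES = [
    ("allow", ["localhost"]),
    ("allow", ["sstlan", "white"]),
    ("deny",  ["admin", "black"]),
    ("allow", ["admin"]),
    ("deny",  ["all"]),
]
# the same policy with the whitelist matched on the destination host instead of a substring
HARDENED_RULES = [(act, ["white_dom" if a == "white" else a for a in acls]) for act, acls in PAGE_RULES]
if __name__ == "__main__":
    for ip, url in [("192.168.56.3", "http://www.nu.edu.kz/"), ("192.168.56.3", "http://attacker.example/?q=nu.edu.kz")]:
        print(ip, url, "page:", decide(PAGE_RULES, ip, url), "hardened:", decide(HARDENED_RULES, ip, url))
```

Run it to see that the second URL is allowed by the url_regex whitelist but denied once the whitelist is matched as a dstdomain ACL.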
