working on squid connecting to network pc's

davimint · 07-26-2007, 07:16 PM

Ok, I'm lost again...

I finally got squid/dansguardian working ( I guess the
Server side ) but can not find any doc's that tell me
how to make the other pc's ( two windows machines ) on
the same network filter.

" I'm sorry if the above sounds stupid "

Maybe this would clear things up... I have got
Slackware setup and installed squid & dansguardian
on my main pc that's hard wired to my LinkSys router
which is connected to my cable modem. Now, theres two
other machines both with windows on them that are
wireless. They work, but will let my kids get on any
website they wish but I want to stop that. Dansguardian
is working great on the linux pc.

If it's filtering the servers (my main pc) should it
not be doing the same on all pc's since the rules work
on the server ?....

Lost Again.. Please help...

david....

acid_kewpie · 07-27-2007, 02:33 PM

unless you have specifically configured a transparent proxy then you'll need to make the clients use squid as their explicit proxy in whatever browsers you are using. if you are already doing this then please provide some useufl information such as your squid.conf file.

davimint · 07-27-2007, 04:30 PM

Yes, it's transparent or it's says it is so I guess
I've gotten that much correct.

Here's my squid.conf file.

Code:

bash-3.1# cat squid.conf
http_port 127.0.0.1:3128 transparent
visible_hostname MyBox1.xxxxxx (the x is my address)
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /usr/local/squid/var/cache 100 16 256
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl allowed_hosts src 192.168.1.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 445         # windows update
acl CONNECT method CONNECT
acl local_net src 192.168.1.0/24
acl MyBox2 src 192.168.1.101
http_access allow local_net
http_access allow localhost
http_access allow MyBox2
http_access allow manager localhost
http_access deny manager all
http_access allow allowed_hosts
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow allowed_hosts
icp_access deny all
cache_effective_user squid
cache_effective_group squid
coredump_dir /usr/local/squid/var/cache

I'm trying to understand so maybe this will help.

also here's the rc.firewall scrip I'm running for
iptables and I think that's my problem.

Code:

#! /bin/sh

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT

iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080

archtoad6 · 07-27-2007, 05:33 PM

In order to filter traffic, the server has to see the traffic -- it's not clear from your verbal description if the wireless traffic is passing through the Slack/Squid box.

Does you LAN look like this:

Code:

                             \       /  ~ ~ ~  \ 
             +-------+        \     /           \+-------+
 (    )      | Cable |      +---------+          | Kids' |
( 'Net ) === |       | ---- | LinkSys |          |  PC   |
 (    )      | Modem |      +---------+          +-------+
             +-------+           |               
                                 |
                             +-------+  
                             | Slack/|
                             | Squid |
                             +-------+

or like this:

Code:

                             \       /  ~ ~ ~  \ 
             +-------+        \     /           \+-------+
 (    )      | Cable |      +---------+          | Kids' |
( 'Net ) === |       |      | LinkSys |          |  PC   |
 (    )      | Modem |      +---------+          +-------+
             +-------+           |               
                 |               |
                 |           +-------+  
                 |__________ | Slack/|
                             | Squid |
                             +-------+

(Drawings not to scale.

)

davimint · 07-27-2007, 06:58 PM

Hey, those drawings are cool !!!!!!!!!

My system is set up like your first drawing.

So, in order to use squid and dansguardian on a LAN I must
change the way the hardware works like your second drawing.

I know that several tutorials mentioned that configuration
( like the second drawing)but the one I was using said nothing
about that but it also did not state that they were on a LAN
either.

Before I start changing everything and start over I would like
to make sure that the first drawing just won't work or if theres
a hack to make it work. Also,what's the drawback.

Thanks Again.

archtoad6 · 07-28-2007, 09:40 AM

Quote:

Originally Posted by davimint

Hey, those drawings are cool !!!!!!!!!

Thanks for the compliment. It's not hard in KWrite.

Quote:

Originally Posted by davimint

My system is set up like your first drawing.

So, in order to use squid and dansguardian on a LAN I must
change the way the hardware works like your second drawing.

Yes.

Quote:

Originally Posted by davimint

I know that several tutorials mentioned that configuration
( like the second drawing)but the one I was using said nothing
about that but it also did not state that they were on a LAN
either.

No comment, probably n/a.

Quote:

Originally Posted by davimint

Before I start changing everything and start over I would like
to make sure that the first drawing just won't work or if theres
a hack to make it work.

AFAIK, no way -- the server just can't filter packets/traffic not going through it.

Now, I don't use SOHO routers for security -- I have a dedicated firewall ("FW") (currently running SmoothWall Express 2.0) -- so I can't advise you if your model LinkSys can do any of the things you need. See next . . .

Quote:

Originally Posted by davimint

Also,what's the drawback.

Really good Q.

The drawback is that your server (Slack/Squid) will now be directly exposed to all the crackers & script kiddies out the "Big Bad, Wild & Wooly, West(ern) Web" (tm

). Whether you are aware of it or not, & my apologies you you already know this, the router shares your public IP address by NAT'ing, & NAT'ing provides a lot of inherent protection. Steve Gibson (grc.com) of SpinRite & SheildsUP! fame has said on his "Security Now" webcast that a simple IP sharing (NAT'ing) router provides about 90% of the protection of a dedicated FW.

So, to be safe, you must do 1 of these things:

(Unlikely) Dig into the capabilities of your LinkSys, & use it do the access control. I suspect if your LinkSys could do this, we wouldn't be having this discussion.
Turn Slack/Squid into a FW as well as server. Not easy, nor perhaps desirable -- FW's need to run a minimum of services & checking them is a PITA.
Find an old "door stop" or "boat anchor" & install one of the specialty FW distros on it (SmoothWall Express, IPCop, etc.) & put it between the LinkSys & the cable modem. It most likely has Squid already, so just transfer your rules.
Get a 2nd SOHO router -- wireless not necessary -- & put it between the LinkSys & the cable modem.

Quote:

Originally Posted by davimint

Thanks Again.

You're welcome.

davimint · 07-28-2007, 04:14 PM

archtoad6,

Appreciate the info very much. People like yourself here on LQ help
us newbies out so much.

I liked the second router Idea the best since the PC that I have
slackware/squid/dansguardian installed on is my best PC and it has a
onboard NIC and also a NIC card. I also looked at IPCop, although I
have a old PC that I could use it does not have any NIC's and according
to IPCops hardware info you need something better than I have to run
squid as a caching web proxy. I don't really want to give up one
one of my other PC's to just run IPCop.

So, thanks again.

david

archtoad6 · 07-30-2007, 08:53 AM

You should have seen/heard me 6 years ago.

What are the specs on the old box?

BTW, there is presentation on dedicated FW boxen coming up at HLUG ("H" as in Houston, TX). I believe it will be on Sept. 23, the 4th Sat. of the month. It is likely that it will be streamed over the Web.

While it is still in planning stages, the tentative agenda looks like this:

The main (Impress) presentation will be done by Brandon Napier. He will also do an IPCop install.
I will demonstrate a SmoothWall Express 2 install.
Pete Jameson, the group leader, will show off Devil Linux.

If you're in Houston, however unlikely, you are welcome to attend. Also, I will try to blog or calendar the event here at LQ.

davimint · 07-30-2007, 09:18 PM

You've got me interested in the "IPCop" distro just to
see how it works in linux. So, I've already got a few
questions if you don't mind.

The system spec's on the old door stop are as follows
which may be good enough I hope to run IPCop using
squid.
Intel 733 MHZ Celeron processor
20GB hard drive
64MB of ram ( may not be enough )

I've already robbed one nic card so I've got the
internet working on it. I've booted a liveCD to make
sure everything was good. I know I'll need at least one
more nic card if not two according to the info I'm
reading which is the reason for my second question.

Look at this link...
http://www.ipcop.org/1.4.0/en/instal...iguration.html

I don't quite understand why they are listing the
"blue" and "green" interfaces like they are with the
amount of "wireless routers" in the home market. Is
there a big security reason why I should not use the
four wired ports on my LinkSys WRT54GS.
My plans If I decide to "JUMP into the FIRE" is to
install my system like this. "Sorry no cool drawings".

Cable Modem > server with IPCop > router > one wired &
Two wireless PC's

Thanks again.

archtoad6 · 07-31-2007, 09:54 AM

I already mentioned the planned HLUG IPCop/FW event in Sept., but tomorrow night we are doing a test install or 2. Particularly, Brandon plans to do IPCop on some kind of "boat anchor", so this thread is very topical.

733 MHz is more than enough CPU. I believe 64 MB of RAM is plenty for a basic installation, but may not be enough for heavy proxy-ing. I believe I started w/ 32 or 64, but now have 128. Depending on the proxy load, fill it to the mobo's max. I am lucky that there are always friends around w/ old RAM, not to mention my own collection.

As to NIC's, same situation as w/ RAM: if my own collection isn't enough, some one I know will have one. But even new ones, 10/100 anyway, are cheap.

I read "1.2. Decide On Your Configuration" &, based on my experience w/ SmoothWall Express, it all seemed clear. (Note: IPCop forked from SmoothWall a few years back.) To answer your Q:

Yes, there are security reasons for not letting the wireless router also be the wired switch. Wireless security will probably always be weaker than wired security. If your wireless router is new enough to be capable of WAP 2, then the risk may be acceptable. Don't forget, all the computers you plan to connect through it must have the same capability. If, at the other extreme, the wireless router is only capable of the now easily cracked WEP, then there is no way you want it on the GREEN net. In fact, maybe you should consider junking it. At the very least, it should be on the ORANGE net, perhaps even the RED (if possible).

I assume the reason you ask, is that it seems a shame to let its switching capability go to waste. One possibility is to ignore its WAN port & connect it to the IPCop FW through 1 of its LAN ports. If you do this, you will need a crossover cable, unless its new enough to auto sense. You would also need to disable its DHCP server.

There are practical reasons for doing it this way & letting the IPCop box handle all DHCP service -- centralization & flexibility. IPCop uses dnsmasq for DNS & DHCP, it is very powerful, yet simple enough to learn to administer easily. Some of its features:

Fixed IP address assignment by MAC address. This is almost the same as using static IP's, but w/o the hassle of having to set them up on each individual box.
Its own hosts file becomes part of your network's DNS resources. The info in it is served to every box on your LAN. In effect, it becomes a "master" hosts file.
Its own config file can blanket block whole domains w/o having to enumerate all the hosts found on them. Compare to host by host blocking using the hosts file.

In the past this was used mostly for ad blocking, I think in the future, we will see more & more blocking of malicious web sites using this or similar mechanisms.
Etc., etc., etc. (W/ fond memories of Yul Brynner)

Did I ever ask what model Linksys you have & for a link to its specs. & info.?

My own LAN is something like this:
Hub* | DSL "Modem" | SME FW* | switch*

I have an old Linksys BEFW1154 that I can connect at any the places marked '*'. (I can even put on the hub because my ISP gives me 3 IP addresses). It only does WEP, so I only connect it when someone bring a laptop over, & then not inside my LAN (== GREEN == at the switch).

davimint · 08-01-2007, 12:43 AM

It looks like I've got some reading to do. This afternoon
I slipped out of work to get that second nic card for this
old door stop of computer. Anyway after reading the
install guide and downloading smoothwall 2.0 It was
time to see what I could break.

My configuration is as follows.

Cable-Modem > SW-Server/firewall > wired computer

As you can see I dropped out the modem for now because
I was having problems and could not understand why
smoothwall was not getting anything other than 192.168.0.1
address on the RED interface. It turns out that I needed
to reset my cable-modem for some reason. By the way that's
not in the install instructions.

The router is new it's a WRT54GS with WAP2 so I will
probably try to get it working tomorrow night.

Is there anything you can think of that needs to be
changed in the wireless router that you can give me
advise on? I like advise.

Also, since I'm this deep into this deal. The reason
I started this project was to get dansguardian working
with squid and control all the PC's in my network from
all the bad stuff on the internet.

I noticed when I updated smoothwall that squid has
been updated. Considering I'm a newbie who has not
read all the doc's I probably have a silly question.
If the server was tucked under my shelf with no screen
attached is there anyway to use the smoothwall:81
interface to install & configure dansguardian on it.
From my first working with the interface I didn't see
anyway to do that sort of thing.

Thanks again for the help.

archtoad6 · 08-01-2007, 11:57 AM

I guess I just love lists

:

Glad to hear you got SmoothWall Express working. If I had known you were going to use it &~ IPCop, I would have mentioned the "SP1" d/l which includes all the updates.

Just because I am still using SmoothWall Express, doesn't mean I recommend it. -- I am seriously considering moving to IPCop.
It's serendipitous that Brandon, a current IPCop user, came along when he did.
Glad you sprang for the 2nd NIC. Eventually I think you will want a 3rd one also. I currently believe that the best way to include wireless in your LAN is w/ a BLUE network. If, however, you can:
1. leave the wireless router's WAN port unused,
2. connect the FW & all wired computers through its LAN ports,
3. shut down its wired DHCP, &
4. leave its wireless DHCP active;
then I think the 3rd NIC may be unnecessary. I will try to remember to raise this issue at the Workshop tonight.
That's a good beginning configuration -- get it working & then add to it.

Feel free to post edited vers. of my "drawings". An easy way is to (temporarily) quote my post, then paste the "Code:" block into KWrite or other text editor & have at it. A tip: make a duplicate & remove the "Color:" coding, do your edits, then replace the color if you want.
Good router, I hear. Good luck w/ it. Unfortunately, I do very little wireless, so I can't really give specific advice. However, I do have a lot of friends here in HLUG that I can ask if the answers aren't readily available on LQ or the 'Net at large.
While I believe dansguardian was developed by a SmoothWall team member, I am not sure if it is part of the default install for SmoothWall Express, or if it is easily added. Remember, SmoothWall Express is the community ver. of the distro. -- something like the relationship between FC & RHEL.

One of the reasons for my considering the move to IPCop is that it is a purely community project, & therefore easier to modify -- I think. An example is fail-over dial-up: This feature is part of the commercial ver. of SmoothWall, but (probably for marketing reasons) it is deliberately omitted from SmoothWall Express.

Furthermore, I haven't felt the need for dansguardian (yet).

My next FW "project" is Squid ACL's so that when an ad or malicious site is blocked, a nice, user-friendly, notice appears.
I don't think you can use the smoothwall:81 interface to install & configure dansguardian, but you can use:
Code:
```
ssh  -p 222  root@smoothwall
```
Just remember, it's a different password
I have pipe dreams of remotely administering Linux FW's for people. Updates, Ad Blocking, Squid ACL's, maybe even Dan's Guardian; maybe even for money.

archtoad6 · 09-23-2007, 05:11 PM

Well, another list

:

Got the date wrong it was yesterday, Sat. the 22nd.
It was videoed, but not streamed, & will probably be put on-line.
Brandon's slides are available (as .pdf) at http://twiki.hlug.org, we may post text or more images later.
We omitted Devil Linux, Pete had equipment failurs & couldn't prepare,
SmoothWall 3 was out in time, so I demo'd that.
We had 33 attending, more than we've seen for quite a while.
I get get to do a short ver. for a a Wed. pm group in acouple of weeks.
SmoothWall 3 seems to have more parent oriented features than IPCop (1.4.16).
IPCop (1.4.16) may be friendlier to the savvy admin.
I will be switching (from SWE 2.0), leaning toward IPCop.