I'm using a PC running CentOS 6.7 with 2 NICs (eth0 & eth1) as a Squid proxy server. eth0 (red interface, 192.168.0.2/24) is physically connected to the router (192.168.0.1/24), while eth1 (green interface, 192.168.1.1/24) is connected to the LAN.

eth0:
Connect automatically
Method = Manual 
Address = 192.168.0.2 
Mask = /24 
GW = 192.168.0.1
DNS = 8.8.8.8, 8.8.4.4

eth1:
Connect automatically
Method = Manual 
Address = 192.168.1.1 
Mask = /24 
GW = 192.168.0.2
DNS = 8.8.8.8, 8.8.4.4

While configuring the CentOS box as the proxy server I did the following:

  1. Updated yum and installed Squid

  2. Edited the /etc/squid/squid.conf file as shown below:

    #
    # Recommended minimum configuration:
    #
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
    #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

    acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

    #acl localnet src fc00::/7 # RFC 4193 local private network range
    #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    .
    .
    .(other lines kept same for now)

  3. Started the Squid proxy:

    # service squid start
    # chkconfig squid on

  4. Edited /etc/sysctl.conf file as follows

    net.ipv4.ip_forward=1

  5. Edited the /etc/sysconfig/iptables-config file

    Changed "no" to "yes" in the following two lines and saved:

    IPTABLES_SAVE_ON_STOP="yes"
    IPTABLES_SAVE_ON_RESTART="yes"

  6. Changed the rules in iptables as follow:

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
    # iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
    # iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
    # iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # iptables -A FORWARD -i eth1 -p tcp --dport 443 -d www.facebook.com -j DROP
    # iptables -A FORWARD -i eth1 -p tcp --dport 443 -d www.youtube.com -j DROP

    # service iptables save
    # chkconfig iptables on
    # service iptables restart

  7. Installed the dhcp server (yum install dhcp)

  8. Disabled the Selinux:

    # setenforce 0
    # vim /etc/sysconfig/selinux and changed
    SELINUX=enforcing
    to
    SELINUX=disabled

  9. Edited the /etc/sysconfig/dhcpd file and added:

    DHCPDARGS=eth1

  10. Edited the /etc/dhcp/dhcpd.conf file as below:

    # DHCP Server Configuration file.
    # see /usr/share/doc/dhcp*/dhcpd.conf.sample
    # see 'man 5 dhcpd.conf'
    #
    authoritative;
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.50 192.168.1.220;
        option domain-name-servers 8.8.8.8, 8.8.4.4;
        # option domain-name "centos.local"
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        default-lease-time 600;
        max-lease-time 7200;
    }

  11. Started the dhcp server

    # service dhcpd start
    # chkconfig dhcpd on

  12. After adding filtering sites/rules/file extensions to
    a.) /etc/squid/acls.txt
    b.) /etc/squid/adult.txt and
    c.) /etc/squid/badsites.txt, I changed the /etc/squid/squid.conf file:

    .
    .(Above rules as changed in step 2)
    .
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #
    visible_hostname cetos-server.local
    acl social dstdomain -i "/etc/squid/acls.txt"
    acl badsites dstdomain -i "/etc/squid/badsites.txt"
    acl adult url_regex -i "/etc/squid/adult.txt"
    acl non-working time SMTWHFS 18:00-23:59
    acl non-working time SMTWHFS 00:00-06:00

    http_access deny non-working
    http_access deny social
    http_reply_access deny badsites
    http_reply_access deny adult

    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # Uncomment and adjust the following to add a disk cache directory.
    cache_dir ufs /var/spool/squid 10240 16 256
    .
    .(Other rules were not changed)

  13. Restarted squid, dhcpd and iptables:

    # chkconfig squid on
    # service squid restart

    # chkconfig iptables on
    # service iptables restart

    # chkconfig dhcpd on
    # service dhcpd restart

Once this is done proxy works very well. No PC in LAN can access internet without going through the proxy server (192.168.1.1 Port: 3128).

BUT,

The Problem:
Once I restart the CentOS machine, though all the above configurations are still there and Squid, DHCP and iptables are running properly (as they were before the restart), a PC in my LAN can now access the internet without proxy settings being added to it. (E.g. a PC with 192.168.1.155/24 can access the internet without adding the proxy server IP and port in its system proxy settings.)

Could you please help me to rectify this issue?

Thank you.

  • As I can see from your iptables config, nothing prevents your packets from being forwarded directly between interfaces if your default FORWARD policy is ACCEPT. Also, remove the "GW = 192.168.0.2" row from your eth1 config. Maybe you'd better use a transparent proxy to get rid of setting up your client computers. This way you automatically redirect any HTTP requests to the proxy port. Commented Mar 29, 2016 at 7:10
  • Your Youtube and Facebook blocks are not effective. You can’t block connections to a CDN like that. And you probably don’t want to block Google entirely, so you’ll have to go with HTTPS interception.
    – Daniel B
    Commented Mar 30, 2016 at 8:34

1 Answer

Thank you very much. I removed the Gateway IP in eth1. Also I changed the iptables rules.

  1. First I cleared all the iptables rules:

    # iptables -F
    # iptables -X
    # iptables -t nat -F
    # iptables -t nat -X
    # iptables -t mangle -F
    # iptables -t mangle -X

    Then I added the following rules:

      # Values used below, taken from the setup described in the question
      INTERNET=eth0
      LAN_IN=eth1
      SQUID_SERVER=192.168.1.1
      SQUID_PORT=3128

      # modprobe ip_conntrack
      # modprobe ip_conntrack_ftp
      # iptables -P INPUT DROP
      # iptables -P OUTPUT ACCEPT
      # iptables -A INPUT -i lo -j ACCEPT
      # iptables -A OUTPUT -o lo -j ACCEPT
      # iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
      # iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
      # iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
      # iptables -A INPUT -i $LAN_IN -j ACCEPT
      # iptables -A OUTPUT -o $LAN_IN -j ACCEPT
      # iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
      # iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
      # iptables -A INPUT -j LOG
      # iptables -A INPUT -j DROP

  2. In addition to this, to block YouTube and Facebook I diverted the incoming requests for www.youtube.com and www.facebook.com on port 443 to the Squid server (that is 192.168.1.1:3128), as shown below. As I have already blocked the above 2 sites within the Squid proxy, now no one within the LAN can access them.

    # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -d www.facebook.com -j DNAT --to 192.168.1.1:3128

    # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -d www.youtube.com -j DNAT --to 192.168.1.1:3128

Now the proxy server works fine.
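As an added example (not code from the question or the answer), a small POSIX shell audit that checks an iptables-save dump for the bypass condition the first comment points at: forwarding enabled, MASQUERADE on the WAN interface, a FORWARD chain that defaults to ACCEPT, and no redirect of LAN port-80 traffic to Squid. Both dumps are constructed here, one modelled on the question's step 6 and one on the answer's redirect rule with a default-DROP FORWARD chain.

```shell
#!/bin/sh
# Audit an iptables-save dump for the bypass in the question: forwarding on,
# MASQUERADE on eth0, FORWARD policy ACCEPT and no port-80 redirect to Squid.
# Constructed dump modelled on the question's step 6 (not a real capture).
LEAKY_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp --dport 3128 -j ACCEPT
-A FORWARD -i eth1 -p tcp --dport 443 -d www.facebook.com -j DROP
COMMIT'
# Constructed dump with FORWARD dropped by default and LAN HTTP redirected to Squid.
SAFE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
COMMIT'

# Print the default policy of the filter table's FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | awk '/^\*/{t=$0} t=="*filter" && /^:FORWARD /{print $2}'
}

# Succeed if the nat table masquerades outbound traffic.
has_masquerade() {
    printf '%s\n' "$1" | grep -q -- '-A POSTROUTING .*-j MASQUERADE'
}

# Succeed if LAN port-80 traffic is redirected or DNATed to the proxy.
has_http_redirect() {
    printf '%s\n' "$1" | grep -Eq -- '-A PREROUTING .*--dport 80 .*-j (REDIRECT|DNAT)'
}

# proxy_bypass_possible DUMP IP_FORWARD -> "yes" when a LAN host can reach the
# internet without Squid: forwarding enabled, NAT in place, FORWARD wide open.
proxy_bypass_possible() {
    if [ "$2" = "1" ] && has_masquerade "$1" && \
       [ "$(forward_policy "$1")" = "ACCEPT" ] && ! has_http_redirect "$1"; then
        echo yes
    else
        echo no
    fi
}
```

On a live box, run it against the real state with `proxy_bypass_possible "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"`; note that an edit to /etc/sysctl.conf only takes effect after a reboot or `sysctl -p`, which is why the second argument is read from /proc rather than from the file.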
